diff options
Diffstat (limited to 'nixos')
220 files changed, 6780 insertions, 2071 deletions
diff --git a/nixos/doc/manual/administration/declarative-containers.section.md b/nixos/doc/manual/administration/declarative-containers.section.md index 00fd244bb91fb..eaa50d3c663d4 100644 --- a/nixos/doc/manual/administration/declarative-containers.section.md +++ b/nixos/doc/manual/administration/declarative-containers.section.md @@ -9,7 +9,7 @@ containers.database = { config = { config, pkgs, ... }: { services.postgresql.enable = true; - services.postgresql.package = pkgs.postgresql_10; + services.postgresql.package = pkgs.postgresql_14; }; }; ``` diff --git a/nixos/doc/manual/configuration/config-file.section.md b/nixos/doc/manual/configuration/config-file.section.md index f21ba113bf8c6..efd231fd1f4e4 100644 --- a/nixos/doc/manual/configuration/config-file.section.md +++ b/nixos/doc/manual/configuration/config-file.section.md @@ -166,7 +166,7 @@ Packages pkgs.emacs ]; - services.postgresql.package = pkgs.postgresql_10; + services.postgresql.package = pkgs.postgresql_14; ``` The latter option definition changes the default PostgreSQL package diff --git a/nixos/doc/manual/from_md/administration/declarative-containers.section.xml b/nixos/doc/manual/from_md/administration/declarative-containers.section.xml index b8179dca1f8bd..4831c9c74e848 100644 --- a/nixos/doc/manual/from_md/administration/declarative-containers.section.xml +++ b/nixos/doc/manual/from_md/administration/declarative-containers.section.xml @@ -11,7 +11,7 @@ containers.database = { config = { config, pkgs, ... }: { services.postgresql.enable = true; - services.postgresql.package = pkgs.postgresql_10; + services.postgresql.package = pkgs.postgresql_14; }; }; </programlisting> diff --git a/nixos/doc/manual/from_md/configuration/config-file.section.xml b/nixos/doc/manual/from_md/configuration/config-file.section.xml index 952c6e6003021..9792116eb08d5 100644 --- a/nixos/doc/manual/from_md/configuration/config-file.section.xml +++ b/nixos/doc/manual/from_md/configuration/config-file.section.xml @@ -217,7 +217,7 @@ environment.systemPackages = pkgs.emacs ]; -services.postgresql.package = pkgs.postgresql_10; +services.postgresql.package = pkgs.postgresql_14; </programlisting> <para> The latter option definition changes the default PostgreSQL diff --git a/nixos/doc/manual/from_md/installation/installing-usb.section.xml b/nixos/doc/manual/from_md/installation/installing-usb.section.xml index df266eb16800f..9d12ac45aac21 100644 --- a/nixos/doc/manual/from_md/installation/installing-usb.section.xml +++ b/nixos/doc/manual/from_md/installation/installing-usb.section.xml @@ -1,35 +1,135 @@ <section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-booting-from-usb"> - <title>Booting from a USB Drive</title> + <title>Booting from a USB flash drive</title> <para> - For systems without CD drive, the NixOS live CD can be booted from a - USB stick. You can use the <literal>dd</literal> utility to write - the image: <literal>dd if=path-to-image of=/dev/sdX</literal>. Be - careful about specifying the correct drive; you can use the - <literal>lsblk</literal> command to get a list of block devices. + The image has to be written verbatim to the USB flash drive for it + to be bootable on UEFI and BIOS systems. Here are the recommended + tools to do that. </para> - <note> - <title>On macOS</title> + <section xml:id="sec-booting-from-usb-graphical"> + <title>Creating bootable USB flash drive with a graphical + tool</title> + <para> + Etcher is a popular and user-friendly tool. It works on Linux, + Windows and macOS. + </para> + <para> + Download it from + <link xlink:href="https://www.balena.io/etcher/">balena.io</link>, + start the program, select the downloaded NixOS ISO, then select + the USB flash drive and flash it. + </para> + <warning> + <para> + Etcher reports errors and usage statistics by default, which can + be disabled in the settings. + </para> + </warning> + <para> + An alternative is + <link xlink:href="https://bztsrc.gitlab.io/usbimager">USBImager</link>, + which is very simple and does not connect to the internet. + Download the version with write-only (wo) interface for your + system. Start the program, select the image, select the USB flash + drive and click <quote>Write</quote>. + </para> + </section> + <section xml:id="sec-booting-from-usb-linux"> + <title>Creating bootable USB flash drive from a Terminal on + Linux</title> + <orderedlist numeration="arabic" spacing="compact"> + <listitem> + <para> + Plug in the USB flash drive. + </para> + </listitem> + <listitem> + <para> + Find the corresponding device with <literal>lsblk</literal>. + You can distinguish them by their size. + </para> + </listitem> + <listitem> + <para> + Make sure all partitions on the device are properly unmounted. + Replace <literal>sdX</literal> with your device (e.g. + <literal>sdb</literal>). + </para> + </listitem> + </orderedlist> + <programlisting> +sudo umount /dev/sdX* +</programlisting> + <orderedlist numeration="arabic" spacing="compact"> + <listitem override="4"> + <para> + Then use the <literal>dd</literal> utility to write the image + to the USB flash drive. + </para> + </listitem> + </orderedlist> <programlisting> -$ diskutil list -[..] -/dev/diskN (external, physical): - #: TYPE NAME SIZE IDENTIFIER -[..] -$ diskutil unmountDisk diskN -Unmount of all volumes on diskN was successful -$ sudo dd if=nix.iso of=/dev/rdiskN bs=1M +sudo dd if=<path-to-image> of=/dev/sdX bs=4M conv=fsync +</programlisting> + </section> + <section xml:id="sec-booting-from-usb-macos"> + <title>Creating bootable USB flash drive from a Terminal on + macOS</title> + <orderedlist numeration="arabic" spacing="compact"> + <listitem> + <para> + Plug in the USB flash drive. + </para> + </listitem> + <listitem> + <para> + Find the corresponding device with + <literal>diskutil list</literal>. You can distinguish them by + their size. + </para> + </listitem> + <listitem> + <para> + Make sure all partitions on the device are properly unmounted. + Replace <literal>diskX</literal> with your device (e.g. + <literal>disk1</literal>). + </para> + </listitem> + </orderedlist> + <programlisting> +diskutil unmountDisk diskX +</programlisting> + <orderedlist numeration="arabic" spacing="compact"> + <listitem override="4"> + <para> + Then use the <literal>dd</literal> utility to write the image + to the USB flash drive. + </para> + </listitem> + </orderedlist> + <programlisting> +sudo dd if=<path-to-image> of=/dev/rdiskX bs=4m </programlisting> <para> - Using the 'raw' <literal>rdiskN</literal> device instead of - <literal>diskN</literal> completes in minutes instead of hours. After <literal>dd</literal> completes, a GUI dialog "The disk you inserted was not readable by this computer" will pop up, which can be ignored. </para> - </note> - <para> - The <literal>dd</literal> utility will write the image verbatim to - the drive, making it the recommended option for both UEFI and - non-UEFI installations. - </para> + <note> + <para> + Using the 'raw' <literal>rdiskX</literal> device instead of + <literal>diskX</literal> with dd completes in minutes instead of + hours. + </para> + </note> + <orderedlist numeration="arabic" spacing="compact"> + <listitem override="5"> + <para> + Eject the disk when it is finished. + </para> + </listitem> + </orderedlist> + <programlisting> +diskutil eject /dev/diskX +</programlisting> + </section> </section> diff --git a/nixos/doc/manual/from_md/installation/installing.chapter.xml b/nixos/doc/manual/from_md/installation/installing.chapter.xml index e0ff368b800c1..02a0f14b984ac 100644 --- a/nixos/doc/manual/from_md/installation/installing.chapter.xml +++ b/nixos/doc/manual/from_md/installation/installing.chapter.xml @@ -1,26 +1,212 @@ <chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" xml:id="sec-installation"> <title>Installing NixOS</title> <section xml:id="sec-installation-booting"> - <title>Booting the system</title> + <title>Booting from the install medium</title> <para> - NixOS can be installed on BIOS or UEFI systems. The procedure for - a UEFI installation is by and large the same as a BIOS - installation. The differences are mentioned in the steps that - follow. + To begin the installation, you have to boot your computer from the + install drive. </para> + <orderedlist numeration="arabic"> + <listitem> + <para> + Plug in the install drive. Then turn on or restart your + computer. + </para> + </listitem> + <listitem> + <para> + Open the boot menu by pressing the appropriate key, which is + usually shown on the display on early boot. Select the USB + flash drive (the option usually contains the word + <quote>USB</quote>). If you choose the incorrect drive, your + computer will likely continue to boot as normal. In that case + restart your computer and pick a different drive. + </para> + <note> + <para> + The key to open the boot menu is different across computer + brands and even models. It can be <keycap>F12</keycap>, but + also <keycap>F1</keycap>, <keycap>F9</keycap>, + <keycap>F10</keycap>, <keycap>Enter</keycap>, + <keycap>Del</keycap>, <keycap>Esc</keycap> or another + function key. If you are unsure and don’t see it on the + early boot screen, you can search online for your computers + brand, model followed by <quote>boot from usb</quote>. The + computer might not even have that feature, so you have to go + into the BIOS/UEFI settings to change the boot order. Again, + search online for details about your specific computer + model. + </para> + <para> + For Apple computers with Intel processors press and hold the + <keycap>⌥</keycap> (Option or Alt) key until you see the + boot menu. On Apple silicon press and hold the power button. + </para> + </note> + <note> + <para> + If your computer supports both BIOS and UEFI boot, choose + the UEFI option. + </para> + </note> + <note> + <para> + If you use a CD for the installation, the computer will + probably boot from it automatically. If not, choose the + option containing the word <quote>CD</quote> from the boot + menu. + </para> + </note> + </listitem> + <listitem> + <para> + Shortly after selecting the appropriate boot drive, you should + be presented with a menu with different installer options. + Leave the default and wait (or press <keycap>Enter</keycap> to + speed up). + </para> + </listitem> + <listitem> + <para> + The graphical images will start their corresponding desktop + environment and the graphical installer, which can take some + time. The minimal images will boot to a command line. You have + to follow the instructions in + <xref linkend="sec-installation-manual" /> there. + </para> + </listitem> + </orderedlist> + </section> + <section xml:id="sec-installation-graphical"> + <title>Graphical Installation</title> <para> - The installation media can be burned to a CD, or now more - commonly, <quote>burned</quote> to a USB drive (see - <xref linkend="sec-booting-from-usb" />). + The graphical installer is recommended for desktop users and will + guide you through the installation. </para> + <orderedlist numeration="arabic"> + <listitem> + <para> + In the <quote>Welcome</quote> screen, you can select the + language of the Installer and the installed system. + </para> + <tip> + <para> + Leaving the language as <quote>American English</quote> will + make it easier to search for error messages in a search + engine or to report an issue. + </para> + </tip> + </listitem> + <listitem> + <para> + Next you should choose your location to have the timezone set + correctly. You can actually click on the map! + </para> + <note> + <para> + The installer will use an online service to guess your + location based on your public IP address. + </para> + </note> + </listitem> + <listitem> + <para> + Then you can select the keyboard layout. The default keyboard + model should work well with most desktop keyboards. If you + have a special keyboard or notebook, your model might be in + the list. Select the language you are most comfortable typing + in. + </para> + </listitem> + <listitem> + <para> + On the <quote>Users</quote> screen, you have to type in your + display name, login name and password. You can also enable an + option to automatically login to the desktop. + </para> + </listitem> + <listitem> + <para> + Then you have the option to choose a desktop environment. If + you want to create a custom setup with a window manager, you + can select <quote>No desktop</quote>. + </para> + <tip> + <para> + If you don’t have a favorite desktop and don’t know which + one to choose, you can stick to either GNOME or Plasma. They + have a quite different design, so you should choose + whichever you like better. They are both popular choices and + well tested on NixOS. + </para> + </tip> + </listitem> + <listitem> + <para> + You have the option to allow unfree software in the next + screen. + </para> + </listitem> + <listitem> + <para> + The easiest option in the <quote>Partitioning</quote> screen + is <quote>Erase disk</quote>, which will delete all data from + the selected disk and install the system on it. Also select + <quote>Swap (with Hibernation)</quote> in the dropdown below + it. You have the option to encrypt the whole disk with LUKS. + </para> + <note> + <para> + At the top left you see if the Installer was booted with + BIOS or UEFI. If you know your system supports UEFI and it + shows <quote>BIOS</quote>, reboot with the correct option. + </para> + </note> + <warning> + <para> + Make sure you have selected the correct disk at the top and + that no valuable data is still on the disk! It will be + deleted when formatting the disk. + </para> + </warning> + </listitem> + <listitem> + <para> + Check the choices you made in the <quote>Summary</quote> and + click <quote>Install</quote>. + </para> + <note> + <para> + The installation takes about 15 minutes. The time varies + based on the selected desktop environment, internet + connection speed and disk write speed. + </para> + </note> + </listitem> + <listitem> + <para> + When the install is complete, remove the USB flash drive and + reboot into your new system! + </para> + </listitem> + </orderedlist> + </section> + <section xml:id="sec-installation-manual"> + <title>Manual Installation</title> <para> - The installation media contains a basic NixOS installation. When - it’s finished booting, it should have detected most of your - hardware. + NixOS can be installed on BIOS or UEFI systems. The procedure for + a UEFI installation is broadly the same as for a BIOS + installation. The differences are mentioned in the following + steps. </para> <para> The NixOS manual is available by running - <literal>nixos-help</literal>. + <literal>nixos-help</literal> in the command line or from the + application menu in the desktop environment. + </para> + <para> + To have access to the command line on the graphical images, open + Terminal (GNOME) or Konsole (Plasma) from the application menu. </para> <para> You are logged-in automatically as <literal>nixos</literal>. The @@ -31,11 +217,8 @@ $ sudo -i </programlisting> <para> - If you downloaded the graphical ISO image, you can run - <literal>systemctl start display-manager</literal> to start the - desktop environment. If you want to continue on the terminal, you - can use <literal>loadkeys</literal> to switch to your preferred - keyboard layout. (We even provide neo2 via + You can use <literal>loadkeys</literal> to switch to your + preferred keyboard layout. (We even provide neo2 via <literal>loadkeys de neo</literal>!) </para> <para> @@ -49,9 +232,13 @@ $ sudo -i bootloader lists boot entries, select the serial console boot entry. </para> - <section xml:id="sec-installation-booting-networking"> + <section xml:id="sec-installation-manual-networking"> <title>Networking in the installer</title> <para> + <anchor xml:id="sec-installation-booting-networking" /> + <!-- legacy anchor --> + </para> + <para> The boot process should have brought up networking (check <literal>ip a</literal>). Networking is necessary for the installer, since it will download lots of stuff (such as source @@ -130,502 +317,527 @@ OK able to login. </para> </section> - </section> - <section xml:id="sec-installation-partitioning"> - <title>Partitioning and formatting</title> - <para> - The NixOS installer doesn’t do any partitioning or formatting, so - you need to do that yourself. - </para> - <para> - The NixOS installer ships with multiple partitioning tools. The - examples below use <literal>parted</literal>, but also provides - <literal>fdisk</literal>, <literal>gdisk</literal>, - <literal>cfdisk</literal>, and <literal>cgdisk</literal>. - </para> - <para> - The recommended partition scheme differs depending if the computer - uses <emphasis>Legacy Boot</emphasis> or - <emphasis>UEFI</emphasis>. - </para> - <section xml:id="sec-installation-partitioning-UEFI"> - <title>UEFI (GPT)</title> + <section xml:id="sec-installation-manual-partitioning"> + <title>Partitioning and formatting</title> + <para> + <anchor xml:id="sec-installation-partitioning" /> + <!-- legacy anchor --> + </para> + <para> + The NixOS installer doesn’t do any partitioning or formatting, + so you need to do that yourself. + </para> + <para> + The NixOS installer ships with multiple partitioning tools. The + examples below use <literal>parted</literal>, but also provides + <literal>fdisk</literal>, <literal>gdisk</literal>, + <literal>cfdisk</literal>, and <literal>cgdisk</literal>. + </para> <para> - Here's an example partition scheme for UEFI, using - <literal>/dev/sda</literal> as the device. + The recommended partition scheme differs depending if the + computer uses <emphasis>Legacy Boot</emphasis> or + <emphasis>UEFI</emphasis>. </para> - <note> + <section xml:id="sec-installation-manual-partitioning-UEFI"> + <title>UEFI (GPT)</title> <para> - You can safely ignore <literal>parted</literal>'s - informational message about needing to update /etc/fstab. + <anchor xml:id="sec-installation-partitioning-UEFI" /> + <!-- legacy anchor --> </para> - </note> - <orderedlist numeration="arabic"> - <listitem> + <para> + Here's an example partition scheme for UEFI, using + <literal>/dev/sda</literal> as the device. + </para> + <note> <para> - Create a <emphasis>GPT</emphasis> partition table. + You can safely ignore <literal>parted</literal>'s + informational message about needing to update /etc/fstab. </para> - <programlisting> + </note> + <orderedlist numeration="arabic"> + <listitem> + <para> + Create a <emphasis>GPT</emphasis> partition table. + </para> + <programlisting> # parted /dev/sda -- mklabel gpt </programlisting> - </listitem> - <listitem> - <para> - Add the <emphasis>root</emphasis> partition. This will fill - the disk except for the end part, where the swap will live, - and the space left in front (512MiB) which will be used by - the boot partition. - </para> - <programlisting> + </listitem> + <listitem> + <para> + Add the <emphasis>root</emphasis> partition. This will + fill the disk except for the end part, where the swap will + live, and the space left in front (512MiB) which will be + used by the boot partition. + </para> + <programlisting> # parted /dev/sda -- mkpart primary 512MB -8GB </programlisting> - </listitem> - <listitem> - <para> - Next, add a <emphasis>swap</emphasis> partition. The size - required will vary according to needs, here a 8GB one is - created. - </para> - <programlisting> + </listitem> + <listitem> + <para> + Next, add a <emphasis>swap</emphasis> partition. The size + required will vary according to needs, here a 8GB one is + created. + </para> + <programlisting> # parted /dev/sda -- mkpart primary linux-swap -8GB 100% </programlisting> - <note> + <note> + <para> + The swap partition size rules are no different than for + other Linux distributions. + </para> + </note> + </listitem> + <listitem> <para> - The swap partition size rules are no different than for - other Linux distributions. + Finally, the <emphasis>boot</emphasis> partition. NixOS by + default uses the ESP (EFI system partition) as its + <emphasis>/boot</emphasis> partition. It uses the + initially reserved 512MiB at the start of the disk. </para> - </note> - </listitem> - <listitem> - <para> - Finally, the <emphasis>boot</emphasis> partition. NixOS by - default uses the ESP (EFI system partition) as its - <emphasis>/boot</emphasis> partition. It uses the initially - reserved 512MiB at the start of the disk. - </para> - <programlisting> + <programlisting> # parted /dev/sda -- mkpart ESP fat32 1MB 512MB # parted /dev/sda -- set 3 esp on </programlisting> - </listitem> - </orderedlist> - <para> - Once complete, you can follow with - <xref linkend="sec-installation-partitioning-formatting" />. - </para> - </section> - <section xml:id="sec-installation-partitioning-MBR"> - <title>Legacy Boot (MBR)</title> - <para> - Here's an example partition scheme for Legacy Boot, using - <literal>/dev/sda</literal> as the device. - </para> - <note> + </listitem> + </orderedlist> <para> - You can safely ignore <literal>parted</literal>'s - informational message about needing to update /etc/fstab. + Once complete, you can follow with + <xref linkend="sec-installation-manual-partitioning-formatting" />. </para> - </note> - <orderedlist numeration="arabic"> - <listitem> + </section> + <section xml:id="sec-installation-manual-partitioning-MBR"> + <title>Legacy Boot (MBR)</title> + <para> + <anchor xml:id="sec-installation-partitioning-MBR" /> + <!-- legacy anchor --> + </para> + <para> + Here's an example partition scheme for Legacy Boot, using + <literal>/dev/sda</literal> as the device. + </para> + <note> <para> - Create a <emphasis>MBR</emphasis> partition table. + You can safely ignore <literal>parted</literal>'s + informational message about needing to update /etc/fstab. </para> - <programlisting> + </note> + <orderedlist numeration="arabic"> + <listitem> + <para> + Create a <emphasis>MBR</emphasis> partition table. + </para> + <programlisting> # parted /dev/sda -- mklabel msdos </programlisting> - </listitem> - <listitem> - <para> - Add the <emphasis>root</emphasis> partition. This will fill - the the disk except for the end part, where the swap will - live. - </para> - <programlisting> + </listitem> + <listitem> + <para> + Add the <emphasis>root</emphasis> partition. This will + fill the the disk except for the end part, where the swap + will live. + </para> + <programlisting> # parted /dev/sda -- mkpart primary 1MB -8GB </programlisting> - </listitem> - <listitem> - <para> - Set the root partition’s boot flag to on. This allows the - disk to be booted from. - </para> - <programlisting> + </listitem> + <listitem> + <para> + Set the root partition’s boot flag to on. This allows the + disk to be booted from. + </para> + <programlisting> # parted /dev/sda -- set 1 boot on </programlisting> - </listitem> - <listitem> - <para> - Finally, add a <emphasis>swap</emphasis> partition. The size - required will vary according to needs, here a 8GiB one is - created. - </para> - <programlisting> + </listitem> + <listitem> + <para> + Finally, add a <emphasis>swap</emphasis> partition. The + size required will vary according to needs, here a 8GiB + one is created. + </para> + <programlisting> # parted /dev/sda -- mkpart primary linux-swap -8GB 100% </programlisting> - <note> + <note> + <para> + The swap partition size rules are no different than for + other Linux distributions. + </para> + </note> + </listitem> + </orderedlist> + <para> + Once complete, you can follow with + <xref linkend="sec-installation-manual-partitioning-formatting" />. + </para> + </section> + <section xml:id="sec-installation-manual-partitioning-formatting"> + <title>Formatting</title> + <para> + <anchor xml:id="sec-installation-partitioning-formatting" /> + <!-- legacy anchor --> + </para> + <para> + Use the following commands: + </para> + <itemizedlist> + <listitem> <para> - The swap partition size rules are no different than for - other Linux distributions. + For initialising Ext4 partitions: + <literal>mkfs.ext4</literal>. It is recommended that you + assign a unique symbolic label to the file system using + the option <literal>-L label</literal>, since this makes + the file system configuration independent from device + changes. For example: </para> - </note> - </listitem> - </orderedlist> - <para> - Once complete, you can follow with - <xref linkend="sec-installation-partitioning-formatting" />. - </para> + <programlisting> +# mkfs.ext4 -L nixos /dev/sda1 +</programlisting> + </listitem> + <listitem> + <para> + For creating swap partitions: <literal>mkswap</literal>. + Again it’s recommended to assign a label to the swap + partition: <literal>-L label</literal>. For example: + </para> + <programlisting> +# mkswap -L swap /dev/sda2 +</programlisting> + </listitem> + <listitem> + <para> + <emphasis role="strong">UEFI systems</emphasis> + </para> + <para> + For creating boot partitions: <literal>mkfs.fat</literal>. + Again it’s recommended to assign a label to the boot + partition: <literal>-n label</literal>. For example: + </para> + <programlisting> +# mkfs.fat -F 32 -n boot /dev/sda3 +</programlisting> + </listitem> + <listitem> + <para> + For creating LVM volumes, the LVM commands, e.g., + <literal>pvcreate</literal>, <literal>vgcreate</literal>, + and <literal>lvcreate</literal>. + </para> + </listitem> + <listitem> + <para> + For creating software RAID devices, use + <literal>mdadm</literal>. + </para> + </listitem> + </itemizedlist> + </section> </section> - <section xml:id="sec-installation-partitioning-formatting"> - <title>Formatting</title> + <section xml:id="sec-installation-manual-installing"> + <title>Installing</title> <para> - Use the following commands: + <anchor xml:id="sec-installation-installing" /> + <!-- legacy anchor --> </para> - <itemizedlist> + <orderedlist numeration="arabic"> <listitem> <para> - For initialising Ext4 partitions: - <literal>mkfs.ext4</literal>. It is recommended that you - assign a unique symbolic label to the file system using the - option <literal>-L label</literal>, since this makes the - file system configuration independent from device changes. - For example: + Mount the target file system on which NixOS should be + installed on <literal>/mnt</literal>, e.g. </para> <programlisting> -# mkfs.ext4 -L nixos /dev/sda1 +# mount /dev/disk/by-label/nixos /mnt </programlisting> </listitem> <listitem> <para> - For creating swap partitions: <literal>mkswap</literal>. - Again it’s recommended to assign a label to the swap - partition: <literal>-L label</literal>. For example: + <emphasis role="strong">UEFI systems</emphasis> + </para> + <para> + Mount the boot file system on <literal>/mnt/boot</literal>, + e.g. </para> <programlisting> -# mkswap -L swap /dev/sda2 +# mkdir -p /mnt/boot +# mount /dev/disk/by-label/boot /mnt/boot </programlisting> </listitem> <listitem> <para> - <emphasis role="strong">UEFI systems</emphasis> - </para> - <para> - For creating boot partitions: <literal>mkfs.fat</literal>. - Again it’s recommended to assign a label to the boot - partition: <literal>-n label</literal>. For example: + If your machine has a limited amount of memory, you may want + to activate swap devices now + (<literal>swapon device</literal>). The installer (or + rather, the build actions that it may spawn) may need quite + a bit of RAM, depending on your configuration. </para> <programlisting> -# mkfs.fat -F 32 -n boot /dev/sda3 +# swapon /dev/sda2 </programlisting> </listitem> <listitem> <para> - For creating LVM volumes, the LVM commands, e.g., - <literal>pvcreate</literal>, <literal>vgcreate</literal>, - and <literal>lvcreate</literal>. + You now need to create a file + <literal>/mnt/etc/nixos/configuration.nix</literal> that + specifies the intended configuration of the system. This is + because NixOS has a <emphasis>declarative</emphasis> + configuration model: you create or edit a description of the + desired configuration of your system, and then NixOS takes + care of making it happen. The syntax of the NixOS + configuration file is described in + <xref linkend="sec-configuration-syntax" />, while a list of + available configuration options appears in + <xref linkend="ch-options" />. A minimal example is shown in + <link linkend="ex-config">Example: NixOS + Configuration</link>. </para> - </listitem> - <listitem> <para> - For creating software RAID devices, use - <literal>mdadm</literal>. + The command <literal>nixos-generate-config</literal> can + generate an initial configuration file for you: </para> - </listitem> - </itemizedlist> - </section> - </section> - <section xml:id="sec-installation-installing"> - <title>Installing</title> - <orderedlist numeration="arabic"> - <listitem> - <para> - Mount the target file system on which NixOS should be - installed on <literal>/mnt</literal>, e.g. - </para> - <programlisting> -# mount /dev/disk/by-label/nixos /mnt -</programlisting> - </listitem> - <listitem> - <para> - <emphasis role="strong">UEFI systems</emphasis> - </para> - <para> - Mount the boot file system on <literal>/mnt/boot</literal>, - e.g. - </para> - <programlisting> -# mkdir -p /mnt/boot -# mount /dev/disk/by-label/boot /mnt/boot -</programlisting> - </listitem> - <listitem> - <para> - If your machine has a limited amount of memory, you may want - to activate swap devices now - (<literal>swapon device</literal>). The installer (or rather, - the build actions that it may spawn) may need quite a bit of - RAM, depending on your configuration. - </para> - <programlisting> -# swapon /dev/sda2 -</programlisting> - </listitem> - <listitem> - <para> - You now need to create a file - <literal>/mnt/etc/nixos/configuration.nix</literal> that - specifies the intended configuration of the system. This is - because NixOS has a <emphasis>declarative</emphasis> - configuration model: you create or edit a description of the - desired configuration of your system, and then NixOS takes - care of making it happen. The syntax of the NixOS - configuration file is described in - <xref linkend="sec-configuration-syntax" />, while a list of - available configuration options appears in - <xref linkend="ch-options" />. A minimal example is shown in - <link linkend="ex-config">Example: NixOS Configuration</link>. - </para> - <para> - The command <literal>nixos-generate-config</literal> can - generate an initial configuration file for you: - </para> - <programlisting> + <programlisting> # nixos-generate-config --root /mnt </programlisting> - <para> - You should then edit - <literal>/mnt/etc/nixos/configuration.nix</literal> to suit - your needs: - </para> - <programlisting> + <para> + You should then edit + <literal>/mnt/etc/nixos/configuration.nix</literal> to suit + your needs: + </para> + <programlisting> # nano /mnt/etc/nixos/configuration.nix </programlisting> - <para> - If you’re using the graphical ISO image, other editors may be - available (such as <literal>vim</literal>). If you have - network access, you can also install other editors – for - instance, you can install Emacs by running - <literal>nix-env -f '<nixpkgs>' -iA emacs</literal>. - </para> - <variablelist> - <varlistentry> - <term> - BIOS systems - </term> - <listitem> - <para> - You <emphasis>must</emphasis> set the option - <xref linkend="opt-boot.loader.grub.device" /> to - specify on which disk the GRUB boot loader is to be - installed. Without it, NixOS cannot boot. - </para> - <para> - If there are other operating systems running on the - machine before installing NixOS, the - <xref linkend="opt-boot.loader.grub.useOSProber" /> - option can be set to <literal>true</literal> to - automatically add them to the grub menu. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - UEFI systems - </term> - <listitem> - <para> - You must select a boot-loader, either system-boot or - GRUB. The recommended option is systemd-boot: set the - option - <xref linkend="opt-boot.loader.systemd-boot.enable" /> - to <literal>true</literal>. - <literal>nixos-generate-config</literal> should do this - automatically for new configurations when booted in UEFI - mode. - </para> - <para> - You may want to look at the options starting with - <link linkend="opt-boot.loader.efi.canTouchEfiVariables"><literal>boot.loader.efi</literal></link> - and - <link linkend="opt-boot.loader.systemd-boot.enable"><literal>boot.loader.systemd-boot</literal></link> - as well. - </para> - <para> - If you want to use GRUB, set - <xref linkend="opt-boot.loader.grub.device" /> to - <literal>nodev</literal> and - <xref linkend="opt-boot.loader.grub.efiSupport" /> to - <literal>true</literal>. - </para> - <para> - With system-boot, you should not need any special - configuration to detect other installed systems. With - GRUB, set - <xref linkend="opt-boot.loader.grub.useOSProber" /> to - <literal>true</literal>, but this will only detect - windows partitions, not other linux distributions. If - you dual boot another linux distribution, use - system-boot instead. - </para> - </listitem> - </varlistentry> - </variablelist> - <para> - If you need to configure networking for your machine the - configuration options are described in - <xref linkend="sec-networking" />. In particular, while wifi - is supported on the installation image, it is not enabled by - default in the configuration generated by - <literal>nixos-generate-config</literal>. - </para> - <para> - Another critical option is <literal>fileSystems</literal>, - specifying the file systems that need to be mounted by NixOS. - However, you typically don’t need to set it yourself, because - <literal>nixos-generate-config</literal> sets it automatically - in - <literal>/mnt/etc/nixos/hardware-configuration.nix</literal> - from your currently mounted file systems. (The configuration - file <literal>hardware-configuration.nix</literal> is included - from <literal>configuration.nix</literal> and will be - overwritten by future invocations of - <literal>nixos-generate-config</literal>; thus, you generally - should not modify it.) Additionally, you may want to look at - <link xlink:href="https://github.com/NixOS/nixos-hardware">Hardware - configuration for known-hardware</link> at this point or after - installation. - </para> - <note> <para> - Depending on your hardware configuration or type of file - system, you may need to set the option - <literal>boot.initrd.kernelModules</literal> to include the - kernel modules that are necessary for mounting the root file - system, otherwise the installed system will not be able to - boot. (If this happens, boot from the installation media - again, mount the target file system on - <literal>/mnt</literal>, fix - <literal>/mnt/etc/nixos/configuration.nix</literal> and - rerun <literal>nixos-install</literal>.) In most cases, - <literal>nixos-generate-config</literal> will figure out the - required modules. + If you’re using the graphical ISO image, other editors may + be available (such as <literal>vim</literal>). If you have + network access, you can also install other editors – for + instance, you can install Emacs by running + <literal>nix-env -f '<nixpkgs>' -iA emacs</literal>. </para> - </note> - </listitem> - <listitem> - <para> - Do the installation: - </para> - <programlisting> + <variablelist> + <varlistentry> + <term> + BIOS systems + </term> + <listitem> + <para> + You <emphasis>must</emphasis> set the option + <xref linkend="opt-boot.loader.grub.device" /> to + specify on which disk the GRUB boot loader is to be + installed. Without it, NixOS cannot boot. + </para> + <para> + If there are other operating systems running on the + machine before installing NixOS, the + <xref linkend="opt-boot.loader.grub.useOSProber" /> + option can be set to <literal>true</literal> to + automatically add them to the grub menu. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + UEFI systems + </term> + <listitem> + <para> + You must select a boot-loader, either system-boot or + GRUB. The recommended option is systemd-boot: set the + option + <xref linkend="opt-boot.loader.systemd-boot.enable" /> + to <literal>true</literal>. + <literal>nixos-generate-config</literal> should do + this automatically for new configurations when booted + in UEFI mode. + </para> + <para> + You may want to look at the options starting with + <link linkend="opt-boot.loader.efi.canTouchEfiVariables"><literal>boot.loader.efi</literal></link> + and + <link linkend="opt-boot.loader.systemd-boot.enable"><literal>boot.loader.systemd-boot</literal></link> + as well. + </para> + <para> + If you want to use GRUB, set + <xref linkend="opt-boot.loader.grub.device" /> to + <literal>nodev</literal> and + <xref linkend="opt-boot.loader.grub.efiSupport" /> to + <literal>true</literal>. + </para> + <para> + With system-boot, you should not need any special + configuration to detect other installed systems. With + GRUB, set + <xref linkend="opt-boot.loader.grub.useOSProber" /> to + <literal>true</literal>, but this will only detect + windows partitions, not other linux distributions. If + you dual boot another linux distribution, use + system-boot instead. + </para> + </listitem> + </varlistentry> + </variablelist> + <para> + If you need to configure networking for your machine the + configuration options are described in + <xref linkend="sec-networking" />. In particular, while wifi + is supported on the installation image, it is not enabled by + default in the configuration generated by + <literal>nixos-generate-config</literal>. + </para> + <para> + Another critical option is <literal>fileSystems</literal>, + specifying the file systems that need to be mounted by + NixOS. However, you typically don’t need to set it yourself, + because <literal>nixos-generate-config</literal> sets it + automatically in + <literal>/mnt/etc/nixos/hardware-configuration.nix</literal> + from your currently mounted file systems. (The configuration + file <literal>hardware-configuration.nix</literal> is + included from <literal>configuration.nix</literal> and will + be overwritten by future invocations of + <literal>nixos-generate-config</literal>; thus, you + generally should not modify it.) Additionally, you may want + to look at + <link xlink:href="https://github.com/NixOS/nixos-hardware">Hardware + configuration for known-hardware</link> at this point or + after installation. + </para> + <note> + <para> + Depending on your hardware configuration or type of file + system, you may need to set the option + <literal>boot.initrd.kernelModules</literal> to include + the kernel modules that are necessary for mounting the + root file system, otherwise the installed system will not + be able to boot. (If this happens, boot from the + installation media again, mount the target file system on + <literal>/mnt</literal>, fix + <literal>/mnt/etc/nixos/configuration.nix</literal> and + rerun <literal>nixos-install</literal>.) In most cases, + <literal>nixos-generate-config</literal> will figure out + the required modules. + </para> + </note> + </listitem> + <listitem> + <para> + Do the installation: + </para> + <programlisting> # nixos-install </programlisting> - <para> - This will install your system based on the configuration you - provided. If anything fails due to a configuration problem or - any other issue (such as a network outage while downloading - binaries from the NixOS binary cache), you can re-run - <literal>nixos-install</literal> after fixing your - <literal>configuration.nix</literal>. - </para> - <para> - As the last step, <literal>nixos-install</literal> will ask - you to set the password for the <literal>root</literal> user, - e.g. - </para> - <programlisting> + <para> + This will install your system based on the configuration you + provided. If anything fails due to a configuration problem + or any other issue (such as a network outage while + downloading binaries from the NixOS binary cache), you can + re-run <literal>nixos-install</literal> after fixing your + <literal>configuration.nix</literal>. + </para> + <para> + As the last step, <literal>nixos-install</literal> will ask + you to set the password for the <literal>root</literal> + user, e.g. + </para> + <programlisting> setting root password... New password: *** Retype new password: *** </programlisting> - <note> + <note> + <para> + For unattended installations, it is possible to use + <literal>nixos-install --no-root-passwd</literal> in order + to disable the password prompt entirely. + </para> + </note> + </listitem> + <listitem> <para> - For unattended installations, it is possible to use - <literal>nixos-install --no-root-passwd</literal> in order - to disable the password prompt entirely. + If everything went well: </para> - </note> - </listitem> - <listitem> - <para> - If everything went well: - </para> - <programlisting> + <programlisting> # reboot </programlisting> - </listitem> - <listitem> - <para> - You should now be able to boot into the installed NixOS. The - GRUB boot menu shows a list of <emphasis>available - configurations</emphasis> (initially just one). Every time you - change the NixOS configuration (see - <link linkend="sec-changing-config">Changing - Configuration</link>), a new item is added to the menu. This - allows you to easily roll back to a previous configuration if - something goes wrong. - </para> - <para> - You should log in and change the <literal>root</literal> - password with <literal>passwd</literal>. - </para> - <para> - You’ll probably want to create some user accounts as well, - which can be done with <literal>useradd</literal>: - </para> - <programlisting> + </listitem> + <listitem> + <para> + You should now be able to boot into the installed NixOS. The + GRUB boot menu shows a list of <emphasis>available + configurations</emphasis> (initially just one). Every time + you change the NixOS configuration (see + <link linkend="sec-changing-config">Changing + Configuration</link>), a new item is added to the menu. This + allows you to easily roll back to a previous configuration + if something goes wrong. + </para> + <para> + You should log in and change the <literal>root</literal> + password with <literal>passwd</literal>. + </para> + <para> + You’ll probably want to create some user accounts as well, + which can be done with <literal>useradd</literal>: + </para> + <programlisting> $ useradd -c 'Eelco Dolstra' -m eelco $ passwd eelco </programlisting> - <para> - You may also want to install some software. This will be - covered in <xref linkend="sec-package-management" />. - </para> - </listitem> - </orderedlist> - </section> - <section xml:id="sec-installation-summary"> - <title>Installation summary</title> - <para> - To summarise, <link linkend="ex-install-sequence">Example: - Commands for Installing NixOS on - <literal>/dev/sda</literal></link> shows a typical sequence of - commands for installing NixOS on an empty hard drive (here - <literal>/dev/sda</literal>). <link linkend="ex-config">Example: - NixOS Configuration</link> shows a corresponding configuration Nix - expression. - </para> - <anchor xml:id="ex-partition-scheme-MBR" /> - <para> - <emphasis role="strong">Example: Example partition schemes for - NixOS on <literal>/dev/sda</literal> (MBR)</emphasis> - </para> - <programlisting> + <para> + You may also want to install some software. This will be + covered in <xref linkend="sec-package-management" />. + </para> + </listitem> + </orderedlist> + </section> + <section xml:id="sec-installation-manual-summary"> + <title>Installation summary</title> + <para> + <anchor xml:id="sec-installation-summary" /> + <!-- legacy anchor --> + </para> + <para> + To summarise, <link linkend="ex-install-sequence">Example: + Commands for Installing NixOS on + <literal>/dev/sda</literal></link> shows a typical sequence of + commands for installing NixOS on an empty hard drive (here + <literal>/dev/sda</literal>). <link linkend="ex-config">Example: + NixOS Configuration</link> shows a corresponding configuration + Nix expression. + </para> + <anchor xml:id="ex-partition-scheme-MBR" /> + <para> + <emphasis role="strong">Example: Example partition schemes for + NixOS on <literal>/dev/sda</literal> (MBR)</emphasis> + </para> + <programlisting> # parted /dev/sda -- mklabel msdos # parted /dev/sda -- mkpart primary 1MiB -8GiB # parted /dev/sda -- mkpart primary linux-swap -8GiB 100% </programlisting> - <anchor xml:id="ex-partition-scheme-UEFI" /> - <para> - <emphasis role="strong">Example: Example partition schemes for - NixOS on <literal>/dev/sda</literal> (UEFI)</emphasis> - </para> - <programlisting> + <anchor xml:id="ex-partition-scheme-UEFI" /> + <para> + <emphasis role="strong">Example: Example partition schemes for + NixOS on <literal>/dev/sda</literal> (UEFI)</emphasis> + </para> + <programlisting> # parted /dev/sda -- mklabel gpt # parted /dev/sda -- mkpart primary 512MiB -8GiB # parted /dev/sda -- mkpart primary linux-swap -8GiB 100% # parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB # parted /dev/sda -- set 3 esp on </programlisting> - <anchor xml:id="ex-install-sequence" /> - <para> - <emphasis role="strong">Example: Commands for Installing NixOS on - <literal>/dev/sda</literal></emphasis> - </para> - <para> - With a partitioned disk. - </para> - <programlisting> + <anchor xml:id="ex-install-sequence" /> + <para> + <emphasis role="strong">Example: Commands for Installing NixOS + on <literal>/dev/sda</literal></emphasis> + </para> + <para> + With a partitioned disk. + </para> + <programlisting> # mkfs.ext4 -L nixos /dev/sda1 # mkswap -L swap /dev/sda2 # swapon /dev/sda2 @@ -638,11 +850,11 @@ $ passwd eelco # nixos-install # reboot </programlisting> - <anchor xml:id="ex-config" /> - <para> - <emphasis role="strong">Example: NixOS Configuration</emphasis> - </para> - <programlisting> + <anchor xml:id="ex-config" /> + <para> + <emphasis role="strong">Example: NixOS Configuration</emphasis> + </para> + <programlisting> { config, pkgs, ... }: { imports = [ # Include the results of the hardware scan. @@ -661,6 +873,7 @@ $ passwd eelco services.sshd.enable = true; } </programlisting> + </section> </section> <section xml:id="sec-installation-additional-notes"> <title>Additional installation notes</title> diff --git a/nixos/doc/manual/from_md/installation/obtaining.chapter.xml b/nixos/doc/manual/from_md/installation/obtaining.chapter.xml index a922feda25366..d187adfc0c535 100644 --- a/nixos/doc/manual/from_md/installation/obtaining.chapter.xml +++ b/nixos/doc/manual/from_md/installation/obtaining.chapter.xml @@ -2,16 +2,15 @@ <title>Obtaining NixOS</title> <para> NixOS ISO images can be downloaded from the - <link xlink:href="https://nixos.org/nixos/download.html">NixOS - download page</link>. There are a number of installation options. If - you happen to have an optical drive and a spare CD, burning the - image to CD and booting from that is probably the easiest option. - Most people will need to prepare a USB stick to boot from. - <xref linkend="sec-booting-from-usb" /> describes the preferred - method to prepare a USB stick. A number of alternative methods are - presented in the - <link xlink:href="https://nixos.wiki/wiki/NixOS_Installation_Guide#Making_the_installation_media">NixOS - Wiki</link>. + <link xlink:href="https://nixos.org/download.html#nixos-iso">NixOS + download page</link>. Follow the instructions in + <xref linkend="sec-booting-from-usb" /> to create a bootable USB + flash drive. + </para> + <para> + If you have a very old system that can’t boot from USB, you can burn + the image to an empty CD. NixOS might not work very well on such + systems. </para> <para> As an alternative to installing NixOS yourself, you can get a @@ -23,16 +22,16 @@ Using virtual appliances in Open Virtualization Format (OVF) that can be imported into VirtualBox. These are available from the - <link xlink:href="https://nixos.org/nixos/download.html">NixOS + <link xlink:href="https://nixos.org/download.html#nixos-virtualbox">NixOS download page</link>. </para> </listitem> <listitem> <para> - Using AMIs for Amazon’s EC2. To find one for your region and - instance type, please refer to the - <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/ec2-amis.nix">list - of most recent AMIs</link>. + Using AMIs for Amazon’s EC2. To find one for your region, please + refer to the + <link xlink:href="https://nixos.org/download.html#nixos-amazon">download + page</link>. </para> </listitem> <listitem> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 02201861234b9..6f06838833eb4 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -1501,18 +1501,18 @@ </listitem> <listitem> <para> - MultiMC has been replaced with the fork PolyMC due to upstream - developers being hostile to 3rd party package maintainers. - PolyMC removes all MultiMC branding and is aimed at providing - proper 3rd party packages like the one contained in Nixpkgs. - This change affects the data folder where game instances and - other save and configuration files are stored. Users with - existing installations should rename + MultiMC has been replaced with the fork PrismLauncher due to + upstream developers being hostile to 3rd party package + maintainers. PrismLauncher removes all MultiMC branding and is + aimed at providing proper 3rd party packages like the one + contained in Nixpkgs. This change affects the data folder + where game instances and other save and configuration files + are stored. Users with existing installations should rename <literal>~/.local/share/multimc</literal> to - <literal>~/.local/share/polymc</literal>. The main config - file’s path has also moved from + <literal>~/.local/share/PrismLauncher</literal>. The main + config file’s path has also moved from <literal>~/.local/share/multimc/multimc.cfg</literal> to - <literal>~/.local/share/polymc/polymc.cfg</literal>. + <literal>~/.local/share/PrismLauncher/prismlauncher.cfg</literal>. </para> </listitem> <listitem> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml index ec0afe73eb4a2..f36b2cda538c3 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml @@ -139,6 +139,15 @@ </listitem> <listitem> <para> + Improved performances of + <literal>lib.closePropagation</literal> which was previously + quadratic. This is used in e.g. + <literal>ghcWithPackages</literal>. Please see backward + incompatibilities notes below. + </para> + </listitem> + <listitem> + <para> Cinnamon has been updated to 5.4. While at it, the cinnamon module now defaults to blueman as bluetooth manager and slick-greeter as lightdm greeter to match upstream. @@ -182,6 +191,15 @@ </listitem> <listitem> <para> + [xray] (https://github.com/XTLS/Xray-core), a fully compatible + v2ray-core replacement. Features XTLS, which when enabled on + server and client, brings UDP FullCone NAT to proxy setups. + Available as + <link xlink:href="options.html#opt-services.xray.enable">services.xray</link>. + </para> + </listitem> + <listitem> + <para> <link xlink:href="https://github.com/mozilla-services/syncstorage-rs">syncstorage-rs</link>, a self-hostable sync server for Firefox. Available as <link xlink:href="options.html#opt-services.firefox-syncserver.enable">services.firefox-syncserver</link>. @@ -256,6 +274,13 @@ </listitem> <listitem> <para> + <link xlink:href="https://github.com/prymitive/karma">karma</link>, + an alert dashboard for Prometheus Alertmanager. Available as + <link xlink:href="options.html#opt-services.karma.enable">services.karma</link> + </para> + </listitem> + <listitem> + <para> <link xlink:href="https://languagetool.org/">languagetool</link>, a multilingual grammar, style, and spell checker. Available as <link xlink:href="options.html#opt-services.languagetool.enable">services.languagetool</link>. @@ -277,6 +302,13 @@ </listitem> <listitem> <para> + <link xlink:href="https://ntfy.sh">ntfy.sh</link>, a push + notification service. Available as + <link linkend="opt-services.ntfy-sh.enable">services.ntfy-sh</link> + </para> + </listitem> + <listitem> + <para> <link xlink:href="https://git.sr.ht/~migadu/alps">alps</link>, a simple and extensible webmail. Available as <link linkend="opt-services.alps.enable">services.alps</link>. @@ -284,6 +316,13 @@ </listitem> <listitem> <para> + <link xlink:href="https://github.com/skeeto/endlessh">endlessh</link>, + an SSH tarpit. Available as + <link linkend="opt-services.endlessh.enable">services.endlessh</link>. + </para> + </listitem> + <listitem> + <para> <link xlink:href="https://github.com/shizunge/endlessh-go">endlessh-go</link>, an SSH tarpit that exposes Prometheus metrics. Available as <link linkend="opt-services.endlessh-go.enable">services.endlessh-go</link>. @@ -291,6 +330,14 @@ </listitem> <listitem> <para> + <link xlink:href="https://garagehq.deuxfleurs.fr/">Garage</link>, + a simple object storage server for geodistributed deployments, + alternative to MinIO. Available as + <link linkend="opt-services.garage.enable">services.garage</link>. + </para> + </listitem> + <listitem> + <para> <link xlink:href="https://netbird.io">netbird</link>, a zero configuration VPN. Available as <link xlink:href="options.html#opt-services.netbird.enable">services.netbird</link>. @@ -336,6 +383,13 @@ </listitem> <listitem> <para> + <link xlink:href="https://troglobit.com/projects/merecat/">merecat</link>, + a small and easy HTTP server based on thttpd. Available as + <link linkend="opt-services.merecat.enable">services.merecat</link> + </para> + </listitem> + <listitem> + <para> <link xlink:href="https://github.com/L11R/go-autoconfig">go-autoconfig</link>, IMAP/SMTP autodiscover server. Available as <link linkend="opt-services.go-autoconfig.enable">services.go-autoconfig</link>. @@ -396,6 +450,13 @@ <link xlink:href="options.html#opt-services.listmonk.enable">services.listmonk</link>. </para> </listitem> + <listitem> + <para> + <link xlink:href="https://uptime.kuma.pet/">Uptime + Kuma</link>, a fancy self-hosted monitoring tool. Available as + <link linkend="opt-services.uptime-kuma.enable">services.uptime-kuma</link>. + </para> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-22.11-incompatibilities"> @@ -475,6 +536,16 @@ </listitem> <listitem> <para> + <literal>openssh</literal> was updated to version 9.1, + disabling the generation of DSA keys when using + <literal>ssh-keygen -A</literal> as they are insecure. Also, + <literal>SetEnv</literal> directives in + <literal>ssh_config</literal> and + <literal>sshd_config</literal> are now first-match-wins + </para> + </listitem> + <listitem> + <para> <literal>bsp-layout</literal> no longer uses the command <literal>cycle</literal> to switch to other window layouts, as it got replaced by the commands <literal>previous</literal> @@ -531,6 +602,17 @@ </listitem> <listitem> <para> + The ipfs package and module were renamed to kubo. The kubo + module now uses an RFC42-style <literal>settings</literal> + option instead of <literal>extraConfig</literal> and the + <literal>gatewayAddress</literal>, + <literal>apiAddress</literal> and + <literal>swarmAddress</literal> options were renamed. Using + the old names will print a warning but still work. + </para> + </listitem> + <listitem> + <para> <literal>pkgs.cosign</literal> does not provide the <literal>cosigned</literal> binary anymore. The <literal>sget</literal> binary has been moved into its own @@ -581,6 +663,12 @@ </listitem> <listitem> <para> + <literal>lib.closePropagation</literal> now needs that all + gathered sets have an <literal>outPath</literal> attribute. + </para> + </listitem> + <listitem> + <para> lemmy module option <literal>services.lemmy.settings.database.createLocally</literal> moved to @@ -595,6 +683,14 @@ </listitem> <listitem> <para> + The <literal>nix.checkConfig</literal> option now fully + disables the config check. The new + <literal>nix.checkAllErrors</literal> option behaves like + <literal>nix.checkConfig</literal> previously did. + </para> + </listitem> + <listitem> + <para> <literal>generateOptparseApplicativeCompletions</literal> and <literal>generateOptparseApplicativeCompletion</literal> from <literal>haskell.lib.compose</literal> (and @@ -626,6 +722,13 @@ </listitem> <listitem> <para> + The <literal>trace</literal> binary from + <literal>perf-linux</literal> package has been removed, due to + being a duplicate of the <literal>perf</literal> binary. + </para> + </listitem> + <listitem> + <para> The <literal>aws</literal> package has been removed due to being abandoned by the upstream. It is recommended to use <literal>awscli</literal> or <literal>awscli2</literal> @@ -634,6 +737,16 @@ </listitem> <listitem> <para> + The + <link xlink:href="https://ce-programming.github.io/CEmu">CEmu + TI-84 Plus CE emulator</link> package has been renamed to + <literal>cemu-ti</literal>. The + <link xlink:href="https://cemu.info">Cemu Wii U + emulator</link> is now packaged as <literal>cemu</literal>. + </para> + </listitem> + <listitem> + <para> <literal>systemd-networkd</literal> v250 deprecated, renamed, and moved some sections and settings which leads to the following breaking module changes: @@ -709,6 +822,14 @@ </listitem> <listitem> <para> + The <literal>adguardhome</literal> module no longer uses + <literal>host</literal> and <literal>port</literal> options, + use <literal>settings.bind_host</literal> and + <literal>settings.bind_port</literal> instead. + </para> + </listitem> + <listitem> + <para> The default <literal>kops</literal> version is now 1.25.1 and support for 1.22 and older has been dropped. </para> @@ -721,12 +842,47 @@ </listitem> <listitem> <para> + <literal>cassandra_2_1</literal> and + <literal>cassandra_2_2</literal> have been removed. Please + update to <literal>cassandra_3_11</literal> or + <literal>cassandra_3_0</literal>. See the + <link xlink:href="https://github.com/apache/cassandra/blob/cassandra-3.11.14/NEWS.txt">changelog</link> + for more information about the upgrade process. + </para> + </listitem> + <listitem> + <para> + <literal>mysql57</literal> has been removed. Please update to + <literal>mysql80</literal> or <literal>mariadb</literal>. See + the + <link xlink:href="https://mariadb.com/kb/en/upgrading-from-mysql-to-mariadb/">upgrade + guide</link> for more information. + </para> + </listitem> + <listitem> + <para> + Consequently, <literal>cqrlog</literal> and + <literal>amorok</literal> now use <literal>mariadb</literal> + instead of <literal>mysql57</literal> for their embedded + databases. Running <literal>mysql_upgrade</literal> may be + neccesary. + </para> + </listitem> + <listitem> + <para> <literal>k3s</literal> supports <literal>clusterInit</literal> option, and it is enabled by default, for servers. </para> </listitem> <listitem> <para> + <literal>percona-server56</literal> has been removed. Please + migrate to <literal>mysql</literal> or + <literal>mariadb</literal> if possible. + </para> + </listitem> + <listitem> + <para> <literal>stylua</literal> no longer accepts <literal>lua52Support</literal> and <literal>luauSupport</literal> overrides, use @@ -734,6 +890,16 @@ <literal>[ "lua54" "luau" ]</literal>. </para> </listitem> + <listitem> + <para> + <literal>pkgs.fetchNextcloudApp</literal> has been rewritten + to circumvent impurities in e.g. tarballs from GitHub and to + make it easier to apply patches. This means that your hashes + are out-of-date and the (previously required) attributes + <literal>name</literal> and <literal>version</literal> are no + longer accepted. + </para> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-22.11-notable-changes"> @@ -767,6 +933,18 @@ </listitem> <listitem> <para> + ZFS module will not allow hibernation by default, this is a + safety measure to prevent data loss cases like the ones + described at + <link xlink:href="https://github.com/openzfs/zfs/issues/260">OpenZFS/260</link> + and + <link xlink:href="https://github.com/openzfs/zfs/issues/12842">OpenZFS/12842</link>. + Use the <literal>boot.zfs.allowHibernation</literal> option to + configure this behaviour. + </para> + </listitem> + <listitem> + <para> The Redis module now disables RDB persistence when <literal>services.redis.servers.<name>.save = []</literal> instead of using the Redis default. @@ -787,12 +965,84 @@ </listitem> <listitem> <para> + The option <literal>overrideStrategy</literal> was added to + the different systemd unit options + (<literal>systemd.services.<name></literal>, + <literal>systemd.sockets.<name></literal>, …) to allow + enforcing the creation of a dropin file, rather than the main + unit file, by setting it to <literal>asDropin</literal>. This + is useful in cases where the existence of the main unit file + is not known to Nix at evaluation time, for example when the + main unit file is provided by adding a package to + <literal>systemd.packages</literal>. See the fix proposed in + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/135557#issuecomment-1295392470">NixOS’s + systemd abstraction doesn’t work with systemd template + units</link> for an example. + </para> + </listitem> + <listitem> + <para> + The <literal>polymc</literal> package has been removed due to + a rogue maintainer. It has been replaced by + <literal>prismlauncher</literal>, a fork by the rest of the + maintainers. For more details, see + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/196624">the + pull request that made this change</link> and + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/196460">this + issue detailing the vulnerability</link>. Users with existing + installations should rename + <literal>~/.local/share/polymc</literal> to + <literal>~/.local/share/PrismLauncher</literal>. The main + config file’s path has also moved from + <literal>~/.local/share/polymc/polymc.cfg</literal> to + <literal>~/.local/share/PrismLauncher/prismlauncher.cfg</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>bloat</literal> package has been updated from + unstable-2022-03-31 to unstable-2022-10-25, which brings a + breaking change. See + <link xlink:href="https://git.freesoftwareextremist.com/bloat/commit/?id=887ed241d64ba5db3fd3d87194fb5595e5ad7d73">this + upstream commit message</link> for details. + </para> + </listitem> + <listitem> + <para> The <literal>services.matrix-synapse</literal> systemd unit has been hardened. </para> </listitem> <listitem> <para> + The <literal>services.grafana</literal> options were converted + to a + <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC + 0042</link> configuration. + </para> + </listitem> + <listitem> + <para> + The <literal>services.grafana.provision.datasources</literal> + and <literal>services.grafana.provision.dashboards</literal> + options were converted to a + <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC + 0042</link> configuration. They also now support specifying + the provisioning YAML file with <literal>path</literal> + option. + </para> + </listitem> + <listitem> + <para> + The <literal>services.grafana.provision.alerting</literal> + option was added. It includes suboptions for every + alerting-related objects (with the exception of + <literal>notifiers</literal>), which means it’s now possible + to configure modern Grafana alerting declaratively. + </para> + </listitem> + <listitem> + <para> Matrix Synapse now requires entries in the <literal>state_group_edges</literal> table to be unique, in order to prevent accidentally introducing duplicate @@ -867,6 +1117,48 @@ </listitem> <listitem> <para> + Nextcloud has been updated to version + <emphasis role="strong">25</emphasis>. Additionally the + following things have changed for Nextcloud in NixOS: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + For Nextcloud <emphasis role="strong">>=24</emphasis>, + the default PHP version is 8.1. + </para> + </listitem> + <listitem> + <para> + Nextcloud <emphasis role="strong">23</emphasis> has been + removed since it will reach its + <link xlink:href="https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule/d76576a12a626d53305d480a6065b57cab705d3d">end + of life in December 2022</link>. + </para> + </listitem> + <listitem> + <para> + For <literal>system.stateVersion</literal> being + <emphasis role="strong">>=22.11</emphasis>, Nextcloud + 25 will be installed by default. For older versions, + Nextcloud 24 will be installed. + </para> + </listitem> + <listitem> + <para> + Please ensure that you only upgrade on major release at a + time! Nextcloud doesn’t support upgrades across multiple + versions, i.e. an upgrade from + <emphasis role="strong">23</emphasis> to + <emphasis role="strong">25</emphasis> is only possible + when upgrading to <emphasis role="strong">24</emphasis> + first. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> Add udev rules for the Teensy family of microcontrollers. </para> </listitem> @@ -887,6 +1179,13 @@ </listitem> <listitem> <para> + The <literal>tt-rss</literal> service performs two database + migrations when you first use its web UI after upgrade. + Consider backing up its database before updating. + </para> + </listitem> + <listitem> + <para> The <literal>pass-secret-service</literal> package now includes systemd units from upstream, so adding it to the NixOS <literal>services.dbus.packages</literal> option will @@ -909,6 +1208,29 @@ </listitem> <listitem> <para> + The default package for + <literal>services.mullvad-vpn.package</literal> was changed to + <literal>pkgs.mullvad</literal>, allowing cross-platform usage + of Mullvad. <literal>pkgs.mullvad</literal> only contains the + Mullvad CLI tool, so users who rely on the Mullvad GUI will + want to change it back to <literal>pkgs.mullvad-vpn</literal>, + or add <literal>pkgs.mullvad-vpn</literal> to their + environment. + </para> + </listitem> + <listitem> + <para> + PowerDNS has been updated from <literal>4.6.x</literal> to + <literal>4.7.x</literal>. Please be sure to review the + <link xlink:href="https://doc.powerdns.com/authoritative/upgrading.html#to-4-7-0-or-master">Upgrade + Notes</link> provided by upstream before upgrading. Worth + specifically noting is that the new Catalog Zones feature + comes with a mandatory schema change for the gsql database + backends, which has to be manually applied. + </para> + </listitem> + <listitem> + <para> There is a new module for the <literal>thunar</literal> program (the Xfce file manager), which depends on the <literal>xfconf</literal> dbus service, and also has a dbus diff --git a/nixos/doc/manual/installation/installing-usb.section.md b/nixos/doc/manual/installation/installing-usb.section.md index d893e22e6381b..da32935a7a108 100644 --- a/nixos/doc/manual/installation/installing-usb.section.md +++ b/nixos/doc/manual/installation/installing-usb.section.md @@ -1,31 +1,72 @@ -# Booting from a USB Drive {#sec-booting-from-usb} +# Booting from a USB flash drive {#sec-booting-from-usb} -For systems without CD drive, the NixOS live CD can be booted from a USB -stick. You can use the `dd` utility to write the image: -`dd if=path-to-image of=/dev/sdX`. Be careful about specifying the correct -drive; you can use the `lsblk` command to get a list of block devices. +The image has to be written verbatim to the USB flash drive for it to be +bootable on UEFI and BIOS systems. Here are the recommended tools to do that. -::: {.note} -::: {.title} -On macOS -::: +## Creating bootable USB flash drive with a graphical tool {#sec-booting-from-usb-graphical} + +Etcher is a popular and user-friendly tool. It works on Linux, Windows and macOS. + +Download it from [balena.io](https://www.balena.io/etcher/), start the program, +select the downloaded NixOS ISO, then select the USB flash drive and flash it. -```ShellSession -$ diskutil list -[..] -/dev/diskN (external, physical): - #: TYPE NAME SIZE IDENTIFIER -[..] -$ diskutil unmountDisk diskN -Unmount of all volumes on diskN was successful -$ sudo dd if=nix.iso of=/dev/rdiskN bs=1M -``` - -Using the \'raw\' `rdiskN` device instead of `diskN` completes in -minutes instead of hours. After `dd` completes, a GUI dialog \"The disk -you inserted was not readable by this computer\" will pop up, which can -be ignored. +::: {.warning} +Etcher reports errors and usage statistics by default, which can be disabled in +the settings. ::: -The `dd` utility will write the image verbatim to the drive, making it -the recommended option for both UEFI and non-UEFI installations. +An alternative is [USBImager](https://bztsrc.gitlab.io/usbimager), +which is very simple and does not connect to the internet. Download the version +with write-only (wo) interface for your system. Start the program, +select the image, select the USB flash drive and click "Write". + +## Creating bootable USB flash drive from a Terminal on Linux {#sec-booting-from-usb-linux} + +1. Plug in the USB flash drive. +2. Find the corresponding device with `lsblk`. You can distinguish them by + their size. +3. Make sure all partitions on the device are properly unmounted. Replace `sdX` + with your device (e.g. `sdb`). + + ```ShellSession + sudo umount /dev/sdX* + ``` + +4. Then use the `dd` utility to write the image to the USB flash drive. + + ```ShellSession + sudo dd if=<path-to-image> of=/dev/sdX bs=4M conv=fsync + ``` + +## Creating bootable USB flash drive from a Terminal on macOS {#sec-booting-from-usb-macos} + +1. Plug in the USB flash drive. +2. Find the corresponding device with `diskutil list`. You can distinguish them + by their size. +3. Make sure all partitions on the device are properly unmounted. Replace `diskX` + with your device (e.g. `disk1`). + + ```ShellSession + diskutil unmountDisk diskX + ``` + +4. Then use the `dd` utility to write the image to the USB flash drive. + + ```ShellSession + sudo dd if=<path-to-image> of=/dev/rdiskX bs=4m + ``` + + After `dd` completes, a GUI dialog \"The disk + you inserted was not readable by this computer\" will pop up, which can + be ignored. + + ::: {.note} + Using the \'raw\' `rdiskX` device instead of `diskX` with dd completes in + minutes instead of hours. + ::: + +5. Eject the disk when it is finished. + + ```ShellSession + diskutil eject /dev/diskX + ``` diff --git a/nixos/doc/manual/installation/installing.chapter.md b/nixos/doc/manual/installation/installing.chapter.md index b1e58b14b7838..44e7e29421d65 100644 --- a/nixos/doc/manual/installation/installing.chapter.md +++ b/nixos/doc/manual/installation/installing.chapter.md @@ -1,30 +1,143 @@ # Installing NixOS {#sec-installation} -## Booting the system {#sec-installation-booting} +## Booting from the install medium {#sec-installation-booting} + +To begin the installation, you have to boot your computer from the install drive. + +1. Plug in the install drive. Then turn on or restart your computer. + +2. Open the boot menu by pressing the appropriate key, which is usually shown + on the display on early boot. + Select the USB flash drive (the option usually contains the word "USB"). + If you choose the incorrect drive, your computer will likely continue to + boot as normal. In that case restart your computer and pick a + different drive. + + ::: {.note} + The key to open the boot menu is different across computer brands and even + models. It can be <kbd>F12</kbd>, but also <kbd>F1</kbd>, + <kbd>F9</kbd>, <kbd>F10</kbd>, <kbd>Enter</kbd>, <kbd>Del</kbd>, + <kbd>Esc</kbd> or another function key. If you are unsure and don't see + it on the early boot screen, you can search online for your computers + brand, model followed by "boot from usb". + The computer might not even have that feature, so you have to go into the + BIOS/UEFI settings to change the boot order. Again, search online for + details about your specific computer model. + + For Apple computers with Intel processors press and hold the <kbd>⌥</kbd> + (Option or Alt) key until you see the boot menu. On Apple silicon press + and hold the power button. + ::: + + ::: {.note} + If your computer supports both BIOS and UEFI boot, choose the UEFI option. + ::: + + ::: {.note} + If you use a CD for the installation, the computer will probably boot from + it automatically. If not, choose the option containing the word "CD" from + the boot menu. + ::: + +3. Shortly after selecting the appropriate boot drive, you should be + presented with a menu with different installer options. Leave the default + and wait (or press <kbd>Enter</kbd> to speed up). + +4. The graphical images will start their corresponding desktop environment + and the graphical installer, which can take some time. The minimal images + will boot to a command line. You have to follow the instructions in + [](#sec-installation-manual) there. + +## Graphical Installation {#sec-installation-graphical} + +The graphical installer is recommended for desktop users and will guide you +through the installation. + +1. In the "Welcome" screen, you can select the language of the Installer and + the installed system. + + ::: {.tip} + Leaving the language as "American English" will make it easier to search for + error messages in a search engine or to report an issue. + ::: + +2. Next you should choose your location to have the timezone set correctly. + You can actually click on the map! + + ::: {.note} + The installer will use an online service to guess your location based on + your public IP address. + ::: + +3. Then you can select the keyboard layout. The default keyboard model should + work well with most desktop keyboards. If you have a special keyboard or + notebook, your model might be in the list. Select the language you are most + comfortable typing in. + +4. On the "Users" screen, you have to type in your display name, login name + and password. You can also enable an option to automatically login to the + desktop. + +5. Then you have the option to choose a desktop environment. If you want to + create a custom setup with a window manager, you can select "No desktop". + + ::: {.tip} + If you don't have a favorite desktop and don't know which one to choose, + you can stick to either GNOME or Plasma. They have a quite different + design, so you should choose whichever you like better. + They are both popular choices and well tested on NixOS. + ::: + +6. You have the option to allow unfree software in the next screen. + +7. The easiest option in the "Partitioning" screen is "Erase disk", which will + delete all data from the selected disk and install the system on it. + Also select "Swap (with Hibernation)" in the dropdown below it. + You have the option to encrypt the whole disk with LUKS. + + ::: {.note} + At the top left you see if the Installer was booted with BIOS or UEFI. If + you know your system supports UEFI and it shows "BIOS", reboot with the + correct option. + ::: + + ::: {.warning} + Make sure you have selected the correct disk at the top and that no + valuable data is still on the disk! It will be deleted when + formatting the disk. + ::: + +8. Check the choices you made in the "Summary" and click "Install". + + ::: {.note} + The installation takes about 15 minutes. The time varies based on the + selected desktop environment, internet connection speed and disk write speed. + ::: + +9. When the install is complete, remove the USB flash drive and + reboot into your new system! + +## Manual Installation {#sec-installation-manual} NixOS can be installed on BIOS or UEFI systems. The procedure for a UEFI -installation is by and large the same as a BIOS installation. The -differences are mentioned in the steps that follow. +installation is broadly the same as for a BIOS installation. The differences +are mentioned in the following steps. -The installation media can be burned to a CD, or now more commonly, -"burned" to a USB drive (see [](#sec-booting-from-usb)). +The NixOS manual is available by running `nixos-help` in the command line +or from the application menu in the desktop environment. -The installation media contains a basic NixOS installation. When it's -finished booting, it should have detected most of your hardware. - -The NixOS manual is available by running `nixos-help`. +To have access to the command line on the graphical images, open +Terminal (GNOME) or Konsole (Plasma) from the application menu. You are logged-in automatically as `nixos`. The `nixos` user account has an empty password so you can use `sudo` without a password: + ```ShellSession $ sudo -i ``` -If you downloaded the graphical ISO image, you can run `systemctl -start display-manager` to start the desktop environment. If you want -to continue on the terminal, you can use `loadkeys` to switch to your -preferred keyboard layout. (We even provide neo2 via `loadkeys de -neo`!) +You can use `loadkeys` to switch to your preferred keyboard layout. +(We even provide neo2 via `loadkeys de neo`!) If the text is too small to be legible, try `setfont ter-v32n` to increase the font size. @@ -33,7 +146,8 @@ To install over a serial port connect with `115200n8` (e.g. `picocom -b 115200 /dev/ttyUSB0`). When the bootloader lists boot entries, select the serial console boot entry. -### Networking in the installer {#sec-installation-booting-networking} +### Networking in the installer {#sec-installation-manual-networking} +[]{#sec-installation-booting-networking} <!-- legacy anchor --> The boot process should have brought up networking (check `ip a`). Networking is necessary for the installer, since it will @@ -100,7 +214,8 @@ placed by mounting the image on a different machine). Alternatively you must set a password for either `root` or `nixos` with `passwd` to be able to login. -## Partitioning and formatting {#sec-installation-partitioning} +### Partitioning and formatting {#sec-installation-manual-partitioning} +[]{#sec-installation-partitioning} <!-- legacy anchor --> The NixOS installer doesn't do any partitioning or formatting, so you need to do that yourself. @@ -112,7 +227,8 @@ below use `parted`, but also provides `fdisk`, `gdisk`, `cfdisk`, and The recommended partition scheme differs depending if the computer uses *Legacy Boot* or *UEFI*. -### UEFI (GPT) {#sec-installation-partitioning-UEFI} +#### UEFI (GPT) {#sec-installation-manual-partitioning-UEFI} +[]{#sec-installation-partitioning-UEFI} <!-- legacy anchor --> Here\'s an example partition scheme for UEFI, using `/dev/sda` as the device. @@ -158,9 +274,10 @@ update /etc/fstab. ``` Once complete, you can follow with -[](#sec-installation-partitioning-formatting). +[](#sec-installation-manual-partitioning-formatting). -### Legacy Boot (MBR) {#sec-installation-partitioning-MBR} +#### Legacy Boot (MBR) {#sec-installation-manual-partitioning-MBR} +[]{#sec-installation-partitioning-MBR} <!-- legacy anchor --> Here\'s an example partition scheme for Legacy Boot, using `/dev/sda` as the device. @@ -202,9 +319,10 @@ update /etc/fstab. ::: Once complete, you can follow with -[](#sec-installation-partitioning-formatting). +[](#sec-installation-manual-partitioning-formatting). -### Formatting {#sec-installation-partitioning-formatting} +#### Formatting {#sec-installation-manual-partitioning-formatting} +[]{#sec-installation-partitioning-formatting} <!-- legacy anchor --> Use the following commands: @@ -239,7 +357,8 @@ Use the following commands: - For creating software RAID devices, use `mdadm`. -## Installing {#sec-installation-installing} +### Installing {#sec-installation-manual-installing} +[]{#sec-installation-installing} <!-- legacy anchor --> 1. Mount the target file system on which NixOS should be installed on `/mnt`, e.g. @@ -410,7 +529,8 @@ Use the following commands: You may also want to install some software. This will be covered in [](#sec-package-management). -## Installation summary {#sec-installation-summary} +### Installation summary {#sec-installation-manual-summary} +[]{#sec-installation-summary} <!-- legacy anchor --> To summarise, [Example: Commands for Installing NixOS on `/dev/sda`](#ex-install-sequence) shows a typical sequence of commands for installing NixOS on an empty hard diff --git a/nixos/doc/manual/installation/obtaining.chapter.md b/nixos/doc/manual/installation/obtaining.chapter.md index 832ec6146a9d9..a72194ecf9853 100644 --- a/nixos/doc/manual/installation/obtaining.chapter.md +++ b/nixos/doc/manual/installation/obtaining.chapter.md @@ -1,24 +1,21 @@ # Obtaining NixOS {#sec-obtaining} NixOS ISO images can be downloaded from the [NixOS download -page](https://nixos.org/nixos/download.html). There are a number of -installation options. If you happen to have an optical drive and a spare -CD, burning the image to CD and booting from that is probably the -easiest option. Most people will need to prepare a USB stick to boot -from. [](#sec-booting-from-usb) describes the preferred method to -prepare a USB stick. A number of alternative methods are presented in -the [NixOS Wiki](https://nixos.wiki/wiki/NixOS_Installation_Guide#Making_the_installation_media). +page](https://nixos.org/download.html#nixos-iso). Follow the instructions in +[](#sec-booting-from-usb) to create a bootable USB flash drive. + +If you have a very old system that can't boot from USB, you can burn the image +to an empty CD. NixOS might not work very well on such systems. As an alternative to installing NixOS yourself, you can get a running NixOS system through several other means: - Using virtual appliances in Open Virtualization Format (OVF) that can be imported into VirtualBox. These are available from the [NixOS - download page](https://nixos.org/nixos/download.html). + download page](https://nixos.org/download.html#nixos-virtualbox). -- Using AMIs for Amazon's EC2. To find one for your region and - instance type, please refer to the [list of most recent - AMIs](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/ec2-amis.nix). +- Using AMIs for Amazon's EC2. To find one for your region, please refer + to the [download page](https://nixos.org/download.html#nixos-amazon). - Using NixOps, the NixOS-based cloud deployment tool, which allows you to provision VirtualBox and EC2 NixOS instances from declarative diff --git a/nixos/doc/manual/md-to-db.sh b/nixos/doc/manual/md-to-db.sh index 2091f9b31cd2f..beb0ff9f70828 100755 --- a/nixos/doc/manual/md-to-db.sh +++ b/nixos/doc/manual/md-to-db.sh @@ -19,6 +19,7 @@ pandoc_flags=( "--lua-filter=$DIR/../../../doc/build-aux/pandoc-filters/myst-reader/roles.lua" "--lua-filter=$DIR/../../../doc/build-aux/pandoc-filters/link-unix-man-references.lua" "--lua-filter=$DIR/../../../doc/build-aux/pandoc-filters/docbook-writer/rst-roles.lua" + "--lua-filter=$DIR/../../../doc/build-aux/pandoc-filters/docbook-writer/html-elements.lua" "--lua-filter=$DIR/../../../doc/build-aux/pandoc-filters/docbook-writer/labelless-link-is-xref.lua" -f "commonmark${pandoc_commonmark_enabled_extensions}+smart" -t docbook diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 2d2140d92d590..6fe5eba212f38 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -581,7 +581,15 @@ In addition to numerous new and upgraded packages, this release has the followin - The `miller` package has been upgraded from 5.10.3 to [6.2.0](https://github.com/johnkerl/miller/releases/tag/v6.2.0). See [What's new in Miller 6](https://miller.readthedocs.io/en/latest/new-in-miller-6). -- MultiMC has been replaced with the fork PolyMC due to upstream developers being hostile to 3rd party package maintainers. PolyMC removes all MultiMC branding and is aimed at providing proper 3rd party packages like the one contained in Nixpkgs. This change affects the data folder where game instances and other save and configuration files are stored. Users with existing installations should rename `~/.local/share/multimc` to `~/.local/share/polymc`. The main config file's path has also moved from `~/.local/share/multimc/multimc.cfg` to `~/.local/share/polymc/polymc.cfg`. +- MultiMC has been replaced with the fork PrismLauncher due to upstream + developers being hostile to 3rd party package maintainers. PrismLauncher + removes all MultiMC branding and is aimed at providing proper 3rd party + packages like the one contained in Nixpkgs. This change affects the data + folder where game instances and other save and configuration files are stored. + Users with existing installations should rename `~/.local/share/multimc` to + `~/.local/share/PrismLauncher`. The main config file's path has also moved + from `~/.local/share/multimc/multimc.cfg` to + `~/.local/share/PrismLauncher/prismlauncher.cfg`. - `systemd-nspawn@.service` settings have been reverted to the default systemd behaviour. User namespaces are now activated by default. If you want to keep running nspawn containers without user namespaces you need to set `systemd.nspawn.<name>.execConfig.PrivateUsers = false` diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md index 1028a975f30f8..8b24a6146270e 100644 --- a/nixos/doc/manual/release-notes/rl-2211.section.md +++ b/nixos/doc/manual/release-notes/rl-2211.section.md @@ -55,6 +55,8 @@ In addition to numerous new and upgraded packages, this release has the followin - Perl has been updated to 5.36, and its core module `HTTP::Tiny` was patched to verify SSL/TLS certificates by default. +- Improved performances of `lib.closePropagation` which was previously quadratic. This is used in e.g. `ghcWithPackages`. Please see backward incompatibilities notes below. + - Cinnamon has been updated to 5.4. While at it, the cinnamon module now defaults to blueman as bluetooth manager and slick-greeter as lightdm greeter to match upstream. @@ -69,6 +71,9 @@ In addition to numerous new and upgraded packages, this release has the followin ## New Services {#sec-release-22.11-new-services} - [appvm](https://github.com/jollheef/appvm), Nix based app VMs. Available as [virtualisation.appvm](options.html#opt-virtualisation.appvm.enable). + +- [xray] (https://github.com/XTLS/Xray-core), a fully compatible v2ray-core replacement. Features XTLS, which when enabled on server and client, brings UDP FullCone NAT to proxy setups. Available as [services.xray](options.html#opt-services.xray.enable). + - [syncstorage-rs](https://github.com/mozilla-services/syncstorage-rs), a self-hostable sync server for Firefox. Available as [services.firefox-syncserver](options.html#opt-services.firefox-syncserver.enable). - [dragonflydb](https://dragonflydb.io/), a modern replacement for Redis and Memcached. Available as [services.dragonflydb](#opt-services.dragonflydb.enable). @@ -91,6 +96,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [kanata](https://github.com/jtroo/kanata), a tool to improve keyboard comfort and usability with advanced customization. Available as [services.kanata](options.html#opt-services.kanata.enable). +- [karma](https://github.com/prymitive/karma), an alert dashboard for Prometheus Alertmanager. Available as [services.karma](options.html#opt-services.karma.enable) + - [languagetool](https://languagetool.org/), a multilingual grammar, style, and spell checker. Available as [services.languagetool](options.html#opt-services.languagetool.enable). @@ -98,10 +105,16 @@ In addition to numerous new and upgraded packages, this release has the followin - [Outline](https://www.getoutline.com/), a wiki and knowledge base similar to Notion. Available as [services.outline](#opt-services.outline.enable). +- [ntfy.sh](https://ntfy.sh), a push notification service. Available as [services.ntfy-sh](#opt-services.ntfy-sh.enable) + - [alps](https://git.sr.ht/~migadu/alps), a simple and extensible webmail. Available as [services.alps](#opt-services.alps.enable). +- [endlessh](https://github.com/skeeto/endlessh), an SSH tarpit. Available as [services.endlessh](#opt-services.endlessh.enable). + - [endlessh-go](https://github.com/shizunge/endlessh-go), an SSH tarpit that exposes Prometheus metrics. Available as [services.endlessh-go](#opt-services.endlessh-go.enable). +- [Garage](https://garagehq.deuxfleurs.fr/), a simple object storage server for geodistributed deployments, alternative to MinIO. Available as [services.garage](#opt-services.garage.enable). + - [netbird](https://netbird.io), a zero configuration VPN. Available as [services.netbird](options.html#opt-services.netbird.enable). @@ -115,6 +128,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [expressvpn](https://www.expressvpn.com), the CLI client for ExpressVPN. Available as [services.expressvpn](#opt-services.expressvpn.enable). +- [merecat](https://troglobit.com/projects/merecat/), a small and easy HTTP server based on thttpd. Available as [services.merecat](#opt-services.merecat.enable) + - [go-autoconfig](https://github.com/L11R/go-autoconfig), IMAP/SMTP autodiscover server. Available as [services.go-autoconfig](#opt-services.go-autoconfig.enable). - [tmate-ssh-server](https://github.com/tmate-io/tmate-ssh-server), server side part of [tmate](https://tmate.io/). Available as [services.tmate-ssh-server](#opt-services.tmate-ssh-server.enable). @@ -132,6 +147,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - [Listmonk](https://listmonk.app), a self-hosted newsletter manager. Enable using [services.listmonk](options.html#opt-services.listmonk.enable). +- [Uptime Kuma](https://uptime.kuma.pet/), a fancy self-hosted monitoring tool. Available as [services.uptime-kuma](#opt-services.uptime-kuma.enable). + <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> ## Backward Incompatibilities {#sec-release-22.11-incompatibilities} @@ -158,6 +175,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - The `fetchgit` fetcher now uses [cone mode](https://www.git-scm.com/docs/git-sparse-checkout/2.37.0#_internalscone_mode_handling) by default for sparse checkouts. [Non-cone mode](https://www.git-scm.com/docs/git-sparse-checkout/2.37.0#_internalsnon_cone_problems) can be enabled by passing `nonConeMode = true`, but note that non-cone mode is deprecated and this option may be removed alongside a future Git update without notice. +- `openssh` was updated to version 9.1, disabling the generation of DSA keys when using `ssh-keygen -A` as they are insecure. Also, `SetEnv` directives in `ssh_config` and `sshd_config` are now first-match-wins + - `bsp-layout` no longer uses the command `cycle` to switch to other window layouts, as it got replaced by the commands `previous` and `next`. - The Barco ClickShare driver/client package `pkgs.clickshare-csc1` and the option `programs.clickshare-csc1.enable` have been removed, @@ -178,6 +197,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - PHP 7.4 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 22.11 release. +- The ipfs package and module were renamed to kubo. The kubo module now uses an RFC42-style `settings` option instead of `extraConfig` and the `gatewayAddress`, `apiAddress` and `swarmAddress` options were renamed. Using the old names will print a warning but still work. + - `pkgs.cosign` does not provide the `cosigned` binary anymore. The `sget` binary has been moved into its own package. - Emacs now uses the Lucid toolkit by default instead of GTK because of stability and compatibility issues. @@ -191,11 +212,15 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - `teleport` has been upgraded to major version 10. Please see upstream [upgrade instructions](https://goteleport.com/docs/ver/10.0/management/operations/upgrading/) and [release notes](https://goteleport.com/docs/ver/10.0/changelog/#1000). +- `lib.closePropagation` now needs that all gathered sets have an `outPath` attribute. + - lemmy module option `services.lemmy.settings.database.createLocally` moved to `services.lemmy.database.createLocally`. - virtlyst package and `services.virtlyst` module removed, due to lack of maintainers. +- The `nix.checkConfig` option now fully disables the config check. The new `nix.checkAllErrors` option behaves like `nix.checkConfig` previously did. + - `generateOptparseApplicativeCompletions` and `generateOptparseApplicativeCompletion` from `haskell.lib.compose` (and `haskell.lib`) have been deprecated in favor of `generateOptparseApplicativeCompletions` (plural!) as provided by the haskell package sets (so `haskellPackages.generateOptparseApplicativeCompletions` etc.). @@ -210,8 +235,12 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). `python3.pkgs.influxgraph` packages, have been removed due to lack of upstream maintenance. +- The `trace` binary from `perf-linux` package has been removed, due to being a duplicate of the `perf` binary. + - The `aws` package has been removed due to being abandoned by the upstream. It is recommended to use `awscli` or `awscli2` instead. +- The [CEmu TI-84 Plus CE emulator](https://ce-programming.github.io/CEmu) package has been renamed to `cemu-ti`. The [Cemu Wii U emulator](https://cemu.info) is now packaged as `cemu`. + - `systemd-networkd` v250 deprecated, renamed, and moved some sections and settings which leads to the following breaking module changes: * `systemd.network.networks.<name>.dhcpV6PrefixDelegationConfig` is renamed to `systemd.network.networks.<name>.dhcpPrefixDelegationConfig`. @@ -228,14 +257,27 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). Use `configure.packages` instead. - Neovim can not be configured with plug anymore (still works for vim). +- The `adguardhome` module no longer uses `host` and `port` options, use `settings.bind_host` and `settings.bind_port` instead. + - The default `kops` version is now 1.25.1 and support for 1.22 and older has been dropped. - `k3s` no longer supports docker as runtime due to upstream dropping support. +- `cassandra_2_1` and `cassandra_2_2` have been removed. Please update to `cassandra_3_11` or `cassandra_3_0`. See the [changelog](https://github.com/apache/cassandra/blob/cassandra-3.11.14/NEWS.txt) for more information about the upgrade process. + +- `mysql57` has been removed. Please update to `mysql80` or `mariadb`. See the [upgrade guide](https://mariadb.com/kb/en/upgrading-from-mysql-to-mariadb/) for more information. + +- Consequently, `cqrlog` and `amorok` now use `mariadb` instead of `mysql57` for their embedded databases. Running `mysql_upgrade` may be neccesary. - `k3s` supports `clusterInit` option, and it is enabled by default, for servers. +- `percona-server56` has been removed. Please migrate to `mysql` or `mariadb` if possible. + - `stylua` no longer accepts `lua52Support` and `luauSupport` overrides, use `features` instead, which defaults to `[ "lua54" "luau" ]`. +- `pkgs.fetchNextcloudApp` has been rewritten to circumvent impurities in e.g. tarballs from GitHub and to make it easier to + apply patches. This means that your hashes are out-of-date and the (previously required) attributes `name` and `version` + are no longer accepted. + <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> ## Other Notable Changes {#sec-release-22.11-notable-changes} @@ -246,14 +288,38 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - A new module was added for the Saleae Logic device family, providing the options `hardware.saleae-logic.enable` and `hardware.saleae-logic.package`. +- ZFS module will not allow hibernation by default, this is a safety measure to prevent data loss cases like the ones described at [OpenZFS/260](https://github.com/openzfs/zfs/issues/260) and [OpenZFS/12842](https://github.com/openzfs/zfs/issues/12842). Use the `boot.zfs.allowHibernation` option to configure this behaviour. + - The Redis module now disables RDB persistence when `services.redis.servers.<name>.save = []` instead of using the Redis default. - Neo4j was updated from version 3 to version 4. See this [migration guide](https://neo4j.com/docs/upgrade-migration-guide/current/) on how to migrate your Neo4j instance. - The `networking.wireguard` module now can set the mtu on interfaces and tag its packets with an fwmark. +- The option `overrideStrategy` was added to the different systemd unit options (`systemd.services.<name>`, `systemd.sockets.<name>`, …) to allow enforcing the creation of a dropin file, rather than the main unit file, by setting it to `asDropin`. + This is useful in cases where the existence of the main unit file is not known to Nix at evaluation time, for example when the main unit file is provided by adding a package to `systemd.packages`. + See the fix proposed in [NixOS's systemd abstraction doesn't work with systemd template units](https://github.com/NixOS/nixpkgs/issues/135557#issuecomment-1295392470) for an example. + +- The `polymc` package has been removed due to a rogue maintainer. It has been + replaced by `prismlauncher`, a fork by the rest of the maintainers. For more + details, see [the pull request that made this + change](https://github.com/NixOS/nixpkgs/pull/196624) and [this issue + detailing the vulnerability](https://github.com/NixOS/nixpkgs/issues/196460). + Users with existing installations should rename `~/.local/share/polymc` to + `~/.local/share/PrismLauncher`. The main config file's path has also moved + from `~/.local/share/polymc/polymc.cfg` to + `~/.local/share/PrismLauncher/prismlauncher.cfg`. + +- The `bloat` package has been updated from unstable-2022-03-31 to unstable-2022-10-25, which brings a breaking change. See [this upstream commit message](https://git.freesoftwareextremist.com/bloat/commit/?id=887ed241d64ba5db3fd3d87194fb5595e5ad7d73) for details. + - The `services.matrix-synapse` systemd unit has been hardened. +- The `services.grafana` options were converted to a [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) configuration. + +- The `services.grafana.provision.datasources` and `services.grafana.provision.dashboards` options were converted to a [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) configuration. They also now support specifying the provisioning YAML file with `path` option. + +- The `services.grafana.provision.alerting` option was added. It includes suboptions for every alerting-related objects (with the exception of `notifiers`), which means it's now possible to configure modern Grafana alerting declaratively. + - Matrix Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation. - The `diamond` package has been update from 0.8.36 to 2.0.15. See the [upstream release notes](https://github.com/bbuchfink/diamond/releases) for more details. @@ -272,6 +338,16 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - The udisks2 service, available at `services.udisks2.enable`, is now disabled by default. It will automatically be enabled through services and desktop environments as needed. This also means that polkit will now actually be disabled by default. The default for `security.polkit.enable` was already flipped in the previous release, but udisks2 being enabled by default re-enabled it. +- Nextcloud has been updated to version **25**. Additionally the following things have changed + for Nextcloud in NixOS: + - For Nextcloud **>=24**, the default PHP version is 8.1. + - Nextcloud **23** has been removed since it will reach its [end of life in December 2022](https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule/d76576a12a626d53305d480a6065b57cab705d3d). + - For `system.stateVersion` being **>=22.11**, Nextcloud 25 will be installed by default. For older versions, + Nextcloud 24 will be installed. + - Please ensure that you only upgrade on major release at a time! Nextcloud doesn't support + upgrades across multiple versions, i.e. an upgrade from **23** to **25** is only possible + when upgrading to **24** first. + - Add udev rules for the Teensy family of microcontrollers. - systemd-oomd is enabled by default. Depending on which systemd units have @@ -282,6 +358,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). [systemd.oomd.enableRootSlice](options.html#opt-systemd.oomd.enableRootSlice), [systemd.oomd.enableSystemSlice](options.html#opt-systemd.oomd.enableSystemSlice), and [systemd.oomd.enableUserServices](options.html#opt-systemd.oomd.enableUserServices). + +- The `tt-rss` service performs two database migrations when you first use its web UI after upgrade. Consider backing up its database before updating. - The `pass-secret-service` package now includes systemd units from upstream, so adding it to the NixOS `services.dbus.packages` option will make it start automatically as a systemd user service when an application tries to talk to the libsecret D-Bus API. @@ -289,6 +367,10 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - The Wordpress module got support for installing language packs through `services.wordpress.sites.<site>.languages`. +- The default package for `services.mullvad-vpn.package` was changed to `pkgs.mullvad`, allowing cross-platform usage of Mullvad. `pkgs.mullvad` only contains the Mullvad CLI tool, so users who rely on the Mullvad GUI will want to change it back to `pkgs.mullvad-vpn`, or add `pkgs.mullvad-vpn` to their environment. + +- PowerDNS has been updated from `4.6.x` to `4.7.x`. Please be sure to review the [Upgrade Notes](https://doc.powerdns.com/authoritative/upgrading.html#to-4-7-0-or-master) provided by upstream before upgrading. Worth specifically noting is that the new Catalog Zones feature comes with a mandatory schema change for the gsql database backends, which has to be manually applied. + - There is a new module for the `thunar` program (the Xfce file manager), which depends on the `xfconf` dbus service, and also has a dbus service and a systemd unit. The option `services.xserver.desktopManager.xfce.thunarPlugins` has been renamed to `programs.thunar.plugins`, and in a future release it may be removed. - There is a new module for the `xfconf` program (the Xfce configuration storage system), which has a dbus service. diff --git a/nixos/lib/make-options-doc/default.nix b/nixos/lib/make-options-doc/default.nix index 6a1bb868c20de..dde3cac1c1bab 100644 --- a/nixos/lib/make-options-doc/default.nix +++ b/nixos/lib/make-options-doc/default.nix @@ -122,10 +122,14 @@ in rec { optionsJSON = pkgs.runCommand "options.json" { meta.description = "List of NixOS options in JSON format"; - buildInputs = [ + nativeBuildInputs = [ pkgs.brotli (let - self = (pkgs.python3Minimal.override { + # python3Minimal can't be overridden with packages on Darwin, due to a missing framework. + # Instead of modifying stdenv, we take the easy way out, since most people on Darwin will + # just be hacking on the Nixpkgs manual (which also uses make-options-doc). + python = if pkgs.stdenv.isDarwin then pkgs.python3 else pkgs.python3Minimal; + self = (python.override { inherit self; includeSiteCustomize = true; }); diff --git a/nixos/lib/make-options-doc/options-to-docbook.xsl b/nixos/lib/make-options-doc/options-to-docbook.xsl index d5b921b1dedb3..0fe14a6d2d169 100644 --- a/nixos/lib/make-options-doc/options-to-docbook.xsl +++ b/nixos/lib/make-options-doc/options-to-docbook.xsl @@ -40,8 +40,8 @@ concat($optionIdPrefix, translate( attr[@name = 'name']/string/@value, - '*< >[]:', - '_______' + '*< >[]:"', + '________' ))" /> <varlistentry> <term xlink:href="#{$id}"> diff --git a/nixos/lib/systemd-lib.nix b/nixos/lib/systemd-lib.nix index 779dadece582b..4c52643446ed4 100644 --- a/nixos/lib/systemd-lib.nix +++ b/nixos/lib/systemd-lib.nix @@ -187,11 +187,14 @@ in rec { done done - # Symlink all units defined by systemd.units. If these are also - # provided by systemd or systemd.packages, then add them as + # Symlink units defined by systemd.units where override strategy + # shall be automatically detected. If these are also provided by + # systemd or systemd.packages, then add them as # <unit-name>.d/overrides.conf, which makes them extend the # upstream unit. - for i in ${toString (mapAttrsToList (n: v: v.unit) units)}; do + for i in ${toString (mapAttrsToList + (n: v: v.unit) + (lib.filterAttrs (n: v: (attrByPath [ "overrideStrategy" ] "asDropinIfExists" v) == "asDropinIfExists") units))}; do fn=$(basename $i/*) if [ -e $out/$fn ]; then if [ "$(readlink -f $i/$fn)" = /dev/null ]; then @@ -210,11 +213,21 @@ in rec { fi done + # Symlink units defined by systemd.units which shall be + # treated as drop-in file. + for i in ${toString (mapAttrsToList + (n: v: v.unit) + (lib.filterAttrs (n: v: v ? overrideStrategy && v.overrideStrategy == "asDropin") units))}; do + fn=$(basename $i/*) + mkdir -p $out/$fn.d + ln -s $i/$fn $out/$fn.d/overrides.conf + done + # Create service aliases from aliases option. ${concatStrings (mapAttrsToList (name: unit: concatMapStrings (name2: '' ln -sfn '${name}' $out/'${name2}' - '') unit.aliases) units)} + '') (unit.aliases or [])) units)} # Create .wants and .requires symlinks from the wantedBy and # requiredBy options. @@ -222,13 +235,13 @@ in rec { concatMapStrings (name2: '' mkdir -p $out/'${name2}.wants' ln -sfn '../${name}' $out/'${name2}.wants'/ - '') unit.wantedBy) units)} + '') (unit.wantedBy or [])) units)} ${concatStrings (mapAttrsToList (name: unit: concatMapStrings (name2: '' mkdir -p $out/'${name2}.requires' ln -sfn '../${name}' $out/'${name2}.requires'/ - '') unit.requiredBy) units)} + '') (unit.requiredBy or [])) units)} ${optionalString (type == "system") '' # Stupid misc. symlinks. @@ -340,7 +353,7 @@ in rec { ''; targetToUnit = name: def: - { inherit (def) aliases wantedBy requiredBy enable; + { inherit (def) aliases wantedBy requiredBy enable overrideStrategy; text = '' [Unit] @@ -349,7 +362,7 @@ in rec { }; serviceToUnit = name: def: - { inherit (def) aliases wantedBy requiredBy enable; + { inherit (def) aliases wantedBy requiredBy enable overrideStrategy; text = commonUnitText def + '' [Service] @@ -371,7 +384,7 @@ in rec { }; socketToUnit = name: def: - { inherit (def) aliases wantedBy requiredBy enable; + { inherit (def) aliases wantedBy requiredBy enable overrideStrategy; text = commonUnitText def + '' [Socket] @@ -382,7 +395,7 @@ in rec { }; timerToUnit = name: def: - { inherit (def) aliases wantedBy requiredBy enable; + { inherit (def) aliases wantedBy requiredBy enable overrideStrategy; text = commonUnitText def + '' [Timer] @@ -391,7 +404,7 @@ in rec { }; pathToUnit = name: def: - { inherit (def) aliases wantedBy requiredBy enable; + { inherit (def) aliases wantedBy requiredBy enable overrideStrategy; text = commonUnitText def + '' [Path] @@ -400,7 +413,7 @@ in rec { }; mountToUnit = name: def: - { inherit (def) aliases wantedBy requiredBy enable; + { inherit (def) aliases wantedBy requiredBy enable overrideStrategy; text = commonUnitText def + '' [Mount] @@ -409,7 +422,7 @@ in rec { }; automountToUnit = name: def: - { inherit (def) aliases wantedBy requiredBy enable; + { inherit (def) aliases wantedBy requiredBy enable overrideStrategy; text = commonUnitText def + '' [Automount] @@ -418,7 +431,7 @@ in rec { }; sliceToUnit = name: def: - { inherit (def) aliases wantedBy requiredBy enable; + { inherit (def) aliases wantedBy requiredBy enable overrideStrategy; text = commonUnitText def + '' [Slice] diff --git a/nixos/lib/systemd-unit-options.nix b/nixos/lib/systemd-unit-options.nix index 1c56b1b9aa049..44f26572a23ba 100644 --- a/nixos/lib/systemd-unit-options.nix +++ b/nixos/lib/systemd-unit-options.nix @@ -48,14 +48,29 @@ in rec { ''; }; + overrideStrategy = mkOption { + default = "asDropinIfExists"; + type = types.enum [ "asDropinIfExists" "asDropin" ]; + description = lib.mdDoc '' + Defines how unit configuration is provided for systemd: + + `asDropinIfExists` creates a unit file when no unit file is provided by the package + otherwise a drop-in file name `overrides.conf`. + + `asDropin` creates a drop-in file named `overrides.conf`. + Mainly needed to define instances for systemd template units (e.g. `systemd-nspawn@mycontainer.service`). + + See also systemd.unit(1). + ''; + }; + requiredBy = mkOption { default = []; type = types.listOf unitNameType; description = lib.mdDoc '' - Units that require (i.e. depend on and need to go down with) - this unit. The discussion under `wantedBy` - applies here as well: inverse `.requires` - symlinks are established. + Units that require (i.e. depend on and need to go down with) this unit. + As discussed in the `wantedBy` option description this also creates + `.requires` symlinks automatically. ''; }; @@ -63,16 +78,17 @@ in rec { default = []; type = types.listOf unitNameType; description = lib.mdDoc '' - Units that want (i.e. depend on) this unit. The standard way - to make a unit start by default at boot is to set this option - to `[ "multi-user.target" ]`. That's despite - the fact that the systemd.unit(5) manpage says this option - goes in the `[Install]` section that controls - the behaviour of `systemctl enable`. Since - such a process is stateful and thus contrary to the design of - NixOS, setting this option instead causes the equivalent - inverse `.wants` symlink to be present, - establishing the same desired relationship in a stateless way. + Units that want (i.e. depend on) this unit. The default method for + starting a unit by default at boot time is to set this option to + '["multi-user.target"]' for system services. Likewise for user units + (`systemd.user.<name>.*`) set it to `["default.target"]` to make a unit + start by default when the user `<name>` logs on. + + This option creates a `.wants` symlink in the given target that exists + statelessly without the need for running `systemctl enable`. + The in systemd.unit(5) manpage described `[Install]` section however is + not supported because it is a stateful process that does not fit well + into the NixOS design. ''; }; diff --git a/nixos/lib/testing-python.nix b/nixos/lib/testing-python.nix index f63b6c78f6da3..d7204a2bc1434 100644 --- a/nixos/lib/testing-python.nix +++ b/nixos/lib/testing-python.nix @@ -29,7 +29,9 @@ rec { }; }; - # Make a full-blown test + # Make a full-blown test (legacy) + # For an official public interface to the tests, see + # https://nixos.org/manual/nixos/unstable/index.html#sec-calling-nixos-tests makeTest = { machine ? null , nodes ? {} @@ -48,7 +50,8 @@ rec { else builtins.unsafeGetAttrPos "testScript" t) , extraPythonPackages ? (_ : []) , interactive ? {} - } @ t: + } @ t: let + testConfig = (evalTest { imports = [ { _file = "makeTest parameters"; config = t; } @@ -60,6 +63,9 @@ rec { } ]; }).config; + in + testConfig.test # For nix-build + // testConfig; # For all-tests.nix simpleTest = as: (makeTest as).test; diff --git a/nixos/lib/testing/nodes.nix b/nixos/lib/testing/nodes.nix index 0395238cbaae7..8e620c96b3bb1 100644 --- a/nixos/lib/testing/nodes.nix +++ b/nixos/lib/testing/nodes.nix @@ -101,7 +101,7 @@ in nodesCompat = mapAttrs (name: config: config // { - config = lib.warn + config = lib.warnIf (lib.isInOldestRelease 2211) "Module argument `nodes.${name}.config` is deprecated. Use `nodes.${name}` instead." config; }) diff --git a/nixos/lib/utils.nix b/nixos/lib/utils.nix index f646f70323e35..9eefa80d1c8b7 100644 --- a/nixos/lib/utils.nix +++ b/nixos/lib/utils.nix @@ -39,11 +39,19 @@ rec { || hasPrefix a'.mountPoint b'.mountPoint || any (hasPrefix a'.mountPoint) b'.depends; - # Escape a path according to the systemd rules, e.g. /dev/xyzzy - # becomes dev-xyzzy. FIXME: slow. - escapeSystemdPath = s: - replaceChars ["/" "-" " "] ["-" "\\x2d" "\\x20"] - (removePrefix "/" s); + # Escape a path according to the systemd rules. FIXME: slow + # The rules are described in systemd.unit(5) as follows: + # The escaping algorithm operates as follows: given a string, any "/" character is replaced by "-", and all other characters which are not ASCII alphanumerics, ":", "_" or "." are replaced by C-style "\x2d" escapes. In addition, "." is replaced with such a C-style escape when it would appear as the first character in the escaped string. + # When the input qualifies as absolute file system path, this algorithm is extended slightly: the path to the root directory "/" is encoded as single dash "-". In addition, any leading, trailing or duplicate "/" characters are removed from the string before transformation. Example: /foo//bar/baz/ becomes "foo-bar-baz". + escapeSystemdPath = s: let + replacePrefix = p: r: s: (if (hasPrefix p s) then r + (removePrefix p s) else s); + trim = s: removeSuffix "/" (removePrefix "/" s); + normalizedPath = strings.normalizePath s; + in + replaceChars ["/"] ["-"] + (replacePrefix "." (strings.escapeC ["."] ".") + (strings.escapeC (stringToCharacters " !\"#$%&'()*+,;<=>=@[\\]^`{|}~-") + (if normalizedPath == "/" then normalizedPath else trim normalizedPath))); # Quotes an argument for use in Exec* service lines. # systemd accepts "-quoted strings with escape sequences, toJSON produces diff --git a/nixos/modules/config/update-users-groups.pl b/nixos/modules/config/update-users-groups.pl index 5a21cb45d52be..4368ec24ea9e9 100644 --- a/nixos/modules/config/update-users-groups.pl +++ b/nixos/modules/config/update-users-groups.pl @@ -186,7 +186,7 @@ foreach my $name (keys %groupsCur) { # Rewrite /etc/group. FIXME: acquire lock. my @lines = map { join(":", $_->{name}, $_->{password}, $_->{gid}, $_->{members}) . "\n" } (sort { $a->{gid} <=> $b->{gid} } values(%groupsOut)); -updateFile($gidMapFile, to_json($gidMap)); +updateFile($gidMapFile, to_json($gidMap, {canonical => 1})); updateFile("/etc/group", \@lines); nscdInvalidate("group"); @@ -272,7 +272,7 @@ foreach my $name (keys %usersCur) { # Rewrite /etc/passwd. FIXME: acquire lock. @lines = map { join(":", $_->{name}, $_->{fakePassword}, $_->{uid}, $_->{gid}, $_->{description}, $_->{home}, $_->{shell}) . "\n" } (sort { $a->{uid} <=> $b->{uid} } (values %usersOut)); -updateFile($uidMapFile, to_json($uidMap)); +updateFile($uidMapFile, to_json($uidMap, {canonical => 1})); updateFile("/etc/passwd", \@lines); nscdInvalidate("passwd"); diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index dae2fde0b4e76..b538a0119c06d 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -697,7 +697,7 @@ in { value = "[a-zA-Z0-9/+.-]+"; options = "${id}(=${value})?(,${id}=${value})*"; scheme = "${id}(${sep}${options})?"; - content = "${base64}${sep}${base64}"; + content = "${base64}${sep}${base64}(${sep}${base64})?"; mcf = "^${sep}${scheme}${sep}${content}$"; in if (allowsLogin user.hashedPassword diff --git a/nixos/modules/hardware/usb-storage.nix b/nixos/modules/hardware/usb-storage.nix new file mode 100644 index 0000000000000..9c1b7a125fd18 --- /dev/null +++ b/nixos/modules/hardware/usb-storage.nix @@ -0,0 +1,20 @@ +{ config, lib, pkgs, ... }: +with lib; + +{ + options.hardware.usbStorage.manageStartStop = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + Enable this option to gracefully spin-down external storage during shutdown. + If you suspect improper head parking after poweroff, install `smartmontools` and check + for the `Power-Off_Retract_Count` field for an increment. + ''; + }; + + config = mkIf config.hardware.usbStorage.manageStartStop { + services.udev.extraRules = '' + ACTION=="add|change", SUBSYSTEM=="scsi_disk", DRIVERS=="usb-storage", ATTR{manage_start_stop}="1" + ''; + }; +} diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix index 25cab06119751..cee230ac41cb1 100644 --- a/nixos/modules/hardware/video/nvidia.nix +++ b/nixos/modules/hardware/video/nvidia.nix @@ -261,7 +261,7 @@ in in optional primeEnabled { name = igpuDriver; display = offloadCfg.enable; - modules = optional (igpuDriver == "amdgpu") [ pkgs.xorg.xf86videoamdgpu ]; + modules = optionals (igpuDriver == "amdgpu") [ pkgs.xorg.xf86videoamdgpu ]; deviceSection = '' BusID "${igpuBusId}" ${optionalString (syncCfg.enable && igpuDriver != "amdgpu") ''Option "AccelMethod" "none"''} diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index 35fa45dbc0140..e37142f05f41b 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix @@ -421,7 +421,7 @@ let echo "Usage size: $usage_size" echo "Image size: $image_size" truncate --size=$image_size "$out" - faketime "2000-01-01 00:00:00" mkfs.vfat -i 12345678 -n EFIBOOT "$out" + mkfs.vfat --invariant -i 12345678 -n EFIBOOT "$out" # Force a fixed order in mcopy for better determinism, and avoid file globbing for d in $(find EFI -type d | sort); do diff --git a/nixos/modules/installer/sd-card/sd-image.nix b/nixos/modules/installer/sd-card/sd-image.nix index cb2522d867890..ad9b803b1d1e4 100644 --- a/nixos/modules/installer/sd-card/sd-image.nix +++ b/nixos/modules/installer/sd-card/sd-image.nix @@ -224,14 +224,25 @@ in # Create a FAT32 /boot/firmware partition of suitable size into firmware_part.img eval $(partx $img -o START,SECTORS --nr 1 --pairs) truncate -s $((SECTORS * 512)) firmware_part.img - faketime "1970-01-01 00:00:00" mkfs.vfat -i ${config.sdImage.firmwarePartitionID} -n ${config.sdImage.firmwarePartitionName} firmware_part.img + + mkfs.vfat --invariant -i ${config.sdImage.firmwarePartitionID} -n ${config.sdImage.firmwarePartitionName} firmware_part.img # Populate the files intended for /boot/firmware mkdir firmware ${config.sdImage.populateFirmwareCommands} + find firmware -exec touch --date=2000-01-01 {} + # Copy the populated /boot/firmware into the SD image - (cd firmware; mcopy -psvm -i ../firmware_part.img ./* ::) + cd firmware + # Force a fixed order in mcopy for better determinism, and avoid file globbing + for d in $(find . -type d -mindepth 1 | sort); do + faketime "2000-01-01 00:00:00" mmd -i ../firmware_part.img "::/$d" + done + for f in $(find . -type f | sort); do + mcopy -pvm -i ../firmware_part.img "$f" "::/$f" + done + cd .. + # Verify the FAT partition before copying it. fsck.vfat -vn firmware_part.img dd conv=notrunc if=firmware_part.img of=$img seek=$START count=$SECTORS diff --git a/nixos/modules/misc/documentation.nix b/nixos/modules/misc/documentation.nix index e85ad4efd0089..aa6e40f43705e 100644 --- a/nixos/modules/misc/documentation.nix +++ b/nixos/modules/misc/documentation.nix @@ -56,6 +56,7 @@ let ) pkgSet; in scrubbedEval.options; + baseOptionsJSON = let filter = @@ -67,9 +68,9 @@ let ); in pkgs.runCommand "lazy-options.json" { - libPath = filter "${toString pkgs.path}/lib"; - pkgsLibPath = filter "${toString pkgs.path}/pkgs/pkgs-lib"; - nixosPath = filter "${toString pkgs.path}/nixos"; + libPath = filter (pkgs.path + "/lib"); + pkgsLibPath = filter (pkgs.path + "/pkgs/pkgs-lib"); + nixosPath = filter (pkgs.path + "/nixos"); modules = map (p: ''"${removePrefix "${modulesPath}/" (toString p)}"'') docModules.lazy; } '' export NIX_STORE_DIR=$TMPDIR/store @@ -99,6 +100,7 @@ let exit 1 } >&2 ''; + inherit (cfg.nixos.options) warningsAreErrors allowDocBook; }; diff --git a/nixos/modules/misc/nixpkgs.nix b/nixos/modules/misc/nixpkgs.nix index e8becb6bf8cc7..00460a88d86cb 100644 --- a/nixos/modules/misc/nixpkgs.nix +++ b/nixos/modules/misc/nixpkgs.nix @@ -55,6 +55,11 @@ let check = builtins.isAttrs; }; + # Whether `pkgs` was constructed by this module - not if nixpkgs.pkgs or + # _module.args.pkgs is set. However, determining whether _module.args.pkgs + # is defined elsewhere does not seem feasible. + constructedByMe = !opt.pkgs.isDefined; + hasBuildPlatform = opt.buildPlatform.highestPrio < (mkOptionDefault {}).priority; hasHostPlatform = opt.hostPlatform.isDefined; hasPlatform = hasHostPlatform || hasBuildPlatform; @@ -353,12 +358,12 @@ in else "nixpkgs.localSystem"; pkgsSystem = finalPkgs.stdenv.targetPlatform.system; in { - assertion = !hasPlatform -> nixosExpectedSystem == pkgsSystem; + assertion = constructedByMe -> !hasPlatform -> nixosExpectedSystem == pkgsSystem; message = "The NixOS nixpkgs.pkgs option was set to a Nixpkgs invocation that compiles to target system ${pkgsSystem} but NixOS was configured for system ${nixosExpectedSystem} via NixOS option ${nixosOption}. The NixOS system settings must match the Nixpkgs target system."; } ) { - assertion = hasPlatform -> legacyOptionsDefined == []; + assertion = constructedByMe -> hasPlatform -> legacyOptionsDefined == []; message = '' Your system configures nixpkgs with the platform parameter${optionalString hasBuildPlatform "s"}: ${hostPlatformLine diff --git a/nixos/modules/misc/nixpkgs/test.nix b/nixos/modules/misc/nixpkgs/test.nix index 9e8851707f8fc..a6d8877ae0700 100644 --- a/nixos/modules/misc/nixpkgs/test.nix +++ b/nixos/modules/misc/nixpkgs/test.nix @@ -59,5 +59,11 @@ lib.recurseIntoAttrs { For a future proof system configuration, we recommend to remove the legacy definitions. '']; + assert getErrors { + nixpkgs.localSystem = pkgs.stdenv.hostPlatform; + nixpkgs.hostPlatform = pkgs.stdenv.hostPlatform; + nixpkgs.pkgs = pkgs; + } == []; + pkgs.emptyFile; } diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index c400fadef3a2a..fac882b415037 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -82,6 +82,7 @@ ./hardware/tuxedo-keyboard.nix ./hardware/ubertooth.nix ./hardware/usb-wwan.nix + ./hardware/usb-storage.nix ./hardware/onlykey/default.nix ./hardware/opentabletdriver.nix ./hardware/sata.nix @@ -347,6 +348,7 @@ ./services/continuous-integration/hercules-ci-agent/default.nix ./services/continuous-integration/hydra/default.nix ./services/continuous-integration/github-runner.nix + ./services/continuous-integration/github-runners.nix ./services/continuous-integration/gitlab-runner.nix ./services/continuous-integration/gocd-agent/default.nix ./services/continuous-integration/gocd-server/default.nix @@ -612,6 +614,7 @@ ./services/misc/nix-optimise.nix ./services/misc/nix-ssh-serve.nix ./services/misc/novacomd.nix + ./services/misc/ntfy-sh.nix ./services/misc/nzbget.nix ./services/misc/nzbhydra2.nix ./services/misc/octoprint.nix @@ -684,6 +687,7 @@ ./services/monitoring/heapster.nix ./services/monitoring/incron.nix ./services/monitoring/kapacitor.nix + ./services/monitoring/karma.nix ./services/monitoring/kthxbye.nix ./services/monitoring/loki.nix ./services/monitoring/longview.nix @@ -714,6 +718,8 @@ ./services/monitoring/unifi-poller.nix ./services/monitoring/ups.nix ./services/monitoring/uptime.nix + ./services/monitoring/vmagent.nix + ./services/monitoring/uptime-kuma.nix ./services/monitoring/vnstat.nix ./services/monitoring/zabbix-agent.nix ./services/monitoring/zabbix-proxy.nix @@ -974,6 +980,7 @@ ./services/video/rtsp-simple-server.nix ./services/networking/uptermd.nix ./services/networking/v2ray.nix + ./services/networking/vdirsyncer.nix ./services/networking/vsftpd.nix ./services/networking/wasabibackend.nix ./services/networking/websockify.nix @@ -985,6 +992,7 @@ ./services/networking/xinetd.nix ./services/networking/xl2tpd.nix ./services/networking/x2goserver.nix + ./services/networking/xray.nix ./services/networking/xrdp.nix ./services/networking/yggdrasil.nix ./services/networking/zerobin.nix @@ -1005,6 +1013,7 @@ ./services/security/certmgr.nix ./services/security/cfssl.nix ./services/security/clamav.nix + ./services/security/endlessh.nix ./services/security/endlessh-go.nix ./services/security/fail2ban.nix ./services/security/fprintd.nix @@ -1036,6 +1045,7 @@ ./services/security/vaultwarden/default.nix ./services/security/yubikey-agent.nix ./services/system/cachix-agent/default.nix + ./services/system/cachix-watch-store.nix ./services/system/cloud-init.nix ./services/system/dbus.nix ./services/system/earlyoom.nix @@ -1069,6 +1079,7 @@ ./services/web-apps/calibre-web.nix ./services/web-apps/code-server.nix ./services/web-apps/baget.nix + ./services/web-apps/changedetection-io.nix ./services/web-apps/convos.nix ./services/web-apps/dex.nix ./services/web-apps/discourse.nix @@ -1140,6 +1151,7 @@ ./services/web-servers/caddy/default.nix ./services/web-servers/darkhttpd.nix ./services/web-servers/fcgiwrap.nix + ./services/web-servers/garage.nix ./services/web-servers/hitch/default.nix ./services/web-servers/hydron.nix ./services/web-servers/jboss/default.nix @@ -1147,6 +1159,7 @@ ./services/web-servers/lighttpd/collectd.nix ./services/web-servers/lighttpd/default.nix ./services/web-servers/lighttpd/gitweb.nix + ./services/web-servers/merecat.nix ./services/web-servers/mighttpd2.nix ./services/web-servers/minio.nix ./services/web-servers/molly-brown.nix @@ -1247,6 +1260,7 @@ ./system/boot/systemd/user.nix ./system/boot/timesyncd.nix ./system/boot/tmp.nix + ./system/boot/uvesafb.nix ./system/etc/etc-activation.nix ./tasks/auto-upgrade.nix ./tasks/bcache.nix diff --git a/nixos/modules/profiles/minimal.nix b/nixos/modules/profiles/minimal.nix index 0e65989214a18..0125017dfee88 100644 --- a/nixos/modules/profiles/minimal.nix +++ b/nixos/modules/profiles/minimal.nix @@ -13,4 +13,9 @@ with lib; documentation.nixos.enable = mkDefault false; programs.command-not-found.enable = mkDefault false; + + xdg.autostart.enable = mkDefault false; + xdg.icons.enable = mkDefault false; + xdg.mime.enable = mkDefault false; + xdg.sounds.enable = mkDefault false; } diff --git a/nixos/modules/programs/neovim.nix b/nixos/modules/programs/neovim.nix index 31848c246f646..8de527fceb26a 100644 --- a/nixos/modules/programs/neovim.nix +++ b/nixos/modules/programs/neovim.nix @@ -11,7 +11,19 @@ let in { options.programs.neovim = { - enable = mkEnableOption (lib.mdDoc "Neovim"); + enable = mkOption { + type = types.bool; + default = false; + example = true; + description = lib.mdDoc '' + Whether to enable Neovim. + + When enabled through this option, Neovim is wrapped to use a + configuration managed by this module. The configuration file in the + user's home directory at {file}`~/.config/nvim/init.vim` is no longer + loaded by default. + ''; + }; defaultEditor = mkOption { type = types.bool; diff --git a/nixos/modules/programs/tsm-client.nix b/nixos/modules/programs/tsm-client.nix index 89662cecaa48e..7adff7cd28cb0 100644 --- a/nixos/modules/programs/tsm-client.nix +++ b/nixos/modules/programs/tsm-client.nix @@ -223,7 +223,7 @@ let description = lib.mdDoc '' The TSM client derivation to be added to the system environment. - It will called with `.override` + It will be used with `.override` to add paths to the client system-options file. ''; }; diff --git a/nixos/modules/programs/zsh/zsh.nix b/nixos/modules/programs/zsh/zsh.nix index 0c59d20fee467..29790e0dd759b 100644 --- a/nixos/modules/programs/zsh/zsh.nix +++ b/nixos/modules/programs/zsh/zsh.nix @@ -184,7 +184,7 @@ in # Tell zsh how to find installed completions. for p in ''${(z)NIX_PROFILES}; do - fpath+=($p/share/zsh/site-functions $p/share/zsh/$ZSH_VERSION/functions $p/share/zsh/vendor-completions) + fpath=($p/share/zsh/site-functions $p/share/zsh/$ZSH_VERSION/functions $p/share/zsh/vendor-completions $fpath) done # Setup custom shell init stuff. diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix index e9299fb1b3adb..4e163901b0887 100644 --- a/nixos/modules/security/acme/default.nix +++ b/nixos/modules/security/acme/default.nix @@ -26,8 +26,8 @@ let Type = "oneshot"; User = user; Group = mkDefault "acme"; - UMask = 0022; - StateDirectoryMode = 750; + UMask = "0022"; + StateDirectoryMode = "750"; ProtectSystem = "strict"; ReadWritePaths = [ "/var/lib/acme" @@ -62,9 +62,9 @@ let SystemCallArchitectures = "native"; SystemCallFilter = [ # 1. allow a reasonable set of syscalls - "@system-service" + "@system-service @resources" # 2. and deny unreasonable ones - "~@privileged @resources" + "~@privileged" # 3. then allow the required subset within denied groups "@chown" ]; @@ -85,7 +85,7 @@ let serviceConfig = commonServiceConfig // { StateDirectory = "acme/.minica"; BindPaths = "/var/lib/acme/.minica:/tmp/ca"; - UMask = 0077; + UMask = "0077"; }; # Working directory will be /tmp @@ -243,7 +243,7 @@ let serviceConfig = commonServiceConfig // { Group = data.group; - UMask = 0027; + UMask = "0027"; StateDirectory = "acme/${cert}"; diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index c74f66d918295..dc145d8585154 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -615,12 +615,12 @@ let optionalString cfg.setLoginUid '' session ${if config.boot.isContainer then "optional" else "required"} pam_loginuid.so '' + - optionalString cfg.ttyAudit.enable '' - session required ${pkgs.pam}/lib/security/pam_tty_audit.so - open_only=${toString cfg.ttyAudit.openOnly} - ${optionalString (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"} - ${optionalString (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"} - '' + + optionalString cfg.ttyAudit.enable (concatStringsSep " \\\n " ([ + "session required ${pkgs.pam}/lib/security/pam_tty_audit.so" + ] ++ optional cfg.ttyAudit.openOnly "open_only" + ++ optional (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}" + ++ optional (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}" + )) + optionalString cfg.makeHomeDir '' session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0077 '' + diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix index 95a2d4d5377a5..f33898578b817 100644 --- a/nixos/modules/security/polkit.nix +++ b/nixos/modules/security/polkit.nix @@ -14,6 +14,8 @@ in security.polkit.enable = mkEnableOption (lib.mdDoc "polkit"); + security.polkit.debug = mkEnableOption (lib.mdDoc "debug logs from polkit. This is required in order to see log messages from rule definitions."); + security.polkit.extraConfig = mkOption { type = types.lines; default = ""; @@ -21,6 +23,7 @@ in '' /* Log authorization checks. */ polkit.addRule(function(action, subject) { + // Make sure to set { security.polkit.debug = true; } in configuration.nix polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid); }); @@ -58,6 +61,11 @@ in systemd.packages = [ pkgs.polkit.out ]; + systemd.services.polkit.serviceConfig.ExecStart = [ + "" + "${pkgs.polkit.out}/lib/polkit-1/polkitd ${optionalString (!cfg.debug) "--no-debug"}" + ]; + systemd.services.polkit.restartTriggers = [ config.system.path ]; systemd.services.polkit.stopIfChanged = false; diff --git a/nixos/modules/services/audio/navidrome.nix b/nixos/modules/services/audio/navidrome.nix index d74835e220f74..e73828081d4bd 100644 --- a/nixos/modules/services/audio/navidrome.nix +++ b/nixos/modules/services/audio/navidrome.nix @@ -62,7 +62,7 @@ in { ProtectKernelModules = true; ProtectKernelTunables = true; SystemCallArchitectures = "native"; - SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + SystemCallFilter = [ "@system-service" "~@privileged" ]; RestrictRealtime = true; LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/nixos/modules/services/backup/btrbk.nix b/nixos/modules/services/backup/btrbk.nix index f1d58f597c255..b6eb68cc43f12 100644 --- a/nixos/modules/services/backup/btrbk.nix +++ b/nixos/modules/services/backup/btrbk.nix @@ -1,72 +1,74 @@ { config, pkgs, lib, ... }: let inherit (lib) + concatLists + concatMap concatMapStringsSep concatStringsSep filterAttrs - flatten isAttrs - isString literalExpression mapAttrs' mapAttrsToList mkIf mkOption optionalString - partition - typeOf + sort types ; - cfg = config.services.btrbk; - sshEnabled = cfg.sshAccess != [ ]; - serviceEnabled = cfg.instances != { }; - attr2Lines = attr: + # The priority of an option or section. + # The configurations format are order-sensitive. Pairs are added as children of + # the last sections if possible, otherwise, they start a new section. + # We sort them in topological order: + # 1. Leaf pairs. + # 2. Sections that may contain (1). + # 3. Sections that may contain (1) or (2). + # 4. Etc. + prioOf = { name, value }: + if !isAttrs value then 0 # Leaf options. + else { + target = 1; # Contains: options. + subvolume = 2; # Contains: options, target. + volume = 3; # Contains: options, target, subvolume. + }.${name} or (throw "Unknow section '${name}'"); + + genConfig' = set: concatStringsSep "\n" (genConfig set); + genConfig = set: let - pairs = mapAttrsToList (name: value: { inherit name value; }) attr; - isSubsection = value: - if isAttrs value then true - else if isString value then false - else throw "invalid type in btrbk config ${typeOf value}"; - sortedPairs = partition (x: isSubsection x.value) pairs; + pairs = mapAttrsToList (name: value: { inherit name value; }) set; + sortedPairs = sort (a: b: prioOf a < prioOf b) pairs; in - flatten ( - # non subsections go first - ( - map (pair: [ "${pair.name} ${pair.value}" ]) sortedPairs.wrong - ) - ++ # subsections go last - ( - map - ( - pair: - mapAttrsToList - ( - childname: value: - [ "${pair.name} ${childname}" ] ++ (map (x: " " + x) (attr2Lines value)) - ) - pair.value - ) - sortedPairs.right - ) - ) - ; + concatMap genPair sortedPairs; + genSection = sec: secName: value: + [ "${sec} ${secName}" ] ++ map (x: " " + x) (genConfig value); + genPair = { name, value }: + if !isAttrs value + then [ "${name} ${value}" ] + else concatLists (mapAttrsToList (genSection name) value); + addDefaults = settings: { backend = "btrfs-progs-sudo"; } // settings; - mkConfigFile = settings: concatStringsSep "\n" (attr2Lines (addDefaults settings)); - mkTestedConfigFile = name: settings: - let - configFile = pkgs.writeText "btrbk-${name}.conf" (mkConfigFile settings); - in - pkgs.runCommand "btrbk-${name}-tested.conf" { } '' - mkdir foo - cp ${configFile} $out - if (set +o pipefail; ${pkgs.btrbk}/bin/btrbk -c $out ls foo 2>&1 | grep $out); - then - echo btrbk configuration is invalid - cat $out - exit 1 - fi; + + mkConfigFile = name: settings: pkgs.writeTextFile { + name = "btrbk-${name}.conf"; + text = genConfig' (addDefaults settings); + checkPhase = '' + set +e + ${pkgs.btrbk}/bin/btrbk -c $out dryrun + # According to btrbk(1), exit status 2 means parse error + # for CLI options or the config file. + if [[ $? == 2 ]]; then + echo "Btrbk configuration is invalid:" + cat $out + exit 1 + fi + set -e ''; + }; + + cfg = config.services.btrbk; + sshEnabled = cfg.sshAccess != [ ]; + serviceEnabled = cfg.instances != { }; in { meta.maintainers = with lib.maintainers; [ oxalica ]; @@ -196,7 +198,7 @@ in ( name: instance: { name = "btrbk/${name}.conf"; - value.source = mkTestedConfigFile name instance.settings; + value.source = mkConfigFile name instance.settings; } ) cfg.instances; diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix index 507e74570e457..d68267883e45f 100644 --- a/nixos/modules/services/cluster/kubernetes/pki.nix +++ b/nixos/modules/services/cluster/kubernetes/pki.nix @@ -266,7 +266,7 @@ in in '' export KUBECONFIG=${clusterAdminKubeconfig} - ${kubernetes}/bin/kubectl apply -f ${concatStringsSep " \\\n -f " files} + ${top.package}/bin/kubectl apply -f ${concatStringsSep " \\\n -f " files} ''; })]); diff --git a/nixos/modules/services/continuous-integration/github-runner.nix b/nixos/modules/services/continuous-integration/github-runner.nix index 2ece75722a1d3..24d02c931a4ae 100644 --- a/nixos/modules/services/continuous-integration/github-runner.nix +++ b/nixos/modules/services/continuous-integration/github-runner.nix @@ -1,396 +1,23 @@ -{ config, pkgs, lib, ... }: +{ config +, pkgs +, lib +, ... +}@args: + with lib; + let cfg = config.services.github-runner; - svcName = "github-runner"; - systemdDir = "${svcName}/${cfg.name}"; - # %t: Runtime directory root (usually /run); see systemd.unit(5) - runtimeDir = "%t/${systemdDir}"; - # %S: State directory root (usually /var/lib); see systemd.unit(5) - stateDir = "%S/${systemdDir}"; - # %L: Log directory root (usually /var/log); see systemd.unit(5) - logsDir = "%L/${systemdDir}"; - # Name of file stored in service state directory - currentConfigTokenFilename = ".current-token"; in -{ - options.services.github-runner = { - enable = mkOption { - default = false; - example = true; - description = lib.mdDoc '' - Whether to enable GitHub Actions runner. - - Note: GitHub recommends using self-hosted runners with private repositories only. Learn more here: - [About self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners). - ''; - type = lib.types.bool; - }; - - url = mkOption { - type = types.str; - description = lib.mdDoc '' - Repository to add the runner to. - - Changing this option triggers a new runner registration. - - IMPORTANT: If your token is org-wide (not per repository), you need to - provide a github org link, not a single repository, so do it like this - `https://github.com/nixos`, not like this - `https://github.com/nixos/nixpkgs`. - Otherwise, you are going to get a `404 NotFound` - from `POST https://api.github.com/actions/runner-registration` - in the configure script. - ''; - example = "https://github.com/nixos/nixpkgs"; - }; - - tokenFile = mkOption { - type = types.path; - description = lib.mdDoc '' - The full path to a file which contains either a runner registration token or a - personal access token (PAT). - The file should contain exactly one line with the token without any newline. - If a registration token is given, it can be used to re-register a runner of the same - name but is time-limited. If the file contains a PAT, the service creates a new - registration token on startup as needed. Make sure the PAT has a scope of - `admin:org` for organization-wide registrations or a scope of - `repo` for a single repository. - - Changing this option or the file's content triggers a new runner registration. - ''; - example = "/run/secrets/github-runner/nixos.token"; - }; - - name = mkOption { - # Same pattern as for `networking.hostName` - type = types.strMatching "^$|^[[:alnum:]]([[:alnum:]_-]{0,61}[[:alnum:]])?$"; - description = lib.mdDoc '' - Name of the runner to configure. Defaults to the hostname. - - Changing this option triggers a new runner registration. - ''; - example = "nixos"; - default = config.networking.hostName; - defaultText = literalExpression "config.networking.hostName"; - }; - - runnerGroup = mkOption { - type = types.nullOr types.str; - description = lib.mdDoc '' - Name of the runner group to add this runner to (defaults to the default runner group). - - Changing this option triggers a new runner registration. - ''; - default = null; - }; - - extraLabels = mkOption { - type = types.listOf types.str; - description = lib.mdDoc '' - Extra labels in addition to the default (`["self-hosted", "Linux", "X64"]`). - Changing this option triggers a new runner registration. - ''; - example = literalExpression ''[ "nixos" ]''; - default = [ ]; - }; - - replace = mkOption { - type = types.bool; - description = lib.mdDoc '' - Replace any existing runner with the same name. - - Without this flag, registering a new runner with the same name fails. - ''; - default = false; - }; - - extraPackages = mkOption { - type = types.listOf types.package; - description = lib.mdDoc '' - Extra packages to add to `PATH` of the service to make them available to workflows. - ''; - default = [ ]; - }; - - package = mkOption { - type = types.package; - description = lib.mdDoc '' - Which github-runner derivation to use. - ''; - default = pkgs.github-runner; - defaultText = literalExpression "pkgs.github-runner"; - }; - - ephemeral = mkOption { - type = types.bool; - description = lib.mdDoc '' - If enabled, causes the following behavior: - - - Passes the `--ephemeral` flag to the runner configuration script - - De-registers and stops the runner with GitHub after it has processed one job - - On stop, systemd wipes the runtime directory (this always happens, even without using the ephemeral option) - - Restarts the service after its successful exit - - On start, wipes the state directory and configures a new runner - - You should only enable this option if `tokenFile` points to a file which contains a - personal access token (PAT). If you're using the option with a registration token, restarting the - service will fail as soon as the registration token expired. - ''; - default = false; - }; - }; +{ + options.services.github-runner = import ./github-runner/options.nix (args // { + # Users don't need to specify options.services.github-runner.name; it will default + # to the hostname. + includeNameDefault = true; + }); config = mkIf cfg.enable { - warnings = optionals (isStorePath cfg.tokenFile) [ - '' - `services.github-runner.tokenFile` points to the Nix store and, therefore, is world-readable. - Consider using a path outside of the Nix store to keep the token private. - '' - ]; - - systemd.services.${svcName} = { - description = "GitHub Actions runner"; - - wantedBy = [ "multi-user.target" ]; - wants = [ "network-online.target" ]; - after = [ "network.target" "network-online.target" ]; - - environment = { - HOME = runtimeDir; - RUNNER_ROOT = stateDir; - }; - - path = (with pkgs; [ - bash - coreutils - git - gnutar - gzip - ]) ++ [ - config.nix.package - ] ++ cfg.extraPackages; - - serviceConfig = rec { - ExecStart = "${cfg.package}/bin/Runner.Listener run --startuptype service"; - - # Does the following, sequentially: - # - If the module configuration or the token has changed, purge the state directory, - # and create the current and the new token file with the contents of the configured - # token. While both files have the same content, only the later is accessible by - # the service user. - # - Configure the runner using the new token file. When finished, delete it. - # - Set up the directory structure by creating the necessary symlinks. - ExecStartPre = - let - # Wrapper script which expects the full path of the state, runtime and logs - # directory as arguments. Overrides the respective systemd variables to provide - # unambiguous directory names. This becomes relevant, for example, if the - # caller overrides any of the StateDirectory=, RuntimeDirectory= or LogDirectory= - # to contain more than one directory. This causes systemd to set the respective - # environment variables with the path of all of the given directories, separated - # by a colon. - writeScript = name: lines: pkgs.writeShellScript "${svcName}-${name}.sh" '' - set -euo pipefail - - STATE_DIRECTORY="$1" - RUNTIME_DIRECTORY="$2" - LOGS_DIRECTORY="$3" - - ${lines} - ''; - runnerRegistrationConfig = getAttrs [ "name" "tokenFile" "url" "runnerGroup" "extraLabels" "ephemeral" ] cfg; - newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig); - currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json"; - newConfigTokenPath= "$STATE_DIRECTORY/.new-token"; - currentConfigTokenPath = "$STATE_DIRECTORY/${currentConfigTokenFilename}"; - - runnerCredFiles = [ - ".credentials" - ".credentials_rsaparams" - ".runner" - ]; - unconfigureRunner = writeScript "unconfigure" '' - copy_tokens() { - # Copy the configured token file to the state dir and allow the service user to read the file - install --mode=666 ${escapeShellArg cfg.tokenFile} "${newConfigTokenPath}" - # Also copy current file to allow for a diff on the next start - install --mode=600 ${escapeShellArg cfg.tokenFile} "${currentConfigTokenPath}" - } - - clean_state() { - find "$STATE_DIRECTORY/" -mindepth 1 -delete - copy_tokens - } - - diff_config() { - changed=0 - - # Check for module config changes - [[ -f "${currentConfigPath}" ]] \ - && ${pkgs.diffutils}/bin/diff -q '${newConfigPath}' "${currentConfigPath}" >/dev/null 2>&1 \ - || changed=1 - - # Also check the content of the token file - [[ -f "${currentConfigTokenPath}" ]] \ - && ${pkgs.diffutils}/bin/diff -q "${currentConfigTokenPath}" ${escapeShellArg cfg.tokenFile} >/dev/null 2>&1 \ - || changed=1 - - # If the config has changed, remove old state and copy tokens - if [[ "$changed" -eq 1 ]]; then - echo "Config has changed, removing old runner state." - echo "The old runner will still appear in the GitHub Actions UI." \ - "You have to remove it manually." - clean_state - fi - } - - if [[ "${optionalString cfg.ephemeral "1"}" ]]; then - # In ephemeral mode, we always want to start with a clean state - clean_state - elif [[ "$(ls -A "$STATE_DIRECTORY")" ]]; then - # There are state files from a previous run; diff them to decide if we need a new registration - diff_config - else - # The state directory is entirely empty which indicates a first start - copy_tokens - fi - ''; - configureRunner = writeScript "configure" '' - if [[ -e "${newConfigTokenPath}" ]]; then - echo "Configuring GitHub Actions Runner" - - args=( - --unattended - --disableupdate - --work "$RUNTIME_DIRECTORY" - --url ${escapeShellArg cfg.url} - --labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)} - --name ${escapeShellArg cfg.name} - ${optionalString cfg.replace "--replace"} - ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"} - ${optionalString cfg.ephemeral "--ephemeral"} - ) - - # If the token file contains a PAT (i.e., it starts with "ghp_"), we have to use the --pat option, - # if it is not a PAT, we assume it contains a registration token and use the --token option - token=$(<"${newConfigTokenPath}") - if [[ "$token" =~ ^ghp_* ]]; then - args+=(--pat "$token") - else - args+=(--token "$token") - fi - - ${cfg.package}/bin/config.sh "''${args[@]}" - - # Move the automatically created _diag dir to the logs dir - mkdir -p "$STATE_DIRECTORY/_diag" - cp -r "$STATE_DIRECTORY/_diag/." "$LOGS_DIRECTORY/" - rm -rf "$STATE_DIRECTORY/_diag/" - - # Cleanup token from config - rm "${newConfigTokenPath}" - - # Symlink to new config - ln -s '${newConfigPath}' "${currentConfigPath}" - fi - ''; - setupRuntimeDir = writeScript "setup-runtime-dirs" '' - # Link _diag dir - ln -s "$LOGS_DIRECTORY" "$RUNTIME_DIRECTORY/_diag" - - # Link the runner credentials to the runtime dir - ln -s "$STATE_DIRECTORY"/{${lib.concatStringsSep "," runnerCredFiles}} "$RUNTIME_DIRECTORY/" - ''; - in - map (x: "${x} ${escapeShellArgs [ stateDir runtimeDir logsDir ]}") [ - "+${unconfigureRunner}" # runs as root - configureRunner - setupRuntimeDir - ]; - - # If running in ephemeral mode, restart the service on-exit (i.e., successful de-registration of the runner) - # to trigger a fresh registration. - Restart = if cfg.ephemeral then "on-success" else "no"; - - # Contains _diag - LogsDirectory = [ systemdDir ]; - # Default RUNNER_ROOT which contains ephemeral Runner data - RuntimeDirectory = [ systemdDir ]; - # Home of persistent runner data, e.g., credentials - StateDirectory = [ systemdDir ]; - StateDirectoryMode = "0700"; - WorkingDirectory = runtimeDir; - - InaccessiblePaths = [ - # Token file path given in the configuration, if visible to the service - "-${cfg.tokenFile}" - # Token file in the state directory - "${stateDir}/${currentConfigTokenFilename}" - ]; - - # By default, use a dynamically allocated user - DynamicUser = true; - - KillSignal = "SIGINT"; - - # Hardening (may overlap with DynamicUser=) - # The following options are only for optimizing: - # systemd-analyze security github-runner - AmbientCapabilities = ""; - CapabilityBoundingSet = ""; - # ProtectClock= adds DeviceAllow=char-rtc r - DeviceAllow = ""; - NoNewPrivileges = true; - PrivateDevices = true; - PrivateMounts = true; - PrivateTmp = true; - PrivateUsers = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectSystem = "strict"; - RemoveIPC = true; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - UMask = "0066"; - ProtectProc = "invisible"; - SystemCallFilter = [ - "~@clock" - "~@cpu-emulation" - "~@module" - "~@mount" - "~@obsolete" - "~@raw-io" - "~@reboot" - "~capset" - "~setdomainname" - "~sethostname" - ]; - RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ]; - - # Needs network access - PrivateNetwork = false; - # Cannot be true due to Node - MemoryDenyWriteExecute = false; - - # The more restrictive "pid" option makes `nix` commands in CI emit - # "GC Warning: Couldn't read /proc/stat" - # You may want to set this to "pid" if not using `nix` commands - ProcSubset = "all"; - # Coverage programs for compiled code such as `cargo-tarpaulin` disable - # ASLR (address space layout randomization) which requires the - # `personality` syscall - # You may want to set this to `true` if not using coverage tooling on - # compiled code - LockPersonality = false; - }; - }; + services.github-runners.${cfg.name} = cfg; }; } diff --git a/nixos/modules/services/continuous-integration/github-runner/options.nix b/nixos/modules/services/continuous-integration/github-runner/options.nix new file mode 100644 index 0000000000000..796b5a7f1175f --- /dev/null +++ b/nixos/modules/services/continuous-integration/github-runner/options.nix @@ -0,0 +1,173 @@ +{ config +, lib +, pkgs +, includeNameDefault +, ... +}: + +with lib; + +{ + enable = mkOption { + default = false; + example = true; + description = lib.mdDoc '' + Whether to enable GitHub Actions runner. + + Note: GitHub recommends using self-hosted runners with private repositories only. Learn more here: + [About self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners). + ''; + type = lib.types.bool; + }; + + url = mkOption { + type = types.str; + description = lib.mdDoc '' + Repository to add the runner to. + + Changing this option triggers a new runner registration. + + IMPORTANT: If your token is org-wide (not per repository), you need to + provide a github org link, not a single repository, so do it like this + `https://github.com/nixos`, not like this + `https://github.com/nixos/nixpkgs`. + Otherwise, you are going to get a `404 NotFound` + from `POST https://api.github.com/actions/runner-registration` + in the configure script. + ''; + example = "https://github.com/nixos/nixpkgs"; + }; + + tokenFile = mkOption { + type = types.path; + description = lib.mdDoc '' + The full path to a file which contains either a runner registration token or a + (fine-grained) personal access token (PAT). + The file should contain exactly one line with the token without any newline. + If a registration token is given, it can be used to re-register a runner of the same + name but is time-limited. If the file contains a PAT, the service creates a new + registration token on startup as needed. Make sure the PAT has a scope of + `admin:org` for organization-wide registrations or a scope of + `repo` for a single repository. Fine-grained PATs need read and write permission + to the "Adminstration" resources. + + Changing this option or the file's content triggers a new runner registration. + ''; + example = "/run/secrets/github-runner/nixos.token"; + }; + + name = let + # Same pattern as for `networking.hostName` + baseType = types.strMatching "^$|^[[:alnum:]]([[:alnum:]_-]{0,61}[[:alnum:]])?$"; + in mkOption { + type = if includeNameDefault then baseType else types.nullOr baseType; + description = lib.mdDoc '' + Name of the runner to configure. Defaults to the hostname. + + Changing this option triggers a new runner registration. + ''; + example = "nixos"; + } // (if includeNameDefault then { + default = config.networking.hostName; + defaultText = literalExpression "config.networking.hostName"; + } else { + default = null; + }); + + runnerGroup = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc '' + Name of the runner group to add this runner to (defaults to the default runner group). + + Changing this option triggers a new runner registration. + ''; + default = null; + }; + + extraLabels = mkOption { + type = types.listOf types.str; + description = lib.mdDoc '' + Extra labels in addition to the default (`["self-hosted", "Linux", "X64"]`). + + Changing this option triggers a new runner registration. + ''; + example = literalExpression ''[ "nixos" ]''; + default = [ ]; + }; + + replace = mkOption { + type = types.bool; + description = lib.mdDoc '' + Replace any existing runner with the same name. + + Without this flag, registering a new runner with the same name fails. + ''; + default = false; + }; + + extraPackages = mkOption { + type = types.listOf types.package; + description = lib.mdDoc '' + Extra packages to add to `PATH` of the service to make them available to workflows. + ''; + default = [ ]; + }; + + extraEnvironment = mkOption { + type = types.attrs; + description = lib.mdDoc '' + Extra environment variables to set for the runner, as an attrset. + ''; + example = { + GIT_CONFIG = "/path/to/git/config"; + }; + default = {}; + }; + + serviceOverrides = mkOption { + type = types.attrs; + description = lib.mdDoc '' + Overrides for the systemd service. Can be used to adjust the sandboxing options. + ''; + example = { + ProtectHome = false; + }; + default = {}; + }; + + package = mkOption { + type = types.package; + description = lib.mdDoc '' + Which github-runner derivation to use. + ''; + default = pkgs.github-runner; + defaultText = literalExpression "pkgs.github-runner"; + }; + + ephemeral = mkOption { + type = types.bool; + description = lib.mdDoc '' + If enabled, causes the following behavior: + + - Passes the `--ephemeral` flag to the runner configuration script + - De-registers and stops the runner with GitHub after it has processed one job + - On stop, systemd wipes the runtime directory (this always happens, even without using the ephemeral option) + - Restarts the service after its successful exit + - On start, wipes the state directory and configures a new runner + + You should only enable this option if `tokenFile` points to a file which contains a + personal access token (PAT). If you're using the option with a registration token, restarting the + service will fail as soon as the registration token expired. + ''; + default = false; + }; + + user = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc '' + User under which to run the service. If null, will use a systemd dynamic user. + ''; + default = null; + defaultText = literalExpression "username"; + }; +} diff --git a/nixos/modules/services/continuous-integration/github-runner/service.nix b/nixos/modules/services/continuous-integration/github-runner/service.nix new file mode 100644 index 0000000000000..49195410bb423 --- /dev/null +++ b/nixos/modules/services/continuous-integration/github-runner/service.nix @@ -0,0 +1,254 @@ +{ config +, lib +, pkgs + +, cfg ? config.services.github-runner +, svcName + +, systemdDir ? "${svcName}/${cfg.name}" + # %t: Runtime directory root (usually /run); see systemd.unit(5) +, runtimeDir ? "%t/${systemdDir}" + # %S: State directory root (usually /var/lib); see systemd.unit(5) +, stateDir ? "%S/${systemdDir}" + # %L: Log directory root (usually /var/log); see systemd.unit(5) +, logsDir ? "%L/${systemdDir}" + # Name of file stored in service state directory +, currentConfigTokenFilename ? ".current-token" + +, ... +}: + +with lib; + +{ + description = "GitHub Actions runner"; + + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = [ "network.target" "network-online.target" ]; + + environment = { + HOME = runtimeDir; + RUNNER_ROOT = stateDir; + } // cfg.extraEnvironment; + + path = (with pkgs; [ + bash + coreutils + git + gnutar + gzip + ]) ++ [ + config.nix.package + ] ++ cfg.extraPackages; + + serviceConfig = rec { + ExecStart = "${cfg.package}/bin/Runner.Listener run --startuptype service"; + + # Does the following, sequentially: + # - If the module configuration or the token has changed, purge the state directory, + # and create the current and the new token file with the contents of the configured + # token. While both files have the same content, only the later is accessible by + # the service user. + # - Configure the runner using the new token file. When finished, delete it. + # - Set up the directory structure by creating the necessary symlinks. + ExecStartPre = + let + # Wrapper script which expects the full path of the state, runtime and logs + # directory as arguments. Overrides the respective systemd variables to provide + # unambiguous directory names. This becomes relevant, for example, if the + # caller overrides any of the StateDirectory=, RuntimeDirectory= or LogDirectory= + # to contain more than one directory. This causes systemd to set the respective + # environment variables with the path of all of the given directories, separated + # by a colon. + writeScript = name: lines: pkgs.writeShellScript "${svcName}-${name}.sh" '' + set -euo pipefail + + STATE_DIRECTORY="$1" + RUNTIME_DIRECTORY="$2" + LOGS_DIRECTORY="$3" + + ${lines} + ''; + runnerRegistrationConfig = getAttrs [ "name" "tokenFile" "url" "runnerGroup" "extraLabels" "ephemeral" ] cfg; + newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig); + currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json"; + newConfigTokenPath= "$STATE_DIRECTORY/.new-token"; + currentConfigTokenPath = "$STATE_DIRECTORY/${currentConfigTokenFilename}"; + + runnerCredFiles = [ + ".credentials" + ".credentials_rsaparams" + ".runner" + ]; + unconfigureRunner = writeScript "unconfigure" '' + copy_tokens() { + # Copy the configured token file to the state dir and allow the service user to read the file + install --mode=666 ${escapeShellArg cfg.tokenFile} "${newConfigTokenPath}" + # Also copy current file to allow for a diff on the next start + install --mode=600 ${escapeShellArg cfg.tokenFile} "${currentConfigTokenPath}" + } + clean_state() { + find "$STATE_DIRECTORY/" -mindepth 1 -delete + copy_tokens + } + diff_config() { + changed=0 + # Check for module config changes + [[ -f "${currentConfigPath}" ]] \ + && ${pkgs.diffutils}/bin/diff -q '${newConfigPath}' "${currentConfigPath}" >/dev/null 2>&1 \ + || changed=1 + # Also check the content of the token file + [[ -f "${currentConfigTokenPath}" ]] \ + && ${pkgs.diffutils}/bin/diff -q "${currentConfigTokenPath}" ${escapeShellArg cfg.tokenFile} >/dev/null 2>&1 \ + || changed=1 + # If the config has changed, remove old state and copy tokens + if [[ "$changed" -eq 1 ]]; then + echo "Config has changed, removing old runner state." + echo "The old runner will still appear in the GitHub Actions UI." \ + "You have to remove it manually." + clean_state + fi + } + if [[ "${optionalString cfg.ephemeral "1"}" ]]; then + # In ephemeral mode, we always want to start with a clean state + clean_state + elif [[ "$(ls -A "$STATE_DIRECTORY")" ]]; then + # There are state files from a previous run; diff them to decide if we need a new registration + diff_config + else + # The state directory is entirely empty which indicates a first start + copy_tokens + fi ''; + configureRunner = writeScript "configure" '' + if [[ -e "${newConfigTokenPath}" ]]; then + echo "Configuring GitHub Actions Runner" + args=( + --unattended + --disableupdate + --work "$RUNTIME_DIRECTORY" + --url ${escapeShellArg cfg.url} + --labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)} + --name ${escapeShellArg cfg.name} + ${optionalString cfg.replace "--replace"} + ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"} + ${optionalString cfg.ephemeral "--ephemeral"} + ) + # If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option, + # if it is not a PAT, we assume it contains a registration token and use the --token option + token=$(<"${newConfigTokenPath}") + if [[ "$token" =~ ^ghp_* ]] || [[ "$token" =~ ^github_pat_* ]]; then + args+=(--pat "$token") + else + args+=(--token "$token") + fi + ${cfg.package}/bin/config.sh "''${args[@]}" + # Move the automatically created _diag dir to the logs dir + mkdir -p "$STATE_DIRECTORY/_diag" + cp -r "$STATE_DIRECTORY/_diag/." "$LOGS_DIRECTORY/" + rm -rf "$STATE_DIRECTORY/_diag/" + # Cleanup token from config + rm "${newConfigTokenPath}" + # Symlink to new config + ln -s '${newConfigPath}' "${currentConfigPath}" + fi + ''; + setupRuntimeDir = writeScript "setup-runtime-dirs" '' + # Link _diag dir + ln -s "$LOGS_DIRECTORY" "$RUNTIME_DIRECTORY/_diag" + + # Link the runner credentials to the runtime dir + ln -s "$STATE_DIRECTORY"/{${lib.concatStringsSep "," runnerCredFiles}} "$RUNTIME_DIRECTORY/" + ''; + in + map (x: "${x} ${escapeShellArgs [ stateDir runtimeDir logsDir ]}") [ + "+${unconfigureRunner}" # runs as root + configureRunner + setupRuntimeDir + ]; + + # If running in ephemeral mode, restart the service on-exit (i.e., successful de-registration of the runner) + # to trigger a fresh registration. + Restart = if cfg.ephemeral then "on-success" else "no"; + + # Contains _diag + LogsDirectory = [ systemdDir ]; + # Default RUNNER_ROOT which contains ephemeral Runner data + RuntimeDirectory = [ systemdDir ]; + # Home of persistent runner data, e.g., credentials + StateDirectory = [ systemdDir ]; + StateDirectoryMode = "0700"; + WorkingDirectory = runtimeDir; + + InaccessiblePaths = [ + # Token file path given in the configuration, if visible to the service + "-${cfg.tokenFile}" + # Token file in the state directory + "${stateDir}/${currentConfigTokenFilename}" + ]; + + KillSignal = "SIGINT"; + + # Hardening (may overlap with DynamicUser=) + # The following options are only for optimizing: + # systemd-analyze security github-runner + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + # ProtectClock= adds DeviceAllow=char-rtc r + DeviceAllow = ""; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + UMask = "0066"; + ProtectProc = "invisible"; + SystemCallFilter = [ + "~@clock" + "~@cpu-emulation" + "~@module" + "~@mount" + "~@obsolete" + "~@raw-io" + "~@reboot" + "~capset" + "~setdomainname" + "~sethostname" + ]; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ]; + + # Needs network access + PrivateNetwork = false; + # Cannot be true due to Node + MemoryDenyWriteExecute = false; + + # The more restrictive "pid" option makes `nix` commands in CI emit + # "GC Warning: Couldn't read /proc/stat" + # You may want to set this to "pid" if not using `nix` commands + ProcSubset = "all"; + # Coverage programs for compiled code such as `cargo-tarpaulin` disable + # ASLR (address space layout randomization) which requires the + # `personality` syscall + # You may want to set this to `true` if not using coverage tooling on + # compiled code + LockPersonality = false; + + # Note that this has some interactions with the User setting; so you may + # want to consult the systemd docs if using both. + DynamicUser = true; + } // ( + lib.optionalAttrs (cfg.user != null) { User = cfg.user; } + ) // cfg.serviceOverrides; +} diff --git a/nixos/modules/services/continuous-integration/github-runners.nix b/nixos/modules/services/continuous-integration/github-runners.nix new file mode 100644 index 0000000000000..78b57f9c7a256 --- /dev/null +++ b/nixos/modules/services/continuous-integration/github-runners.nix @@ -0,0 +1,56 @@ +{ config +, pkgs +, lib +, ... +}@args: + +with lib; + +let + cfg = config.services.github-runners; + +in + +{ + options.services.github-runners = mkOption { + default = {}; + type = with types; attrsOf (submodule { options = import ./github-runner/options.nix (args // { + # services.github-runners.${name}.name doesn't have a default; it falls back to ${name} below. + includeNameDefault = false; + }); }); + example = { + runner1 = { + enable = true; + url = "https://github.com/owner/repo"; + name = "runner1"; + tokenFile = "/secrets/token1"; + }; + + runner2 = { + enable = true; + url = "https://github.com/owner/repo"; + name = "runner2"; + tokenFile = "/secrets/token2"; + }; + }; + description = lib.mdDoc '' + Multiple GitHub Runners. + ''; + }; + + config = { + systemd.services = flip mapAttrs' cfg (n: v: + let + svcName = "github-runner-${n}"; + in + nameValuePair svcName + (import ./github-runner/service.nix (args // { + inherit svcName; + cfg = v // { + name = if v.name != null then v.name else n; + }; + systemdDir = "github-runner/${n}"; + })) + ); + }; +} diff --git a/nixos/modules/services/continuous-integration/gocd-server/default.nix b/nixos/modules/services/continuous-integration/gocd-server/default.nix index 80e819979fbfb..25c16a5c721ce 100644 --- a/nixos/modules/services/continuous-integration/gocd-server/default.nix +++ b/nixos/modules/services/continuous-integration/gocd-server/default.nix @@ -106,6 +106,8 @@ in { "-Dcruise.config.file=${cfg.workDir}/conf/cruise-config.xml" "-Dcruise.server.port=${toString cfg.port}" "-Dcruise.server.ssl.port=${toString cfg.sslPort}" + "--add-opens=java.base/java.lang=ALL-UNNAMED" + "--add-opens=java.base/java.util=ALL-UNNAMED" ]; defaultText = literalExpression '' [ @@ -119,6 +121,8 @@ in { "-Dcruise.config.file=''${config.${opt.workDir}}/conf/cruise-config.xml" "-Dcruise.server.port=''${toString config.${opt.port}}" "-Dcruise.server.ssl.port=''${toString config.${opt.sslPort}}" + "--add-opens=java.base/java.lang=ALL-UNNAMED" + "--add-opens=java.base/java.util=ALL-UNNAMED" ] ''; @@ -199,7 +203,7 @@ in { ${pkgs.git}/bin/git config --global --add http.sslCAinfo /etc/ssl/certs/ca-certificates.crt ${pkgs.jre}/bin/java -server ${concatStringsSep " " cfg.startupOptions} \ ${concatStringsSep " " cfg.extraOptions} \ - -jar ${pkgs.gocd-server}/go-server/go.jar + -jar ${pkgs.gocd-server}/go-server/lib/go.jar ''; serviceConfig = { diff --git a/nixos/modules/services/continuous-integration/jenkins/default.nix b/nixos/modules/services/continuous-integration/jenkins/default.nix index 6cd5718f42276..a9a587b41e881 100644 --- a/nixos/modules/services/continuous-integration/jenkins/default.nix +++ b/nixos/modules/services/continuous-integration/jenkins/default.nix @@ -87,8 +87,8 @@ in { }; packages = mkOption { - default = [ pkgs.stdenv pkgs.git pkgs.jdk11 config.programs.ssh.package pkgs.nix ]; - defaultText = literalExpression "[ pkgs.stdenv pkgs.git pkgs.jdk11 config.programs.ssh.package pkgs.nix ]"; + default = [ pkgs.stdenv pkgs.git pkgs.jdk17 config.programs.ssh.package pkgs.nix ]; + defaultText = literalExpression "[ pkgs.stdenv pkgs.git pkgs.jdk17 config.programs.ssh.package pkgs.nix ]"; type = types.listOf types.package; description = lib.mdDoc '' Packages to add to PATH for the jenkins process. @@ -228,7 +228,7 @@ in { # For reference: https://wiki.jenkins.io/display/JENKINS/JenkinsLinuxStartupScript script = '' - ${pkgs.jdk11}/bin/java ${concatStringsSep " " cfg.extraJavaOptions} -jar ${cfg.package}/webapps/jenkins.war --httpListenAddress=${cfg.listenAddress} \ + ${pkgs.jdk17}/bin/java ${concatStringsSep " " cfg.extraJavaOptions} -jar ${cfg.package}/webapps/jenkins.war --httpListenAddress=${cfg.listenAddress} \ --httpPort=${toString cfg.port} \ --prefix=${cfg.prefix} \ -Djava.awt.headless=true \ diff --git a/nixos/modules/services/continuous-integration/jenkins/job-builder.nix b/nixos/modules/services/continuous-integration/jenkins/job-builder.nix index 8dc06bf264162..3a1c6c1a371df 100644 --- a/nixos/modules/services/continuous-integration/jenkins/job-builder.nix +++ b/nixos/modules/services/continuous-integration/jenkins/job-builder.nix @@ -30,7 +30,7 @@ in { }; accessUser = mkOption { - default = ""; + default = "admin"; type = types.str; description = lib.mdDoc '' User id in Jenkins used to reload config. @@ -48,7 +48,8 @@ in { }; accessTokenFile = mkOption { - default = ""; + default = "${config.services.jenkins.home}/secrets/initialAdminPassword"; + defaultText = literalExpression ''"''${config.services.jenkins.home}/secrets/initialAdminPassword"''; type = types.str; example = "/run/keys/jenkins-job-builder-access-token"; description = lib.mdDoc '' diff --git a/nixos/modules/services/databases/postgresql.xml b/nixos/modules/services/databases/postgresql.xml index 0ca9f3faed212..e48c578e6ce63 100644 --- a/nixos/modules/services/databases/postgresql.xml +++ b/nixos/modules/services/databases/postgresql.xml @@ -72,16 +72,20 @@ Type "help" for help. { config, pkgs, ... }: { <xref linkend="opt-environment.systemPackages" /> = [ - (pkgs.writeScriptBin "upgrade-pg-cluster" '' + (let + # XXX specify the postgresql package you'd like to upgrade to. + # Do not forget to list the extensions you need. + newPostgres = pkgs.postgresql_13.withPackages (pp: [ + # pp.plv8 + ]); + in pkgs.writeScriptBin "upgrade-pg-cluster" '' set -eux # XXX it's perhaps advisable to stop all services that depend on postgresql systemctl stop postgresql - # XXX replace `<new version>` with the psqlSchema here - export NEWDATA="/var/lib/postgresql/<new version>" + export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}" - # XXX specify the postgresql package you'd like to upgrade to - export NEWBIN="${pkgs.postgresql_13}/bin" + export NEWBIN="${newPostgres}/bin" export OLDDATA="${config.<xref linkend="opt-services.postgresql.dataDir"/>}" export OLDBIN="${config.<xref linkend="opt-services.postgresql.package"/>}/bin" @@ -127,12 +131,25 @@ Type "help" for help. </listitem> <listitem> <para> - After the upgrade it's advisable to analyze the new cluster (as <literal>su -l postgres</literal> in the - <xref linkend="opt-services.postgresql.dataDir" />, in this example <filename>/var/lib/postgresql/13</filename>): + After the upgrade it's advisable to analyze the new cluster. + </para> + <itemizedlist> + <listitem> + <para> + For PostgreSQL ≥ 14, use the <literal>vacuumdb</literal> command printed by the upgrades script. + </para> + </listitem> + <listitem> + <para> + For PostgreSQL < 14, run (as <literal>su -l postgres</literal> in the <xref linkend="opt-services.postgresql.dataDir" />, in this example <filename>/var/lib/postgresql/13</filename>): <programlisting> <prompt>$ </prompt>./analyze_new_cluster.sh </programlisting> - <warning><para>The next step removes the old state-directory!</para></warning> + </para> + </listitem> + </itemizedlist> + <para> + <warning><para>The next step removes the old state-directory!</para></warning> <programlisting> <prompt>$ </prompt>./delete_old_cluster.sh </programlisting> diff --git a/nixos/modules/services/desktops/pipewire/daemon/filter-chain.conf.json b/nixos/modules/services/desktops/pipewire/daemon/filter-chain.conf.json new file mode 100644 index 0000000000000..689fca88359ba --- /dev/null +++ b/nixos/modules/services/desktops/pipewire/daemon/filter-chain.conf.json @@ -0,0 +1,28 @@ +{ + "context.properties": { + "log.level": 0 + }, + "context.spa-libs": { + "audio.convert.*": "audioconvert/libspa-audioconvert", + "support.*": "support/libspa-support" + }, + "context.modules": [ + { + "name": "libpipewire-module-rt", + "args": {}, + "flags": [ + "ifexists", + "nofail" + ] + }, + { + "name": "libpipewire-module-protocol-native" + }, + { + "name": "libpipewire-module-client-node" + }, + { + "name": "libpipewire-module-adapter" + } + ] +} diff --git a/nixos/modules/services/desktops/pipewire/daemon/pipewire-avb.conf.json b/nixos/modules/services/desktops/pipewire/daemon/pipewire-avb.conf.json new file mode 100644 index 0000000000000..4f669895d87b6 --- /dev/null +++ b/nixos/modules/services/desktops/pipewire/daemon/pipewire-avb.conf.json @@ -0,0 +1,38 @@ +{ + "context.properties": {}, + "context.spa-libs": { + "audio.convert.*": "audioconvert/libspa-audioconvert", + "support.*": "support/libspa-support" + }, + "context.modules": [ + { + "name": "libpipewire-module-rt", + "args": { + "nice.level": -11 + }, + "flags": [ + "ifexists", + "nofail" + ] + }, + { + "name": "libpipewire-module-protocol-native" + }, + { + "name": "libpipewire-module-client-node" + }, + { + "name": "libpipewire-module-adapter" + }, + { + "name": "libpipewire-module-avb", + "args": {} + } + ], + "context.exec": [], + "stream.properties": {}, + "avb.properties": { + "ifname": "enp3s0", + "vm.overrides": {} + } +} diff --git a/nixos/modules/services/hardware/pcscd.nix b/nixos/modules/services/hardware/pcscd.nix index 44d0d3b04a393..a09c64645c485 100644 --- a/nixos/modules/services/hardware/pcscd.nix +++ b/nixos/modules/services/hardware/pcscd.nix @@ -5,6 +5,10 @@ with lib; let cfgFile = pkgs.writeText "reader.conf" config.services.pcscd.readerConfig; + package = if config.security.polkit.enable + then pkgs.pcscliteWithPolkit + else pkgs.pcsclite; + pluginEnv = pkgs.buildEnv { name = "pcscd-plugins"; paths = map (p: "${p}/pcsc/drivers") config.services.pcscd.plugins; @@ -49,8 +53,8 @@ in environment.etc."reader.conf".source = cfgFile; - environment.systemPackages = [ pkgs.pcsclite ]; - systemd.packages = [ (getBin pkgs.pcsclite) ]; + environment.systemPackages = [ package ]; + systemd.packages = [ (getBin package) ]; systemd.sockets.pcscd.wantedBy = [ "sockets.target" ]; @@ -66,7 +70,7 @@ in # around it, we force the path to the cfgFile. # # https://github.com/NixOS/nixpkgs/issues/121088 - serviceConfig.ExecStart = [ "" "${getBin pkgs.pcsclite}/bin/pcscd -f -x -c ${cfgFile}" ]; + serviceConfig.ExecStart = [ "" "${getBin package}/bin/pcscd -f -x -c ${cfgFile}" ]; }; }; } diff --git a/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix b/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix index 9d083a615a2cd..f76ab701c5b9b 100644 --- a/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix +++ b/nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix @@ -33,7 +33,8 @@ in stdenv.mkDerivation { - name = "brscan4-etc-files-0.4.3-3"; + pname = "brscan4-etc-files"; + version = "0.4.3-3"; src = "${brscan4}/opt/brother/scanner/brscan4"; nativeBuildInputs = [ brscan4 ]; diff --git a/nixos/modules/services/hardware/udev.nix b/nixos/modules/services/hardware/udev.nix index 4b962da0c037d..7a7f8330243a2 100644 --- a/nixos/modules/services/hardware/udev.nix +++ b/nixos/modules/services/hardware/udev.nix @@ -192,7 +192,6 @@ in ###### interface options = { - boot.hardwareScan = mkOption { type = types.bool; default = true; @@ -205,6 +204,9 @@ in }; services.udev = { + enable = mkEnableOption (lib.mdDoc "udev") // { + default = true; + }; packages = mkOption { type = types.listOf types.path; @@ -345,7 +347,7 @@ in ###### implementation - config = mkIf (!config.boot.isContainer) { + config = mkIf cfg.enable { services.udev.extraRules = nixosRules; diff --git a/nixos/modules/services/logging/journalwatch.nix b/nixos/modules/services/logging/journalwatch.nix index a315da3ea0eee..55e2d600ee4fb 100644 --- a/nixos/modules/services/logging/journalwatch.nix +++ b/nixos/modules/services/logging/journalwatch.nix @@ -239,7 +239,7 @@ in { Type = "oneshot"; # requires a relative directory name to create beneath /var/lib StateDirectory = user; - StateDirectoryMode = 0750; + StateDirectoryMode = "0750"; ExecStart = "${pkgs.python3Packages.journalwatch}/bin/journalwatch mail"; # lowest CPU and IO priority, but both still in best-effort class to prevent starvation Nice=19; diff --git a/nixos/modules/services/mail/listmonk.nix b/nixos/modules/services/mail/listmonk.nix index 7c298606a5478..c4ea6747196c4 100644 --- a/nixos/modules/services/mail/listmonk.nix +++ b/nixos/modules/services/mail/listmonk.nix @@ -202,7 +202,7 @@ in { NoNewPrivileges = true; CapabilityBoundingSet = ""; SystemCallArchitecture = "native"; - SystemCallFilter = [ "@system-service" "~@privileged" "@resources" ]; + SystemCallFilter = [ "@system-service" "~@privileged" ]; ProtectDevices = true; ProtectControlGroups = true; ProtectKernelTunables = true; diff --git a/nixos/modules/services/matrix/appservice-discord.nix b/nixos/modules/services/matrix/appservice-discord.nix index 89b4bc98f494b..15f0f0cc0cdbf 100644 --- a/nixos/modules/services/matrix/appservice-discord.nix +++ b/nixos/modules/services/matrix/appservice-discord.nix @@ -137,7 +137,7 @@ in { PrivateTmp = true; WorkingDirectory = appDir; StateDirectory = baseNameOf dataDir; - UMask = 0027; + UMask = "0027"; EnvironmentFile = cfg.environmentFile; ExecStart = '' diff --git a/nixos/modules/services/matrix/mautrix-facebook.nix b/nixos/modules/services/matrix/mautrix-facebook.nix index 18c91f649b12d..e74f25df764db 100644 --- a/nixos/modules/services/matrix/mautrix-facebook.nix +++ b/nixos/modules/services/matrix/mautrix-facebook.nix @@ -25,6 +25,7 @@ in { default = { homeserver = { address = "http://localhost:8008"; + software = "standard"; }; appservice = rec { diff --git a/nixos/modules/services/matrix/mautrix-telegram.nix b/nixos/modules/services/matrix/mautrix-telegram.nix index be220e05a5261..cbca6435d6c2a 100644 --- a/nixos/modules/services/matrix/mautrix-telegram.nix +++ b/nixos/modules/services/matrix/mautrix-telegram.nix @@ -19,6 +19,10 @@ in { apply = recursiveUpdate default; inherit (settingsFormat) type; default = { + homeserver = { + software = "standard"; + }; + appservice = rec { database = "sqlite:///${dataDir}/mautrix-telegram.db"; database_opts = {}; @@ -81,7 +85,7 @@ in { description = lib.mdDoc '' {file}`config.yaml` configuration as a Nix attribute set. Configuration options should match those described in - [example-config.yaml](https://github.com/tulir/mautrix-telegram/blob/master/example-config.yaml). + [example-config.yaml](https://github.com/mautrix/telegram/blob/master/mautrix_telegram/example-config.yaml). Secret tokens should be specified using {option}`environmentFile` instead of this world-readable attribute set. @@ -162,7 +166,7 @@ in { PrivateTmp = true; WorkingDirectory = pkgs.mautrix-telegram; # necessary for the database migration scripts to be found StateDirectory = baseNameOf dataDir; - UMask = 0027; + UMask = "0027"; EnvironmentFile = cfg.environmentFile; ExecStart = '' diff --git a/nixos/modules/services/misc/ethminer.nix b/nixos/modules/services/misc/ethminer.nix index 909c49866e543..c9b2e24b8bf1b 100644 --- a/nixos/modules/services/misc/ethminer.nix +++ b/nixos/modules/services/misc/ethminer.nix @@ -85,7 +85,7 @@ in config = mkIf cfg.enable { systemd.services.ethminer = { - path = optional (cfg.toolkit == "cuda") [ pkgs.cudaPackages.cudatoolkit ]; + path = optionals (cfg.toolkit == "cuda") [ pkgs.cudaPackages.cudatoolkit ]; description = "ethminer ethereum mining service"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; diff --git a/nixos/modules/services/misc/geoipupdate.nix b/nixos/modules/services/misc/geoipupdate.nix index fafe4e3f24197..27c1157e9a8c7 100644 --- a/nixos/modules/services/misc/geoipupdate.nix +++ b/nixos/modules/services/misc/geoipupdate.nix @@ -183,7 +183,7 @@ in DynamicUser = true; ReadWritePaths = cfg.settings.DatabaseDirectory; RuntimeDirectory = "geoipupdate"; - RuntimeDirectoryMode = 0700; + RuntimeDirectoryMode = "0700"; CapabilityBoundingSet = ""; PrivateDevices = true; PrivateMounts = true; @@ -197,7 +197,7 @@ in ProtectKernelTunables = true; ProtectProc = "invisible"; ProcSubset = "pid"; - SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + SystemCallFilter = [ "@system-service" "~@privileged" ]; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; RestrictRealtime = true; RestrictNamespaces = true; diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index d9dece3343f6d..ac598108a01ef 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -592,7 +592,7 @@ in PrivateMounts = true; # System Call Filtering SystemCallArchitectures = "native"; - SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap"; + SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap"; }; environment = { diff --git a/nixos/modules/services/misc/mx-puppet-discord.nix b/nixos/modules/services/misc/mx-puppet-discord.nix index 33a6c8f26a957..36c9f8b122ea2 100644 --- a/nixos/modules/services/misc/mx-puppet-discord.nix +++ b/nixos/modules/services/misc/mx-puppet-discord.nix @@ -107,7 +107,7 @@ in { PrivateTmp = true; WorkingDirectory = pkgs.mx-puppet-discord; StateDirectory = baseNameOf dataDir; - UMask = 0027; + UMask = "0027"; ExecStart = '' ${pkgs.mx-puppet-discord}/bin/mx-puppet-discord \ diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index ba3ea4c47ac1d..e8a21c352bdd7 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -59,7 +59,7 @@ let ${mkKeyValuePairs cfg.settings} ${cfg.extraOptions} ''; - checkPhase = + checkPhase = lib.optionalString cfg.checkConfig ( if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then '' echo "Ignoring validation for cross-compilation" '' @@ -72,9 +72,9 @@ let ${cfg.package}/bin/nix show-config ${optionalString (isNixAtLeast "2.3pre") "--no-net"} \ ${optionalString (isNixAtLeast "2.4pre") "--option experimental-features nix-command"} \ |& sed -e 's/^warning:/error:/' \ - | (! grep '${if cfg.checkConfig then "^error:" else "^error: unknown setting"}') + | (! grep '${if cfg.checkAllErrors then "^error:" else "^error: unknown setting"}') set -o pipefail - ''; + ''); }; legacyConfMappings = { @@ -395,8 +395,15 @@ in type = types.bool; default = true; description = lib.mdDoc '' - If enabled (the default), checks for data type mismatches and that Nix - can parse the generated nix.conf. + If enabled, checks that Nix can parse the generated nix.conf. + ''; + }; + + checkAllErrors = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + If enabled, checks the nix.conf parsing for any kind of error. When disabled, checks only for unknown settings. ''; }; diff --git a/nixos/modules/services/misc/ntfy-sh.nix b/nixos/modules/services/misc/ntfy-sh.nix new file mode 100644 index 0000000000000..9d52fcf25364f --- /dev/null +++ b/nixos/modules/services/misc/ntfy-sh.nix @@ -0,0 +1,100 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.ntfy-sh; + + settingsFormat = pkgs.formats.yaml { }; +in + +{ + options.services.ntfy-sh = { + enable = mkEnableOption (mdDoc "[ntfy-sh](https://ntfy.sh), a push notification service"); + + package = mkOption { + type = types.package; + default = pkgs.ntfy-sh; + defaultText = literalExpression "pkgs.ntfy-sh"; + description = mdDoc "The ntfy.sh package to use."; + }; + + user = mkOption { + default = "ntfy-sh"; + type = types.str; + description = lib.mdDoc "User the ntfy-sh server runs under."; + }; + + group = mkOption { + default = "ntfy-sh"; + type = types.str; + description = lib.mdDoc "Primary group of ntfy-sh user."; + }; + + settings = mkOption { + type = types.submodule { freeformType = settingsFormat.type; }; + + default = { }; + + example = literalExpression '' + { + listen-http = ":8080"; + } + ''; + + description = mdDoc '' + Configuration for ntfy.sh, supported values are [here](https://ntfy.sh/docs/config/#config-options). + ''; + }; + }; + + config = + let + configuration = settingsFormat.generate "server.yml" cfg.settings; + in + mkIf cfg.enable { + # to configure access control via the cli + environment = { + etc."ntfy/server.yml".source = configuration; + systemPackages = [ cfg.package ]; + }; + + systemd.services.ntfy-sh = { + description = "Push notifications server"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + ExecStart = "${cfg.package}/bin/ntfy serve -c ${configuration}"; + User = cfg.user; + + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + PrivateTmp = true; + NoNewPrivileges = true; + CapabilityBoundingSet = "CAP_NET_BIND_SERVICE"; + ProtectSystem = "full"; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + PrivateDevices = true; + RestrictSUIDSGID = true; + RestrictNamespaces = true; + RestrictRealtime = true; + MemoryDenyWriteExecute = true; + }; + }; + + users.groups = optionalAttrs (cfg.group == "ntfy-sh") { + ntfy-sh = { }; + }; + + users.users = optionalAttrs (cfg.user == "ntfy-sh") { + ntfy-sh = { + isSystemUser = true; + group = cfg.group; + }; + }; + }; +} diff --git a/nixos/modules/services/misc/podgrab.nix b/nixos/modules/services/misc/podgrab.nix index 10c7bc96b8f04..c0a1247185050 100644 --- a/nixos/modules/services/misc/podgrab.nix +++ b/nixos/modules/services/misc/podgrab.nix @@ -36,7 +36,7 @@ in }; serviceConfig = { DynamicUser = true; - EnvironmentFile = lib.optional (cfg.passwordFile != null) [ + EnvironmentFile = lib.optionals (cfg.passwordFile != null) [ cfg.passwordFile ]; ExecStart = "${pkgs.podgrab}/bin/podgrab"; diff --git a/nixos/modules/services/misc/portunus.nix b/nixos/modules/services/misc/portunus.nix index 9e34b25e45273..0b283ea27d82c 100644 --- a/nixos/modules/services/misc/portunus.nix +++ b/nixos/modules/services/misc/portunus.nix @@ -212,9 +212,9 @@ in staticClients = forEach cfg.dex.oidcClients (client: { inherit (client) id; - redirectURIs = [ client.callbackURI ]; + redirectURIs = [ client.callbackURL ]; name = "OIDC for ${client.id}"; - secret = "$DEX_CLIENT_${client.id}"; + secretEnv = "DEX_CLIENT_${client.id}"; }); }; }; diff --git a/nixos/modules/services/misc/rmfakecloud.nix b/nixos/modules/services/misc/rmfakecloud.nix index 25857c173b6ff..1cdfdeceabcde 100644 --- a/nixos/modules/services/misc/rmfakecloud.nix +++ b/nixos/modules/services/misc/rmfakecloud.nix @@ -138,7 +138,7 @@ in { SystemCallArchitectures = "native"; WorkingDirectory = serviceDataDir; StateDirectory = baseNameOf serviceDataDir; - UMask = 0027; + UMask = "0027"; }; }; }; diff --git a/nixos/modules/services/misc/sonarr.nix b/nixos/modules/services/misc/sonarr.nix index 5a5c9b5aaad86..65c51d9677d9e 100644 --- a/nixos/modules/services/misc/sonarr.nix +++ b/nixos/modules/services/misc/sonarr.nix @@ -35,6 +35,15 @@ in default = "sonarr"; description = lib.mdDoc "Group under which Sonaar runs."; }; + + package = mkOption { + type = types.package; + default = pkgs.sonarr; + defaultText = literalExpression "pkgs.sonarr"; + description = lib.mdDoc '' + Sonarr package to use. + ''; + }; }; }; @@ -52,7 +61,7 @@ in Type = "simple"; User = cfg.user; Group = cfg.group; - ExecStart = "${pkgs.sonarr}/bin/NzbDrone -nobrowser -data='${cfg.dataDir}'"; + ExecStart = "${cfg.package}/bin/NzbDrone -nobrowser -data='${cfg.dataDir}'"; Restart = "on-failure"; }; }; diff --git a/nixos/modules/services/misc/sourcehut/default.nix b/nixos/modules/services/misc/sourcehut/default.nix index 9177f3cd022eb..a79149c8f58ad 100644 --- a/nixos/modules/services/misc/sourcehut/default.nix +++ b/nixos/modules/services/misc/sourcehut/default.nix @@ -1419,5 +1419,5 @@ in ]; meta.doc = ./sourcehut.xml; - meta.maintainers = with maintainers; [ julm tomberek ]; + meta.maintainers = with maintainers; [ tomberek ]; } diff --git a/nixos/modules/services/monitoring/grafana-image-renderer.nix b/nixos/modules/services/monitoring/grafana-image-renderer.nix index 549da138fe236..60f6e84c63c7d 100644 --- a/nixos/modules/services/monitoring/grafana-image-renderer.nix +++ b/nixos/modules/services/monitoring/grafana-image-renderer.nix @@ -106,9 +106,9 @@ in { } ]; - services.grafana.extraOptions = mkIf cfg.provisionGrafana { - RENDERING_SERVER_URL = "http://localhost:${toString cfg.settings.service.port}/render"; - RENDERING_CALLBACK_URL = "http://localhost:${toString config.services.grafana.port}"; + services.grafana.settings.rendering = mkIf cfg.provisionGrafana { + url = "http://localhost:${toString cfg.settings.service.port}/render"; + callback_url = "http://localhost:${toString config.services.grafana.port}"; }; services.grafana-image-renderer.chromium = mkDefault pkgs.chromium; diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index fd3418b8f6bd0..52d5cab9f5159 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -5,86 +5,29 @@ with lib; let cfg = config.services.grafana; opt = options.services.grafana; + provisioningSettingsFormat = pkgs.formats.yaml {}; declarativePlugins = pkgs.linkFarm "grafana-plugins" (builtins.map (pkg: { name = pkg.pname; path = pkg; }) cfg.declarativePlugins); - useMysql = cfg.database.type == "mysql"; - usePostgresql = cfg.database.type == "postgres"; - - envOptions = { - PATHS_DATA = cfg.dataDir; - PATHS_PLUGINS = if builtins.isNull cfg.declarativePlugins then "${cfg.dataDir}/plugins" else declarativePlugins; - PATHS_LOGS = "${cfg.dataDir}/log"; - - SERVER_SERVE_FROM_SUBPATH = boolToString cfg.server.serveFromSubPath; - SERVER_PROTOCOL = cfg.protocol; - SERVER_HTTP_ADDR = cfg.addr; - SERVER_HTTP_PORT = cfg.port; - SERVER_SOCKET = cfg.socket; - SERVER_DOMAIN = cfg.domain; - SERVER_ROOT_URL = cfg.rootUrl; - SERVER_STATIC_ROOT_PATH = cfg.staticRootPath; - SERVER_CERT_FILE = cfg.certFile; - SERVER_CERT_KEY = cfg.certKey; - - DATABASE_TYPE = cfg.database.type; - DATABASE_HOST = cfg.database.host; - DATABASE_NAME = cfg.database.name; - DATABASE_USER = cfg.database.user; - DATABASE_PASSWORD = cfg.database.password; - DATABASE_PATH = cfg.database.path; - DATABASE_CONN_MAX_LIFETIME = cfg.database.connMaxLifetime; - - SECURITY_ADMIN_USER = cfg.security.adminUser; - SECURITY_ADMIN_PASSWORD = cfg.security.adminPassword; - SECURITY_SECRET_KEY = cfg.security.secretKey; - - USERS_ALLOW_SIGN_UP = boolToString cfg.users.allowSignUp; - USERS_ALLOW_ORG_CREATE = boolToString cfg.users.allowOrgCreate; - USERS_AUTO_ASSIGN_ORG = boolToString cfg.users.autoAssignOrg; - USERS_AUTO_ASSIGN_ORG_ROLE = cfg.users.autoAssignOrgRole; - - AUTH_DISABLE_LOGIN_FORM = boolToString cfg.auth.disableLoginForm; - - AUTH_ANONYMOUS_ENABLED = boolToString cfg.auth.anonymous.enable; - AUTH_ANONYMOUS_ORG_NAME = cfg.auth.anonymous.org_name; - AUTH_ANONYMOUS_ORG_ROLE = cfg.auth.anonymous.org_role; - - AUTH_AZUREAD_NAME = "Azure AD"; - AUTH_AZUREAD_ENABLED = boolToString cfg.auth.azuread.enable; - AUTH_AZUREAD_ALLOW_SIGN_UP = boolToString cfg.auth.azuread.allowSignUp; - AUTH_AZUREAD_CLIENT_ID = cfg.auth.azuread.clientId; - AUTH_AZUREAD_SCOPES = "openid email profile"; - AUTH_AZUREAD_AUTH_URL = "https://login.microsoftonline.com/${cfg.auth.azuread.tenantId}/oauth2/v2.0/authorize"; - AUTH_AZUREAD_TOKEN_URL = "https://login.microsoftonline.com/${cfg.auth.azuread.tenantId}/oauth2/v2.0/token"; - AUTH_AZUREAD_ALLOWED_DOMAINS = cfg.auth.azuread.allowedDomains; - AUTH_AZUREAD_ALLOWED_GROUPS = cfg.auth.azuread.allowedGroups; - AUTH_AZUREAD_ROLE_ATTRIBUTE_STRICT = false; - - AUTH_GOOGLE_ENABLED = boolToString cfg.auth.google.enable; - AUTH_GOOGLE_ALLOW_SIGN_UP = boolToString cfg.auth.google.allowSignUp; - AUTH_GOOGLE_CLIENT_ID = cfg.auth.google.clientId; - - ANALYTICS_REPORTING_ENABLED = boolToString cfg.analytics.reporting.enable; - - SMTP_ENABLED = boolToString cfg.smtp.enable; - SMTP_HOST = cfg.smtp.host; - SMTP_USER = cfg.smtp.user; - SMTP_PASSWORD = cfg.smtp.password; - SMTP_FROM_ADDRESS = cfg.smtp.fromAddress; - } // cfg.extraOptions; + useMysql = cfg.settings.database.type == "mysql"; + usePostgresql = cfg.settings.database.type == "postgres"; + + settingsFormatIni = pkgs.formats.ini {}; + configFile = settingsFormatIni.generate "config.ini" cfg.settings; datasourceConfiguration = { apiVersion = 1; datasources = cfg.provision.datasources; }; - datasourceFile = pkgs.writeText "datasource.yaml" (builtins.toJSON datasourceConfiguration); + datasourceFileNew = if (cfg.provision.datasources.path == null) then provisioningSettingsFormat.generate "datasource.yaml" cfg.provision.datasources.settings else cfg.provision.datasources.path; + datasourceFile = if (builtins.isList cfg.provision.datasources) then provisioningSettingsFormat.generate "datasource.yaml" datasourceConfiguration else datasourceFileNew; dashboardConfiguration = { apiVersion = 1; providers = cfg.provision.dashboards; }; - dashboardFile = pkgs.writeText "dashboard.yaml" (builtins.toJSON dashboardConfiguration); + dashboardFileNew = if (cfg.provision.dashboards.path == null) then provisioningSettingsFormat.generate "dashboard.yaml" cfg.provision.dashboards.settings else cfg.provision.dashboards.path; + dashboardFile = if (builtins.isList cfg.provision.dashboards) then provisioningSettingsFormat.generate "dashboard.yaml" dashboardConfiguration else dashboardFileNew; notifierConfiguration = { apiVersion = 1; @@ -93,11 +36,25 @@ let notifierFile = pkgs.writeText "notifier.yaml" (builtins.toJSON notifierConfiguration); + generateAlertingProvisioningYaml = x: if (cfg.provision.alerting."${x}".path == null) + then provisioningSettingsFormat.generate "${x}.yaml" cfg.provision.alerting."${x}".settings + else cfg.provision.alerting."${x}".path; + rulesFile = generateAlertingProvisioningYaml "rules"; + contactPointsFile = generateAlertingProvisioningYaml "contactPoints"; + policiesFile = generateAlertingProvisioningYaml "policies"; + templatesFile = generateAlertingProvisioningYaml "templates"; + muteTimingsFile = generateAlertingProvisioningYaml "muteTimings"; + provisionConfDir = pkgs.runCommand "grafana-provisioning" { } '' - mkdir -p $out/{datasources,dashboards,notifiers} + mkdir -p $out/{datasources,dashboards,notifiers,alerting} ln -sf ${datasourceFile} $out/datasources/datasource.yaml ln -sf ${dashboardFile} $out/dashboards/dashboard.yaml ln -sf ${notifierFile} $out/notifiers/notifier.yaml + ln -sf ${rulesFile} $out/alerting/rules.yaml + ln -sf ${contactPointsFile} $out/alerting/contactPoints.yaml + ln -sf ${policiesFile} $out/alerting/policies.yaml + ln -sf ${templatesFile} $out/alerting/templates.yaml + ln -sf ${muteTimingsFile} $out/alerting/muteTimings.yaml ''; # Get a submodule without any embedded metadata: @@ -105,6 +62,8 @@ let # http://docs.grafana.org/administration/provisioning/#datasources grafanaTypes.datasourceConfig = types.submodule { + freeformType = provisioningSettingsFormat.type; + options = { name = mkOption { type = types.str; @@ -119,11 +78,6 @@ let default = "proxy"; description = lib.mdDoc "Access mode. proxy or direct (Server or Browser in the UI). Required."; }; - orgId = mkOption { - type = types.int; - default = 1; - description = lib.mdDoc "Org id. will default to orgId 1 if not specified."; - }; uid = mkOption { type = types.nullOr types.str; default = null; @@ -131,114 +85,68 @@ let }; url = mkOption { type = types.str; + default = "localhost"; description = lib.mdDoc "Url of the datasource."; }; - password = mkOption { - type = types.nullOr types.str; - default = null; - description = lib.mdDoc "Database password, if used."; - }; - user = mkOption { - type = types.nullOr types.str; - default = null; - description = lib.mdDoc "Database user, if used."; - }; - database = mkOption { - type = types.nullOr types.str; - default = null; - description = lib.mdDoc "Database name, if used."; - }; - basicAuth = mkOption { - type = types.nullOr types.bool; - default = null; - description = lib.mdDoc "Enable/disable basic auth."; + editable = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Allow users to edit datasources from the UI."; }; - basicAuthUser = mkOption { + password = mkOption { type = types.nullOr types.str; default = null; - description = lib.mdDoc "Basic auth username."; + description = lib.mdDoc '' + Database password, if used. Please note that the contents of this option + will end up in a world-readable Nix store. Use the file provider + pointing at a reasonably secured file in the local filesystem + to work around that. Look at the documentation for details: + <https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider> + ''; }; basicAuthPassword = mkOption { type = types.nullOr types.str; default = null; - description = lib.mdDoc "Basic auth password."; - }; - withCredentials = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc "Enable/disable with credentials headers."; - }; - isDefault = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc "Mark as default datasource. Max one per org."; - }; - jsonData = mkOption { - type = types.nullOr types.attrs; - default = null; - description = lib.mdDoc "Datasource specific configuration."; + description = lib.mdDoc '' + Basic auth password. Please note that the contents of this option + will end up in a world-readable Nix store. Use the file provider + pointing at a reasonably secured file in the local filesystem + to work around that. Look at the documentation for details: + <https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider> + ''; }; secureJsonData = mkOption { type = types.nullOr types.attrs; default = null; - description = lib.mdDoc "Datasource specific secure configuration."; - }; - version = mkOption { - type = types.int; - default = 1; - description = lib.mdDoc "Version."; - }; - editable = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc "Allow users to edit datasources from the UI."; + description = lib.mdDoc '' + Datasource specific secure configuration. Please note that the contents of this option + will end up in a world-readable Nix store. Use the file provider + pointing at a reasonably secured file in the local filesystem + to work around that. Look at the documentation for details: + <https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider> + ''; }; }; }; # http://docs.grafana.org/administration/provisioning/#dashboards grafanaTypes.dashboardConfig = types.submodule { + freeformType = provisioningSettingsFormat.type; + options = { name = mkOption { type = types.str; default = "default"; - description = lib.mdDoc "Provider name."; - }; - orgId = mkOption { - type = types.int; - default = 1; - description = lib.mdDoc "Organization ID."; - }; - folder = mkOption { - type = types.str; - default = ""; - description = lib.mdDoc "Add dashboards to the specified folder."; + description = lib.mdDoc "A unique provider name."; }; type = mkOption { type = types.str; default = "file"; description = lib.mdDoc "Dashboard provider type."; }; - disableDeletion = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc "Disable deletion when JSON file is removed."; - }; - updateIntervalSeconds = mkOption { - type = types.int; - default = 10; - description = lib.mdDoc "How often Grafana will scan for changed dashboards."; - }; - options = { - path = mkOption { - type = types.path; - description = lib.mdDoc "Path grafana will watch for dashboards."; - }; - foldersFromFilesStructure = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc "Use folder names from filesystem to create folders in Grafana."; - }; + options.path = mkOption { + type = types.path; + description = lib.mdDoc "Path grafana will watch for dashboards. Required when using the 'file' type."; }; }; }; @@ -296,76 +204,85 @@ let secure_settings = mkOption { type = types.nullOr types.attrs; default = null; - description = lib.mdDoc "Secure settings for the notifier type."; + description = lib.mdDoc '' + Secure settings for the notifier type. Please note that the contents of this option + will end up in a world-readable Nix store. Use the file provider + pointing at a reasonably secured file in the local filesystem + to work around that. Look at the documentation for details: + <https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider> + ''; }; }; }; in { + imports = [ + (mkRenamedOptionModule [ "services" "grafana" "protocol" ] [ "services" "grafana" "settings" "server" "protocol" ]) + (mkRenamedOptionModule [ "services" "grafana" "addr" ] [ "services" "grafana" "settings" "server" "http_addr" ]) + (mkRenamedOptionModule [ "services" "grafana" "port" ] [ "services" "grafana" "settings" "server" "http_port" ]) + (mkRenamedOptionModule [ "services" "grafana" "domain" ] [ "services" "grafana" "settings" "server" "domain" ]) + (mkRenamedOptionModule [ "services" "grafana" "rootUrl" ] [ "services" "grafana" "settings" "server" "root_url" ]) + (mkRenamedOptionModule [ "services" "grafana" "staticRootPath" ] [ "services" "grafana" "settings" "server" "static_root_path" ]) + (mkRenamedOptionModule [ "services" "grafana" "certFile" ] [ "services" "grafana" "settings" "server" "cert_file" ]) + (mkRenamedOptionModule [ "services" "grafana" "certKey" ] [ "services" "grafana" "settings" "server" "cert_key" ]) + (mkRenamedOptionModule [ "services" "grafana" "socket" ] [ "services" "grafana" "settings" "server" "socket" ]) + (mkRenamedOptionModule [ "services" "grafana" "database" "type" ] [ "services" "grafana" "settings" "database" "type" ]) + (mkRenamedOptionModule [ "services" "grafana" "database" "host" ] [ "services" "grafana" "settings" "database" "host" ]) + (mkRenamedOptionModule [ "services" "grafana" "database" "name" ] [ "services" "grafana" "settings" "database" "name" ]) + (mkRenamedOptionModule [ "services" "grafana" "database" "user" ] [ "services" "grafana" "settings" "database" "user" ]) + (mkRenamedOptionModule [ "services" "grafana" "database" "password" ] [ "services" "grafana" "settings" "database" "password" ]) + (mkRenamedOptionModule [ "services" "grafana" "database" "path" ] [ "services" "grafana" "settings" "database" "path" ]) + (mkRenamedOptionModule [ "services" "grafana" "database" "connMaxLifetime" ] [ "services" "grafana" "settings" "database" "conn_max_lifetime" ]) + (mkRenamedOptionModule [ "services" "grafana" "security" "adminUser" ] [ "services" "grafana" "settings" "security" "admin_user" ]) + (mkRenamedOptionModule [ "services" "grafana" "security" "adminPassword" ] [ "services" "grafana" "settings" "security" "admin_password" ]) + (mkRenamedOptionModule [ "services" "grafana" "security" "secretKey" ] [ "services" "grafana" "settings" "security" "secret_key" ]) + (mkRenamedOptionModule [ "services" "grafana" "server" "serveFromSubPath" ] [ "services" "grafana" "settings" "server" "serve_from_sub_path" ]) + (mkRenamedOptionModule [ "services" "grafana" "smtp" "enable" ] [ "services" "grafana" "settings" "smtp" "enabled" ]) + (mkRenamedOptionModule [ "services" "grafana" "smtp" "user" ] [ "services" "grafana" "settings" "smtp" "user" ]) + (mkRenamedOptionModule [ "services" "grafana" "smtp" "password" ] [ "services" "grafana" "settings" "smtp" "password" ]) + (mkRenamedOptionModule [ "services" "grafana" "smtp" "fromAddress" ] [ "services" "grafana" "settings" "smtp" "from_address" ]) + (mkRenamedOptionModule [ "services" "grafana" "users" "allowSignUp" ] [ "services" "grafana" "settings" "users" "allow_sign_up" ]) + (mkRenamedOptionModule [ "services" "grafana" "users" "allowOrgCreate" ] [ "services" "grafana" "settings" "users" "allow_org_create" ]) + (mkRenamedOptionModule [ "services" "grafana" "users" "autoAssignOrg" ] [ "services" "grafana" "settings" "users" "auto_assign_org" ]) + (mkRenamedOptionModule [ "services" "grafana" "users" "autoAssignOrgRole" ] [ "services" "grafana" "settings" "users" "auto_assign_org_role" ]) + (mkRenamedOptionModule [ "services" "grafana" "auth" "disableLoginForm" ] [ "services" "grafana" "settings" "auth" "disable_login_form" ]) + (mkRenamedOptionModule [ "services" "grafana" "auth" "anonymous" "enable" ] [ "services" "grafana" "settings" "auth.anonymous" "enabled" ]) + (mkRenamedOptionModule [ "services" "grafana" "auth" "anonymous" "org_name" ] [ "services" "grafana" "settings" "auth.anonymous" "org_name" ]) + (mkRenamedOptionModule [ "services" "grafana" "auth" "anonymous" "org_role" ] [ "services" "grafana" "settings" "auth.anonymous" "org_role" ]) + (mkRenamedOptionModule [ "services" "grafana" "auth" "azuread" "enable" ] [ "services" "grafana" "settings" "auth.azuread" "enabled" ]) + (mkRenamedOptionModule [ "services" "grafana" "auth" "azuread" "allowSignUp" ] [ "services" "grafana" "settings" "auth.azuread" "allow_sign_up" ]) + (mkRenamedOptionModule [ "services" "grafana" "auth" "azuread" "clientId" ] [ "services" "grafana" "settings" "auth.azuread" "client_id" ]) + (mkRenamedOptionModule [ "services" "grafana" "auth" "azuread" "allowedDomains" ] [ "services" "grafana" "settings" "auth.azuread" "allowed_domains" ]) + (mkRenamedOptionModule [ "services" "grafana" "auth" "azuread" "allowedGroups" ] [ "services" "grafana" "settings" "auth.azuread" "allowed_groups" ]) + (mkRenamedOptionModule [ "services" "grafana" "auth" "google" "enable" ] [ "services" "grafana" "settings" "auth.google" "enabled" ]) + (mkRenamedOptionModule [ "services" "grafana" "auth" "google" "allowSignUp" ] [ "services" "grafana" "settings" "auth.google" "allow_sign_up" ]) + (mkRenamedOptionModule [ "services" "grafana" "auth" "google" "clientId" ] [ "services" "grafana" "settings" "auth.google" "client_id" ]) + (mkRenamedOptionModule [ "services" "grafana" "analytics" "reporting" "enable" ] [ "services" "grafana" "settings" "analytics" "reporting_enabled" ]) + + (mkRemovedOptionModule [ "services" "grafana" "database" "passwordFile" ] '' + This option has been removed. Use 'services.grafana.settings.database.password' with file provider instead. + '') + (mkRemovedOptionModule [ "services" "grafana" "security" "adminPasswordFile" ] '' + This option has been removed. Use 'services.grafana.settings.security.admin_password' with file provider instead. + '') + (mkRemovedOptionModule [ "services" "grafana" "security" "secretKeyFile" ] '' + This option has been removed. Use 'services.grafana.settings.security.secret_key' with file provider instead. + '') + (mkRemovedOptionModule [ "services" "grafana" "smtp" "passwordFile" ] '' + This option has been removed. Use 'services.grafana.settings.smtp.password' with file provider instead. + '') + (mkRemovedOptionModule [ "services" "grafana" "auth" "azuread" "clientSecretFile" ] '' + This option has been removed. Use 'services.grafana.settings.azuread.client_secret' with file provider instead. + '') + (mkRemovedOptionModule [ "services" "grafana" "auth" "google" "clientSecretFile" ] '' + This option has been removed. Use 'services.grafana.settings.google.client_secret' with file provider instead. + '') + + (mkRemovedOptionModule [ "services" "grafana" "auth" "azuread" "tenantId" ] "This option has been deprecated upstream.") + ]; + options.services.grafana = { enable = mkEnableOption (lib.mdDoc "grafana"); - protocol = mkOption { - description = lib.mdDoc "Which protocol to listen."; - default = "http"; - type = types.enum ["http" "https" "socket"]; - }; - - addr = mkOption { - description = lib.mdDoc "Listening address."; - default = "127.0.0.1"; - type = types.str; - }; - - port = mkOption { - description = lib.mdDoc "Listening port."; - default = 3000; - type = types.port; - }; - - socket = mkOption { - description = lib.mdDoc "Listening socket."; - default = "/run/grafana/grafana.sock"; - type = types.str; - }; - - domain = mkOption { - description = lib.mdDoc "The public facing domain name used to access grafana from a browser."; - default = "localhost"; - type = types.str; - }; - - rootUrl = mkOption { - description = lib.mdDoc "Full public facing url."; - default = "%(protocol)s://%(domain)s:%(http_port)s/"; - type = types.str; - }; - - certFile = mkOption { - description = lib.mdDoc "Cert file for ssl."; - default = ""; - type = types.str; - }; - - certKey = mkOption { - description = lib.mdDoc "Cert key for ssl."; - default = ""; - type = types.str; - }; - - staticRootPath = mkOption { - description = lib.mdDoc "Root path for static assets."; - default = "${cfg.package}/share/grafana/public"; - defaultText = literalExpression ''"''${package}/share/grafana/public"''; - type = types.str; - }; - - package = mkOption { - description = lib.mdDoc "Package to use."; - default = pkgs.grafana; - defaultText = literalExpression "pkgs.grafana"; - type = types.package; - }; - declarativePlugins = mkOption { type = with types; nullOr (listOf path); default = null; @@ -377,348 +294,952 @@ in { apply = x: if isList x then lib.unique x else x; }; + package = mkOption { + description = lib.mdDoc "Package to use."; + default = pkgs.grafana; + defaultText = literalExpression "pkgs.grafana"; + type = types.package; + }; + dataDir = mkOption { description = lib.mdDoc "Data directory."; default = "/var/lib/grafana"; type = types.path; }; - database = { - type = mkOption { - description = lib.mdDoc "Database type."; - default = "sqlite3"; - type = types.enum ["mysql" "sqlite3" "postgres"]; - }; - - host = mkOption { - description = lib.mdDoc "Database host."; - default = "127.0.0.1:3306"; - type = types.str; - }; - - name = mkOption { - description = lib.mdDoc "Database name."; - default = "grafana"; - type = types.str; - }; - - user = mkOption { - description = lib.mdDoc "Database user."; - default = "root"; - type = types.str; - }; - - password = mkOption { - description = lib.mdDoc '' - Database password. - This option is mutual exclusive with the passwordFile option. - ''; - default = ""; - type = types.str; - }; - - passwordFile = mkOption { - description = lib.mdDoc '' - File that containts the database password. - This option is mutual exclusive with the password option. - ''; - default = null; - type = types.nullOr types.path; - }; - - path = mkOption { - description = lib.mdDoc "Database path."; - default = "${cfg.dataDir}/data/grafana.db"; - defaultText = literalExpression ''"''${config.${opt.dataDir}}/data/grafana.db"''; - type = types.path; - }; - - connMaxLifetime = mkOption { - description = lib.mdDoc '' - Sets the maximum amount of time (in seconds) a connection may be reused. - For MySQL this setting should be shorter than the `wait_timeout' variable. - ''; - default = "unlimited"; - example = 14400; - type = types.either types.int (types.enum [ "unlimited" ]); + settings = mkOption { + description = lib.mdDoc '' + Grafana settings. See <https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/> + for available options. INI format is used. + ''; + type = types.submodule { + freeformType = settingsFormatIni.type; + + options = { + paths = { + plugins = mkOption { + description = lib.mdDoc "Directory where grafana will automatically scan and look for plugins"; + default = if (cfg.declarativePlugins == null) then "${cfg.dataDir}/plugins" else declarativePlugins; + defaultText = literalExpression "if (cfg.declarativePlugins == null) then \"\${cfg.dataDir}/plugins\" else declarativePlugins"; + type = types.path; + }; + + provisioning = mkOption { + description = lib.mdDoc '' + Folder that contains provisioning config files that grafana will apply on startup and while running. + Don't change the value of this option if you are planning to use `services.grafana.provision` options. + ''; + default = provisionConfDir; + defaultText = literalExpression '' + pkgs.runCommand "grafana-provisioning" { } \'\' + mkdir -p $out/{datasources,dashboards,notifiers,alerting} + ln -sf ''${datasourceFile} $out/datasources/datasource.yaml + ln -sf ''${dashboardFile} $out/dashboards/dashboard.yaml + ln -sf ''${notifierFile} $out/notifiers/notifier.yaml + ln -sf ''${rulesFile} $out/alerting/rules.yaml + ln -sf ''${contactPointsFile} $out/alerting/contactPoints.yaml + ln -sf ''${policiesFile} $out/alerting/policies.yaml + ln -sf ''${templatesFile} $out/alerting/templates.yaml + ln -sf ''${muteTimingsFile} $out/alerting/muteTimings.yaml + \'\' + ''; + type = types.path; + }; + }; + + server = { + protocol = mkOption { + description = lib.mdDoc "Which protocol to listen."; + default = "http"; + type = types.enum ["http" "https" "h2" "socket"]; + }; + + http_addr = mkOption { + description = lib.mdDoc "Listening address."; + default = ""; + type = types.str; + }; + + http_port = mkOption { + description = lib.mdDoc "Listening port."; + default = 3000; + type = types.port; + }; + + domain = mkOption { + description = lib.mdDoc "The public facing domain name used to access grafana from a browser."; + default = "localhost"; + type = types.str; + }; + + root_url = mkOption { + description = lib.mdDoc "Full public facing url."; + default = "%(protocol)s://%(domain)s:%(http_port)s/"; + type = types.str; + }; + + static_root_path = mkOption { + description = lib.mdDoc "Root path for static assets."; + default = "${cfg.package}/share/grafana/public"; + defaultText = literalExpression ''"''${package}/share/grafana/public"''; + type = types.str; + }; + + enable_gzip = mkOption { + description = lib.mdDoc '' + Set this option to true to enable HTTP compression, this can improve transfer speed and bandwidth utilization. + It is recommended that most users set it to true. By default it is set to false for compatibility reasons. + ''; + default = false; + type = types.bool; + }; + + cert_file = mkOption { + description = lib.mdDoc "Cert file for ssl."; + default = ""; + type = types.str; + }; + + cert_key = mkOption { + description = lib.mdDoc "Cert key for ssl."; + default = ""; + type = types.str; + }; + + socket = mkOption { + description = lib.mdDoc "Path where the socket should be created when protocol=socket. Make sure that Grafana has appropriate permissions before you change this setting."; + default = "/run/grafana/grafana.sock"; + type = types.str; + }; + }; + + database = { + type = mkOption { + description = lib.mdDoc "Database type."; + default = "sqlite3"; + type = types.enum ["mysql" "sqlite3" "postgres"]; + }; + + host = mkOption { + description = lib.mdDoc "Database host."; + default = "127.0.0.1:3306"; + type = types.str; + }; + + name = mkOption { + description = lib.mdDoc "Database name."; + default = "grafana"; + type = types.str; + }; + + user = mkOption { + description = lib.mdDoc "Database user."; + default = "root"; + type = types.str; + }; + + password = mkOption { + description = lib.mdDoc '' + Database password. Please note that the contents of this option + will end up in a world-readable Nix store. Use the file provider + pointing at a reasonably secured file in the local filesystem + to work around that. Look at the documentation for details: + <https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider> + ''; + default = ""; + type = types.str; + }; + + path = mkOption { + description = lib.mdDoc "Only applicable to sqlite3 database. The file path where the database will be stored."; + default = "${cfg.dataDir}/data/grafana.db"; + defaultText = literalExpression ''"''${config.${opt.dataDir}}/data/grafana.db"''; + type = types.path; + }; + }; + + security = { + admin_user = mkOption { + description = lib.mdDoc "Default admin username."; + default = "admin"; + type = types.str; + }; + + admin_password = mkOption { + description = lib.mdDoc '' + Default admin password. Please note that the contents of this option + will end up in a world-readable Nix store. Use the file provider + pointing at a reasonably secured file in the local filesystem + to work around that. Look at the documentation for details: + <https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider> + ''; + default = "admin"; + type = types.str; + }; + + secret_key = mkOption { + description = lib.mdDoc '' + Secret key used for signing. Please note that the contents of this option + will end up in a world-readable Nix store. Use the file provider + pointing at a reasonably secured file in the local filesystem + to work around that. Look at the documentation for details: + <https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider> + ''; + default = "SW2YcwTIb9zpOOhoPsMm"; + type = types.str; + }; + }; + + smtp = { + enabled = mkOption { + description = lib.mdDoc "Whether to enable SMTP."; + default = false; + type = types.bool; + }; + host = mkOption { + description = lib.mdDoc "Host to connect to."; + default = "localhost:25"; + type = types.str; + }; + user = mkOption { + description = lib.mdDoc "User used for authentication."; + default = ""; + type = types.str; + }; + password = mkOption { + description = lib.mdDoc '' + Password used for authentication. Please note that the contents of this option + will end up in a world-readable Nix store. Use the file provider + pointing at a reasonably secured file in the local filesystem + to work around that. Look at the documentation for details: + <https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider> + ''; + default = ""; + type = types.str; + }; + from_address = mkOption { + description = lib.mdDoc "Email address used for sending."; + default = "admin@grafana.localhost"; + type = types.str; + }; + }; + + users = { + allow_sign_up = mkOption { + description = lib.mdDoc "Disable user signup / registration."; + default = false; + type = types.bool; + }; + + allow_org_create = mkOption { + description = lib.mdDoc "Whether user is allowed to create organizations."; + default = false; + type = types.bool; + }; + + auto_assign_org = mkOption { + description = lib.mdDoc "Whether to automatically assign new users to default org."; + default = true; + type = types.bool; + }; + + auto_assign_org_role = mkOption { + description = lib.mdDoc "Default role new users will be auto assigned."; + default = "Viewer"; + type = types.enum ["Viewer" "Editor"]; + }; + }; + + analytics.reporting_enabled = mkOption { + description = lib.mdDoc "Whether to allow anonymous usage reporting to stats.grafana.net."; + default = true; + type = types.bool; + }; + }; }; }; provision = { enable = mkEnableOption (lib.mdDoc "provision"); - datasources = mkOption { - description = lib.mdDoc "Grafana datasources configuration."; - default = []; - type = types.listOf grafanaTypes.datasourceConfig; - apply = x: map _filter x; - }; - dashboards = mkOption { - description = lib.mdDoc "Grafana dashboard configuration."; - default = []; - type = types.listOf grafanaTypes.dashboardConfig; - apply = x: map _filter x; - }; - notifiers = mkOption { - description = lib.mdDoc "Grafana notifier configuration."; - default = []; - type = types.listOf grafanaTypes.notifierConfig; - apply = x: map _filter x; - }; - }; - security = { - adminUser = mkOption { - description = lib.mdDoc "Default admin username."; - default = "admin"; - type = types.str; - }; - - adminPassword = mkOption { - description = lib.mdDoc '' - Default admin password. - This option is mutual exclusive with the adminPasswordFile option. - ''; - default = "admin"; - type = types.str; - }; - - adminPasswordFile = mkOption { + datasources = mkOption { description = lib.mdDoc '' - Default admin password. - This option is mutual exclusive with the `adminPassword` option. + Deprecated option for Grafana datasource configuration. Use either + `services.grafana.provision.datasources.settings` or + `services.grafana.provision.datasources.path` instead. ''; - default = null; - type = types.nullOr types.path; - }; - - secretKey = mkOption { - description = lib.mdDoc "Secret key used for signing."; - default = "SW2YcwTIb9zpOOhoPsMm"; - type = types.str; - }; + default = []; + apply = x: if (builtins.isList x) then map _filter x else x; + type = with types; either (listOf grafanaTypes.datasourceConfig) (submodule { + options.settings = mkOption { + description = lib.mdDoc '' + Grafana datasource configuration in Nix. Can't be used with + `services.grafana.provision.datasources.path` simultaneously. See + <https://grafana.com/docs/grafana/latest/administration/provisioning/#data-sources> + for supported options. + ''; + default = null; + type = types.nullOr (types.submodule { + options = { + apiVersion = mkOption { + description = lib.mdDoc "Config file version."; + default = 1; + type = types.int; + }; + + datasources = mkOption { + description = lib.mdDoc "List of datasources to insert/update."; + default = []; + type = types.listOf grafanaTypes.datasourceConfig; + }; + + deleteDatasources = mkOption { + description = lib.mdDoc "List of datasources that should be deleted from the database."; + default = []; + type = types.listOf (types.submodule { + options.name = mkOption { + description = lib.mdDoc "Name of the datasource to delete."; + type = types.str; + }; + + options.orgId = mkOption { + description = lib.mdDoc "Organization ID of the datasource to delete."; + type = types.int; + }; + }); + }; + }; + }); + example = literalExpression '' + { + apiVersion = 1; + + datasources = [{ + name = "Graphite"; + type = "graphite"; + }]; + + deleteDatasources = [{ + name = "Graphite"; + orgId = 1; + }]; + } + ''; + }; - secretKeyFile = mkOption { - description = lib.mdDoc "Secret key used for signing."; - default = null; - type = types.nullOr types.path; + options.path = mkOption { + description = lib.mdDoc '' + Path to YAML datasource configuration. Can't be used with + `services.grafana.provision.datasources.settings` simultaneously. + ''; + default = null; + type = types.nullOr types.path; + }; + }); }; - }; - server = { - serveFromSubPath = mkOption { - description = lib.mdDoc "Serve Grafana from subpath specified in rootUrl setting"; - default = false; - type = types.bool; - }; - }; - smtp = { - enable = mkEnableOption (lib.mdDoc "smtp"); - host = mkOption { - description = lib.mdDoc "Host to connect to."; - default = "localhost:25"; - type = types.str; - }; - user = mkOption { - description = lib.mdDoc "User used for authentication."; - default = ""; - type = types.str; - }; - password = mkOption { - description = lib.mdDoc '' - Password used for authentication. - This option is mutual exclusive with the passwordFile option. - ''; - default = ""; - type = types.str; - }; - passwordFile = mkOption { + dashboards = mkOption { description = lib.mdDoc '' - Password used for authentication. - This option is mutual exclusive with the password option. + Deprecated option for Grafana dashboard configuration. Use either + `services.grafana.provision.dashboards.settings` or + `services.grafana.provision.dashboards.path` instead. ''; - default = null; - type = types.nullOr types.path; - }; - fromAddress = mkOption { - description = lib.mdDoc "Email address used for sending."; - default = "admin@grafana.localhost"; - type = types.str; - }; - }; - - users = { - allowSignUp = mkOption { - description = lib.mdDoc "Disable user signup / registration."; - default = false; - type = types.bool; - }; + default = []; + apply = x: if (builtins.isList x) then map _filter x else x; + type = with types; either (listOf grafanaTypes.dashboardConfig) (submodule { + options.settings = mkOption { + description = lib.mdDoc '' + Grafana dashboard configuration in Nix. Can't be used with + `services.grafana.provision.dashboards.path` simultaneously. See + <https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards> + for supported options. + ''; + default = null; + type = types.nullOr (types.submodule { + options.apiVersion = mkOption { + description = lib.mdDoc "Config file version."; + default = 1; + type = types.int; + }; + + options.providers = mkOption { + description = lib.mdDoc "List of dashboards to insert/update."; + default = []; + type = types.listOf grafanaTypes.dashboardConfig; + }; + }); + example = literalExpression '' + { + apiVersion = 1; + + providers = [{ + name = "default"; + options.path = "/var/lib/grafana/dashboards"; + }]; + } + ''; + }; - allowOrgCreate = mkOption { - description = lib.mdDoc "Whether user is allowed to create organizations."; - default = false; - type = types.bool; + options.path = mkOption { + description = lib.mdDoc '' + Path to YAML dashboard configuration. Can't be used with + `services.grafana.provision.dashboards.settings` simultaneously. + ''; + default = null; + type = types.nullOr types.path; + }; + }); }; - autoAssignOrg = mkOption { - description = lib.mdDoc "Whether to automatically assign new users to default org."; - default = true; - type = types.bool; - }; - autoAssignOrgRole = mkOption { - description = lib.mdDoc "Default role new users will be auto assigned."; - default = "Viewer"; - type = types.enum ["Viewer" "Editor"]; + notifiers = mkOption { + description = lib.mdDoc "Grafana notifier configuration."; + default = []; + type = types.listOf grafanaTypes.notifierConfig; + apply = x: map _filter x; }; - }; - auth = { - disableLoginForm = mkOption { - description = lib.mdDoc "Set to true to disable (hide) the login form, useful if you use OAuth"; - default = false; - type = types.bool; - }; - anonymous = { - enable = mkOption { - description = lib.mdDoc "Whether to allow anonymous access."; - default = false; - type = types.bool; - }; - org_name = mkOption { - description = lib.mdDoc "Which organization to allow anonymous access to."; - default = "Main Org."; - type = types.str; - }; - org_role = mkOption { - description = lib.mdDoc "Which role anonymous users have in the organization."; - default = "Viewer"; - type = types.str; - }; - }; - azuread = { - enable = mkOption { - description = lib.mdDoc "Whether to allow Azure AD OAuth."; - default = false; - type = types.bool; - }; - allowSignUp = mkOption { - description = lib.mdDoc "Whether to allow sign up with Azure AD OAuth."; - default = false; - type = types.bool; - }; - clientId = mkOption { - description = lib.mdDoc "Azure AD OAuth client ID."; - default = ""; - type = types.str; - }; - clientSecretFile = mkOption { - description = lib.mdDoc "Azure AD OAuth client secret."; - default = null; - type = types.nullOr types.path; - }; - tenantId = mkOption { - description = lib.mdDoc '' - Tenant id used to create auth and token url. Default to "common" - , let user sign in with any tenant. + alerting = { + rules = { + path = mkOption { + description = lib.mdDoc '' + Path to YAML rules configuration. Can't be used with + `services.grafana.provision.alerting.rules.settings` simultaneously. ''; - default = "common"; - type = types.str; - }; - allowedDomains = mkOption { - description = lib.mdDoc '' - Limits access to users who belong to specific domains. - Separate domains with space or comma. - ''; - default = ""; - type = types.str; - }; - allowedGroups = mkOption { - description = lib.mdDoc '' - To limit access to authenticated users who are members of one or more groups, - set allowedGroups to a comma- or space-separated list of group object IDs. - You can find object IDs for a specific group on the Azure portal. + default = null; + type = types.nullOr types.path; + }; + + settings = mkOption { + description = lib.mdDoc '' + Grafana rules configuration in Nix. Can't be used with + `services.grafana.provision.alerting.rules.path` simultaneously. See + <https://grafana.com/docs/grafana/latest/administration/provisioning/#rules> + for supported options. ''; - default = ""; - type = types.str; - }; - }; - google = { - enable = mkOption { - description = lib.mdDoc "Whether to allow Google OAuth2."; - default = false; - type = types.bool; + default = null; + type = types.nullOr (types.submodule { + options = { + apiVersion = mkOption { + description = lib.mdDoc "Config file version."; + default = 1; + type = types.int; + }; + + groups = mkOption { + description = lib.mdDoc "List of rule groups to import or update."; + default = []; + type = types.listOf (types.submodule { + freeformType = provisioningSettingsFormat.type; + + options.name = mkOption { + description = lib.mdDoc "Name of the rule group. Required."; + type = types.str; + }; + + options.folder = mkOption { + description = lib.mdDoc "Name of the folder the rule group will be stored in. Required."; + type = types.str; + }; + + options.interval = mkOption { + description = lib.mdDoc "Interval that the rule group should be evaluated at. Required."; + type = types.str; + }; + }); + }; + + deleteRules = mkOption { + description = lib.mdDoc "List of alert rule UIDs that should be deleted."; + default = []; + type = types.listOf (types.submodule { + options.orgId = mkOption { + description = lib.mdDoc "Organization ID, default = 1"; + default = 1; + type = types.int; + }; + + options.uid = mkOption { + description = lib.mdDoc "Unique identifier for the rule. Required."; + type = types.str; + }; + }); + }; + }; + }); + example = literalExpression '' + { + apiVersion = 1; + + groups = [{ + orgId = 1; + name = "my_rule_group"; + folder = "my_first_folder"; + interval = "60s"; + rules = [{ + uid = "my_id_1"; + title = "my_first_rule"; + condition = "A"; + data = [{ + refId = "A"; + datasourceUid = "-100"; + model = { + conditions = [{ + evaluator = { + params = [ 3 ]; + type = "git"; + }; + operator.type = "and"; + query.params = [ "A" ]; + reducer.type = "last"; + type = "query"; + }]; + datasource = { + type = "__expr__"; + uid = "-100"; + }; + expression = "1==0"; + intervalMs = 1000; + maxDataPoints = 43200; + refId = "A"; + type = "math"; + }; + }]; + dashboardUid = "my_dashboard"; + panelId = 123; + noDataState = "Alerting"; + for = "60s"; + annotations.some_key = "some_value"; + labels.team = "sre_team1"; + }]; + }]; + + deleteRules = [{ + orgId = 1; + uid = "my_id_1"; + }]; + } + ''; + }; }; - allowSignUp = mkOption { - description = lib.mdDoc "Whether to allow sign up with Google OAuth2."; - default = false; - type = types.bool; + + contactPoints = { + path = mkOption { + description = lib.mdDoc '' + Path to YAML contact points configuration. Can't be used with + `services.grafana.provision.alerting.contactPoints.settings` simultaneously. + ''; + default = null; + type = types.nullOr types.path; + }; + + settings = mkOption { + description = lib.mdDoc '' + Grafana contact points configuration in Nix. Can't be used with + `services.grafana.provision.alerting.contactPoints.path` simultaneously. See + <https://grafana.com/docs/grafana/latest/administration/provisioning/#contact-points> + for supported options. + ''; + default = null; + type = types.nullOr (types.submodule { + options = { + apiVersion = mkOption { + description = lib.mdDoc "Config file version."; + default = 1; + type = types.int; + }; + + contactPoints = mkOption { + description = lib.mdDoc "List of contact points to import or update. Please note that sensitive data will end up in world-readable Nix store."; + default = []; + type = types.listOf (types.submodule { + freeformType = provisioningSettingsFormat.type; + + options.name = mkOption { + description = lib.mdDoc "Name of the contact point. Required."; + type = types.str; + }; + }); + }; + + deleteContactPoints = mkOption { + description = lib.mdDoc "List of receivers that should be deleted."; + default = []; + type = types.listOf (types.submodule { + options.orgId = mkOption { + description = lib.mdDoc "Organization ID, default = 1."; + default = 1; + type = types.int; + }; + + options.uid = mkOption { + description = lib.mdDoc "Unique identifier for the receiver. Required."; + type = types.str; + }; + }); + }; + }; + }); + example = literalExpression '' + { + apiVersion = 1; + + contactPoints = [{ + orgId = 1; + name = "cp_1"; + receivers = [{ + uid = "first_uid"; + type = "prometheus-alertmanager"; + settings.url = "http://test:9000"; + }]; + }]; + + deleteContactPoints = [{ + orgId = 1; + uid = "first_uid"; + }]; + } + ''; + }; }; - clientId = mkOption { - description = lib.mdDoc "Google OAuth2 client ID."; - default = ""; - type = types.str; + + policies = { + path = mkOption { + description = lib.mdDoc '' + Path to YAML notification policies configuration. Can't be used with + `services.grafana.provision.alerting.policies.settings` simultaneously. + ''; + default = null; + type = types.nullOr types.path; + }; + + settings = mkOption { + description = lib.mdDoc '' + Grafana notification policies configuration in Nix. Can't be used with + `services.grafana.provision.alerting.policies.path` simultaneously. See + <https://grafana.com/docs/grafana/latest/administration/provisioning/#notification-policies> + for supported options. + ''; + default = null; + type = types.nullOr (types.submodule { + options = { + apiVersion = mkOption { + description = lib.mdDoc "Config file version."; + default = 1; + type = types.int; + }; + + policies = mkOption { + description = lib.mdDoc "List of contact points to import or update."; + default = []; + type = types.listOf (types.submodule { + freeformType = provisioningSettingsFormat.type; + }); + }; + + resetPolicies = mkOption { + description = lib.mdDoc "List of orgIds that should be reset to the default policy."; + default = []; + type = types.listOf types.int; + }; + }; + }); + example = literalExpression '' + { + apiVersion = 1; + + policies = [{ + orgId = 1; + receiver = "grafana-default-email"; + group_by = [ "..." ]; + matchers = [ + "alertname = Watchdog" + "severity =~ \"warning|critical\"" + ]; + mute_time_intervals = [ + "abc" + ]; + group_wait = "30s"; + group_interval = "5m"; + repeat_interval = "4h"; + }]; + + resetPolicies = [ + 1 + ]; + } + ''; + }; }; - clientSecretFile = mkOption { - description = lib.mdDoc "Google OAuth2 client secret."; - default = null; - type = types.nullOr types.path; + + templates = { + path = mkOption { + description = lib.mdDoc '' + Path to YAML templates configuration. Can't be used with + `services.grafana.provision.alerting.templates.settings` simultaneously. + ''; + default = null; + type = types.nullOr types.path; + }; + + settings = mkOption { + description = lib.mdDoc '' + Grafana templates configuration in Nix. Can't be used with + `services.grafana.provision.alerting.templates.path` simultaneously. See + <https://grafana.com/docs/grafana/latest/administration/provisioning/#templates> + for supported options. + ''; + default = null; + type = types.nullOr (types.submodule { + options = { + apiVersion = mkOption { + description = lib.mdDoc "Config file version."; + default = 1; + type = types.int; + }; + + templates = mkOption { + description = lib.mdDoc "List of templates to import or update."; + default = []; + type = types.listOf (types.submodule { + freeformType = provisioningSettingsFormat.type; + + options.name = mkOption { + description = lib.mdDoc "Name of the template, must be unique. Required."; + type = types.str; + }; + + options.template = mkOption { + description = lib.mdDoc "Alerting with a custom text template"; + type = types.str; + }; + }); + }; + + deleteTemplates = mkOption { + description = lib.mdDoc "List of alert rule UIDs that should be deleted."; + default = []; + type = types.listOf (types.submodule { + options.orgId = mkOption { + description = lib.mdDoc "Organization ID, default = 1."; + default = 1; + type = types.int; + }; + + options.name = mkOption { + description = lib.mdDoc "Name of the template, must be unique. Required."; + type = types.str; + }; + }); + }; + }; + }); + example = literalExpression '' + { + apiVersion = 1; + + templates = [{ + orgId = 1; + name = "my_first_template"; + template = "Alerting with a custom text template"; + }]; + + deleteTemplates = [{ + orgId = 1; + name = "my_first_template"; + }]; + } + ''; + }; }; - }; - }; - analytics.reporting = { - enable = mkOption { - description = lib.mdDoc "Whether to allow anonymous usage reporting to stats.grafana.net."; - default = true; - type = types.bool; + muteTimings = { + path = mkOption { + description = lib.mdDoc '' + Path to YAML mute timings configuration. Can't be used with + `services.grafana.provision.alerting.muteTimings.settings` simultaneously. + ''; + default = null; + type = types.nullOr types.path; + }; + + settings = mkOption { + description = lib.mdDoc '' + Grafana mute timings configuration in Nix. Can't be used with + `services.grafana.provision.alerting.muteTimings.path` simultaneously. See + <https://grafana.com/docs/grafana/latest/administration/provisioning/#mute-timings> + for supported options. + ''; + default = null; + type = types.nullOr (types.submodule { + options = { + apiVersion = mkOption { + description = lib.mdDoc "Config file version."; + default = 1; + type = types.int; + }; + + muteTimes = mkOption { + description = lib.mdDoc "List of mute time intervals to import or update."; + default = []; + type = types.listOf (types.submodule { + freeformType = provisioningSettingsFormat.type; + + options.name = mkOption { + description = lib.mdDoc "Name of the mute time interval, must be unique. Required."; + type = types.str; + }; + }); + }; + + deleteMuteTimes = mkOption { + description = lib.mdDoc "List of mute time intervals that should be deleted."; + default = []; + type = types.listOf (types.submodule { + options.orgId = mkOption { + description = lib.mdDoc "Organization ID, default = 1."; + default = 1; + type = types.int; + }; + + options.name = mkOption { + description = lib.mdDoc "Name of the mute time interval, must be unique. Required."; + type = types.str; + }; + }); + }; + }; + }); + example = literalExpression '' + { + apiVersion = 1; + + muteTimes = [{ + orgId = 1; + name = "mti_1"; + time_intervals = [{ + times = [{ + start_time = "06:00"; + end_time = "23:59"; + }]; + weekdays = [ + "monday:wednesday" + "saturday" + "sunday" + ]; + months = [ + "1:3" + "may:august" + "december" + ]; + years = [ + "2020:2022" + "2030" + ]; + days_of_month = [ + "1:5" + "-3:-1" + ]; + }]; + }]; + + deleteMuteTimes = [{ + orgId = 1; + name = "mti_1"; + }]; + } + ''; + }; + }; }; }; - - extraOptions = mkOption { - description = lib.mdDoc '' - Extra configuration options passed as env variables as specified in - [documentation](http://docs.grafana.org/installation/configuration/), - but without GF_ prefix - ''; - default = {}; - type = with types; attrsOf (either str path); - }; }; config = mkIf cfg.enable { - warnings = flatten [ + warnings = let + usesFileProvider = opt: defaultValue: builtins.match "^${defaultValue}$|^\\$__file\\{.*}$" opt != null; + in flatten [ (optional ( - cfg.database.password != opt.database.password.default || - cfg.security.adminPassword != opt.security.adminPassword.default - ) "Grafana passwords will be stored as plaintext in the Nix store!") + ! usesFileProvider cfg.settings.database.password "" || + ! usesFileProvider cfg.settings.security.admin_password "admin" + ) "Grafana passwords will be stored as plaintext in the Nix store! Use file provider instead.") (optional ( - any (x: x.password != null || x.basicAuthPassword != null || x.secureJsonData != null) cfg.provision.datasources - ) "Datasource passwords will be stored as plaintext in the Nix store!") + let + checkOpts = opt: any (x: x.password != null || x.basicAuthPassword != null || x.secureJsonData != null) opt; + datasourcesUsed = if (cfg.provision.datasources.settings == null) then [] else cfg.provision.datasources.settings.datasources; + in if (builtins.isList cfg.provision.datasources) then checkOpts cfg.provision.datasources else checkOpts datasourcesUsed + ) '' + Datasource passwords will be stored as plaintext in the Nix store! + It is not possible to use file provider in provisioning; please provision + datasources via `services.grafana.provision.datasources.path` instead. + '') (optional ( any (x: x.secure_settings != null) cfg.provision.notifiers - ) "Notifier secure settings will be stored as plaintext in the Nix store!") + ) "Notifier secure settings will be stored as plaintext in the Nix store! Use file provider instead.") + (optional ( + builtins.isList cfg.provision.datasources && cfg.provision.datasources != [] + ) '' + Provisioning Grafana datasources with options has been deprecated. + Use `services.grafana.provision.datasources.settings` or + `services.grafana.provision.datasources.path` instead. + '') + (optional ( + builtins.isList cfg.provision.datasources && cfg.provision.dashboards != [] + ) '' + Provisioning Grafana dashboards with options has been deprecated. + Use `services.grafana.provision.dashboards.settings` or + `services.grafana.provision.dashboards.path` instead. + '') + (optional ( + cfg.provision.notifiers != [] + ) '' + Notifiers are deprecated upstream and will be removed in Grafana 10. + Use `services.grafana.provision.alerting.contactPoints` instead. + '') ]; environment.systemPackages = [ cfg.package ]; assertions = [ { - assertion = cfg.database.password != opt.database.password.default -> cfg.database.passwordFile == null; - message = "Cannot set both password and passwordFile"; + assertion = if (builtins.isList cfg.provision.datasources) then true else cfg.provision.datasources.settings == null || cfg.provision.datasources.path == null; + message = "Cannot set both datasources settings and datasources path"; + } + { + assertion = let + prometheusIsNotDirect = opt: all + ({ type, access, ... }: type == "prometheus" -> access != "direct") + opt; + in + if (builtins.isList cfg.provision.datasources) then prometheusIsNotDirect cfg.provision.datasources + else cfg.provision.datasources.settings == null || prometheusIsNotDirect cfg.provision.datasources.settings.datasources; + message = "For datasources of type `prometheus`, the `direct` access mode is not supported anymore (since Grafana 9.2.0)"; + } + { + assertion = if (builtins.isList cfg.provision.dashboards) then true else cfg.provision.dashboards.settings == null || cfg.provision.dashboards.path == null; + message = "Cannot set both dashboards settings and dashboards path"; + } + { + assertion = cfg.provision.alerting.rules.settings == null || cfg.provision.alerting.rules.path == null; + message = "Cannot set both rules settings and rules path"; + } + { + assertion = cfg.provision.alerting.contactPoints.settings == null || cfg.provision.alerting.contactPoints.path == null; + message = "Cannot set both contact points settings and contact points path"; } { - assertion = cfg.security.adminPassword != opt.security.adminPassword.default -> cfg.security.adminPasswordFile == null; - message = "Cannot set both adminPassword and adminPasswordFile"; + assertion = cfg.provision.alerting.policies.settings == null || cfg.provision.alerting.policies.path == null; + message = "Cannot set both policies settings and policies path"; } { - assertion = cfg.security.secretKey != opt.security.secretKey.default -> cfg.security.secretKeyFile == null; - message = "Cannot set both secretKey and secretKeyFile"; + assertion = cfg.provision.alerting.templates.settings == null || cfg.provision.alerting.templates.path == null; + message = "Cannot set both templates settings and templates path"; } { - assertion = cfg.smtp.password != opt.smtp.password.default -> cfg.smtp.passwordFile == null; - message = "Cannot set both password and passwordFile"; + assertion = cfg.provision.alerting.muteTimings.settings == null || cfg.provision.alerting.muteTimings.path == null; + message = "Cannot set both mute timings settings and mute timings path"; } ]; @@ -726,41 +1247,11 @@ in { description = "Grafana Service Daemon"; wantedBy = ["multi-user.target"]; after = ["networking.target"] ++ lib.optional usePostgresql "postgresql.service" ++ lib.optional useMysql "mysql.service"; - environment = { - QT_QPA_PLATFORM = "offscreen"; - } // mapAttrs' (n: v: nameValuePair "GF_${n}" (toString v)) envOptions; script = '' set -o errexit -o pipefail -o nounset -o errtrace shopt -s inherit_errexit - ${optionalString (cfg.auth.azuread.clientSecretFile != null) '' - GF_AUTH_AZUREAD_CLIENT_SECRET="$(<${escapeShellArg cfg.auth.azuread.clientSecretFile})" - export GF_AUTH_AZUREAD_CLIENT_SECRET - ''} - ${optionalString (cfg.auth.google.clientSecretFile != null) '' - GF_AUTH_GOOGLE_CLIENT_SECRET="$(<${escapeShellArg cfg.auth.google.clientSecretFile})" - export GF_AUTH_GOOGLE_CLIENT_SECRET - ''} - ${optionalString (cfg.database.passwordFile != null) '' - GF_DATABASE_PASSWORD="$(<${escapeShellArg cfg.database.passwordFile})" - export GF_DATABASE_PASSWORD - ''} - ${optionalString (cfg.security.adminPasswordFile != null) '' - GF_SECURITY_ADMIN_PASSWORD="$(<${escapeShellArg cfg.security.adminPasswordFile})" - export GF_SECURITY_ADMIN_PASSWORD - ''} - ${optionalString (cfg.security.secretKeyFile != null) '' - GF_SECURITY_SECRET_KEY="$(<${escapeShellArg cfg.security.secretKeyFile})" - export GF_SECURITY_SECRET_KEY - ''} - ${optionalString (cfg.smtp.passwordFile != null) '' - GF_SMTP_PASSWORD="$(<${escapeShellArg cfg.smtp.passwordFile})" - export GF_SMTP_PASSWORD - ''} - ${optionalString cfg.provision.enable '' - export GF_PATHS_PROVISIONING=${provisionConfDir}; - ''} - exec ${cfg.package}/bin/grafana-server -homepath ${cfg.dataDir} + exec ${cfg.package}/bin/grafana-server -homepath ${cfg.dataDir} -config ${configFile} ''; serviceConfig = { WorkingDirectory = cfg.dataDir; @@ -768,8 +1259,8 @@ in { RuntimeDirectory = "grafana"; RuntimeDirectoryMode = "0755"; # Hardening - AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; - CapabilityBoundingSet = if (cfg.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ]; + AmbientCapabilities = lib.mkIf (cfg.settings.server.http_port < 1024) [ "CAP_NET_BIND_SERVICE" ]; + CapabilityBoundingSet = if (cfg.settings.server.http_port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ]; DeviceAllow = [ "" ]; LockPersonality = true; NoNewPrivileges = true; diff --git a/nixos/modules/services/monitoring/karma.nix b/nixos/modules/services/monitoring/karma.nix new file mode 100644 index 0000000000000..85dbc81f443f0 --- /dev/null +++ b/nixos/modules/services/monitoring/karma.nix @@ -0,0 +1,128 @@ +{ config, pkgs, lib, ... }: +with lib; +let + cfg = config.services.karma; + yaml = pkgs.formats.yaml { }; +in +{ + options.services.karma = { + enable = mkEnableOption (mdDoc "the Karma dashboard service"); + + package = mkOption { + type = types.package; + default = pkgs.karma; + defaultText = literalExpression "pkgs.karma"; + description = mdDoc '' + The Karma package that should be used. + ''; + }; + + configFile = mkOption { + type = types.path; + default = yaml.generate "karma.yaml" cfg.settings; + defaultText = "A configuration file generated from the provided nix attributes settings option."; + description = mdDoc '' + A YAML config file which can be used to configure karma instead of the nix-generated file. + ''; + example = "/etc/karma/karma.conf"; + }; + + environment = mkOption { + type = with types; attrsOf str; + default = {}; + description = mdDoc '' + Additional environment variables to provide to karma. + ''; + example = { + ALERTMANAGER_URI = "https://alertmanager.example.com"; + ALERTMANAGER_NAME= "single"; + }; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = mdDoc '' + Whether to open ports in the firewall needed for karma to function. + ''; + }; + + extraOptions = mkOption { + type = with types; listOf str; + default = []; + description = mdDoc '' + Extra command line options. + ''; + example = [ + "--alertmanager.timeout 10s" + ]; + }; + + settings = mkOption { + type = types.submodule { + freeformType = yaml.type; + + options.listen = { + address = mkOption { + type = types.str; + default = "127.0.0.1"; + description = mdDoc '' + Hostname or IP to listen on. + ''; + example = "[::]"; + }; + + port = mkOption { + type = types.port; + default = 8080; + description = mdDoc '' + HTTP port to listen on. + ''; + example = 8182; + }; + }; + }; + default = { + listen = { + address = "127.0.0.1"; + }; + }; + description = mdDoc '' + Karma dashboard configuration as nix attributes. + + Reference: <https://github.com/prymitive/karma/blob/main/docs/CONFIGURATION.md> + ''; + example = { + listen = { + address = "192.168.1.4"; + port = "8000"; + prefix = "/dashboard"; + }; + alertmanager = { + interval = "15s"; + servers = [ + { + name = "prod"; + uri = "http://alertmanager.example.com"; + } + ]; + }; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.karma = { + description = "Alert dashboard for Prometheus Alertmanager"; + wantedBy = [ "multi-user.target" ]; + environment = cfg.environment; + serviceConfig = { + Type = "simple"; + DynamicUser = true; + Restart = "on-failure"; + ExecStart = "${pkgs.karma}/bin/karma --config.file ${cfg.configFile} ${concatStringsSep " " cfg.extraOptions}"; + }; + }; + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.listen.port ]; + }; +} diff --git a/nixos/modules/services/monitoring/parsedmarc.nix b/nixos/modules/services/monitoring/parsedmarc.nix index 7618414d9040f..3540d91fc9f37 100644 --- a/nixos/modules/services/monitoring/parsedmarc.nix +++ b/nixos/modules/services/monitoring/parsedmarc.nix @@ -494,7 +494,7 @@ in Group = "parsedmarc"; DynamicUser = true; RuntimeDirectory = "parsedmarc"; - RuntimeDirectoryMode = 0700; + RuntimeDirectoryMode = "0700"; CapabilityBoundingSet = ""; PrivateDevices = true; PrivateMounts = true; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/kea.nix b/nixos/modules/services/monitoring/prometheus/exporters/kea.nix index 0682f9da4003a..ed33c72f644f3 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/kea.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/kea.nix @@ -35,7 +35,7 @@ in { ${pkgs.prometheus-kea-exporter}/bin/kea-exporter \ --address ${cfg.listenAddress} \ --port ${toString cfg.port} \ - ${concatStringsSep " \\n" cfg.controlSocketPaths} + ${concatStringsSep " " cfg.controlSocketPaths} ''; SupplementaryGroups = [ "kea" ]; RestrictAddressFamilies = [ diff --git a/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix b/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix index 8906c25d50376..df424ede6066b 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix @@ -50,7 +50,7 @@ in { "CAP_SYS_ADMIN" ]; DevicePolicy = "closed"; - DeviceAllow = lib.mkOverride 100 ( + DeviceAllow = lib.mkOverride 50 ( if cfg.devices != [] then cfg.devices else [ @@ -66,10 +66,7 @@ in { ProtectProc = "invisible"; ProcSubset = "pid"; SupplementaryGroups = [ "disk" ]; - SystemCallFilter = [ - "@system-service" - "~@privileged @resources" - ]; + SystemCallFilter = [ "@system-service" "~@privileged" ]; }; }; } diff --git a/nixos/modules/services/monitoring/uptime-kuma.nix b/nixos/modules/services/monitoring/uptime-kuma.nix new file mode 100644 index 0000000000000..3a6091de679d9 --- /dev/null +++ b/nixos/modules/services/monitoring/uptime-kuma.nix @@ -0,0 +1,76 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.uptime-kuma; +in +{ + + options = { + services.uptime-kuma = { + enable = mkEnableOption (mdDoc "Uptime Kuma, this assumes a reverse proxy to be set."); + + package = mkOption { + type = types.package; + example = literalExpression "pkgs.uptime-kuma"; + default = pkgs.uptime-kuma; + defaultText = "pkgs.uptime-kuma"; + description = lib.mdDoc "Uptime Kuma package to use."; + }; + + settings = lib.mkOption { + type = + lib.types.submodule { freeformType = with lib.types; attrsOf str; }; + default = { }; + example = { + PORT = "4000"; + NODE_EXTRA_CA_CERTS = "/etc/ssl/certs/ca-certificates.crt"; + }; + description = lib.mdDoc '' + Additional configuration for Uptime Kuma, see + <https://github.com/louislam/uptime-kuma/wiki/Environment-Variables"> + for supported values. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + + services.uptime-kuma.settings = { + DATA_DIR = "/var/lib/uptime-kuma/"; + NODE_ENV = mkDefault "production"; + }; + + systemd.services.uptime-kuma = { + description = "Uptime Kuma"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + environment = cfg.settings; + serviceConfig = { + Type = "simple"; + StateDirectory = "uptime-kuma"; + DynamicUser = true; + ExecStart = "${cfg.package}/bin/uptime-kuma-server"; + Restart = "on-failure"; + ProtectHome = true; + ProtectSystem = "strict"; + PrivateTmp = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + NoNewPrivileges = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RemoveIPC = true; + PrivateMounts = true; + }; + }; + }; +} + diff --git a/nixos/modules/services/monitoring/vmagent.nix b/nixos/modules/services/monitoring/vmagent.nix new file mode 100644 index 0000000000000..c793bb073199c --- /dev/null +++ b/nixos/modules/services/monitoring/vmagent.nix @@ -0,0 +1,100 @@ +{ config, pkgs, lib, ... }: +with lib; +let + cfg = config.services.vmagent; + settingsFormat = pkgs.formats.json { }; +in { + options.services.vmagent = { + enable = mkEnableOption (lib.mdDoc "vmagent"); + + user = mkOption { + default = "vmagent"; + type = types.str; + description = lib.mdDoc '' + User account under which vmagent runs. + ''; + }; + + group = mkOption { + type = types.str; + default = "vmagent"; + description = lib.mdDoc '' + Group under which vmagent runs. + ''; + }; + + package = mkOption { + default = pkgs.vmagent; + defaultText = lib.literalMD "pkgs.vmagent"; + type = types.package; + description = lib.mdDoc '' + vmagent package to use. + ''; + }; + + dataDir = mkOption { + type = types.str; + default = "/var/lib/vmagent"; + description = lib.mdDoc '' + The directory where vmagent stores its data files. + ''; + }; + + remoteWriteUrl = mkOption { + default = "http://localhost:8428/api/v1/write"; + type = types.str; + description = lib.mdDoc '' + The storage endpoint such as VictoriaMetrics + ''; + }; + + prometheusConfig = mkOption { + type = lib.types.submodule { freeformType = settingsFormat.type; }; + description = lib.mdDoc '' + Config for prometheus style metrics + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to open the firewall for the default ports. + ''; + }; + }; + + config = mkIf cfg.enable { + users.groups = mkIf (cfg.group == "vmagent") { vmagent = { }; }; + + users.users = mkIf (cfg.user == "vmagent") { + vmagent = { + group = cfg.group; + description = "vmagent daemon user"; + home = cfg.dataDir; + isSystemUser = true; + }; + }; + + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ 8429 ]; + + systemd.services.vmagent = let + prometheusConfig = settingsFormat.generate "prometheusConfig.yaml" cfg.prometheusConfig; + in { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + description = "vmagent system service"; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + Type = "simple"; + Restart = "on-failure"; + WorkingDirectory = cfg.dataDir; + ExecStart = "${cfg.package}/bin/vmagent -remoteWrite.url=${cfg.remoteWriteUrl} -promscrape.config=${prometheusConfig}"; + }; + }; + + systemd.tmpfiles.rules = + [ "d '${cfg.dataDir}' 0755 ${cfg.user} ${cfg.group} -" ]; + }; +} diff --git a/nixos/modules/services/network-filesystems/kubo.nix b/nixos/modules/services/network-filesystems/kubo.nix index 9942e4e41ad64..51e1282db4189 100644 --- a/nixos/modules/services/network-filesystems/kubo.nix +++ b/nixos/modules/services/network-filesystems/kubo.nix @@ -3,6 +3,8 @@ with lib; let cfg = config.services.kubo; + settingsFormat = pkgs.formats.json {}; + kuboFlags = utils.escapeSystemdExecArgs ( optional cfg.autoMount "--mount" ++ optional cfg.enableGC "--enable-gc" ++ @@ -117,29 +119,6 @@ in description = lib.mdDoc "Where to mount the IPNS namespace to"; }; - gatewayAddress = mkOption { - type = types.str; - default = "/ip4/127.0.0.1/tcp/8080"; - description = lib.mdDoc "Where the IPFS Gateway can be reached"; - }; - - apiAddress = mkOption { - type = types.str; - default = "/ip4/127.0.0.1/tcp/5001"; - description = lib.mdDoc "Where Kubo exposes its API to"; - }; - - swarmAddress = mkOption { - type = types.listOf types.str; - default = [ - "/ip4/0.0.0.0/tcp/4001" - "/ip6/::/tcp/4001" - "/ip4/0.0.0.0/udp/4001/quic" - "/ip6/::/udp/4001/quic" - ]; - description = lib.mdDoc "Where Kubo listens for incoming p2p connections"; - }; - enableGC = mkOption { type = types.bool; default = false; @@ -152,11 +131,38 @@ in description = lib.mdDoc "If set to true, the repo won't be initialized with help files"; }; - extraConfig = mkOption { - type = types.attrs; + settings = mkOption { + type = lib.types.submodule { + freeformType = settingsFormat.type; + + options = { + Addresses.API = mkOption { + type = types.str; + default = "/ip4/127.0.0.1/tcp/5001"; + description = lib.mdDoc "Where Kubo exposes its API to"; + }; + + Addresses.Gateway = mkOption { + type = types.str; + default = "/ip4/127.0.0.1/tcp/8080"; + description = lib.mdDoc "Where the IPFS Gateway can be reached"; + }; + + Addresses.Swarm = mkOption { + type = types.listOf types.str; + default = [ + "/ip4/0.0.0.0/tcp/4001" + "/ip6/::/tcp/4001" + "/ip4/0.0.0.0/udp/4001/quic" + "/ip6/::/udp/4001/quic" + ]; + description = lib.mdDoc "Where Kubo listens for incoming p2p connections"; + }; + }; + }; description = lib.mdDoc '' Attrset of daemon configuration to set using {command}`ipfs config`, every time the daemon starts. - These are applied last, so may override configuration set by other options in this module. + See [https://github.com/ipfs/kubo/blob/master/docs/config.md](https://github.com/ipfs/kubo/blob/master/docs/config.md) for reference. Keep in mind that this configuration is stateful; i.e., unsetting anything in here does not reset the value to the default! ''; default = { }; @@ -244,6 +250,12 @@ in then [ cfg.package.systemd_unit ] else [ cfg.package.systemd_unit_hardened ]; + services.kubo.settings = mkIf cfg.autoMount { + Mounts.FuseAllowOther = lib.mkDefault true; + Mounts.IPFS = lib.mkDefault cfg.ipfsMountDir; + Mounts.IPNS = lib.mkDefault cfg.ipnsMountDir; + }; + systemd.services.ipfs = { path = [ "/run/wrappers" cfg.package ]; environment.IPFS_PATH = cfg.dataDir; @@ -259,22 +271,10 @@ in '' + '' ipfs --offline config profile apply ${profile} >/dev/null fi - '' + optionalString cfg.autoMount '' - ipfs --offline config Mounts.FuseAllowOther --json true - ipfs --offline config Mounts.IPFS ${cfg.ipfsMountDir} - ipfs --offline config Mounts.IPNS ${cfg.ipnsMountDir} '' + '' ipfs --offline config show \ - | ${pkgs.jq}/bin/jq '. * $extraConfig' --argjson extraConfig ${ - escapeShellArg (builtins.toJSON ( - recursiveUpdate - { - Addresses.API = cfg.apiAddress; - Addresses.Gateway = cfg.gatewayAddress; - Addresses.Swarm = cfg.swarmAddress; - } - cfg.extraConfig - )) + | ${pkgs.jq}/bin/jq '. * $settings' --argjson settings ${ + escapeShellArg (builtins.toJSON cfg.settings) } \ | ipfs --offline config replace - ''; @@ -294,12 +294,12 @@ in socketConfig = { ListenStream = let - fromCfg = multiaddrToListenStream cfg.gatewayAddress; + fromCfg = multiaddrToListenStream cfg.settings.Addresses.Gateway; in [ "" ] ++ lib.optional (fromCfg != null) fromCfg; ListenDatagram = let - fromCfg = multiaddrToListenDatagram cfg.gatewayAddress; + fromCfg = multiaddrToListenDatagram cfg.settings.Addresses.Gateway; in [ "" ] ++ lib.optional (fromCfg != null) fromCfg; }; @@ -311,7 +311,7 @@ in # in the multiaddr. socketConfig.ListenStream = let - fromCfg = multiaddrToListenStream cfg.apiAddress; + fromCfg = multiaddrToListenStream cfg.settings.Addresses.API; in [ "" "%t/ipfs.sock" ] ++ lib.optional (fromCfg != null) fromCfg; }; @@ -332,15 +332,19 @@ in (mkRenamedOptionModule [ "services" "ipfs" "autoMigrate" ] [ "services" "kubo" "autoMigrate" ]) (mkRenamedOptionModule [ "services" "ipfs" "ipfsMountDir" ] [ "services" "kubo" "ipfsMountDir" ]) (mkRenamedOptionModule [ "services" "ipfs" "ipnsMountDir" ] [ "services" "kubo" "ipnsMountDir" ]) - (mkRenamedOptionModule [ "services" "ipfs" "gatewayAddress" ] [ "services" "kubo" "gatewayAddress" ]) - (mkRenamedOptionModule [ "services" "ipfs" "apiAddress" ] [ "services" "kubo" "apiAddress" ]) - (mkRenamedOptionModule [ "services" "ipfs" "swarmAddress" ] [ "services" "kubo" "swarmAddress" ]) + (mkRenamedOptionModule [ "services" "ipfs" "gatewayAddress" ] [ "services" "kubo" "settings" "Addresses" "Gateway" ]) + (mkRenamedOptionModule [ "services" "ipfs" "apiAddress" ] [ "services" "kubo" "settings" "Addresses" "API" ]) + (mkRenamedOptionModule [ "services" "ipfs" "swarmAddress" ] [ "services" "kubo" "settings" "Addresses" "Swarm" ]) (mkRenamedOptionModule [ "services" "ipfs" "enableGC" ] [ "services" "kubo" "enableGC" ]) (mkRenamedOptionModule [ "services" "ipfs" "emptyRepo" ] [ "services" "kubo" "emptyRepo" ]) - (mkRenamedOptionModule [ "services" "ipfs" "extraConfig" ] [ "services" "kubo" "extraConfig" ]) + (mkRenamedOptionModule [ "services" "ipfs" "extraConfig" ] [ "services" "kubo" "settings" ]) (mkRenamedOptionModule [ "services" "ipfs" "extraFlags" ] [ "services" "kubo" "extraFlags" ]) (mkRenamedOptionModule [ "services" "ipfs" "localDiscovery" ] [ "services" "kubo" "localDiscovery" ]) (mkRenamedOptionModule [ "services" "ipfs" "serviceFdlimit" ] [ "services" "kubo" "serviceFdlimit" ]) (mkRenamedOptionModule [ "services" "ipfs" "startWhenNeeded" ] [ "services" "kubo" "startWhenNeeded" ]) + (mkRenamedOptionModule [ "services" "kubo" "extraConfig" ] [ "services" "kubo" "settings" ]) + (mkRenamedOptionModule [ "services" "kubo" "gatewayAddress" ] [ "services" "kubo" "settings" "Addresses" "Gateway" ]) + (mkRenamedOptionModule [ "services" "kubo" "apiAddress" ] [ "services" "kubo" "settings" "Addresses" "API" ]) + (mkRenamedOptionModule [ "services" "kubo" "swarmAddress" ] [ "services" "kubo" "settings" "Addresses" "Swarm" ]) ]; } diff --git a/nixos/modules/services/network-filesystems/litestream/litestream.xml b/nixos/modules/services/network-filesystems/litestream/litestream.xml index 598f9be8cf632..8f5597bb6891e 100644 --- a/nixos/modules/services/network-filesystems/litestream/litestream.xml +++ b/nixos/modules/services/network-filesystems/litestream/litestream.xml @@ -15,7 +15,7 @@ <para> Litestream service is managed by a dedicated user named <literal>litestream</literal> which needs permission to the database file. Here's an example config which gives - required permissions to access <link linkend="opt-services.grafana.database.path"> + required permissions to access <link linkend="opt-services.grafana.settings.database.path"> grafana database</link>: <programlisting> { pkgs, ... }: diff --git a/nixos/modules/services/networking/adguardhome.nix b/nixos/modules/services/networking/adguardhome.nix index 13b6f6efcd6d1..eaeaeaeb6a7f2 100644 --- a/nixos/modules/services/networking/adguardhome.nix +++ b/nixos/modules/services/networking/adguardhome.nix @@ -12,36 +12,25 @@ let "--config /var/lib/AdGuardHome/AdGuardHome.yaml" ] ++ cfg.extraArgs); - baseConfig = { - bind_host = cfg.host; - bind_port = cfg.port; - }; - configFile = pkgs.writeTextFile { name = "AdGuardHome.yaml"; - text = builtins.toJSON (recursiveUpdate cfg.settings baseConfig); + text = builtins.toJSON cfg.settings; checkPhase = "${pkgs.adguardhome}/bin/adguardhome -c $out --check-config"; }; -in { - options.services.adguardhome = with types; { - enable = mkEnableOption (lib.mdDoc "AdGuard Home network-wide ad blocker"); +in +{ - host = mkOption { - default = "0.0.0.0"; - type = str; - description = lib.mdDoc '' - Host address to bind HTTP server to. - ''; - }; + imports = + let cfgPath = [ "services" "adguardhome" ]; + in + [ + (mkRenamedOptionModuleWith { sinceRelease = 2211; from = cfgPath ++ [ "host" ]; to = cfgPath ++ [ "settings" "bind_host" ]; }) + (mkRenamedOptionModuleWith { sinceRelease = 2211; from = cfgPath ++ [ "port" ]; to = cfgPath ++ [ "settings" "bind_port" ]; }) + ]; - port = mkOption { - default = 3000; - type = port; - description = lib.mdDoc '' - Port to serve HTTP pages on. - ''; - }; + options.services.adguardhome = with types; { + enable = mkEnableOption (lib.mdDoc "AdGuard Home network-wide ad blocker"); openFirewall = mkOption { default = false; @@ -62,8 +51,35 @@ in { }; settings = mkOption { - type = (pkgs.formats.yaml { }).type; default = { }; + type = submodule { + freeformType = (pkgs.formats.yaml { }).type; + options = { + schema_version = mkOption { + default = pkgs.adguardhome.schema_version; + defaultText = literalExpression "pkgs.adguardhome.schema_version"; + type = int; + description = lib.mdDoc '' + Schema version for the configuration. + Defaults to the `schema_version` supplied by `pkgs.adguardhome`. + ''; + }; + bind_host = mkOption { + default = "0.0.0.0"; + type = str; + description = lib.mdDoc '' + Host address to bind HTTP server to. + ''; + }; + bind_port = mkOption { + default = 3000; + type = port; + description = lib.mdDoc '' + Port to serve HTTP pages on. + ''; + }; + }; + }; description = lib.mdDoc '' AdGuard Home configuration. Refer to <https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#configuration-file> @@ -135,6 +151,6 @@ in { }; }; - networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.bind_port ]; }; } diff --git a/nixos/modules/services/networking/bitcoind.nix b/nixos/modules/services/networking/bitcoind.nix index e8b0fb65ffcf8..6df809a8b7648 100644 --- a/nixos/modules/services/networking/bitcoind.nix +++ b/nixos/modules/services/networking/bitcoind.nix @@ -204,7 +204,7 @@ in ''; in { description = "Bitcoin daemon"; - after = [ "network.target" ]; + after = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { User = cfg.user; diff --git a/nixos/modules/services/networking/croc.nix b/nixos/modules/services/networking/croc.nix index d3902611a625a..45bfd447da454 100644 --- a/nixos/modules/services/networking/croc.nix +++ b/nixos/modules/services/networking/croc.nix @@ -72,7 +72,7 @@ in RuntimeDirectoryMode = "700"; SystemCallFilter = [ "@system-service" - "~@aio" "~@keyring" "~@memlock" "~@privileged" "~@resources" "~@setuid" "~@sync" "~@timer" + "~@aio" "~@keyring" "~@memlock" "~@privileged" "~@setuid" "~@sync" "~@timer" ]; SystemCallArchitectures = "native"; SystemCallErrorNumber = "EPERM"; diff --git a/nixos/modules/services/networking/dnscrypt-proxy2.nix b/nixos/modules/services/networking/dnscrypt-proxy2.nix index 99ff5ee0bd8f9..de1ca0d2f2061 100644 --- a/nixos/modules/services/networking/dnscrypt-proxy2.nix +++ b/nixos/modules/services/networking/dnscrypt-proxy2.nix @@ -111,7 +111,6 @@ in "~@aio" "~@keyring" "~@memlock" - "~@resources" "~@setuid" "~@timer" ]; diff --git a/nixos/modules/services/networking/hostapd.nix b/nixos/modules/services/networking/hostapd.nix index ec1a7a58b1e09..63bb44256dd69 100644 --- a/nixos/modules/services/networking/hostapd.nix +++ b/nixos/modules/services/networking/hostapd.nix @@ -199,7 +199,7 @@ in environment.systemPackages = [ pkgs.hostapd ]; - services.udev.packages = optional (cfg.countryCode != null) [ pkgs.crda ]; + services.udev.packages = optionals (cfg.countryCode != null) [ pkgs.crda ]; systemd.services.hostapd = { description = "hostapd wireless AP"; diff --git a/nixos/modules/services/networking/iwd.nix b/nixos/modules/services/networking/iwd.nix index a9908b01a58a0..993a603c1ed5c 100644 --- a/nixos/modules/services/networking/iwd.nix +++ b/nixos/modules/services/networking/iwd.nix @@ -19,6 +19,15 @@ in options.networking.wireless.iwd = { enable = mkEnableOption (lib.mdDoc "iwd"); + package = mkOption { + type = types.package; + default = pkgs.iwd; + defaultText = lib.literalExpression "pkgs.iwd"; + description = lib.mdDoc '' + The iwd package to use. + ''; + }; + settings = mkOption { type = ini.type; default = { }; @@ -50,11 +59,11 @@ in environment.etc."iwd/${configFile.name}".source = configFile; # for iwctl - environment.systemPackages = [ pkgs.iwd ]; + environment.systemPackages = [ cfg.package ]; - services.dbus.packages = [ pkgs.iwd ]; + services.dbus.packages = [ cfg.package ]; - systemd.packages = [ pkgs.iwd ]; + systemd.packages = [ cfg.package ]; systemd.network.links."80-iwd" = { matchConfig.Type = "wlan"; diff --git a/nixos/modules/services/networking/jibri/default.nix b/nixos/modules/services/networking/jibri/default.nix index 6925ac55840ec..a931831fc2814 100644 --- a/nixos/modules/services/networking/jibri/default.nix +++ b/nixos/modules/services/networking/jibri/default.nix @@ -378,7 +378,7 @@ in '') cfg.xmppEnvironments)) + '' - ${pkgs.jre8_headless}/bin/java -Djava.util.logging.config.file=${./logging.properties-journal} -Dconfig.file=${configFile} -jar ${pkgs.jibri}/opt/jitsi/jibri/jibri.jar --config /var/lib/jibri/jibri.json + ${pkgs.jdk11_headless}/bin/java -Djava.util.logging.config.file=${./logging.properties-journal} -Dconfig.file=${configFile} -jar ${pkgs.jibri}/opt/jitsi/jibri/jibri.jar --config /var/lib/jibri/jibri.json ''; environment.HOME = "/var/lib/jibri"; diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix index 5ada92adc9b53..6543eb34b4b26 100644 --- a/nixos/modules/services/networking/mosquitto.nix +++ b/nixos/modules/services/networking/mosquitto.nix @@ -56,8 +56,10 @@ let default = null; description = mdDoc '' Specifies the hashed password for the MQTT User. - To generate hashed password install `mosquitto` - package and use `mosquitto_passwd`. + To generate hashed password install the `mosquitto` + package and use `mosquitto_passwd`, then extract + the second field (after the `:`) from the generated + file. ''; }; @@ -68,8 +70,9 @@ let description = mdDoc '' Specifies the path to a file containing the hashed password for the MQTT user. - To generate hashed password install `mosquitto` - package and use `mosquitto_passwd`. + To generate hashed password install the `mosquitto` + package and use `mosquitto_passwd`, then remove the + `username:` prefix from the generated file. ''; }; diff --git a/nixos/modules/services/networking/mullvad-vpn.nix b/nixos/modules/services/networking/mullvad-vpn.nix index 42d55056084db..7eb3761aad37b 100644 --- a/nixos/modules/services/networking/mullvad-vpn.nix +++ b/nixos/modules/services/networking/mullvad-vpn.nix @@ -4,13 +4,24 @@ let in with lib; { - options.services.mullvad-vpn.enable = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - This option enables Mullvad VPN daemon. - This sets {option}`networking.firewall.checkReversePath` to "loose", which might be undesirable for security. - ''; + options.services.mullvad-vpn = { + enable = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + This option enables Mullvad VPN daemon. + This sets {option}`networking.firewall.checkReversePath` to "loose", which might be undesirable for security. + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.mullvad; + defaultText = literalExpression "pkgs.mullvad"; + description = lib.mdDoc '' + The Mullvad package to use. `pkgs.mullvad` only provides the CLI tool, `pkgs.mullvad-vpn` provides both the CLI and the GUI. + ''; + }; }; config = mkIf cfg.enable { @@ -39,12 +50,12 @@ with lib; startLimitBurst = 5; startLimitIntervalSec = 20; serviceConfig = { - ExecStart = "${pkgs.mullvad}/bin/mullvad-daemon -v --disable-stdout-timestamps"; + ExecStart = "${cfg.package}/bin/mullvad-daemon -v --disable-stdout-timestamps"; Restart = "always"; RestartSec = 1; }; }; }; - meta.maintainers = with maintainers; [ ymarkus ]; + meta.maintainers = with maintainers; [ patricksjackson ymarkus ]; } diff --git a/nixos/modules/services/networking/nats.nix b/nixos/modules/services/networking/nats.nix index dd732d2a9fca4..6c21e21b5cb88 100644 --- a/nixos/modules/services/networking/nats.nix +++ b/nixos/modules/services/networking/nats.nix @@ -137,7 +137,7 @@ in { RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; - SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + SystemCallFilter = [ "@system-service" "~@privileged" ]; UMask = "0077"; } ]; diff --git a/nixos/modules/services/networking/ntp/chrony.nix b/nixos/modules/services/networking/ntp/chrony.nix index a89c7769152e6..7e3bb565d10bf 100644 --- a/nixos/modules/services/networking/ntp/chrony.nix +++ b/nixos/modules/services/networking/ntp/chrony.nix @@ -27,7 +27,7 @@ let ${cfg.extraConfig} ''; - chronyFlags = "-n -m -u chrony -f ${configFile} ${toString cfg.extraFlags}"; + chronyFlags = [ "-n" "-m" "-u" "chrony" "-f" "${configFile}" ] ++ cfg.extraFlags; in { options = { @@ -166,7 +166,7 @@ in unitConfig.ConditionCapability = "CAP_SYS_TIME"; serviceConfig = { Type = "simple"; - ExecStart = "${chronyPkg}/bin/chronyd ${chronyFlags}"; + ExecStart = "${chronyPkg}/bin/chronyd ${builtins.toString chronyFlags}"; ProtectHome = "yes"; ProtectSystem = "full"; diff --git a/nixos/modules/services/networking/ntp/ntpd.nix b/nixos/modules/services/networking/ntp/ntpd.nix index a9dae2c8667aa..036a8df635db0 100644 --- a/nixos/modules/services/networking/ntp/ntpd.nix +++ b/nixos/modules/services/networking/ntp/ntpd.nix @@ -25,7 +25,7 @@ let ${cfg.extraConfig} ''; - ntpFlags = "-c ${configFile} -u ntp:ntp ${toString cfg.extraFlags}"; + ntpFlags = [ "-c" "${configFile}" "-u" "ntp:ntp" ] ++ cfg.extraFlags; in @@ -137,7 +137,7 @@ in ''; serviceConfig = { - ExecStart = "@${ntp}/bin/ntpd ntpd -g ${ntpFlags}"; + ExecStart = "@${ntp}/bin/ntpd ntpd -g ${builtins.toString ntpFlags}"; Type = "forking"; }; }; diff --git a/nixos/modules/services/networking/smokeping.nix b/nixos/modules/services/networking/smokeping.nix index df4f8905ec6f8..3a5fb7dfb9e24 100644 --- a/nixos/modules/services/networking/smokeping.nix +++ b/nixos/modules/services/networking/smokeping.nix @@ -318,6 +318,17 @@ in description = "smokeping daemon user"; home = smokepingHome; createHome = true; + # When `cfg.webService` is enabled, `thttpd` makes SmokePing available + # under `${cfg.host}:${cfg.port}/smokeping.fcgi` as per the `ln -s` below. + # We also want that going to `${cfg.host}:${cfg.port}` without `smokeping.fcgi` + # makes it easy for the user to find SmokePing. + # However `thttpd` does not seem to support easy redirections from `/` to `smokeping.fcgi` + # and only allows directory listings or `/` -> `index.html` resolution if the directory + # has `chmod 755` (see https://acme.com/software/thttpd/thttpd_man.html#PERMISSIONS, + # " directories should be 755 if you want to allow indexing"). + # Otherwise it shows `403 Forbidden` on `/`. + # Thus, we need to make `smokepingHome` (which is given to `thttpd -d` below) `755`. + homeMode = "755"; }; users.groups.${cfg.user} = {}; systemd.services.smokeping = { diff --git a/nixos/modules/services/networking/snowflake-proxy.nix b/nixos/modules/services/networking/snowflake-proxy.nix index 7299db7a53e82..ca015ed9d44bc 100644 --- a/nixos/modules/services/networking/snowflake-proxy.nix +++ b/nixos/modules/services/networking/snowflake-proxy.nix @@ -71,7 +71,7 @@ in RestrictNamespaces = true; RestrictRealtime = true; SystemCallArchitectures = "native"; - SystemCallFilter = "~@clock @cpu-emulation @debug @mount @obsolete @reboot @swap @privileged @resources"; + SystemCallFilter = [ "@system-service" "~@privileged" ]; UMask = "0077"; }; }; diff --git a/nixos/modules/services/networking/syncthing.nix b/nixos/modules/services/networking/syncthing.nix index 0876007a6e732..ea87e5695f87a 100644 --- a/nixos/modules/services/networking/syncthing.nix +++ b/nixos/modules/services/networking/syncthing.nix @@ -55,8 +55,8 @@ let # generate the new config by merging with the NixOS config options new_cfg=$(printf '%s\n' "$old_cfg" | ${pkgs.jq}/bin/jq -c '. * { - "devices": (${builtins.toJSON devices}${optionalString (! cfg.overrideDevices) " + .devices"}), - "folders": (${builtins.toJSON folders}${optionalString (! cfg.overrideFolders) " + .folders"}) + "devices": (${builtins.toJSON devices}${optionalString (cfg.devices == {} || ! cfg.overrideDevices) " + .devices"}), + "folders": (${builtins.toJSON folders}${optionalString (cfg.folders == {} || ! cfg.overrideFolders) " + .folders"}) } * ${builtins.toJSON cfg.extraOptions}') # send the new config diff --git a/nixos/modules/services/networking/vdirsyncer.nix b/nixos/modules/services/networking/vdirsyncer.nix new file mode 100644 index 0000000000000..6a069943434da --- /dev/null +++ b/nixos/modules/services/networking/vdirsyncer.nix @@ -0,0 +1,214 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.vdirsyncer; + + toIniJson = with generators; toINI { + mkKeyValue = mkKeyValueDefault { + mkValueString = builtins.toJSON; + } "="; + }; + + toConfigFile = name: cfg': + if + cfg'.configFile != null + then + cfg'.configFile + else + pkgs.writeText "vdirsyncer-${name}.conf" (toIniJson ( + { + general = cfg'.config.general // (lib.optionalAttrs (cfg'.config.statusPath == null) { + status_path = "/var/lib/vdirsyncer/${name}"; + }); + } // ( + mapAttrs' (name: nameValuePair "pair ${name}") cfg'.config.pairs + ) // ( + mapAttrs' (name: nameValuePair "storage ${name}") cfg'.config.storages + ) + )); + + userUnitConfig = name: cfg': { + serviceConfig = { + User = if cfg'.user == null then "vdirsyncer" else cfg'.user; + Group = if cfg'.group == null then "vdirsyncer" else cfg'.group; + } // (optionalAttrs (cfg'.user == null) { + DynamicUser = true; + }) // (optionalAttrs (cfg'.additionalGroups != []) { + SupplementaryGroups = cfg'.additionalGroups; + }) // (optionalAttrs (cfg'.config.statusPath == null) { + StateDirectory = "vdirsyncer/${name}"; + StateDirectoryMode = "0700"; + }); + }; + + commonUnitConfig = { + after = [ "network.target" ]; + serviceConfig = { + Type = "oneshot"; + # Sandboxing + PrivateTmp = true; + NoNewPrivileges = true; + ProtectSystem = "strict"; + ProtectHome = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + RestrictNamespaces = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RestrictAddressFamilies = "AF_INET AF_INET6"; + LockPersonality = true; + }; + }; + +in +{ + options = { + services.vdirsyncer = { + enable = mkEnableOption (mdDoc "vdirsyncer"); + + package = mkPackageOption pkgs "vdirsyncer" {}; + + jobs = mkOption { + description = mdDoc "vdirsyncer job configurations"; + type = types.attrsOf (types.submodule { + options = { + enable = (mkEnableOption (mdDoc "this vdirsyncer job")) // { + default = true; + example = false; + }; + + user = mkOption { + type = types.nullOr types.str; + default = null; + description = mdDoc '' + User account to run vdirsyncer as, otherwise as a systemd + dynamic user + ''; + }; + + group = mkOption { + type = types.nullOr types.str; + default = null; + description = mdDoc "group to run vdirsyncer as"; + }; + + additionalGroups = mkOption { + type = types.listOf types.str; + default = []; + description = mdDoc "additional groups to add the dynamic user to"; + }; + + forceDiscover = mkOption { + type = types.bool; + default = false; + description = mdDoc '' + Run `yes | vdirsyncer discover` prior to `vdirsyncer sync` + ''; + }; + + timerConfig = mkOption { + type = types.attrs; + default = { + OnBootSec = "1h"; + OnUnitActiveSec = "6h"; + }; + description = mdDoc "systemd timer configuration"; + }; + + configFile = mkOption { + type = types.nullOr types.path; + default = null; + description = mdDoc "existing configuration file"; + }; + + config = { + statusPath = mkOption { + type = types.nullOr types.str; + default = null; + defaultText = literalExpression "/var/lib/vdirsyncer/\${attrName}"; + description = mdDoc "vdirsyncer's status path"; + }; + + general = mkOption { + type = types.attrs; + default = {}; + description = mdDoc "general configuration"; + }; + + pairs = mkOption { + type = types.attrsOf types.attrs; + default = {}; + description = mdDoc "vdirsyncer pair configurations"; + example = literalExpression '' + { + my_contacts = { + a = "my_cloud_contacts"; + b = "my_local_contacts"; + collections = [ "from a" ]; + conflict_resolution = "a wins"; + metadata = [ "color" "displayname" ]; + }; + }; + ''; + }; + + storages = mkOption { + type = types.attrsOf types.attrs; + default = {}; + description = mdDoc "vdirsyncer storage configurations"; + example = literalExpression '' + { + my_cloud_contacts = { + type = "carddav"; + url = "https://dav.example.com/"; + read_only = true; + username = "user"; + "password.fetch" = [ "command" "cat" "/etc/vdirsyncer/cloud.passwd" ]; + }; + my_local_contacts = { + type = "carddav"; + url = "https://localhost/"; + username = "user"; + "password.fetch" = [ "command" "cat" "/etc/vdirsyncer/local.passwd" ]; + }; + } + ''; + }; + }; + }; + }); + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services = mapAttrs' (name: cfg': nameValuePair "vdirsyncer@${name}" ( + foldr recursiveUpdate {} [ + commonUnitConfig + (userUnitConfig name cfg') + { + description = "synchronize calendars and contacts (${name})"; + environment.VDIRSYNCER_CONFIG = toConfigFile name cfg'; + serviceConfig.ExecStart = + (optional cfg'.forceDiscover ( + pkgs.writeShellScript "vdirsyncer-discover-yes" '' + set -e + yes | ${cfg.package}/bin/vdirsyncer discover + '' + )) ++ [ "${cfg.package}/bin/vdirsyncer sync" ]; + } + ] + )) (filterAttrs (name: cfg': cfg'.enable) cfg.jobs); + + systemd.timers = mapAttrs' (name: cfg': nameValuePair "vdirsyncer@${name}" { + wantedBy = [ "timers.target" ]; + description = "synchronize calendars and contacts (${name})"; + inherit (cfg') timerConfig; + }) cfg.jobs; + }; +} diff --git a/nixos/modules/services/networking/xray.nix b/nixos/modules/services/networking/xray.nix new file mode 100644 index 0000000000000..e2fd83c4dfd9b --- /dev/null +++ b/nixos/modules/services/networking/xray.nix @@ -0,0 +1,96 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + options = { + + services.xray = { + enable = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to run xray server. + + Either `settingsFile` or `settings` must be specified. + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.xray; + defaultText = literalExpression "pkgs.xray"; + description = lib.mdDoc '' + Which xray package to use. + ''; + }; + + settingsFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/etc/xray/config.json"; + description = lib.mdDoc '' + The absolute path to the configuration file. + + Either `settingsFile` or `settings` must be specified. + + See <https://www.v2fly.org/en_US/config/overview.html>. + ''; + }; + + settings = mkOption { + type = types.nullOr (types.attrsOf types.unspecified); + default = null; + example = { + inbounds = [{ + port = 1080; + listen = "127.0.0.1"; + protocol = "http"; + }]; + outbounds = [{ + protocol = "freedom"; + }]; + }; + description = lib.mdDoc '' + The configuration object. + + Either `settingsFile` or `settings` must be specified. + + See <https://www.v2fly.org/en_US/config/overview.html>. + ''; + }; + }; + + }; + + config = let + cfg = config.services.xray; + settingsFile = if cfg.settingsFile != null + then cfg.settingsFile + else pkgs.writeTextFile { + name = "xray.json"; + text = builtins.toJSON cfg.settings; + checkPhase = '' + ${cfg.package}/bin/xray -test -config $out + ''; + }; + + in mkIf cfg.enable { + assertions = [ + { + assertion = (cfg.settingsFile == null) != (cfg.settings == null); + message = "Either but not both `settingsFile` and `settings` should be specified for xray."; + } + ]; + + systemd.services.xray = { + description = "xray Daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + DynamicUser = true; + ExecStart = "${cfg.package}/bin/xray -config ${settingsFile}"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/yggdrasil.nix b/nixos/modules/services/networking/yggdrasil.nix index e56f169d05ebf..3d5cbdd2dc3ed 100644 --- a/nixos/modules/services/networking/yggdrasil.nix +++ b/nixos/modules/services/networking/yggdrasil.nix @@ -180,7 +180,7 @@ in { RestrictNamespaces = true; RestrictRealtime = true; SystemCallArchitectures = "native"; - SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources"; + SystemCallFilter = [ "@system-service" "~@privileged @keyring" ]; } // (if (cfg.group != null) then { Group = cfg.group; } else {}); diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix index fea7ffb673ca0..ae59dcc226de8 100644 --- a/nixos/modules/services/printing/cupsd.nix +++ b/nixos/modules/services/printing/cupsd.nix @@ -134,6 +134,15 @@ in ''; }; + stateless = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + If set, all state directories relating to CUPS will be removed on + startup of the service. + ''; + }; + startWhenNeeded = mkOption { type = types.bool; default = true; @@ -343,8 +352,9 @@ in path = [ cups.out ]; - preStart = - '' + preStart = lib.optionalString cfg.stateless '' + rm -rf /var/cache/cups /var/lib/cups /var/spool/cups + '' + '' mkdir -m 0700 -p /var/cache/cups mkdir -m 0700 -p /var/spool/cups mkdir -m 0755 -p ${cfg.tempDir} diff --git a/nixos/modules/services/search/hound.nix b/nixos/modules/services/search/hound.nix index c81ceee546965..b41a2e2bae1fa 100644 --- a/nixos/modules/services/search/hound.nix +++ b/nixos/modules/services/search/hound.nix @@ -120,7 +120,6 @@ in { " -conf ${pkgs.writeText "hound.json" cfg.config}"; }; - path = [ pkgs.git pkgs.mercurial pkgs.openssh ]; }; }; diff --git a/nixos/modules/services/security/endlessh-go.nix b/nixos/modules/services/security/endlessh-go.nix index 61cca55317394..6557ec953cd86 100644 --- a/nixos/modules/services/security/endlessh-go.nix +++ b/nixos/modules/services/security/endlessh-go.nix @@ -126,7 +126,7 @@ in RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; - SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ]; + SystemCallFilter = [ "@system-service" "~@privileged" ]; }; }; diff --git a/nixos/modules/services/security/endlessh.nix b/nixos/modules/services/security/endlessh.nix new file mode 100644 index 0000000000000..e99b4dadcd581 --- /dev/null +++ b/nixos/modules/services/security/endlessh.nix @@ -0,0 +1,99 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.endlessh; +in +{ + options.services.endlessh = { + enable = mkEnableOption (mdDoc "endlessh service"); + + port = mkOption { + type = types.port; + default = 2222; + example = 22; + description = mdDoc '' + Specifies on which port the endlessh daemon listens for SSH + connections. + + Setting this to `22` may conflict with {option}`services.openssh`. + ''; + }; + + extraOptions = mkOption { + type = with types; listOf str; + default = [ ]; + example = [ "-6" "-d 9000" "-v" ]; + description = mdDoc '' + Additional command line options to pass to the endlessh daemon. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to open a firewall port for the SSH listener. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.endlessh = { + description = "SSH tarpit"; + requires = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = + let + needsPrivileges = cfg.port < 1024; + capabilities = [ "" ] ++ optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ]; + rootDirectory = "/run/endlessh"; + in + { + Restart = "always"; + ExecStart = with cfg; concatStringsSep " " ([ + "${pkgs.endlessh}/bin/endlessh" + "-p ${toString port}" + ] ++ extraOptions); + DynamicUser = true; + RootDirectory = rootDirectory; + BindReadOnlyPaths = [ builtins.storeDir ]; + InaccessiblePaths = [ "-+${rootDirectory}" ]; + RuntimeDirectory = baseNameOf rootDirectory; + RuntimeDirectoryMode = "700"; + AmbientCapabilities = capabilities; + CapabilityBoundingSet = capabilities; + UMask = "0077"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = !needsPrivileges; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + ProtectProc = "noaccess"; + ProcSubset = "pid"; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ]; + }; + }; + + networking.firewall.allowedTCPPorts = with cfg; + optionals openFirewall [ port ]; + }; + + meta.maintainers = with maintainers; [ azahi ]; +} diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index 730802d92cfa8..b85b78f269a1d 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix @@ -816,13 +816,13 @@ in always create a container/VM with a separate Tor daemon instance. '' ++ flatten (mapAttrsToList (n: o: - optional (o.settings.HiddenServiceVersion == 2) [ + optionals (o.settings.HiddenServiceVersion == 2) [ (optional (o.settings.HiddenServiceExportCircuitID != null) '' HiddenServiceExportCircuitID is used in the HiddenService: ${n} but this option is only for v3 hidden services. '') ] ++ - optional (o.settings.HiddenServiceVersion != 2) [ + optionals (o.settings.HiddenServiceVersion != 2) [ (optional (o.settings.HiddenServiceAuthorizeClient != null) '' HiddenServiceAuthorizeClient is used in the HiddenService: ${n} but this option is only for v2 hidden services. diff --git a/nixos/modules/services/system/cachix-watch-store.nix b/nixos/modules/services/system/cachix-watch-store.nix new file mode 100644 index 0000000000000..ec73c0bcdcfe5 --- /dev/null +++ b/nixos/modules/services/system/cachix-watch-store.nix @@ -0,0 +1,87 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.cachix-watch-store; +in +{ + meta.maintainers = [ lib.maintainers.jfroche lib.maintainers.domenkozar ]; + + options.services.cachix-watch-store = { + enable = mkEnableOption (lib.mdDoc "Cachix Watch Store: https://docs.cachix.org"); + + cacheName = mkOption { + type = types.str; + description = lib.mdDoc "Cachix binary cache name"; + }; + + cachixTokenFile = mkOption { + type = types.path; + description = lib.mdDoc '' + Required file that needs to contain the cachix auth token. + ''; + }; + + compressionLevel = mkOption { + type = types.nullOr types.int; + description = lib.mdDoc "The compression level for XZ compression (between 0 and 9)"; + default = null; + }; + + jobs = mkOption { + type = types.nullOr types.int; + description = lib.mdDoc "Number of threads used for pushing store paths"; + default = null; + }; + + host = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc "Cachix host to connect to"; + }; + + verbose = mkOption { + type = types.bool; + description = lib.mdDoc "Enable verbose output"; + default = false; + }; + + package = mkOption { + type = types.package; + default = pkgs.cachix; + defaultText = literalExpression "pkgs.cachix"; + description = lib.mdDoc "Cachix Client package to use."; + }; + + }; + + config = mkIf cfg.enable { + systemd.services.cachix-watch-store-agent = { + description = "Cachix watch store Agent"; + after = [ "network-online.target" ]; + path = [ config.nix.package ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + # we don't want to kill children processes as those are deployments + KillMode = "process"; + Restart = "on-failure"; + DynamicUser = true; + LoadCredential = [ + "cachix-token:${toString cfg.cachixTokenFile}" + ]; + }; + script = + let + command = [ "${cfg.package}/bin/cachix" ] + ++ (lib.optional cfg.verbose "--verbose") ++ (lib.optionals (cfg.host != null) [ "--host" cfg.host ]) + ++ [ "watch-store" ] ++ (lib.optionals (cfg.compressionLevel != null) [ "--compression-level" (toString cfg.compressionLevel) ]) + ++ (lib.optionals (cfg.jobs != null) [ "--jobs" (toString cfg.jobs) ]) ++ [ cfg.cacheName ]; + in + '' + export CACHIX_AUTH_TOKEN="$(<"$CREDENTIALS_DIRECTORY/cachix-token")" + ${lib.escapeShellArgs command} + ''; + }; + }; +} diff --git a/nixos/modules/services/system/cloud-init.nix b/nixos/modules/services/system/cloud-init.nix index 95ca5fb48dbae..30b2ca568e12f 100644 --- a/nixos/modules/services/system/cloud-init.nix +++ b/nixos/modules/services/system/cloud-init.nix @@ -81,7 +81,8 @@ in - write-files - growpart - resizefs - - update_etc_hosts + - update_hostname + - resolv_conf - ca-certs - rsyslog - users-groups diff --git a/nixos/modules/services/system/nscd.nix b/nixos/modules/services/system/nscd.nix index 0a59feb706642..fdc5190d084b3 100644 --- a/nixos/modules/services/system/nscd.nix +++ b/nixos/modules/services/system/nscd.nix @@ -27,6 +27,15 @@ in ''; }; + enableNsncd = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to use nsncd instead of nscd. + This is a nscd-compatible daemon, that proxies lookups, without any caching. + ''; + }; + user = mkOption { type = types.str; default = "nscd"; @@ -51,7 +60,8 @@ in package = mkOption { type = types.package; - default = if pkgs.stdenv.hostPlatform.libc == "glibc" + default = + if pkgs.stdenv.hostPlatform.libc == "glibc" then pkgs.stdenv.cc.libc.bin else pkgs.glibc.bin; defaultText = lib.literalExpression '' @@ -59,7 +69,10 @@ in then pkgs.stdenv.cc.libc.bin else pkgs.glibc.bin; ''; - description = lib.mdDoc "package containing the nscd binary to be used by the service"; + description = lib.mdDoc '' + package containing the nscd binary to be used by the service. + Ignored when enableNsncd is set to true. + ''; }; }; @@ -77,10 +90,12 @@ in group = cfg.group; }; - users.groups.${cfg.group} = {}; + users.groups.${cfg.group} = { }; systemd.services.nscd = - { description = "Name Service Cache Daemon"; + { + description = "Name Service Cache Daemon" + + lib.optionalString cfg.enableNsncd " (nsncd)"; before = [ "nss-lookup.target" "nss-user-lookup.target" ]; wants = [ "nss-lookup.target" "nss-user-lookup.target" ]; @@ -89,14 +104,14 @@ in environment = { LD_LIBRARY_PATH = nssModulesPath; }; - restartTriggers = [ + restartTriggers = lib.optionals (!cfg.enableNsncd) ([ config.environment.etc.hosts.source config.environment.etc."nsswitch.conf".source config.environment.etc."nscd.conf".source ] ++ optionals config.users.mysql.enable [ config.environment.etc."libnss-mysql.cfg".source config.environment.etc."libnss-mysql-root.cfg".source - ]; + ]); # In some configurations, nscd needs to be started as root; it will # drop privileges after all the NSS modules have read their @@ -106,8 +121,11 @@ in # sill want to read their configuration files after the privilege drop # and so users can set the owner of those files to the nscd user. serviceConfig = - { ExecStart = "!@${cfg.package}/bin/nscd nscd"; - Type = "forking"; + { + ExecStart = + if cfg.enableNsncd then "${pkgs.nsncd}/bin/nsncd" + else "!@${cfg.package}/bin/nscd nscd"; + Type = if cfg.enableNsncd then "notify" else "forking"; User = cfg.user; Group = cfg.group; RemoveIPC = true; @@ -120,12 +138,12 @@ in PIDFile = "/run/nscd/nscd.pid"; Restart = "always"; ExecReload = - [ "${cfg.package}/bin/nscd --invalidate passwd" + lib.optionals (!cfg.enableNsncd) [ + "${cfg.package}/bin/nscd --invalidate passwd" "${cfg.package}/bin/nscd --invalidate group" "${cfg.package}/bin/nscd --invalidate hosts" ]; }; }; - }; } diff --git a/nixos/modules/services/ttys/getty.nix b/nixos/modules/services/ttys/getty.nix index aec65903cecb9..22ae9c27e5bc6 100644 --- a/nixos/modules/services/ttys/getty.nix +++ b/nixos/modules/services/ttys/getty.nix @@ -146,7 +146,7 @@ in enable = mkDefault config.boot.isContainer; }; - environment.etc.issue = + environment.etc.issue = mkDefault { # Friendly greeting on the virtual consoles. source = pkgs.writeText "issue" '' diff --git a/nixos/modules/services/web-apps/bookstack.nix b/nixos/modules/services/web-apps/bookstack.nix index 3fbccf5400879..eeef77727769b 100644 --- a/nixos/modules/services/web-apps/bookstack.nix +++ b/nixos/modules/services/web-apps/bookstack.nix @@ -372,7 +372,7 @@ in { User = user; WorkingDirectory = "${bookstack}"; RuntimeDirectory = "bookstack/cache"; - RuntimeDirectoryMode = 0700; + RuntimeDirectoryMode = "0700"; }; path = [ pkgs.replace-secret ]; script = diff --git a/nixos/modules/services/web-apps/changedetection-io.nix b/nixos/modules/services/web-apps/changedetection-io.nix new file mode 100644 index 0000000000000..ace4cf1eabc92 --- /dev/null +++ b/nixos/modules/services/web-apps/changedetection-io.nix @@ -0,0 +1,219 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.changedetection-io; +in +{ + options.services.changedetection-io = { + enable = mkEnableOption (lib.mdDoc "changedetection-io"); + + user = mkOption { + default = "changedetection-io"; + type = types.str; + description = lib.mdDoc '' + User account under which changedetection-io runs. + ''; + }; + + group = mkOption { + default = "changedetection-io"; + type = types.str; + description = lib.mdDoc '' + Group account under which changedetection-io runs. + ''; + }; + + listenAddress = mkOption { + type = types.str; + default = "localhost"; + description = lib.mdDoc "Address the server will listen on."; + }; + + port = mkOption { + type = types.port; + default = 5000; + description = lib.mdDoc "Port the server will listen on."; + }; + + datastorePath = mkOption { + type = types.str; + default = "/var/lib/changedetection-io"; + description = lib.mdDoc '' + The directory used to store all data for changedetection-io. + ''; + }; + + baseURL = mkOption { + type = types.nullOr types.str; + default = null; + example = "https://changedetection-io.example"; + description = lib.mdDoc '' + The base url used in notifications and `{base_url}` token. + ''; + }; + + behindProxy = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Enable this option when changedetection-io runs behind a reverse proxy, so that it trusts X-* headers. + It is recommend to run changedetection-io behind a TLS reverse proxy. + ''; + }; + + environmentFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/run/secrets/changedetection-io.env"; + description = lib.mdDoc '' + Securely pass environment variabels to changedetection-io. + + This can be used to set for example a frontend password reproducible via `SALTED_PASS` + which convinetly also deactivates nags about the hosted version. + `SALTED_PASS` should be 64 characters long while the first 32 are the salt and the second the frontend password. + It can easily be retrieved from the settings file when first set via the frontend with the following command: + ``jq -r .settings.application.password /var/lib/changedetection-io/url-watches.json`` + ''; + }; + + webDriverSupport = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Enable support for fetching web pages using WebDriver and Chromium. + This starts a headless chromium controlled by puppeteer in an oci container. + + ::: {.note} + Playwright can currently leak memory. + See https://github.com/dgtlmoon/changedetection.io/wiki/Playwright-content-fetcher#playwright-memory-leak + ::: + ''; + }; + + playwrightSupport = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Enable support for fetching web pages using playwright and Chromium. + This starts a headless Chromium controlled by puppeteer in an oci container. + + ::: {.note} + Playwright can currently leak memory. + See https://github.com/dgtlmoon/changedetection.io/wiki/Playwright-content-fetcher#playwright-memory-leak + ::: + ''; + }; + + chromePort = mkOption { + type = types.port; + default = 4444; + description = lib.mdDoc '' + A free port on which webDriverSupport or playwrightSupport listen on localhost. + ''; + }; + }; + + config = mkIf cfg.enable { + assertions = [ + { + assertion = !((cfg.webDriverSupport == true) && (cfg.playwrightSupport == true)); + message = "'services.changedetection-io.webDriverSupport' and 'services.changedetection-io.playwrightSupport' cannot be used together."; + } + ]; + + systemd = let + defaultStateDir = cfg.datastorePath == "/var/lib/changedetection-io"; + in { + services.changedetection-io = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + preStart = '' + mkdir -p ${cfg.datastorePath} + ''; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + StateDirectory = mkIf defaultStateDir "changedetection-io"; + StateDirectoryMode = mkIf defaultStateDir "0750"; + WorkingDirectory = cfg.datastorePath; + Environment = lib.optional (cfg.baseURL != null) "BASE_URL=${cfg.baseURL}" + ++ lib.optional cfg.behindProxy "USE_X_SETTINGS=1" + ++ lib.optional cfg.webDriverSupport "WEBDRIVER_URL=http://127.0.0.1:${toString cfg.chromePort}/wd/hub" + ++ lib.optional cfg.playwrightSupport "PLAYWRIGHT_DRIVER_URL=ws://127.0.0.1:${toString cfg.chromePort}/?stealth=1&--disable-web-security=true"; + EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile; + ExecStart = '' + ${pkgs.changedetection-io}/bin/changedetection.py \ + -h ${cfg.listenAddress} -p ${toString cfg.port} -d ${cfg.datastorePath} + ''; + ProtectHome = true; + ProtectSystem = true; + Restart = "on-failure"; + }; + }; + tmpfiles.rules = mkIf defaultStateDir [ + "d ${cfg.datastorePath} 0750 ${cfg.user} ${cfg.group} - -" + ]; + }; + + users = { + users = optionalAttrs (cfg.user == "changedetection-io") { + "changedetection-io" = { + isSystemUser = true; + group = "changedetection-io"; + }; + }; + + groups = optionalAttrs (cfg.group == "changedetection-io") { + "changedetection-io" = { }; + }; + }; + + virtualisation = { + oci-containers.containers = lib.mkMerge [ + (mkIf cfg.webDriverSupport { + changedetection-io-webdriver = { + image = "selenium/standalone-chrome"; + environment = { + VNC_NO_PASSWORD = "1"; + SCREEN_WIDTH = "1920"; + SCREEN_HEIGHT = "1080"; + SCREEN_DEPTH = "24"; + }; + ports = [ + "127.0.0.1:${toString cfg.chromePort}:4444" + ]; + volumes = [ + "/dev/shm:/dev/shm" + ]; + extraOptions = [ "--network=bridge" ]; + }; + }) + + (mkIf cfg.playwrightSupport { + changedetection-io-playwright = { + image = "browserless/chrome"; + environment = { + SCREEN_WIDTH = "1920"; + SCREEN_HEIGHT = "1024"; + SCREEN_DEPTH = "16"; + ENABLE_DEBUGGER = "false"; + PREBOOT_CHROME = "true"; + CONNECTION_TIMEOUT = "300000"; + MAX_CONCURRENT_SESSIONS = "10"; + CHROME_REFRESH_TIME = "600000"; + DEFAULT_BLOCK_ADS = "true"; + DEFAULT_STEALTH = "true"; + }; + ports = [ + "127.0.0.1:${toString cfg.chromePort}:3000" + ]; + extraOptions = [ "--network=bridge" ]; + }; + }) + ]; + podman.defaultNetwork.dnsname.enable = true; + }; + }; +} diff --git a/nixos/modules/services/web-apps/dex.nix b/nixos/modules/services/web-apps/dex.nix index a171487d4f248..1dcc6f7a7c5bc 100644 --- a/nixos/modules/services/web-apps/dex.nix +++ b/nixos/modules/services/web-apps/dex.nix @@ -58,7 +58,7 @@ in ''; description = lib.mdDoc '' The available options can be found in - [the example configuration](https://github.com/dexidp/dex/blob/v${pkgs.dex.version}/config.yaml.dist). + [the example configuration](https://github.com/dexidp/dex/blob/v${pkgs.dex-oidc.version}/config.yaml.dist). It's also possible to refer to environment variables (defined in [services.dex.environmentFile](#opt-services.dex.environmentFile)) using the syntax `$VARIABLE_NAME`. @@ -119,7 +119,7 @@ in RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; - SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ]; + SystemCallFilter = [ "@system-service" "~@privileged @setuid @keyring" ]; TemporaryFileSystem = "/:ro"; # Does not work well with the temporary root #UMask = "0066"; diff --git a/nixos/modules/services/web-apps/discourse.nix b/nixos/modules/services/web-apps/discourse.nix index 66b22ec87db12..9ad451f31f743 100644 --- a/nixos/modules/services/web-apps/discourse.nix +++ b/nixos/modules/services/web-apps/discourse.nix @@ -798,13 +798,13 @@ in "public" "sockets" ]; - RuntimeDirectoryMode = 0750; + RuntimeDirectoryMode = "0750"; StateDirectory = map (p: "discourse/" + p) [ "uploads" "backups" "tmp" ]; - StateDirectoryMode = 0750; + StateDirectoryMode = "0750"; LogsDirectory = "discourse"; TimeoutSec = "infinity"; Restart = "on-failure"; diff --git a/nixos/modules/services/web-apps/dokuwiki.nix b/nixos/modules/services/web-apps/dokuwiki.nix index f4016cd5228e3..f0b3c7b2bcf89 100644 --- a/nixos/modules/services/web-apps/dokuwiki.nix +++ b/nixos/modules/services/web-apps/dokuwiki.nix @@ -7,7 +7,6 @@ let eachSite = cfg.sites; user = "dokuwiki"; webserver = config.services.${cfg.webserver}; - stateDir = hostName: "/var/lib/dokuwiki/${hostName}/data"; dokuwikiAclAuthConfig = hostName: cfg: pkgs.writeText "acl.auth-${hostName}.php" '' # acl.auth.php @@ -325,17 +324,17 @@ in { systemd.tmpfiles.rules = flatten (mapAttrsToList (hostName: cfg: [ - "d ${stateDir hostName}/attic 0750 ${user} ${webserver.group} - -" - "d ${stateDir hostName}/cache 0750 ${user} ${webserver.group} - -" - "d ${stateDir hostName}/index 0750 ${user} ${webserver.group} - -" - "d ${stateDir hostName}/locks 0750 ${user} ${webserver.group} - -" - "d ${stateDir hostName}/log 0750 ${user} ${webserver.group} - -" - "d ${stateDir hostName}/media 0750 ${user} ${webserver.group} - -" - "d ${stateDir hostName}/media_attic 0750 ${user} ${webserver.group} - -" - "d ${stateDir hostName}/media_meta 0750 ${user} ${webserver.group} - -" - "d ${stateDir hostName}/meta 0750 ${user} ${webserver.group} - -" - "d ${stateDir hostName}/pages 0750 ${user} ${webserver.group} - -" - "d ${stateDir hostName}/tmp 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/attic 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/cache 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/index 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/locks 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/log 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/media 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/media_attic 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/media_meta 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/meta 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/pages 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/tmp 0750 ${user} ${webserver.group} - -" ] ++ lib.optional (cfg.aclFile != null) "C ${cfg.aclFile} 0640 ${user} ${webserver.group} - ${pkg hostName cfg}/share/dokuwiki/conf/acl.auth.php.dist" ++ lib.optional (cfg.usersFile != null) "C ${cfg.usersFile} 0640 ${user} ${webserver.group} - ${pkg hostName cfg}/share/dokuwiki/conf/users.auth.php.dist" ) eachSite); @@ -359,7 +358,7 @@ in }; "~ ^/data/" = { - root = "${stateDir hostName}"; + root = "${cfg.stateDir}"; extraConfig = "internal;"; }; diff --git a/nixos/modules/services/web-apps/freshrss.nix b/nixos/modules/services/web-apps/freshrss.nix index 68780a3fe9dd1..c05e7b2c4f7f7 100644 --- a/nixos/modules/services/web-apps/freshrss.nix +++ b/nixos/modules/services/web-apps/freshrss.nix @@ -155,9 +155,17 @@ in virtualHosts.${cfg.virtualHost} = { root = "${cfg.package}/p"; + # php files handling + # this regex is mandatory because of the API locations."~ ^.+?\.php(/.*)?$".extraConfig = '' fastcgi_pass unix:${config.services.phpfpm.pools.${cfg.pool}.socket}; fastcgi_split_path_info ^(.+\.php)(/.*)$; + # By default, the variable PATH_INFO is not set under PHP-FPM + # But FreshRSS API greader.php need it. If you have a “Bad Request” error, double check this var! + # NOTE: the separate $path_info variable is required. For more details, see: + # https://trac.nginx.org/nginx/ticket/321 + set $path_info $fastcgi_path_info; + fastcgi_param PATH_INFO $path_info; include ${pkgs.nginx}/conf/fastcgi_params; include ${pkgs.nginx}/conf/fastcgi.conf; ''; @@ -238,17 +246,17 @@ in # do installation or reconfigure if test -f ${cfg.dataDir}/config.php; then # reconfigure with settings - ${pkgs.php}/bin/php ./cli/reconfigure.php ${settingsFlags} - ${pkgs.php}/bin/php ./cli/update-user.php --user ${cfg.defaultUser} --password "$(cat ${cfg.passwordFile})" + ./cli/reconfigure.php ${settingsFlags} + ./cli/update-user.php --user ${cfg.defaultUser} --password "$(cat ${cfg.passwordFile})" else # Copy the user data template directory cp -r ./data ${cfg.dataDir} # check correct folders in data folder - ${pkgs.php}/bin/php ./cli/prepare.php + ./cli/prepare.php # install with settings - ${pkgs.php}/bin/php ./cli/do-install.php ${settingsFlags} - ${pkgs.php}/bin/php ./cli/create-user.php --user ${cfg.defaultUser} --password "$(cat ${cfg.passwordFile})" + ./cli/do-install.php ${settingsFlags} + ./cli/create-user.php --user ${cfg.defaultUser} --password "$(cat ${cfg.passwordFile})" fi ''; }; @@ -267,7 +275,7 @@ in Group = "freshrss"; StateDirectory = "freshrss"; WorkingDirectory = cfg.package; - ExecStart = "${pkgs.php}/bin/php ./app/actualize_script.php"; + ExecStart = "${cfg.package}/app/actualize_script.php"; } // systemd-hardening; }; }; diff --git a/nixos/modules/services/web-apps/galene.nix b/nixos/modules/services/web-apps/galene.nix index ded104792bc08..15ef09aa0b879 100644 --- a/nixos/modules/services/web-apps/galene.nix +++ b/nixos/modules/services/web-apps/galene.nix @@ -191,7 +191,7 @@ in RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; - SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + SystemCallFilter = [ "@system-service" "~@privileged" ]; UMask = "0077"; } ]; diff --git a/nixos/modules/services/web-apps/healthchecks.nix b/nixos/modules/services/web-apps/healthchecks.nix index 2c55f5ec8ebb5..7da6dce1f9543 100644 --- a/nixos/modules/services/web-apps/healthchecks.nix +++ b/nixos/modules/services/web-apps/healthchecks.nix @@ -15,14 +15,14 @@ let environmentFile = pkgs.writeText "healthchecks-environment" (lib.generators.toKeyValue { } environment); - healthchecksManageScript = with pkgs; (writeShellScriptBin "healthchecks-manage" '' + healthchecksManageScript = pkgs.writeShellScriptBin "healthchecks-manage" '' + sudo=exec if [[ "$USER" != "${cfg.user}" ]]; then - echo "please run as user 'healtchecks'." >/dev/stderr - exit 1 + sudo='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env --preserve-env=PYTHONPATH' fi - export $(cat ${environmentFile} | xargs); - exec ${pkg}/opt/healthchecks/manage.py "$@" - ''); + export $(cat ${environmentFile} | xargs) + $sudo ${pkg}/opt/healthchecks/manage.py "$@" + ''; in { options.services.healthchecks = { @@ -163,7 +163,7 @@ in WorkingDirectory = cfg.dataDir; User = cfg.user; Group = cfg.group; - EnvironmentFile = environmentFile; + EnvironmentFile = [ environmentFile ]; StateDirectory = mkIf (cfg.dataDir == "/var/lib/healthchecks") "healthchecks"; StateDirectoryMode = mkIf (cfg.dataDir == "/var/lib/healthchecks") "0750"; }; diff --git a/nixos/modules/services/web-apps/invoiceplane.nix b/nixos/modules/services/web-apps/invoiceplane.nix index 156cc238e89af..c54915b10a2db 100644 --- a/nixos/modules/services/web-apps/invoiceplane.nix +++ b/nixos/modules/services/web-apps/invoiceplane.nix @@ -36,10 +36,10 @@ let version = src.version; src = pkgs.invoiceplane; - patchPhase = '' + postPhase = '' # Patch index.php file to load additional config file substituteInPlace index.php \ - --replace "require('vendor/autoload.php');" "require('vendor/autoload.php'); \$dotenv = new \Dotenv\Dotenv(__DIR__, 'extraConfig.php'); \$dotenv->load();"; + --replace "require('vendor/autoload.php');" "require('vendor/autoload.php'); \$dotenv = Dotenv\Dotenv::createImmutable(__DIR__, 'extraConfig.php'); \$dotenv->load();"; ''; installPhase = '' diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix index da53d4ea76f40..521cf778a36bf 100644 --- a/nixos/modules/services/web-apps/keycloak.nix +++ b/nixos/modules/services/web-apps/keycloak.nix @@ -616,7 +616,7 @@ in Group = "keycloak"; DynamicUser = true; RuntimeDirectory = "keycloak"; - RuntimeDirectoryMode = 0700; + RuntimeDirectoryMode = "0700"; AmbientCapabilities = "CAP_NET_BIND_SERVICE"; }; script = '' diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix index 779e7d4ad44bf..dad8c3d3e38b3 100644 --- a/nixos/modules/services/web-apps/mastodon.nix +++ b/nixos/modules/services/web-apps/mastodon.nix @@ -475,7 +475,6 @@ in { } // cfgService; after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; }; systemd.services.mastodon-init-db = lib.mkIf cfg.automaticMigrations { @@ -500,16 +499,21 @@ in { # System Call Filtering SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ])) "@chown" "pipe" "pipe2" ]; } // cfgService; - after = [ "mastodon-init-dirs.service" "network.target" ] ++ (if databaseActuallyCreateLocally then [ "postgresql.service" ] else []); - wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "mastodon-init-dirs.service" ] + ++ lib.optional databaseActuallyCreateLocally "postgresql.service"; + requires = [ "mastodon-init-dirs.service" ] + ++ lib.optional databaseActuallyCreateLocally "postgresql.service"; }; systemd.services.mastodon-streaming = { - after = [ "network.target" ] - ++ (if databaseActuallyCreateLocally then [ "postgresql.service" ] else []) - ++ (if cfg.automaticMigrations then [ "mastodon-init-db.service" ] else [ "mastodon-init-dirs.service" ]); - description = "Mastodon streaming"; + after = [ "network.target" "mastodon-init-dirs.service" ] + ++ lib.optional databaseActuallyCreateLocally "postgresql.service" + ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service"; + requires = [ "mastodon-init-dirs.service" ] + ++ lib.optional databaseActuallyCreateLocally "postgresql.service" + ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service"; wantedBy = [ "multi-user.target" ]; + description = "Mastodon streaming"; environment = env // (if cfg.enableUnixSocket then { SOCKET = "/run/mastodon-streaming/streaming.socket"; } else { PORT = toString(cfg.streamingPort); } @@ -529,11 +533,14 @@ in { }; systemd.services.mastodon-web = { - after = [ "network.target" ] - ++ (if databaseActuallyCreateLocally then [ "postgresql.service" ] else []) - ++ (if cfg.automaticMigrations then [ "mastodon-init-db.service" ] else [ "mastodon-init-dirs.service" ]); - description = "Mastodon web"; + after = [ "network.target" "mastodon-init-dirs.service" ] + ++ lib.optional databaseActuallyCreateLocally "postgresql.service" + ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service"; + requires = [ "mastodon-init-dirs.service" ] + ++ lib.optional databaseActuallyCreateLocally "postgresql.service" + ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service"; wantedBy = [ "multi-user.target" ]; + description = "Mastodon web"; environment = env // (if cfg.enableUnixSocket then { SOCKET = "/run/mastodon-web/web.socket"; } else { PORT = toString(cfg.webPort); } @@ -554,11 +561,14 @@ in { }; systemd.services.mastodon-sidekiq = { - after = [ "network.target" ] - ++ (if databaseActuallyCreateLocally then [ "postgresql.service" ] else []) - ++ (if cfg.automaticMigrations then [ "mastodon-init-db.service" ] else [ "mastodon-init-dirs.service" ]); - description = "Mastodon sidekiq"; + after = [ "network.target" "mastodon-init-dirs.service" ] + ++ lib.optional databaseActuallyCreateLocally "postgresql.service" + ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service"; + requires = [ "mastodon-init-dirs.service" ] + ++ lib.optional databaseActuallyCreateLocally "postgresql.service" + ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service"; wantedBy = [ "multi-user.target" ]; + description = "Mastodon sidekiq"; environment = env // { PORT = toString(cfg.sidekiqPort); DB_POOL = toString cfg.sidekiqThreads; diff --git a/nixos/modules/services/web-apps/miniflux.nix b/nixos/modules/services/web-apps/miniflux.nix index fad5701aeedc4..34a108cebd2b8 100644 --- a/nixos/modules/services/web-apps/miniflux.nix +++ b/nixos/modules/services/web-apps/miniflux.nix @@ -116,7 +116,7 @@ in RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; - SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + SystemCallFilter = [ "@system-service" "~@privileged" ]; UMask = "0077"; }; diff --git a/nixos/modules/services/web-apps/netbox.nix b/nixos/modules/services/web-apps/netbox.nix index 2826e57f2c776..f09a8dfc5b215 100644 --- a/nixos/modules/services/web-apps/netbox.nix +++ b/nixos/modules/services/web-apps/netbox.nix @@ -46,7 +46,7 @@ let ''; })).override { plugins = ps: ((cfg.plugins ps) - ++ optional cfg.enableLdap [ ps.django-auth-ldap ]); + ++ optionals cfg.enableLdap [ ps.django-auth-ldap ]); }; netboxManageScript = with pkgs; (writeScriptBin "netbox-manage" '' #!${stdenv.shell} diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index fdbaa90ebb7a3..4f7c26be6ab75 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -148,6 +148,15 @@ in { default = 2; description = lib.mdDoc "Log level value between 0 (DEBUG) and 4 (FATAL)."; }; + logType = mkOption { + type = types.enum [ "errorlog" "file" "syslog" "systemd" ]; + default = "syslog"; + description = lib.mdDoc '' + Logging backend to use. + systemd requires the php-systemd package to be added to services.nextcloud.phpExtraExtensions. + See the [nextcloud documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/logging_configuration.html) for details. + ''; + }; https = mkOption { type = types.bool; default = false; @@ -156,7 +165,7 @@ in { package = mkOption { type = types.package; description = lib.mdDoc "Which package to use for the Nextcloud instance."; - relatedPackages = [ "nextcloud23" "nextcloud24" ]; + relatedPackages = [ "nextcloud24" "nextcloud25" ]; }; phpPackage = mkOption { type = types.package; @@ -637,10 +646,9 @@ in { Using config.services.nextcloud.poolConfig is deprecated and will become unsupported in a future release. Please migrate your configuration to config.services.nextcloud.poolSettings. '') - ++ (optional (versionOlder cfg.package.version "21") (upgradeWarning 20 "21.05")) - ++ (optional (versionOlder cfg.package.version "22") (upgradeWarning 21 "21.11")) ++ (optional (versionOlder cfg.package.version "23") (upgradeWarning 22 "22.05")) ++ (optional (versionOlder cfg.package.version "24") (upgradeWarning 23 "22.05")) + ++ (optional (versionOlder cfg.package.version "25") (upgradeWarning 24 "22.11")) ++ (optional isUnsupportedMariadb '' You seem to be using MariaDB at an unsupported version (i.e. at least 10.6)! Please note that this isn't supported officially by Nextcloud. You can either @@ -661,19 +669,13 @@ in { nextcloud defined in an overlay, please set `services.nextcloud.package` to `pkgs.nextcloud`. '' - else if versionOlder stateVersion "22.05" then nextcloud22 - else nextcloud24 + else if versionOlder stateVersion "22.11" then nextcloud24 + else nextcloud25 ); services.nextcloud.phpPackage = if versionOlder cfg.package.version "24" then pkgs.php80 - # FIXME: Use PHP 8.1 with Nextcloud 24 and higher, once issues like this one are fixed: - # - # https://github.com/nextcloud/twofactor_totp/issues/1192 - # - # else if versionOlder cfg.package.version "24" then pkgs.php80 - # else pkgs.php81; - else pkgs.php80; + else pkgs.php81; } { assertions = [ @@ -765,7 +767,7 @@ in { 'datadirectory' => '${datadir}/data', 'skeletondirectory' => '${cfg.skeletonDirectory}', ${optionalString cfg.caching.apcu "'memcache.local' => '\\OC\\Memcache\\APCu',"} - 'log_type' => 'syslog', + 'log_type' => '${cfg.logType}', 'loglevel' => '${builtins.toString cfg.logLevel}', ${optionalString (c.overwriteProtocol != null) "'overwriteprotocol' => '${c.overwriteProtocol}',"} ${optionalString (c.dbname != null) "'dbname' => '${c.dbname}',"} diff --git a/nixos/modules/services/web-apps/nextcloud.xml b/nixos/modules/services/web-apps/nextcloud.xml index b46f34420a703..a0b69dbd606ce 100644 --- a/nixos/modules/services/web-apps/nextcloud.xml +++ b/nixos/modules/services/web-apps/nextcloud.xml @@ -11,7 +11,7 @@ desktop client is packaged at <literal>pkgs.nextcloud-client</literal>. </para> <para> - The current default by NixOS is <package>nextcloud24</package> which is also the latest + The current default by NixOS is <package>nextcloud25</package> which is also the latest major version available. </para> <section xml:id="module-services-nextcloud-basic-usage"> diff --git a/nixos/modules/services/web-apps/peertube.nix b/nixos/modules/services/web-apps/peertube.nix index 1ac6c15dace9a..a42d1a1a932e3 100644 --- a/nixos/modules/services/web-apps/peertube.nix +++ b/nixos/modules/services/web-apps/peertube.nix @@ -67,6 +67,12 @@ let node ~/dist/server/tools/peertube.js $@ ''; + nginxCommonHeaders = '' + add_header Access-Control-Allow-Origin '*'; + add_header Access-Control-Allow-Methods 'GET, OPTIONS'; + add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; + ''; + in { options.services.peertube = { enable = lib.mkEnableOption (lib.mdDoc "Enable Peertube’s service"); @@ -145,6 +151,12 @@ in { description = lib.mdDoc "Configuration for peertube."; }; + configureNginx = lib.mkOption { + type = lib.types.bool; + default = false; + description = lib.mdDoc "Configure nginx as a reverse proxy for peertube."; + }; + database = { createLocally = lib.mkOption { type = lib.types.bool; @@ -351,6 +363,8 @@ in { systemd.tmpfiles.rules = [ "d '/var/lib/peertube/config' 0700 ${cfg.user} ${cfg.group} - -" "z '/var/lib/peertube/config' 0700 ${cfg.user} ${cfg.group} - -" + "d '/var/lib/peertube/www' 0750 ${cfg.user} ${cfg.group} - -" + "z '/var/lib/peertube/www' 0750 ${cfg.user} ${cfg.group} - -" ]; systemd.services.peertube-init-db = lib.mkIf cfg.database.createLocally { @@ -410,8 +424,11 @@ in { password: '$(cat ${cfg.smtp.passwordFile})' ''} EOF - ln -sf ${cfg.package}/config/default.yaml /var/lib/peertube/config/default.yaml + umask 027 ln -sf ${configFile} /var/lib/peertube/config/production.json + ln -sf ${cfg.package}/config/default.yaml /var/lib/peertube/config/default.yaml + ln -sf ${cfg.package}/client/dist -T /var/lib/peertube/www/client + ln -sf ${cfg.settings.storage.client_overrides} -T /var/lib/peertube/www/client-overrides npm start ''; serviceConfig = { @@ -441,6 +458,269 @@ in { } // cfgService; }; + services.nginx = lib.mkIf cfg.configureNginx { + enable = true; + virtualHosts."${cfg.localDomain}" = { + root = "/var/lib/peertube"; + + # Application + locations."/" = { + tryFiles = "/dev/null @api"; + priority = 1110; + }; + + locations."= /api/v1/videos/upload-resumable" = { + tryFiles = "/dev/null @api"; + priority = 1120; + + extraConfig = '' + client_max_body_size 0; + proxy_request_buffering off; + ''; + }; + + locations."~ ^/api/v1/videos/(upload|([^/]+/studio/edit))$" = { + tryFiles = "/dev/null @api"; + root = cfg.settings.storage.tmp; + priority = 1130; + + extraConfig = '' + client_max_body_size 12G; + add_header X-File-Maximum-Size 8G always; + ''; + }; + + locations."~ ^/api/v1/(videos|video-playlists|video-channels|users/me)" = { + tryFiles = "/dev/null @api"; + priority = 1140; + + extraConfig = '' + client_max_body_size 6M; + add_header X-File-Maximum-Size 4M always; + ''; + }; + + locations."@api" = { + proxyPass = "http://127.0.0.1:${toString cfg.listenHttp}"; + priority = 1150; + + extraConfig = '' + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + + proxy_connect_timeout 10m; + + proxy_send_timeout 10m; + proxy_read_timeout 10m; + + client_max_body_size 100k; + send_timeout 10m; + ''; + }; + + # Websocket + locations."/socket.io" = { + tryFiles = "/dev/null @api_websocket"; + priority = 1210; + }; + + locations."/tracker/socket" = { + tryFiles = "/dev/null @api_websocket"; + priority = 1220; + + extraConfig = '' + proxy_read_timeout 15m; + ''; + }; + + locations."@api_websocket" = { + proxyPass = "http://127.0.0.1:${toString cfg.listenHttp}"; + priority = 1230; + + extraConfig = '' + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + + proxy_http_version 1.1; + ''; + }; + + # Bypass PeerTube for performance reasons. + locations."~ ^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png|default-playlist\.jpg|default-avatar-account\.png|default-avatar-account-48x48\.png|default-avatar-video-channel\.png|default-avatar-video-channel-48x48\.png))$" = { + tryFiles = "/www/client-overrides/$1 /www/client/$1 $1"; + priority = 1310; + }; + + locations."~ ^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$" = { + alias = "${cfg.package}/client/dist/$1"; + priority = 1320; + extraConfig = '' + add_header Cache-Control 'public, max-age=604800, immutable'; + ''; + }; + + locations."~ ^/lazy-static/(avatars|banners)/" = { + tryFiles = "$uri @api"; + root = cfg.settings.storage.avatars; + priority = 1330; + extraConfig = '' + if ($request_method = 'OPTIONS') { + ${nginxCommonHeaders} + add_header Access-Control-Max-Age 1728000; + add_header Cache-Control 'no-cache'; + add_header Content-Type 'text/plain charset=UTF-8'; + add_header Content-Length 0; + return 204; + } + + ${nginxCommonHeaders} + add_header Cache-Control 'public, max-age=7200'; + + rewrite ^/lazy-static/avatars/(.*)$ /$1 break; + rewrite ^/lazy-static/banners/(.*)$ /$1 break; + ''; + }; + + locations."^~ /lazy-static/previews/" = { + tryFiles = "$uri @api"; + root = cfg.settings.storage.previews; + priority = 1340; + extraConfig = '' + if ($request_method = 'OPTIONS') { + ${nginxCommonHeaders} + add_header Access-Control-Max-Age 1728000; + add_header Cache-Control 'no-cache'; + add_header Content-Type 'text/plain charset=UTF-8'; + add_header Content-Length 0; + return 204; + } + + ${nginxCommonHeaders} + add_header Cache-Control 'public, max-age=7200'; + + rewrite ^/lazy-static/previews/(.*)$ /$1 break; + ''; + }; + + locations."^~ /static/thumbnails/" = { + tryFiles = "$uri @api"; + root = cfg.settings.storage.thumbnails; + priority = 1350; + extraConfig = '' + if ($request_method = 'OPTIONS') { + ${nginxCommonHeaders} + add_header Access-Control-Max-Age 1728000; + add_header Cache-Control 'no-cache'; + add_header Content-Type 'text/plain charset=UTF-8'; + add_header Content-Length 0; + return 204; + } + + ${nginxCommonHeaders} + add_header Cache-Control 'public, max-age=7200'; + + rewrite ^/static/thumbnails/(.*)$ /$1 break; + ''; + }; + + locations."^~ /static/redundancy/" = { + tryFiles = "$uri @api"; + root = cfg.settings.storage.redundancy; + priority = 1360; + extraConfig = '' + if ($request_method = 'OPTIONS') { + ${nginxCommonHeaders} + add_header Access-Control-Max-Age 1728000; + add_header Content-Type 'text/plain charset=UTF-8'; + add_header Content-Length 0; + return 204; + } + if ($request_method = 'GET') { + ${nginxCommonHeaders} + + access_log off; + } + aio threads; + sendfile on; + sendfile_max_chunk 1M; + + limit_rate_after 5M; + + set $peertube_limit_rate 800k; + set $limit_rate $peertube_limit_rate; + + rewrite ^/static/redundancy/(.*)$ /$1 break; + ''; + }; + + locations."^~ /static/streaming-playlists/" = { + tryFiles = "$uri @api"; + root = cfg.settings.storage.streaming_playlists; + priority = 1370; + extraConfig = '' + if ($request_method = 'OPTIONS') { + ${nginxCommonHeaders} + add_header Access-Control-Max-Age 1728000; + add_header Content-Type 'text/plain charset=UTF-8'; + add_header Content-Length 0; + return 204; + } + if ($request_method = 'GET') { + ${nginxCommonHeaders} + + access_log off; + } + + aio threads; + sendfile on; + sendfile_max_chunk 1M; + + limit_rate_after 5M; + + set $peertube_limit_rate 5M; + set $limit_rate $peertube_limit_rate; + + rewrite ^/static/streaming-playlists/(.*)$ /$1 break; + ''; + }; + + locations."~ ^/static/webseed/" = { + tryFiles = "$uri @api"; + root = cfg.settings.storage.videos; + priority = 1380; + extraConfig = '' + if ($request_method = 'OPTIONS') { + ${nginxCommonHeaders} + add_header Access-Control-Max-Age 1728000; + add_header Content-Type 'text/plain charset=UTF-8'; + add_header Content-Length 0; + return 204; + } + if ($request_method = 'GET') { + ${nginxCommonHeaders} + + access_log off; + } + + aio threads; + sendfile on; + sendfile_max_chunk 1M; + + limit_rate_after 5M; + + set $peertube_limit_rate 800k; + set $limit_rate $peertube_limit_rate; + + rewrite ^/static/webseed/(.*)$ /$1 break; + ''; + }; + }; + }; + services.postgresql = lib.mkIf cfg.database.createLocally { enable = true; }; @@ -476,8 +756,10 @@ in { (lib.mkIf cfg.redis.enableUnixSocket {${config.services.peertube.user}.extraGroups = [ "redis-peertube" ];}) ]; - users.groups = lib.optionalAttrs (cfg.group == "peertube") { - peertube = { }; + users.groups = { + ${cfg.group} = { + members = lib.optional cfg.configureNginx config.services.nginx.user; + }; }; }; } diff --git a/nixos/modules/services/web-apps/prosody-filer.nix b/nixos/modules/services/web-apps/prosody-filer.nix index 279b4104b0a00..84953546d8e09 100644 --- a/nixos/modules/services/web-apps/prosody-filer.nix +++ b/nixos/modules/services/web-apps/prosody-filer.nix @@ -79,7 +79,7 @@ in { LockPersonality = true; RemoveIPC = true; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; - SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + SystemCallFilter = [ "@system-service" "~@privileged" ]; }; }; }; diff --git a/nixos/modules/services/web-apps/shiori.nix b/nixos/modules/services/web-apps/shiori.nix index 7bd0a4d2b9b5b..f0505e052e1c7 100644 --- a/nixos/modules/services/web-apps/shiori.nix +++ b/nixos/modules/services/web-apps/shiori.nix @@ -86,7 +86,7 @@ in { SystemCallErrorNumber = "EPERM"; SystemCallFilter = [ "@system-service" - "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@resources" "~@setuid" + "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid" ]; }; }; diff --git a/nixos/modules/services/web-apps/snipe-it.nix b/nixos/modules/services/web-apps/snipe-it.nix index 264b72fe837b1..e0d2eb8c6ab2a 100644 --- a/nixos/modules/services/web-apps/snipe-it.nix +++ b/nixos/modules/services/web-apps/snipe-it.nix @@ -394,7 +394,7 @@ in { User = user; WorkingDirectory = snipe-it; RuntimeDirectory = "snipe-it/cache"; - RuntimeDirectoryMode = 0700; + RuntimeDirectoryMode = "0700"; }; path = [ pkgs.replace-secret ]; script = @@ -454,25 +454,43 @@ in { # migrate db ${pkgs.php}/bin/php artisan migrate --force + + # A placeholder file for invalid barcodes + invalid_barcode_location="${cfg.dataDir}/public/uploads/barcodes/invalid_barcode.gif" + [ ! -e "$invalid_barcode_location" ] \ + && cp ${snipe-it}/share/snipe-it/invalid_barcode.gif "$invalid_barcode_location" ''; }; systemd.tmpfiles.rules = [ - "d ${cfg.dataDir} 0710 ${user} ${group} - -" - "d ${cfg.dataDir}/bootstrap 0750 ${user} ${group} - -" - "d ${cfg.dataDir}/bootstrap/cache 0750 ${user} ${group} - -" - "d ${cfg.dataDir}/public 0750 ${user} ${group} - -" - "d ${cfg.dataDir}/public/uploads 0750 ${user} ${group} - -" - "d ${cfg.dataDir}/storage 0700 ${user} ${group} - -" - "d ${cfg.dataDir}/storage/app 0700 ${user} ${group} - -" - "d ${cfg.dataDir}/storage/fonts 0700 ${user} ${group} - -" - "d ${cfg.dataDir}/storage/framework 0700 ${user} ${group} - -" - "d ${cfg.dataDir}/storage/framework/cache 0700 ${user} ${group} - -" - "d ${cfg.dataDir}/storage/framework/sessions 0700 ${user} ${group} - -" - "d ${cfg.dataDir}/storage/framework/views 0700 ${user} ${group} - -" - "d ${cfg.dataDir}/storage/logs 0700 ${user} ${group} - -" - "d ${cfg.dataDir}/storage/uploads 0700 ${user} ${group} - -" - "d ${cfg.dataDir}/storage/private_uploads 0700 ${user} ${group} - -" + "d ${cfg.dataDir} 0710 ${user} ${group} - -" + "d ${cfg.dataDir}/bootstrap 0750 ${user} ${group} - -" + "d ${cfg.dataDir}/bootstrap/cache 0750 ${user} ${group} - -" + "d ${cfg.dataDir}/public 0750 ${user} ${group} - -" + "d ${cfg.dataDir}/public/uploads 0750 ${user} ${group} - -" + "d ${cfg.dataDir}/public/uploads/accessories 0750 ${user} ${group} - -" + "d ${cfg.dataDir}/public/uploads/assets 0750 ${user} ${group} - -" + "d ${cfg.dataDir}/public/uploads/avatars 0750 ${user} ${group} - -" + "d ${cfg.dataDir}/public/uploads/barcodes 0750 ${user} ${group} - -" + "d ${cfg.dataDir}/public/uploads/categories 0750 ${user} ${group} - -" + "d ${cfg.dataDir}/public/uploads/companies 0750 ${user} ${group} - -" + "d ${cfg.dataDir}/public/uploads/components 0750 ${user} ${group} - -" + "d ${cfg.dataDir}/public/uploads/consumables 0750 ${user} ${group} - -" + "d ${cfg.dataDir}/public/uploads/departments 0750 ${user} ${group} - -" + "d ${cfg.dataDir}/public/uploads/locations 0750 ${user} ${group} - -" + "d ${cfg.dataDir}/public/uploads/manufacturers 0750 ${user} ${group} - -" + "d ${cfg.dataDir}/public/uploads/models 0750 ${user} ${group} - -" + "d ${cfg.dataDir}/public/uploads/suppliers 0750 ${user} ${group} - -" + "d ${cfg.dataDir}/storage 0700 ${user} ${group} - -" + "d ${cfg.dataDir}/storage/app 0700 ${user} ${group} - -" + "d ${cfg.dataDir}/storage/fonts 0700 ${user} ${group} - -" + "d ${cfg.dataDir}/storage/framework 0700 ${user} ${group} - -" + "d ${cfg.dataDir}/storage/framework/cache 0700 ${user} ${group} - -" + "d ${cfg.dataDir}/storage/framework/sessions 0700 ${user} ${group} - -" + "d ${cfg.dataDir}/storage/framework/views 0700 ${user} ${group} - -" + "d ${cfg.dataDir}/storage/logs 0700 ${user} ${group} - -" + "d ${cfg.dataDir}/storage/uploads 0700 ${user} ${group} - -" + "d ${cfg.dataDir}/storage/private_uploads 0700 ${user} ${group} - -" ]; users = { diff --git a/nixos/modules/services/web-apps/wordpress.nix b/nixos/modules/services/web-apps/wordpress.nix index d3dda27c3d695..660f1b2d7f868 100644 --- a/nixos/modules/services/web-apps/wordpress.nix +++ b/nixos/modules/services/web-apps/wordpress.nix @@ -22,6 +22,7 @@ let ln -s ${wpConfig hostName cfg} $out/share/wordpress/wp-config.php # symlink uploads directory ln -s ${cfg.uploadsDir} $out/share/wordpress/wp-content/uploads + ln -s ${cfg.fontsDir} $out/share/wordpress/wp-content/fonts # https://github.com/NixOS/nixpkgs/pull/53399 # @@ -95,6 +96,15 @@ let ''; }; + fontsDir = mkOption { + type = types.path; + default = "/var/lib/wordpress/${name}/fonts"; + description = lib.mdDoc '' + This directory is used to download fonts from a remote location, e.g. + to host google fonts locally. + ''; + }; + plugins = mkOption { type = types.listOf types.path; default = []; diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix index 6b43d46fdead0..3ccff8aa5008d 100644 --- a/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -168,7 +168,7 @@ let <VirtualHost ${concatMapStringsSep " " (listen: "${listen.ip}:${toString listen.port}") listen}> ServerName ${hostOpts.hostName} ${concatMapStrings (alias: "ServerAlias ${alias}\n") hostOpts.serverAliases} - ServerAdmin ${adminAddr} + ${optionalString (adminAddr != null) "ServerAdmin ${adminAddr}"} <IfModule mod_ssl.c> SSLEngine off </IfModule> @@ -187,7 +187,7 @@ let <VirtualHost ${concatMapStringsSep " " (listen: "${listen.ip}:${toString listen.port}") listenSSL}> ServerName ${hostOpts.hostName} ${concatMapStrings (alias: "ServerAlias ${alias}\n") hostOpts.serverAliases} - ServerAdmin ${adminAddr} + ${optionalString (adminAddr != null) "ServerAdmin ${adminAddr}"} SSLEngine on SSLCertificateFile ${sslServerCert} SSLCertificateKeyFile ${sslServerKey} @@ -455,8 +455,9 @@ in }; adminAddr = mkOption { - type = types.str; + type = types.nullOr types.str; example = "admin@example.org"; + default = null; description = lib.mdDoc "E-mail address of the server administrator."; }; diff --git a/nixos/modules/services/web-servers/caddy/default.nix b/nixos/modules/services/web-servers/caddy/default.nix index e1456091717d4..50213ec252ff2 100644 --- a/nixos/modules/services/web-servers/caddy/default.nix +++ b/nixos/modules/services/web-servers/caddy/default.nix @@ -290,6 +290,9 @@ in } ''; + # https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size + boot.kernel.sysctl."net.core.rmem_max" = mkDefault 2500000; + systemd.packages = [ cfg.package ]; systemd.services.caddy = { wants = map (hostOpts: "acme-finished-${hostOpts.useACMEHost}.target") acmeVHosts; diff --git a/nixos/modules/services/web-servers/garage.nix b/nixos/modules/services/web-servers/garage.nix new file mode 100644 index 0000000000000..76ab273483eb4 --- /dev/null +++ b/nixos/modules/services/web-servers/garage.nix @@ -0,0 +1,91 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.garage; + toml = pkgs.formats.toml {}; + configFile = toml.generate "garage.toml" cfg.settings; +in +{ + meta.maintainers = [ maintainers.raitobezarius ]; + + options.services.garage = { + enable = mkEnableOption (lib.mdDoc "Garage Object Storage (S3 compatible)"); + + extraEnvironment = mkOption { + type = types.attrsOf types.str; + description = lib.mdDoc "Extra environment variables to pass to the Garage server."; + default = {}; + example = { RUST_BACKTRACE="yes"; }; + }; + + logLevel = mkOption { + type = types.enum (["info" "debug" "trace"]); + default = "info"; + example = "debug"; + description = lib.mdDoc "Garage log level, see <https://garagehq.deuxfleurs.fr/documentation/quick-start/#launching-the-garage-server> for examples."; + }; + + settings = mkOption { + type = types.submodule { + freeformType = toml.type; + + options = { + metadata_dir = mkOption { + default = "/var/lib/garage/meta"; + type = types.path; + description = lib.mdDoc "The metadata directory, put this on a fast disk (e.g. SSD) if possible."; + }; + + data_dir = mkOption { + default = "/var/lib/garage/data"; + type = types.path; + description = lib.mdDoc "The main data storage, put this on your large storage (e.g. high capacity HDD)"; + }; + + replication_mode = mkOption { + default = "none"; + type = types.enum ([ "none" "1" "2" "3" 1 2 3 ]); + apply = v: toString v; + description = lib.mdDoc "Garage replication mode, defaults to none, see: <https://garagehq.deuxfleurs.fr/reference_manual/configuration.html#replication_mode> for reference."; + }; + }; + }; + description = lib.mdDoc "Garage configuration, see <https://garagehq.deuxfleurs.fr/reference_manual/configuration.html> for reference."; + }; + + package = mkOption { + default = pkgs.garage; + defaultText = literalExpression "pkgs.garage"; + type = types.package; + description = lib.mdDoc "Garage package to use."; + }; + }; + + config = mkIf cfg.enable { + environment.etc."garage.toml" = { + source = configFile; + }; + + environment.systemPackages = [ cfg.package ]; # For administration + + systemd.services.garage = { + description = "Garage Object Storage (S3 compatible)"; + after = [ "network.target" "network-online.target" ]; + wants = [ "network.target" "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${cfg.package}/bin/garage server"; + + StateDirectory = mkIf (hasPrefix "/var/lib/garage" cfg.settings.data_dir && hasPrefix "/var/lib/garage" cfg.settings.metadata_dir) "garage"; + DynamicUser = lib.mkDefault true; + ProtectHome = true; + NoNewPrivileges = true; + }; + environment = { + RUST_LOG = lib.mkDefault "garage=${cfg.logLevel}"; + } // cfg.extraEnvironment; + }; + }; +} diff --git a/nixos/modules/services/web-servers/merecat.nix b/nixos/modules/services/web-servers/merecat.nix new file mode 100644 index 0000000000000..aad93605b7176 --- /dev/null +++ b/nixos/modules/services/web-servers/merecat.nix @@ -0,0 +1,55 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.merecat; + format = pkgs.formats.keyValue { + mkKeyValue = generators.mkKeyValueDefault { + mkValueString = v: + # In merecat.conf, booleans are "true" and "false" + if builtins.isBool v + then if v then "true" else "false" + else generators.mkValueStringDefault {} v; + } "="; + }; + configFile = format.generate "merecat.conf" cfg.settings; + +in { + + options.services.merecat = { + + enable = mkEnableOption (lib.mdDoc "Merecat HTTP server"); + + settings = mkOption { + inherit (format) type; + default = { }; + description = lib.mdDoc '' + Merecat configuration. Refer to merecat(8) for details on supported values. + ''; + example = { + hostname = "localhost"; + port = 8080; + virtual-host = true; + directory = "/srv/www"; + }; + }; + + }; + + config = mkIf cfg.enable { + + systemd.services.merecat = { + description = "Merecat HTTP server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + DynamicUser = true; + ExecStart = "${pkgs.merecat}/bin/merecat -n -f ${configFile}"; + AmbientCapabilities = lib.mkIf ((cfg.settings.port or 80) < 1024) [ "CAP_NET_BIND_SERVICE" ]; + }; + }; + + }; + +} diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index aa782b4267e80..9cbac370612fd 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -275,7 +275,10 @@ let redirectListen = filter (x: !x.ssl) defaultListen; acmeLocation = optionalString (vhost.enableACME || vhost.useACMEHost != null) '' - location /.well-known/acme-challenge { + # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx) + # We use ^~ here, so that we don't check any regexes (which could + # otherwise easily override this intended match accidentally). + location ^~ /.well-known/acme-challenge/ { ${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"} ${optionalString (vhost.acmeRoot != null) "root ${vhost.acmeRoot};"} auth_basic off; diff --git a/nixos/modules/services/x11/gdk-pixbuf.nix b/nixos/modules/services/x11/gdk-pixbuf.nix index c80e2b22792aa..2105224f92ff3 100644 --- a/nixos/modules/services/x11/gdk-pixbuf.nix +++ b/nixos/modules/services/x11/gdk-pixbuf.nix @@ -1,34 +1,17 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.services.xserver.gdk-pixbuf; - # Get packages to generate the cache for. We always include gdk-pixbuf. - effectivePackages = unique ([pkgs.gdk-pixbuf] ++ cfg.modulePackages); - - # Generate the cache file by running gdk-pixbuf-query-loaders for each - # package and concatenating the results. - loadersCache = pkgs.runCommand "gdk-pixbuf-loaders.cache" { preferLocalBuild = true; } '' - ( - for package in ${concatStringsSep " " effectivePackages}; do - module_dir="$package/${pkgs.gdk-pixbuf.moduleDir}" - if [[ ! -d $module_dir ]]; then - echo "Warning (services.xserver.gdk-pixbuf): missing module directory $module_dir" 1>&2 - continue - fi - GDK_PIXBUF_MODULEDIR="$module_dir" \ - ${pkgs.stdenv.hostPlatform.emulator pkgs.buildPackages} ${pkgs.gdk-pixbuf.dev}/bin/gdk-pixbuf-query-loaders - done - ) > "$out" - ''; + loadersCache = pkgs.gnome._gdkPixbufCacheBuilder_DO_NOT_USE { + extraLoaders = lib.unique (cfg.modulePackages); + }; in { options = { - services.xserver.gdk-pixbuf.modulePackages = mkOption { - type = types.listOf types.package; + services.xserver.gdk-pixbuf.modulePackages = lib.mkOption { + type = lib.types.listOf lib.types.package; default = [ ]; description = lib.mdDoc "Packages providing GDK-Pixbuf modules, for cache generation."; }; @@ -37,7 +20,7 @@ in # If there is any package configured in modulePackages, we generate the # loaders.cache based on that and set the environment variable # GDK_PIXBUF_MODULE_FILE to point to it. - config = mkIf (cfg.modulePackages != []) { + config = lib.mkIf (cfg.modulePackages != []) { environment.variables = { GDK_PIXBUF_MODULE_FILE = "${loadersCache}"; }; diff --git a/nixos/modules/services/x11/window-managers/default.nix b/nixos/modules/services/x11/window-managers/default.nix index 36d5b3c8156d8..48b413beaa865 100644 --- a/nixos/modules/services/x11/window-managers/default.nix +++ b/nixos/modules/services/x11/window-managers/default.nix @@ -23,6 +23,7 @@ in ./fvwm3.nix ./hackedbox.nix ./herbstluftwm.nix + ./hypr.nix ./i3.nix ./jwm.nix ./leftwm.nix diff --git a/nixos/modules/services/x11/window-managers/dwm.nix b/nixos/modules/services/x11/window-managers/dwm.nix index 2dac41dbe988f..1881826944aac 100644 --- a/nixos/modules/services/x11/window-managers/dwm.nix +++ b/nixos/modules/services/x11/window-managers/dwm.nix @@ -13,7 +13,27 @@ in ###### interface options = { - services.xserver.windowManager.dwm.enable = mkEnableOption (lib.mdDoc "dwm"); + services.xserver.windowManager.dwm = { + enable = mkEnableOption (lib.mdDoc "dwm"); + package = mkOption { + type = types.package; + default = pkgs.dwm; + defaultText = literalExpression "pkgs.dwm"; + example = literalExpression '' + pkgs.dwm.overrideAttrs (oldAttrs: rec { + patches = [ + (super.fetchpatch { + url = "https://dwm.suckless.org/patches/steam/dwm-steam-6.2.diff"; + sha256 = "1ld1z3fh6p5f8gr62zknx3axsinraayzxw3rz1qwg73mx2zk5y1f"; + }) + ]; + }) + ''; + description = lib.mdDoc '' + dwm package to use. + ''; + }; + }; }; @@ -30,7 +50,7 @@ in ''; }; - environment.systemPackages = [ pkgs.dwm ]; + environment.systemPackages = [ cfg.package ]; }; diff --git a/nixos/modules/services/x11/window-managers/hypr.nix b/nixos/modules/services/x11/window-managers/hypr.nix new file mode 100644 index 0000000000000..4c1fea71f93e4 --- /dev/null +++ b/nixos/modules/services/x11/window-managers/hypr.nix @@ -0,0 +1,25 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.xserver.windowManager.hypr; +in +{ + ###### interface + options = { + services.xserver.windowManager.hypr.enable = mkEnableOption (lib.mdDoc "hypr"); + }; + + ###### implementation + config = mkIf cfg.enable { + services.xserver.windowManager.session = singleton { + name = "hypr"; + start = '' + ${pkgs.hypr}/bin/Hypr & + waitPID=$! + ''; + }; + environment.systemPackages = [ pkgs.hypr ]; + }; +} diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index 02b020b61eb60..03d03cb348e82 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -905,9 +905,11 @@ in { assertion = config.boot.initrd.systemd.enable -> !luks.gpgSupport; message = "systemd stage 1 does not support GPG smartcards yet."; } - # TODO { assertion = config.boot.initrd.systemd.enable -> !luks.fido2Support; - message = "systemd stage 1 does not support FIDO2 yet."; + message = '' + systemd stage 1 does not support configuring FIDO2 unlocking through `boot.initrd.luks.devices.<name>.fido2`. + Use systemd-cryptenroll(1) to configure FIDO2 support. + ''; } # TODO { assertion = config.boot.initrd.systemd.enable -> !luks.yubikeySupport; diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix index a9b81dd116bbd..28abf820ec097 100644 --- a/nixos/modules/system/boot/networkd.nix +++ b/nixos/modules/system/boot/networkd.nix @@ -584,6 +584,7 @@ let "Label" "PreferredLifetime" "Scope" + "RouteMetric" "HomeAddress" "DuplicateAddressDetection" "ManageTemporaryAddress" @@ -592,6 +593,7 @@ let ]) (assertHasField "Address") (assertValueOneOf "PreferredLifetime" ["forever" "infinity" "0" 0]) + (assertInt "RouteMetric") (assertValueOneOf "HomeAddress" boolValues) (assertValueOneOf "DuplicateAddressDetection" ["ipv4" "ipv6" "both" "none"]) (assertValueOneOf "ManageTemporaryAddress" boolValues) diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 8f2044a0985eb..d28e6ed0e2770 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -151,6 +151,9 @@ let ] ++ optionals cfg.package.withHostnamed [ "dbus-org.freedesktop.hostname1.service" "systemd-hostnamed.service" + ] ++ optionals cfg.package.withPortabled [ + "dbus-org.freedesktop.portable1.service" + "systemd-portabled.service" ] ++ [ "systemd-exit.service" "systemd-update-done.service" diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix index 03f94c426cb09..31702499b0f14 100644 --- a/nixos/modules/system/boot/systemd/initrd.nix +++ b/nixos/modules/system/boot/systemd/initrd.nix @@ -332,7 +332,10 @@ in { config = mkIf (config.boot.initrd.enable && cfg.enable) { system.build = { inherit initialRamdisk; }; - boot.initrd.availableKernelModules = [ "autofs4" ]; # systemd needs this for some features + boot.initrd.availableKernelModules = [ + "autofs4" # systemd needs this for some features + "tpm-tis" "tpm-crb" # systemd-cryptenroll + ]; boot.initrd.systemd = { initrdBin = [pkgs.bash pkgs.coreutils cfg.package.kmod cfg.package] ++ config.system.fsPackages; @@ -403,6 +406,17 @@ in { # so NSS can look up usernames "${pkgs.glibc}/lib/libnss_files.so.2" + ] ++ optionals cfg.package.withCryptsetup [ + # tpm2 support + "${cfg.package}/lib/cryptsetup/libcryptsetup-token-systemd-tpm2.so" + pkgs.tpm2-tss + + # fido2 support + "${cfg.package}/lib/cryptsetup/libcryptsetup-token-systemd-fido2.so" + "${pkgs.libfido2}/lib/libfido2.so.1" + + # the unwrapped systemd-cryptsetup executable + "${cfg.package}/lib/systemd/.systemd-cryptsetup-wrapped" ] ++ jobScripts; targets.initrd.aliases = ["default.target"]; diff --git a/nixos/modules/system/boot/systemd/logind.nix b/nixos/modules/system/boot/systemd/logind.nix index 5980160321367..b0c927f19f9d7 100644 --- a/nixos/modules/system/boot/systemd/logind.nix +++ b/nixos/modules/system/boot/systemd/logind.nix @@ -82,6 +82,8 @@ in "dbus-org.freedesktop.import1.service" ] ++ optionals config.systemd.package.withMachined [ "dbus-org.freedesktop.machine1.service" + ] ++ optionals config.systemd.package.withPortabled [ + "dbus-org.freedesktop.portable1.service" ] ++ [ "dbus-org.freedesktop.login1.service" "user@.service" diff --git a/nixos/modules/system/boot/systemd/nspawn.nix b/nixos/modules/system/boot/systemd/nspawn.nix index d9e42ad5b26b1..cbc89554c9fd9 100644 --- a/nixos/modules/system/boot/systemd/nspawn.nix +++ b/nixos/modules/system/boot/systemd/nspawn.nix @@ -45,7 +45,9 @@ let ]; instanceOptions = { - options = sharedOptions // { + options = + (getAttrs [ "enable" ] sharedOptions) + // { execConfig = mkOption { default = {}; example = { Parameters = "/bin/sh"; }; diff --git a/nixos/modules/system/boot/systemd/tmpfiles.nix b/nixos/modules/system/boot/systemd/tmpfiles.nix index e990e953b0572..32b9b275d3587 100644 --- a/nixos/modules/system/boot/systemd/tmpfiles.nix +++ b/nixos/modules/system/boot/systemd/tmpfiles.nix @@ -79,6 +79,7 @@ in ln -s "${systemd}/example/tmpfiles.d/home.conf" ln -s "${systemd}/example/tmpfiles.d/journal-nocow.conf" + ln -s "${systemd}/example/tmpfiles.d/portables.conf" ln -s "${systemd}/example/tmpfiles.d/static-nodes-permissions.conf" ln -s "${systemd}/example/tmpfiles.d/systemd.conf" ln -s "${systemd}/example/tmpfiles.d/systemd-nologin.conf" diff --git a/nixos/modules/system/boot/uvesafb.nix b/nixos/modules/system/boot/uvesafb.nix new file mode 100644 index 0000000000000..b10dc42887a15 --- /dev/null +++ b/nixos/modules/system/boot/uvesafb.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.boot.uvesafb; + inherit (lib) mkIf mkEnableOption mkOption mdDoc types; +in { + options = { + boot.uvesafb = { + enable = mkEnableOption (mdDoc "uvesafb"); + + gfx-mode = mkOption { + type = types.str; + default = "1024x768-32"; + description = mdDoc "Screen resolution in modedb format. See [uvesafb](https://docs.kernel.org/fb/uvesafb.html) and [modedb](https://docs.kernel.org/fb/modedb.html) documentation for more details. The default value is a sensible default but may be not ideal for all setups."; + }; + + v86d.package = mkOption { + type = types.package; + description = mdDoc "Which v86d package to use with uvesafb"; + defaultText = ''config.boot.kernelPackages.v86d.overrideAttrs (old: { + hardeningDisable = [ "all" ]; + })''; + default = config.boot.kernelPackages.v86d.overrideAttrs (old: { + hardeningDisable = [ "all" ]; + }); + }; + }; + }; + config = mkIf cfg.enable { + boot.initrd = { + kernelModules = [ "uvesafb" ]; + extraFiles."/usr/v86d".source = cfg.v86d.package; + }; + + boot.kernelParams = [ + "video=uvesafb:mode:${cfg.gfx-mode},mtrr:3,ywrap" + ''uvesafb.v86d="${cfg.v86d.package}/bin/v86d"'' + ]; + }; +} diff --git a/nixos/modules/system/etc/setup-etc.pl b/nixos/modules/system/etc/setup-etc.pl index be6b2d9ae71ef..a048261a3df11 100644 --- a/nixos/modules/system/etc/setup-etc.pl +++ b/nixos/modules/system/etc/setup-etc.pl @@ -137,7 +137,7 @@ foreach my $fn (@oldCopied) { # Rewrite /etc/.clean. close CLEAN; -write_file("/etc/.clean", map { "$_\n" } @copied); +write_file("/etc/.clean", map { "$_\n" } sort @copied); # Create /etc/NIXOS tag if not exists. # When /etc is not on a persistent filesystem, it will be wiped after reboot, diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix index 994747601309c..399ea9eabe08d 100644 --- a/nixos/modules/tasks/filesystems.nix +++ b/nixos/modules/tasks/filesystems.nix @@ -155,7 +155,7 @@ let makeFstabEntries = let - fsToSkipCheck = [ "none" "bindfs" "btrfs" "zfs" "tmpfs" "nfs" "vboxsf" "glusterfs" "apfs" "9p" "cifs" "prl_fs" "vmhgfs" ]; + fsToSkipCheck = [ "none" "bindfs" "btrfs" "zfs" "tmpfs" "nfs" "nfs4" "vboxsf" "glusterfs" "apfs" "9p" "cifs" "prl_fs" "vmhgfs" ]; isBindMount = fs: builtins.elem "bind" fs.options; skipCheck = fs: fs.noCheck || fs.device == "none" || builtins.elem fs.fsType fsToSkipCheck || isBindMount fs; # https://wiki.archlinux.org/index.php/fstab#Filepath_spaces diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index 96222f3b4f645..4b4f4cc801aba 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -226,6 +226,15 @@ in ''; }; + allowHibernation = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Allow hibernation support, this may be a unsafe option depending on your + setup. Make sure to NOT use Swap on ZFS. + ''; + }; + extraPools = mkOption { type = types.listOf types.str; default = []; @@ -498,6 +507,10 @@ in boot = { kernelModules = [ "zfs" ]; + # https://github.com/openzfs/zfs/issues/260 + # https://github.com/openzfs/zfs/issues/12842 + # https://github.com/NixOS/nixpkgs/issues/106093 + kernelParams = lib.optionals (!config.boot.zfs.allowHibernation) [ "nohibernate" ]; extraModulePackages = [ (if config.boot.zfs.enableUnstable then diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 6f01917bcc59f..1982175eac94c 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -1356,8 +1356,8 @@ in "net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6); # networkmanager falls back to "/proc/sys/net/ipv6/conf/default/use_tempaddr" "net.ipv6.conf.default.use_tempaddr" = tempaddrValues.${cfg.tempAddresses}.sysctl; - } // listToAttrs (flip concatMap (filter (i: i.proxyARP) interfaces) - (i: [(nameValuePair "net.ipv4.conf.${replaceChars ["."] ["/"] i.name}.proxy_arp" true)])) + } // listToAttrs (forEach interfaces + (i: nameValuePair "net.ipv4.conf.${replaceChars ["."] ["/"] i.name}.proxy_arp" i.proxyARP)) // listToAttrs (forEach interfaces (i: let opt = i.tempAddress; diff --git a/nixos/modules/virtualisation/container-config.nix b/nixos/modules/virtualisation/container-config.nix index 94f28ea80d094..a7f5044fb9cdb 100644 --- a/nixos/modules/virtualisation/container-config.nix +++ b/nixos/modules/virtualisation/container-config.nix @@ -16,6 +16,9 @@ with lib; # Containers should be light-weight, so start sshd on demand. services.openssh.startWhenNeeded = mkDefault true; + # containers do not need to setup devices + services.udev.enable = false; + # Shut up warnings about not having a boot loader. system.build.installBootLoader = lib.mkDefault "${pkgs.coreutils}/bin/true"; diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix index 22be1d5bff92e..fae7c57680521 100644 --- a/nixos/modules/virtualisation/nixos-containers.nix +++ b/nixos/modules/virtualisation/nixos-containers.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, ... }@host: with lib; @@ -284,7 +284,6 @@ let DeviceAllow = map (d: "${d.node} ${d.modifier}") cfg.allowedDevices; }; - inherit (config.nixpkgs) localSystem; kernelVersion = config.boot.kernelPackages.kernel.version; bindMountOpts = { name, ... }: { @@ -480,10 +479,13 @@ in merge = loc: defs: (import "${toString config.nixpkgs}/nixos/lib/eval-config.nix" { modules = let - extraConfig = { + extraConfig = { options, ... }: { _file = "module at ${__curPos.file}:${toString __curPos.line}"; config = { - nixpkgs = { inherit localSystem; }; + nixpkgs = if options.nixpkgs?hostPlatform && host.options.nixpkgs.hostPlatform.isDefined + then { inherit (host.config.nixpkgs) hostPlatform; } + else { inherit (host.config.nixpkgs) localSystem; } + ; boot.isContainer = true; networking.hostName = mkDefault name; networking.useDHCP = false; @@ -720,7 +722,7 @@ in { config = { config, pkgs, ... }: { services.postgresql.enable = true; - services.postgresql.package = pkgs.postgresql_10; + services.postgresql.package = pkgs.postgresql_14; system.stateVersion = "21.05"; }; diff --git a/nixos/modules/virtualisation/oci-containers.nix b/nixos/modules/virtualisation/oci-containers.nix index 36a28efc6ce44..61066c3cbd758 100644 --- a/nixos/modules/virtualisation/oci-containers.nix +++ b/nixos/modules/virtualisation/oci-containers.nix @@ -304,12 +304,13 @@ let # ExecReload = ...; ### - Environment=if cfg.backend == "podman" then "PODMAN_SYSTEMD_UNIT=podman-${name}.service" else {}; - Type=if cfg.backend == "podman" then "notify" else {}; - NotifyAccess=if cfg.backend == "podman" then "all" else {}; TimeoutStartSec = 0; TimeoutStopSec = 120; Restart = "always"; + } // optionalAttrs (cfg.backend == "podman") { + Environment="PODMAN_SYSTEMD_UNIT=podman-${name}.service"; + Type="notify"; + NotifyAccess="all"; }; }; diff --git a/nixos/modules/virtualisation/vmware-guest.nix b/nixos/modules/virtualisation/vmware-guest.nix index 3b4d484fc8b9f..b8f0a4cf668ef 100644 --- a/nixos/modules/virtualisation/vmware-guest.nix +++ b/nixos/modules/virtualisation/vmware-guest.nix @@ -16,7 +16,8 @@ in enable = mkEnableOption (lib.mdDoc "VMWare Guest Support"); headless = mkOption { type = types.bool; - default = false; + default = !config.services.xserver.enable; + defaultText = "!config.services.xserver.enable"; description = lib.mdDoc "Whether to disable X11-related features."; }; }; diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index a11ee31ab8d04..bd7b452735f1c 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix @@ -55,6 +55,7 @@ in rec { (onFullSupported "nixos.manual") (onSystems ["x86_64-linux"] "nixos.ova") (onSystems ["aarch64-linux"] "nixos.sd_image") + (onFullSupported "nixos.tests.acme") (onSystems ["x86_64-linux"] "nixos.tests.boot.biosCdrom") (onSystems ["x86_64-linux"] "nixos.tests.boot.biosUsb") (onFullSupported "nixos.tests.boot-stage1") diff --git a/nixos/release-small.nix b/nixos/release-small.nix index 1719d6738c5cd..deb428d1bec05 100644 --- a/nixos/release-small.nix +++ b/nixos/release-small.nix @@ -31,6 +31,7 @@ in rec { inherit (nixos') channel manual options iso_minimal amazonImage dummy; tests = { inherit (nixos'.tests) + acme containers-imperative containers-ip firewall @@ -110,6 +111,7 @@ in rec { "nixos.iso_minimal" "nixos.amazonImage" "nixos.manual" + "nixos.tests.acme" "nixos.tests.boot.uefiCdrom" "nixos.tests.containers-imperative" "nixos.tests.containers-ip" diff --git a/nixos/tests/adguardhome.nix b/nixos/tests/adguardhome.nix index 1a220f9969985..5be69e22e5329 100644 --- a/nixos/tests/adguardhome.nix +++ b/nixos/tests/adguardhome.nix @@ -2,16 +2,13 @@ name = "adguardhome"; nodes = { - minimalConf = { ... }: { - services.adguardhome = { enable = true; }; - }; - declarativeConf = { ... }: { services.adguardhome = { enable = true; mutableSettings = false; settings = { + schema_version = 0; dns = { bind_host = "0.0.0.0"; bootstrap_dns = "127.0.0.1"; @@ -26,6 +23,7 @@ mutableSettings = true; settings = { + schema_version = 0; dns = { bind_host = "0.0.0.0"; bootstrap_dns = "127.0.0.1"; @@ -36,10 +34,6 @@ }; testScript = '' - with subtest("Minimal config test"): - minimalConf.wait_for_unit("adguardhome.service") - minimalConf.wait_for_open_port(3000) - with subtest("Declarative config test, DNS will be reachable"): declarativeConf.wait_for_unit("adguardhome.service") declarativeConf.wait_for_open_port(53) diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 0fc08e841ec07..cb3b9a248c0ef 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -102,6 +102,7 @@ in { brscan5 = handleTest ./brscan5.nix {}; btrbk = handleTest ./btrbk.nix {}; btrbk-no-timer = handleTest ./btrbk-no-timer.nix {}; + btrbk-section-order = handleTest ./btrbk-section-order.nix {}; buildbot = handleTest ./buildbot.nix {}; buildkite-agents = handleTest ./buildkite-agents.nix {}; caddy = handleTest ./caddy.nix {}; @@ -109,8 +110,6 @@ in { cage = handleTest ./cage.nix {}; cagebreak = handleTest ./cagebreak.nix {}; calibre-web = handleTest ./calibre-web.nix {}; - cassandra_2_1 = handleTest ./cassandra.nix { testPackage = pkgs.cassandra_2_1; }; - cassandra_2_2 = handleTest ./cassandra.nix { testPackage = pkgs.cassandra_2_2; }; cassandra_3_0 = handleTest ./cassandra.nix { testPackage = pkgs.cassandra_3_0; }; cassandra_3_11 = handleTest ./cassandra.nix { testPackage = pkgs.cassandra_3_11; }; ceph-multi-node = handleTestOn ["x86_64-linux"] ./ceph-multi-node.nix {}; @@ -124,6 +123,7 @@ in { cjdns = handleTest ./cjdns.nix {}; clickhouse = handleTest ./clickhouse.nix {}; cloud-init = handleTest ./cloud-init.nix {}; + cloud-init-hostname = handleTest ./cloud-init-hostname.nix {}; cntr = handleTestOn ["aarch64-linux" "x86_64-linux"] ./cntr.nix {}; cockroachdb = handleTestOn ["x86_64-linux"] ./cockroachdb.nix {}; collectd = handleTest ./collectd.nix {}; @@ -170,6 +170,7 @@ in { documentation = pkgs.callPackage ../modules/misc/documentation/test.nix { inherit nixosLib; }; doh-proxy-rust = handleTest ./doh-proxy-rust.nix {}; dokuwiki = handleTest ./dokuwiki.nix {}; + dolibarr = handleTest ./dolibarr.nix {}; domination = handleTest ./domination.nix {}; dovecot = handleTest ./dovecot.nix {}; drbd = handleTest ./drbd.nix {}; @@ -180,6 +181,7 @@ in { ejabberd = handleTest ./xmpp/ejabberd.nix {}; elk = handleTestOn ["x86_64-linux"] ./elk.nix {}; emacs-daemon = handleTest ./emacs-daemon.nix {}; + endlessh = handleTest ./endlessh.nix {}; endlessh-go = handleTest ./endlessh-go.nix {}; engelsystem = handleTest ./engelsystem.nix {}; enlightenment = handleTest ./enlightenment.nix {}; @@ -213,6 +215,7 @@ in { fsck = handleTest ./fsck.nix {}; ft2-clone = handleTest ./ft2-clone.nix {}; mimir = handleTest ./mimir.nix {}; + garage = handleTest ./garage.nix {}; gerrit = handleTest ./gerrit.nix {}; geth = handleTest ./geth.nix {}; ghostunnel = handleTest ./ghostunnel.nix {}; @@ -231,7 +234,7 @@ in { gollum = handleTest ./gollum.nix {}; google-oslogin = handleTest ./google-oslogin {}; gotify-server = handleTest ./gotify-server.nix {}; - grafana = handleTest ./grafana.nix {}; + grafana = handleTest ./grafana {}; grafana-agent = handleTest ./grafana-agent.nix {}; graphite = handleTest ./graphite.nix {}; graylog = handleTest ./graylog.nix {}; @@ -299,6 +302,7 @@ in { k3s = handleTest ./k3s {}; kafka = handleTest ./kafka.nix {}; kanidm = handleTest ./kanidm.nix {}; + karma = handleTest ./karma.nix {}; kbd-setfont-decompress = handleTest ./kbd-setfont-decompress.nix {}; kbd-update-search-paths-patch = handleTest ./kbd-update-search-paths-patch.nix {}; kea = handleTest ./kea.nix {}; @@ -364,6 +368,7 @@ in { mediawiki = handleTest ./mediawiki.nix {}; meilisearch = handleTest ./meilisearch.nix {}; memcached = handleTest ./memcached.nix {}; + merecat = handleTest ./merecat.nix {}; metabase = handleTest ./metabase.nix {}; minecraft = handleTest ./minecraft.nix {}; minecraft-server = handleTest ./minecraft-server.nix {}; @@ -443,6 +448,7 @@ in { novacomd = handleTestOn ["x86_64-linux"] ./novacomd.nix {}; nscd = handleTest ./nscd.nix {}; nsd = handleTest ./nsd.nix {}; + ntfy-sh = handleTest ./ntfy-sh.nix {}; nzbget = handleTest ./nzbget.nix {}; nzbhydra2 = handleTest ./nzbhydra2.nix {}; oh-my-zsh = handleTest ./oh-my-zsh.nix {}; @@ -527,6 +533,7 @@ in { pulseaudio = discoverTests (import ./pulseaudio.nix); qboot = handleTestOn ["x86_64-linux" "i686-linux"] ./qboot.nix {}; quorum = handleTest ./quorum.nix {}; + quake3 = handleTest ./quake3.nix {}; rabbitmq = handleTest ./rabbitmq.nix {}; radarr = handleTest ./radarr.nix {}; radicale = handleTest ./radicale.nix {}; @@ -598,8 +605,10 @@ in { systemd-cryptenroll = handleTest ./systemd-cryptenroll.nix {}; systemd-escaping = handleTest ./systemd-escaping.nix {}; systemd-initrd-btrfs-raid = handleTest ./systemd-initrd-btrfs-raid.nix {}; + systemd-initrd-luks-fido2 = handleTest ./systemd-initrd-luks-fido2.nix {}; systemd-initrd-luks-keyfile = handleTest ./systemd-initrd-luks-keyfile.nix {}; systemd-initrd-luks-password = handleTest ./systemd-initrd-luks-password.nix {}; + systemd-initrd-luks-tpm2 = handleTest ./systemd-initrd-luks-tpm2.nix {}; systemd-initrd-modprobe = handleTest ./systemd-initrd-modprobe.nix {}; systemd-initrd-shutdown = handleTest ./systemd-shutdown.nix { systemdStage1 = true; }; systemd-initrd-simple = handleTest ./systemd-initrd-simple.nix {}; @@ -611,8 +620,10 @@ in { systemd-networkd-dhcpserver-static-leases = handleTest ./systemd-networkd-dhcpserver-static-leases.nix {}; systemd-networkd-ipv6-prefix-delegation = handleTest ./systemd-networkd-ipv6-prefix-delegation.nix {}; systemd-networkd-vrf = handleTest ./systemd-networkd-vrf.nix {}; + systemd-no-tainted = handleTest ./systemd-no-tainted.nix {}; systemd-nspawn = handleTest ./systemd-nspawn.nix {}; systemd-oomd = handleTest ./systemd-oomd.nix {}; + systemd-portabled = handleTest ./systemd-portabled.nix {}; systemd-shutdown = handleTest ./systemd-shutdown.nix {}; systemd-timesyncd = handleTest ./systemd-timesyncd.nix {}; systemd-misc = handleTest ./systemd-misc.nix {}; @@ -652,6 +663,7 @@ in { unit-php = handleTest ./web-servers/unit-php.nix {}; upnp = handleTest ./upnp.nix {}; uptermd = handleTest ./uptermd.nix {}; + uptime-kuma = handleTest ./uptime-kuma.nix {}; usbguard = handleTest ./usbguard.nix {}; user-activation-scripts = handleTest ./user-activation-scripts.nix {}; user-home-mode = handleTest ./user-home-mode.nix {}; diff --git a/nixos/tests/bazarr.nix b/nixos/tests/bazarr.nix index efcd9de010804..13b27bb530c04 100644 --- a/nixos/tests/bazarr.nix +++ b/nixos/tests/bazarr.nix @@ -16,11 +16,15 @@ in enable = true; listenPort = port; }; + nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) ["unrar"]; + # Workaround for https://github.com/morpheus65535/bazarr/issues/1983 + # ("Crash when running without timezone info"). + time.timeZone = "UTC"; }; testScript = '' machine.wait_for_unit("bazarr.service") - machine.wait_for_open_port(port) + machine.wait_for_open_port(${toString port}) machine.succeed("curl --fail http://localhost:${toString port}/") ''; }) diff --git a/nixos/tests/btrbk-section-order.nix b/nixos/tests/btrbk-section-order.nix new file mode 100644 index 0000000000000..20f1afcf80ec7 --- /dev/null +++ b/nixos/tests/btrbk-section-order.nix @@ -0,0 +1,51 @@ +# This tests validates the order of generated sections that may contain +# other sections. +# When a `volume` section has both `subvolume` and `target` children, +# `target` must go before `subvolume`. Otherwise, `target` will become +# a child of the last `subvolume` instead of `volume`, due to the +# order-sensitive config format. +# +# Issue: https://github.com/NixOS/nixpkgs/issues/195660 +import ./make-test-python.nix ({ lib, pkgs, ... }: { + name = "btrbk-section-order"; + meta.maintainers = with lib.maintainers; [ oxalica ]; + + nodes.machine = { ... }: { + services.btrbk.instances.local = { + onCalendar = null; + settings = { + timestamp_format = "long"; + target."ssh://global-target/".ssh_user = "root"; + volume."/btrfs" = { + snapshot_dir = "/volume-snapshots"; + target."ssh://volume-target/".ssh_user = "root"; + subvolume."@subvolume" = { + snapshot_dir = "/subvolume-snapshots"; + target."ssh://subvolume-target/".ssh_user = "root"; + }; + }; + }; + }; + }; + + testScript = '' + machine.wait_for_unit("basic.target") + got = machine.succeed("cat /etc/btrbk/local.conf") + expect = """ + backend btrfs-progs-sudo + timestamp_format long + target ssh://global-target/ + ssh_user root + volume /btrfs + snapshot_dir /volume-snapshots + target ssh://volume-target/ + ssh_user root + subvolume @subvolume + snapshot_dir /subvolume-snapshots + target ssh://subvolume-target/ + ssh_user root + """.strip() + print(got) + assert got == expect + ''; +}) diff --git a/nixos/tests/chromium.nix b/nixos/tests/chromium.nix index 6b296fe8a61ae..618633935213e 100644 --- a/nixos/tests/chromium.nix +++ b/nixos/tests/chromium.nix @@ -39,7 +39,9 @@ mapAttrs (channel: chromiumPkg: makeTest { name = "chromium-${channel}"; meta = { maintainers = with maintainers; [ aszlig primeos ]; + } // optionalAttrs (chromiumPkg.meta ? timeout) { # https://github.com/NixOS/hydra/issues/591#issuecomment-435125621 + # Note: optionalAttrs is used since meta.timeout is not set for Google Chrome inherit (chromiumPkg.meta) timeout; }; @@ -65,6 +67,9 @@ mapAttrs (channel: chromiumPkg: makeTest { from contextlib import contextmanager + major_version = "${versions.major (getVersion chromiumPkg.name)}" + + # Run as user alice def ru(cmd): return "su - ${user} -c " + shlex.quote(cmd) @@ -84,7 +89,6 @@ mapAttrs (channel: chromiumPkg: makeTest { binary = pname # Add optional CLI options: options = [] - major_version = "${versions.major (getVersion chromiumPkg.name)}" if major_version > "95" and not pname.startswith("google-chrome"): # Workaround to avoid a GPU crash: options.append("--use-gl=swiftshader") @@ -242,9 +246,11 @@ mapAttrs (channel: chromiumPkg: makeTest { machine.screenshot("after_copy_from_chromium") - with test_new_win("gpu_info", "chrome://gpu", "chrome://gpu"): - # To check the text rendering (catches regressions like #131074): - machine.wait_for_text("Graphics Feature Status") + if major_version < "107": + # TODO: Fix the chrome://gpu test for M107+ + with test_new_win("gpu_info", "chrome://gpu", "chrome://gpu"): + # To check the text rendering (catches regressions like #131074): + machine.wait_for_text("Graphics Feature Status") with test_new_win("version_info", "chrome://version", "About Version") as clipboard: diff --git a/nixos/tests/cloud-init-hostname.nix b/nixos/tests/cloud-init-hostname.nix new file mode 100644 index 0000000000000..7c657cc9f6f98 --- /dev/null +++ b/nixos/tests/cloud-init-hostname.nix @@ -0,0 +1,46 @@ +{ system ? builtins.currentSystem, + config ? {}, + pkgs ? import ../.. { inherit system config; } +}: + +with import ../lib/testing-python.nix { inherit system pkgs; }; +with pkgs.lib; + +let + # Hostname can also be set through "hostname" in user-data. + # This is how proxmox configures hostname through cloud-init. + metadataDrive = pkgs.stdenv.mkDerivation { + name = "metadata"; + buildCommand = '' + mkdir -p $out/iso + + cat << EOF > $out/iso/user-data + #cloud-config + hostname: testhostname + EOF + + cat << EOF > $out/iso/meta-data + instance-id: iid-local02 + EOF + + ${pkgs.cdrkit}/bin/genisoimage -volid cidata -joliet -rock -o $out/metadata.iso $out/iso + ''; + }; + +in makeTest { + name = "cloud-init-hostname"; + meta = with pkgs.lib.maintainers; { + maintainers = [ lewo illustris ]; + }; + + nodes.machine2 = { ... }: { + virtualisation.qemu.options = [ "-cdrom" "${metadataDrive}/metadata.iso" ]; + services.cloud-init.enable = true; + networking.hostName = ""; + }; + + testScript = '' + unnamed.wait_for_unit("cloud-final.service") + assert "testhostname" in unnamed.succeed("hostname") + ''; +} diff --git a/nixos/tests/cloud-init.nix b/nixos/tests/cloud-init.nix index 9feb8d5c1526e..786e01add7d4b 100644 --- a/nixos/tests/cloud-init.nix +++ b/nixos/tests/cloud-init.nix @@ -49,18 +49,17 @@ let gateway: '12.34.56.9' - type: nameserver address: - - '8.8.8.8' + - '6.7.8.9' search: - 'example.com' EOF ${pkgs.cdrkit}/bin/genisoimage -volid cidata -joliet -rock -o $out/metadata.iso $out/iso ''; }; + in makeTest { name = "cloud-init"; - meta = with pkgs.lib.maintainers; { - maintainers = [ lewo ]; - }; + meta.maintainers = with pkgs.lib.maintainers; [ lewo illustris ]; nodes.machine = { ... }: { virtualisation.qemu.options = [ "-cdrom" "${metadataDrive}/metadata.iso" ]; @@ -89,21 +88,27 @@ in makeTest { # we should be able to log in as the root user, as well as the created nixos user unnamed.succeed( - "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentityFile=~/.ssh/id_snakeoil root@localhost 'true'" + "timeout 10 ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentityFile=~/.ssh/id_snakeoil root@localhost 'true'" ) unnamed.succeed( - "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentityFile=~/.ssh/id_snakeoil nixos@localhost 'true'" + "timeout 10 ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentityFile=~/.ssh/id_snakeoil nixos@localhost 'true'" ) # test changing hostname via cloud-init worked assert ( unnamed.succeed( - "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentityFile=~/.ssh/id_snakeoil nixos@localhost 'hostname'" + "timeout 10 ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentityFile=~/.ssh/id_snakeoil nixos@localhost 'hostname'" ).strip() == "test" ) + # check IP and route configs assert "default via 12.34.56.9 dev eth0 proto static" in unnamed.succeed("ip route") assert "12.34.56.0/24 dev eth0 proto kernel scope link src 12.34.56.78" in unnamed.succeed("ip route") + + # check nameserver and search configs + assert "6.7.8.9" in unnamed.succeed("resolvectl status") + assert "example.com" in unnamed.succeed("resolvectl status") + ''; } diff --git a/nixos/tests/custom-ca.nix b/nixos/tests/custom-ca.nix index 73e47c3c9d0d6..25a7b6fdea46e 100644 --- a/nixos/tests/custom-ca.nix +++ b/nixos/tests/custom-ca.nix @@ -191,5 +191,5 @@ in firefox = { error = "Security Risk"; }; chromium = { error = "not private"; }; qutebrowser = { args = "-T"; error = "Certificate error"; }; - midori = { error = "Security"; }; + midori = { args = "-p"; error = "Security"; }; } diff --git a/nixos/tests/dnscrypt-proxy2.nix b/nixos/tests/dnscrypt-proxy2.nix index 1ba5d983e9b92..4435d77bbf3b2 100644 --- a/nixos/tests/dnscrypt-proxy2.nix +++ b/nixos/tests/dnscrypt-proxy2.nix @@ -1,4 +1,6 @@ -import ./make-test-python.nix ({ pkgs, ... }: { +import ./make-test-python.nix ({ pkgs, ... }: let + localProxyPort = 43; +in { name = "dnscrypt-proxy2"; meta = with pkgs.lib.maintainers; { maintainers = [ joachifm ]; @@ -9,7 +11,6 @@ import ./make-test-python.nix ({ pkgs, ... }: { # for a caching DNS client. client = { ... }: - let localProxyPort = 43; in { security.apparmor.enable = true; @@ -32,5 +33,6 @@ import ./make-test-python.nix ({ pkgs, ... }: { testScript = '' client.wait_for_unit("dnsmasq") client.wait_for_unit("dnscrypt-proxy2") + client.wait_until_succeeds("ss --numeric --udp --listening | grep -q ${toString localProxyPort}") ''; }) diff --git a/nixos/tests/domination.nix b/nixos/tests/domination.nix index 09027740ab8de..409a7f3029c42 100644 --- a/nixos/tests/domination.nix +++ b/nixos/tests/domination.nix @@ -20,7 +20,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { machine.wait_for_x() machine.execute("domination >&2 &") machine.wait_for_window("Menu") - machine.wait_for_text("New Game") + machine.wait_for_text(r"(New Game|Start Server|Load Game|Help Manual|Join Game|About|Play Online)") machine.screenshot("screen") ''; }) diff --git a/nixos/tests/endlessh.nix b/nixos/tests/endlessh.nix new file mode 100644 index 0000000000000..be742a749fdd8 --- /dev/null +++ b/nixos/tests/endlessh.nix @@ -0,0 +1,43 @@ +import ./make-test-python.nix ({ lib, pkgs, ... }: +{ + name = "endlessh"; + meta.maintainers = with lib.maintainers; [ azahi ]; + + nodes = { + server = { ... }: { + services.endlessh = { + enable = true; + openFirewall = true; + }; + + specialisation = { + unprivileged.configuration.services.endlessh.port = 2222; + + privileged.configuration.services.endlessh.port = 22; + }; + }; + + client = { pkgs, ... }: { + environment.systemPackages = with pkgs; [ curl netcat ]; + }; + }; + + testScript = '' + def activate_specialisation(name: str): + server.succeed(f"/run/booted-system/specialisation/{name}/bin/switch-to-configuration test >&2") + + start_all() + + with subtest("Unprivileged"): + activate_specialisation("unprivileged") + server.wait_for_unit("endlessh.service") + server.wait_for_open_port(2222) + client.succeed("nc -dvW5 server 2222") + + with subtest("Privileged"): + activate_specialisation("privileged") + server.wait_for_unit("endlessh.service") + server.wait_for_open_port(22) + client.succeed("nc -dvW5 server 22") + ''; +}) diff --git a/nixos/tests/garage.nix b/nixos/tests/garage.nix new file mode 100644 index 0000000000000..dc1f83e7f8f3c --- /dev/null +++ b/nixos/tests/garage.nix @@ -0,0 +1,169 @@ +import ./make-test-python.nix ({ pkgs, ...} : +let + mkNode = { replicationMode, publicV6Address ? "::1" }: { pkgs, ... }: { + networking.interfaces.eth1.ipv6.addresses = [{ + address = publicV6Address; + prefixLength = 64; + }]; + + networking.firewall.allowedTCPPorts = [ 3901 3902 ]; + + services.garage = { + enable = true; + settings = { + replication_mode = replicationMode; + + rpc_bind_addr = "[::]:3901"; + rpc_public_addr = "[${publicV6Address}]:3901"; + rpc_secret = "5c1915fa04d0b6739675c61bf5907eb0fe3d9c69850c83820f51b4d25d13868c"; + + s3_api = { + s3_region = "garage"; + api_bind_addr = "[::]:3900"; + root_domain = ".s3.garage"; + }; + + s3_web = { + bind_addr = "[::]:3902"; + root_domain = ".web.garage"; + index = "index.html"; + }; + }; + }; + environment.systemPackages = [ pkgs.minio-client ]; + + # Garage requires at least 1GiB of free disk space to run. + virtualisation.diskSize = 2 * 1024; + }; + + +in { + name = "garage"; + meta = { + maintainers = with pkgs.lib.maintainers; [ raitobezarius ]; + }; + + nodes = { + single_node = mkNode { replicationMode = "none"; }; + node1 = mkNode { replicationMode = 3; publicV6Address = "fc00:1::1"; }; + node2 = mkNode { replicationMode = 3; publicV6Address = "fc00:1::2"; }; + node3 = mkNode { replicationMode = 3; publicV6Address = "fc00:1::3"; }; + node4 = mkNode { replicationMode = 3; publicV6Address = "fc00:1::4"; }; + }; + + testScript = '' + from typing import List + from dataclasses import dataclass + import re + start_all() + + cur_version_regex = re.compile('Current cluster layout version: (?P<ver>\d*)') + key_creation_regex = re.compile('Key name: (?P<key_name>.*)\nKey ID: (?P<key_id>.*)\nSecret key: (?P<secret_key>.*)') + + @dataclass + class S3Key: + key_name: str + key_id: str + secret_key: str + + @dataclass + class GarageNode: + node_id: str + host: str + + def get_node_fqn(machine: Machine) -> GarageNode: + node_id, host = machine.succeed("garage node id").split('@') + return GarageNode(node_id=node_id, host=host) + + def get_node_id(machine: Machine) -> str: + return get_node_fqn(machine).node_id + + def get_layout_version(machine: Machine) -> int: + version_data = machine.succeed("garage layout show") + m = cur_version_regex.search(version_data) + if m and m.group('ver') is not None: + return int(m.group('ver')) + 1 + else: + raise ValueError('Cannot find current layout version') + + def apply_garage_layout(machine: Machine, layouts: List[str]): + for layout in layouts: + machine.succeed(f"garage layout assign {layout}") + version = get_layout_version(machine) + machine.succeed(f"garage layout apply --version {version}") + + def create_api_key(machine: Machine, key_name: str) -> S3Key: + output = machine.succeed(f"garage key new --name {key_name}") + m = key_creation_regex.match(output) + if not m or not m.group('key_id') or not m.group('secret_key'): + raise ValueError('Cannot parse API key data') + return S3Key(key_name=key_name, key_id=m.group('key_id'), secret_key=m.group('secret_key')) + + def get_api_key(machine: Machine, key_pattern: str) -> S3Key: + output = machine.succeed(f"garage key info {key_pattern}") + m = key_creation_regex.match(output) + if not m or not m.group('key_name') or not m.group('key_id') or not m.group('secret_key'): + raise ValueError('Cannot parse API key data') + return S3Key(key_name=m.group('key_name'), key_id=m.group('key_id'), secret_key=m.group('secret_key')) + + def test_bucket_writes(node): + node.succeed("garage bucket create test-bucket") + s3_key = create_api_key(node, "test-api-key") + node.succeed("garage bucket allow --read --write test-bucket --key test-api-key") + other_s3_key = get_api_key(node, 'test-api-key') + assert other_s3_key.secret_key == other_s3_key.secret_key + node.succeed( + f"mc alias set test-garage http://[::1]:3900 {s3_key.key_id} {s3_key.secret_key} --api S3v4" + ) + node.succeed("echo test | mc pipe test-garage/test-bucket/test.txt") + assert node.succeed("mc cat test-garage/test-bucket/test.txt").strip() == "test" + + def test_bucket_over_http(node, bucket='test-bucket', url=None): + if url is None: + url = f"{bucket}.web.garage" + + node.succeed(f'garage bucket website --allow {bucket}') + node.succeed(f'echo hello world | mc pipe test-garage/{bucket}/index.html') + assert (node.succeed(f"curl -H 'Host: {url}' http://localhost:3902")).strip() == 'hello world' + + with subtest("Garage works as a single-node S3 storage"): + single_node.wait_for_unit("garage.service") + single_node.wait_for_open_port(3900) + # Now Garage is initialized. + single_node_id = get_node_id(single_node) + apply_garage_layout(single_node, [f'-z qemutest -c 1 "{single_node_id}"']) + # Now Garage is operational. + test_bucket_writes(single_node) + test_bucket_over_http(single_node) + + with subtest("Garage works as a multi-node S3 storage"): + nodes = ('node1', 'node2', 'node3', 'node4') + rev_machines = {m.name: m for m in machines} + def get_machine(key): return rev_machines[key] + for key in nodes: + node = get_machine(key) + node.wait_for_unit("garage.service") + node.wait_for_open_port(3900) + + # Garage is initialized on all nodes. + node_ids = {key: get_node_fqn(get_machine(key)) for key in nodes} + + for key in nodes: + for other_key in nodes: + if other_key != key: + other_id = node_ids[other_key] + get_machine(key).succeed(f"garage node connect {other_id.node_id}@{other_id.host}") + + # Provide multiple zones for the nodes. + zones = ["nixcon", "nixcon", "paris_meetup", "fosdem"] + apply_garage_layout(node1, + [ + f'{ndata.node_id} -z {zones[index]} -c 1' + for index, ndata in enumerate(node_ids.values()) + ]) + # Now Garage is operational. + test_bucket_writes(node1) + for node in nodes: + test_bucket_over_http(get_machine(node)) + ''; +}) diff --git a/nixos/tests/grafana.nix b/nixos/tests/grafana/basic.nix index 174d664d8772b..f6566d4497098 100644 --- a/nixos/tests/grafana.nix +++ b/nixos/tests/grafana/basic.nix @@ -1,4 +1,4 @@ -import ./make-test-python.nix ({ lib, pkgs, ... }: +import ../make-test-python.nix ({ lib, pkgs, ... }: let inherit (lib) mkMerge nameValuePair maintainers; @@ -6,23 +6,31 @@ let baseGrafanaConf = { services.grafana = { enable = true; - addr = "localhost"; - analytics.reporting.enable = false; - domain = "localhost"; - security = { - adminUser = "testadmin"; - adminPassword = "snakeoilpwd"; + settings = { + analytics.reporting_enabled = false; + + server = { + http_addr = "localhost"; + domain = "localhost"; + }; + + security = { + admin_user = "testadmin"; + admin_password = "snakeoilpwd"; + }; }; }; }; extraNodeConfs = { + sqlite = {}; + declarativePlugins = { services.grafana.declarativePlugins = [ pkgs.grafanaPlugins.grafana-clock-panel ]; }; postgresql = { - services.grafana.database = { + services.grafana.settings.database = { host = "127.0.0.1:5432"; user = "grafana"; }; @@ -38,7 +46,7 @@ let }; mysql = { - services.grafana.database.user = "grafana"; + services.grafana.settings.database.user = "grafana"; services.mysql = { enable = true; ensureDatabases = [ "grafana" ]; @@ -52,14 +60,9 @@ let }; }; - nodes = builtins.listToAttrs (map (dbName: - nameValuePair dbName (mkMerge [ - baseGrafanaConf - (extraNodeConfs.${dbName} or {}) - ])) [ "sqlite" "declarativePlugins" "postgresql" "mysql" ]); - + nodes = builtins.mapAttrs (_: val: mkMerge [ val baseGrafanaConf ]) extraNodeConfs; in { - name = "grafana"; + name = "grafana-basic"; meta = with maintainers; { maintainers = [ willibutz ]; @@ -81,8 +84,11 @@ in { with subtest("Successful API query as admin user with sqlite db"): sqlite.wait_for_unit("grafana.service") sqlite.wait_for_open_port(3000) + print(sqlite.succeed( + "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/org/users -i" + )) sqlite.succeed( - "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/org/users | grep testadmin\@localhost" + "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/org/users | grep admin\@localhost" ) sqlite.shutdown() @@ -92,7 +98,7 @@ in { postgresql.wait_for_open_port(3000) postgresql.wait_for_open_port(5432) postgresql.succeed( - "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/org/users | grep testadmin\@localhost" + "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/org/users | grep admin\@localhost" ) postgresql.shutdown() @@ -102,7 +108,7 @@ in { mysql.wait_for_open_port(3000) mysql.wait_for_open_port(3306) mysql.succeed( - "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/org/users | grep testadmin\@localhost" + "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/org/users | grep admin\@localhost" ) mysql.shutdown() ''; diff --git a/nixos/tests/grafana/default.nix b/nixos/tests/grafana/default.nix new file mode 100644 index 0000000000000..9c26225718001 --- /dev/null +++ b/nixos/tests/grafana/default.nix @@ -0,0 +1,9 @@ +{ system ? builtins.currentSystem +, config ? { } +, pkgs ? import ../../.. { inherit system config; } +}: + +{ + basic = import ./basic.nix { inherit system pkgs; }; + provision = import ./provision { inherit system pkgs; }; +} diff --git a/nixos/tests/grafana/provision/contact-points.yaml b/nixos/tests/grafana/provision/contact-points.yaml new file mode 100644 index 0000000000000..2a5f14e75e2db --- /dev/null +++ b/nixos/tests/grafana/provision/contact-points.yaml @@ -0,0 +1,9 @@ +apiVersion: 1 + +contactPoints: + - name: "Test Contact Point" + receivers: + - uid: "test_contact_point" + type: prometheus-alertmanager + settings: + url: http://localhost:9000 diff --git a/nixos/tests/grafana/provision/dashboards.yaml b/nixos/tests/grafana/provision/dashboards.yaml new file mode 100644 index 0000000000000..dc83fe6b892dc --- /dev/null +++ b/nixos/tests/grafana/provision/dashboards.yaml @@ -0,0 +1,6 @@ +apiVersion: 1 + +providers: + - name: 'default' + options: + path: /var/lib/grafana/dashboards diff --git a/nixos/tests/grafana/provision/datasources.yaml b/nixos/tests/grafana/provision/datasources.yaml new file mode 100644 index 0000000000000..ccf9481db7f3f --- /dev/null +++ b/nixos/tests/grafana/provision/datasources.yaml @@ -0,0 +1,7 @@ +apiVersion: 1 + +datasources: + - name: 'Test Datasource' + type: 'testdata' + access: 'proxy' + uid: 'test_datasource' diff --git a/nixos/tests/grafana/provision/default.nix b/nixos/tests/grafana/provision/default.nix new file mode 100644 index 0000000000000..7a707ab9fed1f --- /dev/null +++ b/nixos/tests/grafana/provision/default.nix @@ -0,0 +1,229 @@ +import ../../make-test-python.nix ({ lib, pkgs, ... }: + +let + inherit (lib) mkMerge nameValuePair maintainers; + + baseGrafanaConf = { + services.grafana = { + enable = true; + provision.enable = true; + settings = { + analytics.reporting_enabled = false; + + server = { + http_addr = "localhost"; + domain = "localhost"; + }; + + security = { + admin_user = "testadmin"; + admin_password = "snakeoilpwd"; + }; + }; + }; + + systemd.tmpfiles.rules = [ + "L /var/lib/grafana/dashboards/test.json 0700 grafana grafana - ${pkgs.writeText "test.json" (builtins.readFile ./test_dashboard.json)}" + ]; + }; + + extraNodeConfs = { + provisionOld = { + services.grafana.provision = { + datasources = [{ + name = "Test Datasource"; + type = "testdata"; + access = "proxy"; + uid = "test_datasource"; + }]; + + dashboards = [{ options.path = "/var/lib/grafana/dashboards"; }]; + + notifiers = [{ + uid = "test_notifiers"; + name = "Test Notifiers"; + type = "email"; + settings = { + singleEmail = true; + addresses = "test@test.com"; + }; + }]; + }; + }; + + provisionNix = { + services.grafana.provision = { + datasources.settings = { + apiVersion = 1; + datasources = [{ + name = "Test Datasource"; + type = "testdata"; + access = "proxy"; + uid = "test_datasource"; + }]; + }; + + dashboards.settings = { + apiVersion = 1; + providers = [{ + name = "default"; + options.path = "/var/lib/grafana/dashboards"; + }]; + }; + + alerting = { + rules.settings = { + groups = [{ + name = "test_rule_group"; + folder = "test_folder"; + interval = "60s"; + rules = [{ + uid = "test_rule"; + title = "Test Rule"; + condition = "A"; + data = [{ + refId = "A"; + datasourceUid = "-100"; + model = { + conditions = [{ + evaluator = { + params = [ 3 ]; + type = "git"; + }; + operator.type = "and"; + query.params = [ "A" ]; + reducer.type = "last"; + type = "query"; + }]; + datasource = { + type = "__expr__"; + uid = "-100"; + }; + expression = "1==0"; + intervalMs = 1000; + maxDataPoints = 43200; + refId = "A"; + type = "math"; + }; + }]; + for = "60s"; + }]; + }]; + }; + + contactPoints.settings = { + contactPoints = [{ + name = "Test Contact Point"; + receivers = [{ + uid = "test_contact_point"; + type = "prometheus-alertmanager"; + settings.url = "http://localhost:9000"; + }]; + }]; + }; + + policies.settings = { + policies = [{ + receiver = "Test Contact Point"; + }]; + }; + + templates.settings = { + templates = [{ + name = "Test Template"; + template = "Test message"; + }]; + }; + + muteTimings.settings = { + muteTimes = [{ + name = "Test Mute Timing"; + }]; + }; + }; + }; + }; + + provisionYaml = { + services.grafana.provision = { + datasources.path = ./datasources.yaml; + dashboards.path = ./dashboards.yaml; + alerting = { + rules.path = ./rules.yaml; + contactPoints.path = ./contact-points.yaml; + policies.path = ./policies.yaml; + templates.path = ./templates.yaml; + muteTimings.path = ./mute-timings.yaml; + }; + }; + }; + }; + + nodes = builtins.mapAttrs (_: val: mkMerge [ val baseGrafanaConf ]) extraNodeConfs; +in { + name = "grafana-provision"; + + meta = with maintainers; { + maintainers = [ kfears willibutz ]; + }; + + inherit nodes; + + testScript = '' + start_all() + + nodeOld = ("Nix (old format)", provisionOld) + nodeNix = ("Nix (new format)", provisionNix) + nodeYaml = ("Nix (YAML)", provisionYaml) + + for nodeInfo in [nodeOld, nodeNix, nodeYaml]: + with subtest(f"Should start provision node: {nodeInfo[0]}"): + nodeInfo[1].wait_for_unit("grafana.service") + nodeInfo[1].wait_for_open_port(3000) + + with subtest(f"Successful datasource provision with {nodeInfo[0]}"): + nodeInfo[1].succeed( + "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/datasources/uid/test_datasource | grep Test\ Datasource" + ) + + with subtest(f"Successful dashboard provision with {nodeInfo[0]}"): + nodeInfo[1].succeed( + "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/dashboards/uid/test_dashboard | grep Test\ Dashboard" + ) + + + + with subtest(f"Successful notifiers provision with {nodeOld[0]}"): + nodeOld[1].succeed( + "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/alert-notifications/uid/test_notifiers | grep Test\ Notifiers" + ) + + + + for nodeInfo in [nodeNix, nodeYaml]: + with subtest(f"Successful rule provision with {nodeInfo[0]}"): + nodeInfo[1].succeed( + "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/v1/provisioning/alert-rules/test_rule | grep Test\ Rule" + ) + + with subtest(f"Successful contact point provision with {nodeInfo[0]}"): + nodeInfo[1].succeed( + "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/v1/provisioning/contact-points | grep Test\ Contact\ Point" + ) + + with subtest(f"Successful policy provision with {nodeInfo[0]}"): + nodeInfo[1].succeed( + "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/v1/provisioning/policies | grep Test\ Contact\ Point" + ) + + with subtest(f"Successful template provision with {nodeInfo[0]}"): + nodeInfo[1].succeed( + "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/v1/provisioning/templates | grep Test\ Template" + ) + + with subtest("Successful mute timings provision with {nodeInfo[0]}"): + nodeInfo[1].succeed( + "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/v1/provisioning/mute-timings | grep Test\ Mute\ Timing" + ) + ''; +}) diff --git a/nixos/tests/grafana/provision/mute-timings.yaml b/nixos/tests/grafana/provision/mute-timings.yaml new file mode 100644 index 0000000000000..1f47f7c18f0c9 --- /dev/null +++ b/nixos/tests/grafana/provision/mute-timings.yaml @@ -0,0 +1,4 @@ +apiVersion: 1 + +muteTimes: + - name: "Test Mute Timing" diff --git a/nixos/tests/grafana/provision/policies.yaml b/nixos/tests/grafana/provision/policies.yaml new file mode 100644 index 0000000000000..eb31126c4ba5c --- /dev/null +++ b/nixos/tests/grafana/provision/policies.yaml @@ -0,0 +1,4 @@ +apiVersion: 1 + +policies: + - receiver: "Test Contact Point" diff --git a/nixos/tests/grafana/provision/rules.yaml b/nixos/tests/grafana/provision/rules.yaml new file mode 100644 index 0000000000000..946539c8cb699 --- /dev/null +++ b/nixos/tests/grafana/provision/rules.yaml @@ -0,0 +1,36 @@ +apiVersion: 1 + +groups: + - name: "test_rule_group" + folder: "test_group" + interval: 60s + rules: + - uid: "test_rule" + title: "Test Rule" + condition: A + data: + - refId: A + datasourceUid: '-100' + model: + conditions: + - evaluator: + params: + - 3 + type: gt + operator: + type: and + query: + params: + - A + reducer: + type: last + type: query + datasource: + type: __expr__ + uid: '-100' + expression: 1==0 + intervalMs: 1000 + maxDataPoints: 43200 + refId: A + type: math + for: 60s diff --git a/nixos/tests/grafana/provision/templates.yaml b/nixos/tests/grafana/provision/templates.yaml new file mode 100644 index 0000000000000..09df247b34513 --- /dev/null +++ b/nixos/tests/grafana/provision/templates.yaml @@ -0,0 +1,5 @@ +apiVersion: 1 + +templates: + - name: "Test Template" + template: "Test message" diff --git a/nixos/tests/grafana/provision/test_dashboard.json b/nixos/tests/grafana/provision/test_dashboard.json new file mode 100644 index 0000000000000..6e7a5b37f22b8 --- /dev/null +++ b/nixos/tests/grafana/provision/test_dashboard.json @@ -0,0 +1,47 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": 28, + "links": [], + "liveNow": false, + "panels": [], + "schemaVersion": 37, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-6h", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "Test Dashboard", + "uid": "test_dashboard", + "version": 1, + "weekStart": "" +} diff --git a/nixos/tests/installed-tests/default.nix b/nixos/tests/installed-tests/default.nix index 2e38cd389c74a..78a6325a245ea 100644 --- a/nixos/tests/installed-tests/default.nix +++ b/nixos/tests/installed-tests/default.nix @@ -28,7 +28,7 @@ let , withX11 ? false # Extra flags to pass to gnome-desktop-testing-runner. - , testRunnerFlags ? "" + , testRunnerFlags ? [] # Extra attributes to pass to makeTest. # They will be recursively merged into the attrset created by this function. @@ -67,7 +67,7 @@ let '' + '' machine.succeed( - "gnome-desktop-testing-runner ${testRunnerFlags} -d '${tested.installedTests}/share'" + "gnome-desktop-testing-runner ${escapeShellArgs testRunnerFlags} -d '${tested.installedTests}/share'" ) ''; } diff --git a/nixos/tests/installed-tests/flatpak-builder.nix b/nixos/tests/installed-tests/flatpak-builder.nix index 41f4060fb69e5..d5e04fcf975ce 100644 --- a/nixos/tests/installed-tests/flatpak-builder.nix +++ b/nixos/tests/installed-tests/flatpak-builder.nix @@ -11,5 +11,5 @@ makeInstalledTest { virtualisation.diskSize = 2048; }; - testRunnerFlags = "--timeout 3600"; + testRunnerFlags = [ "--timeout" "3600" ]; } diff --git a/nixos/tests/installed-tests/flatpak.nix b/nixos/tests/installed-tests/flatpak.nix index c7fe9cf458822..9524d890c4025 100644 --- a/nixos/tests/installed-tests/flatpak.nix +++ b/nixos/tests/installed-tests/flatpak.nix @@ -13,5 +13,5 @@ makeInstalledTest { virtualisation.diskSize = 3072; }; - testRunnerFlags = "--timeout 3600"; + testRunnerFlags = [ "--timeout" "3600" ]; } diff --git a/nixos/tests/installed-tests/gdk-pixbuf.nix b/nixos/tests/installed-tests/gdk-pixbuf.nix index 3d0011a427a44..110efdbf710f2 100644 --- a/nixos/tests/installed-tests/gdk-pixbuf.nix +++ b/nixos/tests/installed-tests/gdk-pixbuf.nix @@ -9,5 +9,5 @@ makeInstalledTest { virtualisation.memorySize = if pkgs.stdenv.isi686 then 2047 else 4096; }; - testRunnerFlags = "--timeout 1800"; + testRunnerFlags = [ "--timeout" "1800" ]; } diff --git a/nixos/tests/invoiceplane.nix b/nixos/tests/invoiceplane.nix index 4e63f8ac21c95..260e49db54d33 100644 --- a/nixos/tests/invoiceplane.nix +++ b/nixos/tests/invoiceplane.nix @@ -13,12 +13,12 @@ import ./make-test-python.nix ({ pkgs, ... }: services.invoiceplane.webserver = "caddy"; services.invoiceplane.sites = { "site1.local" = { - #database.name = "invoiceplane1"; + database.name = "invoiceplane1"; database.createLocally = true; enable = true; }; "site2.local" = { - #database.name = "invoiceplane2"; + database.name = "invoiceplane2"; database.createLocally = true; enable = true; }; diff --git a/nixos/tests/jenkins.nix b/nixos/tests/jenkins.nix index 3f111426db388..a1ede6dc917bf 100644 --- a/nixos/tests/jenkins.nix +++ b/nixos/tests/jenkins.nix @@ -18,8 +18,6 @@ import ./make-test-python.nix ({ pkgs, ...} : { enable = true; jobBuilder = { enable = true; - accessUser = "admin"; - accessTokenFile = "/var/lib/jenkins/secrets/initialAdminPassword"; nixJobs = [ { job = { name = "job-1"; diff --git a/nixos/tests/jibri.nix b/nixos/tests/jibri.nix index 223120cdb2291..45e30af9a9a55 100644 --- a/nixos/tests/jibri.nix +++ b/nixos/tests/jibri.nix @@ -35,9 +35,6 @@ import ./make-test-python.nix ({ pkgs, ... }: { machine.wait_for_unit("jibri.service") machine.wait_until_succeeds( - "journalctl -b -u jitsi-videobridge2 -o cat | grep -q 'Performed a successful health check'", timeout=30 - ) - machine.wait_until_succeeds( "journalctl -b -u prosody -o cat | grep -q 'Authenticated as focus@auth.machine'", timeout=31 ) machine.wait_until_succeeds( diff --git a/nixos/tests/k3s/multi-node.nix b/nixos/tests/k3s/multi-node.nix index ce7e4b6ead148..9a6c7fd465739 100644 --- a/nixos/tests/k3s/multi-node.nix +++ b/nixos/tests/k3s/multi-node.nix @@ -54,15 +54,15 @@ import ../make-test-python.nix ({ pkgs, lib, ... }: role = "server"; package = pkgs.k3s; clusterInit = true; - extraFlags = '' - --disable coredns \ - --disable local-storage \ - --disable metrics-server \ - --disable servicelb \ - --disable traefik \ - --node-ip 192.168.1.1 \ - --pause-image test.local/pause:local - ''; + extraFlags = builtins.toString [ + "--disable" "coredns" + "--disable" "local-storage" + "--disable" "metrics-server" + "--disable" "servicelb" + "--disable" "traefik" + "--node-ip" "192.168.1.1" + "--pause-image" "test.local/pause:local" + ]; }; networking.firewall.allowedTCPPorts = [ 2379 2380 6443 ]; networking.firewall.allowedUDPPorts = [ 8472 ]; @@ -84,15 +84,15 @@ import ../make-test-python.nix ({ pkgs, lib, ... }: enable = true; serverAddr = "https://192.168.1.1:6443"; clusterInit = false; - extraFlags = '' - --disable coredns \ - --disable local-storage \ - --disable metrics-server \ - --disable servicelb \ - --disable traefik \ - --node-ip 192.168.1.3 \ - --pause-image test.local/pause:local - ''; + extraFlags = builtins.toString [ + "--disable" "coredns" + "--disable" "local-storage" + "--disable" "metrics-server" + "--disable" "servicelb" + "--disable" "traefik" + "--node-ip" "192.168.1.3" + "--pause-image" "test.local/pause:local" + ]; }; networking.firewall.allowedTCPPorts = [ 2379 2380 6443 ]; networking.firewall.allowedUDPPorts = [ 8472 ]; @@ -112,7 +112,10 @@ import ../make-test-python.nix ({ pkgs, lib, ... }: enable = true; role = "agent"; serverAddr = "https://192.168.1.3:6443"; - extraFlags = "--pause-image test.local/pause:local --node-ip 192.168.1.2"; + extraFlags = lib.concatStringsSep " " [ + "--pause-image" "test.local/pause:local" + "--node-ip" "192.168.1.2" + ]; }; networking.firewall.allowedTCPPorts = [ 6443 ]; networking.firewall.allowedUDPPorts = [ 8472 ]; @@ -135,12 +138,15 @@ import ../make-test-python.nix ({ pkgs, lib, ... }: m.start() m.wait_for_unit("k3s") + is_aarch64 = "${toString pkgs.stdenv.isAarch64}" == "1" + # wait for the agent to show up server.wait_until_succeeds("k3s kubectl get node agent") for m in machines: - '' # Fix-Me: Tests fail for 'aarch64-linux' as: "CONFIG_CGROUP_FREEZER: missing (fail)" - + lib.optionalString (!pkgs.stdenv.isAarch64) ''m.succeed("k3s check-config")'' + '' + # Fix-Me: Tests fail for 'aarch64-linux' as: "CONFIG_CGROUP_FREEZER: missing (fail)" + if not is_aarch64: + m.succeed("k3s check-config") m.succeed( "${pauseImage} | k3s ctr image import -" ) diff --git a/nixos/tests/k3s/single-node.nix b/nixos/tests/k3s/single-node.nix index ab562500f5d21..a95fa4a031e3f 100644 --- a/nixos/tests/k3s/single-node.nix +++ b/nixos/tests/k3s/single-node.nix @@ -40,15 +40,14 @@ import ../make-test-python.nix ({ pkgs, lib, ... }: services.k3s.role = "server"; services.k3s.package = pkgs.k3s; # Slightly reduce resource usage - services.k3s.extraFlags = '' - --disable coredns \ - --disable local-storage \ - --disable metrics-server \ - --disable servicelb \ - --disable traefik \ - --pause-image \ - test.local/pause:local - ''; + services.k3s.extraFlags = builtins.toString [ + "--disable" "coredns" + "--disable" "local-storage" + "--disable" "metrics-server" + "--disable" "servicelb" + "--disable" "traefik" + "--pause-image" "test.local/pause:local" + ]; users.users = { noprivs = { diff --git a/nixos/tests/kafka.nix b/nixos/tests/kafka.nix index 5def759ca24d9..79af02710c32b 100644 --- a/nixos/tests/kafka.nix +++ b/nixos/tests/kafka.nix @@ -50,7 +50,7 @@ let kafka.wait_until_succeeds( "${kafkaPackage}/bin/kafka-topics.sh --create " - + "--zookeeper zookeeper1:2181 --partitions 1 " + + "--bootstrap-server localhost:9092 --partitions 1 " + "--replication-factor 1 --topic testtopic" ) kafka.succeed( @@ -58,22 +58,19 @@ let + "${kafkaPackage}/bin/kafka-console-producer.sh " + "--broker-list localhost:9092 --topic testtopic" ) - '' + (if name == "kafka_0_9" then '' - assert "test 1" in kafka.succeed( - "${kafkaPackage}/bin/kafka-console-consumer.sh " - + "--zookeeper zookeeper1:2181 --topic testtopic " - + "--from-beginning --max-messages 1" - ) - '' else '' assert "test 1" in kafka.succeed( "${kafkaPackage}/bin/kafka-console-consumer.sh " + "--bootstrap-server localhost:9092 --topic testtopic " + "--from-beginning --max-messages 1" ) - ''); + ''; }) { inherit system; }); in with pkgs; { - kafka_2_7 = makeKafkaTest "kafka_2_7" apacheKafka_2_7; kafka_2_8 = makeKafkaTest "kafka_2_8" apacheKafka_2_8; + kafka_3_0 = makeKafkaTest "kafka_3_0" apacheKafka_3_0; + kafka_3_1 = makeKafkaTest "kafka_3_1" apacheKafka_3_1; + kafka_3_2 = makeKafkaTest "kafka_3_2" apacheKafka_3_2; + kafka_3_3 = makeKafkaTest "kafka_3_3" apacheKafka_3_3; + kafka = makeKafkaTest "kafka" apacheKafka; } diff --git a/nixos/tests/karma.nix b/nixos/tests/karma.nix new file mode 100644 index 0000000000000..5ac2983b8aa3e --- /dev/null +++ b/nixos/tests/karma.nix @@ -0,0 +1,84 @@ +import ./make-test-python.nix ({ lib, pkgs, ... }: { + name = "karma"; + nodes = { + server = { ... }: { + services.prometheus.alertmanager = { + enable = true; + logLevel = "debug"; + port = 9093; + openFirewall = true; + configuration = { + global = { + resolve_timeout = "1m"; + }; + route = { + # Root route node + receiver = "test"; + group_by = ["..."]; + continue = false; + group_wait = "1s"; + group_interval="15s"; + repeat_interval = "24h"; + }; + receivers = [ + { + name = "test"; + webhook_configs = [ + { + url = "http://localhost:1234"; + send_resolved = true; + max_alerts = 0; + } + ]; + } + ]; + }; + }; + services.karma = { + enable = true; + openFirewall = true; + settings = { + listen = { + address = "0.0.0.0"; + port = 8081; + }; + alertmanager = { + servers = [ + { + name = "alertmanager"; + uri = "https://127.0.0.1:9093"; + } + ]; + }; + karma.name = "test-dashboard"; + log.config = true; + log.requests = true; + log.timestamp = true; + }; + }; + }; + }; + + testScript = '' + start_all() + + with subtest("Wait for server to come up"): + + server.wait_for_unit("alertmanager.service") + server.wait_for_unit("karma.service") + + server.sleep(5) # wait for both services to settle + + server.wait_for_open_port(9093) + server.wait_for_open_port(8081) + + with subtest("Test alertmanager readiness"): + server.succeed("curl -s http://127.0.0.1:9093/-/ready") + + # Karma only starts serving the dashboard once it has established connectivity to all alertmanagers in its config + # Therefore, this will fail if karma isn't able to reach alertmanager + server.succeed("curl -s http://127.0.0.1:8081") + + server.shutdown() + ''; +}) diff --git a/nixos/tests/kernel-generic.nix b/nixos/tests/kernel-generic.nix index 452c15a3a058d..7ee734a1eff05 100644 --- a/nixos/tests/kernel-generic.nix +++ b/nixos/tests/kernel-generic.nix @@ -30,7 +30,7 @@ let linux_5_4_hardened linux_5_10_hardened linux_5_15_hardened - linux_5_19_hardened + linux_6_0_hardened linux_testing; }; diff --git a/nixos/tests/kubernetes/default.nix b/nixos/tests/kubernetes/default.nix index 60ba482758fbe..a3de9ed115d4c 100644 --- a/nixos/tests/kubernetes/default.nix +++ b/nixos/tests/kubernetes/default.nix @@ -4,8 +4,6 @@ let dns = import ./dns.nix { inherit system pkgs; }; rbac = import ./rbac.nix { inherit system pkgs; }; - # TODO kubernetes.e2e should eventually replace kubernetes.rbac when it works - # e2e = import ./e2e.nix { inherit system pkgs; }; in { dns-single-node = dns.singlenode.test; diff --git a/nixos/tests/kubernetes/e2e.nix b/nixos/tests/kubernetes/e2e.nix deleted file mode 100644 index fb29d9cc6953f..0000000000000 --- a/nixos/tests/kubernetes/e2e.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ system ? builtins.currentSystem, pkgs ? import ../../.. { inherit system; } }: -with import ./base.nix { inherit system; }; -let - domain = "my.zyx"; - certs = import ./certs.nix { externalDomain = domain; kubelets = ["machine1" "machine2"]; }; - kubeconfig = pkgs.writeText "kubeconfig.json" (builtins.toJSON { - apiVersion = "v1"; - kind = "Config"; - clusters = [{ - name = "local"; - cluster.certificate-authority = "${certs.master}/ca.pem"; - cluster.server = "https://api.${domain}"; - }]; - users = [{ - name = "kubelet"; - user = { - client-certificate = "${certs.admin}/admin.pem"; - client-key = "${certs.admin}/admin-key.pem"; - }; - }]; - contexts = [{ - context = { - cluster = "local"; - user = "kubelet"; - }; - current-context = "kubelet-context"; - }]; - }); - - base = { - name = "e2e"; - inherit domain certs; - test = '' - $machine1->succeed("e2e.test -kubeconfig ${kubeconfig} -provider local -ginkgo.focus '\\[Conformance\\]' -ginkgo.skip '\\[Flaky\\]|\\[Serial\\]'"); - ''; - }; -in { - singlenode = mkKubernetesSingleNodeTest base; - multinode = mkKubernetesMultiNodeTest base; -} diff --git a/nixos/tests/kubo.nix b/nixos/tests/kubo.nix index e84a873a1a18d..94aa24a9204fe 100644 --- a/nixos/tests/kubo.nix +++ b/nixos/tests/kubo.nix @@ -9,7 +9,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { enable = true; # Also will add a unix domain socket socket API address, see module. startWhenNeeded = true; - apiAddress = "/ip4/127.0.0.1/tcp/2324"; + settings.Addresses.API = "/ip4/127.0.0.1/tcp/2324"; dataDir = "/mnt/ipfs"; }; }; @@ -17,7 +17,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { nodes.fuse = { ... }: { services.kubo = { enable = true; - apiAddress = "/ip4/127.0.0.1/tcp/2324"; + settings.Addresses.API = "/ip4/127.0.0.1/tcp/2324"; autoMount = true; }; }; diff --git a/nixos/tests/lxd-image-server.nix b/nixos/tests/lxd-image-server.nix index 072f4570c2c9f..e5a292b61bd97 100644 --- a/nixos/tests/lxd-image-server.nix +++ b/nixos/tests/lxd-image-server.nix @@ -8,8 +8,8 @@ let }; }; - lxd-image-metadata = lxd-image.lxdMeta.${pkgs.system}; - lxd-image-rootfs = lxd-image.lxdImage.${pkgs.system}; + lxd-image-metadata = lxd-image.lxdMeta.${pkgs.stdenv.hostPlatform.system}; + lxd-image-rootfs = lxd-image.lxdImage.${pkgs.stdenv.hostPlatform.system}; in { name = "lxd-image-server"; diff --git a/nixos/tests/lxd.nix b/nixos/tests/lxd.nix index 15d16564d641c..2c2c19e0eecf7 100644 --- a/nixos/tests/lxd.nix +++ b/nixos/tests/lxd.nix @@ -11,8 +11,8 @@ let }; }; - lxd-image-metadata = lxd-image.lxdMeta.${pkgs.system}; - lxd-image-rootfs = lxd-image.lxdImage.${pkgs.system}; + lxd-image-metadata = lxd-image.lxdMeta.${pkgs.stdenv.hostPlatform.system}; + lxd-image-rootfs = lxd-image.lxdImage.${pkgs.stdenv.hostPlatform.system}; in { name = "lxd"; @@ -23,7 +23,7 @@ in { nodes.machine = { lib, ... }: { virtualisation = { - diskSize = 2048; + diskSize = 4096; # Since we're testing `limits.cpu`, we've gotta have a known number of # cores to lean on diff --git a/nixos/tests/make-test-python.nix b/nixos/tests/make-test-python.nix index c3bbd67423726..7a96f538d8d7a 100644 --- a/nixos/tests/make-test-python.nix +++ b/nixos/tests/make-test-python.nix @@ -6,6 +6,4 @@ f: { with import ../lib/testing-python.nix { inherit system pkgs; }; -let testConfig = makeTest (if pkgs.lib.isFunction f then f (args // { inherit pkgs; inherit (pkgs) lib; }) else f); -in testConfig.test # For nix-build - // testConfig # For all-tests.nix +makeTest (if pkgs.lib.isFunction f then f (args // { inherit pkgs; inherit (pkgs) lib; }) else f) diff --git a/nixos/tests/matrix/mjolnir.nix b/nixos/tests/matrix/mjolnir.nix index cb843e2e9e3e8..b1ac55d951cef 100644 --- a/nixos/tests/matrix/mjolnir.nix +++ b/nixos/tests/matrix/mjolnir.nix @@ -32,6 +32,7 @@ import ../make-test-python.nix ( name = "mjolnir"; meta = with pkgs.lib; { maintainers = teams.matrix.members; + broken = true; # times out after spending many hours }; nodes = { diff --git a/nixos/tests/merecat.nix b/nixos/tests/merecat.nix new file mode 100644 index 0000000000000..9d8f66165ee90 --- /dev/null +++ b/nixos/tests/merecat.nix @@ -0,0 +1,28 @@ +import ./make-test-python.nix ({ pkgs, ... }: { + name = "merecat"; + meta = with pkgs.lib.maintainers; { + maintainers = [ fgaz ]; + }; + + nodes.machine = { config, pkgs, ... }: { + services.merecat = { + enable = true; + settings = { + hostname = "localhost"; + virtual-host = true; + directory = toString (pkgs.runCommand "merecat-webdir" {} '' + mkdir -p $out/foo.localhost $out/bar.localhost + echo '<h1>Hello foo</h1>' > $out/foo.localhost/index.html + echo '<h1>Hello bar</h1>' > $out/bar.localhost/index.html + ''); + }; + }; + }; + + testScript = '' + machine.wait_for_unit("merecat") + machine.wait_for_open_port(80) + machine.succeed("curl --fail foo.localhost | grep 'Hello foo'") + machine.succeed("curl --fail bar.localhost | grep 'Hello bar'") + ''; +}) diff --git a/nixos/tests/mosquitto.nix b/nixos/tests/mosquitto.nix index d516d3373d9f6..70eecc89278b3 100644 --- a/nixos/tests/mosquitto.nix +++ b/nixos/tests/mosquitto.nix @@ -4,7 +4,7 @@ let port = 1888; tlsPort = 1889; anonPort = 1890; - bindTestPort = 1891; + bindTestPort = 18910; password = "VERY_secret"; hashedPassword = "$7$101$/WJc4Mp+I+uYE9sR$o7z9rD1EYXHPwEP5GqQj6A7k4W1yVbePlb8TqNcuOLV9WNCiDgwHOB0JHC1WCtdkssqTBduBNUnUGd6kmZvDSw=="; topic = "test/foo"; @@ -165,6 +165,10 @@ in { for t in threads: t.start() for t in threads: t.join() + def wait_uuid(uuid): + server.wait_for_console_text(uuid) + return None + start_all() server.wait_for_unit("mosquitto.service") @@ -203,14 +207,14 @@ in { parallel( lambda: client1.succeed(subscribe("-i 3688cdd7-aa07-42a4-be22-cb9352917e40", "reader")), lambda: [ - server.wait_for_console_text("3688cdd7-aa07-42a4-be22-cb9352917e40"), + wait_uuid("3688cdd7-aa07-42a4-be22-cb9352917e40"), client2.succeed(publish("-m test", "writer")) ]) parallel( lambda: client1.fail(subscribe("-i 24ff16a2-ae33-4a51-9098-1b417153c712", "reader")), lambda: [ - server.wait_for_console_text("24ff16a2-ae33-4a51-9098-1b417153c712"), + wait_uuid("24ff16a2-ae33-4a51-9098-1b417153c712"), client2.succeed(publish("-m test", "reader")) ]) @@ -229,7 +233,7 @@ in { lambda: client1.succeed(subscribe("-i fd56032c-d9cb-4813-a3b4-6be0e04c8fc3", "anonReader", port=${toString anonPort})), lambda: [ - server.wait_for_console_text("fd56032c-d9cb-4813-a3b4-6be0e04c8fc3"), + wait_uuid("fd56032c-d9cb-4813-a3b4-6be0e04c8fc3"), client2.succeed(publish("-m test", "anonWriter", port=${toString anonPort})) ]) ''; diff --git a/nixos/tests/mysql/common.nix b/nixos/tests/mysql/common.nix index 040d360b6d99c..c0e8f7e3b5d2a 100644 --- a/nixos/tests/mysql/common.nix +++ b/nixos/tests/mysql/common.nix @@ -4,7 +4,7 @@ inherit (pkgs.darwin.apple_sdk.frameworks) CoreServices; }); mysqlPackages = { - inherit (pkgs) mysql57 mysql80; + inherit (pkgs) mysql80; }; mkTestName = pkg: "mariadb_${builtins.replaceStrings ["."] [""] (lib.versions.majorMinor pkg.version)}"; } diff --git a/nixos/tests/nextcloud/default.nix b/nixos/tests/nextcloud/default.nix index 9e378fe6a52d3..7dbdff9882387 100644 --- a/nixos/tests/nextcloud/default.nix +++ b/nixos/tests/nextcloud/default.nix @@ -22,4 +22,4 @@ foldl }; }) { } - [ 23 24 ] + [ 24 25 ] diff --git a/nixos/tests/nscd.nix b/nixos/tests/nscd.nix index 7bb6d90c3d4e0..1922812ef8c89 100644 --- a/nixos/tests/nscd.nix +++ b/nixos/tests/nscd.nix @@ -21,10 +21,31 @@ in 192.0.2.1 somehost.test ''; + systemd.services.sockdump = { + wantedBy = [ "multi-user.target" ]; + path = [ + # necessary for bcc to unpack kernel headers and invoke modprobe + pkgs.gnutar + pkgs.xz.bin + pkgs.kmod + ]; + environment.PYTHONUNBUFFERED = "1"; + + serviceConfig = { + ExecStart = "${pkgs.sockdump}/bin/sockdump /var/run/nscd/socket"; + Restart = "on-failure"; + RestartSec = "1"; + Type = "simple"; + }; + }; + specialisation = { withUnscd.configuration = { ... }: { services.nscd.package = pkgs.unscd; }; + withNsncd.configuration = { ... }: { + services.nscd.enableNsncd = true; + }; }; }; @@ -40,9 +61,10 @@ in "systemd-run --pty --property=Type=oneshot --property=DynamicUser=yes --property=User=iamatest whoami" ) - # Test resolution of somehost.test with getent', to make sure we go via nscd + # Test resolution of somehost.test with getent', to make sure we go via + # nscd protocol def test_host_lookups(): - with subtest("host lookups via nscd"): + with subtest("host lookups via nscd protocol"): # ahosts output = machine.succeed("${getent'} ahosts somehost.test") assert "192.0.2.1" in output @@ -62,6 +84,7 @@ in assert "somehost.test" in machine.succeed("${getent'} hosts 2001:db8::1") assert "somehost.test" in machine.succeed("${getent'} hosts 192.0.2.1") + # Test host resolution via nss modules works # We rely on nss-myhostname in this case, which resolves *.localhost and # _gateway. @@ -87,6 +110,9 @@ in start_all() machine.wait_for_unit("default.target") + # give sockdump some time to finish attaching. + machine.sleep(5) + # Test all tests with glibc-nscd. test_dynamic_user() test_host_lookups() @@ -103,5 +129,13 @@ in # known to fail, unscd doesn't load external NSS modules # test_nss_myhostname() + + with subtest("nsncd"): + machine.succeed('${specialisations}/withNsncd/bin/switch-to-configuration test') + machine.wait_for_unit("default.target") + + test_dynamic_user() + test_host_lookups() + test_nss_myhostname() ''; }) diff --git a/nixos/tests/ntfy-sh.nix b/nixos/tests/ntfy-sh.nix new file mode 100644 index 0000000000000..c0c289b904b6e --- /dev/null +++ b/nixos/tests/ntfy-sh.nix @@ -0,0 +1,20 @@ +import ./make-test-python.nix { + + nodes.machine = { ... }: { + services.ntfy-sh.enable = true; + }; + + testScript = '' + import json + + msg = "Test notification" + + machine.wait_for_unit("multi-user.target") + + machine.succeed(f"curl -d '{msg}' localhost:80/test") + + notif = json.loads(machine.succeed("curl -s localhost:80/test/json?poll=1")) + + assert msg == notif["message"], "Wrong message" + ''; +} diff --git a/nixos/tests/printing.nix b/nixos/tests/printing.nix index 6338fd8d8ac10..cfebe232d92a0 100644 --- a/nixos/tests/printing.nix +++ b/nixos/tests/printing.nix @@ -4,6 +4,7 @@ import ./make-test-python.nix ({pkgs, ... }: let printingServer = startWhenNeeded: { services.printing.enable = true; + services.printing.stateless = true; services.printing.startWhenNeeded = startWhenNeeded; services.printing.listenAddresses = [ "*:631" ]; services.printing.defaultShared = true; diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix index 596a4eafcd642..a8737eb504d98 100644 --- a/nixos/tests/prometheus-exporters.nix +++ b/nixos/tests/prometheus-exporters.nix @@ -374,25 +374,34 @@ let }; kea = let - controlSocketPath = "/run/kea/dhcp6.sock"; + controlSocketPathV4 = "/run/kea/dhcp4.sock"; + controlSocketPathV6 = "/run/kea/dhcp6.sock"; in { exporterConfig = { enable = true; controlSocketPaths = [ - controlSocketPath + controlSocketPathV4 + controlSocketPathV6 ]; }; metricProvider = { - systemd.services.prometheus-kea-exporter.after = [ "kea-dhcp6-server.service" ]; - services.kea = { + dhcp4 = { + enable = true; + settings = { + control-socket = { + socket-type = "unix"; + socket-name = controlSocketPathV4; + }; + }; + }; dhcp6 = { enable = true; settings = { control-socket = { socket-type = "unix"; - socket-name = controlSocketPath; + socket-name = controlSocketPathV6; }; }; }; @@ -400,8 +409,10 @@ let }; exporterTest = '' + wait_for_unit("kea-dhcp4-server.service") wait_for_unit("kea-dhcp6-server.service") - wait_for_file("${controlSocketPath}") + wait_for_file("${controlSocketPathV4}") + wait_for_file("${controlSocketPathV6}") wait_for_unit("prometheus-kea-exporter.service") wait_for_open_port(9547) succeed( diff --git a/nixos/tests/quake3.nix b/nixos/tests/quake3.nix new file mode 100644 index 0000000000000..82af1af463d03 --- /dev/null +++ b/nixos/tests/quake3.nix @@ -0,0 +1,95 @@ +import ./make-test-python.nix ({ pkgs, ...} : + +let + + # Build Quake with coverage instrumentation. + overrides = pkgs: + { + quake3game = pkgs.quake3game.override (args: { + stdenv = pkgs.stdenvAdapters.addCoverageInstrumentation args.stdenv; + }); + }; + + # Only allow the demo data to be used (only if it's unfreeRedistributable). + unfreePredicate = pkg: with pkgs.lib; let + allowPackageNames = [ "quake3-demodata" "quake3-pointrelease" ]; + allowLicenses = [ pkgs.lib.licenses.unfreeRedistributable ]; + in elem pkg.pname allowPackageNames && + elem (pkg.meta.license or null) allowLicenses; + + client = + { pkgs, ... }: + + { imports = [ ./common/x11.nix ]; + hardware.opengl.driSupport = true; + environment.systemPackages = [ pkgs.quake3demo ]; + nixpkgs.config.packageOverrides = overrides; + nixpkgs.config.allowUnfreePredicate = unfreePredicate; + }; + +in + +rec { + name = "quake3"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ domenkozar eelco ]; + }; + + # TODO: lcov doesn't work atm + #makeCoverageReport = true; + + nodes = + { server = + { pkgs, ... }: + + { systemd.services.quake3-server = + { wantedBy = [ "multi-user.target" ]; + script = + "${pkgs.quake3demo}/bin/quake3-server +set g_gametype 0 " + + "+map q3dm7 +addbot grunt +addbot daemia 2> /tmp/log"; + }; + nixpkgs.config.packageOverrides = overrides; + nixpkgs.config.allowUnfreePredicate = unfreePredicate; + networking.firewall.allowedUDPPorts = [ 27960 ]; + }; + + client1 = client; + client2 = client; + }; + + testScript = + '' + start_all() + + server.wait_for_unit("quake3-server") + client1.wait_for_x() + client2.wait_for_x() + + client1.execute("quake3 +set r_fullscreen 0 +set name Foo +connect server &") + client2.execute("quake3 +set r_fullscreen 0 +set name Bar +connect server &") + + server.wait_until_succeeds("grep -q 'Foo.*entered the game' /tmp/log") + server.wait_until_succeeds("grep -q 'Bar.*entered the game' /tmp/log") + + server.sleep(10) # wait for a while to get a nice screenshot + + client1.block() + + server.sleep(20) + + client1.screenshot("screen1") + client2.screenshot("screen2") + + client1.unblock() + + server.sleep(10) + + client1.screenshot("screen3") + client2.screenshot("screen4") + + client1.shutdown() + client2.shutdown() + server.stop_job("quake3-server") + ''; + +}) diff --git a/nixos/tests/shadow.nix b/nixos/tests/shadow.nix index 50a9f71246469..baa2e5945c05d 100644 --- a/nixos/tests/shadow.nix +++ b/nixos/tests/shadow.nix @@ -3,6 +3,8 @@ let password2 = "helloworld"; password3 = "bazqux"; password4 = "asdf123"; + hashed_bcrypt = "$2b$05$8xIEflrk2RxQtcVXbGIxs.Vl0x7dF1/JSv3cyX6JJt0npzkTCWvxK"; # fnord + hashed_yeshash = "$y$j9T$d8Z4EAf8P1SvM/aDFbxMS0$VnTXMp/Hnc7QdCBEaLTq5ZFOAFo2/PM0/xEAFuOE88."; # fnord in import ./make-test-python.nix ({ pkgs, ... }: { name = "shadow"; meta = with pkgs.lib.maintainers; { maintainers = [ nequissimus ]; }; @@ -27,6 +29,16 @@ in import ./make-test-python.nix ({ pkgs, ... }: { password = password4; shell = pkgs.bash; }; + users.berta = { + isNormalUser = true; + hashedPassword = hashed_bcrypt; + shell = pkgs.bash; + }; + users.yesim = { + isNormalUser = true; + hashedPassword = hashed_yeshash; + shell = pkgs.bash; + }; }; }; @@ -115,5 +127,23 @@ in import ./make-test-python.nix ({ pkgs, ... }: { shadow.wait_until_succeeds("pgrep login") shadow.send_chars("${password2}\n") shadow.wait_until_tty_matches("5", "login:") + + with subtest("check alternate password hashes"): + shadow.send_key("alt-f6") + shadow.wait_until_succeeds("[ $(fgconsole) = 6 ]") + for u in ["berta", "yesim"]: + shadow.wait_for_unit("getty@tty6.service") + shadow.wait_until_succeeds("pgrep -f 'agetty.*tty6'") + shadow.wait_until_tty_matches("6", "login: ") + shadow.send_chars(f"{u}\n") + shadow.wait_until_tty_matches("6", f"login: {u}") + shadow.wait_until_succeeds("pgrep login") + shadow.sleep(2) + shadow.send_chars("fnord\n") + shadow.send_chars(f"whoami > /tmp/{u}\n") + shadow.wait_for_file(f"/tmp/{u}") + print(shadow.succeed(f"cat /tmp/{u}")) + assert u in shadow.succeed(f"cat /tmp/{u}") + shadow.send_chars("logout\n") ''; }) diff --git a/nixos/tests/smokeping.nix b/nixos/tests/smokeping.nix index ccacf60cfe4bd..04f8139642918 100644 --- a/nixos/tests/smokeping.nix +++ b/nixos/tests/smokeping.nix @@ -28,6 +28,8 @@ import ./make-test-python.nix ({ pkgs, ...} : { sm.wait_for_unit("thttpd") sm.wait_for_file("/var/lib/smokeping/data/Local/LocalMachine.rrd") sm.succeed("curl -s -f localhost:8081/smokeping.fcgi?target=Local") + # Check that there's a helpful page without explicit path as well. + sm.succeed("curl -s -f localhost:8081") sm.succeed("ls /var/lib/smokeping/cache/Local/LocalMachine_mini.png") sm.succeed("ls /var/lib/smokeping/cache/index.html") ''; diff --git a/nixos/tests/systemd-cryptenroll.nix b/nixos/tests/systemd-cryptenroll.nix index 055ae7d1681f2..9ee2d280fbbea 100644 --- a/nixos/tests/systemd-cryptenroll.nix +++ b/nixos/tests/systemd-cryptenroll.nix @@ -2,6 +2,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { name = "systemd-cryptenroll"; meta = with pkgs.lib.maintainers; { maintainers = [ ymatsiuk ]; + broken = true; # times out after two hours, details -> https://github.com/NixOS/nixpkgs/issues/167994 }; nodes.machine = { pkgs, lib, ... }: { diff --git a/nixos/tests/systemd-initrd-luks-fido2.nix b/nixos/tests/systemd-initrd-luks-fido2.nix new file mode 100644 index 0000000000000..133e552a3dc99 --- /dev/null +++ b/nixos/tests/systemd-initrd-luks-fido2.nix @@ -0,0 +1,45 @@ +import ./make-test-python.nix ({ lib, pkgs, ... }: { + name = "systemd-initrd-luks-fido2"; + + nodes.machine = { pkgs, config, ... }: { + # Use systemd-boot + virtualisation = { + emptyDiskImages = [ 512 ]; + useBootLoader = true; + useEFIBoot = true; + qemu.package = lib.mkForce (pkgs.qemu_test.override { canokeySupport = true; }); + qemu.options = [ "-device canokey,file=/tmp/canokey-file" ]; + }; + boot.loader.systemd-boot.enable = true; + + boot.initrd.systemd.enable = true; + + environment.systemPackages = with pkgs; [ cryptsetup ]; + + specialisation.boot-luks.configuration = { + boot.initrd.luks.devices = lib.mkVMOverride { + cryptroot = { + device = "/dev/vdc"; + crypttabExtraOpts = [ "fido2-device=auto" ]; + }; + }; + virtualisation.bootDevice = "/dev/mapper/cryptroot"; + }; + }; + + testScript = '' + # Create encrypted volume + machine.wait_for_unit("multi-user.target") + machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -") + machine.succeed("PASSWORD=supersecret SYSTEMD_LOG_LEVEL=debug systemd-cryptenroll --fido2-device=auto /dev/vdc |& systemd-cat") + + # Boot from the encrypted disk + machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf") + machine.succeed("sync") + machine.crash() + + # Boot and decrypt the disk + machine.wait_for_unit("multi-user.target") + assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount") + ''; +}) diff --git a/nixos/tests/systemd-initrd-luks-tpm2.nix b/nixos/tests/systemd-initrd-luks-tpm2.nix new file mode 100644 index 0000000000000..085088d2ee25e --- /dev/null +++ b/nixos/tests/systemd-initrd-luks-tpm2.nix @@ -0,0 +1,72 @@ +import ./make-test-python.nix ({ lib, pkgs, ... }: { + name = "systemd-initrd-luks-tpm2"; + + nodes.machine = { pkgs, ... }: { + # Use systemd-boot + virtualisation = { + emptyDiskImages = [ 512 ]; + useBootLoader = true; + useEFIBoot = true; + qemu.options = ["-chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0"]; + }; + boot.loader.systemd-boot.enable = true; + + boot.initrd.availableKernelModules = [ "tpm_tis" ]; + + environment.systemPackages = with pkgs; [ cryptsetup ]; + boot.initrd.systemd = { + enable = true; + }; + + specialisation.boot-luks.configuration = { + boot.initrd.luks.devices = lib.mkVMOverride { + cryptroot = { + device = "/dev/vdc"; + crypttabExtraOpts = [ "tpm2-device=auto" ]; + }; + }; + virtualisation.bootDevice = "/dev/mapper/cryptroot"; + }; + }; + + testScript = '' + import subprocess + import os + import time + + + class Tpm: + def __init__(self): + os.mkdir("/tmp/mytpm1") + self.start() + + def start(self): + self.proc = subprocess.Popen(["${pkgs.swtpm}/bin/swtpm", "socket", "--tpmstate", "dir=/tmp/mytpm1", "--ctrl", "type=unixio,path=/tmp/mytpm1/swtpm-sock", "--log", "level=20", "--tpm2"]) + + def wait_for_death_then_restart(self): + while self.proc.poll() is None: + print("waiting for tpm to die") + time.sleep(1) + assert self.proc.returncode == 0 + self.start() + + tpm = Tpm() + + + # Create encrypted volume + machine.wait_for_unit("multi-user.target") + machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -") + machine.succeed("PASSWORD=supersecret SYSTEMD_LOG_LEVEL=debug systemd-cryptenroll --tpm2-pcrs= --tpm2-device=auto /dev/vdc |& systemd-cat") + + # Boot from the encrypted disk + machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf") + machine.succeed("sync") + machine.crash() + + tpm.wait_for_death_then_restart() + + # Boot and decrypt the disk + machine.wait_for_unit("multi-user.target") + assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount") + ''; +}) diff --git a/nixos/tests/systemd-machinectl.nix b/nixos/tests/systemd-machinectl.nix index 7a4888ab85f6a..b8ed0c33e8e4a 100644 --- a/nixos/tests/systemd-machinectl.nix +++ b/nixos/tests/systemd-machinectl.nix @@ -41,6 +41,17 @@ import ./make-test-python.nix ({ pkgs, ... }: systemd.targets.machines.wants = [ "systemd-nspawn@${containerName}.service" ]; virtualisation.additionalPaths = [ containerSystem ]; + + # not needed, but we want to test the nspawn file generation + systemd.nspawn.${containerName} = { }; + + systemd.services."systemd-nspawn@${containerName}" = { + serviceConfig.Environment = [ + # Disable tmpfs for /tmp + "SYSTEMD_NSPAWN_TMPFS_TMP=0" + ]; + overrideStrategy = "asDropin"; + }; }; testScript = '' @@ -92,6 +103,9 @@ import ./make-test-python.nix ({ pkgs, ... }: machine.succeed("machinectl stop ${containerName}"); machine.wait_until_succeeds("test $(systemctl is-active systemd-nspawn@${containerName}) = inactive"); + # Test tmpfs for /tmp + machine.fail("mountpoint /tmp"); + # Show to to delete the container machine.succeed("chattr -i ${containerRoot}/var/empty"); machine.succeed("rm -rf ${containerRoot}"); diff --git a/nixos/tests/systemd-no-tainted.nix b/nixos/tests/systemd-no-tainted.nix new file mode 100644 index 0000000000000..f0504065f2a48 --- /dev/null +++ b/nixos/tests/systemd-no-tainted.nix @@ -0,0 +1,14 @@ +import ./make-test-python.nix ({ pkgs, ... }: { + name = "systemd-no-tainted"; + + nodes.machine = { }; + + testScript = '' + machine.wait_for_unit("multi-user.target") + with subtest("systemctl should not report tainted with unmerged-usr"): + output = machine.succeed("systemctl status") + print(output) + assert "Tainted" not in output + assert "unmerged-usr" not in output + ''; +}) diff --git a/nixos/tests/systemd-portabled.nix b/nixos/tests/systemd-portabled.nix new file mode 100644 index 0000000000000..ef38258b0d866 --- /dev/null +++ b/nixos/tests/systemd-portabled.nix @@ -0,0 +1,51 @@ +import ./make-test-python.nix ({pkgs, lib, ...}: let + demo-program = pkgs.writeShellScriptBin "demo" '' + while ${pkgs.coreutils}/bin/sleep 3; do + echo Hello World > /dev/null + done + ''; + demo-service = pkgs.writeText "demo.service" '' + [Unit] + Description=demo service + Requires=demo.socket + After=demo.socket + + [Service] + Type=simple + ExecStart=${demo-program}/bin/demo + Restart=always + + [Install] + WantedBy=multi-user.target + Also=demo.socket + ''; + demo-socket = pkgs.writeText "demo.socket" '' + [Unit] + Description=demo socket + + [Socket] + ListenStream=/run/demo.sock + SocketMode=0666 + + [Install] + WantedBy=sockets.target + ''; + demo-portable = pkgs.portableService { + pname = "demo"; + version = "1.0"; + description = ''A demo "Portable Service" for a shell program built with nix''; + units = [ demo-service demo-socket ]; + }; +in { + + name = "systemd-portabled"; + nodes.machine = {}; + testScript = '' + machine.succeed("portablectl") + machine.wait_for_unit("systemd-portabled.service") + machine.succeed("portablectl attach --now --runtime ${demo-portable}/demo_1.0.raw") + machine.wait_for_unit("demo.service") + machine.succeed("portablectl detach --now --runtime demo_1.0") + machine.fail("systemctl status demo.service") + ''; +}) diff --git a/nixos/tests/terminal-emulators.nix b/nixos/tests/terminal-emulators.nix index c724608b91554..4269d05056d8c 100644 --- a/nixos/tests/terminal-emulators.nix +++ b/nixos/tests/terminal-emulators.nix @@ -23,8 +23,9 @@ with pkgs.lib; let tests = { alacritty.pkg = p: p.alacritty; - contour.pkg = p: p.contour; - contour.cmd = "contour $command"; + # times out after spending many hours + #contour.pkg = p: p.contour; + #contour.cmd = "contour $command"; cool-retro-term.pkg = p: p.cool-retro-term; cool-retro-term.colourTest = false; # broken by gloss effect @@ -103,7 +104,8 @@ let tests = { wayst.pkg = p: p.wayst; wayst.pinkValue = "#FF0066"; - wezterm.pkg = p: p.wezterm; + # times out after spending many hours + #wezterm.pkg = p: p.wezterm; xfce4-terminal.pkg = p: p.xfce.xfce4-terminal; diff --git a/nixos/tests/tracee.nix b/nixos/tests/tracee.nix index 26d0ada931b1c..72e82ec0b7edf 100644 --- a/nixos/tests/tracee.nix +++ b/nixos/tests/tracee.nix @@ -14,15 +14,18 @@ import ./make-test-python.nix ({ pkgs, ... }: { patches = oa.patches or [] ++ [ # change the prefix from /usr/bin to /run to find nix processes ../../pkgs/tools/security/tracee/test-EventFilters-prefix-nix-friendly.patch - # skip magic_write test that currently fails - ../../pkgs/tools/security/tracee/test-EventFilters-magic_write-skip.patch ]; buildPhase = '' runHook preBuild # just build the static lib we need for the go test binary - make $makeFlags ''${enableParallelBuilding:+-j$NIX_BUILD_CORES -l$NIX_BUILD_CORES} bpf-core ./dist/btfhub ./dist/libbpf/libbpf.a + make $makeFlags ''${enableParallelBuilding:+-j$NIX_BUILD_CORES -l$NIX_BUILD_CORES} bpf-core ./dist/btfhub + + # remove the /usr/bin prefix to work with the patch above + substituteInPlace tests/integration/integration_test.go \ + --replace "/usr/bin/ls" "ls" + # then compile the tests to be ran later - CGO_CFLAGS="-I$PWD/dist/libbpf" CGO_LDFLAGS="-lelf -lz $PWD/dist/libbpf/libbpf.a" go test -tags core,ebpf,integration -p 1 -c -o $GOPATH/tracee-integration ./tests/integration/... + CGO_LDFLAGS="$(pkg-config --libs libbpf)" go test -tags core,ebpf,integration -p 1 -c -o $GOPATH/tracee-integration ./tests/integration/... runHook postBuild ''; doCheck = false; diff --git a/nixos/tests/upnp.nix b/nixos/tests/upnp.nix index 451c8607d0ebd..af7cc1fe24130 100644 --- a/nixos/tests/upnp.nix +++ b/nixos/tests/upnp.nix @@ -47,7 +47,7 @@ in client1 = { pkgs, nodes, ... }: - { environment.systemPackages = [ pkgs.miniupnpc_2 pkgs.netcat ]; + { environment.systemPackages = [ pkgs.miniupnpc pkgs.netcat ]; virtualisation.vlans = [ 2 ]; networking.defaultGateway = internalRouterAddress; networking.interfaces.eth1.ipv4.addresses = [ @@ -65,7 +65,7 @@ in client2 = { pkgs, ... }: - { environment.systemPackages = [ pkgs.miniupnpc_2 ]; + { environment.systemPackages = [ pkgs.miniupnpc ]; virtualisation.vlans = [ 1 ]; networking.interfaces.eth1.ipv4.addresses = [ { address = externalClient2Address; prefixLength = 24; } diff --git a/nixos/tests/uptime-kuma.nix b/nixos/tests/uptime-kuma.nix new file mode 100644 index 0000000000000..3d588d73cdb5c --- /dev/null +++ b/nixos/tests/uptime-kuma.nix @@ -0,0 +1,19 @@ +import ./make-test-python.nix ({ lib, ... }: + +with lib; + +{ + name = "uptime-kuma"; + meta.maintainers = with maintainers; [ julienmalka ]; + + nodes.machine = + { pkgs, ... }: + { services.uptime-kuma.enable = true; }; + + testScript = '' + machine.start() + machine.wait_for_unit("uptime-kuma.service") + machine.wait_for_open_port(3001) + machine.succeed("curl --fail http://localhost:3001/") + ''; +}) diff --git a/nixos/tests/web-apps/healthchecks.nix b/nixos/tests/web-apps/healthchecks.nix index 41374f5e314bb..41c40cd5dd8d4 100644 --- a/nixos/tests/web-apps/healthchecks.nix +++ b/nixos/tests/web-apps/healthchecks.nix @@ -33,10 +33,10 @@ import ../make-test-python.nix ({ lib, pkgs, ... }: { ) with subtest("Manage script works"): - # Should fail if not called by healthchecks user - machine.fail("echo 'print(\"foo\")' | healthchecks-manage help") - # "shell" sucommand should succeed, needs python in PATH. assert "foo\n" == machine.succeed("echo 'print(\"foo\")' | sudo -u healthchecks healthchecks-manage shell") + + # Shouldn't fail if not called by healthchecks user + assert "foo\n" == machine.succeed("echo 'print(\"foo\")' | healthchecks-manage shell") ''; }) diff --git a/nixos/tests/wine.nix b/nixos/tests/wine.nix index 8a64c3179c518..7cbe7ac94f1e7 100644 --- a/nixos/tests/wine.nix +++ b/nixos/tests/wine.nix @@ -44,5 +44,8 @@ in listToAttrs ( map (makeWineTest "winePackages" [ hello32 ]) variants ++ optionals pkgs.stdenv.is64bit - (map (makeWineTest "wineWowPackages" [ hello32 hello64 ]) variants) + (map (makeWineTest "wineWowPackages" [ hello32 hello64 ]) + # This wayland combination times out after spending many hours. + # https://hydra.nixos.org/job/nixos/trunk-combined/nixos.tests.wine.wineWowPackages-wayland.x86_64-linux + (pkgs.lib.remove "wayland" variants)) ) |