Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2305.section.xml | 16 | ||||
-rw-r--r-- | nixos/doc/manual/man-nixos-rebuild.xml | 6 | ||||
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2305.section.md | 4 | ||||
-rw-r--r-- | nixos/modules/services/amqp/activemq/default.nix | 25 | ||||
-rw-r--r-- | nixos/modules/services/hardware/throttled.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/networking/blocky.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/networking/dhcpcd.nix | 9 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/mastodon.nix | 24 | ||||
-rwxr-xr-x | nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py | 21 | ||||
-rw-r--r-- | nixos/modules/system/boot/modprobe.nix | 2 | ||||
-rw-r--r-- | nixos/modules/virtualisation/qemu-vm.nix | 4 | ||||
-rw-r--r-- | nixos/tests/kernel-generic.nix | 1 | ||||
-rw-r--r-- | nixos/tests/pantheon.nix | 11 | ||||
-rw-r--r-- | nixos/tests/systemd-boot.nix | 4 |
14 files changed, 90 insertions, 44 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml index a657e751eee97..8613bf8b03ba2 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml @@ -350,6 +350,15 @@ </listitem> <listitem> <para> + The <literal>--target-host</literal> and + <literal>--build-host</literal> options of + <literal>nixos-rebuild</literal> no longer treat the + <literal>localhost</literal> value specially – to build + on/deploy to local machine, omit the relevant flag. + </para> + </listitem> + <listitem> + <para> The <literal>nix.readOnlyStore</literal> option has been renamed to <literal>boot.readOnlyNixStore</literal> to clarify that it configures the NixOS boot process, not the Nix daemon. @@ -534,6 +543,13 @@ </listitem> <listitem> <para> + <literal>services.dhcpcd</literal> service now don’t solicit + or accept IPv6 Router Advertisements on interfaces that use + static IPv6 addresses. + </para> + </listitem> + <listitem> + <para> The module <literal>services.headscale</literal> was refactored to be compliant with <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC diff --git a/nixos/doc/manual/man-nixos-rebuild.xml b/nixos/doc/manual/man-nixos-rebuild.xml index c80bfaaf51a41..bf0f4aafa1429 100644 --- a/nixos/doc/manual/man-nixos-rebuild.xml +++ b/nixos/doc/manual/man-nixos-rebuild.xml 
@@ -583,15 +583,15 @@ <listitem> <para> Specifies the NixOS target host. By setting this to something other than - <replaceable>localhost</replaceable>, the system activation will happen + an empty string, the system activation will happen on the remote host instead of the local machine. The remote host needs to be accessible over ssh, and for the commands <option>switch</option>, <option>boot</option> and <option>test</option> you need root access. </para> <para> - If <option>--build-host</option> is not explicitly specified, building - will take place locally. + If <option>--build-host</option> is not explicitly specified or empty, + building will take place locally. </para> <para> diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md index 19c559b0b55a9..b950691c24058 100644 --- a/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/nixos/doc/manual/release-notes/rl-2305.section.md @@ -85,6 +85,8 @@ In addition to numerous new and upgraded packages, this release has the followin - In `mastodon` it is now necessary to specify location of file with `PostgreSQL` database password. In `services.mastodon.database.passwordFile` parameter default value `/var/lib/mastodon/secrets/db-password` has been changed to `null`. +- The `--target-host` and `--build-host` options of `nixos-rebuild` no longer treat the `localhost` value specially – to build on/deploy to local machine, omit the relevant flag. + - The `nix.readOnlyStore` option has been renamed to `boot.readOnlyNixStore` to clarify that it configures the NixOS boot process, not the Nix daemon. - Deprecated `xlibsWrapper` transitional package has been removed in favour of direct use of its constitutents: `xorg.libX11`, `freetype` and others. 
@@ -137,6 +139,8 @@ In addition to numerous new and upgraded packages, this release has the followin - `services.chronyd` is now started with additional systemd sandbox/hardening options for better security. +- `services.dhcpcd` service now don't solicit or accept IPv6 Router Advertisements on interfaces that use static IPv6 addresses. + - The module `services.headscale` was refactored to be compliant with [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md). To be precise, this means that the following things have changed: - Most settings has been migrated under [services.headscale.settings](#opt-services.headscale.settings) which is an attribute-set that diff --git a/nixos/modules/services/amqp/activemq/default.nix b/nixos/modules/services/amqp/activemq/default.nix index bd37fe3b55742..b1f9b7a3bb1fb 100644 --- a/nixos/modules/services/amqp/activemq/default.nix +++ b/nixos/modules/services/amqp/activemq/default.nix @@ -7,20 +7,19 @@ let cfg = config.services.activemq; - activemqBroker = stdenv.mkDerivation { - name = "activemq-broker"; - phases = [ "installPhase" ]; - buildInputs = [ jdk ]; - installPhase = '' - mkdir -p $out/lib - source ${activemq}/lib/classpath.env - export CLASSPATH - ln -s "${./ActiveMQBroker.java}" ActiveMQBroker.java - javac -d $out/lib ActiveMQBroker.java - ''; - }; + activemqBroker = runCommand "activemq-broker" + { + nativeBuildInputs = [ jdk ]; + } '' + mkdir -p $out/lib + source ${activemq}/lib/classpath.env + export CLASSPATH + ln -s "${./ActiveMQBroker.java}" ActiveMQBroker.java + javac -d $out/lib ActiveMQBroker.java + ''; -in { +in +{ options = { services.activemq = { diff --git a/nixos/modules/services/hardware/throttled.nix b/nixos/modules/services/hardware/throttled.nix index 99735ff6519d5..2d801a7e838ff 100644 --- a/nixos/modules/services/hardware/throttled.nix +++ b/nixos/modules/services/hardware/throttled.nix 
@@ -22,10 +22,10 @@ in { # The upstream package has this in Install, but that's not enough, see the NixOS manual systemd.services.lenovo_fix.wantedBy = [ "multi-user.target" ]; - environment.etc."lenovo_fix.conf".source = + environment.etc."throttled.conf".source = if cfg.extraConfig != "" - then pkgs.writeText "lenovo_fix.conf" cfg.extraConfig - else "${pkgs.throttled}/etc/lenovo_fix.conf"; + then pkgs.writeText "throttled.conf" cfg.extraConfig + else "${pkgs.throttled}/etc/throttled.conf"; # Kernel 5.9 spams warnings whenever userspace writes to CPU MSRs. # See https://github.com/erpalma/throttled/issues/215 diff --git a/nixos/modules/services/networking/blocky.nix b/nixos/modules/services/networking/blocky.nix index 9714485456161..30a41fa6a421d 100644 --- a/nixos/modules/services/networking/blocky.nix +++ b/nixos/modules/services/networking/blocky.nix @@ -31,6 +31,7 @@ in serviceConfig = { DynamicUser = true; ExecStart = "${pkgs.blocky}/bin/blocky --config ${configFile}"; + Restart = "on-failure"; AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; diff --git a/nixos/modules/services/networking/dhcpcd.nix b/nixos/modules/services/networking/dhcpcd.nix index ac5d45a65e3b8..9a0b29fbe5a7f 100644 --- a/nixos/modules/services/networking/dhcpcd.nix +++ b/nixos/modules/services/networking/dhcpcd.nix @@ -33,6 +33,13 @@ let (if !config.networking.useDHCP && enableDHCP then map (i: i.name) (filter (i: i.useDHCP == true) interfaces) else null); + staticIPv6Addresses = map (i: i.name) (filter (i: i.ipv6.addresses != [ ]) interfaces); + + noIPv6rs = concatStringsSep "\n" (map (name: '' + interface ${name} + noipv6rs + '') staticIPv6Addresses); + # Config file adapted from the one that ships with dhcpcd. dhcpcdConf = pkgs.writeText "dhcpcd.conf" '' @@ -75,6 +82,8 @@ let ''} ${cfg.extraConfig} + + ${optionalString config.networking.enableIPv6 noIPv6rs} ''; exitHook = pkgs.writeText "dhcpcd.exit-hook" 
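Review bot: The rename from `/etc/lenovo_fix.conf` to `/etc/throttled.conf` is a user-visible path change, yet the release-note hunks in this commit do not mention it, and the unit is still called `lenovo_fix.service`, so anyone who referenced the old file (or used `extraConfig` expecting it at the old path) gets no hint where it went. A one-line entry next to the other 23.05 notes would cover it: `- services.throttled now writes its configuration to /etc/throttled.conf instead of /etc/lenovo_fix.conf.` Whether the packaged daemon itself still falls back to the old name is not visible here and should be confirmed against `pkgs.throttled`.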
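Review bot: `staticIPv6Addresses` holds interface names, not addresses, which makes the `map (name: ...)` below read oddly; `staticIPv6Interfaces = map (i: i.name) (filter (i: i.ipv6.addresses != [ ]) interfaces);` says what it is. Emitting the `interface ${name}` / `noipv6rs` blocks after `${cfg.extraConfig}` is the right order, since every directive after an `interface` line in dhcpcd.conf is scoped to that interface, but it also means nothing a user puts in `extraConfig` can re-enable RA on an interface that has a static address (for example one that still takes its default route from RA); consider an explicit per-interface opt-out, or at least a comment on `noIPv6rs` stating that it is deliberately last and not overridable. The `interfaces` list and the surrounding `let` start outside this hunk, so whether it already excludes interfaces dhcpcd is told to ignore cannot be confirmed from here.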
diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix index cc30896c80bd0..1b6e1ac583af2 100644 --- a/nixos/modules/services/web-apps/mastodon.nix +++ b/nixos/modules/services/web-apps/mastodon.nix @@ -94,11 +94,14 @@ let ] else [] ) env)))); - mastodonTootctl = pkgs.writeShellScriptBin "mastodon-tootctl" '' + mastodonTootctl = let + sourceExtraEnv = lib.concatMapStrings (p: "source ${p}\n") cfg.extraEnvFiles; + in pkgs.writeShellScriptBin "mastodon-tootctl" '' set -a export RAILS_ROOT="${cfg.package}" source "${envFile}" source /var/lib/mastodon/.secrets_env + ${sourceExtraEnv} sudo=exec if [[ "$USER" != ${cfg.user} ]]; then @@ -427,6 +430,15 @@ in { ''; }; + extraEnvFiles = lib.mkOption { + type = with lib.types; listOf path; + default = []; + description = lib.mdDoc '' + Extra environment files to pass to all mastodon services. Useful for passing down environemntal secrets. + ''; + example = [ "/etc/mastodon/s3config.env" ]; + }; + automaticMigrations = lib.mkOption { type = lib.types.bool; default = true; @@ -579,7 +591,7 @@ in { }; serviceConfig = { Type = "oneshot"; - EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ]; + EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ] ++ cfg.extraEnvFiles; WorkingDirectory = cfg.package; # System Call Filtering SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ])) "@chown" "pipe" "pipe2" ]; @@ -607,7 +619,7 @@ in { ExecStart = "${cfg.package}/run-streaming.sh"; Restart = "always"; RestartSec = 20; - EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ]; + EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ] ++ cfg.extraEnvFiles; WorkingDirectory = cfg.package; # Runtime directory and mode RuntimeDirectory = "mastodon-streaming"; 
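Review bot: `extraEnvFiles` is declared as `listOf path`, so a Nix path literal such as `./s3config.env` is copied into the world-readable Nix store at evaluation time and any secret in it becomes readable by every local user; the example only avoids that because `"/etc/mastodon/s3config.env"` is a string. Since the option exists "for passing down environmental secrets", either type it `listOf str` (consistent with how `/var/lib/mastodon/.secrets_env` is referenced on the same lines) or state the restriction in the description, which also misspells "environemntal": `Extra environment files passed to all Mastodon services via EnvironmentFile= and sourced by mastodon-tootctl. Use absolute path strings outside the Nix store, never path literals, so secrets are not copied into the world-readable store.` Note too that `mastodon-tootctl` reads these files with `source` under `set -a` while systemd parses the same files as EnvironmentFile=, so values containing shell metacharacters or quotes may be interpreted differently by the two readers — worth a sentence in the description if that is accepted.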
@@ -634,7 +646,7 @@ in { ExecStart = "${cfg.package}/bin/puma -C config/puma.rb"; Restart = "always"; RestartSec = 20; - EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ]; + EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ] ++ cfg.extraEnvFiles; WorkingDirectory = cfg.package; # Runtime directory and mode RuntimeDirectory = "mastodon-web"; @@ -662,7 +674,7 @@ in { ExecStart = "${cfg.package}/bin/sidekiq -c ${toString cfg.sidekiqThreads} -r ${cfg.package}"; Restart = "always"; RestartSec = 20; - EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ]; + EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ] ++ cfg.extraEnvFiles; WorkingDirectory = cfg.package; # System Call Filtering SystemCallFilter = [ ("~" + lib.concatStringsSep " " systemCallsList) "@chown" "pipe" "pipe2" ]; @@ -675,7 +687,7 @@ in { environment = env; serviceConfig = { Type = "oneshot"; - EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ]; + EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ] ++ cfg.extraEnvFiles; } // cfgService; script = let olderThanDays = toString cfg.mediaAutoRemove.olderThanDays; diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py index 6741e9d8452bc..3e3683211f1e0 100755 --- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py +++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py 
@@ -242,20 +242,21 @@ def main() -> None: warnings.warn("NIXOS_INSTALL_GRUB env var deprecated, use NIXOS_INSTALL_BOOTLOADER", DeprecationWarning) os.environ["NIXOS_INSTALL_BOOTLOADER"] = "1" + # flags to pass to bootctl install/update + bootctl_flags = [] + + if "@canTouchEfiVariables@" != "1": + bootctl_flags.append("--no-variables") + + if "@graceful@" == "1": + bootctl_flags.append("--graceful") + if os.getenv("NIXOS_INSTALL_BOOTLOADER") == "1": # bootctl uses fopen() with modes "wxe" and fails if the file exists. if os.path.exists("@efiSysMountPoint@/loader/loader.conf"): os.unlink("@efiSysMountPoint@/loader/loader.conf") - flags = [] - - if "@canTouchEfiVariables@" != "1": - flags.append("--no-variables") - - if "@graceful@" == "1": - flags.append("--graceful") - - subprocess.check_call(["@systemd@/bin/bootctl", "--esp-path=@efiSysMountPoint@"] + flags + ["install"]) + subprocess.check_call(["@systemd@/bin/bootctl", "--esp-path=@efiSysMountPoint@"] + bootctl_flags + ["install"]) else: # Update bootloader to latest if needed available_out = subprocess.check_output(["@systemd@/bin/bootctl", "--version"], universal_newlines=True).split()[2] @@ -284,7 +285,7 @@ def main() -> None: print("skipping systemd-boot update to %s because of known regression" % available_version) else: print("updating systemd-boot from %s to %s" % (installed_version, available_version)) - subprocess.check_call(["@systemd@/bin/bootctl", "--esp-path=@efiSysMountPoint@", "update"]) + subprocess.check_call(["@systemd@/bin/bootctl", "--esp-path=@efiSysMountPoint@"] + bootctl_flags + ["update"]) mkdir_p("@efiSysMountPoint@/efi/nixos") mkdir_p("@efiSysMountPoint@/loader/entries") diff --git a/nixos/modules/system/boot/modprobe.nix b/nixos/modules/system/boot/modprobe.nix index 54bb7ea9ddd76..d751c4462d3f1 100644 --- a/nixos/modules/system/boot/modprobe.nix +++ b/nixos/modules/system/boot/modprobe.nix 
@@ -7,7 +7,7 @@ with lib; ###### interface options = { - boot.modprobeConfig.enable = mkEnableOption (lib.mdDoc "modprobe config. This is useful for systemds like containers which do not require a kernel.") // { + boot.modprobeConfig.enable = mkEnableOption (lib.mdDoc "modprobe config. This is useful for systems like containers which do not require a kernel") // { default = true; }; diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index 4520408ca3379..06210529eb8c4 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -211,7 +211,7 @@ let '' mkdir $out diskImage=$out/disk.img - ${qemu}/bin/qemu-img create -f qcow2 $diskImage "60M" + ${qemu}/bin/qemu-img create -f qcow2 $diskImage "120M" ${if cfg.useEFIBoot then '' efiVars=$out/efi-vars.fd cp ${cfg.efi.variables} $efiVars @@ -225,7 +225,7 @@ let + " -drive if=pflash,format=raw,unit=1,file=$efiVars"); } '' - # Create a /boot EFI partition with 60M and arbitrary but fixed GUIDs for reproducibility + # Create a /boot EFI partition with 120M and arbitrary but fixed GUIDs for reproducibility ${pkgs.gptfdisk}/bin/sgdisk \ --set-alignment=1 --new=1:34:2047 --change-name=1:BIOSBootPartition --typecode=1:ef02 \ --set-alignment=512 --largest-new=2 --change-name=2:EFISystem --typecode=2:ef00 \ diff --git a/nixos/tests/kernel-generic.nix b/nixos/tests/kernel-generic.nix index ae3d47a49bd31..3e74554de3396 100644 --- a/nixos/tests/kernel-generic.nix +++ b/nixos/tests/kernel-generic.nix @@ -30,7 +30,6 @@ let linux_5_4_hardened linux_5_10_hardened linux_5_15_hardened - linux_6_0_hardened linux_6_1_hardened linux_testing; diff --git a/nixos/tests/pantheon.nix b/nixos/tests/pantheon.nix index 52f85f5c07da8..0773fc0472aa3 100644 --- a/nixos/tests/pantheon.nix +++ b/nixos/tests/pantheon.nix 
@@ -20,8 +20,8 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : enableOCR = true; testScript = { nodes, ... }: let - user = nodes.machine.config.users.users.alice; - bob = nodes.machine.config.users.users.bob; + user = nodes.machine.users.users.alice; + bob = nodes.machine.users.users.bob; in '' machine.wait_for_unit("display-manager.service") @@ -40,7 +40,6 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : with subtest("Check that logging in has given the user ownership of devices"): machine.succeed("getfacl -p /dev/snd/timer | grep -q ${user.name}") - # TODO: DBus API could eliminate this? Pantheon uses Bamf. with subtest("Check if pantheon session components actually start"): machine.wait_until_succeeds("pgrep gala") machine.wait_for_window("gala") @@ -49,6 +48,12 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : machine.wait_until_succeeds("pgrep plank") machine.wait_for_window("plank") + with subtest("Open system settings"): + machine.execute("su - ${user.name} -c 'DISPLAY=:0 io.elementary.switchboard >&2 &'") + # Wait for all plugins to be loaded before we check if the window is still there. + machine.sleep(5) + machine.wait_for_window("io.elementary.switchboard") + with subtest("Open elementary terminal"): machine.execute("su - ${user.name} -c 'DISPLAY=:0 io.elementary.terminal >&2 &'") machine.wait_for_window("io.elementary.terminal") diff --git a/nixos/tests/systemd-boot.nix b/nixos/tests/systemd-boot.nix index 039e6bdd9d5ab..94e269ff37bb8 100644 --- a/nixos/tests/systemd-boot.nix +++ b/nixos/tests/systemd-boot.nix 
@@ -101,13 +101,13 @@ in # Replace version inside sd-boot with something older. See magic[] string in systemd src/boot/efi/boot.c machine.succeed( """ - find /boot -iname '*.efi' -print0 | \ + find /boot -iname '*boot*.efi' -print0 | \ xargs -0 -I '{}' sed -i 's/#### LoaderInfo: systemd-boot .* ####/#### LoaderInfo: systemd-boot 000.0-1-notnixos ####/' '{}' """ ) output = machine.succeed("/run/current-system/bin/switch-to-configuration boot") - assert "updating systemd-boot from (000.0-1-notnixos) to " in output + assert "updating systemd-boot from 000.0-1-notnixos to " in output ''; }; |