Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2311.section.md | 16 | ||||
-rw-r--r-- | nixos/modules/config/console.nix | 3 | ||||
-rw-r--r-- | nixos/modules/image/repart.nix | 3 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/databases/postgresql.nix | 22 | ||||
-rw-r--r-- | nixos/modules/services/hardware/tlp.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/hardware/tuxedo-rs.nix | 49 | ||||
-rw-r--r-- | nixos/modules/services/security/usbguard.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/netbox.nix | 13 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 30 | ||||
-rw-r--r-- | nixos/modules/system/boot/networkd.nix | 8 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd.nix | 1 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd/initrd.nix | 1 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 4 | ||||
-rw-r--r-- | nixos/tests/web-apps/netbox-upgrade.nix | 10 | ||||
-rw-r--r-- | nixos/tests/web-apps/netbox.nix | 1 |
16 files changed, 146 insertions, 22 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md index b5a1986b7a3e8..123242926e2ab 100644 --- a/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixos/doc/manual/release-notes/rl-2311.section.md @@ -10,6 +10,12 @@ - The `nixos-rebuild` command has been given a `list-generations` subcommand. See `man nixos-rebuild` for more details. +- [systemd](https://systemd.io) has been updated from v253 to v254, see [the release notes](https://github.com/systemd/systemd/blob/v254/NEWS#L3-L659) for more information on the changes. + - `boot.resumeDevice` **must be specified** when hibernating if not in EFI mode. + - systemd may warn your system about the permissions of your ESP partition (often `/boot`), this warning can be ignored for now, we are looking + into a satisfying solution regarding this problem. + - Updating with `nixos-rebuild boot` and rebooting is recommended, since in some rare cases the `nixos-rebuild switch` into the new generation on a live system might fail due to missing mount units. + - [`sudo-rs`], a reimplementation of `sudo` in Rust, is now supported. An experimental new module `security.sudo-rs` was added. Switching to it (via `security.sudo.enable = false; security.sudo-rs.enable = true;`) introduces @@ -20,7 +26,6 @@ [`sudo-rs`]: https://github.com/memorysafety/sudo-rs/ - ## New Services {#sec-release-23.11-new-services} - [MCHPRS](https://github.com/MCHPR/MCHPRS), a multithreaded Minecraft server built for redstone. Available as [services.mchprs](#opt-services.mchprs.enable). 
@@ -80,6 +85,8 @@ - [NNCP](http://www.nncpgo.org/). Added nncp-daemon and nncp-caller services. Configuration is set with [programs.nncp.settings](#opt-programs.nncp.settings) and the daemons are enabled at [services.nncp](#opt-services.nncp.caller.enable). +- [tuxedo-rs](https://github.com/AaronErhardt/tuxedo-rs), Rust utilities for interacting with hardware from TUXEDO Computers. + ## Backward Incompatibilities {#sec-release-23.11-incompatibilities} - The `boot.loader.raspberryPi` options have been marked deprecated, with intent for removal for NixOS 24.11. They had a limited use-case, and do not work like people expect. They required either very old installs ([before mid-2019](https://github.com/NixOS/nixpkgs/pull/62462)) or customized builds out of scope of the standard and generic AArch64 support. That option set never supported the Raspberry Pi 4 family of devices. @@ -112,6 +119,9 @@ - The `services.ananicy.extraRules` option now has the type of `listOf attrs` instead of `string`. +- `buildVimPluginFrom2Nix` has been renamed to `buildVimPlugin`, which now + now skips `configurePhase` and `buildPhase` + - JACK tools (`jack_*` except `jack_control`) have moved from the `jack2` package to `jack-example-tools` - The `matrix-synapse` package & module have undergone some significant internal changes, for most setups no intervention is needed, though: 
@@ -121,6 +131,8 @@ - A list of all extras (and the extras enabled by default) can be found at the [option's reference for `services.matrix-synapse.extras`](#opt-services.matrix-synapse.extras). - In some cases (e.g. for running synapse workers) it was necessary to re-use the `PYTHONPATH` of `matrix-synapse.service`'s environment to have all plugins available. This isn't necessary anymore, instead `config.services.matrix-synapse.package` can be used as it points to the wrapper with properly configured `extras` and also all plugins defined via [`services.matrix-synapse.plugins`](#opt-services.matrix-synapse.plugins) available. This is also the reason for why the option is read-only now, it's supposed to be set by the module only. +- `netbox` was updated to 3.6. NixOS' `services.netbox.package` still defaults to 3.5 if `stateVersion` is earlier than 23.11. Please review upstream's breaking changes [for 3.6.0](https://github.com/netbox-community/netbox/releases/tag/v3.6.0) and upgrade NetBox by changing `services.netbox.package`. Database migrations will be run automatically. + - `etcd` has been updated to 3.5, you will want to read the [3.3 to 3.4](https://etcd.io/docs/v3.5/upgrades/upgrade_3_4/) and [3.4 to 3.5](https://etcd.io/docs/v3.5/upgrades/upgrade_3_5/) upgrade guides - `gitlab` installations created or updated between versions \[15.11.0, 15.11.2] have an incorrect database schema. This will become a problem when upgrading to `gitlab` >=16.2.0. A workaround for affected users can be found in the [GitLab docs](https://docs.gitlab.com/ee/update/versions/gitlab_16_changes.html#undefined-column-error-upgrading-to-162-or-later). 
@@ -259,6 +271,8 @@ - New options were added to `services.searx` for better SearXNG support, including options for the built-in rate limiter and bot protection and automatically configuring a local redis server. +- `jq` was updated to 1.7, its [first release in 5 years](https://github.com/jqlang/jq/releases/tag/jq-1.7). + - A new option was added to the virtualisation module that enables specifying explicitly named network interfaces in QEMU VMs. The existing `virtualisation.vlans` is still supported for cases where the name of the network interface is irrelevant. - DocBook option documentation is no longer supported, all module documentation now uses markdown. diff --git a/nixos/modules/config/console.nix b/nixos/modules/config/console.nix index 1e8bb78f302d6..d06ec0051c4d6 100644 --- a/nixos/modules/config/console.nix +++ b/nixos/modules/config/console.nix @@ -168,6 +168,9 @@ in # ...but only the keymaps if we don't "/etc/kbd/keymaps" = lib.mkIf (!cfg.earlySetup) { source = "${consoleEnv config.boot.initrd.systemd.package.kbd}/share/keymaps"; }; }; + boot.initrd.systemd.additionalUpstreamUnits = [ + "systemd-vconsole-setup.service" + ]; boot.initrd.systemd.storePaths = [ "${config.boot.initrd.systemd.package}/lib/systemd/systemd-vconsole-setup" "${config.boot.initrd.systemd.package.kbd}/bin/setfont" diff --git a/nixos/modules/image/repart.nix b/nixos/modules/image/repart.nix index 4a0021e9a56e5..e567485c9d342 100644 --- a/nixos/modules/image/repart.nix +++ b/nixos/modules/image/repart.nix @@ -188,6 +188,7 @@ in nativeBuildInputs = [ cfg.package pkgs.fakeroot + pkgs.util-linux ] ++ fileSystemTools; } '' amendedRepartDefinitions=$(${amendRepartDefinitions} ${partitions} ${definitionsDirectory}) @@ -195,7 +196,7 @@ in mkdir -p $out cd $out - fakeroot systemd-repart \ + unshare --map-root-user fakeroot systemd-repart \ --dry-run=no \ --empty=create \ --size=auto \ 
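Review bot: The repart hunk gives no reason for adding `unshare --map-root-user` in front of a call that already runs under fakeroot, and the two tools overlap; presumably systemd-repart in v254 checks for a real uid 0 (or something fakeroot's LD_PRELOAD shim cannot fake) — confirm and record it, e.g. `# systemd-repart (v254+) needs to see uid 0; fakeroot alone is not enough, so run it in a user namespace` above the call. Unprivileged user namespaces are not available in every build environment (a sandbox that forbids them, or a kernel with them disabled), so the build now fails there with an `unshare` error rather than falling back to plain fakeroot; naming that requirement in the comment saves the next person a bisect. The builder script continues outside the hunk.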
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 54fd5c7b04031..cbd5e6467f821 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -541,6 +541,7 @@
 ./services/hardware/tlp.nix
 ./services/hardware/trezord.nix
 ./services/hardware/triggerhappy.nix
+./services/hardware/tuxedo-rs.nix
 ./services/hardware/udev.nix
 ./services/hardware/udisks2.nix
 ./services/hardware/undervolt.nix
diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
index 0acaf0fd00a67..7b30360590ec6 100644
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -106,12 +106,14 @@ in
 identMap = mkOption {
 type = types.lines;
 default = "";
+example = literalExample ''
+map-name-0 system-username-0 database-username-0
+map-name-1 system-username-1 database-username-1
+'';
 description = lib.mdDoc ''
 Defines the mapping from system users to database users.
-The general form is:
-
-map-name system-username database-username
+See the [auth doc](https://postgresql.org/docs/current/auth-username-maps.html).
 '';
 };
@@ -128,6 +130,11 @@ in
 initialScript = mkOption {
 type = types.nullOr types.path;
 default = null;
+example = literalExpression ''
+pkgs.writeText "init-sql-script" '''
+alter user postgres with password 'myPassword';
+''';'';
+
 description = lib.mdDoc ''
 A file containing SQL statements to execute on first startup.
 '';
@@ -464,13 +471,16 @@ in
 services.postgresql.dataDir = mkDefault "/var/lib/postgresql/${cfg.package.psqlSchema}";
-services.postgresql.authentication = mkAfter
+services.postgresql.authentication = mkMerge [
+(mkBefore "# Generated file; do not edit!")
+(mkAfter ''
-# Generated file; do not edit!
+# default value of services.postgresql.authentication
 local all all peer
 host all all 127.0.0.1/32 md5
 host all all ::1/128 md5
-'';
+'')
+];
 users.users.postgres = {
 name = "postgres";
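Review bot: The new `initialScript` example writes a role password with `pkgs.writeText`, which puts it into the world-readable Nix store, and examples tend to be copied verbatim; either pick an example without a password or add to the description `Note that the contents of this file end up in the Nix store, which is world-readable; do not put passwords or other secrets in it.`. In the same hunk the `identMap` example is wrapped in `literalExample`, which I believe is the deprecated alias that emits an evaluation warning, while `initialScript` uses `literalExpression`; since the option is `types.lines`, the example can simply be the multi-line string itself with no wrapper. The `mkBefore`/`mkAfter` split of `authentication` looks correct, and the `md5` defaults on the loopback lines are pre-existing context, not part of this change.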
diff --git a/nixos/modules/services/hardware/tlp.nix b/nixos/modules/services/hardware/tlp.nix
index d2cc7c661c693..cad510e571cb2 100644
--- a/nixos/modules/services/hardware/tlp.nix
+++ b/nixos/modules/services/hardware/tlp.nix
@@ -65,7 +65,7 @@ in
 "tlp.conf".text = (mkTlpConfig cfg.settings) + cfg.extraConfig;
 } // optionalAttrs enableRDW {
 "NetworkManager/dispatcher.d/99tlp-rdw-nm".source =
-"${tlp}/etc/NetworkManager/dispatcher.d/99tlp-rdw-nm";
+"${tlp}/usr/lib/NetworkManager/dispatcher.d/99tlp-rdw-nm";
 };
 environment.systemPackages = [ tlp ];
diff --git a/nixos/modules/services/hardware/tuxedo-rs.nix b/nixos/modules/services/hardware/tuxedo-rs.nix
new file mode 100644
index 0000000000000..343f6845fabbd
--- /dev/null
+++ b/nixos/modules/services/hardware/tuxedo-rs.nix
@@ -0,0 +1,49 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+cfg = config.hardware.tuxedo-rs;
+
+in
+{
+options = {
+hardware.tuxedo-rs = {
+enable = mkEnableOption (lib.mdDoc "Rust utilities for interacting with hardware from TUXEDO Computers.");
+
+tailor-gui.enable = mkEnableOption (lib.mdDoc "Alternative to TUXEDO Control Center, written in Rust.");
+};
+};
+
+config = mkIf cfg.enable (mkMerge [
+{
+hardware.tuxedo-keyboard.enable = true;
+
+systemd = {
+services.tailord = {
+enable = true;
+description = "Tuxedo Tailor hardware control service";
+after = [ "systemd-logind.service" ];
+wantedBy = [ "multi-user.target" ];
+
+serviceConfig = {
+Type = "dbus";
+BusName = "com.tux.Tailor";
+ExecStart = "${pkgs.tuxedo-rs}/bin/tailord";
+Environment = "RUST_BACKTRACE=1";
+Restart = "on-failure";
+};
+};
+};
+
+services.dbus.packages = [ pkgs.tuxedo-rs ];
+
+environment.systemPackages = [ pkgs.tuxedo-rs ];
+}
+(mkIf cfg.tailor-gui.enable {
+environment.systemPackages = [ pkgs.tailor-gui ];
+})
+]);
+
+meta.maintainers = with maintainers; [ mrcjkb ];
+}
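Review bot: The new `tailord` unit runs as root with no sandboxing directives at all in its `serviceConfig`; a D-Bus-activated hardware daemon reachable from the session bus is a place where at least `ProtectHome = true;`, `PrivateTmp = true;` and `NoNewPrivileges = true;` cost nothing, and `ProtectSystem = "strict"` with a `ReadWritePaths` list once the daemon's state and sysfs write locations are known — I can't tell from this hunk what tailord writes, so confirm against upstream before adding the stricter ones. `Environment = "RUST_BACKTRACE=1"` is a debugging setting that fills the journal with backtraces on every panic; if it is intentional a one-line comment saying so would help. `enable = true;` on the unit is the default and can be dropped, and whether `BusName = "com.tux.Tailor"` matches the name the daemon actually claims is only checkable against the D-Bus policy shipped in `pkgs.tuxedo-rs`, which is not shown here.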
diff --git a/nixos/modules/services/security/usbguard.nix b/nixos/modules/services/security/usbguard.nix
index 483bfe046df2f..071e699751434 100644
--- a/nixos/modules/services/security/usbguard.nix
+++ b/nixos/modules/services/security/usbguard.nix
@@ -51,8 +51,8 @@ in
 ruleFile = mkOption {
 type = types.nullOr types.path;
-default = /var/lib/usbguard/rules.conf;
-example = /run/secrets/usbguard-rules;
+default = "/var/lib/usbguard/rules.conf";
+example = "/run/secrets/usbguard-rules";
 description = lib.mdDoc ''
 This tells the USBGuard daemon which file to load as policy rule set.
diff --git a/nixos/modules/services/web-apps/netbox.nix b/nixos/modules/services/web-apps/netbox.nix
index 6d89ffc2a7b70..8ba1852848e5b 100644
--- a/nixos/modules/services/web-apps/netbox.nix
+++ b/nixos/modules/services/web-apps/netbox.nix
@@ -74,9 +74,18 @@ in {
 package = lib.mkOption {
 type = lib.types.package;
-default = if lib.versionAtLeast config.system.stateVersion "23.05" then pkgs.netbox else pkgs.netbox_3_3;
+default =
+if lib.versionAtLeast config.system.stateVersion "23.11"
+then pkgs.netbox_3_6
+else if lib.versionAtLeast config.system.stateVersion "23.05"
+then pkgs.netbox_3_5
+else pkgs.netbox_3_3;
 defaultText = lib.literalExpression ''
-if versionAtLeast config.system.stateVersion "23.05" then pkgs.netbox else pkgs.netbox_3_3;
+if lib.versionAtLeast config.system.stateVersion "23.11"
+then pkgs.netbox_3_6
+else if lib.versionAtLeast config.system.stateVersion "23.05"
+then pkgs.netbox_3_5
+else pkgs.netbox_3_3;
 '';
 description = lib.mdDoc ''
 NetBox package to use.
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 7a7fb4061eea5..62e0a8940e2c4 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
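Review bot: Turning `default` and `example` into strings is the right fix, but `type = types.nullOr types.path` still accepts a Nix path literal, so a user who kept the old example form (`ruleFile = /run/secrets/usbguard-rules;`) can still get the rule file copied into the world-readable Nix store the moment the module interpolates it into a string — exactly what this change is avoiding, and silently so. The description should say it, e.g. `Use a string, not a path literal: a path literal is copied into the Nix store, which is world-readable.`; alternatively narrow the type to `types.nullOr types.str` if nothing relies on passing a store path. The option's description continues outside the hunk, so the sentence may fit better at its end.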
@@ -146,6 +146,10 @@ let
 error_log ${cfg.logError};
 daemon off;
+${optionalString cfg.enableQuicBPF ''
+quic_bpf on;
+''}
+
 ${cfg.config}
 ${optionalString (cfg.eventsConfig != "" || cfg.config == "") ''
@@ -783,6 +787,19 @@ in
 '';
 };
+enableQuicBPF = mkOption {
+default = false;
+type = types.bool;
+description = lib.mdDoc ''
+Enables routing of QUIC packets using eBPF. When enabled, this allows
+to support QUIC connection migration. The directive is only supported
+on Linux 5.7+.
+Note that enabling this option will make nginx run with extended
+capabilities that are usually limited to processes running as root
+namely `CAP_SYS_ADMIN` and `CAP_NET_ADMIN`.
+'';
+};
+
 user = mkOption {
 type = types.str;
 default = "nginx";
@@ -1126,6 +1143,14 @@ in
 }
 {
+assertion = cfg.package.pname != "nginxQuic" -> !(cfg.enableQuicBPF);
+message = ''
+services.nginx.enableQuicBPF requires using nginxQuic package,
+which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`.
+'';
+}
+
+{
 assertion = cfg.package.pname != "nginxQuic" -> all (host: !host.quic) (attrValues virtualHosts);
 message = ''
 services.nginx.service.virtualHosts.<name>.quic requires using nginxQuic package,
@@ -1224,8 +1249,8 @@ in
 # New file permissions
 UMask = "0027"; # 0640 / 0750
 # Capabilities
-AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
-CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
+AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ] ++ optionals cfg.enableQuicBPF [ "CAP_SYS_ADMIN" "CAP_NET_ADMIN" ];
+CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ] ++ optionals cfg.enableQuicBPF [ "CAP_SYS_ADMIN" "CAP_NET_ADMIN" ];
 # Security
 NoNewPrivileges = true;
 # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
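Review bot: Adding `CAP_SYS_ADMIN` to `CapabilityBoundingSet` and `AmbientCapabilities` hands the whole nginx service — master and every worker handling untrusted client traffic — an effectively root-equivalent capability for the lifetime of the process, not just for the one `bpf()` call, so while `enableQuicBPF` is set most of the sandboxing lines that follow become cosmetic. Since kernel 5.8 the `bpf()` syscall is gated on `CAP_BPF` (plus `CAP_NET_ADMIN` for socket-attached programs) rather than `CAP_SYS_ADMIN`; if the nginxQuic build is happy with `optionals cfg.enableQuicBPF [ "CAP_BPF" "CAP_NET_ADMIN" ]` on the kernels NixOS ships, that is a far smaller grant and worth testing before the option lands — I can't confirm nginx's requirement from here. At minimum the option description in the second hunk should make the scope explicit, e.g. append `These capabilities apply to the whole service, including the worker processes that handle client connections, and substantially weaken the unit's sandbox.`. The description's "this allows to support" also reads awkwardly; "this allows QUIC connection migration to be supported" is cleaner.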
@@ -1250,6 +1275,7 @@ in
 # System Call Filtering
 SystemCallArchitectures = "native";
 SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ]
+ ++ optional cfg.enableQuicBPF [ "bpf" ]
 ++ optionals ((cfg.package != pkgs.tengine) && (cfg.package != pkgs.openresty) && (!lib.any (mod: (mod.disableIPC or false)) cfg.package.modules)) [ "~@ipc" ];
 };
 };
diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix
index 238c6670ea0f8..24bd011fd8b64 100644
--- a/nixos/modules/system/boot/networkd.nix
+++ b/nixos/modules/system/boot/networkd.nix
@@ -799,6 +799,8 @@ let
 "UseAddress"
 "UseDNS"
 "UseNTP"
+"UseHostname"
+"UseDomains"
 "RouteMetric"
 "RapidCommit"
 "MUDURL"
@@ -813,16 +815,20 @@ let
 "DUIDRawData"
 "IAID"
 "UseDelegatedPrefix"
+"SendRelease"
 ])
 (assertValueOneOf "UseAddress" boolValues)
 (assertValueOneOf "UseDNS" boolValues)
 (assertValueOneOf "UseNTP" boolValues)
+(assertValueOneOf "UseHostname" boolValues)
+(assertValueOneOf "UseDomains" (boolValues ++ ["route"]))
 (assertInt "RouteMetric")
 (assertValueOneOf "RapidCommit" boolValues)
 (assertValueOneOf "WithoutRA" ["no" "solicit" "information-request"])
 (assertRange "SendOption" 1 65536)
 (assertInt "IAID")
 (assertValueOneOf "UseDelegatedPrefix" boolValues)
+(assertValueOneOf "SendRelease" boolValues)
 ];
 sectionDHCPPrefixDelegation = checkUnitConfig "DHCPPrefixDelegation" [
@@ -948,10 +954,12 @@ let
 "Prefix"
 "PreferredLifetimeSec"
 "ValidLifetimeSec"
+"Assign"
 "Token"
 ])
 (assertValueOneOf "AddressAutoconfiguration" boolValues)
 (assertValueOneOf "OnLink" boolValues)
+(assertValueOneOf "Assign" boolValues)
 ];
 sectionIPv6RoutePrefix = checkUnitConfig "IPv6RoutePrefix" [
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index b6c3085c4f16f..8e38072b4c6db 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
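Review bot: `++ optional cfg.enableQuicBPF [ "bpf" ]` wraps the list in another list — `lib.optional` takes a single element, so the result is `[ [ "bpf" ] ]`, not `[ "bpf" ]` — while the very next line correctly uses `optionals` for the same pattern; if it appears to work it is only because the unit serializer happens to stringify a nested list as `bpf`. Change it to `++ optionals cfg.enableQuicBPF [ "bpf" ]`. A short comment would also help the next reader, since the intent is not obvious: the `~@privileged` group in the deny line covers `bpf`, and systemd treats a later un-prefixed entry as removing that syscall from the deny list (worth confirming against the systemd.exec text for the shipped version), so `# re-allow bpf(), which ~@privileged denies; needed for quic_bpf` explains why the entry is there at all.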
@@ -48,6 +48,7 @@ let
 "rescue.service"
 # Udev.
+"systemd-tmpfiles-setup-dev-early.service"
 "systemd-udevd-control.socket"
 "systemd-udevd-kernel.socket"
 "systemd-udevd.service"
diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix
index 5d9fca7a605ee..b20b0168e40f1 100644
--- a/nixos/modules/system/boot/systemd/initrd.nix
+++ b/nixos/modules/system/boot/systemd/initrd.nix
@@ -57,7 +57,6 @@ let
 "systemd-ask-password-console.service"
 "systemd-fsck@.service"
 "systemd-halt.service"
-"systemd-hibernate-resume@.service"
 "systemd-journald-audit.socket"
 "systemd-journald-dev-log.socket"
 "systemd-journald.service"
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 9fae33a9b3478..66a6aa252b886 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -531,8 +531,8 @@ in {
 netdata = handleTest ./netdata.nix {};
 networking.networkd = handleTest ./networking.nix { networkd = true; };
 networking.scripted = handleTest ./networking.nix { networkd = false; };
-netbox = handleTest ./web-apps/netbox.nix { inherit (pkgs) netbox; };
-netbox_3_3 = handleTest ./web-apps/netbox.nix { netbox = pkgs.netbox_3_3; };
+netbox_3_5 = handleTest ./web-apps/netbox.nix { netbox = pkgs.netbox_3_5; };
+netbox_3_6 = handleTest ./web-apps/netbox.nix { netbox = pkgs.netbox_3_6; };
 netbox-upgrade = handleTest ./web-apps/netbox-upgrade.nix {};
 # TODO: put in networking.nix after the test becomes more complete
 networkingProxy = handleTest ./networking-proxy.nix {};
diff --git a/nixos/tests/web-apps/netbox-upgrade.nix b/nixos/tests/web-apps/netbox-upgrade.nix
index 602cf8d889d4f..b5403eb678bcb 100644
--- a/nixos/tests/web-apps/netbox-upgrade.nix
+++ b/nixos/tests/web-apps/netbox-upgrade.nix
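Review bot: Removing `systemd-hibernate-resume@.service` from the initrd's upstream unit list without adding anything in its place leaves resume-from-hibernation with no unit in the systemd initrd unless it is wired up elsewhere, which this hunk does not show. My understanding is that systemd v254 replaced the templated unit with a plain `systemd-hibernate-resume.service` driven by `systemd-hibernate-resume-generator`; if that is right, the list should gain `"systemd-hibernate-resume.service"` here, and the release-note line about `boot.resumeDevice` being mandatory outside EFI suggests the generator path is what the module now relies on — confirm which it is and leave a one-line comment at this spot saying where resume is handled, so the removal does not read as a silent regression. The unit list continues outside the hunk.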
@@ -1,13 +1,15 @@
 import ../make-test-python.nix ({ lib, pkgs, ... }: let
-oldNetbox = pkgs.netbox_3_3;
+oldNetbox = pkgs.netbox_3_5;
+newNetbox = pkgs.netbox_3_6;
 in {
 name = "netbox-upgrade";
 meta = with lib.maintainers; {
-maintainers = [ minijackson ];
+maintainers = [ minijackson raitobezarius ];
 };
 nodes.machine = { config, ... }: {
+virtualisation.memorySize = 2048;
 services.netbox = {
 enable = true;
 package = oldNetbox;
@@ -32,7 +34,7 @@ in {
 networking.firewall.allowedTCPPorts = [ 80 ];
-specialisation.upgrade.configuration.services.netbox.package = lib.mkForce pkgs.netbox;
+specialisation.upgrade.configuration.services.netbox.package = lib.mkForce newNetbox;
 };
 testScript = { nodes, ... }:
@@ -43,7 +45,7 @@ in {
 (lib.concatStringsSep ".")
 ];
 oldApiVersion = apiVersion oldNetbox.version;
-newApiVersion = apiVersion pkgs.netbox.version;
+newApiVersion = apiVersion newNetbox.version;
 in ''
 start_all()
diff --git a/nixos/tests/web-apps/netbox.nix b/nixos/tests/web-apps/netbox.nix
index 30de74f1886c0..233f16a8fe0de 100644
--- a/nixos/tests/web-apps/netbox.nix
+++ b/nixos/tests/web-apps/netbox.nix
@@ -16,6 +16,7 @@ in import ../make-test-python.nix ({ lib, pkgs, netbox, ... }: {
 };
 nodes.machine = { config, ... }: {
+virtualisation.memorySize = 2048;
 services.netbox = {
 enable = true;
 package = netbox;