author | Frederik Rietdijk <fridh@fridh.nl> | 2020-05-28 22:05:36 +0200 |
---|---|---|
committer | Frederik Rietdijk <fridh@fridh.nl> | 2020-05-28 22:05:36 +0200 |
commit | 03de4c02fbd35d1b730ba0957f71df9a7a82bacf (patch) | |
tree | 78ed2f7dfa2efae85c9a76dd53320d875a8ff678 /nixos | |
parent | 99d25675152f30caf6354db93f01fac87f640c8f (diff) | |
parent | e27e3ae169d4ac64856befb6bbf044f2153e337d (diff) | |
Merge staging-next into staging
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/installer/tools/nix-fallback-paths.nix | 8 | ||||
-rw-r--r-- | nixos/modules/services/databases/mysql.nix | 8 | ||||
-rw-r--r-- | nixos/modules/services/databases/rethinkdb.nix | 5 | ||||
-rw-r--r-- | nixos/modules/services/desktops/deepin/deepin.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/dnscrypt-wrapper.nix | 94 | ||||
-rw-r--r-- | nixos/modules/services/x11/desktop-managers/plasma5.nix | 19 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/dnscrypt-wrapper/default.nix | 71 | ||||
-rw-r--r-- | nixos/tests/dnscrypt-wrapper/public.key | 1 | ||||
-rw-r--r-- | nixos/tests/dnscrypt-wrapper/secret.key | 1 |
10 files changed, 185 insertions, 25 deletions
diff --git a/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixos/modules/installer/tools/nix-fallback-paths.nix index 842976c3574f..bfd8970d2b2b 100644 --- a/nixos/modules/installer/tools/nix-fallback-paths.nix +++ b/nixos/modules/installer/tools/nix-fallback-paths.nix @@ -1,6 +1,6 @@ { - x86_64-linux = "/nix/store/8928ygfyf9iassfrnj76v55s6zid58ja-nix-2.3.4"; - i686-linux = "/nix/store/b5cx3nmba9ahx3wk5ybxa67k40pdpdxn-nix-2.3.4"; - aarch64-linux = "/nix/store/p6j4mis6agdjlk4j0cyg7yh58wpm3kif-nix-2.3.4"; - x86_64-darwin = "/nix/store/aizhr07dljmlbf17wfrj40x3s0b5iv3d-nix-2.3.4"; + x86_64-linux = "/nix/store/xb0nl3z356n0sfrhswfli2g19a19slys-nix-2.3.5"; + i686-linux = "/nix/store/k8kdd4yy1yap6lai5idyhmzcwsjh1fik-nix-2.3.5"; + aarch64-linux = "/nix/store/dr86cbipxqjcb8pf2k0v8wvw0h0adfpz-nix-2.3.5"; + x86_64-darwin = "/nix/store/n6dqdndkv9kac66kdr988kaiyavl44x8-nix-2.3.5"; } diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix index 44183788d936..51885881cf73 100644 --- a/nixos/modules/services/databases/mysql.nix +++ b/nixos/modules/services/databases/mysql.nix @@ -32,13 +32,7 @@ in services.mysql = { - enable = mkOption { - type = types.bool; - default = false; - description = " - Whether to enable the MySQL server. - "; - }; + enable = mkEnableOption "MySQL server"; package = mkOption { type = types.package; diff --git a/nixos/modules/services/databases/rethinkdb.nix b/nixos/modules/services/databases/rethinkdb.nix index f18fbaf5b062..c764d6c21c6c 100644 --- a/nixos/modules/services/databases/rethinkdb.nix +++ b/nixos/modules/services/databases/rethinkdb.nix @@ -15,10 +15,7 @@ in services.rethinkdb = { - enable = mkOption { - default = false; - description = "Whether to enable the RethinkDB server."; - }; + enable = mkEnableOption "RethinkDB server"; #package = mkOption { # default = pkgs.rethinkdb; 
diff --git a/nixos/modules/services/desktops/deepin/deepin.nix b/nixos/modules/services/desktops/deepin/deepin.nix index 931bac58aceb..f8fb73701af6 100644 --- a/nixos/modules/services/desktops/deepin/deepin.nix +++ b/nixos/modules/services/desktops/deepin/deepin.nix @@ -41,7 +41,6 @@ pkgs.deepin.dde-session-ui pkgs.deepin.deepin-anything pkgs.deepin.deepin-image-viewer - pkgs.deepin.deepin-screenshot ]; services.dbus.packages = [ @@ -55,7 +54,6 @@ pkgs.deepin.dde-session-ui pkgs.deepin.deepin-anything pkgs.deepin.deepin-image-viewer - pkgs.deepin.deepin-screenshot ]; systemd.packages = [ diff --git a/nixos/modules/services/networking/dnscrypt-wrapper.nix b/nixos/modules/services/networking/dnscrypt-wrapper.nix index e53fb7a15782..b9333cd19a2a 100644 --- a/nixos/modules/services/networking/dnscrypt-wrapper.nix +++ b/nixos/modules/services/networking/dnscrypt-wrapper.nix @@ -5,12 +5,20 @@ let cfg = config.services.dnscrypt-wrapper; dataDir = "/var/lib/dnscrypt-wrapper"; + mkPath = path: default: + if path != null + then toString path + else default; + + publicKey = mkPath cfg.providerKey.public "${dataDir}/public.key"; + secretKey = mkPath cfg.providerKey.secret "${dataDir}/secret.key"; + daemonArgs = with cfg; [ "--listen-address=${address}:${toString port}" "--resolver-address=${upstream.address}:${toString upstream.port}" "--provider-name=${providerName}" - "--provider-publickey-file=public.key" - "--provider-secretkey-file=secret.key" + "--provider-publickey-file=${publicKey}" + "--provider-secretkey-file=${secretKey}" "--provider-cert-file=${providerName}.crt" "--crypt-secretkey-file=${providerName}.key" ]; 
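Review bot: `mkPath` in the first dnscrypt-wrapper hunk carries no comment, and it is not obvious why it goes through `toString` instead of interpolating the path, so a reader will wonder whether a key given as a Nix path literal ends up copied into the store. As far as I can tell `toString` on a path literal yields the absolute path without a store copy, which is the property that matters for a secret key; that intent deserves to be written down. Suggested comment above the binding: `# Absolute path of a user-supplied key file (toString, so a path literal is not copied into the store), or the default under dataDir when unset.` The `let` holding these bindings starts before the hunk and continues past it.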
@@ -24,17 +32,19 @@ let dnscrypt-wrapper --gen-cert-file \ --crypt-secretkey-file=${cfg.providerName}.key \ --provider-cert-file=${cfg.providerName}.crt \ - --provider-publickey-file=public.key \ - --provider-secretkey-file=secret.key \ + --provider-publickey-file=${publicKey} \ + --provider-secretkey-file=${secretKey} \ --cert-file-expire-days=${toString cfg.keys.expiration} } cd ${dataDir} # generate provider keypair (first run only) - if [ ! -f public.key ] || [ ! -f secret.key ]; then - dnscrypt-wrapper --gen-provider-keypair - fi + ${optionalString (cfg.providerKey.public == null || cfg.providerKey.secret == null) '' + if [ ! -f ${publicKey} ] || [ ! -f ${secretKey} ]; then + dnscrypt-wrapper --gen-provider-keypair + fi + ''} # generate new keys for rotation if [ ! -f ${cfg.providerName}.key ] || [ ! -f ${cfg.providerName}.crt ]; then 
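Review bot: When both provider keys are supplied, the hunk skips `--gen-provider-keypair`, but nothing checks that the files at `${publicKey}` and `${secretKey}` exist and are readable before `dnscrypt-wrapper --gen-cert-file` consumes them, so a wrong path or a permission problem surfaces only as a tool error late in the script. A second `optionalString` with the negated condition could fail early and clearly, e.g. `test -r ${publicKey} && test -r ${secretKey} || { echo "dnscrypt-wrapper: provider key files missing or unreadable" >&2; exit 1; }`. The shell script this hunk belongs to starts and ends outside the hunk, so I cannot see whether an equivalent check already exists elsewhere in it.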
@@ -64,6 +74,47 @@ let fi ''; + + # This is the fork of the original dnscrypt-proxy maintained by Dyne.org. + # dnscrypt-proxy2 doesn't provide the `--test` feature that is needed to + # correctly implement key rotation of dnscrypt-wrapper ephemeral keys. + dnscrypt-proxy1 = pkgs.callPackage + ({ stdenv, fetchFromGitHub, autoreconfHook + , pkgconfig, libsodium, ldns, openssl, systemd }: + + stdenv.mkDerivation rec { + pname = "dnscrypt-proxy"; + version = "2019-08-20"; + + src = fetchFromGitHub { + owner = "dyne"; + repo = "dnscrypt-proxy"; + rev = "07ac3825b5069adc28e2547c16b1d983a8ed8d80"; + sha256 = "0c4mq741q4rpmdn09agwmxap32kf0vgfz7pkhcdc5h54chc3g3xy"; + }; + + configureFlags = optional stdenv.isLinux "--with-systemd"; + + nativeBuildInputs = [ autoreconfHook pkgconfig ]; + + # <ldns/ldns.h> depends on <openssl/ssl.h> + buildInputs = [ libsodium openssl.dev ldns ] ++ optional stdenv.isLinux systemd; + + postInstall = '' + # Previous versions required libtool files to load plugins; they are + # now strictly optional. + rm $out/lib/dnscrypt-proxy/*.la + ''; + + meta = { + description = "A tool for securing communications between a client and a DNS resolver"; + homepage = "https://github.com/dyne/dnscrypt-proxy"; + license = licenses.isc; + maintainers = with maintainers; [ rnhmjoj ]; + platforms = platforms.linux; + }; + }) { }; + in { 
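Review bot: The new `dnscrypt-proxy1` derivation declares `platforms = platforms.linux` while still guarding `--with-systemd` and the `systemd` build input with `optional stdenv.isLinux`, so those conditionals are dead code; either drop them or widen `platforms` to match. The unqualified `optional`, `licenses`, `maintainers` and `platforms` presumably resolve through a `with lib;` at the top of the module, outside the hunk, since the inner function does not take `lib` as an argument; a short comment stating that dependency would help anyone later lifting this package out of the module. The header comment could also say explicitly that this package only ends up on the key-rotation unit's PATH for the `--test` check (see the later hunk changing `path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy1 gawk ];`), which the current wording implies but does not state.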
@@ -98,6 +149,26 @@ in { ''; }; + providerKey.public = mkOption { + type = types.nullOr types.path; + default = null; + example = "/etc/secrets/public.key"; + description = '' + The filepath to the provider public key. If not given a new + provider key pair will be generated on the first run. + ''; + }; + + providerKey.secret = mkOption { + type = types.nullOr types.path; + default = null; + example = "/etc/secrets/secret.key"; + description = '' + The filepath to the provider secret key. If not given a new + provider key pair will be generated on the first run. + ''; + }; + upstream.address = mkOption { type = types.str; default = "127.0.0.1"; @@ -179,7 +250,7 @@ in { requires = [ "dnscrypt-wrapper.service" ]; description = "Rotates DNSCrypt wrapper keys if soon to expire"; - path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy gawk ]; + path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy1 gawk ]; script = rotateKeys; serviceConfig.User = "dnscrypt-wrapper"; }; @@ -196,6 +267,13 @@ in { }; }; + assertions = with cfg; [ + { assertion = (providerKey.public == null && providerKey.secret == null) || + (providerKey.secret != null && providerKey.public != null); + message = "The secret and public provider key must be set together."; + } + ]; + }; meta.maintainers = with lib.maintainers; [ rnhmjoj ]; diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix index 60ef0159ff1a..6d48b899d231 100644 --- a/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix 
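Review bot: The `providerKey.secret` description does not say who reads the file or where it must not live: the rotation unit in the `@@ -179,7` hunk runs as `serviceConfig.User = "dnscrypt-wrapper"` (and presumably the main service does too), so the file must be readable by that user, and `types.path` also accepts Nix store paths, which are world-readable, so a secret placed there would be exposed to every local user. Suggested addition to the description: `The file must be readable by the dnscrypt-wrapper user and must not be a path in the Nix store, since the store is world-readable.` The `example = "/etc/secrets/secret.key"` hints at this, but the text should state it. The assertion added in the `@@ -196,6` hunk correctly requires both keys to be set together, which is what the `optionalString` guard in the key-generation script relies on.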
@@ -158,6 +158,19 @@ in example = "vlc"; description = "Phonon audio backend to install."; }; + + supportDDC = mkOption { + type = types.bool; + default = false; + description = '' + Support setting monitor brightness via DDC. + </para> + <para> + This is not needed for controlling brightness of the internal monitor + of a laptop and as it is considered experimental by upstream, it is + disabled by default. + ''; + }; }; }; @@ -184,6 +197,12 @@ in }; }; + # DDC support + boot.kernelModules = lib.optional cfg.supportDDC "i2c_dev"; + services.udev.extraRules = lib.optionalString cfg.supportDDC '' + KERNEL=="i2c-[0-9]*", TAG+="uaccess" + ''; + environment.systemPackages = with pkgs; with qt5; with libsForQt5; with plasma5; with kdeApplications; [ frameworkintegration diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 611e89b7285b..f3b36e5fa13f 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -70,6 +70,7 @@ in deluge = handleTest ./deluge.nix {}; dhparams = handleTest ./dhparams.nix {}; dnscrypt-proxy2 = handleTestOn ["x86_64-linux"] ./dnscrypt-proxy2.nix {}; + dnscrypt-wrapper = handleTestOn ["x86_64-linux"] ./dnscrypt-wrapper {}; doas = handleTest ./doas.nix {}; docker = handleTestOn ["x86_64-linux"] ./docker.nix {}; oci-containers = handleTestOn ["x86_64-linux"] ./oci-containers.nix {}; diff --git a/nixos/tests/dnscrypt-wrapper/default.nix b/nixos/tests/dnscrypt-wrapper/default.nix new file mode 100644 index 000000000000..1dc925f4de7a --- /dev/null +++ b/nixos/tests/dnscrypt-wrapper/default.nix 
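Review bot: The `supportDDC` description explains the experimental status but not what the option grants: the udev rule `KERNEL=="i2c-[0-9]*", TAG+="uaccess"` matches every i2c device node, not only those behind a monitor, and `uaccess` tagging, as I understand it, gives the active seat's logged-in user read/write access to all of them. The description should add, e.g., `Enabling this loads the i2c_dev kernel module and gives the locally logged-in user read/write access to all /dev/i2c-* devices, not only those of monitors.` Narrowing the match to the i2c adapters exposed by the graphics driver would be preferable if udev offers a usable attribute for that, but I cannot confirm that from here.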
@@ -0,0 +1,71 @@ +import ../make-test-python.nix ({ pkgs, ... }: { + name = "dnscrypt-wrapper"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ rnhmjoj ]; + }; + + nodes = { + server = { lib, ... }: + { services.dnscrypt-wrapper = with builtins; + { enable = true; + address = "192.168.1.1"; + keys.expiration = 5; # days + keys.checkInterval = 2; # min + # The keypair was generated by the command: + # dnscrypt-wrapper --gen-provider-keypair \ + # --provider-name=2.dnscrypt-cert.server \ + # --ext-address=192.168.1.1:5353 + providerKey.public = toFile "public.key" (readFile ./public.key); + providerKey.secret = toFile "secret.key" (readFile ./secret.key); + }; + services.tinydns.enable = true; + services.tinydns.data = '' + ..:192.168.1.1:a + +it.works:1.2.3.4 + ''; + networking.firewall.allowedUDPPorts = [ 5353 ]; + networking.firewall.allowedTCPPorts = [ 5353 ]; + networking.interfaces.eth1.ipv4.addresses = lib.mkForce + [ { address = "192.168.1.1"; prefixLength = 24; } ]; + }; + + client = { lib, ... 
}: + { services.dnscrypt-proxy2.enable = true; + services.dnscrypt-proxy2.settings = { + server_names = [ "server" ]; + static.server.stamp = "sdns://AQAAAAAAAAAAEDE5Mi4xNjguMS4xOjUzNTMgFEHYOv0SCKSuqR5CDYa7-58cCBuXO2_5uTSVU9wNQF0WMi5kbnNjcnlwdC1jZXJ0LnNlcnZlcg"; + }; + networking.nameservers = [ "127.0.0.1" ]; + networking.interfaces.eth1.ipv4.addresses = lib.mkForce + [ { address = "192.168.1.2"; prefixLength = 24; } ]; + }; + + }; + + testScript = '' + start_all() + + with subtest("The server can generate the ephemeral keypair"): + server.wait_for_unit("dnscrypt-wrapper") + server.wait_for_file("/var/lib/dnscrypt-wrapper/2.dnscrypt-cert.server.key") + server.wait_for_file("/var/lib/dnscrypt-wrapper/2.dnscrypt-cert.server.crt") + + with subtest("The client can connect to the server"): + server.wait_for_unit("tinydns") + client.wait_for_unit("dnscrypt-proxy2") + assert "1.2.3.4" in client.succeed( + "host it.works" + ), "The IP address of 'it.works' does not match 1.2.3.4" + + with subtest("The server rotates the ephemeral keys"): + # advance time by a little less than 5 days + server.succeed("date -s \"$(date --date '4 days 6 hours')\"") + client.succeed("date -s \"$(date --date '4 days 6 hours')\"") + server.wait_for_file("/var/lib/dnscrypt-wrapper/oldkeys") + + with subtest("The client can still connect to the server"): + server.wait_for_unit("dnscrypt-wrapper") + client.succeed("host it.works") + ''; +}) + diff --git a/nixos/tests/dnscrypt-wrapper/public.key b/nixos/tests/dnscrypt-wrapper/public.key new file mode 100644 index 000000000000..80232b97f529 --- /dev/null +++ b/nixos/tests/dnscrypt-wrapper/public.key @@ -0,0 +1 @@ +A:B ;o4S @] \ No newline at end of file diff --git a/nixos/tests/dnscrypt-wrapper/secret.key b/nixos/tests/dnscrypt-wrapper/secret.key new file mode 100644 index 000000000000..01fbf8e08b7a --- /dev/null +++ b/nixos/tests/dnscrypt-wrapper/secret.key @@ -0,0 +1 @@ +G>Ʃ>(J=lA:B ;o4S @] \ No newline at end of file |
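Review bot: The client's `static.server.stamp` in the new test is an opaque `sdns://` string whose base64 tail decodes to `192.168.1.1:5353` and `2.dnscrypt-cert.server` and, if I read the stamp format correctly, also carries the provider public key committed as `public.key`; nothing documents that regenerating the key pair, renaming the provider or changing the address invalidates the stamp. A comment above it such as `# DNSCrypt stamp for 192.168.1.1:5353, provider 2.dnscrypt-cert.server, bound to the key in ./public.key; regenerate it if the key pair changes` would save the next maintainer a debugging session. The `with builtins;` opening the `services.dnscrypt-wrapper` attrset pulls every builtin into scope for two calls; `builtins.toFile` and `builtins.readFile` would be clearer.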