author | Frederik Rietdijk <fridh@fridh.nl> | 2020-01-02 21:41:13 +0100 |
committer | Frederik Rietdijk <fridh@fridh.nl> | 2020-01-02 21:41:13 +0100 |
commit | f08e3e38d4bf983480fcde77911136bab70d8e80 (patch) | |
tree | 6286ff43b53a5df79fcfcf31d22443a18f0455ee /nixos | |
parent | bdfb1bd01b2da393a3cdf567764a79e418f2b62e (diff) | |
parent | 129c73802fdddacb20cf194bd2968d73ebced590 (diff) | |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/development/option-types.xml | 60 | ||||
-rw-r--r-- | nixos/modules/hardware/video/nvidia.nix | 9 | ||||
-rw-r--r-- | nixos/modules/services/misc/redmine.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/connman.nix | 32 | ||||
-rw-r--r-- | nixos/modules/services/networking/networkmanager.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/networking/syncthing.nix | 12 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/apache-httpd/default.nix | 2 | ||||
-rw-r--r-- | nixos/modules/virtualisation/docker-containers.nix | 2 | ||||
-rw-r--r-- | nixos/tests/3proxy.nix | 57 | ||||
-rw-r--r-- | nixos/tests/haka.nix | 10 | ||||
-rw-r--r-- | nixos/tests/kexec.nix | 18 | ||||
-rw-r--r-- | nixos/tests/mysql.nix | 18 | ||||
-rw-r--r-- | nixos/tests/netdata.nix | 1 |
13 files changed, 172 insertions, 52 deletions
diff --git a/nixos/doc/manual/development/option-types.xml b/nixos/doc/manual/development/option-types.xml
index 8fcbb627342b..173fdfcbbc83 100644
--- a/nixos/doc/manual/development/option-types.xml
+++ b/nixos/doc/manual/development/option-types.xml
@@ -257,14 +257,68 @@ <listitem> <para> A set of sub options <replaceable>o</replaceable>. - <replaceable>o</replaceable> can be an attribute set or a function - returning an attribute set. Submodules are used in composed types to - create modular options. Submodule are detailed in + <replaceable>o</replaceable> can be an attribute set, a function + returning an attribute set, or a path to a file containing such a value. Submodules are used in + composed types to create modular options. This is equivalent to + <literal>types.submoduleWith { modules = toList o; shorthandOnlyDefinesConfig = true; }</literal>. + Submodules are detailed in <xref linkend='section-option-types-submodule' />. </para> </listitem> </varlistentry> + <varlistentry> + <term> + <varname>types.submoduleWith</varname> { + <replaceable>modules</replaceable>, + <replaceable>specialArgs</replaceable> ? {}, + <replaceable>shorthandOnlyDefinesConfig</replaceable> ? false } + </term> + <listitem> + <para> + Like <varname>types.submodule</varname>, but more flexible and with better defaults. + It has parameters + <itemizedlist> + <listitem><para> + <replaceable>modules</replaceable> + A list of modules to use by default for this submodule type. This gets combined + with all option definitions to build the final list of modules that will be included. + <note><para> + Only options defined with this argument are included in rendered documentation. + </para></note> + </para></listitem> + <listitem><para> + <replaceable>specialArgs</replaceable> + An attribute set of extra arguments to be passed to the module functions. + The option <literal>_module.args</literal> should be used instead + for most arguments since it allows overriding. <replaceable>specialArgs</replaceable> should only be + used for arguments that can't go through the module fixed-point, because of + infinite recursion or other problems. 
An example is overriding the + <varname>lib</varname> argument, because <varname>lib</varname> itself is used + to define <literal>_module.args</literal>, which makes using + <literal>_module.args</literal> to define it impossible. + </para></listitem> + <listitem><para> + <replaceable>shorthandOnlyDefinesConfig</replaceable> + Whether definitions of this type should default to the <literal>config</literal> + section of a module (see <xref linkend='ex-module-syntax'/>) if it is an attribute + set. Enabling this only has a benefit when the submodule defines an option named + <literal>config</literal> or <literal>options</literal>. In such a case it would + allow the option to be set with <literal>the-submodule.config = "value"</literal> + instead of requiring <literal>the-submodule.config.config = "value"</literal>. + This is because only when modules <emphasis>don't</emphasis> set the + <literal>config</literal> or <literal>options</literal> keys, all keys are interpreted + as option definitions in the <literal>config</literal> section. Enabling this option + implicitly puts all attributes in the <literal>config</literal> section. + </para> + <para> + With this option enabled, defining a non-<literal>config</literal> section requires + using a function: <literal>the-submodule = { ... }: { options = { ... }; }</literal>. + </para></listitem> + </itemizedlist> + </para> + </listitem> + </varlistentry> </variablelist> </section> diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix index fcb30187fa2f..1794bb4b433d 100644 --- a/nixos/modules/hardware/video/nvidia.nix +++ b/nixos/modules/hardware/video/nvidia.nix 
@@ -198,10 +198,11 @@ in # Create /dev/nvidia-uvm when the nvidia-uvm module is loaded. services.udev.extraRules = '' - KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidiactl c $(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 255'" - KERNEL=="nvidia_modeset", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-modeset c $(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 254'" - KERNEL=="card*", SUBSYSTEM=="drm", DRIVERS=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia%n c $(grep nvidia-frontend /proc/devices | cut -d \ -f 1) %n'" - KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm c $(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'" + KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidiactl c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 255'" + KERNEL=="nvidia_modeset", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-modeset c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 254'" + KERNEL=="card*", SUBSYSTEM=="drm", DRIVERS=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia%n c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) %n'" + KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'" + KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm-tools c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'" ''; boot.blacklistedKernelModules = [ "nouveau" "nvidiafb" ]; diff --git a/nixos/modules/services/misc/redmine.nix b/nixos/modules/services/misc/redmine.nix index bf9a6914a483..8bd687d08385 100644 --- a/nixos/modules/services/misc/redmine.nix +++ b/nixos/modules/services/misc/redmine.nix 
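Review bot: The new `nvidia-uvm-tools` rule creates its node with the same major and the same minor number (`0`) as `/dev/nvidia-uvm` on the line above, so the two paths alias one device instead of exposing the separate tools device; to my knowledge the driver registers `nvidia-uvm-tools` as minor 1, so the trailing `0` in the added line should most likely read `1` — confirm against the driver version packaged here before changing it. The `$(` → `$$(` change on the surrounding lines is correct, since udev expands `$` in RUN arguments and `$$` yields the literal dollar the shell needs. The added rule also inherits `-m 666`, a world-writable device node, from the existing lines; if that is intentional, a short comment above the block saying why would help the next reader. The enclosing attribute set continues outside the hunk.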
@@ -66,7 +66,7 @@ in type = types.package; default = pkgs.redmine; description = "Which Redmine package to use."; - example = "pkgs.redmine.override { ruby = pkgs.ruby_2_4; }"; + example = "pkgs.redmine.override { ruby = pkgs.ruby_2_7; }"; }; user = mkOption { diff --git a/nixos/modules/services/networking/connman.nix b/nixos/modules/services/networking/connman.nix index 8402be939fe5..e8eadc4e187d 100644 --- a/nixos/modules/services/networking/connman.nix +++ b/nixos/modules/services/networking/connman.nix @@ -11,6 +11,7 @@ let ${cfg.extraConfig} ''; + enableIwd = cfg.wifi.backend == "iwd"; in { imports = [ @@ -56,6 +57,17 @@ in { ''; }; + wifi = { + backend = mkOption { + type = types.enum [ "wpa_supplicant" "iwd" ]; + default = "wpa_supplicant"; + description = '' + Specify the Wi-Fi backend used. + Currently supported are <option>wpa_supplicant</option> or <option>iwd</option>. + ''; + }; + }; + extraFlags = mkOption { type = with types; listOf str; default = [ ]; @@ -77,9 +89,6 @@ in { assertion = !config.networking.useDHCP; message = "You can not use services.connman with networking.useDHCP"; }{ - assertion = config.networking.wireless.enable; - message = "You must use services.connman with networking.wireless"; - }{ assertion = !config.networking.networkmanager.enable; message = "You can not use services.connman with networking.networkmanager"; }]; 
@@ -89,12 +98,18 @@ in { systemd.services.connman = { description = "Connection service"; wantedBy = [ "multi-user.target" ]; - after = [ "syslog.target" ]; + after = [ "syslog.target" ] ++ optional enableIwd "iwd.service"; + requires = optional enableIwd "iwd.service"; serviceConfig = { Type = "dbus"; BusName = "net.connman"; Restart = "on-failure"; - ExecStart = "${pkgs.connman}/sbin/connmand --config=${configFile} --nodaemon ${toString cfg.extraFlags}"; + ExecStart = toString ([ + "${pkgs.connman}/sbin/connmand" + "--config=${configFile}" + "--nodaemon" + ] ++ optional enableIwd "--wifi=iwd_agent" + ++ cfg.extraFlags); StandardOutput = "null"; }; }; @@ -125,7 +140,12 @@ in { networking = { useDHCP = false; - wireless.enable = true; + wireless = { + enable = mkIf (!enableIwd) true; + iwd = mkIf enableIwd { + enable = true; + }; + }; networkmanager.enable = false; }; }; diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index 53029b590677..a949e0e0ec3d 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -308,6 +308,7 @@ in { if [ "$2" != "up" ]; then logger "exit: event $2 != up" + exit fi # coreutils and iproute are in PATH too diff --git a/nixos/modules/services/networking/syncthing.nix b/nixos/modules/services/networking/syncthing.nix index b3f2af5b1794..47b10e408c02 100644 --- a/nixos/modules/services/networking/syncthing.nix +++ b/nixos/modules/services/networking/syncthing.nix @@ -112,12 +112,12 @@ in { addresses = [ "tcp://192.168.0.10:51820" ]; }; }; - type = types.attrsOf (types.submodule ({ config, ... }: { + type = types.attrsOf (types.submodule ({ name, ... }: { options = { name = mkOption { type = types.str; - default = config._module.args.name; + default = name; description = '' Name of the device ''; 
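Review bot: The bare `exit` added after the `logger` call in the NetworkManager dispatcher script returns whatever status `logger` produced, so the intent — a non-`up` event is simply not handled and is not a failure — stays implicit and would turn into a non-zero exit if `logger` ever fails (for example with no syslog socket available); `exit 0` states it explicitly. The dispatcher script starts and ends outside the hunk, so I cannot see whether the caller treats a non-zero status specially.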
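Review bot: Dropping `config` from the submodule argument list in the syncthing `devices` submodule (and in the three `folders` hunks on the following line) changes what any remaining `config.` reference inside those bodies resolves to: it is no longer the submodule's own `config` but the outer module's `config` from the file's top-level arguments, and Nix raises no error for that silent rebinding. Please confirm there are no other uses of `config` inside these submodules beyond the `default = config._module.args.name;` lines being replaced; each submodule body extends past its hunk. The replacement `default = name;` itself is the idiomatic form.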
@@ -175,7 +175,7 @@ in { devices = [ "bigbox" ]; }; }; - type = types.attrsOf (types.submodule ({ config, ... }: { + type = types.attrsOf (types.submodule ({ name, ... }: { options = { enable = mkOption { @@ -190,7 +190,7 @@ in { path = mkOption { type = types.str; - default = config._module.args.name; + default = name; description = '' The path to the folder which should be shared. ''; @@ -198,7 +198,7 @@ in { id = mkOption { type = types.str; - default = config._module.args.name; + default = name; description = '' The id of the folder. Must be the same on all devices. ''; @@ -206,7 +206,7 @@ in { label = mkOption { type = types.str; - default = config._module.args.name; + default = name; description = '' The label of the folder. ''; diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix index 8e3be3162988..3020fd68fc82 100644 --- a/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -567,7 +567,7 @@ in sslProtocols = mkOption { type = types.str; - default = "All -SSLv2 -SSLv3 -TLSv1"; + default = "All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"; example = "All -SSLv2 -SSLv3"; description = "Allowed SSL/TLS protocol versions."; }; diff --git a/nixos/modules/virtualisation/docker-containers.nix b/nixos/modules/virtualisation/docker-containers.nix index 59b0943f591f..760cb9122a2f 100644 --- a/nixos/modules/virtualisation/docker-containers.nix +++ b/nixos/modules/virtualisation/docker-containers.nix @@ -186,7 +186,7 @@ let ++ map escapeShellArg container.cmd ); ExecStartPre = "-${pkgs.docker}/bin/docker rm -f %n"; - ExecStop = "${pkgs.docker}/bin/docker stop %n"; + ExecStop = ''${pkgs.bash}/bin/sh -c "[ $SERVICE_RESULT = success ] || ${pkgs.docker}/bin/docker stop %n"''; ExecStopPost = "-${pkgs.docker}/bin/docker rm -f %n"; ### There is no generalized way of supporting `reload` for docker 
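Review bot: With the apache-httpd `sslProtocols` default now also excluding TLSv1.1, the `example` value two lines below (`All -SSLv2 -SSLv3`) demonstrates a configuration that is weaker than the default and re-enables TLS 1.0 and 1.1; consider making it at least as strict as the new default, e.g. `example = "All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1";`, or a TLS-1.2-only form so the example has a purpose distinct from the default. Changing the default also affects existing deployments that still serve TLS 1.1 clients, so a release-notes entry is worth adding if this merge does not already carry one.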
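Review bot: `$SERVICE_RESULT` is unquoted inside the `sh -c` string of the new docker-containers `ExecStop`, so if the variable is ever empty the test becomes `[ = success ]`, a syntax error, and the `||` branch runs `docker stop` anyway; quoting it, `[ "$SERVICE_RESULT" = success ]`, keeps the comparison well-formed in every case. As I read it, the `$` survives Nix's `''` string (only `${` is interpolated there) and systemd does not expand `$VAR` inside a quoted word, so the shell performs the expansion from the environment systemd sets for stop commands — presumably the intent, and a short comment on the line stating so would spare the next reader the same analysis. The service definition continues outside the hunk.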
diff --git a/nixos/tests/3proxy.nix b/nixos/tests/3proxy.nix
index b8e1dac0e89e..3e2061d7e42f 100644
--- a/nixos/tests/3proxy.nix
+++ b/nixos/tests/3proxy.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
 name = "3proxy";
 meta = with pkgs.stdenv.lib.maintainers; {
 maintainers = [ misuzu ];
@@ -134,29 +134,52 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; - - $peer1->waitForUnit("3proxy.service"); + peer1.wait_for_unit("3proxy.service") + peer1.wait_for_open_port("9999") # test none auth - $peer0->succeed("${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.2:3128 -S -O /dev/null http://216.58.211.112:9999"); - $peer0->succeed("${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.2:3128 -S -O /dev/null http://192.168.0.2:9999"); - $peer0->succeed("${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.2:3128 -S -O /dev/null http://127.0.0.1:9999"); + peer0.succeed( + "${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.2:3128 -S -O /dev/null http://216.58.211.112:9999" + ) + peer0.succeed( + "${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.2:3128 -S -O /dev/null http://192.168.0.2:9999" + ) + peer0.succeed( + "${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.2:3128 -S -O /dev/null http://127.0.0.1:9999" + ) - $peer2->waitForUnit("3proxy.service"); + peer2.wait_for_unit("3proxy.service") + peer2.wait_for_open_port("9999") # test iponly auth - $peer0->succeed("${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.3:3128 -S -O /dev/null http://216.58.211.113:9999"); - $peer0->fail("${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.3:3128 -S -O /dev/null http://192.168.0.3:9999"); - $peer0->fail("${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.3:3128 -S -O /dev/null http://127.0.0.1:9999"); + peer0.succeed( + "${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.3:3128 -S -O /dev/null http://216.58.211.113:9999" + ) + peer0.fail( + "${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.3:3128 -S -O /dev/null http://192.168.0.3:9999" + ) + peer0.fail( + "${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.3:3128 
-S -O /dev/null http://127.0.0.1:9999" + ) - $peer3->waitForUnit("3proxy.service"); + peer3.wait_for_unit("3proxy.service") + peer3.wait_for_open_port("9999") # test strong auth - $peer0->succeed("${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://admin:bigsecret\@192.168.0.4:3128 -S -O /dev/null http://216.58.211.114:9999"); - $peer0->fail("${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://admin:bigsecret\@192.168.0.4:3128 -S -O /dev/null http://192.168.0.4:9999"); - $peer0->fail("${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.4:3128 -S -O /dev/null http://216.58.211.114:9999"); - $peer0->fail("${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.4:3128 -S -O /dev/null http://192.168.0.4:9999"); - $peer0->fail("${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.4:3128 -S -O /dev/null http://127.0.0.1:9999"); + peer0.succeed( + "${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://admin:bigsecret\@192.168.0.4:3128 -S -O /dev/null http://216.58.211.114:9999" + ) + peer0.fail( + "${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://admin:bigsecret\@192.168.0.4:3128 -S -O /dev/null http://192.168.0.4:9999" + ) + peer0.fail( + "${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.4:3128 -S -O /dev/null http://216.58.211.114:9999" + ) + peer0.fail( + "${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.4:3128 -S -O /dev/null http://192.168.0.4:9999" + ) + peer0.fail( + "${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.4:3128 -S -O /dev/null http://127.0.0.1:9999" + ) ''; }) diff --git a/nixos/tests/haka.nix b/nixos/tests/haka.nix index 6277ebb4933f..3ca19cb0971c 100644 --- a/nixos/tests/haka.nix +++ b/nixos/tests/haka.nix 
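Review bot: The `\@` in the two `admin:bigsecret\@192.168.0.4` proxy URLs is a leftover from the Perl version, where `@` had to be escaped inside double-quoted strings; in the Python test script `\@` is an invalid escape sequence that Python keeps literally (with a DeprecationWarning) and the shell then strips, so it happens to work but should be plain `http://admin:bigsecret@192.168.0.4:3128`. The conversion also dropped the explicit machine start (the Perl `startAll;` has no `start_all()` counterpart here), whereas the haka conversion below keeps it; as far as I can tell the Python driver starts a machine lazily on first use, so the test still runs, but a `start_all()` at the top boots the three proxies in parallel rather than one at a time and matches the other converted tests.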
@@ -1,6 +1,6 @@ # This test runs haka and probes it with hakactl -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "haka"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ tvestelind ]; @@ -15,10 +15,10 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; + start_all() - $haka->waitForUnit("haka.service"); - $haka->succeed("hakactl status"); - $haka->succeed("hakactl stop"); + haka.wait_for_unit("haka.service") + haka.succeed("hakactl status") + haka.succeed("hakactl stop") ''; }) diff --git a/nixos/tests/kexec.nix b/nixos/tests/kexec.nix index b13b4131091f..ec0cd9796b0e 100644 --- a/nixos/tests/kexec.nix +++ b/nixos/tests/kexec.nix @@ -1,9 +1,15 @@ # Test whether fast reboots via kexec work. -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, lib, ...} : { name = "kexec"; - meta = with pkgs.stdenv.lib.maintainers; { + meta = with lib.maintainers; { maintainers = [ eelco ]; + # Currently hangs forever; last output is: + # machine # [ 10.239914] dhcpcd[707]: eth0: adding default route via fe80::2 + # machine: waiting for the VM to finish booting + # machine # Cannot find the ESP partition mount point. + # machine # [ 28.681197] nscd[692]: 692 checking for monitored file `/etc/netgroup': No such file or directory + broken = true; }; machine = { ... }: @@ -11,9 +17,9 @@ import ./make-test.nix ({ pkgs, ...} : { testScript = '' - $machine->waitForUnit("multi-user.target"); - $machine->execute("systemctl kexec &"); - $machine->{connected} = 0; - $machine->waitForUnit("multi-user.target"); + machine.wait_for_unit("multi-user.target") + machine.execute("systemctl kexec &") + machine.connected = False + machine.wait_for_unit("multi-user.target") ''; }) diff --git a/nixos/tests/mysql.nix b/nixos/tests/mysql.nix index 2c0d212c2f1d..924bac84e26c 100644 --- a/nixos/tests/mysql.nix +++ b/nixos/tests/mysql.nix 
@@ -27,6 +27,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { { users.users.testuser = { }; + users.users.testuser2 = { }; services.mysql.enable = true; services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' ALTER USER root@localhost IDENTIFIED WITH unix_socket; @@ -34,12 +35,17 @@ import ./make-test-python.nix ({ pkgs, ...} : { DELETE FROM mysql.user WHERE user = '''; FLUSH PRIVILEGES; ''; - services.mysql.ensureDatabases = [ "testdb" ]; + services.mysql.ensureDatabases = [ "testdb" "testdb2" ]; services.mysql.ensureUsers = [{ name = "testuser"; ensurePermissions = { "testdb.*" = "ALL PRIVILEGES"; }; + } { + name = "testuser2"; + ensurePermissions = { + "testdb2.*" = "ALL PRIVILEGES"; + }; }]; services.mysql.package = pkgs.mariadb; }; @@ -47,7 +53,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { }; testScript = '' - start_all + start_all() mysql.wait_for_unit("mysql") mysql.succeed("echo 'use empty_testdb;' | mysql -u root") @@ -62,6 +68,14 @@ import ./make-test-python.nix ({ pkgs, ...} : { mariadb.succeed( "echo 'use testdb; insert into tests values (42);' | sudo -u testuser mysql -u testuser" ) + # Ensure testuser2 is not able to insert into testdb as mysql testuser2 + mariadb.fail( + "echo 'use testdb; insert into tests values (23);' | sudo -u testuser2 mysql -u testuser2" + ) + # Ensure testuser2 is not able to authenticate as mysql testuser + mariadb.fail( + "echo 'use testdb; insert into tests values (23);' | sudo -u testuser2 mysql -u testuser" + ) mariadb.succeed( "echo 'use testdb; select test_id from tests;' | sudo -u testuser mysql -u testuser -N | grep 42" ) diff --git a/nixos/tests/netdata.nix b/nixos/tests/netdata.nix index 8dd5eafb0977..4ddc96e8bc22 100644 --- a/nixos/tests/netdata.nix +++ b/nixos/tests/netdata.nix 
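Review bot: The two new negative checks only assert that the client exits non-zero, so they would also pass if `sudo -u testuser2` failed for an unrelated reason (user missing, PAM problem, socket path), which is exactly the false positive an isolation test should not accept. Pinning the failure to an authorization error, e.g. `mariadb.succeed("echo 'use testdb; insert into tests values (23);' | sudo -u testuser2 mysql -u testuser2 2>&1 | grep -i 'denied'")`, makes the test fail both when the denial disappears and when the fixture breaks. The added `testuser2`/`testdb2` fixture and the `start_all()` fix look fine.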
@@ -25,6 +25,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { # check if the netdata main page loads. netdata.succeed("curl --fail http://localhost:19999/") + netdata.succeed("sleep 4") # check if netdata can read disk ops for root owned processes. # if > 0, successful. verifies both netdata working and |
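Review bot: `netdata.succeed("sleep 4")` is a fixed delay inserted before the disk-ops check, which leaves the test timing-dependent: on a slow builder four seconds may still be too short, and on a fast one it is always wasted. The driver's `wait_until_succeeds` can poll the check that follows instead, e.g. `netdata.wait_until_succeeds(<the existing disk-ops command>)`, which waits exactly as long as needed and documents what the delay is for. That following check is outside the hunk, so I cannot quote it here.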