author | Alyssa Ross <hi@alyssa.is> | 2023-11-05 16:15:01 +0100 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2023-11-05 16:15:01 +0100 |
commit | a2c1eff83c3118a9aee8076c7f84f58137416b6e (patch) | |
tree | 4668c9ad2bba229a0eb3ccc8adbe78402e04ab07 /nixpkgs/nixos/modules | |
parent | fa7e5142244bb8fd1c51b66df6e623a7f41cc0d3 (diff) | |
parent | 85f1ba3e51676fa8cc604a3d863d729026a6b8eb (diff) | |
Merge branch 'nixos-unstable' of https://github.com/NixOS/nixpkgs into HEAD
Diffstat (limited to 'nixpkgs/nixos/modules')
13 files changed, 318 insertions, 62 deletions
diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/channel.nix b/nixpkgs/nixos/modules/installer/cd-dvd/channel.nix index 8426ba8fac00..bc70dc985fe0 100644 --- a/nixpkgs/nixos/modules/installer/cd-dvd/channel.nix +++ b/nixpkgs/nixos/modules/installer/cd-dvd/channel.nix @@ -3,8 +3,6 @@ { config, lib, pkgs, ... }: -with lib; - let # This is copied into the installer image, so it's important that it is filtered # to avoid including a large .git directory. 
@@ -27,38 +25,40 @@ let if [ ! -e $out/nixos/nixpkgs ]; then ln -s . $out/nixos/nixpkgs fi - ${optionalString (config.system.nixos.revision != null) '' + ${lib.optionalString (config.system.nixos.revision != null) '' echo -n ${config.system.nixos.revision} > $out/nixos/.git-revision ''} echo -n ${config.system.nixos.versionSuffix} > $out/nixos/.version-suffix echo ${config.system.nixos.versionSuffix} | sed -e s/pre// > $out/nixos/svn-revision ''; - in { - # Pin the nixpkgs flake in the installer to our cleaned up nixpkgs source. - # FIXME: this might be surprising and is really only needed for offline installations, - # see discussion in https://github.com/NixOS/nixpkgs/pull/204178#issuecomment-1336289021 - nix.registry.nixpkgs.to = { - type = "path"; - path = "${channelSources}/nixos"; - }; + options.system.installer.channel.enable = (lib.mkEnableOption "bundling NixOS/Nixpkgs channel in the installer") // { default = true; }; + config = lib.mkIf config.system.installer.channel.enable { + # Pin the nixpkgs flake in the installer to our cleaned up nixpkgs source. + # FIXME: this might be surprising and is really only needed for offline installations, + # see discussion in https://github.com/NixOS/nixpkgs/pull/204178#issuecomment-1336289021 + nix.registry.nixpkgs.to = { + type = "path"; + path = "${channelSources}/nixos"; + }; - # Provide the NixOS/Nixpkgs sources in /etc/nixos. This is required - # for nixos-install. - boot.postBootCommands = mkAfter - '' - if ! [ -e /var/lib/nixos/did-channel-init ]; then - echo "unpacking the NixOS/Nixpkgs sources..." 
- mkdir -p /nix/var/nix/profiles/per-user/root - ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/per-user/root/channels \ - -i ${channelSources} --quiet --option build-use-substitutes false \ - ${optionalString config.boot.initrd.systemd.enable "--option sandbox false"} # There's an issue with pivot_root - mkdir -m 0700 -p /root/.nix-defexpr - ln -s /nix/var/nix/profiles/per-user/root/channels /root/.nix-defexpr/channels - mkdir -m 0755 -p /var/lib/nixos - touch /var/lib/nixos/did-channel-init - fi - ''; + # Provide the NixOS/Nixpkgs sources in /etc/nixos. This is required + # for nixos-install. + boot.postBootCommands = lib.mkAfter + '' + if ! [ -e /var/lib/nixos/did-channel-init ]; then + echo "unpacking the NixOS/Nixpkgs sources..." + mkdir -p /nix/var/nix/profiles/per-user/root + ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/per-user/root/channels \ + -i ${channelSources} --quiet --option build-use-substitutes false \ + ${lib.optionalString config.boot.initrd.systemd.enable "--option sandbox false"} # There's an issue with pivot_root + mkdir -m 0700 -p /root/.nix-defexpr + ln -s /nix/var/nix/profiles/per-user/root/channels /root/.nix-defexpr/channels + mkdir -m 0755 -p /var/lib/nixos + touch /var/lib/nixos/did-channel-init + fi + ''; + }; } diff --git a/nixpkgs/nixos/modules/module-list.nix b/nixpkgs/nixos/modules/module-list.nix index 92b49036a0de..5af65957f1bb 100644 --- a/nixpkgs/nixos/modules/module-list.nix +++ b/nixpkgs/nixos/modules/module-list.nix @@ -267,6 +267,7 @@ ./programs/udevil.nix ./programs/usbtop.nix ./programs/vim.nix + ./programs/virt-manager.nix ./programs/wavemon.nix ./programs/wayland/cardboard.nix ./programs/wayland/river.nix @@ -1507,6 +1508,7 @@ ./virtualisation/docker.nix ./virtualisation/ecs-agent.nix ./virtualisation/hyperv-guest.nix + ./virtualisation/incus.nix ./virtualisation/kvmgt.nix ./virtualisation/libvirtd.nix ./virtualisation/lxc.nix 
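Review bot: The new `system.installer.channel.enable` option is described only as "bundling NixOS/Nixpkgs channel in the installer", while the comment the hunk moves into the `mkIf` body states that the bundled sources are "required for nixos-install"; the description should spell out that consequence so a user switching the default off knows what they lose. Something like `lib.mkEnableOption (lib.mdDoc "bundling the NixOS/Nixpkgs channel in the installer; when disabled, nixos-install has no local nixpkgs and presumably needs network access to obtain one")` would do, with the "presumably" confirmed against nixos-install's behaviour. The `let` binding of `channelSources` that the body references starts outside this hunk.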
diff --git a/nixpkgs/nixos/modules/programs/firefox.nix b/nixpkgs/nixos/modules/programs/firefox.nix index 85f47530cf5a..1edf935d1649 100644 --- a/nixpkgs/nixos/modules/programs/firefox.nix +++ b/nixpkgs/nixos/modules/programs/firefox.nix @@ -90,7 +90,7 @@ in description = mdDoc '' Group policies to install. - See [Mozilla's documentation](https://github.com/mozilla/policy-templates/blob/master/README.md) + See [Mozilla's documentation](https://mozilla.github.io/policy-templates/) for a list of available options. This can be used to install extensions declaratively! Check out the diff --git a/nixpkgs/nixos/modules/security/sudo.nix b/nixpkgs/nixos/modules/security/sudo.nix index d225442773c6..c665c15242a5 100644 --- a/nixpkgs/nixos/modules/security/sudo.nix +++ b/nixpkgs/nixos/modules/security/sudo.nix @@ -6,8 +6,6 @@ let cfg = config.security.sudo; - inherit (pkgs) sudo; - toUserString = user: if (isInt user) then "#${toString user}" else "${user}"; toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}"; @@ -247,7 +245,7 @@ in }; }; - environment.systemPackages = [ sudo ]; + environment.systemPackages = [ cfg.package ]; security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; }; diff --git a/nixpkgs/nixos/modules/services/continuous-integration/woodpecker/server.nix b/nixpkgs/nixos/modules/services/continuous-integration/woodpecker/server.nix index cae5ed7cf116..38b42f7288c0 100644 --- a/nixpkgs/nixos/modules/services/continuous-integration/woodpecker/server.nix +++ b/nixpkgs/nixos/modules/services/continuous-integration/woodpecker/server.nix 
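Review bot: `environment.systemPackages = [ cfg.package ]` now puts the `sudo`/`visudo` binaries from `security.sudo.package` on PATH, but this hunk does not show whether the setuid wrapper under `security.wrappers` and the sudoers validation elsewhere in the file are built from the same `cfg.package`; confirm they agree, otherwise a user overriding the package gets an unprivileged `sudo` on PATH from one build and a privileged wrapper in /run/wrappers/bin from another, which makes debugging PAM and policy behaviour confusing. If they already use `cfg.package`, a one-line comment such as `# keep in sync with security.wrappers.sudo.source` next to this line records the invariant. The enclosing `config` block starts and ends outside the hunk.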
@@ -31,9 +31,9 @@ in description = lib.mdDoc "woodpecker-server config environment variables, for other options read the [documentation](https://woodpecker-ci.org/docs/administration/server-config)"; }; environmentFile = lib.mkOption { - type = lib.types.nullOr lib.types.path; - default = null; - example = "/root/woodpecker-server.env"; + type = with lib.types; coercedTo path (f: [ f ]) (listOf path); + default = [ ]; + example = [ "/root/woodpecker-server.env" ]; description = lib.mdDoc '' File to load environment variables from. This is helpful for specifying secrets. @@ -61,7 +61,7 @@ in StateDirectoryMode = "0700"; UMask = "0007"; ConfigurationDirectory = "woodpecker-server"; - EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile; + EnvironmentFile = cfg.environmentFile; ExecStart = "${cfg.package}/bin/woodpecker-server"; Restart = "on-failure"; RestartSec = 15; diff --git a/nixpkgs/nixos/modules/services/hardware/fwupd.nix b/nixpkgs/nixos/modules/services/hardware/fwupd.nix index 4e5913fd2751..7a938459d0cb 100644 --- a/nixpkgs/nixos/modules/services/hardware/fwupd.nix +++ b/nixpkgs/nixos/modules/services/hardware/fwupd.nix @@ -181,7 +181,18 @@ in { # required to update the firmware of disks services.udisks2.enable = true; - systemd.packages = [ cfg.package ]; + systemd = { + packages = [ cfg.package ]; + + # fwupd-refresh expects a user that we do not create, so just run with DynamicUser + # instead and ensure we take ownership of /var/lib/fwupd + services.fwupd-refresh.serviceConfig = { + DynamicUser = true; + StateDirectory = "fwupd"; + }; + + timers.fwupd-refresh.wantedBy = [ "timers.target" ]; + }; security.polkit.enable = true; }; diff --git a/nixpkgs/nixos/modules/services/hardware/throttled.nix b/nixpkgs/nixos/modules/services/hardware/throttled.nix index 9fa495886119..0f1f00348ee8 100644 --- a/nixpkgs/nixos/modules/services/hardware/throttled.nix +++ b/nixpkgs/nixos/modules/services/hardware/throttled.nix 
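Review bot: The `environmentFile` description still reads "File to load environment variables from" although the type is now `coercedTo path (f: [ f ]) (listOf path)` with default `[ ]`; change it to `Files to load environment variables from.` so the documentation matches the accepted values. Because the description recommends this option for secrets, it should also say that a Nix path literal (e.g. `./woodpecker.env`) is copied into the world-readable Nix store, and that secret files must be given as string paths like the `"/root/woodpecker-server.env"` example. The surrounding `options` attribute set begins outside this hunk.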
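Review bot: Setting `DynamicUser = true` together with `StateDirectory = "fwupd"` on `fwupd-refresh` makes systemd re-own `/var/lib/fwupd` for a transient user whenever the timer fires, yet the comment itself says the directory is the daemon's state directory and the hunk does not show how `fwupd.service` (which is not a DynamicUser unit here) uses it; confirm that the main daemon tolerates the ownership change, or give both units the same `StateDirectory`, before relying on the "take ownership" comment. Recording the outcome next to the setting, e.g. `# /var/lib/fwupd is shared with fwupd.service; StateDirectory re-owns it for the dynamic user on each run`, would save the next reader the same investigation. The enclosing `config = mkIf cfg.enable { … }` block starts and ends outside the hunk.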
@@ -27,6 +27,7 @@ in { then pkgs.writeText "throttled.conf" cfg.extraConfig else "${pkgs.throttled}/etc/throttled.conf"; + hardware.cpu.x86.msr.enable = true; # Kernel 5.9 spams warnings whenever userspace writes to CPU MSRs. # See https://github.com/erpalma/throttled/issues/215 hardware.cpu.x86.msr.settings.allow-writes = diff --git a/nixpkgs/nixos/modules/services/monitoring/grafana-image-renderer.nix b/nixpkgs/nixos/modules/services/monitoring/grafana-image-renderer.nix index 36258866646a..afe9eb4d7b95 100644 --- a/nixpkgs/nixos/modules/services/monitoring/grafana-image-renderer.nix +++ b/nixpkgs/nixos/modules/services/monitoring/grafana-image-renderer.nix @@ -108,7 +108,7 @@ in { services.grafana.settings.rendering = mkIf cfg.provisionGrafana { server_url = "http://localhost:${toString cfg.settings.service.port}/render"; - callback_url = "http://localhost:${toString config.services.grafana.settings.server.http_port}"; + callback_url = "http://${config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}"; }; services.grafana-image-renderer.chromium = mkDefault pkgs.chromium; diff --git a/nixpkgs/nixos/modules/services/web-apps/akkoma.nix b/nixpkgs/nixos/modules/services/web-apps/akkoma.nix index eaee70c712bb..5f9bbbd66374 100644 --- a/nixpkgs/nixos/modules/services/web-apps/akkoma.nix +++ b/nixpkgs/nixos/modules/services/web-apps/akkoma.nix @@ -86,7 +86,7 @@ let # Erlang/Elixir uses a somewhat special format for IP addresses erlAddr = addr: fileContents (pkgs.runCommand addr { - nativeBuildInputs = with pkgs; [ elixir ]; + nativeBuildInputs = [ cfg.package.elixirPackage ]; code = '' case :inet.parse_address('${addr}') do {:ok, addr} -> IO.inspect addr 
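Review bot: `callback_url` is now built from `services.grafana.settings.server.http_addr`, which is a listen address rather than an address the renderer can connect to: an empty value (Grafana's own meaning for "all interfaces") yields `http://:<port>`, and `0.0.0.0` or `::` are not reliably connectable either. The grafana module's default for `http_addr` is not visible in this hunk; if it can be empty or a wildcard, keep the previous host as a fallback, e.g. `callback_url = "http://${if config.services.grafana.settings.server.http_addr == "" then "localhost" else config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}";`. The enclosing `config` block starts and ends outside the hunk.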
@@ -96,7 +96,7 @@ let passAsFile = [ "code" ]; } ''elixir "$codePath" >"$out"''); - format = pkgs.formats.elixirConf { }; + format = pkgs.formats.elixirConf { elixir = cfg.package.elixirPackage; }; configFile = format.generate "config.exs" (replaceSec (attrsets.updateManyAttrsByPath [{ @@ -146,7 +146,7 @@ let initSecretsScript = writeShell { name = "akkoma-init-secrets"; - runtimeInputs = with pkgs; [ coreutils elixir ]; + runtimeInputs = with pkgs; [ coreutils cfg.package.elixirPackage ]; text = let key-base = web.secret_key_base; jwt-signer = ex.":joken".":default_signer"; diff --git a/nixpkgs/nixos/modules/services/web-apps/freshrss.nix b/nixpkgs/nixos/modules/services/web-apps/freshrss.nix index ffc05d0e41f8..8b4ea2aa53c9 100644 --- a/nixpkgs/nixos/modules/services/web-apps/freshrss.nix +++ b/nixpkgs/nixos/modules/services/web-apps/freshrss.nix @@ -220,7 +220,7 @@ in "catch_workers_output" = true; }; phpEnv = { - FRESHRSS_DATA_PATH = "${cfg.dataDir}"; + DATA_PATH = "${cfg.dataDir}"; }; }; }; @@ -267,7 +267,7 @@ in WorkingDirectory = cfg.package; }; environment = { - FRESHRSS_DATA_PATH = cfg.dataDir; + DATA_PATH = cfg.dataDir; }; script = @@ -302,7 +302,7 @@ in wantedBy = [ "multi-user.target" ]; startAt = "*:0/5"; environment = { - FRESHRSS_DATA_PATH = cfg.dataDir; + DATA_PATH = cfg.dataDir; }; serviceConfig = defaultServiceConfig //{ ExecStart = "${cfg.package}/app/actualize_script.php"; diff --git a/nixpkgs/nixos/modules/services/web-apps/mobilizon.nix b/nixpkgs/nixos/modules/services/web-apps/mobilizon.nix index e9264a38f0e6..343c5cead2b1 100644 --- a/nixpkgs/nixos/modules/services/web-apps/mobilizon.nix +++ b/nixpkgs/nixos/modules/services/web-apps/mobilizon.nix @@ -8,7 +8,7 @@ let user = "mobilizon"; group = "mobilizon"; - settingsFormat = pkgs.formats.elixirConf { elixir = pkgs.elixir_1_14; }; + settingsFormat = pkgs.formats.elixirConf { elixir = cfg.package.elixirPackage; }; configFile = settingsFormat.generate "mobilizon-config.exs" cfg.settings; 
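Review bot: In the `-146` hunk `runtimeInputs = with pkgs; [ coreutils cfg.package.elixirPackage ];` keeps a `with pkgs;` that now scopes only `coreutils`, and mixing it with `cfg.package.elixirPackage` reads as if `cfg` might come from `pkgs`, relying on the reader knowing that lexical bindings win over `with`. The `-86` hunk in the same file already switched to an explicit list, so for consistency write `runtimeInputs = [ pkgs.coreutils cfg.package.elixirPackage ];`. The `initSecretsScript` definition this line belongs to continues outside the hunk.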
@@ -309,7 +309,7 @@ in genCookie = "IO.puts(Base.encode32(:crypto.strong_rand_bytes(32)))"; evalElixir = str: '' - ${pkgs.elixir_1_14}/bin/elixir --eval '${str}' + ${cfg.package.elixirPackage}/bin/elixir --eval '${str}' ''; in '' diff --git a/nixpkgs/nixos/modules/services/x11/extra-layouts.nix b/nixpkgs/nixos/modules/services/x11/extra-layouts.nix index 3941f50b7550..ab7e39739eeb 100644 --- a/nixpkgs/nixos/modules/services/x11/extra-layouts.nix +++ b/nixpkgs/nixos/modules/services/x11/extra-layouts.nix @@ -3,7 +3,7 @@ with lib; let - layouts = config.services.xserver.extraLayouts; + layouts = config.services.xserver.xkb.extraLayouts; layoutOpts = { options = { @@ -15,10 +15,10 @@ let languages = mkOption { type = types.listOf types.str; description = - lib.mdDoc '' - A list of languages provided by the layout. - (Use ISO 639-2 codes, for example: "eng" for english) - ''; + lib.mdDoc '' + A list of languages provided by the layout. + (Use ISO 639-2 codes, for example: "eng" for english) + ''; }; compatFile = mkOption { 
@@ -80,29 +80,37 @@ let }; xkb_patched = pkgs.xorg.xkeyboardconfig_custom { - layouts = config.services.xserver.extraLayouts; + layouts = config.services.xserver.xkb.extraLayouts; }; in { + imports = [ + (lib.mkRenamedOptionModuleWith { + sinceRelease = 2311; + from = [ "services" "xserver" "extraLayouts" ]; + to = [ "services" "xserver" "xkb" "extraLayouts" ]; + }) + ]; + ###### interface - options.services.xserver = { + options.services.xserver.xkb = { extraLayouts = mkOption { type = types.attrsOf (types.submodule layoutOpts); - default = {}; + default = { }; example = literalExpression - '' - { - mine = { - description = "My custom xkb layout."; - languages = [ "eng" ]; - symbolsFile = /path/to/my/layout; - }; - } - ''; + '' + { + mine = { + description = "My custom xkb layout."; + languages = [ "eng" ]; + symbolsFile = /path/to/my/layout; + }; + } + ''; description = lib.mdDoc '' Extra custom layouts that will be included in the xkb configuration. Information on how to create a new layout can be found here: diff --git a/nixpkgs/nixos/modules/virtualisation/incus.nix b/nixpkgs/nixos/modules/virtualisation/incus.nix new file mode 100644 index 000000000000..3a4f0d7157a0 --- /dev/null +++ b/nixpkgs/nixos/modules/virtualisation/incus.nix 
@@ -0,0 +1,236 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.virtualisation.incus; + preseedFormat = pkgs.formats.yaml { }; +in +{ + meta.maintainers = [ lib.maintainers.adamcstephens ]; + + options = { + virtualisation.incus = { + enable = lib.mkEnableOption (lib.mdDoc '' + incusd, a daemon that manages containers and virtual machines. + + Users in the "incus-admin" group can interact with + the daemon (e.g. to start or stop containers) using the + {command}`incus` command line tool, among others. + ''); + + package = lib.mkPackageOptionMD pkgs "incus" { }; + + lxcPackage = lib.mkPackageOptionMD pkgs "lxc" { }; + + preseed = lib.mkOption { + type = lib.types.nullOr ( + lib.types.submodule { freeformType = preseedFormat.type; } + ); + + default = null; + + description = lib.mdDoc '' + Configuration for Incus preseed, see + <https://linuxcontainers.org/incus/docs/main/howto/initialize/#non-interactive-configuration> + for supported values. + + Changes to this will be re-applied to Incus which will overwrite existing entities or create missing ones, + but entities will *not* be removed by preseed. + ''; + + example = { + networks = [ + { + name = "incusbr0"; + type = "bridge"; + config = { + "ipv4.address" = "10.0.100.1/24"; + "ipv4.nat" = "true"; + }; + } + ]; + profiles = [ + { + name = "default"; + devices = { + eth0 = { + name = "eth0"; + network = "incusbr0"; + type = "nic"; + }; + root = { + path = "/"; + pool = "default"; + size = "35GiB"; + type = "disk"; + }; + }; + } + ]; + storage_pools = [ + { + name = "default"; + driver = "dir"; + config = { + source = "/var/lib/incus/storage-pools/default"; + }; + } + ]; + }; + }; + + socketActivation = lib.mkEnableOption ( + lib.mdDoc '' + socket-activation for starting incus.service. Enabling this option + will stop incus.service from starting automatically on boot. 
+ '' + ); + + startTimeout = lib.mkOption { + type = lib.types.ints.unsigned; + default = 600; + apply = toString; + description = lib.mdDoc '' + Time to wait (in seconds) for incusd to become ready to process requests. + If incusd does not reply within the configured time, `incus.service` will be + considered failed and systemd will attempt to restart it. + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + # https://github.com/lxc/incus/blob/f145309929f849b9951658ad2ba3b8f10cbe69d1/doc/reference/server_settings.md + boot.kernel.sysctl = { + "fs.aio-max-nr" = lib.mkDefault 524288; + "fs.inotify.max_queued_events" = lib.mkDefault 1048576; + "fs.inotify.max_user_instances" = lib.mkOverride 1050 1048576; # override in case conflict nixos/modules/services/x11/xserver.nix + "fs.inotify.max_user_watches" = lib.mkOverride 1050 1048576; # override in case conflict nixos/modules/services/x11/xserver.nix + "kernel.dmesg_restrict" = lib.mkDefault 1; + "kernel.keys.maxbytes" = lib.mkDefault 2000000; + "kernel.keys.maxkeys" = lib.mkDefault 2000; + "net.core.bpf_jit_limit" = lib.mkDefault 1000000000; + "net.ipv4.neigh.default.gc_thresh3" = lib.mkDefault 8192; + "net.ipv6.neigh.default.gc_thresh3" = lib.mkDefault 8192; + # vm.max_map_count is set higher in nixos/modules/config/sysctl.nix + }; + + boot.kernelModules = [ + "veth" + "xt_comment" + "xt_CHECKSUM" + "xt_MASQUERADE" + "vhost_vsock" + ] ++ lib.optionals (!config.networking.nftables.enable) [ "iptable_mangle" ]; + + environment.systemPackages = [ cfg.package ]; + + # Note: the following options are also declared in virtualisation.lxc, but + # the latter can't be simply enabled to reuse the formers, because it + # does a bunch of unrelated things. 
+ systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ]; + + security.apparmor = { + packages = [ cfg.lxcPackage ]; + policies = { + "bin.lxc-start".profile = '' + include ${cfg.lxcPackage}/etc/apparmor.d/usr.bin.lxc-start + ''; + "lxc-containers".profile = '' + include ${cfg.lxcPackage}/etc/apparmor.d/lxc-containers + ''; + }; + }; + + systemd.services.incus = { + description = "Incus Container and Virtual Machine Management Daemon"; + + wantedBy = lib.mkIf (!cfg.socketActivation) [ "multi-user.target" ]; + after = [ + "network-online.target" + "lxcfs.service" + ] ++ (lib.optional cfg.socketActivation "incus.socket"); + requires = [ + "lxcfs.service" + ] ++ (lib.optional cfg.socketActivation "incus.socket"); + wants = [ + "network-online.target" + ]; + + path = lib.mkIf config.boot.zfs.enabled [ config.boot.zfs.package ]; + + environment = { + # Override Path to the LXC template configuration directory + INCUS_LXC_TEMPLATE_CONFIG = "${pkgs.lxcfs}/share/lxc/config"; + }; + + serviceConfig = { + ExecStart = "${cfg.package}/bin/incusd --group incus-admin"; + ExecStartPost = "${cfg.package}/bin/incusd waitready --timeout=${cfg.startTimeout}"; + ExecStop = "${cfg.package}/bin/incus admin shutdown"; + + KillMode = "process"; # when stopping, leave the containers alone + Delegate = "yes"; + LimitMEMLOCK = "infinity"; + LimitNOFILE = "1048576"; + LimitNPROC = "infinity"; + TasksMax = "infinity"; + + Restart = "on-failure"; + TimeoutStartSec = "${cfg.startTimeout}s"; + TimeoutStopSec = "30s"; + }; + }; + + systemd.sockets.incus = lib.mkIf cfg.socketActivation { + description = "Incus UNIX socket"; + wantedBy = [ "sockets.target" ]; + + socketConfig = { + ListenStream = "/var/lib/incus/unix.socket"; + SocketMode = "0660"; + SocketGroup = "incus-admin"; + Service = "incus.service"; + }; + }; + + systemd.services.incus-preseed = lib.mkIf (cfg.preseed != null) { + description = "Incus initialization with preseed file"; + + wantedBy = ["incus.service"]; + after 
= ["incus.service"]; + bindsTo = ["incus.service"]; + partOf = ["incus.service"]; + + script = '' + ${cfg.package}/bin/incus admin init --preseed <${ + preseedFormat.generate "incus-preseed.yaml" cfg.preseed + } + ''; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + }; + + users.groups.incus-admin = { }; + + users.users.root = { + # match documented default ranges https://linuxcontainers.org/incus/docs/main/userns-idmap/#allowed-ranges + subUidRanges = [ + { + startUid = 1000000; + count = 1000000000; + } + ]; + subGidRanges = [ + { + startGid = 1000000; + count = 1000000000; + } + ]; + }; + + virtualisation.lxc.lxcfs.enable = true; + }; +} |
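Review bot: The `enable` description says members of `incus-admin` can "interact with the daemon", but `incusd --group incus-admin` plus the `SocketMode = "0660"` / `SocketGroup = "incus-admin"` socket hand that group full control of a root daemon that attaches host devices and file systems, which the Incus documentation treats as root-equivalent; the description should state this plainly, e.g. add `Membership in this group is equivalent to root access on the host.` Likewise `preseed` is rendered by `preseedFormat.generate "incus-preseed.yaml"` into the world-readable Nix store, so its description should warn against placing credentials such as cluster join tokens in it. A smaller point: `waitready --timeout=${cfg.startTimeout}` runs under `TimeoutStartSec = "${cfg.startTimeout}s"`, which also covers `ExecStart`, so systemd can abort the start just before `waitready` would report its own failure; giving `TimeoutStartSec` some headroom avoids that ambiguous failure mode.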