author | Alyssa Ross <hi@alyssa.is> | 2023-11-20 14:55:32 +0100 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2023-11-20 14:55:32 +0100 |
commit | 34b58aaefccdb5c64b912903973ba729bae58be3 (patch) | |
tree | e18a96bc0f066422356a8da655453403baa97e64 /nixpkgs/nixos | |
parent | 7be318098d7fe87d896e8787bfadc0345149cb59 (diff) | |
parent | 3fb937a1e9f4157f57011965b99fcb7f4139d9ad (diff) | |
download | nixlib-34b58aaefccdb5c64b912903973ba729bae58be3.tar nixlib-34b58aaefccdb5c64b912903973ba729bae58be3.tar.gz nixlib-34b58aaefccdb5c64b912903973ba729bae58be3.tar.bz2 nixlib-34b58aaefccdb5c64b912903973ba729bae58be3.tar.lz nixlib-34b58aaefccdb5c64b912903973ba729bae58be3.tar.xz nixlib-34b58aaefccdb5c64b912903973ba729bae58be3.tar.zst nixlib-34b58aaefccdb5c64b912903973ba729bae58be3.zip |
Merge branch 'nixos-unstable-small' of https://github.com/NixOS/nixpkgs
Diffstat (limited to 'nixpkgs/nixos')
17 files changed, 444 insertions, 168 deletions
diff --git a/nixpkgs/nixos/modules/module-list.nix b/nixpkgs/nixos/modules/module-list.nix index b6519d17b9a4..9f79c70125fc 100644 --- a/nixpkgs/nixos/modules/module-list.nix +++ b/nixpkgs/nixos/modules/module-list.nix @@ -800,6 +800,7 @@ ./services/monitoring/munin.nix ./services/monitoring/nagios.nix ./services/monitoring/netdata.nix + ./services/monitoring/ocsinventory-agent.nix ./services/monitoring/opentelemetry-collector.nix ./services/monitoring/osquery.nix ./services/monitoring/parsedmarc.nix diff --git a/nixpkgs/nixos/modules/services/misc/amazon-ssm-agent.nix b/nixpkgs/nixos/modules/services/misc/amazon-ssm-agent.nix index 0be79e759c31..02e44c73d87a 100644 --- a/nixpkgs/nixos/modules/services/misc/amazon-ssm-agent.nix +++ b/nixpkgs/nixos/modules/services/misc/amazon-ssm-agent.nix @@ -33,19 +33,22 @@ in { }; config = mkIf cfg.enable { + # See https://github.com/aws/amazon-ssm-agent/blob/mainline/packaging/linux/amazon-ssm-agent.service systemd.services.amazon-ssm-agent = { inherit (cfg.package.meta) description; - after = [ "network.target" ]; + after = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; path = [ fake-lsb-release pkgs.coreutils ]; + serviceConfig = { ExecStart = "${cfg.package}/bin/amazon-ssm-agent"; KillMode = "process"; # We want this restating pretty frequently. It could be our only means # of accessing the instance. Restart = "always"; - RestartSec = "1min"; + RestartPreventExitStatus = 194; + RestartSec = "90"; }; }; @@ -70,7 +73,7 @@ in { group = "ssm-user"; }; - environment.etc."amazon/ssm/seelog.xml".source = "${cfg.package}/seelog.xml.template"; + environment.etc."amazon/ssm/seelog.xml".source = "${cfg.package}/etc/amazon/ssm/seelog.xml.template"; environment.etc."amazon/ssm/amazon-ssm-agent.json".source = "${cfg.package}/etc/amazon/ssm/amazon-ssm-agent.json.template"; 
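Review bot: `after = [ "network-online.target" ];` in the amazon-ssm-agent hunk only orders the unit after that target; nothing pulls the target in, so on a machine where nothing else wants it the agent can still start before the network is usable, exactly the situation the change is trying to fix. systemd's own guidance is that network-online.target must be pulled in with both Wants= and After=, so add `wants = [ "network-online.target" ];` beside it. The new `RestartPreventExitStatus = 194;` is opaque without context; a why-comment such as `# status 194 is a deliberate stop in the upstream unit linked above; do not restart on it` would help, provided that matches the upstream service file, which I cannot verify from this hunk. The `config = mkIf cfg.enable { … }` attrset continues past the hunk.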
diff --git a/nixpkgs/nixos/modules/services/monitoring/ocsinventory-agent.md b/nixpkgs/nixos/modules/services/monitoring/ocsinventory-agent.md new file mode 100644 index 000000000000..50e246fb6531 --- /dev/null +++ b/nixpkgs/nixos/modules/services/monitoring/ocsinventory-agent.md @@ -0,0 +1,33 @@ +# OCS Inventory Agent {#module-services-ocsinventory-agent} + +[OCS Inventory NG](https://ocsinventory-ng.org/) or Open Computers and Software inventory +is an application designed to help IT administrator to keep track of the hardware and software +configurations of computers that are installed on their network. + +OCS Inventory collects information about the hardware and software of networked machines +through the **OCS Inventory Agent** program. + +This NixOS module enables you to install and configure this agent so that it sends information from your computer to the OCS Inventory server. + +For more technical information about OCS Inventory Agent, refer to [the Wiki documentation](https://wiki.ocsinventory-ng.org/03.Basic-documentation/Setting-up-the-UNIX-agent-manually-on-client-computers/). + + +## Basic Usage {#module-services-ocsinventory-agent-basic-usage} + +A minimal configuration looks like this: + +```nix +{ + services.ocsinventory-agent = { + enable = true; + settings = { + server = "https://ocsinventory.localhost:8080/ocsinventory"; + tag = "01234567890123"; + }; + }; +} +``` + +This configuration will periodically run the ocsinventory-agent SystemD service. + +The OCS Inventory Agent will inventory the computer and then sends the results to the specified OCS Inventory Server. diff --git a/nixpkgs/nixos/modules/services/monitoring/ocsinventory-agent.nix b/nixpkgs/nixos/modules/services/monitoring/ocsinventory-agent.nix new file mode 100644 index 000000000000..7585ae863750 --- /dev/null +++ b/nixpkgs/nixos/modules/services/monitoring/ocsinventory-agent.nix 
@@ -0,0 +1,134 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.ocsinventory-agent; + + settingsFormat = pkgs.formats.keyValue { + mkKeyValue = lib.generators.mkKeyValueDefault { } "="; + }; + +in +{ + meta = { + doc = ./ocsinventory-agent.md; + maintainers = with lib.maintainers; [ anthonyroussel ]; + }; + + options = { + services.ocsinventory-agent = { + enable = lib.mkEnableOption (lib.mdDoc "OCS Inventory Agent"); + + package = lib.mkPackageOptionMD pkgs "ocsinventory-agent" { }; + + settings = lib.mkOption { + type = lib.types.submodule { + freeformType = settingsFormat.type.nestedTypes.elemType; + + options = { + server = lib.mkOption { + type = lib.types.nullOr lib.types.str; + example = "https://ocsinventory.localhost:8080/ocsinventory"; + default = null; + description = lib.mdDoc '' + The URI of the OCS Inventory server where to send the inventory file. + + This option is ignored if {option}`services.ocsinventory-agent.settings.local` is set. + ''; + }; + + local = lib.mkOption { + type = lib.types.nullOr lib.types.path; + example = "/var/lib/ocsinventory-agent/reports"; + default = null; + description = lib.mdDoc '' + If specified, the OCS Inventory Agent will run in offline mode + and the resulting inventory file will be stored in the specified path. + ''; + }; + + ca = lib.mkOption { + type = lib.types.path; + default = "/etc/ssl/certs/ca-certificates.crt"; + description = lib.mdDoc '' + Path to CA certificates file in PEM format, for server + SSL certificate validation. 
+ ''; + }; + + tag = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + example = "01234567890123"; + description = lib.mdDoc "Tag for the generated inventory."; + }; + + debug = lib.mkEnableOption (lib.mdDoc "debug mode"); + }; + }; + default = { }; + example = { + ca = "/etc/ssl/certs/ca-certificates.crt"; + debug = true; + server = "https://ocsinventory.localhost:8080/ocsinventory"; + tag = "01234567890123"; + }; + description = lib.mdDoc '' + Configuration for /etc/ocsinventory-agent/ocsinventory-agent.cfg. + + Refer to + {manpage}`ocsinventory-agent(1)` for available options. + ''; + }; + + interval = lib.mkOption { + type = lib.types.str; + default = "daily"; + example = "06:00"; + description = lib.mdDoc '' + How often we run the ocsinventory-agent service. Runs by default every daily. + + The format is described in + {manpage}`systemd.time(7)`. + ''; + }; + }; + }; + + config = + let + configFile = settingsFormat.generate "ocsinventory-agent.cfg" cfg.settings; + + in lib.mkIf cfg.enable { + # Path of the configuration file is hard-coded and cannot be changed + # https://github.com/OCSInventory-NG/UnixAgent/blob/v2.10.0/lib/Ocsinventory/Agent/Config.pm#L78 + # + environment.etc."ocsinventory-agent/ocsinventory-agent.cfg".source = configFile; + + systemd.services.ocsinventory-agent = { + description = "OCS Inventory Agent service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + reloadTriggers = [ configFile ]; + + serviceConfig = { + ExecStart = lib.getExe cfg.package; + ConfigurationDirectory = "ocsinventory-agent"; + StateDirectory = "ocsinventory-agent"; + }; + }; + + systemd.timers.ocsinventory-agent = { + description = "Launch OCS Inventory Agent regularly"; + wantedBy = [ "timers.target" ]; + + timerConfig = { + OnCalendar = cfg.interval; + AccuracySec = "1h"; + RandomizedDelaySec = 240; + Persistent = true; + Unit = "ocsinventory-agent.service"; + }; + }; + }; +} 
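Review bot: `server`, `local` and `tag` default to `null`, and `configFile = settingsFormat.generate "ocsinventory-agent.cfg" cfg.settings` hands the whole attrset to the keyValue generator, which as far as I know renders a null as an empty value instead of dropping the key, so the default file contains `server=`, `local=` and `tag=` lines; whether the agent treats an empty `server=` as unset is not something this hunk shows, so filter first: `configFile = settingsFormat.generate "ocsinventory-agent.cfg" (lib.filterAttrs (_: v: v != null) cfg.settings);`. `server` is a bare `lib.types.str`, so a plain `http://` URI is accepted and the host's hardware and software inventory would leave the machine in cleartext, with the `ca` option silently irrelevant; a note on the option, `# prefer an https:// URI; the ca option only applies to TLS endpoints`, or a `lib.types.strMatching` restricted to https would make that explicit. The service is also `wantedBy = [ "multi-user.target" ]` in addition to the timer's `Unit = "ocsinventory-agent.service"`, so an inventory run happens at every boot as well as on the `interval` schedule, which is fine if intended but deserves a comment.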
diff --git a/nixpkgs/nixos/modules/services/monitoring/thanos.nix b/nixpkgs/nixos/modules/services/monitoring/thanos.nix index e6d8afc66624..db8641aa6146 100644 --- a/nixpkgs/nixos/modules/services/monitoring/thanos.nix +++ b/nixpkgs/nixos/modules/services/monitoring/thanos.nix @@ -1,14 +1,37 @@ { config, lib, pkgs, ... }: -with lib; - let + inherit (lib) + collect + concatLists + concatStringsSep + flip + getAttrFromPath + hasPrefix + isList + length + literalExpression + literalMD + mapAttrsRecursiveCond + mapAttrsToList + mdDoc + mkEnableOption + mkIf + mkMerge + mkOption + mkPackageOptionMD + optional + optionalAttrs + optionalString + types + ; + cfg = config.services.thanos; nullOpt = type: description: mkOption { type = types.nullOr type; default = null; - description = lib.mdDoc description; + description = mdDoc description; }; optionToArgs = opt: v : optional (v != null) ''--${opt}="${toString v}"''; @@ -32,7 +55,7 @@ let option = mkOption { type = types.bool; default = false; - description = lib.mdDoc description; + description = mdDoc description; }; }; @@ -41,7 +64,7 @@ let option = mkOption { type = types.listOf types.str; default = []; - description = lib.mdDoc description; + description = mdDoc description; }; }; @@ -50,7 +73,7 @@ let option = mkOption { type = types.attrsOf types.str; default = {}; - description = lib.mdDoc description; + description = mdDoc description; }; }; @@ -59,7 +82,7 @@ let option = mkOption { type = types.str; inherit default; - description = lib.mdDoc description; + description = mdDoc description; }; }; @@ -86,7 +109,7 @@ let defaultText = literalMD '' calculated from `config.services.thanos.${cmd}` ''; - description = lib.mdDoc '' + description = mdDoc '' Arguments to the `thanos ${cmd}` command. Defaults to a list of arguments formed by converting the structured 
@@ -127,10 +150,10 @@ let if config.services.thanos.<cmd>.tracing.config == null then null else toString (toYAML "tracing.yaml" config.services.thanos.<cmd>.tracing.config); ''; - description = lib.mdDoc '' + description = mdDoc '' Path to YAML file that contains tracing configuration. - See format details: <https://thanos.io/tracing.md/#configuration> + See format details: <https://thanos.io/tip/thanos/tracing.md/#configuration> ''; }; }; @@ -147,7 +170,7 @@ let If {option}`tracing.config-file` is set this option has no effect. - See format details: <https://thanos.io/tracing.md/#configuration> + See format details: <https://thanos.io/tip/thanos/tracing.md/#configuration> ''; }; }; @@ -192,10 +215,10 @@ let if config.services.thanos.<cmd>.objstore.config == null then null else toString (toYAML "objstore.yaml" config.services.thanos.<cmd>.objstore.config); ''; - description = lib.mdDoc '' + description = mdDoc '' Path to YAML file that contains object store configuration. - See format details: <https://thanos.io/storage.md/#configuration> + See format details: <https://thanos.io/tip/thanos/storage.md/#configuring-access-to-object-storage> ''; }; }; @@ -212,7 +235,7 @@ let If {option}`objstore.config-file` is set this option has no effect. - See format details: <https://thanos.io/storage.md/#configuration> + See format details: <https://thanos.io/tip/thanos/storage.md/#configuring-access-to-object-storage> ''; }; }; @@ -231,7 +254,7 @@ let type = types.str; default = "/var/lib/${config.services.prometheus.stateDir}/data"; defaultText = literalExpression ''"/var/lib/''${config.services.prometheus.stateDir}/data"''; - description = lib.mdDoc '' + description = mdDoc '' Data directory of TSDB. ''; }; 
@@ -266,14 +289,14 @@ let Maximum size of concurrently allocatable bytes for chunks. ''; - store.grpc.series-sample-limit = mkParamDef types.int 0 '' - Maximum amount of samples returned via a single Series call. + store.limits.request-samples = mkParamDef types.int 0 '' + The maximum samples allowed for a single Series request. + The Series call fails if this limit is exceeded. `0` means no limit. - NOTE: for efficiency we take 120 as the number of samples in chunk (it - cannot be bigger than that), so the actual number of samples might be - lower, even though the maximum could be hit. + NOTE: For efficiency the limit is internally implemented as 'chunks limit' + considering each chunk contains a maximum of 120 samples. ''; store.grpc.series-max-concurrency = mkParamDef types.int 20 '' @@ -371,24 +394,25 @@ let Maximum number of queries processed concurrently by query node. ''; - query.replica-label = mkParam types.str '' - Label to treat as a replica indicator along which data is + query.replica-labels = mkAttrsParam "query.replica-label" '' + Labels to treat as a replica indicator along which data is + deduplicated. Still you will be able to query without deduplication using - `dedup=false` parameter. + 'dedup=false' parameter. Data includes time series, recording + rules, and alerting rules. ''; selector-labels = mkAttrsParam "selector-label" '' Query selector labels that will be exposed in info endpoint. ''; - store.addresses = mkListParam "store" '' - Addresses of statically configured store API servers. + endpoints = mkListParam "endpoint" '' + Addresses of statically configured Thanos API servers (repeatable). - The scheme may be prefixed with `dns+` or - `dnssrv+` to detect store API servers through - respective DNS lookups. + The scheme may be prefixed with 'dns+' or 'dnssrv+' to detect + Thanos API servers through respective DNS lookups. ''; store.sd-files = mkListParam "store.sd-files" '' 
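Review bot: `query.replica-labels = mkAttrsParam "query.replica-label"` models the flag as an attribute set, but `--query.replica-label` takes bare label names (repeatable), not `name=value` pairs; if `mkAttrsParam` renders each entry as `--query.replica-label="name=value"` the way `label` and `selector-label` do, the resulting name never matches a real replica label and deduplication silently does nothing. `mkListParam "query.replica-label"` (a list of strings, the same shape as the new `endpoints`) looks like the right construct; `mkAttrsParam` is defined outside the hunk, so please confirm against it. The same hunk renames `store.addresses` to `endpoints` and `query.replica-label` to `query.replica-labels`, and the preceding hunk renames `store.grpc.series-sample-limit` to `store.limits.request-samples`, without `mkRenamedOptionModule` or `mkRemovedOptionModule` entries, so existing configurations fail with an undefined-option error instead of a migration hint.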
@@ -430,6 +454,12 @@ let ''; }; + query-frontend = params.common cfg.query-frontend // { + query-frontend.downstream-url = mkParamDef types.str "http://localhost:9090" '' + URL of downstream Prometheus Query compatible API. + ''; + }; + rule = params.common cfg.rule // params.objstore cfg.rule // { labels = mkAttrsParam "label" '' @@ -447,7 +477,7 @@ let Rule files that should be used by rule manager. Can be in glob format. ''; - eval-interval = mkParamDef types.str "30s" '' + eval-interval = mkParamDef types.str "1m" '' The default evaluation interval to use. ''; @@ -597,10 +627,6 @@ let to render all samples for a human eye anyway ''; - block-sync-concurrency = mkParamDef types.int 20 '' - Number of goroutines to use when syncing block metadata from object storage. - ''; - compact.concurrency = mkParamDef types.int 1 '' Number of goroutines to use when compacting groups. ''; @@ -625,7 +651,7 @@ let Data directory relative to `/var/lib` of TSDB. ''; - labels = mkAttrsParam "labels" '' + labels = mkAttrsParam "label" '' External labels to announce. This flag will be removed in the future when handling multiple tsdb 
@@ -656,57 +682,56 @@ in { options.services.thanos = { - package = mkOption { - type = types.package; - default = pkgs.thanos; - defaultText = literalExpression "pkgs.thanos"; - description = lib.mdDoc '' - The thanos package that should be used. - ''; - }; + package = mkPackageOptionMD pkgs "thanos" {}; sidecar = paramsToOptions params.sidecar // { enable = mkEnableOption - (lib.mdDoc "the Thanos sidecar for Prometheus server"); + (mdDoc "the Thanos sidecar for Prometheus server"); arguments = mkArgumentsOption "sidecar"; }; store = paramsToOptions params.store // { enable = mkEnableOption - (lib.mdDoc "the Thanos store node giving access to blocks in a bucket provider."); + (mdDoc "the Thanos store node giving access to blocks in a bucket provider."); arguments = mkArgumentsOption "store"; }; query = paramsToOptions params.query // { enable = mkEnableOption - (lib.mdDoc ("the Thanos query node exposing PromQL enabled Query API " + + (mdDoc ("the Thanos query node exposing PromQL enabled Query API " + "with data retrieved from multiple store nodes")); arguments = mkArgumentsOption "query"; }; + query-frontend = paramsToOptions params.query-frontend // { + enable = mkEnableOption + (mdDoc ("the Thanos query frontend implements a service deployed in front of queriers to + improve query parallelization and caching.")); + arguments = mkArgumentsOption "query-frontend"; + }; + rule = paramsToOptions params.rule // { enable = mkEnableOption - (lib.mdDoc ("the Thanos ruler service which evaluates Prometheus rules against" + + (mdDoc ("the Thanos ruler service which evaluates Prometheus rules against" + " given Query nodes, exposing Store API and storing old blocks in bucket")); arguments = mkArgumentsOption "rule"; }; compact = paramsToOptions params.compact // { enable = mkEnableOption - (lib.mdDoc "the Thanos compactor which continuously compacts blocks in an object store bucket"); + (mdDoc "the Thanos compactor which continuously compacts blocks in an object store 
bucket"); arguments = mkArgumentsOption "compact"; }; downsample = paramsToOptions params.downsample // { enable = mkEnableOption - (lib.mdDoc "the Thanos downsampler which continuously downsamples blocks in an object store bucket"); + (mdDoc "the Thanos downsampler which continuously downsamples blocks in an object store bucket"); arguments = mkArgumentsOption "downsample"; }; receive = paramsToOptions params.receive // { enable = mkEnableOption - (lib.mdDoc ("the Thanos receiver which accept Prometheus remote write API requests " + - "and write to local tsdb (EXPERIMENTAL, this may change drastically without notice)")); + (mdDoc ("the Thanos receiver which accept Prometheus remote write API requests and write to local tsdb")); arguments = mkArgumentsOption "receive"; }; }; @@ -736,6 +761,7 @@ in { User = "prometheus"; Restart = "always"; ExecStart = thanos "sidecar"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; }; }; }) @@ -751,6 +777,7 @@ in { StateDirectory = cfg.store.stateDir; Restart = "always"; ExecStart = thanos "store"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; }; }; } @@ -764,6 +791,20 @@ in { DynamicUser = true; Restart = "always"; ExecStart = thanos "query"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + }; + }; + }) + + (mkIf cfg.query-frontend.enable { + systemd.services.thanos-query-frontend = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = { + DynamicUser = true; + Restart = "always"; + ExecStart = thanos "query-frontend"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; }; }; }) @@ -779,6 +820,7 @@ in { StateDirectory = cfg.rule.stateDir; Restart = "always"; ExecStart = thanos "rule"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; }; }; } 
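Review bot: The query-frontend description, `mkEnableOption (mdDoc ("the Thanos query frontend implements a service deployed in front of queriers to improve query parallelization and caching."))`, is rendered after the fixed prefix "Whether to enable", producing "Whether to enable the Thanos query frontend implements a service …", which is not a sentence; the sibling options use a noun phrase, e.g. `(mdDoc "the Thanos query frontend, a service deployed in front of queriers to improve query parallelization and caching")`. The same literal also carries a raw line break inside a `"…"` string, unlike the `+`-joined style used for `query` two options above. This hunk starts on the previous line of the page.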
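Review bot: `ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";` is added to every thanos-* unit here and in the compact, downsample and receive hunks that follow, but it is only meaningful where the binary installs a SIGHUP handler; a Go process that does not is terminated by SIGHUP, so `systemctl reload` turns into a kill followed by `Restart = "always"` (or, for compact, which has no Restart line, a plain kill). I believe only the rule command re-reads its rule files on SIGHUP; please verify per command, keep the line only where a reload path exists, and say what it reloads, e.g. `# SIGHUP makes thanos rule re-read --rule-file`. The enclosing `systemd.services.thanos-*` attrsets start and end outside the hunks.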
@@ -797,6 +839,7 @@ in { DynamicUser = true; StateDirectory = cfg.compact.stateDir; ExecStart = thanos "compact"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; }; } // optionalAttrs (!wait) { inherit (cfg.compact) startAt; }; } @@ -813,6 +856,7 @@ in { StateDirectory = cfg.downsample.stateDir; Restart = "always"; ExecStart = thanos "downsample"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; }; }; } @@ -829,6 +873,7 @@ in { StateDirectory = cfg.receive.stateDir; Restart = "always"; ExecStart = thanos "receive"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; }; }; } diff --git a/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix b/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix index d370e6946d7b..3f10145033c5 100644 --- a/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix +++ b/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix @@ -162,7 +162,7 @@ in }; extraFlags = mkOption { - default = []; + default = [ ]; example = [ "-s" ]; type = types.listOf types.str; description = lib.mdDoc "Extra flags passed to the chronyd command."; @@ -178,7 +178,8 @@ in users.groups.chrony.gid = config.ids.gids.chrony; users.users.chrony = - { uid = config.ids.uids.chrony; + { + uid = config.ids.uids.chrony; group = "chrony"; description = "chrony daemon user"; home = stateDir; @@ -202,12 +203,13 @@ in ]; systemd.services.chronyd = - { description = "chrony NTP daemon"; + { + description = "chrony NTP daemon"; wantedBy = [ "multi-user.target" ]; - wants = [ "time-sync.target" ]; - before = [ "time-sync.target" ]; - after = [ "network.target" "nss-lookup.target" ]; + wants = [ "time-sync.target" ]; + before = [ "time-sync.target" ]; + after = [ "network.target" "nss-lookup.target" ]; conflicts = [ "ntpd.service" "systemd-timesyncd.service" ]; path = [ chronyPkg ]; 
@@ -255,5 +257,18 @@ in SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @resources" "@clock" "@setuid" "capset" "@chown" ]; }; }; + + assertions = [ + { + assertion = !(cfg.enableRTCTrimming && builtins.any (line: (builtins.match "^ *rtcsync" line) != null) (lib.strings.splitString "\n" cfg.extraConfig)); + message = '' + The chrony module now configures `rtcfile` and `rtcautotrim` for you. + These options conflict with `rtcsync` and cause chrony to crash. + Unless you are very sure the former isn't what you want, please remove + `rtcsync` from `services.chrony.extraConfig`. + Alternatively, disable this behaviour by `services.chrony.enableRTCTrimming = false;` + ''; + } + ]; }; } diff --git a/nixpkgs/nixos/modules/services/networking/pixiecore.nix b/nixpkgs/nixos/modules/services/networking/pixiecore.nix index f410be471646..1f47a1d0b631 100644 --- a/nixpkgs/nixos/modules/services/networking/pixiecore.nix +++ b/nixpkgs/nixos/modules/services/networking/pixiecore.nix @@ -16,7 +16,7 @@ in type = types.bool; default = false; description = lib.mdDoc '' - Open ports (67, 69 UDP and 4011, 'port', 'statusPort' TCP) in the firewall for Pixiecore. + Open ports (67, 69, 4011 UDP and 'port', 'statusPort' TCP) in the firewall for Pixiecore. ''; }; @@ -103,8 +103,8 @@ in }; networking.firewall = mkIf cfg.openFirewall { - allowedTCPPorts = [ 4011 cfg.port cfg.statusPort ]; - allowedUDPPorts = [ 67 69 ]; + allowedTCPPorts = [ cfg.port cfg.statusPort ]; + allowedUDPPorts = [ 67 69 4011 ]; }; systemd.services.pixiecore = { diff --git a/nixpkgs/nixos/modules/services/networking/squid.nix b/nixpkgs/nixos/modules/services/networking/squid.nix index 914cd7f320c9..f93bcf19f2b3 100644 --- a/nixpkgs/nixos/modules/services/networking/squid.nix +++ b/nixpkgs/nixos/modules/services/networking/squid.nix 
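Review bot: The `rtcsync` detection, `builtins.match "^ *rtcsync" line`, misses the common spellings: `builtins.match` matches the whole string, so only a line that is exactly `rtcsync` (with leading spaces) is caught, while `rtcsync # comment`, `rtcsync` with trailing whitespace, or a tab-indented line slips through and chrony still crashes as the message warns; the `^` is redundant in a full-string match. Use `(builtins.match "[ \t]*rtcsync([ \t].*)?" line) != null` instead. `cfg.enableRTCTrimming` and the rest of the `config` block are defined outside this hunk.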
@@ -176,7 +176,7 @@ in serviceConfig = { PIDFile="/run/squid.pid"; ExecStart = "${cfg.package}/bin/squid --foreground -YCs -f ${squidConfig}"; - ExecReload="kill -HUP $MAINPID"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; KillMode="mixed"; NotifyAccess="all"; }; diff --git a/nixpkgs/nixos/modules/services/web-servers/caddy/default.nix b/nixpkgs/nixos/modules/services/web-servers/caddy/default.nix index ce74e243a181..dcacb40e4681 100644 --- a/nixpkgs/nixos/modules/services/web-servers/caddy/default.nix +++ b/nixpkgs/nixos/modules/services/web-servers/caddy/default.nix @@ -376,7 +376,9 @@ in ReadWriteDirectories = cfg.dataDir; StateDirectory = mkIf (cfg.dataDir == "/var/lib/caddy") [ "caddy" ]; LogsDirectory = mkIf (cfg.logDir == "/var/log/caddy") [ "caddy" ]; - Restart = "on-abnormal"; + Restart = "on-failure"; + RestartPreventExitStatus = 1; + RestartSecs = "5s"; # TODO: attempt to upstream these options NoNewPrivileges = true; diff --git a/nixpkgs/nixos/modules/services/web-servers/tomcat.nix b/nixpkgs/nixos/modules/services/web-servers/tomcat.nix index 4d2c36287be6..30d6b99fcfda 100644 --- a/nixpkgs/nixos/modules/services/web-servers/tomcat.nix +++ b/nixpkgs/nixos/modules/services/web-servers/tomcat.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.services.tomcat; 
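Review bot: `RestartSecs = "5s";` in the caddy hunk is not a systemd directive (the key is `RestartSec`), so systemd logs an unknown-key warning, ignores it, and the unit restarts with the default 100 ms delay; change it to `RestartSec = "5s";`. The combination `Restart = "on-failure"` plus `RestartPreventExitStatus = 1` reads as "retry transient failures, do not loop on a bad config", but that reasoning is not written down; a comment like `# exit status 1 is assumed to be a configuration error, which a restart cannot fix — confirm against caddy's exit codes` would stop the next reader from removing it. The `serviceConfig` attrset continues outside the hunk.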
@@ -9,30 +7,20 @@ let in { - meta = { - maintainers = with maintainers; [ danbst ]; + maintainers = with lib.maintainers; [ danbst ]; }; ###### interface options = { - services.tomcat = { - enable = mkEnableOption (lib.mdDoc "Apache Tomcat"); + enable = lib.mkEnableOption (lib.mdDoc "Apache Tomcat"); - package = mkOption { - type = types.package; - default = pkgs.tomcat9; - defaultText = literalExpression "pkgs.tomcat9"; - example = lib.literalExpression "pkgs.tomcat9"; - description = lib.mdDoc '' - Which tomcat package to use. - ''; - }; + package = lib.mkPackageOptionMD pkgs "tomcat9" { }; - purifyOnStart = mkOption { - type = types.bool; + purifyOnStart = lib.mkOption { + type = lib.types.bool; default = false; description = lib.mdDoc '' On startup, the `baseDir` directory is populated with various files, @@ -43,7 +31,7 @@ in ''; }; - baseDir = mkOption { + baseDir = lib.mkOption { type = lib.types.path; default = "/var/tomcat"; description = lib.mdDoc '' 
@@ -53,64 +41,64 @@ in ''; }; - logDirs = mkOption { - default = []; - type = types.listOf types.path; + logDirs = lib.mkOption { + default = [ ]; + type = lib.types.listOf lib.types.path; description = lib.mdDoc "Directories to create in baseDir/logs/"; }; - extraConfigFiles = mkOption { - default = []; - type = types.listOf types.path; + extraConfigFiles = lib.mkOption { + default = [ ]; + type = lib.types.listOf lib.types.path; description = lib.mdDoc "Extra configuration files to pull into the tomcat conf directory"; }; - extraEnvironment = mkOption { - type = types.listOf types.str; - default = []; + extraEnvironment = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; example = [ "ENVIRONMENT=production" ]; description = lib.mdDoc "Environment Variables to pass to the tomcat service"; }; - extraGroups = mkOption { - default = []; - type = types.listOf types.str; + extraGroups = lib.mkOption { + default = [ ]; + type = lib.types.listOf lib.types.str; example = [ "users" ]; description = lib.mdDoc "Defines extra groups to which the tomcat user belongs."; }; - user = mkOption { - type = types.str; + user = lib.mkOption { + type = lib.types.str; default = "tomcat"; description = lib.mdDoc "User account under which Apache Tomcat runs."; }; - group = mkOption { - type = types.str; + group = lib.mkOption { + type = lib.types.str; default = "tomcat"; description = lib.mdDoc "Group account under which Apache Tomcat runs."; }; - javaOpts = mkOption { - type = types.either (types.listOf types.str) types.str; + javaOpts = lib.mkOption { + type = lib.types.either (lib.types.listOf lib.types.str) lib.types.str; default = ""; description = lib.mdDoc "Parameters to pass to the Java Virtual Machine which spawns Apache Tomcat"; }; - catalinaOpts = mkOption { - type = types.either (types.listOf types.str) types.str; + catalinaOpts = lib.mkOption { + type = lib.types.either (lib.types.listOf lib.types.str) lib.types.str; default = ""; description = 
lib.mdDoc "Parameters to pass to the Java Virtual Machine which spawns the Catalina servlet container"; }; - sharedLibs = mkOption { - type = types.listOf types.str; - default = []; + sharedLibs = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; description = lib.mdDoc "List containing JAR files or directories with JAR files which are libraries shared by the web applications"; }; - serverXml = mkOption { - type = types.lines; + serverXml = lib.mkOption { + type = lib.types.lines; default = ""; description = lib.mdDoc '' Verbatim server.xml configuration. 
@@ -118,87 +106,74 @@ in ''; }; - commonLibs = mkOption { - type = types.listOf types.str; - default = []; + commonLibs = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; description = lib.mdDoc "List containing JAR files or directories with JAR files which are libraries shared by the web applications and the servlet container"; }; - webapps = mkOption { - type = types.listOf types.path; + webapps = lib.mkOption { + type = lib.types.listOf lib.types.path; default = [ tomcat.webapps ]; - defaultText = literalExpression "[ config.services.tomcat.package.webapps ]"; + defaultText = lib.literalExpression "[ config.services.tomcat.package.webapps ]"; description = lib.mdDoc "List containing WAR files or directories with WAR files which are web applications to be deployed on Tomcat"; }; - virtualHosts = mkOption { - type = types.listOf (types.submodule { + virtualHosts = lib.mkOption { + type = lib.types.listOf (lib.types.submodule { options = { - name = mkOption { - type = types.str; + name = lib.mkOption { + type = lib.types.str; description = lib.mdDoc "name of the virtualhost"; }; - aliases = mkOption { - type = types.listOf types.str; + aliases = lib.mkOption { + type = lib.types.listOf lib.types.str; description = lib.mdDoc "aliases of the virtualhost"; - default = []; + default = [ ]; }; - webapps = mkOption { - type = types.listOf types.path; + webapps = lib.mkOption { + type = lib.types.listOf lib.types.path; description = lib.mdDoc '' List containing web application WAR files and/or directories containing web applications and configuration files for the virtual host. 
''; - default = []; + default = [ ]; }; }; }); - default = []; + default = [ ]; description = lib.mdDoc "List consisting of a virtual host name and a list of web applications to deploy on each virtual host"; }; - logPerVirtualHost = mkOption { - type = types.bool; + logPerVirtualHost = lib.mkOption { + type = lib.types.bool; default = false; description = lib.mdDoc "Whether to enable logging per virtual host."; }; - jdk = mkOption { - type = types.package; - default = pkgs.jdk; - defaultText = literalExpression "pkgs.jdk"; - description = lib.mdDoc "Which JDK to use."; - }; + jdk = lib.mkPackageOptionMD pkgs "jdk" { }; axis2 = { + enable = lib.mkEnableOption "Apache Axis2 container"; - enable = mkOption { - default = false; - type = types.bool; - description = lib.mdDoc "Whether to enable an Apache Axis2 container"; - }; - - services = mkOption { - default = []; - type = types.listOf types.str; + services = lib.mkOption { + default = [ ]; + type = lib.types.listOf lib.types.str; description = lib.mdDoc "List containing AAR files or directories with AAR files which are web services to be deployed on Axis2"; }; - }; - }; - }; - ###### implementation - config = mkIf config.services.tomcat.enable { + config = lib.mkIf config.services.tomcat.enable { users.groups.tomcat.gid = config.ids.gids.tomcat; users.users.tomcat = - { uid = config.ids.uids.tomcat; + { + uid = config.ids.uids.tomcat; description = "Tomcat user"; home = "/homeless-shelter"; group = "tomcat"; @@ -234,7 +209,7 @@ in ln -sfn ${tomcat}/conf/$i ${cfg.baseDir}/conf/`basename $i` done - ${optionalString (cfg.extraConfigFiles != []) '' + ${lib.optionalString (cfg.extraConfigFiles != []) '' for i in ${toString cfg.extraConfigFiles}; do ln -sfn $i ${cfg.baseDir}/conf/`basename $i` done 
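Review bot: `enable = lib.mkEnableOption "Apache Axis2 container";` drops the `lib.mdDoc` wrapper that every other description in this file keeps (`lib.mkEnableOption (lib.mdDoc "Apache Tomcat")` a few hunks earlier), so the two enable options in one module now take different description paths; `enable = lib.mkEnableOption (lib.mdDoc "Apache Axis2 container");` keeps the file consistent with itself. The `services.tomcat` option set and the `config` block continue outside the hunk.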
@@ -253,32 +228,32 @@ in hostElementForVirtualHost = virtualHost: '' <Host name="${virtualHost.name}" appBase="virtualhosts/${virtualHost.name}/webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false"> - '' + concatStrings (innerElementsForVirtualHost virtualHost) + '' + '' + lib.concatStrings (innerElementsForVirtualHost virtualHost) + '' </Host> ''; innerElementsForVirtualHost = virtualHost: (map (alias: '' <Alias>${alias}</Alias> '') virtualHost.aliases) - ++ (optional cfg.logPerVirtualHost '' + ++ (lib.optional cfg.logPerVirtualHost '' <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs/${virtualHost.name}" prefix="${virtualHost.name}_access_log." pattern="combined" resolveHosts="false"/> ''); - hostElementsString = concatMapStringsSep "\n" hostElementForVirtualHost cfg.virtualHosts; - hostElementsSedString = replaceStrings ["\n"] ["\\\n"] hostElementsString; + hostElementsString = lib.concatMapStringsSep "\n" hostElementForVirtualHost cfg.virtualHosts; + hostElementsSedString = lib.replaceStrings ["\n"] ["\\\n"] hostElementsString; in '' # Create a modified server.xml which also includes all virtual hosts - sed -e "/<Engine name=\"Catalina\" defaultHost=\"localhost\">/a\\"${escapeShellArg hostElementsSedString} \ + sed -e "/<Engine name=\"Catalina\" defaultHost=\"localhost\">/a\\"${lib.escapeShellArg hostElementsSedString} \ ${tomcat}/conf/server.xml > ${cfg.baseDir}/conf/server.xml '' } - ${optionalString (cfg.logDirs != []) '' + ${lib.optionalString (cfg.logDirs != []) '' for i in ${toString cfg.logDirs}; do mkdir -p ${cfg.baseDir}/logs/$i chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/logs/$i done ''} - ${optionalString cfg.logPerVirtualHost (toString (map (h: '' + ${lib.optionalString cfg.logPerVirtualHost (toString (map (h: '' mkdir -p ${cfg.baseDir}/logs/${h.name} chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/logs/${h.name} '') cfg.virtualHosts))} 
@@ -345,7 +320,7 @@ in
 # Symlink all the given web applications files or paths into the webapps/ directory
 # of this virtual host
- for i in "${optionalString (virtualHost ? webapps) (toString virtualHost.webapps)}"; do
+ for i in "${lib.optionalString (virtualHost ? webapps) (toString virtualHost.webapps)}"; do
 if [ -f $i ]; then
 # If the given web application is a file, symlink it into the webapps/ directory
 ln -sfn $i ${cfg.baseDir}/virtualhosts/${virtualHost.name}/webapps/`basename $i`
@@ -368,7 +343,7 @@ in
 done
 '') cfg.virtualHosts)}
- ${optionalString cfg.axis2.enable ''
+ ${lib.optionalString cfg.axis2.enable ''
 # Copy the Axis2 web application
 cp -av ${pkgs.axis2}/webapps/axis2 ${cfg.baseDir}/webapps
@@ -405,10 +380,10 @@ in
 serviceConfig = {
 Type = "forking";
 PermissionsStartOnly = true;
- PIDFile="/run/tomcat/tomcat.pid";
+ PIDFile = "/run/tomcat/tomcat.pid";
 RuntimeDirectory = "tomcat";
 User = cfg.user;
- Environment=[
+ Environment = [
 "CATALINA_BASE=${cfg.baseDir}"
 "CATALINA_PID=/run/tomcat/tomcat.pid"
 "JAVA_HOME='${cfg.jdk}'"
diff --git a/nixpkgs/nixos/modules/system/boot/stage-1.nix b/nixpkgs/nixos/modules/system/boot/stage-1.nix
index 13c71e1495ea..e990aeea7a14 100644
--- a/nixpkgs/nixos/modules/system/boot/stage-1.nix
+++ b/nixpkgs/nixos/modules/system/boot/stage-1.nix
@@ -435,7 +435,7 @@ let
 }
 # mindepth 1 so that we don't change the mode of /
- (cd "$tmp" && find . -mindepth 1 -print0 | sort -z | bsdtar --uid 0 --gid 0 -cnf - -T - | bsdtar --null -cf - --format=newc @-) | \
+ (cd "$tmp" && find . -mindepth 1 | xargs touch -amt 197001010000 && find . -mindepth 1 -print0 | sort -z | bsdtar --uid 0 --gid 0 -cnf - -T - | bsdtar --null -cf - --format=newc @-) | \
 ${compressorExe} ${lib.escapeShellArgs initialRamdisk.compressorArgs} >> "$1"
 '';
diff --git a/nixpkgs/nixos/tests/all-tests.nix b/nixpkgs/nixos/tests/all-tests.nix
index 325e99c97749..367e3da29336 100644
--- a/nixpkgs/nixos/tests/all-tests.nix
+++ b/nixpkgs/nixos/tests/all-tests.nix
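Review bot: The added `find . -mindepth 1 | xargs touch -amt 197001010000` in stage-1.nix splits on blanks and newlines, while the archiving pipeline on the same line already uses `-print0 | sort -z`; an initrd entry whose name contains whitespace would be touched under the wrong name or make `xargs` fail, which through `&&` aborts the whole build. Use the null-separated form, `find . -mindepth 1 -print0 | xargs -0 touch -amt 197001010000 && ...`, or `find . -mindepth 1 -exec touch -amt 197001010000 {} +`. Separately, `touch` follows symlinks unless given `-h`, so any symlink in the tree would keep its own timestamp (and a link pointing outside `$tmp` would touch its target instead) — worth confirming whether `-h` is intended, since the purpose here appears to be a reproducible initrd. The shell string this pipeline belongs to starts outside the hunk.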
@@ -117,6 +117,7 @@ in {
 allTerminfo = handleTest ./all-terminfo.nix {};
 alps = handleTest ./alps.nix {};
 amazon-init-shell = handleTest ./amazon-init-shell.nix {};
+ amazon-ssm-agent = handleTest ./amazon-ssm-agent.nix {};
 amd-sev = runTest ./amd-sev.nix;
 anbox = runTest ./anbox.nix;
 anuko-time-tracker = handleTest ./anuko-time-tracker.nix {};
@@ -616,6 +617,7 @@ in {
 openstack-image-userdata = (handleTestOn ["x86_64-linux"] ./openstack-image.nix {}).userdata or {};
 opentabletdriver = handleTest ./opentabletdriver.nix {};
 opentelemetry-collector = handleTest ./opentelemetry-collector.nix {};
+ ocsinventory-agent = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./ocsinventory-agent.nix {};
 owncast = handleTest ./owncast.nix {};
 outline = handleTest ./outline.nix {};
 image-contents = handleTest ./image-contents.nix {};
diff --git a/nixpkgs/nixos/tests/amazon-ssm-agent.nix b/nixpkgs/nixos/tests/amazon-ssm-agent.nix
new file mode 100644
index 000000000000..957e9e0e02c5
--- /dev/null
+++ b/nixpkgs/nixos/tests/amazon-ssm-agent.nix
@@ -0,0 +1,17 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }: {
+ name = "amazon-ssm-agent";
+ meta.maintainers = [ lib.maintainers.anthonyroussel ];
+
+ nodes.machine = { config, pkgs, ... }: {
+ services.amazon-ssm-agent.enable = true;
+ };
+
+ testScript = ''
+ start_all()
+
+ machine.wait_for_file("/etc/amazon/ssm/seelog.xml")
+ machine.wait_for_file("/etc/amazon/ssm/amazon-ssm-agent.json")
+
+ machine.wait_for_unit("amazon-ssm-agent.service")
+ '';
+})
diff --git a/nixpkgs/nixos/tests/ocsinventory-agent.nix b/nixpkgs/nixos/tests/ocsinventory-agent.nix
new file mode 100644
index 000000000000..67b0c8c91103
--- /dev/null
+++ b/nixpkgs/nixos/tests/ocsinventory-agent.nix
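Review bot: In the new amazon-ssm-agent.nix, `pkgs` in the outer argument set and both `config` and `pkgs` in the `nodes.machine` function are unused; `({ lib, ... }: {` and a plain attribute set `nodes.machine = { services.amazon-ssm-agent.enable = true; };` read more clearly and avoid suggesting the test depends on them. The checks themselves are a smoke test only (the two `/etc/amazon/ssm` files exist and the unit becomes active once), which is reasonable given that the agent presumably has nothing to register with inside the VM, but a one-line comment saying so above `testScript` would save the next reader from expecting more.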
@@ -0,0 +1,33 @@
+import ./make-test-python.nix ({ pkgs, ...} : {
+ name = "ocsinventory-agent";
+
+ nodes.machine = { pkgs, ... }: {
+ services.ocsinventory-agent = {
+ enable = true;
+ settings = {
+ debug = true;
+ local = "/var/lib/ocsinventory-agent/reports";
+ tag = "MY_INVENTORY_TAG";
+ };
+ };
+ };
+
+ testScript = ''
+ path = "/var/lib/ocsinventory-agent/reports"
+
+ # Run the agent to generate the inventory file in offline mode
+ start_all()
+ machine.succeed("mkdir -p {}".format(path))
+ machine.wait_for_unit("ocsinventory-agent.service")
+ machine.wait_until_succeeds("journalctl -u ocsinventory-agent.service | grep 'Inventory saved in'")
+
+ # Fetch the path to the generated inventory file
+ report_file = machine.succeed("find {}/*.ocs -type f | head -n1".format(path))
+
+ with subtest("Check the tag value"):
+ tag = machine.succeed(
+ "${pkgs.libxml2}/bin/xmllint --xpath 'string(/REQUEST/CONTENT/ACCOUNTINFO/KEYVALUE)' {}".format(report_file)
+ ).rstrip()
+ assert tag == "MY_INVENTORY_TAG", f"tag is not valid, was '{tag}'"
+ '';
+})
diff --git a/nixpkgs/nixos/tests/prometheus.nix b/nixpkgs/nixos/tests/prometheus.nix
index a075cfc1f1b7..011127389377 100644
--- a/nixpkgs/nixos/tests/prometheus.nix
+++ b/nixpkgs/nixos/tests/prometheus.nix
@@ -3,6 +3,7 @@ let
 queryPort = 9090;
 minioPort = 9000;
 pushgwPort = 9091;
+ frontPort = 9092;
 s3 = {
 accessKey = "BKIKJAA5BMMU2RHO6IBB";
@@ -152,10 +153,15 @@ in import ./make-test-python.nix {
 services.thanos.query = {
 enable = true;
 http-address = "0.0.0.0:${toString queryPort}";
- store.addresses = [
+ endpoints = [
 "prometheus:${toString grpcPort}"
 ];
 };
+ services.thanos.query-frontend = {
+ enable = true;
+ http-address = "0.0.0.0:${toString frontPort}";
+ query-frontend.downstream-url = "http://127.0.0.1:${toString queryPort}";
+ };
 };
 store = { pkgs, ... }: {
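Review bot: In ocsinventory-agent.nix, `report_file` is the raw stdout of `machine.succeed("find {}/*.ocs -type f | head -n1".format(path))`, trailing newline included, and is then interpolated unquoted into the xmllint command, so the check works only because the shell discards that newline as whitespace; strip and quote it, i.e. `report_file = machine.succeed(...).strip()` and `"${pkgs.libxml2}/bin/xmllint --xpath '...' '{}'".format(report_file)`. The test also creates the `local` reports directory itself with `mkdir -p` as root before waiting on the unit: if the module is meant to provision that directory this hides its absence, and if it is not, the inventory report is written under a directory with root's default permissions. State which is intended in the comment above `start_all()`, and in the latter case assert the generated report is not world-readable, e.g. `machine.fail("stat -c %A {} | grep -q 'r..$'".format(report_file))`.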
@@ -178,7 +184,7 @@ in import ./make-test-python.nix {
 services.thanos.query = {
 enable = true;
 http-address = "0.0.0.0:${toString queryPort}";
- store.addresses = [
+ endpoints = [
 "localhost:${toString grpcPort}"
 ];
 };
@@ -262,6 +268,10 @@ in import ./make-test-python.nix {
 query.wait_for_unit("thanos-query.service")
 wait_for_metric(query)
+ # Test Thanos query frontend service
+ query.wait_for_unit("thanos-query-frontend.service")
+ query.succeed("curl -sS http://localhost:${toString frontPort}/-/healthy")
+
 # Test if the Thanos sidecar has correctly uploaded its TSDB to S3, if the
 # Thanos storage service has correctly downloaded it from S3 and if the Thanos
 # query service running on $store can correctly retrieve the metric:
diff --git a/nixpkgs/nixos/tests/terminal-emulators.nix b/nixpkgs/nixos/tests/terminal-emulators.nix
index 6d76cc8e5741..b52801c898eb 100644
--- a/nixpkgs/nixos/tests/terminal-emulators.nix
+++ b/nixpkgs/nixos/tests/terminal-emulators.nix
@@ -76,6 +76,7 @@ let tests = {
 rio.pkg = p: p.rio;
 rio.cmd = "rio -e $command";
+ rio.pinkValue = "#FF1261";
 roxterm.pkg = p: p.roxterm;
 roxterm.cmd = "roxterm -e $command";
diff --git a/nixpkgs/nixos/tests/tomcat.nix b/nixpkgs/nixos/tests/tomcat.nix
index 4cfb3cc5a7d8..a5f219e104ad 100644
--- a/nixpkgs/nixos/tests/tomcat.nix
+++ b/nixpkgs/nixos/tests/tomcat.nix
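Review bot: `query.succeed("curl -sS http://localhost:${toString frontPort}/-/healthy")` in the prometheus.nix hunk at -262 passes whenever the HTTP exchange completes, because curl exits 0 on an HTTP error status unless `--fail` is given, so a query frontend that is up but reporting unhealthy would not fail the test. Make it `query.succeed("curl -sSf http://localhost:${toString frontPort}/-/healthy")`. `/-/healthy` also says nothing about whether `query-frontend.downstream-url` is reachable; issuing one query through the frontend port, as the test already does against the query service, would cover the path this change introduces. The testScript this belongs to starts outside the hunk.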
@@ -1,21 +1,26 @@
-import ./make-test-python.nix ({ pkgs, ... }:
-
-{
+import ./make-test-python.nix ({ pkgs, ... }: {
 name = "tomcat";
 nodes.machine = { pkgs, ... }: {
- services.tomcat.enable = true;
+ services.tomcat = {
+ enable = true;
+ axis2.enable = true;
+ };
 };
 testScript = ''
 machine.wait_for_unit("tomcat.service")
 machine.wait_for_open_port(8080)
 machine.wait_for_file("/var/tomcat/webapps/examples");
+
+ machine.succeed(
+ "curl -sS --fail http://localhost:8080/examples/servlets/servlet/HelloWorldExample | grep 'Hello World!'"
+ )
 machine.succeed(
- "curl --fail http://localhost:8080/examples/servlets/servlet/HelloWorldExample | grep 'Hello World!'"
+ "curl -sS --fail http://localhost:8080/examples/jsp/jsp2/simpletag/hello.jsp | grep 'Hello, world!'"
 )
 machine.succeed(
- "curl --fail http://localhost:8080/examples/jsp/jsp2/simpletag/hello.jsp | grep 'Hello, world!'"
+ "curl -sS --fail http://localhost:8080/axis2/axis2-web/HappyAxis.jsp | grep 'Found Axis2'"
 )
 '';
+}) |
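Review bot: In each `machine.succeed("curl -sS --fail ... | grep '...'")` the exit status is grep's, so `--fail` only suppresses output: a non-2xx response whose body happens to contain the expected text still passes, and a curl failure is detected only indirectly through grep finding no match, unless the driver's shell enables `pipefail`, which is not visible here. Either prefix each command with `set -o pipefail;` or fetch to a file and grep that, e.g. `curl -sSf -o /tmp/axis2.html http://localhost:8080/axis2/axis2-web/HappyAxis.jsp && grep 'Found Axis2' /tmp/axis2.html`. The stray `;` on the context line `machine.wait_for_file("/var/tomcat/webapps/examples");` is harmless Python but out of place in this script.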