author | Alyssa Ross <hi@alyssa.is> | 2020-01-22 15:26:58 +0000 |
committer | Alyssa Ross <hi@alyssa.is> | 2020-01-22 16:56:33 +0000 |
commit | 542f80867c380b0ac79250b6e5358dda8bc49e0d (patch) | |
tree | aa5903f228b2f32c524a9a6e4f6dd94f8c5b869e /nixpkgs/nixos | |
parent | f69898c7d5b757342e6ab90d5fcc7c9aea9f5ff4 (diff) | |
parent | 90441b4b47fc7280de6a5bd1a228017caaa0f97f (diff) | |
Merge commit '90441b4b47fc7280de6a5bd1a228017caaa0f97f'
Diffstat (limited to 'nixpkgs/nixos')
52 files changed, 885 insertions, 385 deletions
diff --git a/nixpkgs/nixos/doc/manual/configuration/declarative-packages.xml b/nixpkgs/nixos/doc/manual/configuration/declarative-packages.xml index 5fb3bcb9f8f5..cd84d1951d24 100644 --- a/nixpkgs/nixos/doc/manual/configuration/declarative-packages.xml +++ b/nixpkgs/nixos/doc/manual/configuration/declarative-packages.xml @@ -19,6 +19,12 @@ <command>nixos-rebuild switch</command>. </para> + <note> + <para> + Some packages require additional global configuration such as D-Bus or systemd service registration so adding them to <xref linkend="opt-environment.systemPackages"/> might not be sufficient. You are advised to check the <link xlink:href="#ch-options">list of options</link> whether a NixOS module for the package does not exist. + </para> + </note> + <para> You can get a list of the available packages as follows: <screen> diff --git a/nixpkgs/nixos/doc/manual/development/option-types.xml b/nixpkgs/nixos/doc/manual/development/option-types.xml index 55d9c123e3f1..957349ad1811 100644 --- a/nixpkgs/nixos/doc/manual/development/option-types.xml +++ b/nixpkgs/nixos/doc/manual/development/option-types.xml @@ -257,9 +257,9 @@ <listitem> <para> A set of sub options <replaceable>o</replaceable>. - <replaceable>o</replaceable> can be an attribute set or a function - returning an attribute set. Submodules are used in composed types to - create modular options. This is equivalent to + <replaceable>o</replaceable> can be an attribute set, a function + returning an attribute set, or a path to a file containing such a value. Submodules are used in + composed types to create modular options. This is equivalent to <literal>types.submoduleWith { modules = toList o; shorthandOnlyDefinesConfig = true; }</literal>. Submodules are detailed in <xref diff --git a/nixpkgs/nixos/doc/manual/man-pages.xml b/nixpkgs/nixos/doc/manual/man-pages.xml index f5a1dd2d69f4..49acfe7330b6 100644 --- a/nixpkgs/nixos/doc/manual/man-pages.xml +++ b/nixpkgs/nixos/doc/manual/man-pages.xml 
@@ -6,7 +6,7 @@ <author><personname><firstname>Eelco</firstname><surname>Dolstra</surname></personname> <contrib>Author</contrib> </author> - <copyright><year>2007-2019</year><holder>Eelco Dolstra</holder> + <copyright><year>2007-2020</year><holder>Eelco Dolstra</holder> </copyright> </info> <xi:include href="man-configuration.xml" /> diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml index ca319dfea411..1eef4f08c4fd 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml @@ -170,6 +170,12 @@ services.xserver.displayManager.defaultSession = "xfce+icewm"; </listitem> <listitem> <para> + The Way Cooler wayland compositor has been removed, as the project has been officially canceled. + There are no more <literal>way-cooler</literal> attribute and <literal>programs.way-cooler</literal> options. + </para> + </listitem> + <listitem> + <para> The BEAM package set has been deleted. You will only find there the different interpreters. You should now use the different build tools coming with the languages with sandbox mode disabled. </para> 
@@ -391,6 +397,54 @@ users.users.me = <link xlink:href="https://github.com/NixOS/nixpkgs/pull/63103">PR #63103</link>. </para> </listitem> + <listitem> + <para> + For NixOS modules, the types <literal>types.submodule</literal> and <literal>types.submoduleWith</literal> now support + paths as allowed values, similar to how <literal>imports</literal> supports paths. + Because of this, if you have a module that defines an option of type + <literal>either (submodule ...) path</literal>, it will break since a path + is now treated as the first type instead of the second. To fix this, change + the type to <literal>either path (submodule ...)</literal>. + </para> + </listitem> + <listitem> + <para> + The <link linkend="opt-services.buildkite-agent.enable">Buildkite Agent</link> + module and corresponding packages have been updated to 3.x. + While doing so, the following options have been changed: + </para> + <itemizedlist> + <listitem> + <para> + <literal>services.buildkite-agent.meta-data</literal> has been renamed to + <link linkend="opt-services.buildkite-agent.tags">services.buildkite-agent.tags</link>, + to match upstreams naming for 3.x. + Its type has also changed - it now accepts an attrset of strings. + </para> + </listitem> + <listitem> + <para> + The<literal>services.buildkite-agent.openssh.publicKeyPath</literal> option + has been removed, as it's not necessary to deploy public keys to clone private + repositories. + </para> + </listitem> + <listitem> + <para> + <literal>services.buildkite-agent.openssh.privateKeyPath</literal> + has been renamed to + <link linkend="opt-services.buildkite-agent.privateSshKeyPath">buildkite-agent.privateSshKeyPath</link>, + as the whole <literal>openssh</literal> now only contained that single option. + </para> + </listitem> + <listitem> + <para> + <link linkend="opt-services.buildkite-agent.shell">services.buildkite-agent.shell</link> + has been introduced, allowing to specify a custom shell to be used. 
+ </para> + </listitem> + </itemizedlist> + </listitem> </itemizedlist> </section> diff --git a/nixpkgs/nixos/lib/test-driver/test-driver.py b/nixpkgs/nixos/lib/test-driver/test-driver.py index 7e575189209a..cf204a2619f5 100644 --- a/nixpkgs/nixos/lib/test-driver/test-driver.py +++ b/nixpkgs/nixos/lib/test-driver/test-driver.py @@ -84,7 +84,7 @@ CHAR_TO_KEY = { # Forward references nr_tests: int -nr_succeeded: int +failed_tests: list log: "Logger" machines: "List[Machine]" @@ -221,7 +221,7 @@ class Machine: return path self.state_dir = create_dir("vm-state-{}".format(self.name)) - self.shared_dir = create_dir("{}/xchg".format(self.state_dir)) + self.shared_dir = create_dir("shared-xchg") self.booted = False self.connected = False @@ -576,7 +576,7 @@ class Machine: vm_src = pathlib.Path(source) with tempfile.TemporaryDirectory(dir=self.shared_dir) as shared_td: shared_temp = pathlib.Path(shared_td) - vm_shared_temp = pathlib.Path("/tmp/xchg") / shared_temp.name + vm_shared_temp = pathlib.Path("/tmp/shared") / shared_temp.name vm_intermediate = vm_shared_temp / vm_src.name intermediate = shared_temp / vm_src.name # Copy the file to the shared directory inside VM @@ -704,7 +704,8 @@ class Machine: def process_serial_output() -> None: for _line in self.process.stdout: - line = _line.decode("unicode_escape").replace("\r", "").rstrip() + # Ignore undecodable bytes that may occur in boot menus + line = _line.decode(errors="ignore").replace("\r", "").rstrip() eprint("{} # {}".format(self.name, line)) self.logger.enqueue({"msg": line, "machine": self.name}) 
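Review bot: `_line.decode(errors="ignore")` in process_serial_output silently drops every undecodable byte, so a serial line that was not valid UTF-8 is logged as if it had been clean; `errors="replace"` keeps a visible U+FFFD where the bytes were, which is friendlier when a log is read later to diagnose a boot failure, and still handles the boot-menu case the new comment describes. In the forward-reference hunk, `failed_tests: list` could be written `failed_tests: "List[str]"` to match `machines: "List[Machine]"` on the neighbouring line and to say what the list holds. The method enclosing process_serial_output starts outside the hunk.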
@@ -841,23 +842,31 @@ def run_tests() -> None:
 machine.execute("sync")
 if nr_tests != 0:
+ nr_succeeded = nr_tests - len(failed_tests)
 eprint("{} out of {} tests succeeded".format(nr_succeeded, nr_tests))
- if nr_tests > nr_succeeded:
+ if len(failed_tests) > 0:
+ eprint(
+ "The following tests have failed:\n - {}".format(
+ "\n - ".join(failed_tests)
+ )
+ )
 sys.exit(1)
 @contextmanager
 def subtest(name: str) -> Iterator[None]:
 global nr_tests
- global nr_succeeded
+ global failed_tests
 with log.nested(name):
 nr_tests += 1
 try:
 yield
- nr_succeeded += 1
 return True
 except Exception as e:
+ failed_tests.append(
+ 'Test "{}" failed with error: "{}"'.format(name, str(e))
+ )
 log.log("error: {}".format(str(e)))
 return False
@@ -879,7 +888,7 @@ if __name__ == "__main__":
 exec("\n".join(machine_eval))
 nr_tests = 0
- nr_succeeded = 0
+ failed_tests = []
 @atexit.register
 def clean_up() -> None:
diff --git a/nixpkgs/nixos/lib/testing-python.nix b/nixpkgs/nixos/lib/testing-python.nix
index 3d09be3b6cd5..a7f6d7926514 100644
--- a/nixpkgs/nixos/lib/testing-python.nix
+++ b/nixpkgs/nixos/lib/testing-python.nix
@@ -155,7 +155,7 @@ in rec {
 --add-flags "''${vms[*]}" \
 ${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin:${imagemagick_tiff}/bin'"} \
- --run "export testScript=\"\$(cat $out/test-script)\"" \
+ --run "export testScript=\"\$(${coreutils}/bin/cat $out/test-script)\"" \
 --set VLANS '${toString vlans}'
 ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-run-vms
 wrapProgram $out/bin/nixos-run-vms \
diff --git a/nixpkgs/nixos/modules/hardware/opengl.nix b/nixpkgs/nixos/modules/hardware/opengl.nix
index 89dc5008df58..28cddea8b79c 100644
--- a/nixpkgs/nixos/modules/hardware/opengl.nix
+++ b/nixpkgs/nixos/modules/hardware/opengl.nix
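Review bot: `if len(failed_tests) > 0:` in run_tests reads more idiomatically as `if failed_tests:`, and the summary the hunk prints is the only consumer of the new `nr_succeeded`, so computing it inline as done is fine. In subtest, the recorded failure string uses `str(e)` alone; including the exception class, `'Test "{}" failed with error: {}: "{}"'.format(name, type(e).__name__, e)`, would let the final failure list distinguish an assertion failure from a timeout or a connection error without re-reading the full log. The body of run_tests starts outside the hunk.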
@@ -43,11 +43,11 @@ in description = '' Whether to enable OpenGL drivers. This is needed to enable OpenGL support in X11 systems, as well as for Wayland compositors - like sway, way-cooler and Weston. It is enabled by default + like sway and Weston. It is enabled by default by the corresponding modules, so you do not usually have to set it yourself, only if there is no module for your wayland - compositor of choice. See services.xserver.enable, - programs.sway.enable, and programs.way-cooler.enable. + compositor of choice. See services.xserver.enable and + programs.sway.enable. ''; type = types.bool; default = false; diff --git a/nixpkgs/nixos/modules/hardware/usb-wwan.nix b/nixpkgs/nixos/modules/hardware/usb-wwan.nix index 2d20421586a7..679a6c6497cb 100644 --- a/nixpkgs/nixos/modules/hardware/usb-wwan.nix +++ b/nixpkgs/nixos/modules/hardware/usb-wwan.nix @@ -21,6 +21,19 @@ with lib; ###### implementation config = mkIf config.hardware.usbWwan.enable { + # Attaches device specific handlers. services.udev.packages = with pkgs; [ usb-modeswitch-data ]; + + # Triggered by udev, usb-modeswitch creates systemd services via a + # template unit in the usb-modeswitch package. + systemd.packages = with pkgs; [ usb-modeswitch ]; + + # The systemd service requires the usb-modeswitch-data. The + # usb-modeswitch package intends to discover this via the + # filesystem at /usr/share/usb_modeswitch, and merge it with user + # configuration in /etc/usb_modeswitch.d. Configuring the correct + # path in the package is difficult, as it would cause a cyclic + # dependency. + environment.etc."usb_modeswitch.d".source = "${pkgs.usb-modeswitch-data}/share/usb_modeswitch"; }; } diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-rebuild.sh b/nixpkgs/nixos/modules/installer/tools/nixos-rebuild.sh index c53dc1000c4a..61b4af110273 100644 --- a/nixpkgs/nixos/modules/installer/tools/nixos-rebuild.sh +++ b/nixpkgs/nixos/modules/installer/tools/nixos-rebuild.sh 
@@ -22,7 +22,7 @@ repair= profile=/nix/var/nix/profiles/system buildHost= targetHost= -maybeSudo= +maybeSudo=() while [ "$#" -gt 0 ]; do i="$1"; shift 1 @@ -92,7 +92,7 @@ while [ "$#" -gt 0 ]; do ;; --use-remote-sudo) # note the trailing space - maybeSudo="sudo " + maybeSudo=(sudo --) shift 1 ;; *) @@ -102,6 +102,10 @@ while [ "$#" -gt 0 ]; do esac done +if [ -n "$SUDO_USER" ]; then + maybeSudo=(sudo --) +fi + if [ -z "$buildHost" -a -n "$targetHost" ]; then buildHost="$targetHost" fi @@ -116,17 +120,17 @@ buildHostCmd() { if [ -z "$buildHost" ]; then "$@" elif [ -n "$remoteNix" ]; then - ssh $SSHOPTS "$buildHost" env PATH="$remoteNix:$PATH" "$maybeSudo$@" + ssh $SSHOPTS "$buildHost" env PATH="$remoteNix:$PATH" "${maybeSudo[@]}" "$@" else - ssh $SSHOPTS "$buildHost" "$maybeSudo$@" + ssh $SSHOPTS "$buildHost" "${maybeSudo[@]}" "$@" fi } targetHostCmd() { if [ -z "$targetHost" ]; then - "$@" + "${maybeSudo[@]}" "$@" else - ssh $SSHOPTS "$targetHost" "$maybeSudo$@" + ssh $SSHOPTS "$targetHost" "${maybeSudo[@]}" "$@" fi } diff --git a/nixpkgs/nixos/modules/misc/version.nix b/nixpkgs/nixos/modules/misc/version.nix index b85614771ee4..ddbd3963cc57 100644 --- a/nixpkgs/nixos/modules/misc/version.nix +++ b/nixpkgs/nixos/modules/misc/version.nix @@ -91,8 +91,8 @@ in # These defaults are set here rather than up there so that # changing them would not rebuild the manual version = mkDefault (cfg.release + cfg.versionSuffix); - revision = mkIf (pathIsDirectory gitRepo) (mkDefault gitCommitId); - versionSuffix = mkIf (pathIsDirectory gitRepo) (mkDefault (".git." + gitCommitId)); + revision = mkIf (pathExists gitRepo) (mkDefault gitCommitId); + versionSuffix = mkIf (pathExists gitRepo) (mkDefault (".git." + gitCommitId)); }; # Generate /etc/os-release. See diff --git a/nixpkgs/nixos/modules/module-list.nix b/nixpkgs/nixos/modules/module-list.nix index 105c86c6ba52..58628cf8c0bd 100644 --- a/nixpkgs/nixos/modules/module-list.nix +++ b/nixpkgs/nixos/modules/module-list.nix 
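Review bot: The comment `# note the trailing space` above `maybeSudo=(sudo --)` is now stale, because the array form needs no separator; drop it or replace it with `# array, so that "$@" stays correctly word-split after it`. The new `if [ -n "$SUDO_USER" ]` block turns on remote sudo whenever nixos-rebuild itself was started through sudo, which changes behaviour for users who did not pass `--use-remote-sudo` and assumes the remote account may run sudo; a one-line comment stating that intent above the block would make the inference explicit to the next reader. The argument loop this block follows begins before the hunk.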
@@ -127,6 +127,7 @@ ./programs/java.nix ./programs/kbdlight.nix ./programs/less.nix + ./programs/liboping.nix ./programs/light.nix ./programs/mosh.nix ./programs/mininet.nix @@ -152,13 +153,13 @@ ./programs/system-config-printer.nix ./programs/thefuck.nix ./programs/tmux.nix + ./programs/traceroute.nix ./programs/tsm-client.nix ./programs/udevil.nix ./programs/usbtop.nix ./programs/venus.nix ./programs/vim.nix ./programs/wavemon.nix - ./programs/way-cooler.nix ./programs/waybar.nix ./programs/wireshark.nix ./programs/x2goserver.nix @@ -579,6 +580,7 @@ ./services/networking/connman.nix ./services/networking/consul.nix ./services/networking/coredns.nix + ./services/networking/corerad.nix ./services/networking/coturn.nix ./services/networking/dante.nix ./services/networking/ddclient.nix @@ -737,6 +739,7 @@ ./services/networking/wicd.nix ./services/networking/wireguard.nix ./services/networking/wpa_supplicant.nix + ./services/networking/xandikos.nix ./services/networking/xinetd.nix ./services/networking/xl2tpd.nix ./services/networking/xrdp.nix @@ -871,7 +874,6 @@ ./services/x11/display-managers/xpra.nix ./services/x11/fractalart.nix ./services/x11/hardware/libinput.nix - ./services/x11/hardware/multitouch.nix ./services/x11/hardware/synaptics.nix ./services/x11/hardware/wacom.nix ./services/x11/hardware/digimend.nix diff --git a/nixpkgs/nixos/modules/programs/liboping.nix b/nixpkgs/nixos/modules/programs/liboping.nix new file mode 100644 index 000000000000..4e4c235ccde4 --- /dev/null +++ b/nixpkgs/nixos/modules/programs/liboping.nix 
@@ -0,0 +1,22 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.programs.liboping; +in { + options.programs.liboping = { + enable = mkEnableOption "liboping"; + }; + config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [ liboping ]; + security.wrappers = mkMerge (map ( + exec: { + "${exec}" = { + source = "${pkgs.liboping}/bin/${exec}"; + capabilities = "cap_net_raw+p"; + }; + } + ) [ "oping" "noping" ]); + }; +} diff --git a/nixpkgs/nixos/modules/programs/traceroute.nix b/nixpkgs/nixos/modules/programs/traceroute.nix new file mode 100644 index 000000000000..4eb0be3f0e0b --- /dev/null +++ b/nixpkgs/nixos/modules/programs/traceroute.nix @@ -0,0 +1,26 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.programs.traceroute; +in { + options = { + programs.traceroute = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to configure a setcap wrapper for traceroute. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + security.wrappers.traceroute = { + source = "${pkgs.traceroute}/bin/traceroute"; + capabilities = "cap_net_raw+p"; + }; + }; +} diff --git a/nixpkgs/nixos/modules/programs/way-cooler.nix b/nixpkgs/nixos/modules/programs/way-cooler.nix deleted file mode 100644 index f27bd42bd764..000000000000 --- a/nixpkgs/nixos/modules/programs/way-cooler.nix +++ /dev/null 
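Review bot: `enable = mkEnableOption "liboping"` yields the description "Whether to enable liboping.", which does not tell a reader that enabling it installs capability (setcap) wrappers with `cap_net_raw+p` for `oping` and `noping` under security.wrappers; the traceroute module added in the same commit does say so in its option description. Suggest `enable = mkEnableOption "liboping, with cap_net_raw wrappers for oping and noping";`. Since the package is also added to environment.systemPackages, a short comment noting that the wrapped binaries are the ones intended to be found first on PATH would help, if that is indeed how security.wrappers is ordered here.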
@@ -1,78 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.programs.way-cooler; - way-cooler = pkgs.way-cooler; - - wcWrapped = pkgs.writeShellScriptBin "way-cooler" '' - ${cfg.extraSessionCommands} - exec ${pkgs.dbus}/bin/dbus-run-session ${way-cooler}/bin/way-cooler - ''; - wcJoined = pkgs.symlinkJoin { - name = "way-cooler-wrapped"; - paths = [ wcWrapped way-cooler ]; - }; - configFile = readFile "${way-cooler}/etc/way-cooler/init.lua"; - spawnBar = '' - util.program.spawn_at_startup("lemonbar"); - ''; -in -{ - options.programs.way-cooler = { - enable = mkEnableOption "way-cooler"; - - extraSessionCommands = mkOption { - default = ""; - type = types.lines; - example = '' - export XKB_DEFAULT_LAYOUT=us,de - export XKB_DEFAULT_VARIANT=,nodeadkeys - export XKB_DEFAULT_OPTIONS=grp:caps_toggle, - ''; - description = '' - Shell commands executed just before way-cooler is started. - ''; - }; - - extraPackages = mkOption { - type = with types; listOf package; - default = with pkgs; [ - westonLite xwayland dmenu - ]; - example = literalExample '' - with pkgs; [ - westonLite xwayland dmenu - ] - ''; - description = '' - Extra packages to be installed system wide. - ''; - }; - - enableBar = mkOption { - type = types.bool; - default = true; - description = '' - Whether to enable an unofficial bar. - ''; - }; - }; - - config = mkIf cfg.enable { - environment.systemPackages = [ wcJoined ] ++ cfg.extraPackages; - - security.pam.services.wc-lock = {}; - environment.etc."way-cooler/init.lua".text = '' - ${configFile} - ${optionalString cfg.enableBar spawnBar} - ''; - - hardware.opengl.enable = mkDefault true; - fonts.enableDefaultFonts = mkDefault true; - programs.dconf.enable = mkDefault true; - }; - - meta.maintainers = with maintainers; [ gnidorah ]; -} diff --git a/nixpkgs/nixos/modules/rename.nix b/nixpkgs/nixos/modules/rename.nix index 7109ab5a1099..26de8a18d922 100644 --- a/nixpkgs/nixos/modules/rename.nix +++ b/nixpkgs/nixos/modules/rename.nix 
@@ -27,6 +27,13 @@ with lib; (mkRemovedOptionModule [ "services.osquery" ] "The osquery module has been removed") (mkRemovedOptionModule [ "services.fourStore" ] "The fourStore module has been removed") (mkRemovedOptionModule [ "services.fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed") + (mkRemovedOptionModule [ "programs" "way-cooler" ] ("way-cooler is abandoned by its author: " + + "https://way-cooler.org/blog/2020/01/09/way-cooler-post-mortem.html")) + (mkRemovedOptionModule [ "services" "xserver" "multitouch" ] '' + services.xserver.multitouch (which uses xf86_input_mtrack) has been removed + as the underlying package isn't being maintained. Working alternatives are + libinput and synaptics. + '') # Do NOT add any option renames here, see top of the file ]; diff --git a/nixpkgs/nixos/modules/services/amqp/rabbitmq.nix b/nixpkgs/nixos/modules/services/amqp/rabbitmq.nix index 697732426ccf..35fb49f709a6 100644 --- a/nixpkgs/nixos/modules/services/amqp/rabbitmq.nix +++ b/nixpkgs/nixos/modules/services/amqp/rabbitmq.nix @@ -165,7 +165,10 @@ in { after = [ "network.target" "epmd.socket" ]; wants = [ "network.target" "epmd.socket" ]; - path = [ cfg.package pkgs.procps ]; + path = [ + cfg.package + pkgs.coreutils # mkdir/chown/chmod for preStart + ]; environment = { RABBITMQ_MNESIA_BASE = "${cfg.dataDir}/mnesia"; diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix index 733479e24c97..4275563f1a36 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix @@ -20,6 +20,7 @@ let size = 2048; }; CN = top.masterAddress; + hosts = cfg.cfsslAPIExtraSANs; }); cfsslAPITokenBaseName = "apitoken.secret"; 
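Review bot: The new rabbitmq `path` list replaces `pkgs.procps` with `pkgs.coreutils` rather than adding coreutils to it, while the comment only explains why coreutils is needed; if any rabbitmq script still calls `ps`, the service loses it here. Either keep the old entry alongside the new one, `pkgs.procps`, or add a comment stating that procps is no longer required so the removal reads as deliberate. The systemd service definition begins outside the hunk.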
@@ -66,6 +67,15 @@ in type = bool; }; + cfsslAPIExtraSANs = mkOption { + description = '' + Extra x509 Subject Alternative Names to be added to the cfssl API webserver TLS cert. + ''; + default = []; + example = [ "subdomain.example.com" ]; + type = listOf str; + }; + genCfsslAPIToken = mkOption { description = '' Whether to automatically generate cfssl API-token secret, diff --git a/nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix b/nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix index 326d2cbd82cc..e3da3092d459 100644 --- a/nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix +++ b/nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix @@ -222,7 +222,7 @@ in { }; config = mkIf cfg.enable { - users.groups = optional (cfg.group == "buildbot") { + users.groups = optionalAttrs (cfg.group == "buildbot") { buildbot = { }; }; diff --git a/nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix b/nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix index 7613692f0a34..52f24b8cee3c 100644 --- a/nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix +++ b/nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix @@ -136,7 +136,7 @@ in { config = mkIf cfg.enable { services.buildbot-worker.workerPassFile = mkDefault (pkgs.writeText "buildbot-worker-password" cfg.workerPass); - users.groups = optional (cfg.group == "bbworker") { + users.groups = optionalAttrs (cfg.group == "bbworker") { bbworker = { }; }; diff --git a/nixpkgs/nixos/modules/services/continuous-integration/buildkite-agent.nix b/nixpkgs/nixos/modules/services/continuous-integration/buildkite-agent.nix index 32f361454bc1..58bce6549414 100644 --- a/nixpkgs/nixos/modules/services/continuous-integration/buildkite-agent.nix +++ b/nixpkgs/nixos/modules/services/continuous-integration/buildkite-agent.nix 
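Review bot: The CSR now sets `hosts = cfg.cfsslAPIExtraSANs`, whose default is `[]`, and nothing in the hunk adds `top.masterAddress` to it even though the option is described as "Extra" SANs; unless cfssl copies the CN into the SAN list on its own, a default configuration yields a certificate whose only name is the CN, which TLS clients that ignore CN (recent Go releases, for example) reject. If the master address is meant to be covered, `hosts = [ top.masterAddress ] ++ cfg.cfsslAPIExtraSANs;` would match the option's name and description. The `let` block defining this CSR starts outside the hunk.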
@@ -50,8 +50,8 @@ in }; runtimePackages = mkOption { - default = [ pkgs.bash pkgs.nix ]; - defaultText = "[ pkgs.bash pkgs.nix ]"; + default = [ pkgs.bash pkgs.gnutar pkgs.gzip pkgs.git pkgs.nix ]; + defaultText = "[ pkgs.bash pkgs.gnutar pkgs.gzip pkgs.git pkgs.nix ]"; description = "Add programs to the buildkite-agent environment"; type = types.listOf types.package; }; @@ -74,13 +74,12 @@ in ''; }; - meta-data = mkOption { - type = types.str; - default = ""; - example = "queue=default,docker=true,ruby2=true"; + tags = mkOption { + type = types.attrsOf types.str; + default = {}; + example = { queue = "default"; docker = "true"; ruby2 ="true"; }; description = '' - Meta data for the agent. This is a comma-separated list of - <code>key=value</code> pairs. + Tags for the agent. ''; }; @@ -93,26 +92,20 @@ in ''; }; - openssh = - { privateKeyPath = mkOption { - type = types.path; - description = '' - Private agent key. + privateSshKeyPath = mkOption { + type = types.nullOr types.path; + default = null; + ## maximum care is taken so that secrets (ssh keys and the CI token) + ## don't end up in the Nix store. + apply = final: if final == null then null else toString final; - A run-time path to the key file, which is supposed to be provisioned - outside of Nix store. - ''; - }; - publicKeyPath = mkOption { - type = types.path; - description = '' - Public agent key. - - A run-time path to the key file, which is supposed to be provisioned - outside of Nix store. - ''; - }; - }; + description = '' + OpenSSH private key + + A run-time path to the key file, which is supposed to be provisioned + outside of Nix store. + ''; + }; hooks = mkHookOptions [ { name = "checkout"; 
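Review bot: The new `tags` description, `Tags for the agent.`, carries less information than the text it replaces; since the values are rendered into the agent configuration as `key=value` pairs, `Tags for the agent, rendered into the agent configuration as comma-separated key=value pairs.` preserves that. The example `ruby2 ="true"` has a stray space before `=` compared with its neighbours.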
@@ -181,18 +174,26 @@ in instead. ''; }; + + shell = mkOption { + type = types.str; + default = "${pkgs.bash}/bin/bash -e -c"; + description = '' + Command that buildkite-agent 3 will execute when it spawns a shell. + ''; + }; }; }; config = mkIf config.services.buildkite-agent.enable { - users.users.buildkite-agent = - { name = "buildkite-agent"; - home = cfg.dataDir; - createHome = true; - description = "Buildkite agent user"; - extraGroups = [ "keys" ]; - isSystemUser = true; - }; + users.users.buildkite-agent = { + name = "buildkite-agent"; + home = cfg.dataDir; + createHome = true; + description = "Buildkite agent user"; + extraGroups = [ "keys" ]; + isSystemUser = true; + }; environment.systemPackages = [ cfg.package ]; @@ -210,17 +211,18 @@ in ## don't end up in the Nix store. preStart = let sshDir = "${cfg.dataDir}/.ssh"; + tagStr = lib.concatStringsSep "," (lib.mapAttrsToList (name: value: "${name}=${value}") cfg.tags); in - '' + optionalString (cfg.privateSshKeyPath != null) '' mkdir -m 0700 -p "${sshDir}" - cp -f "${toString cfg.openssh.privateKeyPath}" "${sshDir}/id_rsa" - cp -f "${toString cfg.openssh.publicKeyPath}" "${sshDir}/id_rsa.pub" - chmod 600 "${sshDir}"/id_rsa* - + cp -f "${toString cfg.privateSshKeyPath}" "${sshDir}/id_rsa" + chmod 600 "${sshDir}"/id_rsa + '' + '' cat > "${cfg.dataDir}/buildkite-agent.cfg" <<EOF token="$(cat ${toString cfg.tokenPath})" name="${cfg.name}" - meta-data="${cfg.meta-data}" + shell="${cfg.shell}" + tags="${tagStr}" build-path="${cfg.dataDir}/builds" hooks-path="${cfg.hooksPath}" ${cfg.extraConfig} 
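Review bot: `tagStr` and `cfg.shell` are interpolated into an unquoted `<<EOF` heredoc alongside the intended `$(cat ...)` token expansion, so a tag value or shell string containing `"`, `$` or a backtick is expanded by the shell that writes the config instead of being written literally, and a `,` inside a tag value changes the tag list the agent sees. These values come from the NixOS configuration, so this is a correctness rather than a trust-boundary problem, but it is worth either documenting the constraint on the `tags` and `shell` options or enforcing it with an assertion such as `assertion = lib.all (v: !(lib.hasInfix "," v) && !(lib.hasInfix "\"" v)) (lib.attrValues cfg.tags);`. The `preStart` definition begins before the hunk.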
@@ -228,11 +230,14 @@ in ''; serviceConfig = - { ExecStart = "${pkgs.buildkite-agent}/bin/buildkite-agent start --config /var/lib/buildkite-agent/buildkite-agent.cfg"; + { ExecStart = "${cfg.package}/bin/buildkite-agent start --config /var/lib/buildkite-agent/buildkite-agent.cfg"; User = "buildkite-agent"; RestartSec = 5; Restart = "on-failure"; TimeoutSec = 10; + # set a long timeout to give buildkite-agent a chance to finish current builds + TimeoutStopSec = "2 min"; + KillMode = "mixed"; }; }; @@ -246,8 +251,11 @@ in ]; }; imports = [ - (mkRenamedOptionModule [ "services" "buildkite-agent" "token" ] [ "services" "buildkite-agent" "tokenPath" ]) - (mkRenamedOptionModule [ "services" "buildkite-agent" "openssh" "privateKey" ] [ "services" "buildkite-agent" "openssh" "privateKeyPath" ]) - (mkRenamedOptionModule [ "services" "buildkite-agent" "openssh" "publicKey" ] [ "services" "buildkite-agent" "openssh" "publicKeyPath" ]) + (mkRenamedOptionModule [ "services" "buildkite-agent" "token" ] [ "services" "buildkite-agent" "tokenPath" ]) + (mkRenamedOptionModule [ "services" "buildkite-agent" "openssh" "privateKey" ] [ "services" "buildkite-agent" "privateSshKeyPath" ]) + (mkRenamedOptionModule [ "services" "buildkite-agent" "openssh" "privateKeyPath" ] [ "services" "buildkite-agent" "privateSshKeyPath" ]) + (mkRemovedOptionModule [ "services" "buildkite-agent" "openssh" "publicKey" ] "SSH public keys aren't necessary to clone private repos.") + (mkRemovedOptionModule [ "services" "buildkite-agent" "openssh" "publicKeyPath" ] "SSH public keys aren't necessary to clone private repos.") + (mkRenamedOptionModule [ "services" "buildkite-agent" "meta-data"] [ "services" "buildkite-agent" "tags" ]) ]; } diff --git a/nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix b/nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix index 30c5550f71c5..8b56207590a1 100644 --- a/nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix 
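Review bot: The new `ExecStart` still hard-codes `--config /var/lib/buildkite-agent/buildkite-agent.cfg`, while `preStart` (previous hunk) writes the file to `${cfg.dataDir}/buildkite-agent.cfg`; with a non-default `dataDir` the agent is started against a file that was never written. `ExecStart = "${cfg.package}/bin/buildkite-agent start --config ${cfg.dataDir}/buildkite-agent.cfg";` keeps the two paths in step. The inline comment on `TimeoutStopSec` is a good model for the rest of this block.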
+++ b/nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix @@ -167,7 +167,7 @@ in buildMachinesFiles = mkOption { type = types.listOf types.path; - default = [ "/etc/nix/machines" ]; + default = optional (config.nix.buildMachines != []) "/etc/nix/machines"; example = [ "/etc/nix/machines" "/var/lib/hydra/provisioner/machines" ]; description = "List of files containing build machines."; }; @@ -333,7 +333,7 @@ in IN_SYSTEMD = "1"; # to get log severity levels }; serviceConfig = - { ExecStart = "@${cfg.package}/bin/hydra-queue-runner hydra-queue-runner -v --option build-use-substitutes ${boolToString cfg.useSubstitutes}"; + { ExecStart = "@${cfg.package}/bin/hydra-queue-runner hydra-queue-runner -v"; ExecStopPost = "${cfg.package}/bin/hydra-queue-runner --unlock"; User = "hydra-queue-runner"; Restart = "always"; diff --git a/nixpkgs/nixos/modules/services/continuous-integration/jenkins/slave.nix b/nixpkgs/nixos/modules/services/continuous-integration/jenkins/slave.nix index 26368cb94e47..3c0e6f78e74c 100644 --- a/nixpkgs/nixos/modules/services/continuous-integration/jenkins/slave.nix +++ b/nixpkgs/nixos/modules/services/continuous-integration/jenkins/slave.nix @@ -50,7 +50,7 @@ in { }; config = mkIf (cfg.enable && !masterCfg.enable) { - users.groups = optional (cfg.group == "jenkins") { + users.groups = optionalAttrs (cfg.group == "jenkins") { jenkins.gid = config.ids.gids.jenkins; }; diff --git a/nixpkgs/nixos/modules/services/databases/openldap.nix b/nixpkgs/nixos/modules/services/databases/openldap.nix index 5bf57a1bf9cb..809f61cfa818 100644 --- a/nixpkgs/nixos/modules/services/databases/openldap.nix +++ b/nixpkgs/nixos/modules/services/databases/openldap.nix @@ -259,6 +259,8 @@ in ${openldap.out}/bin/slapadd ${configOpts} -l ${dataFile} ''} chown -R "${cfg.user}:${cfg.group}" "${cfg.dataDir}" + + ${openldap}/bin/slaptest ${configOpts} ''; serviceConfig.ExecStart = "${openldap.out}/libexec/slapd -d '${cfg.logLevel}' " + 
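Review bot: The added `${openldap}/bin/slaptest ${configOpts}` uses `${openldap}` where the neighbouring lines use `${openldap.out}` (`slapadd`, `slapd`); they resolve to the same store path when `out` is the default output, but the mixed spelling reads as an oversight, so `${openldap.out}/bin/slaptest ${configOpts}` is the consistent form. It also runs after the `chown -R` line, so if slaptest creates anything under the data directory it will not be owned by `${cfg.user}`; if it is a pure check, a comment such as `# validate the generated configuration before slapd starts` would make that clear. The preStart script starts outside the hunk.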
diff --git a/nixpkgs/nixos/modules/services/hardware/usbmuxd.nix b/nixpkgs/nixos/modules/services/hardware/usbmuxd.nix index 50b931dcb487..11a4b0a858f9 100644 --- a/nixpkgs/nixos/modules/services/hardware/usbmuxd.nix +++ b/nixpkgs/nixos/modules/services/hardware/usbmuxd.nix @@ -51,7 +51,7 @@ in }; }; - users.groups = optional (cfg.group == defaultUserGroup) { + users.groups = optionalAttrs (cfg.group == defaultUserGroup) { ${cfg.group} = { }; }; diff --git a/nixpkgs/nixos/modules/services/mail/postfix.nix b/nixpkgs/nixos/modules/services/mail/postfix.nix index d7378821440d..19e11b31d9ca 100644 --- a/nixpkgs/nixos/modules/services/mail/postfix.nix +++ b/nixpkgs/nixos/modules/services/mail/postfix.nix @@ -612,10 +612,7 @@ in { environment = { - etc = singleton - { source = "/var/lib/postfix/conf"; - target = "postfix"; - }; + etc.postfix.source = "/var/lib/postfix/conf"; # This makes it comfortable to run 'postqueue/postdrop' for example. systemPackages = [ pkgs.postfix ]; diff --git a/nixpkgs/nixos/modules/services/misc/gitea.nix b/nixpkgs/nixos/modules/services/misc/gitea.nix index 258476dd9feb..38910a5a005d 100644 --- a/nixpkgs/nixos/modules/services/misc/gitea.nix +++ b/nixpkgs/nixos/modules/services/misc/gitea.nix @@ -364,7 +364,7 @@ in ''} sed -e "s,#secretkey#,$KEY,g" \ -e "s,#dbpass#,$DBPASS,g" \ - -e "s,#jwtsecet#,$JWTSECET,g" \ + -e "s,#jwtsecret#,$JWTSECRET,g" \ -e "s,#mailerpass#,$MAILERPASSWORD,g" \ -i ${runConfig} chmod 640 ${runConfig} ${secretKey} ${jwtSecret} diff --git a/nixpkgs/nixos/modules/services/misc/paperless.nix b/nixpkgs/nixos/modules/services/misc/paperless.nix index 3985dc0b303c..bfaf760fb836 100644 --- a/nixpkgs/nixos/modules/services/misc/paperless.nix +++ b/nixpkgs/nixos/modules/services/misc/paperless.nix 
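Review bot: The corrected `-e "s,#jwtsecret#,$JWTSECRET,g"` substitutes the secret through sed with `,` as delimiter and no escaping, so a secret containing `,`, `&` or `\` would corrupt `${runConfig}` or be written altered; if `$JWTSECRET` is generated from a restricted alphabet earlier in this script that is fine, and a comment on the `sed` call recording that assumption would make it visible to whoever changes the generator. The surrounding preStart script begins outside the hunk.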
@@ -123,9 +123,9 @@ in config = mkIf cfg.enable { systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' - ${cfg.user} ${cfg.user} - -" + "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -" ] ++ (optional cfg.consumptionDirIsPublic - "d '${cfg.consumptionDir}' 777 ${cfg.user} ${cfg.user} - -" + "d '${cfg.consumptionDir}' 777 - - - -" # If the consumption dir is not created here, it's automatically created by # 'manage' with the default permissions. ); @@ -169,17 +169,15 @@ in }; users = optionalAttrs (cfg.user == defaultUser) { - users = [{ - name = defaultUser; + users.${defaultUser} = { group = defaultUser; uid = config.ids.uids.paperless; home = cfg.dataDir; - }]; + }; - groups = [{ - name = defaultUser; + groups.${defaultUser} = { gid = config.ids.gids.paperless; - }]; + }; }; }; } diff --git a/nixpkgs/nixos/modules/services/networking/corerad.nix b/nixpkgs/nixos/modules/services/networking/corerad.nix new file mode 100644 index 000000000000..1a2c4aec6651 --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/corerad.nix 
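Review bot: The rewritten tmpfiles rule `"d '${cfg.consumptionDir}' 777 - - - -"` makes the consumption directory world-writable without the sticky bit, so any local user can delete or rename documents another user dropped there before paperless consumes them; `"d '${cfg.consumptionDir}' 1777 - - - -"`, as on /tmp, keeps the drop-box behaviour that `consumptionDirIsPublic` describes while preventing that. The owner change from `${cfg.user}` to `-` is consistent with a directory that is meant to be public.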
@@ -0,0 +1,46 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.corerad;
+in {
+ meta = {
+ maintainers = with maintainers; [ mdlayher ];
+ };
+
+ options.services.corerad = {
+ enable = mkEnableOption "CoreRAD IPv6 NDP RA daemon";
+
+ configFile = mkOption {
+ type = types.path;
+ example = literalExample "\"\${pkgs.corerad}/etc/corerad/corerad.toml\"";
+ description = "Path to CoreRAD TOML configuration file.";
+ };
+
+ package = mkOption {
+ default = pkgs.corerad;
+ defaultText = literalExample "pkgs.corerad";
+ type = types.package;
+ description = "CoreRAD package to use.";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.corerad = {
+ description = "CoreRAD IPv6 NDP RA daemon";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ LimitNPROC = 512;
+ LimitNOFILE = 1048576;
+ CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
+ AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW";
+ NoNewPrivileges = true;
+ DynamicUser = true;
+ ExecStart = "${getBin cfg.package}/bin/corerad -c=${cfg.configFile}";
+ Restart = "on-failure";
+ };
+ };
+ };
+}
diff --git a/nixpkgs/nixos/modules/services/networking/matterbridge.nix b/nixpkgs/nixos/modules/services/networking/matterbridge.nix
index bad35133459a..b8b4f37c84a8 100644
--- a/nixpkgs/nixos/modules/services/networking/matterbridge.nix
+++ b/nixpkgs/nixos/modules/services/networking/matterbridge.nix
@@ -111,7 +111,7 @@ in
serviceConfig = {
User = cfg.user;
Group = cfg.group;
- ExecStart = "${pkgs.matterbridge.bin}/bin/matterbridge -conf ${matterbridgeConfToml}";
+ ExecStart = "${pkgs.matterbridge}/bin/matterbridge -conf ${matterbridgeConfToml}";
Restart = "always";
RestartSec = "10";
};
diff --git a/nixpkgs/nixos/modules/services/networking/ndppd.nix b/nixpkgs/nixos/modules/services/networking/ndppd.nix
index 92088623517f..e015f76f622b 100644
--- a/nixpkgs/nixos/modules/services/networking/ndppd.nix
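Review bot: The new corerad unit grants `CAP_NET_ADMIN CAP_NET_RAW` ambiently but adds none of the filesystem and kernel-surface restrictions that the ndppd unit in this same commit applies to a comparably privileged daemon (`ProtectSystem = "strict"`, `ProtectHome`, `PrivateTmp`, `PrivateDevices`, `ProtectKernelTunables`, `ProtectKernelModules`, `RestrictNamespaces`, `RestrictAddressFamilies`); the same block fits here, with the address families narrowed to those corerad actually opens, which the hunk does not let me confirm. Separately, `DynamicUser = true` means `cfg.configFile` is read by a transient UID, so a file outside the Nix store with a restrictive mode fails at `ExecStart`; the option description could say so: `"Path to CoreRAD TOML configuration file. The service runs with DynamicUser, so the file must be readable by an unprivileged user (store paths are)."`.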
+++ b/nixpkgs/nixos/modules/services/networking/ndppd.nix @@ -161,7 +161,25 @@ in { documentation = [ "man:ndppd(1)" "man:ndppd.conf(5)" ]; after = [ "network-pre.target" ]; wantedBy = [ "multi-user.target" ]; - serviceConfig.ExecStart = "${pkgs.ndppd}/bin/ndppd -c ${ndppdConf}"; + serviceConfig = { + ExecStart = "${pkgs.ndppd}/bin/ndppd -c ${ndppdConf}"; + + # Sandboxing + CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN"; + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + RestrictAddressFamilies = "AF_INET6 AF_PACKET AF_NETLINK"; + RestrictNamespaces = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + }; }; }; } diff --git a/nixpkgs/nixos/modules/services/networking/syncthing.nix b/nixpkgs/nixos/modules/services/networking/syncthing.nix index 47b10e408c02..5b3eb6f04b42 100644 --- a/nixpkgs/nixos/modules/services/networking/syncthing.nix +++ b/nixpkgs/nixos/modules/services/networking/syncthing.nix @@ -484,6 +484,24 @@ in { -gui-address=${cfg.guiAddress} \ -home=${cfg.configDir} ''; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectControlGroups = true; + ProtectHostname = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + CapabilityBoundingSet = [ + "~CAP_SYS_PTRACE" "~CAP_SYS_ADMIN" + "~CAP_SETGID" "~CAP_SETUID" "~CAP_SETPCAP" + "~CAP_SYS_TIME" "~CAP_KILL" + ]; }; }; syncthing-init = mkIf ( diff --git a/nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix b/nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix index 8f05c3949fba..de0f11595a94 100644 --- a/nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix 
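Review bot: The new ndppd `serviceConfig` adds a capability bounding set and a set of Protect*/Restrict* options but not `NoNewPrivileges = true;`, which the corerad and syncthing units in this same commit do set. Nothing in the hunk moves the unit to a non-root user, and whether systemd implies NoNewPrivileges from the other options depends on the systemd version and on the unit's user, so spelling it out removes that dependency and keeps the three units consistent. The enclosing unit definition starts outside the hunk.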
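Review bot: `CapabilityBoundingSet = [ "~CAP_SYS_PTRACE" … "~CAP_KILL" ]` is a denylist, so CAP_NET_ADMIN, CAP_NET_RAW, CAP_DAC_OVERRIDE, CAP_SYS_MODULE and every other capability not named stay in the bounding set. The unit appears to run as `cfg.user` (the `User=` line is outside the hunk), in which case an allowlist costs nothing: `CapabilityBoundingSet = "";` drops all of them and is easier to audit than an exclusion list that has to be extended whenever a new capability matters. If a specific capability turns out to be required, naming it positively is clearer than enumerating what is forbidden.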
+++ b/nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix @@ -233,6 +233,7 @@ in { path = [ pkgs.wpa_supplicant ]; script = '' + iface_args="-s -u -D${cfg.driver} -c ${configFile}" ${if ifaces == [] then '' for i in $(cd /sys/class/net && echo *); do DEVTYPE= @@ -240,14 +241,14 @@ in { if [ -e "$UEVENT_PATH" ]; then source "$UEVENT_PATH" if [ "$DEVTYPE" = "wlan" -o -e /sys/class/net/$i/wireless ]; then - ifaces="$ifaces''${ifaces:+ -N} -i$i" + args+="''${args:+ -N} -i$i $iface_args" fi fi done '' else '' - ifaces="${concatStringsSep " -N " (map (i: "-i${i}") ifaces)}" + args="${concatMapStringsSep " -N " (i: "-i${i} $iface_args") ifaces}" ''} - exec wpa_supplicant -s -u -D${cfg.driver} -c ${configFile} $ifaces + exec wpa_supplicant $args ''; }; diff --git a/nixpkgs/nixos/modules/services/networking/xandikos.nix b/nixpkgs/nixos/modules/services/networking/xandikos.nix new file mode 100644 index 000000000000..87c029156b9e --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/xandikos.nix 
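Review bot: `args+="''${args:+ -N} -i$i $iface_args"` and `exec wpa_supplicant $args` now assemble the whole command line in one string that is deliberately split on whitespace at exec time; interface names and store paths are safe, but `cfg.driver` is user-supplied and a value containing whitespace would be split into separate arguments with no error. A one-line comment at the new `iface_args=` assignment, `# $iface_args and $args are intentionally unquoted: each holds several words`, keeps the next maintainer from "fixing" the quoting and breaking the exec; a bash array (`args=()` / `"''${args[@]}"`) would make the intent explicit. The `script` block starts and ends outside the two hunks.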
@@ -0,0 +1,148 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.xandikos; +in +{ + + options = { + services.xandikos = { + enable = mkEnableOption "Xandikos CalDAV and CardDAV server"; + + package = mkOption { + type = types.package; + default = pkgs.xandikos; + defaultText = "pkgs.xandikos"; + description = "The Xandikos package to use."; + }; + + address = mkOption { + type = types.str; + default = "localhost"; + description = '' + The IP address on which Xandikos will listen. + By default listens on localhost. + ''; + }; + + port = mkOption { + type = types.port; + default = 8080; + description = "The port of the Xandikos web application"; + }; + + routePrefix = mkOption { + type = types.str; + default = "/"; + description = '' + Path to Xandikos. + Useful when Xandikos is behind a reverse proxy. + ''; + }; + + extraOptions = mkOption { + default = []; + type = types.listOf types.str; + example = literalExample '' + [ "--autocreate" + "--defaults" + "--current-user-principal user" + "--dump-dav-xml" + ] + ''; + description = '' + Extra command line arguments to pass to xandikos. + ''; + }; + + nginx = mkOption { + default = {}; + description = '' + Configuration for nginx reverse proxy. + ''; + + type = types.submodule { + options = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Configure the nginx reverse proxy settings. 
+ ''; + }; + + hostName = mkOption { + type = types.str; + description = '' + The hostname use to setup the virtualhost configuration + ''; + }; + }; + }; + }; + + }; + + }; + + config = mkIf cfg.enable ( + mkMerge [ + { + meta.maintainers = [ lib.maintainers."0x4A6F" ]; + + systemd.services.xandikos = { + description = "A Simple Calendar and Contact Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + User = "xandikos"; + Group = "xandikos"; + DynamicUser = "yes"; + RuntimeDirectory = "xandikos"; + StateDirectory = "xandikos"; + StateDirectoryMode = "0700"; + PrivateDevices = true; + # Sandboxing + CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN"; + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_PACKET AF_NETLINK"; + RestrictNamespaces = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + ExecStart = '' + ${cfg.package}/bin/xandikos \ + --directory /var/lib/xandikos \ + --listen_address ${cfg.address} \ + --port ${toString cfg.port} \ + --route-prefix ${cfg.routePrefix} \ + ${lib.concatStringsSep " " cfg.extraOptions} + ''; + }; + }; + } + + ( + mkIf cfg.nginx.enable { + services.nginx = { + enable = true; + virtualHosts."${cfg.nginx.hostName}" = { + locations."/" = { + proxyPass = "http://${cfg.address}:${toString cfg.port}/"; + }; + }; + }; + } + ) + ] + ); +} diff --git a/nixpkgs/nixos/modules/services/networking/zerotierone.nix b/nixpkgs/nixos/modules/services/networking/zerotierone.nix index 764af3846fe5..069e15a909b7 100644 --- a/nixpkgs/nixos/modules/services/networking/zerotierone.nix +++ b/nixpkgs/nixos/modules/services/networking/zerotierone.nix 
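Review bot: The xandikos `serviceConfig` copies the ndppd sandbox verbatim, including `CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN"` and `RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_PACKET AF_NETLINK"`, yet as invoked here xandikos is an HTTP server bound via `--listen_address`/`--port` with no visible need for raw sockets, netlink or network-admin rights. `CapabilityBoundingSet = "";` and `RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";` would be the tighter allowlist, to be confirmed against the daemon. The nginx block proxies `locations."/"` to `http://${cfg.address}:${toString cfg.port}/` regardless of `cfg.routePrefix`, so a non-default prefix produces a vhost whose path does not match what the daemon expects. That vhost also enables neither `forceSSL` nor `enableACME`, so CalDAV/CardDAV credentials cross the network in clear unless the user configures TLS separately; both points belong in the `nginx` option description.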
@@ -38,10 +38,13 @@ in config = mkIf cfg.enable { systemd.services.zerotierone = { description = "ZeroTierOne"; - path = [ cfg.package ]; - bindsTo = [ "network-online.target" ]; - after = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + wants = [ "network-online.target" ]; + + path = [ cfg.package ]; + preStart = '' mkdir -p /var/lib/zerotier-one/networks.d chmod 700 /var/lib/zerotier-one @@ -53,6 +56,7 @@ in ExecStart = "${cfg.package}/bin/zerotier-one -p${toString cfg.port}"; Restart = "always"; KillMode = "process"; + TimeoutStopSec = 5; }; }; diff --git a/nixpkgs/nixos/modules/services/security/certmgr.nix b/nixpkgs/nixos/modules/services/security/certmgr.nix index e89078883ebe..94c0ba141179 100644 --- a/nixpkgs/nixos/modules/services/security/certmgr.nix +++ b/nixpkgs/nixos/modules/services/security/certmgr.nix @@ -113,7 +113,7 @@ in otherCert = "/var/certmgr/specs/other-cert.json"; } ''; - type = with types; attrsOf (either (submodule { + type = with types; attrsOf (either path (submodule { options = { service = mkOption { type = nullOr str; @@ -148,7 +148,7 @@ in description = "certmgr spec request object."; }; }; - }) path); + })); description = '' Certificate specs as described by: <link xlink:href="https://github.com/cloudflare/certmgr#certificate-specs" /> diff --git a/nixpkgs/nixos/modules/services/torrent/transmission.nix b/nixpkgs/nixos/modules/services/torrent/transmission.nix index aa1acdf7d20b..5ba72e8d7730 100644 --- a/nixpkgs/nixos/modules/services/torrent/transmission.nix +++ b/nixpkgs/nixos/modules/services/torrent/transmission.nix 
@@ -129,19 +129,23 @@ in # It's useful to have transmission in path, e.g. for remote control environment.systemPackages = [ pkgs.transmission ]; - users.users = optionalAttrs (cfg.user == "transmission") (singleton - { name = "transmission"; + users.users = optionalAttrs (cfg.user == "transmission") ({ + transmission = { + name = "transmission"; group = cfg.group; uid = config.ids.uids.transmission; description = "Transmission BitTorrent user"; home = homeDir; createHome = true; - }); + }; + }); - users.groups = optionalAttrs (cfg.group == "transmission") (singleton - { name = "transmission"; + users.groups = optionalAttrs (cfg.group == "transmission") ({ + transmission = { + name = "transmission"; gid = config.ids.gids.transmission; - }); + }; + }); # AppArmor profile security.apparmor.profiles = mkIf apparmor [ diff --git a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix index 4460f89ec5c1..fd17e4b54f0f 100644 --- a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -629,6 +629,9 @@ in environment.systemPackages = [httpd]; + # required for "apachectl configtest" + environment.etc."httpd/httpd.conf".source = httpdConf; + services.httpd.phpOptions = '' ; Needed for PHP's mail() function. diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/gitweb.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/gitweb.nix index 272fd1480185..f7fb07bb7975 100644 --- a/nixpkgs/nixos/modules/services/web-servers/nginx/gitweb.nix +++ b/nixpkgs/nixos/modules/services/web-servers/nginx/gitweb.nix 
@@ -3,8 +3,9 @@ with lib; let - cfg = config.services.gitweb; - package = pkgs.gitweb.override (optionalAttrs cfg.gitwebTheme { + cfg = config.services.nginx.gitweb; + gitwebConfig = config.services.gitweb; + package = pkgs.gitweb.override (optionalAttrs gitwebConfig.gitwebTheme { gitwebTheme = true; }); @@ -17,13 +18,45 @@ in default = false; type = types.bool; description = '' - If true, enable gitweb in nginx. Access it at http://yourserver/gitweb + If true, enable gitweb in nginx. + ''; + }; + + location = mkOption { + default = "/gitweb"; + type = types.str; + description = '' + Location to serve gitweb on. + ''; + }; + + user = mkOption { + default = "nginx"; + type = types.str; + description = '' + Existing user that the CGI process will belong to. (Default almost surely will do.) + ''; + }; + + group = mkOption { + default = "nginx"; + type = types.str; + description = '' + Group that the CGI process will belong to. (Set to <literal>config.services.gitolite.group</literal> if you are using gitolite.) + ''; + }; + + virtualHost = mkOption { + default = "_"; + type = types.str; + description = '' + VirtualHost to serve gitweb on. Default is catch-all. ''; }; }; - config = mkIf config.services.nginx.gitweb.enable { + config = mkIf cfg.enable { systemd.services.gitweb = { description = "GitWeb service"; 
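Review bot: The new `location` option is spliced unchecked into `locations."${cfg.location}/static/"` and `locations."${cfg.location}/"` in the following hunk, so a value ending in `/` yields a `//` location and a value containing nginx location modifiers (`~`, `^~`, `=`) or whitespace changes the match semantics rather than failing evaluation. The description should state the expected shape: `Location to serve gitweb on. Must start with a slash and must not end with one, e.g. "/gitweb".`. The enclosing `options` attrset starts outside the hunk.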
@@ -32,22 +65,22 @@ in FCGI_SOCKET_PATH = "/run/gitweb/gitweb.sock"; }; serviceConfig = { - User = "nginx"; - Group = "nginx"; + User = cfg.user; + Group = cfg.group; RuntimeDirectory = [ "gitweb" ]; }; wantedBy = [ "multi-user.target" ]; }; services.nginx = { - virtualHosts.default = { - locations."/gitweb/static/" = { + virtualHosts.${cfg.virtualHost} = { + locations."${cfg.location}/static/" = { alias = "${package}/static/"; }; - locations."/gitweb/" = { + locations."${cfg.location}/" = { extraConfig = '' include ${pkgs.nginx}/conf/fastcgi_params; - fastcgi_param GITWEB_CONFIG ${cfg.gitwebConfigFile}; + fastcgi_param GITWEB_CONFIG ${gitwebConfig.gitwebConfigFile}; fastcgi_pass unix:/run/gitweb/gitweb.sock; ''; }; diff --git a/nixpkgs/nixos/modules/services/web-servers/unit/default.nix b/nixpkgs/nixos/modules/services/web-servers/unit/default.nix index 2303dfa95404..b0b837cd1929 100644 --- a/nixpkgs/nixos/modules/services/web-servers/unit/default.nix +++ b/nixpkgs/nixos/modules/services/web-servers/unit/default.nix @@ -111,7 +111,7 @@ in { AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ]; # Security NoNewPrivileges = true; - # Sanboxing + # Sandboxing ProtectSystem = "full"; ProtectHome = true; RuntimeDirectory = "unit"; diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix index 6d9bd284bc72..ba9906072b3f 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix @@ -144,7 +144,7 @@ in services.gnome3.core-shell.enable = true; services.gnome3.core-utilities.enable = mkDefault true; - services.xserver.displayManager.sessionPackages = [ pkgs.gnome3.gnome-session ]; + services.xserver.displayManager.sessionPackages = [ pkgs.gnome3.gnome-session.sessions ]; environment.extraInit = '' ${concatMapStrings (p: '' 
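Review bot: `User = cfg.user; Group = cfg.group;` make the CGI process owner configurable, but the hunk keeps `RuntimeDirectory = [ "gitweb" ]` and the socket at `FCGI_SOCKET_PATH` that nginx must still connect to as its own worker user; once `user` is anything other than nginx, reachability depends on the socket's mode and on `cfg.group` matching nginx's group, and nothing here enforces or documents that. A comment at the `User` line, `# nginx must be able to connect to /run/gitweb/gitweb.sock; when cfg.user is not nginx, check the socket's group and mode`, or an assertion on `cfg.group` when `cfg.user != "nginx"`, would close that gap. How the socket is created is outside the hunk, so the exact mode cannot be confirmed here.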
@@ -249,11 +249,17 @@ in services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); services.telepathy.enable = mkDefault true; - systemd.packages = with pkgs.gnome3; [ vino gnome-session ]; + systemd.packages = with pkgs.gnome3; [ + gnome-session + gnome-shell + vino + ]; services.avahi.enable = mkDefault true; - xdg.portal.extraPortals = [ pkgs.gnome3.gnome-shell ]; + xdg.portal.extraPortals = [ + pkgs.gnome3.gnome-shell + ]; services.geoclue2.enable = mkDefault true; services.geoclue2.enableDemoAgent = false; # GNOME has its own geoclue agent diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix b/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix index 2f8c8cc90137..325023f4121a 100644 --- a/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix +++ b/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix @@ -174,6 +174,10 @@ in "f /run/gdm/.config/gnome-initial-setup-done 0711 gdm gdm - yes" ]; + # Otherwise GDM will not be able to start correctly and display Wayland sessions + systemd.packages = with pkgs.gnome3; [ gnome-session gnome-shell ]; + environment.systemPackages = [ pkgs.gnome3.adwaita-icon-theme ]; + systemd.services.display-manager.wants = [ # Because sd_login_monitor_new requires /run/systemd/machines "systemd-machined.service" diff --git a/nixpkgs/nixos/modules/services/x11/hardware/multitouch.nix b/nixpkgs/nixos/modules/services/x11/hardware/multitouch.nix deleted file mode 100644 index c03bb3b494fb..000000000000 --- a/nixpkgs/nixos/modules/services/x11/hardware/multitouch.nix +++ /dev/null 
@@ -1,94 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let cfg = config.services.xserver.multitouch; - disabledTapConfig = '' - Option "MaxTapTime" "0" - Option "MaxTapMove" "0" - Option "TapButton1" "0" - Option "TapButton2" "0" - Option "TapButton3" "0" - ''; -in { - - options = { - - services.xserver.multitouch = { - - enable = mkOption { - default = false; - description = "Whether to enable multitouch touchpad support."; - }; - - invertScroll = mkOption { - default = false; - type = types.bool; - description = "Whether to invert scrolling direction à la OSX Lion"; - }; - - ignorePalm = mkOption { - default = false; - type = types.bool; - description = "Whether to ignore touches detected as being the palm (i.e when typing)"; - }; - - tapButtons = mkOption { - type = types.bool; - default = true; - description = "Whether to enable tap buttons."; - }; - - buttonsMap = mkOption { - type = types.listOf types.int; - default = [3 2 0]; - example = [1 3 2]; - description = "Remap touchpad buttons."; - apply = map toString; - }; - - additionalOptions = mkOption { - type = types.str; - default = ""; - example = '' - Option "ScaleDistance" "50" - Option "RotateDistance" "60" - ''; - description = '' - Additional options for mtrack touchpad driver. 
- ''; - }; - - }; - - }; - - config = mkIf cfg.enable { - - services.xserver.modules = [ pkgs.xf86_input_mtrack ]; - - services.xserver.config = - '' - # Automatically enable the multitouch driver - Section "InputClass" - MatchIsTouchpad "on" - Identifier "Touchpads" - Driver "mtrack" - Option "IgnorePalm" "${boolToString cfg.ignorePalm}" - Option "ClickFinger1" "${builtins.elemAt cfg.buttonsMap 0}" - Option "ClickFinger2" "${builtins.elemAt cfg.buttonsMap 1}" - Option "ClickFinger3" "${builtins.elemAt cfg.buttonsMap 2}" - ${optionalString (!cfg.tapButtons) disabledTapConfig} - ${optionalString cfg.invertScroll '' - Option "ScrollUpButton" "5" - Option "ScrollDownButton" "4" - Option "ScrollLeftButton" "7" - Option "ScrollRightButton" "6" - ''} - ${cfg.additionalOptions} - EndSection - ''; - - }; - -} diff --git a/nixpkgs/nixos/modules/services/x11/unclutter.nix b/nixpkgs/nixos/modules/services/x11/unclutter.nix index 2478aaabb799..c0868604a688 100644 --- a/nixpkgs/nixos/modules/services/x11/unclutter.nix +++ b/nixpkgs/nixos/modules/services/x11/unclutter.nix @@ -32,7 +32,7 @@ in { default = 1; }; - threeshold = mkOption { + threshold = mkOption { description = "Minimum number of pixels considered cursor movement"; type = types.int; default = 1; @@ -72,6 +72,11 @@ in { }; }; + imports = [ + (mkRenamedOptionModule [ "services" "unclutter" "threeshold" ] + [ "services" "unclutter" "threshold" ]) + ]; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; } diff --git a/nixpkgs/nixos/modules/system/boot/networkd.nix b/nixpkgs/nixos/modules/system/boot/networkd.nix index 3e289a63139f..56a9d6b11380 100644 --- a/nixpkgs/nixos/modules/system/boot/networkd.nix +++ b/nixpkgs/nixos/modules/system/boot/networkd.nix 
@@ -49,7 +49,7 @@ let (assertValueOneOf "Kind" [ "bond" "bridge" "dummy" "gre" "gretap" "ip6gre" "ip6tnl" "ip6gretap" "ipip" "ipvlan" "macvlan" "macvtap" "sit" "tap" "tun" "veth" "vlan" "vti" "vti6" - "vxlan" "geneve" "vrf" "vcan" "vxcan" "wireguard" "netdevsim" + "vxlan" "geneve" "vrf" "vcan" "vxcan" "wireguard" "netdevsim" "xfrm" ]) (assertByteFormat "MTUBytes") (assertMacAddress "MACAddress") @@ -172,6 +172,14 @@ let (assertValueOneOf "AllSlavesActive" boolValues) ]; + checkXfrm = checkUnitConfig "Xfrm" [ + (assertOnlyFields [ + "InterfaceId" "Independent" + ]) + (assertRange "InterfaceId" 1 4294967295) + (assertValueOneOf "Independent" boolValues) + ]; + checkNetwork = checkUnitConfig "Network" [ (assertOnlyFields [ "Description" "DHCP" "DHCPServer" "LinkLocalAddressing" "IPv4LLRoute" @@ -182,7 +190,7 @@ let "IPv6HopLimit" "IPv4ProxyARP" "IPv6ProxyNDP" "IPv6ProxyNDPAddress" "IPv6PrefixDelegation" "IPv6MTUBytes" "Bridge" "Bond" "VRF" "VLAN" "IPVLAN" "MACVLAN" "VXLAN" "Tunnel" "ActiveSlave" "PrimarySlave" - "ConfigureWithoutCarrier" + "ConfigureWithoutCarrier" "Xfrm" ]) # Note: For DHCP the values both, none, v4, v6 are deprecated (assertValueOneOf "DHCP" ["yes" "no" "ipv4" "ipv6" "both" "none" "v4" "v6"]) @@ -477,6 +485,18 @@ let ''; }; + xfrmConfig = mkOption { + default = {}; + example = { InterfaceId = 1; }; + type = types.addCheck (types.attrsOf unitOption) checkXfrm; + description = '' + Each attribute in this set specifies an option in the + <literal>[Xfrm]</literal> section of the unit. See + <citerefentry><refentrytitle>systemd.netdev</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> for details. + ''; + }; + }; addressOptions = { 
@@ -712,6 +732,16 @@ let ''; }; + xfrm = mkOption { + default = [ ]; + type = types.listOf types.str; + description = '' + A list of xfrm interfaces to be added to the network section of the + unit. See <citerefentry><refentrytitle>systemd.network</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> for details. + ''; + }; + addresses = mkOption { default = [ ]; type = with types; listOf (submodule addressOptions); @@ -810,6 +840,11 @@ let ${attrsToSection def.bondConfig} ''} + ${optionalString (def.xfrmConfig != { }) '' + [Xfrm] + ${attrsToSection def.xfrmConfig} + + ''} ${optionalString (def.wireguardConfig != { }) '' [WireGuard] ${attrsToSection def.wireguardConfig} @@ -847,6 +882,7 @@ let ${concatStringsSep "\n" (map (s: "MACVLAN=${s}") def.macvlan)} ${concatStringsSep "\n" (map (s: "VXLAN=${s}") def.vxlan)} ${concatStringsSep "\n" (map (s: "Tunnel=${s}") def.tunnel)} + ${concatStringsSep "\n" (map (s: "Xfrm=${s}") def.xfrm)} ${optionalString (def.dhcpConfig != { }) '' [DHCP] diff --git a/nixpkgs/nixos/modules/system/boot/systemd-lib.nix b/nixpkgs/nixos/modules/system/boot/systemd-lib.nix index 28ad4f121bbe..fd1a5b9f62c5 100644 --- a/nixpkgs/nixos/modules/system/boot/systemd-lib.nix +++ b/nixpkgs/nixos/modules/system/boot/systemd-lib.nix @@ -147,7 +147,13 @@ in rec { done # Symlink all units provided listed in systemd.packages. - for i in ${toString cfg.packages}; do + packages="${toString cfg.packages}" + + # Filter duplicate directories + declare -A unique_packages + for k in $packages ; do unique_packages[$k]=1 ; done + + for i in ''${!unique_packages[@]}; do for fn in $i/etc/systemd/${type}/* $i/lib/systemd/${type}/*; do if ! [[ "$fn" =~ .wants$ ]]; then if [[ -d "$fn" ]]; then diff --git a/nixpkgs/nixos/tests/all-tests.nix b/nixpkgs/nixos/tests/all-tests.nix index fe9c4df1416f..eb69457fb7e9 100644 --- a/nixpkgs/nixos/tests/all-tests.nix +++ b/nixpkgs/nixos/tests/all-tests.nix 
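Review bot: `for i in ''${!unique_packages[@]}` iterates an associative array, whose key order is unspecified, so after this change the order in which package directories are symlinked no longer follows `cfg.packages`; if two packages ship a unit file of the same name, which one wins is decided by whatever the loop body below the hunk does on the second occurrence, and that outcome now depends on bash's hash layout instead of the deterministic list order it was before. Deduplicating while keeping first-occurrence order avoids that, as sketched below; the symlinking loop body is outside the hunk and unchanged.
```nix
      packages="${toString cfg.packages}"

      # Filter duplicate directories, keeping the first occurrence so that
      # the symlink order still follows systemd.packages.
      declare -A seen
      unique_packages=
      for k in $packages ; do
        if [[ -z ''${seen[$k]:-} ]]; then
          seen[$k]=1
          unique_packages="$unique_packages $k"
        fi
      done

      for i in $unique_packages; do
        # … unchanged: symlinking of $i/etc/systemd and $i/lib/systemd units …
```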
@@ -33,6 +33,7 @@ in bind = handleTest ./bind.nix {}; bittorrent = handleTest ./bittorrent.nix {}; #blivet = handleTest ./blivet.nix {}; # broken since 2017-07024 + buildkite-agent = handleTest ./buildkite-agent.nix {}; boot = handleTestOn ["x86_64-linux"] ./boot.nix {}; # syslinux is unsupported on aarch64 boot-stage1 = handleTest ./boot-stage1.nix {}; borgbackup = handleTest ./borgbackup.nix {}; @@ -61,6 +62,7 @@ in containers-portforward = handleTest ./containers-portforward.nix {}; containers-restart_networking = handleTest ./containers-restart_networking.nix {}; containers-tmpfs = handleTest ./containers-tmpfs.nix {}; + corerad = handleTest ./corerad.nix {}; couchdb = handleTest ./couchdb.nix {}; deluge = handleTest ./deluge.nix {}; dhparams = handleTest ./dhparams.nix {}; @@ -295,6 +297,7 @@ in wireguard-generated = handleTest ./wireguard/generated.nix {}; wireguard-namespaces = handleTest ./wireguard/namespaces.nix {}; wordpress = handleTest ./wordpress.nix {}; + xandikos = handleTest ./xandikos.nix {}; xautolock = handleTest ./xautolock.nix {}; xfce = handleTest ./xfce.nix {}; xmonad = handleTest ./xmonad.nix {}; diff --git a/nixpkgs/nixos/tests/bittorrent.nix b/nixpkgs/nixos/tests/bittorrent.nix index e5be652c7112..0a97d5556a26 100644 --- a/nixpkgs/nixos/tests/bittorrent.nix +++ b/nixpkgs/nixos/tests/bittorrent.nix @@ -18,6 +18,17 @@ let externalRouterAddress = "80.100.100.1"; externalClient2Address = "80.100.100.2"; externalTrackerAddress = "80.100.100.3"; + + transmissionConfig = { ... }: { + environment.systemPackages = [ pkgs.transmission ]; + services.transmission = { + enable = true; + settings = { + dht-enabled = false; + message-level = 3; + }; + }; + }; in { 
@@ -26,88 +37,79 @@ in maintainers = [ domenkozar eelco rob bobvanderlinden ]; }; - nodes = - { tracker = - { pkgs, ... }: - { environment.systemPackages = [ pkgs.transmission ]; - - virtualisation.vlans = [ 1 ]; - networking.interfaces.eth1.ipv4.addresses = [ - { address = externalTrackerAddress; prefixLength = 24; } - ]; - - # We need Apache on the tracker to serve the torrents. - services.httpd.enable = true; - services.httpd.adminAddr = "foo@example.org"; - services.httpd.documentRoot = "/tmp"; - - networking.firewall.enable = false; - - services.opentracker.enable = true; - - services.transmission.enable = true; - services.transmission.settings.dht-enabled = false; - services.transmission.settings.port-forwaring-enabled = false; - }; - - router = - { pkgs, nodes, ... }: - { virtualisation.vlans = [ 1 2 ]; - networking.nat.enable = true; - networking.nat.internalInterfaces = [ "eth2" ]; - networking.nat.externalInterface = "eth1"; - networking.firewall.enable = true; - networking.firewall.trustedInterfaces = [ "eth2" ]; - networking.interfaces.eth0.ipv4.addresses = []; - networking.interfaces.eth1.ipv4.addresses = [ - { address = externalRouterAddress; prefixLength = 24; } - ]; - networking.interfaces.eth2.ipv4.addresses = [ - { address = internalRouterAddress; prefixLength = 24; } - ]; - services.miniupnpd = { - enable = true; - externalInterface = "eth1"; - internalIPs = [ "eth2" ]; - appendConfig = '' - ext_ip=${externalRouterAddress} - ''; + nodes = { + tracker = { pkgs, ... }: { + imports = [ transmissionConfig ]; + + virtualisation.vlans = [ 1 ]; + networking.firewall.enable = false; + networking.interfaces.eth1.ipv4.addresses = [ + { address = externalTrackerAddress; prefixLength = 24; } + ]; + + # We need Apache on the tracker to serve the torrents. 
+ services.httpd = { + enable = true; + virtualHosts = { + "torrentserver.org" = { + adminAddr = "foo@example.org"; + documentRoot = "/tmp"; }; }; + }; + services.opentracker.enable = true; + }; - client1 = - { pkgs, nodes, ... }: - { environment.systemPackages = [ pkgs.transmission pkgs.miniupnpc ]; - virtualisation.vlans = [ 2 ]; - networking.interfaces.eth0.ipv4.addresses = []; - networking.interfaces.eth1.ipv4.addresses = [ - { address = internalClient1Address; prefixLength = 24; } - ]; - networking.defaultGateway = internalRouterAddress; - networking.firewall.enable = false; - services.transmission.enable = true; - services.transmission.settings.dht-enabled = false; - services.transmission.settings.message-level = 3; - }; + router = { pkgs, nodes, ... }: { + virtualisation.vlans = [ 1 2 ]; + networking.nat.enable = true; + networking.nat.internalInterfaces = [ "eth2" ]; + networking.nat.externalInterface = "eth1"; + networking.firewall.enable = true; + networking.firewall.trustedInterfaces = [ "eth2" ]; + networking.interfaces.eth0.ipv4.addresses = []; + networking.interfaces.eth1.ipv4.addresses = [ + { address = externalRouterAddress; prefixLength = 24; } + ]; + networking.interfaces.eth2.ipv4.addresses = [ + { address = internalRouterAddress; prefixLength = 24; } + ]; + services.miniupnpd = { + enable = true; + externalInterface = "eth1"; + internalIPs = [ "eth2" ]; + appendConfig = '' + ext_ip=${externalRouterAddress} + ''; + }; + }; - client2 = - { pkgs, ... }: - { environment.systemPackages = [ pkgs.transmission ]; - virtualisation.vlans = [ 1 ]; - networking.interfaces.eth0.ipv4.addresses = []; - networking.interfaces.eth1.ipv4.addresses = [ - { address = externalClient2Address; prefixLength = 24; } - ]; - networking.firewall.enable = false; - services.transmission.enable = true; - services.transmission.settings.dht-enabled = false; - services.transmission.settings.port-forwaring-enabled = false; - }; + client1 = { pkgs, nodes, ... 
}: { + imports = [ transmissionConfig ]; + environment.systemPackages = [ pkgs.miniupnpc ]; + + virtualisation.vlans = [ 2 ]; + networking.interfaces.eth0.ipv4.addresses = []; + networking.interfaces.eth1.ipv4.addresses = [ + { address = internalClient1Address; prefixLength = 24; } + ]; + networking.defaultGateway = internalRouterAddress; + networking.firewall.enable = false; }; - testScript = - { nodes, ... }: - '' + client2 = { pkgs, ... }: { + imports = [ transmissionConfig ]; + + virtualisation.vlans = [ 1 ]; + networking.interfaces.eth0.ipv4.addresses = []; + networking.interfaces.eth1.ipv4.addresses = [ + { address = externalClient2Address; prefixLength = 24; } + ]; + networking.firewall.enable = false; + }; + }; + + testScript = { nodes, ... }: '' start_all() # Wait for network and miniupnpd. @@ -159,5 +161,4 @@ in "cmp /tmp/test.tar.bz2 ${file}" ) ''; - }) diff --git a/nixpkgs/nixos/tests/buildkite-agent.nix b/nixpkgs/nixos/tests/buildkite-agent.nix new file mode 100644 index 000000000000..3c824c9aedf5 --- /dev/null +++ b/nixpkgs/nixos/tests/buildkite-agent.nix 
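Review bot: The shared `transmissionConfig` drops the `services.transmission.settings.port-forwaring-enabled = false` that the old tracker and client2 nodes carried; because that key was misspelled it never took effect, so behaviour is unchanged, but if the intent was to turn off UPnP on the two nodes that do not sit behind the NAT router, the correctly spelled `port-forwarding-enabled = false` would have to be set on those nodes (not on client1, which the test drives through miniupnpc). Either add it there or leave a comment in `transmissionConfig` saying the misspelled setting was dropped on purpose. The `nodes` attrset of this hunk opens on the previous line.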
@@ -0,0 +1,36 @@ +import ./make-test-python.nix ({ pkgs, ... }: + +{ + name = "buildkite-agent"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ flokli ]; + }; + + nodes = { + node1 = { pkgs, ... }: { + services.buildkite-agent = { + enable = true; + privateSshKeyPath = (import ./ssh-keys.nix pkgs).snakeOilPrivateKey; + tokenPath = (pkgs.writeText "my-token" "5678"); + }; + }; + # don't configure ssh key, run as a separate user + node2 = { pkgs, ...}: { + services.buildkite-agent = { + enable = true; + tokenPath = (pkgs.writeText "my-token" "1234"); + }; + }; + }; + + testScript = '' + start_all() + # we can't wait on the unit to start up, as we obviously can't connect to buildkite, + # but we can look whether files are set up correctly + + node1.wait_for_file("/var/lib/buildkite-agent/buildkite-agent.cfg") + node1.wait_for_file("/var/lib/buildkite-agent/.ssh/id_rsa") + + node2.wait_for_file("/var/lib/buildkite-agent/buildkite-agent.cfg") + ''; +}) diff --git a/nixpkgs/nixos/tests/certmgr.nix b/nixpkgs/nixos/tests/certmgr.nix index cb69f35e862f..ef32f54400e3 100644 --- a/nixpkgs/nixos/tests/certmgr.nix +++ b/nixpkgs/nixos/tests/certmgr.nix @@ -9,8 +9,8 @@ let inherit action; authority = { file = { - group = "nobody"; - owner = "nobody"; + group = "nginx"; + owner = "nginx"; path = "/tmp/${host}-ca.pem"; }; label = "www_ca"; @@ -18,14 +18,14 @@ let remote = "localhost:8888"; }; certificate = { - group = "nobody"; - owner = "nobody"; + group = "nginx"; + owner = "nginx"; path = "/tmp/${host}-cert.pem"; }; private_key = { - group = "nobody"; + group = "nginx"; mode = "0600"; - owner = "nobody"; + owner = "nginx"; path = "/tmp/${host}-key.pem"; }; request = { diff --git a/nixpkgs/nixos/tests/corerad.nix b/nixpkgs/nixos/tests/corerad.nix new file mode 100644 index 000000000000..68b698857b4e --- /dev/null +++ b/nixpkgs/nixos/tests/corerad.nix 
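Review bot: The comment `# don't configure ssh key, run as a separate user` above `node2` is not matched by the configuration: node2 only omits `privateSshKeyPath` and uses a different token, and nothing in the hunk selects a separate user, so the second clause is misleading. Either shorten it to `# don't configure an ssh key`, or, if a per-node user was intended, `node2.wait_for_file("/var/lib/buildkite-agent/buildkite-agent.cfg")` would also have to look at that user's state directory. The tokens are written with `pkgs.writeText` into the world-readable store, which is fine for a VM test; a short comment saying so keeps the test from being copied as a template for real deployments.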
@@ -0,0 +1,71 @@
+import ./make-test-python.nix (
+ {
+ nodes = {
+ router = {config, pkgs, ...}: {
+ config = {
+ # This machines simulates a router with IPv6 forwarding and a static IPv6 address.
+ boot.kernel.sysctl = {
+ "net.ipv6.conf.all.forwarding" = true;
+ };
+ networking.interfaces.eth1 = {
+ ipv6.addresses = [ { address = "fd00:dead:beef:dead::1"; prefixLength = 64; } ];
+ };
+ services.corerad = {
+ enable = true;
+ # Serve router advertisements to the client machine with prefix information matching
+ # any IPv6 /64 prefixes configured on this interface.
+ configFile = pkgs.writeText "corerad.toml" ''
+ [[interfaces]]
+ name = "eth1"
+ send_advertisements = true
+ [[interfaces.plugins]]
+ name = "prefix"
+ prefix = "::/64"
+ '';
+ };
+ };
+ };
+ client = {config, pkgs, ...}: {
+ # Use IPv6 SLAAC from router advertisements, and install rdisc6 so we can
+ # trigger one immediately.
+ config = {
+ boot.kernel.sysctl = {
+ "net.ipv6.conf.all.autoconf" = true;
+ };
+ environment.systemPackages = with pkgs; [
+ ndisc6
+ ];
+ };
+ };
+ };
+
+ testScript = ''
+ start_all()
+
+ with subtest("Wait for CoreRAD and network ready"):
+ # Ensure networking is online and CoreRAD is ready.
+ router.wait_for_unit("network-online.target")
+ client.wait_for_unit("network-online.target")
+ router.wait_for_unit("corerad.service")
+
+ # Ensure the client can reach the router.
+ client.wait_until_succeeds("ping -c 1 fd00:dead:beef:dead::1")
+
+ with subtest("Verify SLAAC on client"):
+ # Trigger a router solicitation and verify a SLAAC address is assigned from
+ # the prefix configured on the router.
+ client.wait_until_succeeds("rdisc6 -1 -r 10 eth1")
+ client.wait_until_succeeds(
+ "ip -6 addr show dev eth1 | grep -q 'fd00:dead:beef:dead:'"
+ )
+
+ addrs = client.succeed("ip -6 addr show dev eth1")
+
+ assert (
+ "fd00:dead:beef:dead:" in addrs
+ ), "SLAAC prefix was not found in client addresses after router advertisement"
+ assert (
+ "/64 scope global temporary" in addrs
+ ), "SLAAC temporary address was not configured on client after router advertisement"
+ '';
+ })
diff --git a/nixpkgs/nixos/tests/elk.nix b/nixpkgs/nixos/tests/elk.nix
index 80db0967d400..d3dc6dde1359 100644
--- a/nixpkgs/nixos/tests/elk.nix
+++ b/nixpkgs/nixos/tests/elk.nix
@@ -10,8 +10,7 @@ let
 esUrl = "http://localhost:9200";
 mkElkTest = name : elk :
- let elasticsearchGe7 = builtins.compareVersions elk.elasticsearch.version "7" >= 0;
- in import ./make-test-python.nix ({
+ import ./make-test-python.nix ({
 inherit name;
 meta = with pkgs.stdenv.lib.maintainers; {
 maintainers = [ eelco offline basvandijk ];
@@ -91,8 +90,7 @@ let
 };
 elasticsearch-curator = {
- # The current version of curator (5.6) doesn't support elasticsearch >= 7.0.0.
- enable = !elasticsearchGe7;
+ enable = true;
 actionYAML = ''
 ---
 actions:
@@ -173,7 +171,7 @@ let
 one.wait_until_succeeds(
 total_hits("Supercalifragilisticexpialidocious") + " | grep -v 0"
 )
- '' + pkgs.lib.optionalString (!elasticsearchGe7) ''
+ with subtest("Elasticsearch-curator works"):
 one.systemctl("stop logstash")
 one.systemctl("start elasticsearch-curator")
diff --git a/nixpkgs/nixos/tests/xandikos.nix b/nixpkgs/nixos/tests/xandikos.nix
new file mode 100644
index 000000000000..0fded20ff1a9
--- /dev/null
+++ b/nixpkgs/nixos/tests/xandikos.nix
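Review bot: The last assertion, `"/64 scope global temporary" in addrs`, depends on IPv6 privacy extensions (`use_tempaddr`) being active on the client, but the client config only sets `net.ipv6.conf.all.autoconf`, so whether a temporary address shows up rests on the platform default rather than on anything the test declares. Either state the dependency next to the autoconf sysctl, e.g. `"net.ipv6.conf.all.use_tempaddr" = 2;` and `"net.ipv6.conf.default.use_tempaddr" = 2;`, or, if the intent is only "the client autoconfigures from the advertised prefix", drop that assertion, since the earlier `grep -q 'fd00:dead:beef:dead:'` already establishes it. As written the router sends advertisements only on eth1 and the client asserts only eth1, which is the right scope, but a comment saying that eth0 is the test harness interface and intentionally excluded would stop someone "fixing" the interface filter. Minor: the router comment reads `This machines simulates`; `This machine simulates`.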
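Review bot: `enable = true;` removes the only record of why curator was gated on the Elasticsearch version (`# The current version of curator (5.6) doesn't support elasticsearch >= 7.0.0.`) without saying what lifted the restriction; presumably a curator update elsewhere in this merge, but that is not visible in the hunk. Since `mkElkTest` takes the ELK bundle as a parameter and appears to be instantiated for more than one Elasticsearch version, a one-line comment recording the compatibility now relied on, e.g. `# curator is expected to support every Elasticsearch version this test is instantiated with`, keeps the next version bump from silently breaking the curator subtest that the third hunk now runs unconditionally. The enclosing `mkElkTest` function starts before and ends after these hunks.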
@@ -0,0 +1,70 @@
+import ./make-test-python.nix (
+ { pkgs, lib, ... }:
+
+ {
+ name = "xandikos";
+
+ meta.maintainers = [ lib.maintainers."0x4A6F" ];
+
+ nodes = {
+ xandikos_client = {};
+ xandikos_default = {
+ networking.firewall.allowedTCPPorts = [ 8080 ];
+ services.xandikos.enable = true;
+ };
+ xandikos_proxy = {
+ networking.firewall.allowedTCPPorts = [ 80 8080 ];
+ services.xandikos.enable = true;
+ services.xandikos.address = "localhost";
+ services.xandikos.port = 8080;
+ services.xandikos.routePrefix = "/xandikos/";
+ services.xandikos.extraOptions = [
+ "--defaults"
+ ];
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts."xandikos" = {
+ serverName = "xandikos.local";
+ basicAuth.xandikos = "snakeOilPassword";
+ locations."/xandikos/" = {
+ proxyPass = "http://localhost:8080/";
+ };
+ };
+ };
+ };
+ };
+
+ testScript = ''
+ start_all()
+
+ with subtest("Xandikos default"):
+ xandikos_default.wait_for_unit("multi-user.target")
+ xandikos_default.wait_for_unit("xandikos.service")
+ xandikos_default.wait_for_open_port(8080)
+ xandikos_default.succeed("curl --fail http://localhost:8080/")
+ xandikos_default.succeed(
+ "curl -s --fail --location http://localhost:8080/ | grep -qi Xandikos"
+ )
+ xandikos_client.wait_for_unit("network.target")
+ xandikos_client.fail("curl --fail http://xandikos_default:8080/")
+
+ with subtest("Xandikos proxy"):
+ xandikos_proxy.wait_for_unit("multi-user.target")
+ xandikos_proxy.wait_for_unit("xandikos.service")
+ xandikos_proxy.wait_for_open_port(8080)
+ xandikos_proxy.succeed("curl --fail http://localhost:8080/")
+ xandikos_proxy.succeed(
+ "curl -s --fail --location http://localhost:8080/ | grep -qi Xandikos"
+ )
+ xandikos_client.wait_for_unit("network.target")
+ xandikos_client.fail("curl --fail http://xandikos_proxy:8080/")
+ xandikos_client.succeed(
+ "curl -s --fail -u xandikos:snakeOilPassword -H 'Host: xandikos.local' http://xandikos_proxy/xandikos/ | grep -qi Xandikos"
+ )
+
xandikos_client.succeed(
+ "curl -s --fail -u xandikos:snakeOilPassword -H 'Host: xandikos.local' http://xandikos_proxy/xandikos/user/ | grep -qi Xandikos"
+ )
+ '';
+ }
+)
|
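Review bot: The proxy subtest proves that an authenticated request gets through but never proves that an unauthenticated one is rejected, so a `basicAuth` that was silently not applied would still pass; add the negative case ahead of the `-u xandikos:snakeOilPassword` calls, `xandikos_client.fail("curl -s --fail -H 'Host: xandikos.local' http://xandikos_proxy/xandikos/")`, and ideally assert the 401 with `curl -s -o /dev/null -w '%{http_code}' ... | grep -q 401`. Relatedly, `xandikos_proxy` opens 8080 in the firewall although xandikos is bound to `localhost` and the test asserts that the client cannot reach `:8080`; that assertion holds only because of the bind address, so `networking.firewall.allowedTCPPorts = [ 80 ];` states the intent and keeps the firewall as a second barrier if the bind address ever changes. The inline `basicAuth.xandikos = "snakeOilPassword"` is fine for a snake-oil test credential but, if the nginx module renders it into the store as other string options are, a one-line comment saying so would stop the pattern being copied into real configurations.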