| field | value | timestamp |
|---|---|---|
| author | Alyssa Ross <hi@alyssa.is> | 2023-11-16 12:53:32 +0100 |
| committer | Alyssa Ross <hi@alyssa.is> | 2023-11-16 12:53:32 +0100 |
| commit | 67419f0e56f99b0ebbe14574d3492110ac84c8d6 (patch) | |
| tree | 3abc8e1606a2c80b6f5d14fef175e50800202163 /nixpkgs/nixos | |
| parent | a2c1eff83c3118a9aee8076c7f84f58137416b6e (diff) | |
| parent | 9008bc4eb62c878d0812105ea1b34255d651df88 (diff) | |
Merge branch 'nixos-unstable-small' of https://github.com/NixOS/nixpkgs into HEAD
Diffstat (limited to 'nixpkgs/nixos')
169 files changed, 1611 insertions, 945 deletions
diff --git a/nixpkgs/nixos/README.md b/nixpkgs/nixos/README.md index b3cd9d234fa6..07e82bf0ad93 100644 --- a/nixpkgs/nixos/README.md +++ b/nixpkgs/nixos/README.md @@ -8,6 +8,27 @@ https://nixos.org/nixos and in the manual in doc/manual. You can add new module to your NixOS configuration file (usually it’s `/etc/nixos/configuration.nix`). And do `sudo nixos-rebuild test -I nixpkgs=<path to your local nixpkgs folder> --fast`. +## Commit conventions + +- Make sure you read about the [commit conventions](../CONTRIBUTING.md#commit-conventions) common to Nixpkgs as a whole. + +- Format the commit messages in the following way: + + ``` + nixos/(module): (init module | add setting | refactor | etc) + + (Motivation for change. Link to release notes. Additional information.) + ``` + + Examples: + + * nixos/hydra: add bazBaz option + + Dual baz behavior is needed to do foo. + * nixos/nginx: refactor config generation + + The old config generation system used impure shell scripts and could break in specific circumstances (see #1234). + ## Reviewing contributions When changing the bootloader installation process, extra care must be taken. Grub installations cannot be rolled back, hence changes may break people’s installations forever. For any non-trivial change to the bootloader please file a PR asking for review, especially from \@edolstra. 
@@ -21,12 +42,14 @@ Reviewing process: - Ensure that the module maintainers are notified. - [CODEOWNERS](https://help.github.com/articles/about-codeowners/) will make GitHub notify users based on the submitted changes, but it can happen that it misses some of the package maintainers. - Ensure that the module tests, if any, are succeeding. + - You may invoke OfBorg with `@ofborg test <module>` to build `nixosTests.<module>` - Ensure that the introduced options are correct. - Type should be appropriate (string related types differs in their merging capabilities, `loaOf` and `string` types are deprecated). - Description, default and example should be provided. - Ensure that option changes are backward compatible. - - `mkRenamedOptionModuleWith` provides a way to make option changes backward compatible. -- Ensure that removed options are declared with `mkRemovedOptionModule` + - `mkRenamedOptionModuleWith` provides a way to make renamed option backward compatible. + - Use `lib.versionAtLeast config.system.stateVersion "23.11"` on backward incompatible changes which may corrupt, change or update the state stored on existing setups. +- Ensure that removed options are declared with `mkRemovedOptionModule`. - Ensure that changes that are not backward compatible are mentioned in release notes. - Ensure that documentations affected by the change is updated. @@ -55,6 +78,7 @@ New modules submissions introduce a new module to NixOS. Reviewing process: +- Ensure that all file paths [fit the guidelines](../CONTRIBUTING.md#file-naming-and-organisation). - Ensure that the module tests, if any, are succeeding. - Ensure that the introduced options are correct. - Type should be appropriate (string related types differs in their merging capabilities, `loaOf` and `string` types are deprecated). 
@@ -76,9 +100,9 @@ Sample template for a new module review is provided below. - [ ] options have default - [ ] options have example - [ ] options have descriptions -- [ ] No unneeded package is added to environment.systemPackages -- [ ] meta.maintainers is set -- [ ] module documentation is declared in meta.doc +- [ ] No unneeded package is added to `environment.systemPackages` +- [ ] `meta.maintainers` is set +- [ ] module documentation is declared in `meta.doc` ##### Possible improvements diff --git a/nixpkgs/nixos/doc/manual/configuration/declarative-packages.section.md b/nixpkgs/nixos/doc/manual/configuration/declarative-packages.section.md index 02eaa56192e4..480e250da8c7 100644 --- a/nixpkgs/nixos/doc/manual/configuration/declarative-packages.section.md +++ b/nixpkgs/nixos/doc/manual/configuration/declarative-packages.section.md @@ -37,7 +37,7 @@ Note: the `nixos` prefix tells us that we want to get the package from the `nixos` channel and works only in CLI tools. In declarative configuration use `pkgs` prefix (variable). -To "uninstall" a package, simply remove it from +To "uninstall" a package, remove it from [](#opt-environment.systemPackages) and run `nixos-rebuild switch`. ```{=include=} sections diff --git a/nixpkgs/nixos/doc/manual/configuration/modularity.section.md b/nixpkgs/nixos/doc/manual/configuration/modularity.section.md index 2eff15387987..f4a566d66973 100644 --- a/nixpkgs/nixos/doc/manual/configuration/modularity.section.md +++ b/nixpkgs/nixos/doc/manual/configuration/modularity.section.md 
@@ -36,8 +36,8 @@ Here, we include two modules from the same directory, `vpn.nix` and Note that both `configuration.nix` and `kde.nix` define the option [](#opt-environment.systemPackages). When multiple modules define an option, NixOS will try to *merge* the definitions. In the case of -[](#opt-environment.systemPackages), that's easy: the lists of -packages can simply be concatenated. The value in `configuration.nix` is +[](#opt-environment.systemPackages) the lists of packages will be +concatenated. The value in `configuration.nix` is merged last, so for list-type options, it will appear at the end of the merged list. If you want it to appear first, you can use `mkBefore`: diff --git a/nixpkgs/nixos/doc/manual/configuration/subversion.chapter.md b/nixpkgs/nixos/doc/manual/configuration/subversion.chapter.md index 84f9c2703378..ff870f5c40b9 100644 --- a/nixpkgs/nixos/doc/manual/configuration/subversion.chapter.md +++ b/nixpkgs/nixos/doc/manual/configuration/subversion.chapter.md @@ -2,7 +2,7 @@ [Subversion](https://subversion.apache.org/) is a centralized version-control system. It can use a [variety of -protocols](http://svnbook.red-bean.com/en/1.7/svn-book.html#svn.serverconfig.choosing) +protocols](https://svnbook.red-bean.com/en/1.7/svn-book.html#svn.serverconfig.choosing) for communication between client and server. ## Subversion inside Apache HTTP {#module-services-subversion-apache-httpd} @@ -14,7 +14,7 @@ for communication. For more information on the general setup, please refer to the [the appropriate section of the Subversion -book](http://svnbook.red-bean.com/en/1.7/svn-book.html#svn.serverconfig.httpd). +book](https://svnbook.red-bean.com/en/1.7/svn-book.html#svn.serverconfig.httpd). To configure, include in `/etc/nixos/configuration.nix` code to activate Apache HTTP, setting [](#opt-services.httpd.adminAddr) 
diff --git a/nixpkgs/nixos/doc/manual/configuration/xfce.chapter.md b/nixpkgs/nixos/doc/manual/configuration/xfce.chapter.md index a80be2b523e2..9ec4a51d6e35 100644 --- a/nixpkgs/nixos/doc/manual/configuration/xfce.chapter.md +++ b/nixpkgs/nixos/doc/manual/configuration/xfce.chapter.md @@ -28,7 +28,7 @@ manually (system wide), put them into your Thunar (the Xfce file manager) is automatically enabled when Xfce is enabled. To enable Thunar without enabling Xfce, use the configuration -option [](#opt-programs.thunar.enable) instead of simply adding +option [](#opt-programs.thunar.enable) instead of adding `pkgs.xfce.thunar` to [](#opt-environment.systemPackages). If you'd like to add extra plugins to Thunar, add them to diff --git a/nixpkgs/nixos/doc/manual/development/running-nixos-tests-interactively.section.md b/nixpkgs/nixos/doc/manual/development/running-nixos-tests-interactively.section.md index 54002941d634..4b8385d7e0d9 100644 --- a/nixpkgs/nixos/doc/manual/development/running-nixos-tests-interactively.section.md +++ b/nixpkgs/nixos/doc/manual/development/running-nixos-tests-interactively.section.md 
@@ -57,6 +57,27 @@ using: Once the connection is established, you can enter commands in the socat terminal where socat is running. +## Port forwarding to NixOS test VMs {#sec-nixos-test-port-forwarding} + +If your test has only a single VM, you may use e.g. + +```ShellSession +$ QEMU_NET_OPTS="hostfwd=tcp:127.0.0.1:2222-:22" ./result/bin/nixos-test-driver +``` + +to port-forward a port in the VM (here `22`) to the host machine (here port `2222`). + +This naturally does not work when multiple machines are involved, +since a single port on the host cannot forward to multiple VMs. + +If the test defines multiple machines, you may opt to _temporarily_ set +`virtualisation.forwardPorts` in the test definition for debugging. + +Such port forwardings connect via the VM's virtual network interface. +Thus they cannot connect to ports that are only bound to the VM's +loopback interface (`127.0.0.1`), and the VM's NixOS firewall +must be configured to allow these connections. + ## Reuse VM state {#sec-nixos-test-reuse-vm-state} You can re-use the VM states coming from a previous run by setting the diff --git a/nixpkgs/nixos/doc/manual/development/writing-documentation.chapter.md b/nixpkgs/nixos/doc/manual/development/writing-documentation.chapter.md index 8cb6823d0985..3d9bd318cf33 100644 --- a/nixpkgs/nixos/doc/manual/development/writing-documentation.chapter.md +++ b/nixpkgs/nixos/doc/manual/development/writing-documentation.chapter.md 
@@ -33,13 +33,13 @@ symlink at `./result/share/doc/nixos/index.html`. ## Editing DocBook XML {#sec-writing-docs-editing-docbook-xml} For general information on how to write in DocBook, see [DocBook 5: The -Definitive Guide](http://www.docbook.org/tdg5/en/html/docbook.html). +Definitive Guide](https://tdg.docbook.org/tdg/5.1/). Emacs nXML Mode is very helpful for editing DocBook XML because it validates the document as you write, and precisely locates errors. To use it, see [](#sec-emacs-docbook-xml). -[Pandoc](http://pandoc.org) can generate DocBook XML from a multitude of +[Pandoc](https://pandoc.org/) can generate DocBook XML from a multitude of formats, which makes a good starting point. Here is an example of Pandoc invocation to convert GitHub-Flavoured MarkDown to DocBook 5 XML: @@ -50,7 +50,7 @@ pandoc -f markdown_github -t docbook5 docs.md -o my-section.md Pandoc can also quickly convert a single `section.xml` to HTML, which is helpful when drafting. -Sometimes writing valid DocBook is simply too difficult. In this case, +Sometimes writing valid DocBook is too difficult. In this case, submit your documentation updates in a [GitHub Issue](https://github.com/NixOS/nixpkgs/issues/new) and someone will handle the conversion to XML for you. @@ -62,9 +62,9 @@ topic from scratch. Keep the following guidelines in mind when you create and add a topic: -- The NixOS [`book`](http://www.docbook.org/tdg5/en/html/book.html) +- The NixOS [`book`](https://tdg.docbook.org/tdg/5.0/book.html) element is in `nixos/doc/manual/manual.xml`. It includes several - [`parts`](http://www.docbook.org/tdg5/en/html/book.html) which are in + [`parts`](https://tdg.docbook.org/tdg/5.0/book.html) which are in subdirectories. - Store the topic file in the same directory as the `part` to which it diff --git a/nixpkgs/nixos/doc/manual/installation/changing-config.chapter.md b/nixpkgs/nixos/doc/manual/installation/changing-config.chapter.md index 11b49ccb1f67..12abf90b718f 100644 
--- a/nixpkgs/nixos/doc/manual/installation/changing-config.chapter.md +++ b/nixpkgs/nixos/doc/manual/installation/changing-config.chapter.md @@ -89,7 +89,7 @@ guest. For instance, the following will forward host port 2222 to guest port 22 (SSH): ```ShellSession -$ QEMU_NET_OPTS="hostfwd=tcp::2222-:22" ./result/bin/run-*-vm +$ QEMU_NET_OPTS="hostfwd=tcp:127.0.0.1:2222-:22" ./result/bin/run-*-vm ``` allowing you to log in via SSH (assuming you have set the appropriate @@ -98,3 +98,8 @@ passwords or SSH authorized keys): ```ShellSession $ ssh -p 2222 localhost ``` + +Such port forwardings connect via the VM's virtual network interface. +Thus they cannot connect to ports that are only bound to the VM's +loopback interface (`127.0.0.1`), and the VM's NixOS firewall +must be configured to allow these connections. diff --git a/nixpkgs/nixos/doc/manual/installation/installing-pxe.section.md b/nixpkgs/nixos/doc/manual/installation/installing-pxe.section.md index 4fbd6525f8c3..c1cad99d39f3 100644 --- a/nixpkgs/nixos/doc/manual/installation/installing-pxe.section.md +++ b/nixpkgs/nixos/doc/manual/installation/installing-pxe.section.md @@ -4,7 +4,7 @@ Advanced users may wish to install NixOS using an existing PXE or iPXE setup. These instructions assume that you have an existing PXE or iPXE -infrastructure and simply want to add the NixOS installer as another +infrastructure and want to add the NixOS installer as another option. To build the necessary files from your current version of nixpkgs, you can run: diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-1609.section.md b/nixpkgs/nixos/doc/manual/release-notes/rl-1609.section.md index ad3478d0ca17..0cbabf58ca03 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-1609.section.md +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-1609.section.md 
@@ -46,7 +46,7 @@ When upgrading from a previous release, please be aware of the following incompa Other notable improvements: -- Revamped grsecurity/PaX support. There is now only a single general-purpose distribution kernel and the configuration interface has been streamlined. Desktop users should be able to simply set +- Revamped grsecurity/PaX support. There is now only a single general-purpose distribution kernel and the configuration interface has been streamlined. Desktop users should be able to set ```nix { diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-1909.section.md b/nixpkgs/nixos/doc/manual/release-notes/rl-1909.section.md index 22cef05d4fa7..2bd04f8dd40a 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-1909.section.md +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-1909.section.md 
@@ -198,7 +198,7 @@ When upgrading from a previous release, please be aware of the following incompa For nginx, the dependencies are still automatically managed when `services.nginx.virtualhosts.<name>.enableACME` is enabled just like before. What changed is that nginx now directly depends on the specific certificates that it needs, instead of depending on the catch-all `acme-certificates.target`. This target unit was also removed from the codebase. This will mean nginx will no longer depend on certificates it isn't explicitly managing and fixes a bug with certificate renewal ordering racing with nginx restarting which could lead to nginx getting in a broken state as described at [NixOS/nixpkgs\#60180](https://github.com/NixOS/nixpkgs/issues/60180). -- The old deprecated `emacs` package sets have been dropped. What used to be called `emacsPackagesNg` is now simply called `emacsPackages`. +- The old deprecated `emacs` package sets have been dropped. What used to be called `emacsPackagesNg` is now called `emacsPackages`. - `services.xserver.desktopManager.xterm` is now disabled by default if `stateVersion` is 19.09 or higher. Previously the xterm desktopManager was enabled when xserver was enabled, but it isn't useful for all people so it didn't make sense to have any desktopManager enabled default. diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2003.section.md b/nixpkgs/nixos/doc/manual/release-notes/rl-2003.section.md index 76cee8858e80..695f8a2c95ca 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-2003.section.md +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2003.section.md 
@@ -482,7 +482,7 @@ When upgrading from a previous release, please be aware of the following incompa - If you use `postgresql` on a different server, you don't need to change anything as well since this module was never designed to configure remote databases. - - If you use `postgresql` and configured your synapse initially on `19.09` or older, you simply need to enable postgresql-support explicitly: + - If you use `postgresql` and configured your synapse initially on `19.09` or older, you need to enable postgresql-support explicitly: ```nix { ... }: { diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2009.section.md b/nixpkgs/nixos/doc/manual/release-notes/rl-2009.section.md index 6bb75a04b3e8..eac02a8ff445 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-2009.section.md +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2009.section.md 
@@ -422,7 +422,7 @@ When upgrading from a previous release, please be aware of the following incompa - The `systemd-networkd` option `systemd.network.networks._name_.dhcpConfig` has been renamed to [systemd.network.networks._name_.dhcpV4Config](options.html#opt-systemd.network.networks._name_.dhcpV4Config) following upstream systemd's documentation change. See systemd.network 5 for details. -- In the `picom` module, several options that accepted floating point numbers encoded as strings (for example [services.picom.activeOpacity](options.html#opt-services.picom.activeOpacity)) have been changed to the (relatively) new native `float` type. To migrate your configuration simply remove the quotes around the numbers. +- In the `picom` module, several options that accepted floating point numbers encoded as strings (for example [services.picom.activeOpacity](options.html#opt-services.picom.activeOpacity)) have been changed to the (relatively) new native `float` type. To migrate your configuration remove the quotes around the numbers. - When using `buildBazelPackage` from Nixpkgs, `flat` hash mode is now used for dependencies instead of `recursive`. This is to better allow using hashed mirrors where needed. As a result, these hashes will have changed. diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2211.section.md b/nixpkgs/nixos/doc/manual/release-notes/rl-2211.section.md index 37079c20967b..1c73d0c9790d 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-2211.section.md +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2211.section.md 
@@ -14,7 +14,7 @@ In addition to numerous new and upgraded packages, this release includes the fol - Support for algorithms that `libxcrypt` [does not consider strong](https://github.com/besser82/libxcrypt/blob/v4.4.28/lib/hashes.conf#L41) are **deprecated** as of this release, and will be removed in NixOS 23.05. - This includes system login passwords. Given this, we **strongly encourage** all users to update their system passwords, as you will be unable to login if password hashes are not migrated by the time their support is removed. - When using `users.users.<name>.hashedPassword` to configure user passwords, run `mkpasswd`, and use the yescrypt hash that is provided as the new value. - - On the other hand, for interactively configured user passwords, simply re-set the passwords for all users with `passwd`. + - On the other hand, for interactively configured user passwords, re-set the passwords for all users with `passwd`. - This release introduces warnings for the use of deprecated hash algorithms for both methods of configuring passwords. To make sure you migrated correctly, run `nixos-rebuild switch`. - The NixOS documentation is now generated from markdown. While docbook is still part of the documentation build process, it's a big step towards the full migration. diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2305.section.md b/nixpkgs/nixos/doc/manual/release-notes/rl-2305.section.md index 3d27d3fef8fa..0b54b8b32a35 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2305.section.md @@ -611,7 +611,7 @@ If you are: - adding new rules with `*.rules` - running custom PulseAudio commands with `pulse.cmd` -Simply move the definitions into the drop-in. +Move the definitions into the drop-in. Note that the use of `context.exec` is not recommended and other methods of running your thing are likely a better option. 
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2311.section.md b/nixpkgs/nixos/doc/manual/release-notes/rl-2311.section.md index c5406e183c39..08fd671e2a71 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2311.section.md @@ -33,6 +33,8 @@ - All [ROCm](https://rocm.docs.amd.com/en/latest/) packages have been updated to 5.7.0. - [ROCm](https://rocm.docs.amd.com/en/latest/) package attribute sets are versioned: `rocmPackages` -> `rocmPackages_5`. +- `yarn-berry` has been updated to 4.0.1. This means that NodeJS versions less than `18.12` are no longer supported by it. More details at the [upstream changelog](https://github.com/yarnpkg/berry/blob/master/CHANGELOG.md). + - If the user has a custom shell enabled via `users.users.${USERNAME}.shell = ${CUSTOMSHELL}`, the assertion will require them to also set `programs.${CUSTOMSHELL}.enable = true`. This is generally safe behavior, but for anyone needing to opt out from @@ -104,6 +106,8 @@ - hardware/infiniband.nix adds infiniband subnet manager support using an [opensm](https://github.com/linux-rdma/opensm) systemd-template service, instantiated on card guids. The module also adds kernel modules and cli tooling to help administrators debug and measure performance. Available as [hardware.infiniband.enable](#opt-hardware.infiniband.enable). +- [zwave-js](https://github.com/zwave-js/zwave-js-server), a small server wrapper around Z-Wave JS to access it via a WebSocket. Available as [services.zwave-js](#opt-services.zwave-js.enable). + - [Honk](https://humungus.tedunangst.com/r/honk), a complete ActivityPub server with minimal setup and support costs. Available as [services.honk](#opt-services.honk.enable). 
@@ -123,6 +127,8 @@ - [ZITADEL](https://zitadel.com), a turnkey identity and access management platform. Available as [services.zitadel](#opt-services.zitadel.enable). +- [exportarr](https://github.com/onedr0p/exportarr), Prometheus Exporters for Bazarr, Lidarr, Prowlarr, Radarr, Readarr, and Sonarr. Available as [services.prometheus.exporters.exportarr-bazarr](#opt-services.prometheus.exporters.exportarr-bazarr.enable)/[services.prometheus.exporters.exportarr-lidarr](#opt-services.prometheus.exporters.exportarr-lidarr.enable)/[services.prometheus.exporters.exportarr-prowlarr](#opt-services.prometheus.exporters.exportarr-prowlarr.enable)/[services.prometheus.exporters.exportarr-radarr](#opt-services.prometheus.exporters.exportarr-radarr.enable)/[services.prometheus.exporters.exportarr-readarr](#opt-services.prometheus.exporters.exportarr-readarr.enable)/[services.prometheus.exporters.exportarr-sonarr](#opt-services.prometheus.exporters.exportarr-sonarr.enable). + - [netclient](https://github.com/gravitl/netclient), an automated WireGuard® Management Client. Available as [services.netclient](#opt-services.netclient.enable). - [trunk-ng](https://github.com/ctron/trunk), A fork of `trunk`: Build, bundle & ship your Rust WASM application to the web 
@@ -148,6 +154,8 @@ - The latest version of `clonehero` now stores custom content in `~/.clonehero`. See the [migration instructions](https://clonehero.net/2022/11/29/v23-to-v1-migration-instructions.html). Typically, these content files would exist along side the binary, but the previous build used a wrapper script that would store them in `~/.config/unity3d/srylain Inc_/Clone Hero`. +- `services.mastodon` doesn't support providing a TCP port to its `streaming` component anymore, as upstream implemented parallelization by running multiple instances instead of running multiple processes in one instance. Please create a PR if you are interested in this feature. + - The `services.hostapd` module was rewritten to support `passwordFile` like options, WPA3-SAE, and management of multiple interfaces. This breaks compatibility with older configurations. - `hostapd` is now started with additional systemd sandbox/hardening options for better security. - `services.hostapd.interface` was replaced with a per-radio and per-bss configuration scheme using [services.hostapd.radios](#opt-services.hostapd.radios). @@ -183,6 +191,8 @@ - JACK tools (`jack_*` except `jack_control`) have moved from the `jack2` package to `jack-example-tools` +- The `waagent` service does provisioning now + - The `matrix-synapse` package & module have undergone some significant internal changes, for most setups no intervention is needed, though: - The option [`services.matrix-synapse.package`](#opt-services.matrix-synapse.package) is now read-only. For modifying the package, use an overlay which modifies `matrix-synapse-unwrapped` instead. More on that below. - The `enableSystemd` & `enableRedis` arguments have been removed and `matrix-synapse` has been renamed to `matrix-synapse-unwrapped`. Also, several optional dependencies (such as `psycopg2` or `authlib`) have been removed. 
@@ -302,7 +312,7 @@ - Emacs macport version 29 was introduced. -- The option `services.networking.networkmanager.enableFccUnlock` was removed in favor of `networking.networkmanager.fccUnlockScripts`, which allows specifying unlock scripts explicitly. The previous option simply did enable all unlock scripts bundled with ModemManager, which is risky, and didn't allow using vendor-provided unlock scripts at all. +- The option `services.networking.networkmanager.enableFccUnlock` was removed in favor of `networking.networkmanager.fccUnlockScripts`, which allows specifying unlock scripts explicitly. The previous option enabled all unlock scripts bundled with ModemManager, which is risky, and didn't allow using vendor-provided unlock scripts at all. - The `html-proofer` package has been updated from major version 3 to major version 5, which includes [breaking changes](https://github.com/gjtorikian/html-proofer/blob/v5.0.8/UPGRADING.md). @@ -317,6 +327,8 @@ - Package `pash` was removed due to being archived upstream. Use `powershell` as an alternative. +- The option `services.plausible.releaseCookiePath` has been removed: Plausible does not use any distributed Erlang features, and does not plan to (see [discussion](https://github.com/NixOS/nixpkgs/pull/130297#issuecomment-1805851333)), so NixOS now disables them, and the Erlang cookie becomes unnecessary. You may delete the file that `releaseCookiePath` was set to. + - `security.sudo.extraRules` now includes `root`'s default rule, with ordering priority 400. This is functionally identical for users not specifying rule order, or relying on `mkBefore` and `mkAfter`, but may impact users calling 
@@ -359,6 +371,10 @@ - The `junicode` font package has been updated to [major version 2](https://github.com/psb1558/Junicode-font/releases/tag/v2.001), which is now a font family. In particular, plain `Junicode.ttf` no longer exists. In addition, TrueType font files are now placed in `font/truetype` instead of `font/junicode-ttf`; this change does not affect use via `fonts.packages` NixOS option. +- The `prayer` package as well as `services.prayer` have been removed because it's been unmaintained for several years and the author's website has vanished. + +- The `chrony` NixOS module now tracks the Real-Time Clock drift from the System Clock with `rtcfile` and automatically adjusts it with `rtcautotrim` when it exceeds the maximum error specified in `services.chrony.autotrimThreshold` (default 30 seconds). If you enabled `rtcsync` in `extraConfig`, you should remove RTC related options from `extraConfig`. If you do not want chrony configured to keep the RTC in check, you can set `services.chrony.enableRTCTrimming = false;` + ## Other Notable Changes {#sec-release-23.11-notable-changes} - A new option `system.switch.enable` was added. By default, this is option is @@ -483,6 +499,8 @@ The module update takes care of the new config syntax and the data itself (user - `keepTerminfo` controls whether `TERMINFO` and `TERMINFO_DIRS` are preserved for `root` and the `wheel` group. +- `virtualisation.googleComputeImage` now provides `efi` option to support UEFI booting. + - CoreDNS can now be built with external plugins by overriding `externalPlugins` and `vendorHash` arguments like this: ``` 
@@ -509,6 +527,10 @@ The module update takes care of the new config syntax and the data itself (user - `services.bitcoind` now properly respects the `enable` option. +- The Home Assistant module now offers support for installing custom components and lovelace modules. Available at [`services.home-assistant.customComponents`](#opt-services.home-assistant.customComponents) and [`services.home-assistant.customLovelaceModules`](#opt-services.home-assistant.customLovelaceModules). + +- The argument `vendorSha256` of `buildGoModule` is deprecated. Use `vendorHash` instead. ([\#259999](https://github.com/NixOS/nixpkgs/pull/259999)) + ## Nixpkgs internals {#sec-release-23.11-nixpkgs-internals} - The use of `sourceRoot = "source";`, `sourceRoot = "source/subdir";`, and similar lines in package derivations using the default `unpackPhase` is deprecated as it requires `unpackPhase` to always produce a directory named "source". Use `sourceRoot = src.name`, `sourceRoot = "${src.name}/subdir";`, or `setSourceRoot = "sourceRoot=$(echo */subdir)";` or similar instead. 
@@ -552,3 +574,7 @@ The module update takes care of the new config syntax and the data itself (user - `teleport` has been upgraded from major version 12 to major version 14. Please see upstream [upgrade instructions](https://goteleport.com/docs/management/operations/upgrading/) and release notes for versions [13](https://goteleport.com/docs/changelog/#1300-050823) and [14](https://goteleport.com/docs/changelog/#1400-092023). Note that Teleport does not officially support upgrades across more than one major version at a time. If you're running Teleport server components, it is recommended to first upgrade to an intermediate 13.x version by setting `services.teleport.package = pkgs.teleport_13`. Afterwards, this option can be removed to upgrade to the default version (14). - The Linux kernel module `msr` (see [`msr(4)`](https://man7.org/linux/man-pages/man4/msr.4.html)), which provides an interface to read and write the model-specific registers (MSRs) of an x86 CPU, can now be configured via `hardware.cpu.x86.msr`. + +- Docker now defaults to 24, as 20.10 is stopping to receive security updates and bug fixes after [December 10, 2023](https://github.com/moby/moby/discussions/45104). + +- There is a new NixOS option when writing NixOS tests `testing.initrdBackdoor`, that enables `backdoor.service` in initrd. Requires `boot.initrd.systemd.enable` to be enabled. Boot will pause in stage 1 at `initrd.target`, and will listen for commands from the `Machine` python interface, just like stage 2 normally does. This enables commands to be sent to test and debug stage 1. Use `machine.switch_root()` to leave stage 1 and proceed to stage 2. diff --git a/nixpkgs/nixos/lib/make-btrfs-fs.nix b/nixpkgs/nixos/lib/make-btrfs-fs.nix index 225666f9a50e..277ff6a4dca8 100644 --- a/nixpkgs/nixos/lib/make-btrfs-fs.nix +++ b/nixpkgs/nixos/lib/make-btrfs-fs.nix @@ -15,6 +15,8 @@ , volumeLabel , uuid ? "44444444-4444-4444-8888-888888888888" , btrfs-progs +, libfaketime +, fakeroot }: let 
@@ -23,7 +25,7 @@ in pkgs.stdenv.mkDerivation { name = "btrfs-fs.img${lib.optionalString compressImage ".zst"}"; - nativeBuildInputs = [ btrfs-progs ] ++ lib.optional compressImage zstd; + nativeBuildInputs = [ btrfs-progs libfaketime fakeroot ] ++ lib.optional compressImage zstd; buildCommand = '' @@ -50,7 +52,7 @@ pkgs.stdenv.mkDerivation { cp ${sdClosureInfo}/registration ./rootImage/nix-path-registration touch $img - mkfs.btrfs -L ${volumeLabel} -U ${uuid} -r ./rootImage --shrink $img + faketime -f "1970-01-01 00:00:01" fakeroot mkfs.btrfs -L ${volumeLabel} -U ${uuid} -r ./rootImage --shrink $img if ! btrfs check $img; then echo "--- 'btrfs check' failed for BTRFS image ---" diff --git a/nixpkgs/nixos/lib/systemd-lib.nix b/nixpkgs/nixos/lib/systemd-lib.nix index 7b600464bb41..820ccbcbf72a 100644 --- a/nixpkgs/nixos/lib/systemd-lib.nix +++ b/nixpkgs/nixos/lib/systemd-lib.nix 
@@ -376,24 +376,23 @@ in rec { serviceToUnit = name: def: { inherit (def) aliases wantedBy requiredBy enable overrideStrategy; - text = commonUnitText def + - '' - [Service] - ${let env = cfg.globalEnvironment // def.environment; - in concatMapStrings (n: - let s = optionalString (env.${n} != null) - "Environment=${builtins.toJSON "${n}=${env.${n}}"}\n"; - # systemd max line length is now 1MiB - # https://github.com/systemd/systemd/commit/e6dde451a51dc5aaa7f4d98d39b8fe735f73d2af - in if stringLength s >= 1048576 then throw "The value of the environment variable ‘${n}’ in systemd service ‘${name}.service’ is too long." else s) (attrNames env)} - ${if def ? reloadIfChanged && def.reloadIfChanged then '' - X-ReloadIfChanged=true - '' else if (def ? restartIfChanged && !def.restartIfChanged) then '' - X-RestartIfChanged=false - '' else ""} - ${optionalString (def ? stopIfChanged && !def.stopIfChanged) "X-StopIfChanged=false"} - ${attrsToSection def.serviceConfig} - ''; + text = commonUnitText def + '' + [Service] + '' + (let env = cfg.globalEnvironment // def.environment; + in concatMapStrings (n: + let s = optionalString (env.${n} != null) + "Environment=${builtins.toJSON "${n}=${env.${n}}"}\n"; + # systemd max line length is now 1MiB + # https://github.com/systemd/systemd/commit/e6dde451a51dc5aaa7f4d98d39b8fe735f73d2af + in if stringLength s >= 1048576 then throw "The value of the environment variable ‘${n}’ in systemd service ‘${name}.service’ is too long." else s) (attrNames env)) + + (if def ? reloadIfChanged && def.reloadIfChanged then '' + X-ReloadIfChanged=true + '' else if (def ? restartIfChanged && !def.restartIfChanged) then '' + X-RestartIfChanged=false + '' else "") + + optionalString (def ? stopIfChanged && !def.stopIfChanged) '' + X-StopIfChanged=false + '' + attrsToSection def.serviceConfig; }; socketToUnit = name: def: 
diff --git a/nixpkgs/nixos/lib/test-driver/test_driver/machine.py b/nixpkgs/nixos/lib/test-driver/test_driver/machine.py index 529de41d892a..f430321bb607 100644 --- a/nixpkgs/nixos/lib/test-driver/test_driver/machine.py +++ b/nixpkgs/nixos/lib/test-driver/test_driver/machine.py @@ -1278,3 +1278,19 @@ class Machine: def run_callbacks(self) -> None: for callback in self.callbacks: callback() + + def switch_root(self) -> None: + """ + Transition from stage 1 to stage 2. This requires the + machine to be configured with `testing.initrdBackdoor = true` + and `boot.initrd.systemd.enable = true`. + """ + self.wait_for_unit("initrd.target") + self.execute( + "systemctl isolate --no-block initrd-switch-root.target 2>/dev/null >/dev/null", + check_return=False, + check_output=False, + ) + self.wait_for_console_text(r"systemd\[1\]:.*Switching root\.") + self.connected = False + self.connect() diff --git a/nixpkgs/nixos/lib/testing/nodes.nix b/nixpkgs/nixos/lib/testing/nodes.nix index a47d1c98ecec..73e6d386fd1d 100644 --- a/nixpkgs/nixos/lib/testing/nodes.nix +++ b/nixpkgs/nixos/lib/testing/nodes.nix @@ -32,9 +32,6 @@ let key = "nodes.nix-pkgs"; config = optionalAttrs (!config.node.pkgsReadOnly) ( mkIf (!options.nixpkgs.pkgs.isDefined) { - # Ensure we do not use aliases. Ideally this is only set - # when the test framework is used by Nixpkgs NixOS tests. - nixpkgs.config.allowAliases = false; # TODO: switch to nixpkgs.hostPlatform and make sure containers-imperative test still evaluates. nixpkgs.system = hostPkgs.stdenv.hostPlatform.system; } diff --git a/nixpkgs/nixos/modules/config/terminfo.nix b/nixpkgs/nixos/modules/config/terminfo.nix index d1dbc4e0d059..ebd1aaea8f04 100644 --- a/nixpkgs/nixos/modules/config/terminfo.nix +++ b/nixpkgs/nixos/modules/config/terminfo.nix 
@@ -16,10 +16,7 @@ with lib; }; security.sudo.keepTerminfo = mkOption { - default = config.security.sudo.package.pname != "sudo-rs"; - defaultText = literalMD '' - `true` unless using `sudo-rs` - ''; + default = true; type = types.bool; description = lib.mdDoc '' Whether to preserve the `TERMINFO` and `TERMINFO_DIRS` diff --git a/nixpkgs/nixos/modules/config/users-groups.nix b/nixpkgs/nixos/modules/config/users-groups.nix index b4251214876e..39aac9fb821b 100644 --- a/nixpkgs/nixos/modules/config/users-groups.nix +++ b/nixpkgs/nixos/modules/config/users-groups.nix @@ -153,7 +153,7 @@ let {file}`pam_mount.conf.xml`. Useful attributes might include `path`, `options`, `fstype`, and `server`. - See <http://pam-mount.sourceforge.net/pam_mount.conf.5.html> + See <https://pam-mount.sourceforge.net/pam_mount.conf.5.html> for more information. ''; }; diff --git a/nixpkgs/nixos/modules/hardware/all-firmware.nix b/nixpkgs/nixos/modules/hardware/all-firmware.nix index 08141bb0e87b..6f58e848b38a 100644 --- a/nixpkgs/nixos/modules/hardware/all-firmware.nix +++ b/nixpkgs/nixos/modules/hardware/all-firmware.nix 
@@ -18,29 +18,16 @@ in { options = { - hardware.enableAllFirmware = mkOption { - default = false; - type = types.bool; - description = lib.mdDoc '' - Turn on this option if you want to enable all the firmware. - ''; - }; + hardware.enableAllFirmware = mkEnableOption "all firmware regardless of license"; - hardware.enableRedistributableFirmware = mkOption { + hardware.enableRedistributableFirmware = mkEnableOption "firmware with a license allowing redistribution" // { default = config.hardware.enableAllFirmware; defaultText = lib.literalExpression "config.hardware.enableAllFirmware"; - type = types.bool; - description = lib.mdDoc '' - Turn on this option if you want to enable all the firmware with a license allowing redistribution. - ''; }; - hardware.wirelessRegulatoryDatabase = mkOption { - default = false; - type = types.bool; - description = lib.mdDoc '' - Load the wireless regulatory database at boot. - ''; + hardware.wirelessRegulatoryDatabase = mkEnableOption "loading the wireless regulatory database at boot" // { + default = cfg.enableRedistributableFirmware || cfg.enableAllFirmware; + defaultText = literalMD "Enabled if proprietary firmware is allowed via {option}`enableRedistributableFirmware` or {option}`enableAllFirmware`."; }; }; @@ -65,7 +52,6 @@ in { ++ optionals (versionOlder config.boot.kernelPackages.kernel.version "4.13") [ rtl8723bs-firmware ]; - hardware.wirelessRegulatoryDatabase = true; }) (mkIf cfg.enableAllFirmware { assertions = [{ diff --git a/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix index 10c37a46fdac..e4241e965403 100644 --- a/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix +++ b/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix 
@@ -1,7 +1,7 @@ { - x86_64-linux = "/nix/store/3wqasl97rjiza3vd7fxjnvli2w9l30mk-nix-2.17.0"; - i686-linux = "/nix/store/z360xswxfx55pmm1fng3hw748rbs0kkj-nix-2.17.0"; - aarch64-linux = "/nix/store/9670sxa916xmv8n1kqs7cdvmnsrhrdjv-nix-2.17.0"; - x86_64-darwin = "/nix/store/2rdbky9j8hc3mbgl6pnda4hkjllyfwnn-nix-2.17.0"; - aarch64-darwin = "/nix/store/jl9qma14fb4zk9lq1k0syw2k9qm2gqjw-nix-2.17.0"; + x86_64-linux = "/nix/store/azvn85cras6xv4z5j85fiy406f24r1q0-nix-2.18.1"; + i686-linux = "/nix/store/9bnwy7f9h0kzdzmcnjjsjg0aak5waj40-nix-2.18.1"; + aarch64-linux = "/nix/store/hh65xwqm9s040s3cgn9vzcmrxj0sf5ij-nix-2.18.1"; + x86_64-darwin = "/nix/store/6zi5fqzn9n17wrk8r41rhdw4j7jqqsi3-nix-2.18.1"; + aarch64-darwin = "/nix/store/0pbq6wzr2f1jgpn5212knyxpwmkjgjah-nix-2.18.1"; } diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl b/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl index 85180bf2d1b4..71737cd8ebc4 100644 --- a/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl @@ -130,7 +130,7 @@ sub pciCheck { debug "\n"; if (defined $module) { - # See the bottom of http://pciids.sourceforge.net/pci.ids for + # See the bottom of https://pciids.sourceforge.net/pci.ids for # device classes. if (# Mass-storage controller. Definitely important. $class =~ /^0x01/ || diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-option/default.nix b/nixpkgs/nixos/modules/installer/tools/nixos-option/default.nix deleted file mode 100644 index 061460f38a3b..000000000000 --- a/nixpkgs/nixos/modules/installer/tools/nixos-option/default.nix +++ /dev/null @@ -1 +0,0 @@ -{ pkgs, ... }: pkgs.nixos-option diff --git a/nixpkgs/nixos/modules/misc/ids.nix b/nixpkgs/nixos/modules/misc/ids.nix index 5b278b5e8062..18928a6bf21b 100644 --- a/nixpkgs/nixos/modules/misc/ids.nix +++ b/nixpkgs/nixos/modules/misc/ids.nix 
@@ -86,7 +86,7 @@ in #rtkit = 45; # dynamically allocated 2021-09-03 dovecot2 = 46; dovenull2 = 47; - prayer = 49; + # prayer = 49; # dropped in 23.11 mpd = 50; clamav = 51; #fprot = 52; # unused @@ -411,7 +411,7 @@ in #rtkit = 45; # unused dovecot2 = 46; dovenull2 = 47; - prayer = 49; + # prayer = 49; # dropped in 23.11 mpd = 50; clamav = 51; #fprot = 52; # unused diff --git a/nixpkgs/nixos/modules/module-list.nix b/nixpkgs/nixos/modules/module-list.nix index 5af65957f1bb..16728ba18df8 100644 --- a/nixpkgs/nixos/modules/module-list.nix +++ b/nixpkgs/nixos/modules/module-list.nix @@ -565,6 +565,7 @@ ./services/home-automation/home-assistant.nix ./services/home-automation/homeassistant-satellite.nix ./services/home-automation/zigbee2mqtt.nix + ./services/home-automation/zwave-js.nix ./services/logging/SystemdJournal2Gelf.nix ./services/logging/awstats.nix ./services/logging/filebeat.nix @@ -1041,7 +1042,6 @@ ./services/networking/powerdns.nix ./services/networking/pppd.nix ./services/networking/pptpd.nix - ./services/networking/prayer.nix ./services/networking/privoxy.nix ./services/networking/prosody.nix ./services/networking/quassel.nix diff --git a/nixpkgs/nixos/modules/programs/ausweisapp.nix b/nixpkgs/nixos/modules/programs/ausweisapp.nix index ef1f059568c6..91870df20246 100644 --- a/nixpkgs/nixos/modules/programs/ausweisapp.nix +++ b/nixpkgs/nixos/modules/programs/ausweisapp.nix @@ -7,11 +7,11 @@ let in { options.programs.ausweisapp = { - enable = mkEnableOption (lib.mdDoc "AusweisApp2"); + enable = mkEnableOption (lib.mdDoc "AusweisApp"); openFirewall = mkOption { description = lib.mdDoc '' - Whether to open the required firewall ports for the Smartphone as Card Reader (SaC) functionality of AusweisApp2. + Whether to open the required firewall ports for the Smartphone as Card Reader (SaC) functionality of AusweisApp. ''; default = false; type = lib.types.bool; 
@@ -19,7 +19,7 @@ in }; config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ AusweisApp2 ]; + environment.systemPackages = with pkgs; [ ausweisapp ]; networking.firewall.allowedUDPPorts = lib.optionals cfg.openFirewall [ 24727 ]; }; } diff --git a/nixpkgs/nixos/modules/programs/fish.nix b/nixpkgs/nixos/modules/programs/fish.nix index e6ac6e9957ba..a4c20560bc9b 100644 --- a/nixpkgs/nixos/modules/programs/fish.nix +++ b/nixpkgs/nixos/modules/programs/fish.nix @@ -268,7 +268,7 @@ in '' mkdir -p $out if [ -d $package/share/man ]; then - find $package/share/man -type f | xargs ${pkgs.python3.pythonForBuild.interpreter} ${patchedGenerator}/create_manpage_completions.py --directory $out >/dev/null + find $package/share/man -type f | xargs ${pkgs.python3.pythonOnBuildForHost.interpreter} ${patchedGenerator}/create_manpage_completions.py --directory $out >/dev/null fi ''; in diff --git a/nixpkgs/nixos/modules/programs/npm.nix b/nixpkgs/nixos/modules/programs/npm.nix index 48dc48e668f3..c41fea326149 100644 --- a/nixpkgs/nixos/modules/programs/npm.nix +++ b/nixpkgs/nixos/modules/programs/npm.nix @@ -34,7 +34,7 @@ in prefix = ''${HOME}/.npm https-proxy=proxy.example.com init-license=MIT - init-author-url=http://npmjs.org + init-author-url=https://www.npmjs.com/ color=true ''; }; diff --git a/nixpkgs/nixos/modules/programs/wayland/sway.nix b/nixpkgs/nixos/modules/programs/wayland/sway.nix index de739faabee9..698d9c2b46c4 100644 --- a/nixpkgs/nixos/modules/programs/wayland/sway.nix +++ b/nixpkgs/nixos/modules/programs/wayland/sway.nix @@ -42,11 +42,6 @@ in { <https://github.com/swaywm/sway/wiki> and "man 5 sway" for more information''); - enableRealtime = mkEnableOption (lib.mdDoc '' - add CAP_SYS_NICE capability on `sway` binary for realtime scheduling - privileges. This may improve latency and reduce stuttering, specially in - high load scenarios'') // { default = true; }; - package = mkOption { type = with types; nullOr package; default = defaultSwayPackage; 
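Review bot: `programs.sway.enableRealtime` is removed in this hunk without a `mkRemovedOptionModule`, so a configuration that still sets it fails evaluation with a generic unknown-option error rather than an explanation. The rename.nix hunk in this patch only adds `services.prayer`; add an entry for `[ "programs" "sway" "enableRealtime" ]` that says the `cap_sys_nice+ep` wrapper on `sway` was dropped, and mention it in the release notes, since the change silently removes a capability users may have relied on for low-latency compositing.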
@@ -154,14 +149,6 @@ in { "sway/config".source = mkOptionDefault "${cfg.package}/etc/sway/config"; }; }; - security.wrappers = mkIf (cfg.enableRealtime && cfg.package != null) { - sway = { - owner = "root"; - group = "root"; - source = "${cfg.package}/bin/sway"; - capabilities = "cap_sys_nice+ep"; - }; - }; # To make a Sway session available if a display manager like SDDM is enabled: services.xserver.displayManager.sessionPackages = optionals (cfg.package != null) [ cfg.package ]; } (import ./wayland-session.nix { inherit lib pkgs; }) diff --git a/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.md b/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.md index 73d425244ce7..6a310006edbf 100644 --- a/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.md +++ b/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.md @@ -78,7 +78,7 @@ If third-party customizations (e.g. new themes) are supposed to be added to - Completion scripts are supposed to be stored at `$out/share/zsh/site-functions`. This directory is part of the - [`fpath`](http://zsh.sourceforge.net/Doc/Release/Functions.html) + [`fpath`](https://zsh.sourceforge.io/Doc/Release/Functions.html) and the package should be compatible with pure `ZSH` setups. The module will automatically link the contents of `site-functions` to completions directory in the proper diff --git a/nixpkgs/nixos/modules/rename.nix b/nixpkgs/nixos/modules/rename.nix index 0fbb2351f986..3fab863adb7f 100644 --- a/nixpkgs/nixos/modules/rename.nix +++ b/nixpkgs/nixos/modules/rename.nix 
@@ -111,6 +111,7 @@ in (mkRemovedOptionModule [ "services" "riak" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "cryptpad" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "rtsp-simple-server" ] "Package has been completely rebranded by upstream as mediamtx, and thus the service and the package were renamed in NixOS as well.") + (mkRemovedOptionModule [ "services" "prayer" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "i18n" "inputMethod" "fcitx" ] "The fcitx module has been removed. Please use fcitx5 instead") (mkRemovedOptionModule [ "services" "dhcpd4" ] '' diff --git a/nixpkgs/nixos/modules/security/acme/default.nix b/nixpkgs/nixos/modules/security/acme/default.nix index 932bf3e79115..7cc302969fb6 100644 --- a/nixpkgs/nixos/modules/security/acme/default.nix +++ b/nixpkgs/nixos/modules/security/acme/default.nix @@ -345,6 +345,10 @@ let serviceConfig = commonServiceConfig // { Group = data.group; + # Let's Encrypt Failed Validation Limit allows 5 retries per hour, per account, hostname and hour. + # This avoids eating them all up if something is misconfigured upon the first try. + RestartSec = 15 * 60; + # Keep in mind that these directories will be deleted if the user runs # systemctl clean --what=state # acme/.lego/${cert} is listed for this reason. diff --git a/nixpkgs/nixos/modules/security/google_oslogin.nix b/nixpkgs/nixos/modules/security/google_oslogin.nix index f75b4df1851a..95975943ff80 100644 --- a/nixpkgs/nixos/modules/security/google_oslogin.nix +++ b/nixpkgs/nixos/modules/security/google_oslogin.nix @@ -42,6 +42,10 @@ in security.sudo.extraConfig = '' #includedir /run/google-sudoers.d ''; + security.sudo-rs.extraConfig = '' + #includedir /run/google-sudoers.d + ''; + systemd.tmpfiles.rules = [ "d /run/google-sudoers.d 750 root root -" "d /var/google-users.d 750 root root -" 
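Review bot: The new `security.sudo-rs.extraConfig` block reuses the `#includedir /run/google-sudoers.d` directive verbatim; confirm that sudo-rs honours that spelling, because any directive it does not recognise after `#` is just a comment, and the OS Login sudoers fragments would then be skipped silently instead of failing loudly. Both `extraConfig` values are now defined unconditionally, which is fine as long as both modules declare the option even when they are disabled.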
diff --git a/nixpkgs/nixos/modules/security/pam.nix b/nixpkgs/nixos/modules/security/pam.nix index 709bb8b94a65..b7e1ea526535 100644 --- a/nixpkgs/nixos/modules/security/pam.nix +++ b/nixpkgs/nixos/modules/security/pam.nix @@ -1531,6 +1531,10 @@ in (map (module: "mr ${module},")) concatLines ]); - }; + security.sudo.extraConfig = optionalString config.security.pam.enableSSHAgentAuth '' + # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. + Defaults env_keep+=SSH_AUTH_SOCK + ''; + }; } diff --git a/nixpkgs/nixos/modules/security/pam_mount.nix b/nixpkgs/nixos/modules/security/pam_mount.nix index ad78f38b0866..26f906f2a76a 100644 --- a/nixpkgs/nixos/modules/security/pam_mount.nix +++ b/nixpkgs/nixos/modules/security/pam_mount.nix @@ -33,7 +33,7 @@ in default = []; description = lib.mdDoc '' List of volume definitions for pam_mount. - For more information, visit <http://pam-mount.sourceforge.net/pam_mount.conf.5.html>. + For more information, visit <https://pam-mount.sourceforge.net/pam_mount.conf.5.html>. ''; }; @@ -78,7 +78,7 @@ in description = lib.mdDoc '' Sets the Debug-Level. 0 disables debugging, 1 enables pam_mount tracing, and 2 additionally enables tracing in mount.crypt. The default is 0. - For more information, visit <http://pam-mount.sourceforge.net/pam_mount.conf.5.html>. + For more information, visit <https://pam-mount.sourceforge.net/pam_mount.conf.5.html>. ''; }; @@ -88,7 +88,7 @@ in description = lib.mdDoc '' Amount of microseconds to wait until killing remaining processes after final logout. - For more information, visit <http://pam-mount.sourceforge.net/pam_mount.conf.5.html>. + For more information, visit <https://pam-mount.sourceforge.net/pam_mount.conf.5.html>. ''; }; diff --git a/nixpkgs/nixos/modules/security/polkit.nix b/nixpkgs/nixos/modules/security/polkit.nix index de427ccb295b..327f49c0b637 100644 --- a/nixpkgs/nixos/modules/security/polkit.nix +++ b/nixpkgs/nixos/modules/security/polkit.nix 
@@ -35,7 +35,7 @@ in description = lib.mdDoc '' Any polkit rules to be added to config (in JavaScript ;-). See: - http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules + <https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules> ''; }; @@ -117,4 +117,3 @@ in }; } - diff --git a/nixpkgs/nixos/modules/security/sudo.nix b/nixpkgs/nixos/modules/security/sudo.nix index c665c15242a5..3dd5d2e525d9 100644 --- a/nixpkgs/nixos/modules/security/sudo.nix +++ b/nixpkgs/nixos/modules/security/sudo.nix @@ -6,6 +6,8 @@ let cfg = config.security.sudo; + inherit (config.security.pam) enableSSHAgentAuth; + toUserString = user: if (isInt user) then "#${toString user}" else "${user}"; toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}"; @@ -28,9 +30,18 @@ in ###### interface - options = { + options.security.sudo = { + + defaultOptions = mkOption { + type = with types; listOf str; + default = [ "SETENV" ]; + description = mdDoc '' + Options used for the default rules, granting `root` and the + `wheel` group permission to run any command as any user. + ''; + }; - security.sudo.enable = mkOption { + enable = mkOption { type = types.bool; default = true; description = 
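Review bot: `defaultOptions` is typed `listOf str`, while the per-rule `commands.*.options` later in this file is restricted to an enum of sudoers tags (`NOPASSWD`, `SETENV`, ...); use the same enum here so a mistyped tag in the root or wheel rule is rejected at evaluation time rather than only by the sudoers syntax check during the build. The description should also state that these tags are appended after any rule-specific ones, which is how `options = opts ++ cfg.defaultOptions` in the implementation hunk composes them.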
@@ -40,29 +51,21 @@ in ''; }; - security.sudo.package = mkOption { - type = types.package; - default = pkgs.sudo; - defaultText = literalExpression "pkgs.sudo"; - description = lib.mdDoc '' - Which package to use for `sudo`. - ''; - }; + package = mkPackageOption pkgs "sudo" { }; - security.sudo.wheelNeedsPassword = mkOption { + wheelNeedsPassword = mkOption { type = types.bool; default = true; - description = - lib.mdDoc '' - Whether users of the `wheel` group must - provide a password to run commands as super user via {command}`sudo`. - ''; + description = mdDoc '' + Whether users of the `wheel` group must + provide a password to run commands as super user via {command}`sudo`. + ''; }; - security.sudo.execWheelOnly = mkOption { + execWheelOnly = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = mdDoc '' Only allow members of the `wheel` group to execute sudo by setting the executable's permissions accordingly. This prevents users that are not members of `wheel` from @@ -70,19 +73,18 @@ in ''; }; - security.sudo.configFile = mkOption { + configFile = mkOption { type = types.lines; # Note: if syntax errors are detected in this file, the NixOS # configuration will fail to build. - description = - lib.mdDoc '' - This string contains the contents of the - {file}`sudoers` file. - ''; + description = mdDoc '' + This string contains the contents of the + {file}`sudoers` file. + ''; }; - security.sudo.extraRules = mkOption { - description = lib.mdDoc '' + extraRules = mkOption { + description = mdDoc '' Define specific rules to be in the {file}`sudoers` file. More specific rules should come after more general ones in order to yield the expected behavior. You can use mkBefore/mkAfter to ensure @@ -112,7 +114,7 @@ in options = { users = mkOption { type = with types; listOf (either str int); - description = lib.mdDoc '' + description = mdDoc '' The usernames / UIDs this rule should apply for. ''; default = []; 
@@ -120,7 +122,7 @@ in groups = mkOption { type = with types; listOf (either str int); - description = lib.mdDoc '' + description = mdDoc '' The groups / GIDs this rule should apply for. ''; default = []; @@ -129,7 +131,7 @@ in host = mkOption { type = types.str; default = "ALL"; - description = lib.mdDoc '' + description = mdDoc '' For what host this rule should apply. ''; }; @@ -137,7 +139,7 @@ in runAs = mkOption { type = with types; str; default = "ALL:ALL"; - description = lib.mdDoc '' + description = mdDoc '' Under which user/group the specified command is allowed to run. A user can be specified using just the username: `"foo"`. @@ -147,7 +149,7 @@ in }; commands = mkOption { - description = lib.mdDoc '' + description = mdDoc '' The commands for which the rule should apply. ''; type = with types; listOf (either str (submodule { @@ -155,7 +157,7 @@ in options = { command = mkOption { type = with types; str; - description = lib.mdDoc '' + description = mdDoc '' A command being either just a path to a binary to allow any arguments, the full command with arguments pre-set or with `""` used as the argument, not allowing arguments to the command at all. @@ -164,7 +166,7 @@ in options = mkOption { type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]); - description = lib.mdDoc '' + description = mdDoc '' Options for running the command. Refer to the [sudo manual](https://www.sudo.ws/man/1.7.10/sudoers.man.html). ''; default = []; @@ -177,10 +179,10 @@ in }); }; - security.sudo.extraConfig = mkOption { + extraConfig = mkOption { type = types.lines; default = ""; - description = lib.mdDoc '' + description = mdDoc '' Extra configuration text appended to {file}`sudoers`. ''; }; 
@@ -190,44 +192,55 @@ in ###### implementation config = mkIf cfg.enable { - assertions = [ - { assertion = cfg.package.pname != "sudo-rs"; - message = "The NixOS `sudo` module does not work with `sudo-rs` yet."; } - ]; - - # We `mkOrder 600` so that the default rule shows up first, but there is - # still enough room for a user to `mkBefore` it. - security.sudo.extraRules = mkOrder 600 [ - { groups = [ "wheel" ]; - commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ]; - } - ]; - - security.sudo.configFile = + assertions = [ { + assertion = cfg.package.pname != "sudo-rs"; + message = '' + NixOS' `sudo` module does not support `sudo-rs`; see `security.sudo-rs` instead. + ''; + } ]; + + security.sudo.extraRules = + let + defaultRule = { users ? [], groups ? [], opts ? [] }: [ { + inherit users groups; + commands = [ { + command = "ALL"; + options = opts ++ cfg.defaultOptions; + } ]; + } ]; + in mkMerge [ + # This is ordered before users' `mkBefore` rules, + # so as not to introduce unexpected changes. + (mkOrder 400 (defaultRule { users = [ "root" ]; })) + + # This is ordered to show before (most) other rules, but + # late-enough for a user to `mkBefore` it. + (mkOrder 600 (defaultRule { + groups = [ "wheel" ]; + opts = (optional (!cfg.wheelNeedsPassword) "NOPASSWD"); + })) + ]; + + security.sudo.configFile = concatStringsSep "\n" (filter (s: s != "") [ '' # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’ # or ‘security.sudo.extraRules’ instead. - - # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. - Defaults env_keep+=SSH_AUTH_SOCK - - # "root" is allowed to do anything. 
- root ALL=(ALL:ALL) SETENV: ALL - - # extraRules - ${concatStringsSep "\n" ( - lists.flatten ( - map ( - rule: optionals (length rule.commands != 0) [ - (map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users) - (map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups) - ] - ) cfg.extraRules - ) - )} - + '' + (pipe cfg.extraRules [ + (filter (rule: length rule.commands != 0)) + (map (rule: [ + (map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users) + (map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups) + ])) + flatten + (concatStringsSep "\n") + ]) + "\n" + (optionalString (cfg.extraConfig != "") '' + # extraConfig ${cfg.extraConfig} - ''; + '') + ]); security.wrappers = let owner = "root"; diff --git a/nixpkgs/nixos/modules/services/audio/jack.nix b/nixpkgs/nixos/modules/services/audio/jack.nix index 105e99cb2f5e..b51f2a78c983 100644 --- a/nixpkgs/nixos/modules/services/audio/jack.nix +++ b/nixpkgs/nixos/modules/services/audio/jack.nix @@ -225,7 +225,7 @@ in { description = "JACK Audio system service user"; isSystemUser = true; }; - # http://jackaudio.org/faq/linux_rt_config.html + # https://jackaudio.org/faq/linux_rt_config.html security.pam.loginLimits = [ { domain = "@jackaudio"; type = "-"; item = "rtprio"; value = "99"; } { domain = "@jackaudio"; type = "-"; item = "memlock"; value = "unlimited"; } diff --git a/nixpkgs/nixos/modules/services/audio/navidrome.nix b/nixpkgs/nixos/modules/services/audio/navidrome.nix index e18e61eb6d44..77a0e74af9ca 100644 --- a/nixpkgs/nixos/modules/services/audio/navidrome.nix +++ b/nixpkgs/nixos/modules/services/audio/navidrome.nix 
@@ -28,10 +28,17 @@ in { ''; }; + openFirewall = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Whether to open the TCP port in the firewall"; + }; }; }; config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [cfg.settings.Port]; + systemd.services.navidrome = { description = "Navidrome Media Server"; after = [ "network.target" ]; diff --git a/nixpkgs/nixos/modules/services/audio/wyoming/faster-whisper.nix b/nixpkgs/nixos/modules/services/audio/wyoming/faster-whisper.nix index f156e8314a95..2d56acdc1b4c 100644 --- a/nixpkgs/nixos/modules/services/audio/wyoming/faster-whisper.nix +++ b/nixpkgs/nixos/modules/services/audio/wyoming/faster-whisper.nix @@ -146,6 +146,8 @@ in CapabilityBoundingSet = ""; DeviceAllow = if builtins.elem options.device [ "cuda" "auto" ] then [ # https://docs.nvidia.com/dgx/pdf/dgx-os-5-user-guide.pdf + # CUDA not working? Check DeviceAllow and PrivateDevices first! + "/dev/nvidia0" "/dev/nvidia1" "/dev/nvidia2" "/dev/nvidia3" @@ -160,7 +162,6 @@ in DevicePolicy = "closed"; LockPersonality = true; MemoryDenyWriteExecute = true; - PrivateDevices = true; PrivateUsers = true; ProtectHome = true; ProtectHostname = true; diff --git a/nixpkgs/nixos/modules/services/backup/restic.nix b/nixpkgs/nixos/modules/services/backup/restic.nix index 49a55d056014..87595f39796d 100644 --- a/nixpkgs/nixos/modules/services/backup/restic.nix +++ b/nixpkgs/nixos/modules/services/backup/restic.nix @@ -133,13 +133,15 @@ in }; timerConfig = mkOption { - type = types.attrsOf unitOption; + type = types.nullOr (types.attrsOf unitOption); default = { OnCalendar = "daily"; Persistent = true; }; description = lib.mdDoc '' - When to run the backup. See {manpage}`systemd.timer(5)` for details. + When to run the backup. See {manpage}`systemd.timer(5)` for + details. If null no timer is created and the backup will only + run when explicitly started. ''; example = { OnCalendar = "00:05"; 
@@ -345,7 +347,7 @@ in } // optionalAttrs (backup.environmentFile != null) { EnvironmentFile = backup.environmentFile; }; - } // optionalAttrs (backup.initialize || backup.dynamicFilesFrom != null || backup.backupPrepareCommand != null) { + } // optionalAttrs (backup.initialize || doBackup || backup.backupPrepareCommand != null) { preStart = '' ${optionalString (backup.backupPrepareCommand != null) '' ${pkgs.writeScript "backupPrepareCommand" backup.backupPrepareCommand} @@ -360,12 +362,12 @@ in ${pkgs.writeScript "dynamicFilesFromScript" backup.dynamicFilesFrom} >> ${filesFromTmpFile} ''} ''; - } // optionalAttrs (backup.dynamicFilesFrom != null || backup.backupCleanupCommand != null) { + } // optionalAttrs (doBackup || backup.backupCleanupCommand != null) { postStop = '' ${optionalString (backup.backupCleanupCommand != null) '' ${pkgs.writeScript "backupCleanupCommand" backup.backupCleanupCommand} ''} - ${optionalString (backup.dynamicFilesFrom != null) '' + ${optionalString doBackup '' rm ${filesFromTmpFile} ''} ''; @@ -378,7 +380,7 @@ in wantedBy = [ "timers.target" ]; timerConfig = backup.timerConfig; }) - config.services.restic.backups; + (filterAttrs (_: backup: backup.timerConfig != null) config.services.restic.backups); # generate wrapper scripts, as described in the createWrapper option environment.systemPackages = lib.mapAttrsToList (name: backup: let diff --git a/nixpkgs/nixos/modules/services/backup/syncoid.nix b/nixpkgs/nixos/modules/services/backup/syncoid.nix index 0f375455e7ed..1a1df38617b5 100644 --- a/nixpkgs/nixos/modules/services/backup/syncoid.nix +++ b/nixpkgs/nixos/modules/services/backup/syncoid.nix @@ -369,7 +369,7 @@ in PrivateDevices = true; PrivateMounts = true; PrivateNetwork = mkDefault false; - PrivateUsers = true; + PrivateUsers = false; # Enabling this breaks on zfs-2.2.0 ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; 
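Review bot: Flipping `PrivateUsers` to `false` in the syncoid service is a sandbox regression (the unit now runs in the host's user namespace), and the inline comment only says it breaks on zfs-2.2.0. Record the upstream issue or the failing symptom in the comment and, if the breakage is specific to that release, gate the value on the zfs package version so the hardening returns automatically once it is fixed.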
diff --git a/nixpkgs/nixos/modules/services/computing/boinc/client.nix b/nixpkgs/nixos/modules/services/computing/boinc/client.nix index 51475171bf3f..ff16795c8208 100644 --- a/nixpkgs/nixos/modules/services/computing/boinc/client.nix +++ b/nixpkgs/nixos/modules/services/computing/boinc/client.nix @@ -54,7 +54,7 @@ in only the hosts listed in {var}`dataDir`/remote_hosts.cfg will be allowed to connect. - See also: <http://boinc.berkeley.edu/wiki/Controlling_BOINC_remotely#Remote_access> + See also: <https://boinc.berkeley.edu/wiki/Controlling_BOINC_remotely#Remote_access> ''; }; diff --git a/nixpkgs/nixos/modules/services/computing/slurm/slurm.nix b/nixpkgs/nixos/modules/services/computing/slurm/slurm.nix index 344c43a429b3..1cbe7b893f83 100644 --- a/nixpkgs/nixos/modules/services/computing/slurm/slurm.nix +++ b/nixpkgs/nixos/modules/services/computing/slurm/slurm.nix @@ -6,7 +6,7 @@ let cfg = config.services.slurm; opt = options.services.slurm; - # configuration file can be generated by http://slurm.schedmd.com/configurator.html + # configuration file can be generated by https://slurm.schedmd.com/configurator.html defaultUser = "slurm"; diff --git a/nixpkgs/nixos/modules/services/databases/couchdb.nix b/nixpkgs/nixos/modules/services/databases/couchdb.nix index 0a81a8dceeee..bfecfbb3664f 100644 --- a/nixpkgs/nixos/modules/services/databases/couchdb.nix +++ b/nixpkgs/nixos/modules/services/databases/couchdb.nix @@ -79,7 +79,7 @@ in { ''; }; - # couchdb options: http://docs.couchdb.org/en/latest/config/index.html + # couchdb options: https://docs.couchdb.org/en/latest/config/index.html databaseDir = mkOption { type = types.path; diff --git a/nixpkgs/nixos/modules/services/databases/firebird.nix b/nixpkgs/nixos/modules/services/databases/firebird.nix index 26ed46f0e60c..3927c81d953d 100644 --- a/nixpkgs/nixos/modules/services/databases/firebird.nix +++ b/nixpkgs/nixos/modules/services/databases/firebird.nix 
@@ -17,7 +17,7 @@ # There are at least two ways to run firebird. superserver has been chosen # however there are no strong reasons to prefer this or the other one AFAIK # Eg superserver is said to be most efficiently using resources according to -# http://www.firebirdsql.org/manual/qsg25-classic-or-super.html +# https://www.firebirdsql.org/manual/qsg25-classic-or-super.html with lib; diff --git a/nixpkgs/nixos/modules/services/databases/pgmanage.nix b/nixpkgs/nixos/modules/services/databases/pgmanage.nix index 12c8253ab49c..a0933a5ffc45 100644 --- a/nixpkgs/nixos/modules/services/databases/pgmanage.nix +++ b/nixpkgs/nixos/modules/services/databases/pgmanage.nix @@ -66,7 +66,7 @@ in { pgmanage requires at least one PostgreSQL server be defined. Detailed information about PostgreSQL connection strings is available at: - <http://www.postgresql.org/docs/current/static/libpq-connect.html> + <https://www.postgresql.org/docs/current/libpq-connect.html> Note that you should not specify your user name or password. That information will be entered on the login screen. If you specify a diff --git a/nixpkgs/nixos/modules/services/databases/postgresql.md b/nixpkgs/nixos/modules/services/databases/postgresql.md index e4b679a3eee0..d65d9616e2f2 100644 --- a/nixpkgs/nixos/modules/services/databases/postgresql.md +++ b/nixpkgs/nixos/modules/services/databases/postgresql.md @@ -5,7 +5,7 @@ *Source:* {file}`modules/services/databases/postgresql.nix` -*Upstream documentation:* <http://www.postgresql.org/docs/> +*Upstream documentation:* <https://www.postgresql.org/docs/> <!-- FIXME: more stuff, like maintainer? --> diff --git a/nixpkgs/nixos/modules/services/databases/postgresql.nix b/nixpkgs/nixos/modules/services/databases/postgresql.nix index 21e6a60e32a3..af4db5c9611f 100644 --- a/nixpkgs/nixos/modules/services/databases/postgresql.nix +++ b/nixpkgs/nixos/modules/services/databases/postgresql.nix 
@@ -588,7 +588,7 @@ in else "simple"; # Shut down Postgres using SIGINT ("Fast Shutdown mode"). See - # http://www.postgresql.org/docs/current/static/server-shutdown.html + # https://www.postgresql.org/docs/current/server-shutdown.html KillSignal = "SIGINT"; KillMode = "mixed"; diff --git a/nixpkgs/nixos/modules/services/databases/redis.nix b/nixpkgs/nixos/modules/services/databases/redis.nix index 86b295dadf49..315a0282cd73 100644 --- a/nixpkgs/nixos/modules/services/databases/redis.nix +++ b/nixpkgs/nixos/modules/services/databases/redis.nix @@ -63,7 +63,7 @@ in { vmOverCommit = mkEnableOption (lib.mdDoc '' setting of vm.overcommit_memory to 1 - (Suggested for Background Saving: http://redis.io/topics/faq) + (Suggested for Background Saving: <https://redis.io/docs/get-started/faq/>) ''); servers = mkOption { diff --git a/nixpkgs/nixos/modules/services/desktops/gnome/at-spi2-core.nix b/nixpkgs/nixos/modules/services/desktops/gnome/at-spi2-core.nix index 10a2f1f9eca0..d0320c1e6307 100644 --- a/nixpkgs/nixos/modules/services/desktops/gnome/at-spi2-core.nix +++ b/nixpkgs/nixos/modules/services/desktops/gnome/at-spi2-core.nix @@ -51,7 +51,7 @@ with lib; }) (mkIf (!config.services.gnome.at-spi2-core.enable) { - environment.variables = { + environment.sessionVariables = { NO_AT_BRIDGE = "1"; GTK_A11Y = "none"; }; diff --git a/nixpkgs/nixos/modules/services/display-managers/greetd.nix b/nixpkgs/nixos/modules/services/display-managers/greetd.nix index 3a0f59f62afb..89cb81f3a78f 100644 --- a/nixpkgs/nixos/modules/services/display-managers/greetd.nix +++ b/nixpkgs/nixos/modules/services/display-managers/greetd.nix @@ -59,6 +59,7 @@ in security.pam.services.greetd = { allowNullPassword = true; startSession = true; + enableGnomeKeyring = mkDefault config.services.gnome.gnome-keyring.enable; }; # This prevents nixos-rebuild from killing greetd by activating getty again 
diff --git a/nixpkgs/nixos/modules/services/hardware/fwupd.nix b/nixpkgs/nixos/modules/services/hardware/fwupd.nix index 7a938459d0cb..7b6c336bd221 100644 --- a/nixpkgs/nixos/modules/services/hardware/fwupd.nix +++ b/nixpkgs/nixos/modules/services/hardware/fwupd.nix @@ -187,13 +187,20 @@ in { # fwupd-refresh expects a user that we do not create, so just run with DynamicUser # instead and ensure we take ownership of /var/lib/fwupd services.fwupd-refresh.serviceConfig = { - DynamicUser = true; StateDirectory = "fwupd"; + # Better for debugging, upstream sets stderr to null for some reason.. + StandardError = "inherit"; }; timers.fwupd-refresh.wantedBy = [ "timers.target" ]; }; + users.users.fwupd-refresh = { + isSystemUser = true; + group = "fwupd-refresh"; + }; + users.groups.fwupd-refresh = {}; + security.polkit.enable = true; }; diff --git a/nixpkgs/nixos/modules/services/hardware/udev.nix b/nixpkgs/nixos/modules/services/hardware/udev.nix index 24987374ab0d..08ca7a0d247d 100644 --- a/nixpkgs/nixos/modules/services/hardware/udev.nix +++ b/nixpkgs/nixos/modules/services/hardware/udev.nix @@ -279,7 +279,7 @@ in default = true; type = types.bool; description = lib.mdDoc '' - Whether to assign [predictable names to network interfaces](http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames). + Whether to assign [predictable names to network interfaces](https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/). If enabled, interfaces are assigned names that contain topology information (e.g. `wlp3s0`) and thus should be stable diff --git a/nixpkgs/nixos/modules/services/home-automation/home-assistant.nix b/nixpkgs/nixos/modules/services/home-automation/home-assistant.nix index 789b06af19b1..54fd3e17292f 100644 --- a/nixpkgs/nixos/modules/services/home-automation/home-assistant.nix +++ b/nixpkgs/nixos/modules/services/home-automation/home-assistant.nix 
@@ -16,7 +16,8 @@ let cp ${format.generate "configuration.yaml" filteredConfig} $out sed -i -e "s/'\!\([a-z_]\+\) \(.*\)'/\!\1 \2/;s/^\!\!/\!/;" $out ''; - lovelaceConfig = cfg.lovelaceConfig or {}; + lovelaceConfig = if (cfg.lovelaceConfig == null) then {} + else (lib.recursiveUpdate customLovelaceModulesResources cfg.lovelaceConfig); lovelaceConfigFile = format.generate "ui-lovelace.yaml" lovelaceConfig; # Components advertised by the home-assistant package @@ -62,8 +63,24 @@ let # Respect overrides that already exist in the passed package and # concat it with values passed via the module. extraComponents = oldArgs.extraComponents or [] ++ extraComponents; - extraPackages = ps: (oldArgs.extraPackages or (_: []) ps) ++ (cfg.extraPackages ps); + extraPackages = ps: (oldArgs.extraPackages or (_: []) ps) + ++ (cfg.extraPackages ps) + ++ (lib.concatMap (component: component.propagatedBuildInputs or []) cfg.customComponents); })); + + # Create a directory that holds all lovelace modules + customLovelaceModulesDir = pkgs.buildEnv { + name = "home-assistant-custom-lovelace-modules"; + paths = cfg.customLovelaceModules; + }; + + # Create parts of the lovelace config that reference lovelave modules as resources + customLovelaceModulesResources = { + lovelace.resources = map (card: { + url = "/local/nixos-lovelace-modules/${card.entrypoint or card.pname}.js?${card.version}"; + type = "module"; + }) cfg.customLovelaceModules; + }; in { imports = [ # Migrations in NixOS 22.05 
@@ -137,6 +154,41 @@ in { ''; }; + customComponents = mkOption { + type = types.listOf types.package; + default = []; + example = literalExpression '' + with pkgs.home-assistant-custom-components; [ + prometheus-sensor + ]; + ''; + description = lib.mdDoc '' + List of custom component packages to install. + + Available components can be found below `pkgs.home-assistant-custom-components`. + ''; + }; + + customLovelaceModules = mkOption { + type = types.listOf types.package; + default = []; + example = literalExpression '' + with pkgs.home-assistant-custom-lovelace-modules; [ + mini-graph-card + mini-media-player + ]; + ''; + description = lib.mdDoc '' + List of custom lovelace card packages to load as lovelace resources. + + Available cards can be found below `pkgs.home-assistant-custom-lovelace-modules`. + + ::: {.note} + Automatic loading only works with lovelace in `yaml` mode. + ::: + ''; + }; + config = mkOption { type = types.nullOr (types.submodule { freeformType = format.type; 
@@ -408,9 +460,35 @@ in { rm -f "${cfg.configDir}/ui-lovelace.yaml" ln -s /etc/home-assistant/ui-lovelace.yaml "${cfg.configDir}/ui-lovelace.yaml" ''; + copyCustomLovelaceModules = if cfg.customLovelaceModules != [] then '' + mkdir -p "${cfg.configDir}/www" + ln -fns ${customLovelaceModulesDir} "${cfg.configDir}/www/nixos-lovelace-modules" + '' else '' + rm -f "${cfg.configDir}/www/nixos-lovelace-modules" + ''; + copyCustomComponents = '' + mkdir -p "${cfg.configDir}/custom_components" + + # remove components symlinked in from below the /nix/store + components="$(find "${cfg.configDir}/custom_components" -maxdepth 1 -type l)" + for component in "$components"; do + if [[ "$(readlink "$component")" =~ ^${escapeShellArg builtins.storeDir} ]]; then + rm "$component" + fi + done + + # recreate symlinks for desired components + declare -a components=(${escapeShellArgs cfg.customComponents}) + for component in "''${components[@]}"; do + path="$(dirname $(find "$component" -name "manifest.json"))" + ln -fns "$path" "${cfg.configDir}/custom_components/" + done + ''; in (optionalString (cfg.config != null) copyConfig) + - (optionalString (cfg.lovelaceConfig != null) copyLovelaceConfig) + (optionalString (cfg.lovelaceConfig != null) copyLovelaceConfig) + + copyCustomLovelaceModules + + copyCustomComponents ; environment.PYTHONPATH = package.pythonPath; serviceConfig = let diff --git a/nixpkgs/nixos/modules/services/home-automation/zwave-js.nix b/nixpkgs/nixos/modules/services/home-automation/zwave-js.nix new file mode 100644 index 000000000000..87c9b8f1ac81 --- /dev/null +++ b/nixpkgs/nixos/modules/services/home-automation/zwave-js.nix 
@@ -0,0 +1,152 @@ +{config, pkgs, lib, ...}: + +with lib; + +let + cfg = config.services.zwave-js; + mergedConfigFile = "/run/zwave-js/config.json"; + settingsFormat = pkgs.formats.json {}; +in { + options.services.zwave-js = { + enable = mkEnableOption (mdDoc "the zwave-js server on boot"); + + package = mkPackageOptionMD pkgs "zwave-js-server" { }; + + port = mkOption { + type = types.port; + default = 3000; + description = mdDoc '' + Port for the server to listen on. + ''; + }; + + serialPort = mkOption { + type = types.path; + description = mdDoc '' + Serial port device path for Z-Wave controller. + ''; + example = "/dev/ttyUSB0"; + }; + + secretsConfigFile = mkOption { + type = types.path; + description = mdDoc '' + JSON file containing secret keys. A dummy example: + + ``` + { + "securityKeys": { + "S0_Legacy": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", + "S2_Unauthenticated": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB", + "S2_Authenticated": "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC", + "S2_AccessControl": "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" + } + } + ``` + + See + <https://zwave-js.github.io/node-zwave-js/#/getting-started/security-s2> + for details. This file will be merged with the module-generated config + file (taking precedence). + + Z-Wave keys can be generated with: + + {command}`< /dev/urandom tr -dc A-F0-9 | head -c32 ;echo` + + + ::: {.warning} + A file in the nix store should not be used since it will be readable to + all users. + ::: + ''; + example = "/secrets/zwave-js-keys.json"; + }; + + settings = mkOption { + type = lib.types.submodule { + freeformType = settingsFormat.type; + + options = { + storage = { + cacheDir = mkOption { + type = types.path; + default = "/var/cache/zwave-js"; + readOnly = true; + description = lib.mdDoc "Cache directory"; + }; + }; + }; + }; + default = {}; + description = mdDoc '' + Configuration settings for the generated config + file. 
+ ''; + }; + + extraFlags = lib.mkOption { + type = with lib.types; listOf str; + default = [ ]; + example = [ "--mock-driver" ]; + description = lib.mdDoc '' + Extra flags to pass to command + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.zwave-js = let + configFile = settingsFormat.generate "zwave-js-config.json" cfg.settings; + in { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + description = "Z-Wave JS Server"; + serviceConfig = { + ExecStartPre = '' + /bin/sh -c "${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configFile} ${cfg.secretsConfigFile} > ${mergedConfigFile}" + ''; + ExecStart = lib.concatStringsSep " " [ + "${cfg.package}/bin/zwave-server" + "--config ${mergedConfigFile}" + "--port ${toString cfg.port}" + cfg.serialPort + (escapeShellArgs cfg.extraFlags) + ]; + Restart = "on-failure"; + User = "zwave-js"; + SupplementaryGroups = [ "dialout" ]; + CacheDirectory = "zwave-js"; + RuntimeDirectory = "zwave-js"; + + # Hardening + CapabilityBoundingSet = ""; + DeviceAllow = [cfg.serialPort]; + DevicePolicy = "closed"; + DynamicUser = true; + LockPersonality = true; + MemoryDenyWriteExecute = false; + NoNewPrivileges = true; + PrivateUsers = true; + PrivateTmp = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + RemoveIPC = true; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service @pkey" + "~@privileged @resources" + ]; + UMask = "0077"; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ graham33 ]; +} diff --git a/nixpkgs/nixos/modules/services/logging/logstash.nix b/nixpkgs/nixos/modules/services/logging/logstash.nix index e9e3ae1f14ce..42d52a61639e 100644 --- a/nixpkgs/nixos/modules/services/logging/logstash.nix +++ b/nixpkgs/nixos/modules/services/logging/logstash.nix 
@@ -123,7 +123,7 @@ in example = '' if [type] == "syslog" { # Keep only relevant systemd fields - # http://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html + # https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html prune { whitelist_names => [ "type", "@timestamp", "@version", diff --git a/nixpkgs/nixos/modules/services/mail/mailman.nix b/nixpkgs/nixos/modules/services/mail/mailman.nix index 646addc5dad2..d61826de1b5c 100644 --- a/nixpkgs/nixos/modules/services/mail/mailman.nix +++ b/nixpkgs/nixos/modules/services/mail/mailman.nix @@ -480,6 +480,9 @@ in { RuntimeDirectory = "mailman"; LogsDirectory = "mailman"; PIDFile = "/run/mailman/master.pid"; + Restart = "on-failure"; + TimeoutStartSec = 180; + TimeoutStopSec = 180; }; }; @@ -592,6 +595,7 @@ in { User = cfg.webUser; Group = "mailman"; RuntimeDirectory = "mailman-uwsgi"; + Restart = "on-failure"; }; }); @@ -616,6 +620,7 @@ in { User = cfg.webUser; Group = "mailman"; WorkingDirectory = "/var/lib/mailman-web"; + Restart = "on-failure"; }; }; } // flip lib.mapAttrs' { diff --git a/nixpkgs/nixos/modules/services/matrix/appservice-discord.nix b/nixpkgs/nixos/modules/services/matrix/appservice-discord.nix index f579c2529c0a..6ce8718c35d8 100644 --- a/nixpkgs/nixos/modules/services/matrix/appservice-discord.nix +++ b/nixpkgs/nixos/modules/services/matrix/appservice-discord.nix @@ -100,9 +100,9 @@ in { serviceDependencies = mkOption { type = with types; listOf str; - default = optional config.services.matrix-synapse.enable "matrix-synapse.service"; + default = optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit; defaultText = literalExpression '' - optional config.services.matrix-synapse.enable "matrix-synapse.service" + optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit ''; description = lib.mdDoc '' List of Systemd services to require and wait for when starting the application service, 
diff --git a/nixpkgs/nixos/modules/services/matrix/matrix-sliding-sync.nix b/nixpkgs/nixos/modules/services/matrix/matrix-sliding-sync.nix index 7e464d6ed589..9807cde40919 100644 --- a/nixpkgs/nixos/modules/services/matrix/matrix-sliding-sync.nix +++ b/nixpkgs/nixos/modules/services/matrix/matrix-sliding-sync.nix @@ -80,8 +80,11 @@ in } ]; }; - systemd.services.matrix-sliding-sync = { - after = lib.optional cfg.createDatabase "postgresql.service"; + systemd.services.matrix-sliding-sync = rec { + after = + lib.optional cfg.createDatabase "postgresql.service" + ++ lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit; + wants = after; wantedBy = [ "multi-user.target" ]; environment = cfg.settings; serviceConfig = { @@ -90,6 +93,8 @@ in ExecStart = lib.getExe cfg.package; StateDirectory = "matrix-sliding-sync"; WorkingDirectory = "%S/matrix-sliding-sync"; + Restart = "on-failure"; + RestartSec = "1s"; }; }; }; diff --git a/nixpkgs/nixos/modules/services/matrix/mautrix-facebook.nix b/nixpkgs/nixos/modules/services/matrix/mautrix-facebook.nix index bab6865496dd..671040500df8 100644 --- a/nixpkgs/nixos/modules/services/matrix/mautrix-facebook.nix +++ b/nixpkgs/nixos/modules/services/matrix/mautrix-facebook.nix @@ -145,7 +145,7 @@ in { wantedBy = [ "multi-user.target" ]; wants = [ "network-online.target" - ] ++ optional config.services.matrix-synapse.enable "matrix-synapse.service" + ] ++ optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit ++ optional cfg.configurePostgresql "postgresql.service"; after = wants; diff --git a/nixpkgs/nixos/modules/services/matrix/mautrix-telegram.nix b/nixpkgs/nixos/modules/services/matrix/mautrix-telegram.nix index 97a6ba858e00..168c8bf436ac 100644 --- a/nixpkgs/nixos/modules/services/matrix/mautrix-telegram.nix +++ b/nixpkgs/nixos/modules/services/matrix/mautrix-telegram.nix 
@@ -122,9 +122,9 @@ in { serviceDependencies = mkOption { type = with types; listOf str; - default = optional config.services.matrix-synapse.enable "matrix-synapse.service"; + default = optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit; defaultText = literalExpression '' - optional config.services.matrix-synapse.enable "matrix-synapse.service" + optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit ''; description = lib.mdDoc '' List of Systemd services to require and wait for when starting the application service. diff --git a/nixpkgs/nixos/modules/services/matrix/mautrix-whatsapp.nix b/nixpkgs/nixos/modules/services/matrix/mautrix-whatsapp.nix index c4dc48213495..4b561a4b07a3 100644 --- a/nixpkgs/nixos/modules/services/matrix/mautrix-whatsapp.nix +++ b/nixpkgs/nixos/modules/services/matrix/mautrix-whatsapp.nix @@ -100,9 +100,9 @@ in { serviceDependencies = lib.mkOption { type = with lib.types; listOf str; - default = lib.optional config.services.matrix-synapse.enable "matrix-synapse.service"; + default = lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit; defaultText = lib.literalExpression '' - optional config.services.matrix-synapse.enable "matrix-synapse.service" + optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnits ''; description = lib.mdDoc '' List of Systemd services to require and wait for when starting the application service. diff --git a/nixpkgs/nixos/modules/services/matrix/mx-puppet-discord.nix b/nixpkgs/nixos/modules/services/matrix/mx-puppet-discord.nix index 36c9f8b122ea..70828804b556 100644 --- a/nixpkgs/nixos/modules/services/matrix/mx-puppet-discord.nix +++ b/nixpkgs/nixos/modules/services/matrix/mx-puppet-discord.nix 
@@ -66,9 +66,9 @@ in { }; serviceDependencies = mkOption { type = with types; listOf str; - default = optional config.services.matrix-synapse.enable "matrix-synapse.service"; + default = optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit; defaultText = literalExpression '' - optional config.services.matrix-synapse.enable "matrix-synapse.service" + optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit ''; description = lib.mdDoc '' List of Systemd services to require and wait for when starting the application service. diff --git a/nixpkgs/nixos/modules/services/matrix/synapse.nix b/nixpkgs/nixos/modules/services/matrix/synapse.nix index 12e27ef26ff3..9cc769c2d0db 100644 --- a/nixpkgs/nixos/modules/services/matrix/synapse.nix +++ b/nixpkgs/nixos/modules/services/matrix/synapse.nix @@ -296,6 +296,18 @@ in { services.matrix-synapse = { enable = mkEnableOption (lib.mdDoc "matrix.org synapse"); + serviceUnit = lib.mkOption { + type = lib.types.str; + readOnly = true; + description = lib.mdDoc '' + The systemd unit (a service or a target) for other services to depend on if they + need to be started after matrix-synapse. + + This option is useful as the actual parent unit for all matrix-synapse processes + changes when configuring workers. + ''; + }; + configFile = mkOption { type = types.path; readOnly = true; @@ -1021,6 +1033,7 @@ in { port = 9093; }); + services.matrix-synapse.serviceUnit = if hasWorkers then "matrix-synapse.target" else "matrix-synapse.service"; services.matrix-synapse.configFile = configFile; services.matrix-synapse.package = wrapped; diff --git a/nixpkgs/nixos/modules/services/misc/autofs.nix b/nixpkgs/nixos/modules/services/misc/autofs.nix index 55ab15ff003d..723b67e8bb6b 100644 --- a/nixpkgs/nixos/modules/services/misc/autofs.nix +++ b/nixpkgs/nixos/modules/services/misc/autofs.nix 
@@ -74,7 +74,7 @@ in config = mkIf cfg.enable { - boot.kernelModules = [ "autofs4" ]; + boot.kernelModules = [ "autofs" ]; systemd.services.autofs = { description = "Automounts filesystems on demand"; diff --git a/nixpkgs/nixos/modules/services/misc/mediatomb.nix b/nixpkgs/nixos/modules/services/misc/mediatomb.nix index 632b7caaac40..335b1b684b1a 100644 --- a/nixpkgs/nixos/modules/services/misc/mediatomb.nix +++ b/nixpkgs/nixos/modules/services/misc/mediatomb.nix @@ -186,7 +186,7 @@ let defaultFirewallRules = { # udp 1900 port needs to be opened for SSDP (not configurable within # mediatomb/gerbera) cf. - # http://docs.gerbera.io/en/latest/run.html?highlight=udp%20port#network-setup + # https://docs.gerbera.io/en/latest/run.html?highlight=udp%20port#network-setup allowedUDPPorts = [ 1900 cfg.port ]; allowedTCPPorts = [ cfg.port ]; }; diff --git a/nixpkgs/nixos/modules/services/misc/soft-serve.nix b/nixpkgs/nixos/modules/services/misc/soft-serve.nix index 0f246493880b..2b63b6bcd867 100644 --- a/nixpkgs/nixos/modules/services/misc/soft-serve.nix +++ b/nixpkgs/nixos/modules/services/misc/soft-serve.nix @@ -12,7 +12,7 @@ in { options = { services.soft-serve = { - enable = mkEnableOption "Enable soft-serve service"; + enable = mkEnableOption "soft-serve"; package = mkPackageOption pkgs "soft-serve" { }; @@ -20,7 +20,7 @@ in type = format.type; default = { }; description = mdDoc '' - The contents of the configuration file. + The contents of the configuration file for soft-serve. See <${docUrl}>. ''; diff --git a/nixpkgs/nixos/modules/services/misc/sourcehut/default.nix b/nixpkgs/nixos/modules/services/misc/sourcehut/default.nix index bee971662972..f2b09f4bc4b6 100644 --- a/nixpkgs/nixos/modules/services/misc/sourcehut/default.nix +++ b/nixpkgs/nixos/modules/services/misc/sourcehut/default.nix 
@@ -25,7 +25,7 @@ let || head srvMatch == srv # Include sections for the service being configured then v # Enable Web links and integrations between services. - else if tail srvMatch == [ null ] && elem (head srvMatch) cfg.services + else if tail srvMatch == [ null ] && cfg.${head srvMatch}.enable then { inherit (v) origin; # mansrht crashes without it @@ -38,9 +38,9 @@ let # for services needing access to them. "builds.sr.ht::worker".buildlogs = "/var/log/sourcehut/buildsrht-worker"; "git.sr.ht".post-update-script = "/usr/bin/gitsrht-update-hook"; - "git.sr.ht".repos = "/var/lib/sourcehut/gitsrht/repos"; + "git.sr.ht".repos = cfg.settings."git.sr.ht".repos; "hg.sr.ht".changegroup-script = "/usr/bin/hgsrht-hook-changegroup"; - "hg.sr.ht".repos = "/var/lib/sourcehut/hgsrht/repos"; + "hg.sr.ht".repos = cfg.settings."hg.sr.ht".repos; # Making this a per service option despite being in a global section, # so that it uses the redis-server used by the service. "sr.ht".redis-host = cfg.${srv}.redis.host; @@ -77,6 +77,14 @@ let type = types.path; apply = s: "<" + toString s; }; + api-origin = mkOption { + description = lib.mdDoc "Origin URL for the API"; + type = types.str; + default = "http://${cfg.listenAddress}:${toString (cfg.${srv}.port + 100)}"; + defaultText = lib.literalMD '' + `"http://''${`[](#opt-services.sourcehut.listenAddress)`}:''${toString (`[](#opt-services.sourcehut.${srv}.port)` + 100)}"` + ''; + }; }; # Specialized python containing all the modules @@ -112,15 +120,6 @@ in and account management services ''); - services = mkOption { - type = with types; listOf (enum - [ "builds" "git" "hg" "hub" "lists" "man" "meta" "pages" "paste" "todo" ]); - defaultText = "locally enabled services"; - description = lib.mdDoc '' - Services that may be displayed as links in the title bar of the Web interface. - ''; - }; - listenAddress = mkOption { type = types.str; default = "localhost"; 
@@ -400,8 +399,8 @@ in This setting is propagated to newer and existing repositories. ''; type = types.str; - default = "${cfg.python}/bin/hgsrht-hook-changegroup"; - defaultText = "\${cfg.python}/bin/hgsrht-hook-changegroup"; + default = "${pkgs.sourcehut.hgsrht}/bin/hgsrht-hook-changegroup"; + defaultText = "\${pkgs.sourcehut.hgsrht}/bin/hgsrht-hook-changegroup"; }; repos = mkOption { description = lib.mdDoc '' @@ -501,12 +500,6 @@ in options."meta.sr.ht" = removeAttrs (commonServiceSettings "meta") ["oauth-client-id" "oauth-client-secret"] // { - api-origin = mkOption { - description = lib.mdDoc "Origin URL for API, 100 more than web."; - type = types.str; - default = "http://${cfg.listenAddress}:${toString (cfg.meta.port + 100)}"; - defaultText = lib.literalMD ''`"http://''${`[](#opt-services.sourcehut.listenAddress)`}:''${toString (`[](#opt-services.sourcehut.meta.port)` + 100)}"`''; - }; webhooks = mkOption { description = lib.mdDoc "The Redis connection used for the webhooks worker."; type = types.str; @@ -784,6 +777,7 @@ in extraConfig = '' PermitUserEnvironment SRHT_* ''; + startWhenNeeded = false; }; environment.etc."ssh/sourcehut/config.ini".source = settingsFormat.generate "sourcehut-dispatch-config.ini" 
@@ -792,15 +786,28 @@ in environment.etc."ssh/sourcehut/subdir/srht-dispatch" = { # sshd_config(5): The program must be owned by root, not writable by group or others mode = "0755"; - source = pkgs.writeShellScript "srht-dispatch" '' + source = pkgs.writeShellScript "srht-dispatch-wrapper" '' set -e + set -x cd /etc/ssh/sourcehut/subdir - ${cfg.python}/bin/gitsrht-dispatch "$@" + ${pkgs.sourcehut.gitsrht}/bin/gitsrht-dispatch "$@" ''; }; + systemd.tmpfiles.settings."10-sourcehut-gitsrht" = mkIf cfg.git.enable ( + builtins.listToAttrs (map (name: { + name = "/var/log/sourcehut/gitsrht-${name}"; + value.f = { + inherit (cfg.git) user group; + mode = "0644"; + }; + }) [ "keys" "shell" "update-hook" ]) + ); systemd.services.sshd = { - #path = optional cfg.git.enable [ cfg.git.package ]; + preStart = mkIf cfg.hg.enable '' + chown ${cfg.hg.user}:${cfg.hg.group} /var/log/sourcehut/hgsrht-keys + ''; serviceConfig = { + LogsDirectory = "sourcehut"; BindReadOnlyPaths = # Note that those /usr/bin/* paths are hardcoded in multiple places in *.sr.ht, # for instance to get the user from the [git.sr.ht::dispatch] settings. @@ -813,7 +820,6 @@ in "${pkgs.writeShellScript "buildsrht-keys-wrapper" '' set -e cd /run/sourcehut/buildsrht/subdir - set -x exec -a "$0" ${pkgs.sourcehut.buildsrht}/bin/buildsrht-keys "$@" ''}:/usr/bin/buildsrht-keys" "${pkgs.sourcehut.buildsrht}/bin/master-shell:/usr/bin/master-shell" 
@@ -825,31 +831,26 @@ in "${pkgs.writeShellScript "gitsrht-keys-wrapper" '' set -e cd /run/sourcehut/gitsrht/subdir - set -x exec -a "$0" ${pkgs.sourcehut.gitsrht}/bin/gitsrht-keys "$@" ''}:/usr/bin/gitsrht-keys" "${pkgs.writeShellScript "gitsrht-shell-wrapper" '' set -e cd /run/sourcehut/gitsrht/subdir - set -x + export PATH="${cfg.git.package}/bin:$PATH" + export SRHT_CONFIG=/run/sourcehut/gitsrht/config.ini exec -a "$0" ${pkgs.sourcehut.gitsrht}/bin/gitsrht-shell "$@" ''}:/usr/bin/gitsrht-shell" "${pkgs.writeShellScript "gitsrht-update-hook" '' set -e - test -e "''${PWD%/*}"/config.ini || - # Git hooks are run relative to their repository's directory, - # but gitsrht-update-hook looks up ../config.ini - ln -s /run/sourcehut/gitsrht/config.ini "''${PWD%/*}"/config.ini + export SRHT_CONFIG=/run/sourcehut/gitsrht/config.ini # hooks/post-update calls /usr/bin/gitsrht-update-hook as hooks/stage-3 # but this wrapper being a bash script, it overrides $0 with /usr/bin/gitsrht-update-hook # hence this hack to put hooks/stage-3 back into gitsrht-update-hook's $0 if test "''${STAGE3:+set}" then - set -x exec -a hooks/stage-3 ${pkgs.sourcehut.gitsrht}/bin/gitsrht-update-hook "$@" else export STAGE3=set - set -x exec -a "$0" ${pkgs.sourcehut.gitsrht}/bin/gitsrht-update-hook "$@" fi ''}:/usr/bin/gitsrht-update-hook" @@ -860,13 +861,11 @@ in "${pkgs.writeShellScript "hgsrht-keys-wrapper" '' set -e cd /run/sourcehut/hgsrht/subdir - set -x exec -a "$0" ${pkgs.sourcehut.hgsrht}/bin/hgsrht-keys "$@" ''}:/usr/bin/hgsrht-keys" "${pkgs.writeShellScript "hgsrht-shell-wrapper" '' set -e cd /run/sourcehut/hgsrht/subdir - set -x exec -a "$0" ${pkgs.sourcehut.hgsrht}/bin/hgsrht-shell "$@" ''}:/usr/bin/hgsrht-shell" # Mercurial's changegroup hooks are run relative to their repository's directory, 
@@ -875,8 +874,7 @@ in set -e test -e "''$PWD"/config.ini || ln -s /run/sourcehut/hgsrht/config.ini "''$PWD"/config.ini - set -x - exec -a "$0" ${cfg.python}/bin/hgsrht-hook-changegroup "$@" + exec -a "$0" ${pkgs.sourcehut.hgsrht}/bin/hgsrht-hook-changegroup "$@" ''}:/usr/bin/hgsrht-hook-changegroup" ]; }; @@ -1066,10 +1064,11 @@ in }; }) ]; - extraServices.gitsrht-api = { - serviceConfig.Restart = "always"; - serviceConfig.RestartSec = "5s"; - serviceConfig.ExecStart = "${pkgs.sourcehut.gitsrht}/bin/gitsrht-api -b ${cfg.listenAddress}:${toString (cfg.git.port + 100)}"; + extraServices.gitsrht-api.serviceConfig = { + Restart = "always"; + RestartSec = "5s"; + ExecStart = "${pkgs.sourcehut.gitsrht}/bin/gitsrht-api -b ${cfg.listenAddress}:${toString (cfg.git.port + 100)}"; + BindPaths = [ "${cfg.settings."git.sr.ht".repos}:/var/lib/sourcehut/gitsrht/repos" ]; }; extraServices.gitsrht-fcgiwrap = mkIf cfg.nginx.enable { serviceConfig = { @@ -1188,7 +1187,7 @@ in extraServices.listssrht-lmtp = { wants = [ "postfix.service" ]; unitConfig.JoinsNamespaceOf = optional cfg.postfix.enable "postfix.service"; - serviceConfig.ExecStart = "${cfg.python}/bin/listssrht-lmtp"; + serviceConfig.ExecStart = "${pkgs.sourcehut.listssrht}/bin/listssrht-lmtp"; # Avoid crashing: os.chown(sock, os.getuid(), sock_gid) serviceConfig.PrivateUsers = mkForce false; }; 
@@ -1252,55 +1251,30 @@ in ) cfg.settings)); serviceConfig.ExecStart = "${pkgs.sourcehut.metasrht}/bin/metasrht-api -b ${cfg.listenAddress}:${toString (cfg.meta.port + 100)}"; }; - extraConfig = mkMerge [ - { - assertions = [ - { assertion = let s = cfg.settings."meta.sr.ht::billing"; in - s.enabled == "yes" -> (s.stripe-public-key != null && s.stripe-secret-key != null); - message = "If meta.sr.ht::billing is enabled, the keys must be defined."; - } - ]; - environment.systemPackages = optional cfg.meta.enable - (pkgs.writeShellScriptBin "metasrht-manageuser" '' - set -eux - if test "$(${pkgs.coreutils}/bin/id -n -u)" != '${cfg.meta.user}' - then exec sudo -u '${cfg.meta.user}' "$0" "$@" - else - # In order to load config.ini - if cd /run/sourcehut/metasrht - then exec ${cfg.python}/bin/metasrht-manageuser "$@" - else cat <<EOF - Please run: sudo systemctl start metasrht - EOF - exit 1 - fi + extraConfig = { + assertions = [ + { assertion = let s = cfg.settings."meta.sr.ht::billing"; in + s.enabled == "yes" -> (s.stripe-public-key != null && s.stripe-secret-key != null); + message = "If meta.sr.ht::billing is enabled, the keys must be defined."; + } + ]; + environment.systemPackages = optional cfg.meta.enable + (pkgs.writeShellScriptBin "metasrht-manageuser" '' + set -eux + if test "$(${pkgs.coreutils}/bin/id -n -u)" != '${cfg.meta.user}' + then exec sudo -u '${cfg.meta.user}' "$0" "$@" + else + # In order to load config.ini + if cd /run/sourcehut/metasrht + then exec ${pkgs.sourcehut.metasrht}/bin/metasrht-manageuser "$@" + else cat <<EOF + Please run: sudo systemctl start metasrht + EOF + exit 1 fi - ''); - } - (mkIf cfg.nginx.enable { - services.nginx.virtualHosts."meta.${domain}" = { - locations."/query" = { - proxyPass = cfg.settings."meta.sr.ht".api-origin; - extraConfig = '' - if ($request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 
'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - add_header 'Access-Control-Max-Age' 1728000; - add_header 'Content-Type' 'text/plain; charset=utf-8'; - add_header 'Content-Length' 0; - return 204; - } - - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range'; - ''; - }; - }; - }) - ]; + fi + ''); + }; }) (import ./service.nix "pages" { @@ -1356,7 +1330,7 @@ in extraServices.todosrht-lmtp = { wants = [ "postfix.service" ]; unitConfig.JoinsNamespaceOf = optional cfg.postfix.enable "postfix.service"; - serviceConfig.ExecStart = "${cfg.python}/bin/todosrht-lmtp"; + serviceConfig.ExecStart = "${pkgs.sourcehut.todosrht}/bin/todosrht-lmtp"; # Avoid crashing: os.chown(sock, os.getuid(), sock_gid) serviceConfig.PrivateUsers = mkForce false; }; @@ -1388,6 +1362,10 @@ in dispatch is deprecated. See https://sourcehut.org/blog/2022-08-01-dispatch-deprecation-plans/ for more information. '') + + (mkRemovedOptionModule [ "services" "sourcehut" "services"] '' + This option was removed in favor of individual <service>.enable flags. + '') ]; meta.doc = ./default.md; diff --git a/nixpkgs/nixos/modules/services/misc/sourcehut/service.nix b/nixpkgs/nixos/modules/services/misc/sourcehut/service.nix index aae13e0cc2c9..18c2f5effc5a 100644 --- a/nixpkgs/nixos/modules/services/misc/sourcehut/service.nix +++ b/nixpkgs/nixos/modules/services/misc/sourcehut/service.nix @@ -108,7 +108,7 @@ let #SocketBindDeny = "any"; SystemCallFilter = [ "@system-service" - "~@aio" "~@keyring" "~@memlock" "~@privileged" "~@resources" "~@timer" + "~@aio" "~@keyring" "~@memlock" "~@privileged" "~@timer" "@chown" "@setuid" ]; SystemCallArchitectures = "native"; 
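Review bot: the service.nix `SystemCallFilter` hunk removes `"~@resources"` from the deny list, which re-allows the resource-limit and scheduling syscalls (setrlimit, setpriority and friends) for every sourcehut unit built from this shared template, and nothing in the patch says why. If a single service needs it, name that service in a comment next to the filter or move the relaxation into that service's own `serviceConfig` instead of loosening the sandbox for all of them.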
@@ -222,6 +222,23 @@ in expires 30d; ''; }; + locations."/query" = mkIf (cfg.settings.${iniKey} ? api-origin) { + proxyPass = cfg.settings.${iniKey}.api-origin; + extraConfig = '' + add_header 'Access-Control-Allow-Origin' '*'; + add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; + add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; + + if ($request_method = 'OPTIONS') { + add_header 'Access-Control-Max-Age' 1728000; + add_header 'Content-Type' 'text/plain; charset=utf-8'; + add_header 'Content-Length' 0; + return 204; + } + + add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range'; + ''; + }; } cfg.nginx.virtualHost ]; }; @@ -236,9 +253,6 @@ in }) [srvCfg.user]; }; - services.sourcehut.services = mkDefault (filter (s: cfg.${s}.enable) - [ "builds" "dispatch" "git" "hg" "hub" "lists" "man" "meta" "pages" "paste" "todo" ]); - services.sourcehut.settings = mkMerge [ { "${srv}.sr.ht".origin = mkDefault "https://${srv}.${cfg.settings."sr.ht".global-domain}"; @@ -363,6 +377,20 @@ in } extraService ])) extraServices) + + # Work around 'pq: permission denied for schema public' with postgres v15, until a + # solution for `services.postgresql.ensureUsers` is found. + # See https://github.com/NixOS/nixpkgs/issues/216989 + # Workaround taken from nixos/forgejo: https://github.com/NixOS/nixpkgs/pull/262741 + (lib.mkIf ( + cfg.postgresql.enable + && lib.strings.versionAtLeast config.services.postgresql.package.version "15.0" + ) { + postgresql.postStart = (lib.mkAfter '' + $PSQL -tAc 'ALTER DATABASE "${srvCfg.postgresql.database}" OWNER TO "${srvCfg.user}";' + ''); + } + ) ]; systemd.timers = mapAttrs (timerName: timer: diff --git a/nixpkgs/nixos/modules/services/monitoring/bosun.nix b/nixpkgs/nixos/modules/services/monitoring/bosun.nix index dc75fda6ed8a..1dc19743461b 100644 --- a/nixpkgs/nixos/modules/services/monitoring/bosun.nix 
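Review bot: the new `locations."/query"` block in service.nix breaks CORS preflight: nginx inherits `add_header` directives from the enclosing level only when the current level defines none, and the `if ($request_method = 'OPTIONS')` block defines its own (`Access-Control-Max-Age`, `Content-Type`, `Content-Length`), so the 204 preflight reply will not carry `Access-Control-Allow-Origin`, `-Methods` or `-Headers`. The meta.sr.ht block this replaces repeated those three headers inside the `if` for exactly that reason; please repeat them there again. Separately, `Access-Control-Allow-Origin '*'` is now applied to every service that sets `api-origin`, not only meta; that is acceptable for a token-authenticated API without `Access-Control-Allow-Credentials`, but worth a sentence in the commit message since it widens what was previously a per-service decision.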
+++ b/nixpkgs/nixos/modules/services/monitoring/bosun.nix @@ -108,7 +108,7 @@ in { option. A detailed description of the supported syntax can be found at-spi2-atk - http://bosun.org/configuration.html + https://bosun.org/configuration.html ''; }; diff --git a/nixpkgs/nixos/modules/services/monitoring/grafana.nix b/nixpkgs/nixos/modules/services/monitoring/grafana.nix index e90a0e9d16db..5e21407042b6 100644 --- a/nixpkgs/nixos/modules/services/monitoring/grafana.nix +++ b/nixpkgs/nixos/modules/services/monitoring/grafana.nix @@ -88,7 +88,7 @@ let # Get a submodule without any embedded metadata: _filter = x: filterAttrs (k: v: k != "_module") x; - # http://docs.grafana.org/administration/provisioning/#datasources + # https://grafana.com/docs/grafana/latest/administration/provisioning/#datasources grafanaTypes.datasourceConfig = types.submodule { freeformType = provisioningSettingsFormat.type; @@ -140,7 +140,7 @@ let }; }; - # http://docs.grafana.org/administration/provisioning/#dashboards + # https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards grafanaTypes.dashboardConfig = types.submodule { freeformType = provisioningSettingsFormat.type; diff --git a/nixpkgs/nixos/modules/services/monitoring/graphite.nix b/nixpkgs/nixos/modules/services/monitoring/graphite.nix index 65c91b8f79bb..cc3d70976204 100644 --- a/nixpkgs/nixos/modules/services/monitoring/graphite.nix +++ b/nixpkgs/nixos/modules/services/monitoring/graphite.nix @@ -102,7 +102,7 @@ in { default = ""; description = lib.mdDoc '' Graphite webapp settings. See: - <http://graphite.readthedocs.io/en/latest/config-local-settings.html> + <https://graphite.readthedocs.io/en/latest/config-local-settings.html> ''; }; }; diff --git a/nixpkgs/nixos/modules/services/monitoring/munin.nix b/nixpkgs/nixos/modules/services/monitoring/munin.nix index 90a51181ac30..5ed7cac48ae7 100644 --- a/nixpkgs/nixos/modules/services/monitoring/munin.nix +++ b/nixpkgs/nixos/modules/services/monitoring/munin.nix 
@@ -4,7 +4,7 @@ # TODO: LWP/Pg perl libs aren't recognized # TODO: support fastcgi -# http://guide.munin-monitoring.org/en/latest/example/webserver/apache-cgi.html +# https://guide.munin-monitoring.org/en/latest/example/webserver/apache-cgi.html # spawn-fcgi -s /run/munin/fastcgi-graph.sock -U www-data -u munin -g munin /usr/lib/munin/cgi/munin-cgi-graph # spawn-fcgi -s /run/munin/fastcgi-html.sock -U www-data -u munin -g munin /usr/lib/munin/cgi/munin-cgi-html # https://paste.sh/vofcctHP#-KbDSXVeWoifYncZmLfZzgum @@ -147,7 +147,7 @@ in Enable Munin Node agent. Munin node listens on 0.0.0.0 and by default accepts connections only from 127.0.0.1 for security reasons. - See <http://guide.munin-monitoring.org/en/latest/architecture/index.html>. + See <https://guide.munin-monitoring.org/en/latest/architecture/index.html>. ''; }; @@ -156,7 +156,7 @@ in type = types.lines; description = lib.mdDoc '' {file}`munin-node.conf` extra configuration. See - <http://guide.munin-monitoring.org/en/latest/reference/munin-node.conf.html> + <https://guide.munin-monitoring.org/en/latest/reference/munin-node.conf.html> ''; }; @@ -165,7 +165,7 @@ in type = types.lines; description = lib.mdDoc '' {file}`plugin-conf.d` extra plugin configuration. See - <http://guide.munin-monitoring.org/en/latest/plugin/use.html> + <https://guide.munin-monitoring.org/en/latest/plugin/use.html> ''; example = '' [fail2ban_*] @@ -273,9 +273,9 @@ in type = types.lines; description = lib.mdDoc '' {file}`munin.conf` extra global configuration. - See <http://guide.munin-monitoring.org/en/latest/reference/munin.conf.html>. + See <https://guide.munin-monitoring.org/en/latest/reference/munin.conf.html>. Useful to setup notifications, see - <http://guide.munin-monitoring.org/en/latest/tutorial/alert.html> + <https://guide.munin-monitoring.org/en/latest/tutorial/alert.html> ''; example = '' contact.email.command mail -s "Munin notification for ''${var:host}" someone@example.com 
@@ -288,7 +288,7 @@ in description = lib.mdDoc '' Definitions of hosts of nodes to collect data from. Needs at least one host for cron to succeed. See - <http://guide.munin-monitoring.org/en/latest/reference/munin.conf.html> + <https://guide.munin-monitoring.org/en/latest/reference/munin.conf.html> ''; example = literalExpression '' ''' diff --git a/nixpkgs/nixos/modules/services/monitoring/nagios.nix b/nixpkgs/nixos/modules/services/monitoring/nagios.nix index 8feff22c1182..dc5fa1be2922 100644 --- a/nixpkgs/nixos/modules/services/monitoring/nagios.nix +++ b/nixpkgs/nixos/modules/services/monitoring/nagios.nix @@ -88,7 +88,7 @@ in options = { services.nagios = { - enable = mkEnableOption (lib.mdDoc ''[Nagios](http://www.nagios.org/) to monitor your system or network.''); + enable = mkEnableOption (lib.mdDoc ''[Nagios](https://www.nagios.org/) to monitor your system or network.''); objectDefs = mkOption { description = lib.mdDoc '' diff --git a/nixpkgs/nixos/modules/services/monitoring/netdata.nix b/nixpkgs/nixos/modules/services/monitoring/netdata.nix index 3833418b5add..de0e044453ee 100644 --- a/nixpkgs/nixos/modules/services/monitoring/netdata.nix +++ b/nixpkgs/nixos/modules/services/monitoring/netdata.nix @@ -12,6 +12,7 @@ let ln -s /run/wrappers/bin/perf.plugin $out/libexec/netdata/plugins.d/perf.plugin ln -s /run/wrappers/bin/slabinfo.plugin $out/libexec/netdata/plugins.d/slabinfo.plugin ln -s /run/wrappers/bin/freeipmi.plugin $out/libexec/netdata/plugins.d/freeipmi.plugin + ln -s /run/wrappers/bin/systemd-journal.plugin $out/libexec/netdata/plugins.d/systemd-journal.plugin ''; plugins = [ 
@@ -254,7 +255,7 @@ in { # Capabilities CapabilityBoundingSet = [ "CAP_DAC_OVERRIDE" # is required for freeipmi and slabinfo plugins - "CAP_DAC_READ_SEARCH" # is required for apps plugin + "CAP_DAC_READ_SEARCH" # is required for apps and systemd-journal plugin "CAP_FOWNER" # is required for freeipmi plugin "CAP_SETPCAP" # is required for apps, perf and slabinfo plugins "CAP_SYS_ADMIN" # is required for perf plugin @@ -263,6 +264,7 @@ in { "CAP_NET_RAW" # is required for fping app "CAP_SYS_CHROOT" # is required for cgroups plugin "CAP_SETUID" # is required for cgroups and cgroups-network plugins + "CAP_SYSLOG" # is required for systemd-journal plugin ]; # Sandboxing ProtectSystem = "full"; @@ -318,6 +320,14 @@ in { permissions = "u+rx,g+x,o-rwx"; }; + "systemd-journal.plugin" = { + source = "${cfg.package}/libexec/netdata/plugins.d/systemd-journal.plugin.org"; + capabilities = "cap_dac_read_search,cap_syslog+ep"; + owner = cfg.user; + group = cfg.group; + permissions = "u+rx,g+x,o-rwx"; + }; + "slabinfo.plugin" = { source = "${cfg.package}/libexec/netdata/plugins.d/slabinfo.plugin.org"; capabilities = "cap_dac_override+ep"; diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix index 305f235054be..f89522c09864 100644 --- a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -2,8 +2,8 @@ let inherit (lib) concatStrings foldl foldl' genAttrs literalExpression maintainers - mapAttrsToList mkDefault mkEnableOption mkIf mkMerge mkOption - optional types mkOptionDefault flip attrNames; + mapAttrs mapAttrsToList mkDefault mkEnableOption mkIf mkMerge mkOption + optional types mkOptionDefault flip attrNames; cfg = config.services.prometheus.exporters; 
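Review bot: the netdata `systemd-journal.plugin` wrapper is granted `cap_dac_read_search,cap_syslog+ep`, and `CAP_DAC_READ_SEARCH` bypasses read permission checks on every file on the host, not just the journal; the `o-rwx` permissions together with `owner = cfg.user` and `group = cfg.group` are what keep that wrapper unreachable for other local users, so they must stay as written and a short comment saying so would help. Minor: the updated `CAP_DAC_READ_SEARCH` comment should read "apps and systemd-journal plugins" to match the plural used on the neighbouring lines.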
@@ -20,7 +20,7 @@ let # systemd service must be provided by specifying either # `serviceOpts.script` or `serviceOpts.serviceConfig.ExecStart` - exporterOpts = genAttrs [ + exporterOpts = (genAttrs [ "apcupsd" "artifactory" "bind" @@ -34,14 +34,15 @@ let "domain" "dovecot" "fastly" + "flow" "fritzbox" "graphite" "idrac" "imap-mailstat" "influxdb" "ipmi" - "json" "jitsi" + "json" "junos-czerwonk" "kea" "keylight" @@ -74,9 +75,9 @@ let "scaphandre" "script" "shelly" - "snmp" "smartctl" "smokeping" + "snmp" "sql" "statsd" "surfboard" @@ -88,10 +89,39 @@ let "v2ray" "varnish" "wireguard" - "flow" "zfs" - ] (name: - import (./. + "/exporters/${name}.nix") { inherit config lib pkgs options; } + ] + (name: + import (./. + "/exporters/${name}.nix") { inherit config lib pkgs options; } + )) // (mapAttrs + (name: params: + import (./. + "/exporters/${params.name}.nix") { inherit config lib pkgs options; type = params.type ; }) + { + exportarr-bazarr = { + name = "exportarr"; + type = "bazarr"; + }; + exportarr-lidarr = { + name = "exportarr"; + type = "lidarr"; + }; + exportarr-prowlarr = { + name = "exportarr"; + type = "prowlarr"; + }; + exportarr-radarr = { + name = "exportarr"; + type = "radarr"; + }; + exportarr-readarr = { + name = "exportarr"; + type = "readarr"; + }; + exportarr-sonarr = { + name = "exportarr"; + type = "sonarr"; + }; + } ); mkExporterOpts = ({ name, port }: { diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/exportarr.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/exportarr.nix new file mode 100644 index 000000000000..132209335410 --- /dev/null +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/exportarr.nix 
@@ -0,0 +1,55 @@ +{ config, lib, pkgs, options, type }: + +let + cfg = config.services.prometheus.exporters."exportarr-${type}"; + exportarrEnvironment = ( + lib.mapAttrs (_: toString) cfg.environment + ) // { + PORT = toString cfg.port; + URL = cfg.url; + API_KEY_FILE = lib.mkIf (cfg.apiKeyFile != null) "%d/api-key"; + }; +in +{ + port = 9708; + extraOpts = { + url = lib.mkOption { + type = lib.types.str; + default = "http://127.0.0.1"; + description = lib.mdDoc '' + The full URL to Sonarr, Radarr, or Lidarr. + ''; + }; + + apiKeyFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = lib.mdDoc '' + File containing the api-key. + ''; + }; + + package = lib.mkPackageOptionMD pkgs "exportarr" { }; + + environment = lib.mkOption { + type = lib.types.attrsOf lib.types.str; + default = { }; + description = lib.mdDoc '' + See [the configuration guide](https://github.com/onedr0p/exportarr#configuration) for available options. + ''; + example = { + PROWLARR__BACKFILL = true; + }; + }; + }; + serviceOpts = { + serviceConfig = { + LoadCredential = lib.optionalString (cfg.apiKeyFile != null) "api-key:${cfg.apiKeyFile}"; + ExecStart = ''${cfg.package}/bin/exportarr ${type} "$@"''; + ProcSubset = "pid"; + ProtectProc = "invisible"; + SystemCallFilter = ["@system-service" "~@privileged"]; + }; + environment = exportarrEnvironment; + }; +} diff --git a/nixpkgs/nixos/modules/services/monitoring/smartd.nix b/nixpkgs/nixos/modules/services/monitoring/smartd.nix index 1e654cad5dd2..8b79ac0e0c1e 100644 --- a/nixpkgs/nixos/modules/services/monitoring/smartd.nix +++ b/nixpkgs/nixos/modules/services/monitoring/smartd.nix @@ -19,7 +19,7 @@ let { ${pkgs.coreutils}/bin/cat << EOF From: smartd on ${host} <${nm.sender}> - To: undisclosed-recipients:; + To: ${nm.recipient} Subject: $SMARTD_SUBJECT $SMARTD_FULLMESSAGE 
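Review bot: in exportarr.nix the `environment` option is typed `attrsOf str`, but its `example` sets `PROWLARR__BACKFILL = true;`, a bool that the type would reject if a user copied the example into their config; use the string `"true"` (the `lib.mapAttrs (_: toString)` then becomes redundant but harmless). The `url` description names only Sonarr, Radarr and Lidarr while exporters.nix registers the module for bazarr, prowlarr and readarr as well. Loading the API key through `LoadCredential` and passing `%d/api-key` rather than the key itself is the right pattern; keep it.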
diff --git a/nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix b/nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix index 926c3c3bd523..866661cf4e6f 100644 --- a/nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix +++ b/nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix @@ -176,7 +176,7 @@ in description = lib.mdDoc '' Configuration of XtreemFS DIR service. WARNING: configuration is saved as plaintext inside nix store. - For more options: http://www.xtreemfs.org/xtfs-guide-1.5.1/index.html + For more options: https://www.xtreemfs.org/xtfs-guide-1.5.1/index.html ''; }; replication = { @@ -218,7 +218,7 @@ in description = lib.mdDoc '' Configuration of XtreemFS DIR replication plugin. WARNING: configuration is saved as plaintext inside nix store. - For more options: http://www.xtreemfs.org/xtfs-guide-1.5.1/index.html + For more options: https://www.xtreemfs.org/xtfs-guide-1.5.1/index.html ''; }; }; @@ -319,7 +319,7 @@ in description = lib.mdDoc '' Configuration of XtreemFS MRC service. WARNING: configuration is saved as plaintext inside nix store. - For more options: http://www.xtreemfs.org/xtfs-guide-1.5.1/index.html + For more options: https://www.xtreemfs.org/xtfs-guide-1.5.1/index.html ''; }; replication = { @@ -361,7 +361,7 @@ in description = lib.mdDoc '' Configuration of XtreemFS MRC replication plugin. WARNING: configuration is saved as plaintext inside nix store. - For more options: http://www.xtreemfs.org/xtfs-guide-1.5.1/index.html + For more options: https://www.xtreemfs.org/xtfs-guide-1.5.1/index.html ''; }; }; @@ -438,7 +438,7 @@ in description = lib.mdDoc '' Configuration of XtreemFS OSD service. WARNING: configuration is saved as plaintext inside nix store. - For more options: http://www.xtreemfs.org/xtfs-guide-1.5.1/index.html + For more options: https://www.xtreemfs.org/xtfs-guide-1.5.1/index.html ''; }; }; 
diff --git a/nixpkgs/nixos/modules/services/networking/asterisk.nix b/nixpkgs/nixos/modules/services/networking/asterisk.nix index 5a1d03f07211..279927781edc 100644 --- a/nixpkgs/nixos/modules/services/networking/asterisk.nix +++ b/nixpkgs/nixos/modules/services/networking/asterisk.nix @@ -139,7 +139,7 @@ in path. See - <http://www.asterisk.org/community/documentation> + <https://www.asterisk.org/community/documentation/> for more examples of what is possible here. ''; }; diff --git a/nixpkgs/nixos/modules/services/networking/harmonia.nix b/nixpkgs/nixos/modules/services/networking/harmonia.nix index 144fa6c708e2..4733165cf7d1 100644 --- a/nixpkgs/nixos/modules/services/networking/harmonia.nix +++ b/nixpkgs/nixos/modules/services/networking/harmonia.nix @@ -28,6 +28,8 @@ in }; config = lib.mkIf cfg.enable { + nix.settings.extra-allowed-users = [ "harmonia" ]; + systemd.services.harmonia = { description = "harmonia binary cache service"; diff --git a/nixpkgs/nixos/modules/services/networking/hostapd.nix b/nixpkgs/nixos/modules/services/networking/hostapd.nix index ffb154463053..5bd8e1d4d7a0 100644 --- a/nixpkgs/nixos/modules/services/networking/hostapd.nix +++ b/nixpkgs/nixos/modules/services/networking/hostapd.nix @@ -899,25 +899,6 @@ in { ''; }; }; - - managementFrameProtection = mkOption { - default = "required"; - type = types.enum ["disabled" "optional" "required"]; - apply = x: - getAttr x { - "disabled" = 0; - "optional" = 1; - "required" = 2; - }; - description = mdDoc '' - Management frame protection (MFP) authenticates management frames - to prevent deauthentication (or related) attacks. - - - {var}`"disabled"`: No management frame protection - - {var}`"optional"`: Use MFP if a connection allows it - - {var}`"required"`: Force MFP for all clients - ''; - }; }; config = let 
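Review bot: the hostapd hunk deletes the per-BSS `managementFrameProtection` option without a matching `mkRemovedOptionModule`, so any configuration that still sets it will fail with a generic "option does not exist" error instead of a message pointing at the hostapd `ieee80211w` setting that replaces it; please add one, and mention the removal in the release notes since the option had a security-relevant default (`"required"`).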
@@ -943,7 +924,8 @@ in { # IEEE 802.11i (authentication) related configuration # Encrypt management frames to protect against deauthentication and similar attacks - ieee80211w = bssCfg.managementFrameProtection; + ieee80211w = mkDefault 1; + sae_require_mfp = mkDefault 1; # Only allow WPA by default and disable insecure WEP auth_algs = mkDefault 1; @@ -1185,14 +1167,6 @@ in { message = ''hostapd radio ${radio} bss ${bss}: bssid must be specified manually (for now) since this radio uses multiple BSS.''; } { - assertion = auth.mode == "wpa3-sae" -> bssCfg.managementFrameProtection == 2; - message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE which requires managementFrameProtection="required"''; - } - { - assertion = auth.mode == "wpa3-sae-transition" -> bssCfg.managementFrameProtection != 0; - message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE in transition mode with WPA2-SHA256, which requires managementFrameProtection="optional" or ="required"''; - } - { assertion = countWpaPasswordDefinitions <= 1; message = ''hostapd radio ${radio} bss ${bss}: must use at most one WPA password option (wpaPassword, wpaPasswordFile, wpaPskFile)''; } diff --git a/nixpkgs/nixos/modules/services/networking/i2pd.nix b/nixpkgs/nixos/modules/services/networking/i2pd.nix index f872daf05b8f..808e7b66d36e 100644 --- a/nixpkgs/nixos/modules/services/networking/i2pd.nix +++ b/nixpkgs/nixos/modules/services/networking/i2pd.nix @@ -239,7 +239,7 @@ in enable = mkEnableOption (lib.mdDoc "I2Pd daemon") // { description = lib.mdDoc '' Enables I2Pd as a running service upon activation. - Please read http://i2pd.readthedocs.io/en/latest/ for further + Please read <https://i2pd.readthedocs.io/en/latest/> for further configuration help. ''; }; diff --git a/nixpkgs/nixos/modules/services/networking/nix-serve.nix b/nixpkgs/nixos/modules/services/networking/nix-serve.nix index f37be31270b7..8c4352bc95e8 100644 --- a/nixpkgs/nixos/modules/services/networking/nix-serve.nix 
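Review bot: the replacement `ieee80211w = mkDefault 1;` weakens the effective default: the removed option defaulted to `"required"` (value 2), while 1 means MFP is merely optional, so WPA2 clients that do not negotiate it are again exposed to the forged deauthentication frames the comment directly above this line says the setting guards against. `sae_require_mfp = mkDefault 1` keeps WPA3-SAE clients covered, which is why dropping the two SAE assertions below is fine. If 1 is intentional for compatibility with older clients, state that in the commit message and release notes; otherwise keep 2 as the default.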
+++ b/nixpkgs/nixos/modules/services/networking/nix-serve.nix @@ -67,6 +67,8 @@ in }; config = mkIf cfg.enable { + nix.settings.extra-allowed-users = [ "nix-serve" ]; + systemd.services.nix-serve = { description = "nix-serve binary cache server"; after = [ "network.target" ]; diff --git a/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix b/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix index afd721e34da5..d370e6946d7b 100644 --- a/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix +++ b/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix @@ -9,6 +9,7 @@ let stateDir = cfg.directory; driftFile = "${stateDir}/chrony.drift"; keyFile = "${stateDir}/chrony.keys"; + rtcFile = "${stateDir}/chrony.rtc"; configFile = pkgs.writeText "chrony.conf" '' ${concatMapStringsSep "\n" (server: "server " + server + " " + cfg.serverOption + optionalString (cfg.enableNTS) " nts") cfg.servers} @@ -20,8 +21,10 @@ let driftfile ${driftFile} keyfile ${keyFile} + ${optionalString (cfg.enableRTCTrimming) "rtcfile ${rtcFile}"} ${optionalString (cfg.enableNTS) "ntsdumpdir ${stateDir}"} + ${optionalString (cfg.enableRTCTrimming) "rtcautotrim ${builtins.toString cfg.autotrimThreshold}"} ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"} ${cfg.extraConfig} 
@@ -85,6 +88,33 @@ in ''; }; + enableRTCTrimming = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + Enable tracking of the RTC offset to the system clock and automatic trimming. + See also [](#opt-services.chrony.autotrimThreshold) + + ::: {.note} + This is not compatible with the `rtcsync` directive, which naively syncs the RTC time every 11 minutes. + + Tracking the RTC drift will allow more precise timekeeping, + especially on intermittently running devices, where the RTC is very relevant. + ::: + ''; + }; + + autotrimThreshold = mkOption { + type = types.ints.positive; + default = 30; + example = 10; + description = '' + Maximum estimated error threshold for the `rtcautotrim` command. + When reached, the RTC will be trimmed. + Only used when [](#opt-services.chrony.enableRTCTrimming) is enabled. + ''; + }; + enableNTS = mkOption { type = types.bool; default = false; @@ -141,7 +171,7 @@ in }; config = mkIf cfg.enable { - meta.maintainers = with lib.maintainers; [ thoughtpolice ]; + meta.maintainers = with lib.maintainers; [ thoughtpolice vifino ]; environment.systemPackages = [ chronyPkg ]; @@ -156,12 +186,19 @@ in services.timesyncd.enable = mkForce false; + # If chrony controls and tracks the RTC, writing it externally causes clock error. + systemd.services.save-hwclock = lib.mkIf cfg.enableRTCTrimming { + enable = lib.mkForce false; + }; + systemd.services.systemd-timedated.environment = { SYSTEMD_TIMEDATED_NTP_SERVICES = "chronyd.service"; }; systemd.tmpfiles.rules = [ "d ${stateDir} 0750 chrony chrony - -" "f ${driftFile} 0640 chrony chrony - -" "f ${keyFile} 0640 chrony chrony - -" + ] ++ lib.optionals cfg.enableRTCTrimming [ + "f ${rtcFile} 0640 chrony chrony - -" ]; systemd.services.chronyd = diff --git a/nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix b/nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix index 036a8df635db..2bc690cacf09 100644 --- a/nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix 
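Review bot: `autotrimThreshold` has a plain-string `description` while its sibling `enableRTCTrimming` wraps the same `[](#opt-...)` markdown link syntax in `lib.mdDoc`; wrap this one too so the cross-reference renders. Also, `enableRTCTrimming` defaults to `true` and the hunk force-disables `save-hwclock` whenever it is set, which changes behaviour for every existing chrony user, and the option text itself says it is incompatible with `rtcsync`; consider a release note plus an assertion that `cfg.extraConfig` does not contain an `rtcsync` directive.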
+++ b/nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix @@ -56,7 +56,7 @@ in The default flags prevent external hosts from using ntpd as a DDoS reflector, setting system time, and querying OS/ntpd version. As recommended in section 6.5.1.1.3, answer "No" of - http://support.ntp.org/bin/view/Support/AccessRestrictions + https://support.ntp.org/Support/AccessRestrictions ''; default = [ "limited" "kod" "nomodify" "notrap" "noquery" "nopeer" ]; }; diff --git a/nixpkgs/nixos/modules/services/networking/pleroma.nix b/nixpkgs/nixos/modules/services/networking/pleroma.nix index e9db7f3eab8e..89e64d36c8a0 100644 --- a/nixpkgs/nixos/modules/services/networking/pleroma.nix +++ b/nixpkgs/nixos/modules/services/networking/pleroma.nix @@ -146,6 +146,6 @@ in { }; }; - meta.maintainers = with lib.maintainers; [ ninjatrappeur ]; + meta.maintainers = with lib.maintainers; [ picnoir ]; meta.doc = ./pleroma.md; } diff --git a/nixpkgs/nixos/modules/services/networking/prayer.nix b/nixpkgs/nixos/modules/services/networking/prayer.nix deleted file mode 100644 index 197aa8a6f448..000000000000 --- a/nixpkgs/nixos/modules/services/networking/prayer.nix +++ /dev/null 
@@ -1,90 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - inherit (pkgs) prayer; - - cfg = config.services.prayer; - - stateDir = "/var/lib/prayer"; - - prayerUser = "prayer"; - prayerGroup = "prayer"; - - prayerExtraCfg = pkgs.writeText "extraprayer.cf" '' - prefix = "${prayer}" - var_prefix = "${stateDir}" - prayer_user = "${prayerUser}" - prayer_group = "${prayerGroup}" - sendmail_path = "/run/wrappers/bin/sendmail" - - use_http_port ${cfg.port} - - ${cfg.extraConfig} - ''; - - prayerCfg = pkgs.runCommand "prayer.cf" { preferLocalBuild = true; } '' - # We have to remove the http_port 80, or it will start a server there - cat ${prayer}/etc/prayer.cf | grep -v http_port > $out - cat ${prayerExtraCfg} >> $out - ''; - -in - -{ - - ###### interface - - options = { - - services.prayer = { - - enable = mkEnableOption (lib.mdDoc "the prayer webmail http server"); - - port = mkOption { - default = 2080; - type = types.port; - description = lib.mdDoc '' - Port the prayer http server is listening to. - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = "" ; - description = lib.mdDoc '' - Extra configuration. Contents will be added verbatim to the configuration file. - ''; - }; - }; - - }; - - - ###### implementation - - config = mkIf config.services.prayer.enable { - environment.systemPackages = [ prayer ]; - - users.users.${prayerUser} = - { uid = config.ids.uids.prayer; - description = "Prayer daemon user"; - home = stateDir; - }; - - users.groups.${prayerGroup} = - { gid = config.ids.gids.prayer; }; - - systemd.services.prayer = { - wantedBy = [ "multi-user.target" ]; - serviceConfig.Type = "forking"; - preStart = '' - mkdir -m 0755 -p ${stateDir} - chown ${prayerUser}:${prayerGroup} ${stateDir} - ''; - script = "${prayer}/sbin/prayer --config-file=${prayerCfg}"; - }; - }; -} diff --git a/nixpkgs/nixos/modules/services/networking/prosody.nix b/nixpkgs/nixos/modules/services/networking/prosody.nix index 0066c77438f4..038d574bd878 100644 
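Review bot: prayer.nix is deleted outright, so `services.prayer.*` disappears with no `mkRemovedOptionModule` anywhere in this patch; existing configurations will fail with a generic unknown-option error rather than a message saying the module was removed. Add a removed-option entry with a one-line explanation.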
--- a/nixpkgs/nixos/modules/services/networking/prosody.nix +++ b/nixpkgs/nixos/modules/services/networking/prosody.nix @@ -779,9 +779,6 @@ in admins = ${toLua cfg.admins} - -- we already build with libevent, so we can just enable it for a more performant server - use_libevent = true - modules_enabled = { ${ lib.concatStringsSep "\n " (lib.mapAttrsToList diff --git a/nixpkgs/nixos/modules/services/networking/tox-bootstrapd.nix b/nixpkgs/nixos/modules/services/networking/tox-bootstrapd.nix index 5c7e7a4c2208..0f310a28d266 100644 --- a/nixpkgs/nixos/modules/services/networking/tox-bootstrapd.nix +++ b/nixpkgs/nixos/modules/services/networking/tox-bootstrapd.nix @@ -47,7 +47,7 @@ in lib.mdDoc '' Configuration for bootstrap daemon. See <https://github.com/irungentoo/toxcore/blob/master/other/bootstrap_daemon/tox-bootstrapd.conf> - and <http://wiki.tox.im/Nodes>. + and <https://wiki.tox.chat/users/nodes>. ''; }; }; diff --git a/nixpkgs/nixos/modules/services/networking/trust-dns.nix b/nixpkgs/nixos/modules/services/networking/trust-dns.nix index 4196d124a2ab..758e33f16d38 100644 --- a/nixpkgs/nixos/modules/services/networking/trust-dns.nix +++ b/nixpkgs/nixos/modules/services/networking/trust-dns.nix @@ -54,7 +54,7 @@ in defaultText = "pkgs.trust-dns"; description = mdDoc '' Trust-dns package to use. - Only `bin/trust-dns` need be provided: the other trust-dns utilities (client and resolver) are not needed. + The package must provide `meta.mainProgram` which names the server binary; any other utilities (client, resolver) are not needed. ''; }; quiet = mkOption { @@ -135,7 +135,7 @@ in flags = (lib.optional cfg.debug "--debug") ++ (lib.optional cfg.quiet "--quiet"); flagsStr = builtins.concatStringsSep " " flags; in '' - ${cfg.package}/bin/trust-dns --config ${configFile} ${flagsStr} + ${cfg.package}/bin/${cfg.package.meta.mainProgram} --config ${configFile} ${flagsStr} ''; Type = "simple"; Restart = "on-failure"; 
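Review bot: in trust-dns.nix the new `ExecStart` path `${cfg.package}/bin/${cfg.package.meta.mainProgram}` evaluates to an unhelpful "attribute meta.mainProgram missing" error when a user supplies a package without that attribute; `lib.getExe cfg.package` performs the same lookup, fails with a clear message naming the package, and shortens the line. The option description already documents the `meta.mainProgram` requirement, which is good.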
diff --git a/nixpkgs/nixos/modules/services/networking/unifi.nix b/nixpkgs/nixos/modules/services/networking/unifi.nix index 6b6837109806..537a4db95ca7 100644 --- a/nixpkgs/nixos/modules/services/networking/unifi.nix +++ b/nixpkgs/nixos/modules/services/networking/unifi.nix 
@@ -1,60 +1,61 @@ { config, options, lib, pkgs, utils, ... }: -with lib; let cfg = config.services.unifi; stateDir = "/var/lib/unifi"; - cmd = '' - @${cfg.jrePackage}/bin/java java \ - ${optionalString (lib.versionAtLeast (lib.getVersion cfg.jrePackage) "16") - ("--add-opens java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.time=ALL-UNNAMED " - + "--add-opens java.base/sun.security.util=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED " - + "--add-opens java.rmi/sun.rmi.transport=ALL-UNNAMED")} \ - ${optionalString (cfg.initialJavaHeapSize != null) "-Xms${(toString cfg.initialJavaHeapSize)}m"} \ - ${optionalString (cfg.maximumJavaHeapSize != null) "-Xmx${(toString cfg.maximumJavaHeapSize)}m"} \ - -jar ${stateDir}/lib/ace.jar - ''; + cmd = lib.escapeShellArgs ([ "@${cfg.jrePackage}/bin/java" "java" ] + ++ lib.optionals (lib.versionAtLeast (lib.getVersion cfg.jrePackage) "16") [ + "--add-opens=java.base/java.lang=ALL-UNNAMED" + "--add-opens=java.base/java.time=ALL-UNNAMED" + "--add-opens=java.base/sun.security.util=ALL-UNNAMED" + "--add-opens=java.base/java.io=ALL-UNNAMED" + "--add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED" + ] + ++ (lib.optional (cfg.initialJavaHeapSize != null) "-Xms${(toString cfg.initialJavaHeapSize)}m") + ++ (lib.optional (cfg.maximumJavaHeapSize != null) "-Xmx${(toString cfg.maximumJavaHeapSize)}m") + ++ cfg.extraJvmOptions + ++ [ "-jar" "${stateDir}/lib/ace.jar" ]); in { options = { - services.unifi.enable = mkOption { - type = types.bool; + services.unifi.enable = lib.mkOption { + type = lib.types.bool; default = false; description = lib.mdDoc '' Whether or not to enable the unifi controller service. 
''; }; - services.unifi.jrePackage = mkOption { - type = types.package; + services.unifi.jrePackage = lib.mkOption { + type = lib.types.package; default = if (lib.versionAtLeast (lib.getVersion cfg.unifiPackage) "7.5") then pkgs.jdk17_headless else if (lib.versionAtLeast (lib.getVersion cfg.unifiPackage) "7.3") then pkgs.jdk11 else pkgs.jre8; - defaultText = literalExpression ''if (lib.versionAtLeast (lib.getVersion cfg.unifiPackage) "7.5") then pkgs.jdk17_headless else if (lib.versionAtLeast (lib.getVersion cfg.unifiPackage) "7.3" then pkgs.jdk11 else pkgs.jre8''; + defaultText = lib.literalExpression ''if (lib.versionAtLeast (lib.getVersion cfg.unifiPackage) "7.5") then pkgs.jdk17_headless else if (lib.versionAtLeast (lib.getVersion cfg.unifiPackage) "7.3" then pkgs.jdk11 else pkgs.jre8''; description = lib.mdDoc '' The JRE package to use. Check the release notes to ensure it is supported. ''; }; - services.unifi.unifiPackage = mkOption { - type = types.package; + services.unifi.unifiPackage = lib.mkOption { + type = lib.types.package; default = pkgs.unifi5; - defaultText = literalExpression "pkgs.unifi5"; + defaultText = lib.literalExpression "pkgs.unifi5"; description = lib.mdDoc '' The unifi package to use. ''; }; - services.unifi.mongodbPackage = mkOption { - type = types.package; + services.unifi.mongodbPackage = lib.mkOption { + type = lib.types.package; default = pkgs.mongodb-4_4; - defaultText = literalExpression "pkgs.mongodb"; + defaultText = lib.literalExpression "pkgs.mongodb"; description = lib.mdDoc '' The mongodb package to use. Please note: unifi7 officially only supports mongodb up until 3.6 but works with 4.4. ''; }; - services.unifi.openFirewall = mkOption { - type = types.bool; + services.unifi.openFirewall = lib.mkOption { + type = lib.types.bool; default = false; description = lib.mdDoc '' Whether or not to open the minimum required ports on the firewall. 
@@ -65,8 +66,8 @@ in ''; }; - services.unifi.initialJavaHeapSize = mkOption { - type = types.nullOr types.int; + services.unifi.initialJavaHeapSize = lib.mkOption { + type = with lib.types; nullOr int; default = null; example = 1024; description = lib.mdDoc '' @@ -75,8 +76,8 @@ in ''; }; - services.unifi.maximumJavaHeapSize = mkOption { - type = types.nullOr types.int; + services.unifi.maximumJavaHeapSize = lib.mkOption { + type = with lib.types; nullOr int; default = null; example = 4096; description = lib.mdDoc '' @@ -85,9 +86,18 @@ in ''; }; + services.unifi.extraJvmOptions = lib.mkOption { + type = with lib.types; listOf str; + default = [ ]; + example = lib.literalExpression ''["-Xlog:gc"]''; + description = lib.mdDoc '' + Set extra options to pass to the JVM. + ''; + }; + }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { users.users.unifi = { isSystemUser = true; @@ -97,7 +107,7 @@ in }; users.groups.unifi = {}; - networking.firewall = mkIf cfg.openFirewall { + networking.firewall = lib.mkIf cfg.openFirewall { # https://help.ubnt.com/hc/en-us/articles/218506997 allowedTCPPorts = [ 8080 # Port for UAP to inform controller. @@ -123,8 +133,8 @@ in serviceConfig = { Type = "simple"; - ExecStart = "${(removeSuffix "\n" cmd)} start"; - ExecStop = "${(removeSuffix "\n" cmd)} stop"; + ExecStart = "${cmd} start"; + ExecStop = "${cmd} stop"; Restart = "on-failure"; TimeoutSec = "5min"; User = "unifi"; @@ -166,7 +176,7 @@ in StateDirectory = "unifi"; RuntimeDirectory = "unifi"; LogsDirectory = "unifi"; - CacheDirectory= "unifi"; + CacheDirectory = "unifi"; TemporaryFileSystem = [ # required as we want to create bind mounts below 
@@ -176,7 +186,7 @@ in # We must create the binary directories as bind mounts instead of symlinks # This is because the controller resolves all symlinks to absolute paths # to be used as the working directory. - BindPaths = [ + BindPaths = [ "/var/log/unifi:${stateDir}/logs" "/run/unifi:${stateDir}/run" "${cfg.unifiPackage}/dl:${stateDir}/dl" @@ -194,7 +204,7 @@ in }; imports = [ - (mkRemovedOptionModule [ "services" "unifi" "dataDir" ] "You should move contents of dataDir to /var/lib/unifi/data" ) - (mkRenamedOptionModule [ "services" "unifi" "openPorts" ] [ "services" "unifi" "openFirewall" ]) + (lib.mkRemovedOptionModule [ "services" "unifi" "dataDir" ] "You should move contents of dataDir to /var/lib/unifi/data") + (lib.mkRenamedOptionModule [ "services" "unifi" "openPorts" ] [ "services" "unifi" "openFirewall" ]) ]; } diff --git a/nixpkgs/nixos/modules/services/networking/wireguard.nix b/nixpkgs/nixos/modules/services/networking/wireguard.nix index d4099be12a27..d36be87daf60 100644 --- a/nixpkgs/nixos/modules/services/networking/wireguard.nix +++ b/nixpkgs/nixos/modules/services/networking/wireguard.nix @@ -586,6 +586,7 @@ in }) all_peers; boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard; + boot.kernelModules = [ "wireguard" ]; environment.systemPackages = [ pkgs.wireguard-tools ]; systemd.services = diff --git a/nixpkgs/nixos/modules/services/printing/cupsd.nix b/nixpkgs/nixos/modules/services/printing/cupsd.nix index 279b26bb8957..3a2744303474 100644 --- a/nixpkgs/nixos/modules/services/printing/cupsd.nix +++ b/nixpkgs/nixos/modules/services/printing/cupsd.nix 
@@ -108,6 +108,12 @@ let containsGutenprint = pkgs: length (filterGutenprint pkgs) > 0; getGutenprint = pkgs: head (filterGutenprint pkgs); + parsePorts = addresses: let + splitAddress = addr: strings.splitString ":" addr; + extractPort = addr: builtins.foldl' (a: b: b) "" (splitAddress addr); + in + builtins.map (address: strings.toInt (extractPort address)) addresses; + in { @@ -172,6 +178,15 @@ in ''; }; + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Whether to open the firewall for TCP/UDP ports specified in + listenAdrresses option. + ''; + }; + bindirCmds = mkOption { type = types.lines; internal = true; @@ -463,6 +478,13 @@ in security.pam.services.cups = {}; + networking.firewall = let + listenPorts = parsePorts cfg.listenAddresses; + in mkIf cfg.openFirewall { + allowedTCPPorts = listenPorts; + allowedUDPPorts = listenPorts; + }; + }; meta.maintainers = with lib.maintainers; [ matthewbauer ]; diff --git a/nixpkgs/nixos/modules/services/torrent/flexget.nix b/nixpkgs/nixos/modules/services/torrent/flexget.nix index 5cd7ae6ad7db..58a4b7001497 100644 --- a/nixpkgs/nixos/modules/services/torrent/flexget.nix +++ b/nixpkgs/nixos/modules/services/torrent/flexget.nix @@ -64,7 +64,6 @@ in { path = [ pkg ]; serviceConfig = { User = cfg.user; - Environment = "TZ=${config.time.timeZone}"; ExecStartPre = "${pkgs.coreutils}/bin/install -m644 ${ymlFile} ${configFile}"; ExecStart = "${pkg}/bin/flexget -c ${configFile} daemon start"; ExecStop = "${pkg}/bin/flexget -c ${configFile} daemon stop"; diff --git a/nixpkgs/nixos/modules/services/torrent/transmission.nix b/nixpkgs/nixos/modules/services/torrent/transmission.nix index b98cb5283a1a..5efb9334ea03 100644 --- a/nixpkgs/nixos/modules/services/torrent/transmission.nix +++ b/nixpkgs/nixos/modules/services/torrent/transmission.nix 
@@ -148,7 +148,7 @@ in type = types.bool; default = true; description = lib.mdDoc '' - Whether to enable [Micro Transport Protocol (µTP)](http://en.wikipedia.org/wiki/Micro_Transport_Protocol). + Whether to enable [Micro Transport Protocol (µTP)](https://en.wikipedia.org/wiki/Micro_Transport_Protocol). ''; }; options.watch-dir = mkOption { diff --git a/nixpkgs/nixos/modules/services/video/unifi-video.nix b/nixpkgs/nixos/modules/services/video/unifi-video.nix index cb438a08150f..5c93f60cbd79 100644 --- a/nixpkgs/nixos/modules/services/video/unifi-video.nix +++ b/nixpkgs/nixos/modules/services/video/unifi-video.nix @@ -32,7 +32,7 @@ let name = "mongo.conf"; executable = false; text = '' - # for documentation of all options, see http://docs.mongodb.org/manual/reference/configuration-options/ + # for documentation of all options, see https://www.mongodb.com/docs/manual/reference/configuration-options/ storage: dbPath: ${cfg.dataDir}/db @@ -63,7 +63,7 @@ let executable = false; text = '' # for documentation of all options, see: - # http://docs.mongodb.org/manual/reference/configuration-options/ + # https://www.mongodb.com/docs/manual/reference/configuration-options/ storage: dbPath: ${cfg.dataDir}/db-wt diff --git a/nixpkgs/nixos/modules/services/web-apps/akkoma.nix b/nixpkgs/nixos/modules/services/web-apps/akkoma.nix index 5f9bbbd66374..8a8ed49115fd 100644 --- a/nixpkgs/nixos/modules/services/web-apps/akkoma.nix +++ b/nixpkgs/nixos/modules/services/web-apps/akkoma.nix @@ -909,7 +909,7 @@ in { }; config = mkIf cfg.enable { - warnings = optionals (!config.security.sudo.enable) ['' + warnings = optionals (with config.security; (!sudo.enable) && (!sudo-rs.enable)) ['' The pleroma_ctl wrapper enabled by the installWrapper option relies on sudo, which appears to have been disabled through security.sudo.enable. '']; diff --git a/nixpkgs/nixos/modules/services/web-apps/discourse.nix b/nixpkgs/nixos/modules/services/web-apps/discourse.nix index f80eb6b4c7f0..da1dba7d940b 100644 
--- a/nixpkgs/nixos/modules/services/web-apps/discourse.nix +++ b/nixpkgs/nixos/modules/services/web-apps/discourse.nix @@ -407,7 +407,7 @@ in type = with lib.types; nullOr (enum ["plain" "login" "cram_md5"]); default = null; description = lib.mdDoc '' - Authentication type to use, see http://api.rubyonrails.org/classes/ActionMailer/Base.html + Authentication type to use, see https://api.rubyonrails.org/classes/ActionMailer/Base.html ''; }; @@ -423,7 +423,7 @@ in type = lib.types.str; default = "peer"; description = lib.mdDoc '' - How OpenSSL checks the certificate, see http://api.rubyonrails.org/classes/ActionMailer/Base.html + How OpenSSL checks the certificate, see https://api.rubyonrails.org/classes/ActionMailer/Base.html ''; }; diff --git a/nixpkgs/nixos/modules/services/web-apps/mastodon.nix b/nixpkgs/nixos/modules/services/web-apps/mastodon.nix index 2aab97438b7d..d861f9e251be 100644 --- a/nixpkgs/nixos/modules/services/web-apps/mastodon.nix +++ b/nixpkgs/nixos/modules/services/web-apps/mastodon.nix @@ -17,9 +17,6 @@ let WEB_CONCURRENCY = toString cfg.webProcesses; MAX_THREADS = toString cfg.webThreads; - # mastodon-streaming concurrency. - STREAMING_CLUSTER_NUM = toString cfg.streamingProcesses; - DB_USER = cfg.database.user; REDIS_HOST = cfg.redis.host; 
@@ -33,13 +30,15 @@ let PAPERCLIP_ROOT_PATH = "/var/lib/mastodon/public-system"; PAPERCLIP_ROOT_URL = "/system"; ES_ENABLED = if (cfg.elasticsearch.host != null) then "true" else "false"; - ES_HOST = cfg.elasticsearch.host; - ES_PORT = toString(cfg.elasticsearch.port); TRUSTED_PROXY_IP = cfg.trustedProxy; } // lib.optionalAttrs (cfg.database.host != "/run/postgresql" && cfg.database.port != null) { DB_PORT = toString cfg.database.port; } // lib.optionalAttrs cfg.smtp.authenticate { SMTP_LOGIN = cfg.smtp.user; } + // lib.optionalAttrs (cfg.elasticsearch.host != null) { ES_HOST = cfg.elasticsearch.host; } + // lib.optionalAttrs (cfg.elasticsearch.host != null) { ES_PORT = toString(cfg.elasticsearch.port); } + // lib.optionalAttrs (cfg.elasticsearch.host != null) { ES_PRESET = cfg.elasticsearch.preset; } + // lib.optionalAttrs (cfg.elasticsearch.user != null) { ES_USER = cfg.elasticsearch.user; } // cfg.extraConfig; systemCallsList = [ "@cpu-emulation" "@debug" "@keyring" "@ipc" "@mount" "@obsolete" "@privileged" "@setuid" ]; 
@@ -141,8 +140,44 @@ let }) ) cfg.sidekiqProcesses; + streamingUnits = builtins.listToAttrs + (map (i: { + name = "mastodon-streaming-${toString i}"; + value = { + after = [ "network.target" "mastodon-init-dirs.service" ] + ++ lib.optional databaseActuallyCreateLocally "postgresql.service" + ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service"; + requires = [ "mastodon-init-dirs.service" ] + ++ lib.optional databaseActuallyCreateLocally "postgresql.service" + ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service"; + wantedBy = [ "mastodon.target" "mastodon-streaming.target" ]; + description = "Mastodon streaming ${toString i}"; + environment = env // { SOCKET = "/run/mastodon-streaming/streaming-${toString i}.socket"; }; + serviceConfig = { + ExecStart = "${cfg.package}/run-streaming.sh"; + Restart = "always"; + RestartSec = 20; + EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ] ++ cfg.extraEnvFiles; + WorkingDirectory = cfg.package; + # Runtime directory and mode + RuntimeDirectory = "mastodon-streaming"; + RuntimeDirectoryMode = "0750"; + # System Call Filtering + SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@memlock" "@resources" ])) "pipe" "pipe2" ]; + } // cfgService; + }; + }) + (lib.range 1 cfg.streamingProcesses)); + in { + imports = [ + (lib.mkRemovedOptionModule + [ "services" "mastodon" "streamingPort" ] + "Mastodon currently doesn't support streaming via TCP ports. Please open a PR if you need this." + ) + ]; + options = { services.mastodon = { enable = lib.mkEnableOption (lib.mdDoc "Mastodon, a federated social network server"); 
@@ -191,18 +226,13 @@ in { default = "mastodon"; }; - streamingPort = lib.mkOption { - description = lib.mdDoc "TCP port used by the mastodon-streaming service."; - type = lib.types.port; - default = 55000; - }; streamingProcesses = lib.mkOption { description = lib.mdDoc '' - Processes used by the mastodon-streaming service. - Defaults to the number of CPU cores minus one. + Number of processes used by the mastodon-streaming service. + Recommended is the amount of your CPU cores minus one. ''; - type = lib.types.nullOr lib.types.int; - default = null; + type = lib.types.ints.positive; + example = 3; }; webPort = lib.mkOption { @@ -485,6 +515,31 @@ in { type = lib.types.port; default = 9200; }; + + preset = lib.mkOption { + description = lib.mdDoc '' + It controls the ElasticSearch indices configuration (number of shards and replica). + ''; + type = lib.types.enum [ "single_node_cluster" "small_cluster" "large_cluster" ]; + default = "single_node_cluster"; + example = "large_cluster"; + }; + + user = lib.mkOption { + description = lib.mdDoc "Used for optionally authenticating with Elasticsearch."; + type = lib.types.nullOr lib.types.str; + default = null; + example = "elasticsearch-mastodon"; + }; + + passwordFile = lib.mkOption { + description = lib.mdDoc '' + Path to file containing password for optionally authenticating with Elasticsearch. + ''; + type = lib.types.nullOr lib.types.path; + default = null; + example = "/var/lib/mastodon/secrets/elasticsearch-password"; + }; }; package = lib.mkOption { @@ -603,6 +658,12 @@ in { after = [ "network.target" ]; }; + systemd.targets.mastodon-streaming = { + description = "Target for all Mastodon streaming services"; + wantedBy = [ "multi-user.target" "mastodon.target" ]; + after = [ "network.target" ]; + }; + systemd.services.mastodon-init-dirs = { script = '' umask 077 
@@ -631,6 +692,8 @@ in { DB_PASS="$(cat ${cfg.database.passwordFile})" '' + lib.optionalString cfg.smtp.authenticate '' SMTP_PASSWORD="$(cat ${cfg.smtp.passwordFile})" + '' + lib.optionalString (cfg.elasticsearch.passwordFile != null) '' + ES_PASS="$(cat ${cfg.elasticsearch.passwordFile})" '' + '' EOF ''; @@ -688,33 +751,6 @@ in { ++ lib.optional databaseActuallyCreateLocally "postgresql.service"; }; - systemd.services.mastodon-streaming = { - after = [ "network.target" "mastodon-init-dirs.service" ] - ++ lib.optional databaseActuallyCreateLocally "postgresql.service" - ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service"; - requires = [ "mastodon-init-dirs.service" ] - ++ lib.optional databaseActuallyCreateLocally "postgresql.service" - ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service"; - wantedBy = [ "mastodon.target" ]; - description = "Mastodon streaming"; - environment = env // (if cfg.enableUnixSocket - then { SOCKET = "/run/mastodon-streaming/streaming.socket"; } - else { PORT = toString(cfg.streamingPort); } - ); - serviceConfig = { - ExecStart = "${cfg.package}/run-streaming.sh"; - Restart = "always"; - RestartSec = 20; - EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ] ++ cfg.extraEnvFiles; - WorkingDirectory = cfg.package; - # Runtime directory and mode - RuntimeDirectory = "mastodon-streaming"; - RuntimeDirectoryMode = "0750"; - # System Call Filtering - SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@memlock" "@resources" ])) "pipe" "pipe2" ]; - } // cfgService; - }; - systemd.services.mastodon-web = { after = [ "network.target" "mastodon-init-dirs.service" ] ++ lib.optional databaseActuallyCreateLocally "postgresql.service" 
@@ -780,10 +816,20 @@ in { }; locations."/api/v1/streaming/" = { - proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-streaming/streaming.socket" else "http://127.0.0.1:${toString(cfg.streamingPort)}/"); + proxyPass = "http://mastodon-streaming"; proxyWebsockets = true; }; }; + upstreams.mastodon-streaming = { + extraConfig = '' + least_conn; + ''; + servers = builtins.listToAttrs + (map (i: { + name = "unix:/run/mastodon-streaming/streaming-${toString i}.socket"; + value = { }; + }) (lib.range 1 cfg.streamingProcesses)); + }; }; services.postfix = lib.mkIf (cfg.smtp.createLocally && cfg.smtp.host == "127.0.0.1") { @@ -819,7 +865,7 @@ in { users.groups.${cfg.group}.members = lib.optional cfg.configureNginx config.services.nginx.user; } - { systemd.services = sidekiqUnits; } + { systemd.services = lib.mkMerge [ sidekiqUnits streamingUnits ]; } ]); meta.maintainers = with lib.maintainers; [ happy-river erictapen ]; diff --git a/nixpkgs/nixos/modules/services/web-apps/mediawiki.nix b/nixpkgs/nixos/modules/services/web-apps/mediawiki.nix index c5fb03766899..8b494b7c1208 100644 --- a/nixpkgs/nixos/modules/services/web-apps/mediawiki.nix +++ b/nixpkgs/nixos/modules/services/web-apps/mediawiki.nix @@ -493,6 +493,8 @@ in services.phpfpm.pools.mediawiki = { inherit user group; phpEnv.MEDIAWIKI_CONFIG = "${mediawikiConfig}"; + # https://www.mediawiki.org/wiki/Compatibility + phpPackage = pkgs.php81; settings = (if (cfg.webserver == "apache") then { "listen.owner" = config.services.httpd.user; "listen.group" = config.services.httpd.group; 
@@ -552,24 +554,20 @@ in deny all; ''; # MediaWiki assets (usually images) - "~ ^/w/resources/(assets|lib|src)" = { - tryFiles = "$uri =404"; - extraConfig = '' - add_header Cache-Control "public"; - expires 7d; - ''; - }; + "~ ^/w/resources/(assets|lib|src)".extraConfig = '' + rewrite ^/w(/.*) $1 break; + add_header Cache-Control "public"; + expires 7d; + ''; # Assets, scripts and styles from skins and extensions - "~ ^/w/(skins|extensions)/.+\\.(css|js|gif|jpg|jpeg|png|svg|wasm|ttf|woff|woff2)$" = { - tryFiles = "$uri =404"; - extraConfig = '' - add_header Cache-Control "public"; - expires 7d; - ''; - }; + "~ ^/w/(skins|extensions)/.+\\.(css|js|gif|jpg|jpeg|png|svg|wasm|ttf|woff|woff2)$".extraConfig = '' + rewrite ^/w(/.*) $1 break; + add_header Cache-Control "public"; + expires 7d; + ''; # Handling for Mediawiki REST API, see [[mw:API:REST_API]] - "/w/rest.php".tryFiles = "$uri $uri/ /rest.php?$query_string"; + "/w/rest.php/".tryFiles = "$uri $uri/ /w/rest.php?$query_string"; # Handling for the article path (pretty URLs) "/wiki/".extraConfig = '' diff --git a/nixpkgs/nixos/modules/services/web-apps/nextcloud.md b/nixpkgs/nixos/modules/services/web-apps/nextcloud.md index a25bed30e47f..ecc7f380592a 100644 --- a/nixpkgs/nixos/modules/services/web-apps/nextcloud.md +++ b/nixpkgs/nixos/modules/services/web-apps/nextcloud.md @@ -49,7 +49,7 @@ used by the imperative installer and all values are written to an additional fil to ensure that changes can be applied by changing the module's options. In case the application serves multiple domains (those are checked with -[`$_SERVER['HTTP_HOST']`](http://php.net/manual/en/reserved.variables.server.php)) +[`$_SERVER['HTTP_HOST']`](https://www.php.net/manual/en/reserved.variables.server.php)) it's needed to add them to [`services.nextcloud.config.extraTrustedDomains`](#opt-services.nextcloud.config.extraTrustedDomains). 
diff --git a/nixpkgs/nixos/modules/services/web-apps/plausible.nix b/nixpkgs/nixos/modules/services/web-apps/plausible.nix index 576b54a7edf2..300a0f892ef7 100644 --- a/nixpkgs/nixos/modules/services/web-apps/plausible.nix +++ b/nixpkgs/nixos/modules/services/web-apps/plausible.nix @@ -11,13 +11,6 @@ in { package = mkPackageOptionMD pkgs "plausible" { }; - releaseCookiePath = mkOption { - type = with types; either str path; - description = lib.mdDoc '' - The path to the file with release cookie. (used for remote connection to the running node). - ''; - }; - adminUser = { name = mkOption { default = "admin"; @@ -92,6 +85,13 @@ in { framework docs](https://hexdocs.pm/phoenix/Mix.Tasks.Phx.Gen.Secret.html#content). ''; }; + listenAddress = mkOption { + default = "127.0.0.1"; + type = types.str; + description = lib.mdDoc '' + The IP address on which the server is listening. + ''; + }; port = mkOption { default = 8000; type = types.port; @@ -162,6 +162,10 @@ in { }; }; + imports = [ + (mkRemovedOptionModule [ "services" "plausible" "releaseCookiePath" ] "Plausible uses no distributed Erlang features, so this option is no longer necessary and was removed") + ]; + config = mkIf cfg.enable { assertions = [ { assertion = cfg.adminUser.activate -> cfg.database.postgres.setup; @@ -180,8 +184,6 @@ in { enable = true; }; - services.epmd.enable = true; - environment.systemPackages = [ cfg.package ]; systemd.services = mkMerge [ 
@@ -209,6 +211,32 @@ in { # Configuration options from # https://plausible.io/docs/self-hosting-configuration PORT = toString cfg.server.port; + LISTEN_IP = cfg.server.listenAddress; + + # Note [plausible-needs-no-erlang-distributed-features]: + # Plausible does not use, and does not plan to use, any of + # Erlang's distributed features, see: + # https://github.com/plausible/analytics/pull/1190#issuecomment-1018820934 + # Thus, disable distribution for improved simplicity and security: + # + # When distribution is enabled, + # Elixir spwans the Erlang VM, which will listen by default on all + # interfaces for messages between Erlang nodes (capable of + # remote code execution); it can be protected by a cookie; see + # https://erlang.org/doc/reference_manual/distributed.html#security). + # + # It would be possible to restrict the interface to one of our choice + # (e.g. localhost or a VPN IP) similar to how we do it with `listenAddress` + # for the Plausible web server; if distribution is ever needed in the future, + # https://github.com/NixOS/nixpkgs/pull/130297 shows how to do it. + # + # But since Plausible does not use this feature in any way, + # we just disable it. + RELEASE_DISTRIBUTION = "none"; + # Additional safeguard, in case `RELEASE_DISTRIBUTION=none` ever + # stops disabling the start of EPMD. + ERL_EPMD_ADDRESS = "127.0.0.1"; + DISABLE_REGISTRATION = if isBool cfg.server.disableRegistration then boolToString cfg.server.disableRegistration else cfg.server.disableRegistration; RELEASE_TMP = "/var/lib/plausible/tmp"; 
@@ -238,7 +266,10 @@ in { path = [ cfg.package ] ++ optional cfg.database.postgres.setup config.services.postgresql.package; script = '' - export RELEASE_COOKIE="$(< $CREDENTIALS_DIRECTORY/RELEASE_COOKIE )" + # Elixir does not start up if `RELEASE_COOKIE` is not set, + # even though we set `RELEASE_DISTRIBUTION=none` so the cookie should be unused. + # Thus, make a random one, which should then be ignored. + export RELEASE_COOKIE=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 20) export ADMIN_USER_PWD="$(< $CREDENTIALS_DIRECTORY/ADMIN_USER_PWD )" export SECRET_KEY_BASE="$(< $CREDENTIALS_DIRECTORY/SECRET_KEY_BASE )" @@ -265,7 +296,6 @@ in { LoadCredential = [ "ADMIN_USER_PWD:${cfg.adminUser.passwordFile}" "SECRET_KEY_BASE:${cfg.server.secretKeybaseFile}" - "RELEASE_COOKIE:${cfg.releaseCookiePath}" ] ++ lib.optionals (cfg.mail.smtp.passwordFile != null) [ "SMTP_USER_PWD:${cfg.mail.smtp.passwordFile}"]; }; }; diff --git a/nixpkgs/nixos/modules/services/web-apps/tt-rss.nix b/nixpkgs/nixos/modules/services/web-apps/tt-rss.nix index 592ab253f7da..7b2e3be4295e 100644 --- a/nixpkgs/nixos/modules/services/web-apps/tt-rss.nix +++ b/nixpkgs/nixos/modules/services/web-apps/tt-rss.nix @@ -430,7 +430,7 @@ let background processes while not running tt-rss, this method is generally viable to keep your feeds up to date. Still, there are more robust (and recommended) updating methods - available, you can read about them here: http://tt-rss.org/wiki/UpdatingFeeds + available, you can read about them here: <https://tt-rss.org/wiki/UpdatingFeeds> ''; }; diff --git a/nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix b/nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix index 729a633a36cc..eaa113c0d52c 100644 --- a/nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix +++ b/nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix 
@@ -10,7 +10,7 @@ let # List of known lighttpd modules, ordered by how the lighttpd documentation # recommends them being imported: - # http://redmine.lighttpd.net/projects/1/wiki/Server_modulesDetails + # https://redmine.lighttpd.net/projects/1/wiki/Server_modulesDetails # # Some modules are always imported and should not appear in the config: # disallowedModules = [ "mod_indexfile" "mod_dirlisting" "mod_staticfile" ]; @@ -84,8 +84,8 @@ let # server.modules += () entries in each sub-service extraConfig snippet, # read this: # - # http://redmine.lighttpd.net/projects/1/wiki/Server_modulesDetails - # http://redmine.lighttpd.net/issues/2337 + # https://redmine.lighttpd.net/projects/1/wiki/Server_modulesDetails + # https://redmine.lighttpd.net/issues/2337 # # Basically, lighttpd doesn't want to load (or even silently ignore) a # module for a second time, and there is no way to check if a module has diff --git a/nixpkgs/nixos/modules/services/web-servers/mighttpd2.nix b/nixpkgs/nixos/modules/services/web-servers/mighttpd2.nix index 2d887af87c79..bdd6d8b62aa3 100644 --- a/nixpkgs/nixos/modules/services/web-servers/mighttpd2.nix +++ b/nixpkgs/nixos/modules/services/web-servers/mighttpd2.nix @@ -44,7 +44,7 @@ in { type = types.lines; description = lib.mdDoc '' Verbatim config file to use - (see http://www.mew.org/~kazu/proj/mighttpd/en/config.html) + (see https://kazu-yamamoto.github.io/mighttpd2/config.html) ''; }; @@ -78,7 +78,7 @@ in { type = types.lines; description = lib.mdDoc '' Verbatim routing file to use - (see http://www.mew.org/~kazu/proj/mighttpd/en/config.html) + (see https://kazu-yamamoto.github.io/mighttpd2/config.html) ''; }; diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix index f2e8585a9365..cf70dc325945 100644 --- a/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix 
@@ -955,7 +955,7 @@ in default = {}; description = lib.mdDoc '' Configure a proxy cache path entry. - See <http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_path> for documentation. + See <https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_path> for documentation. ''; }; diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix index d4b2a50cb8af..28dd408c923c 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -63,7 +63,7 @@ in # make available for D-BUS user services #export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}:${config.system.path}/share:${e.efl}/share - # Update user dirs as described in http://freedesktop.org/wiki/Software/xdg-user-dirs/ + # Update user dirs as described in https://freedesktop.org/wiki/Software/xdg-user-dirs/ ${pkgs.xdg-user-dirs}/bin/xdg-user-dirs-update fi ''; diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix index 8b5daf83de1d..12bdd9333377 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix @@ -455,7 +455,7 @@ in pkgs.glib # for gsettings program pkgs.gnome-menus pkgs.gtk3.out # for gtk-launch program - pkgs.xdg-user-dirs # Update user dirs as described in http://freedesktop.org/wiki/Software/xdg-user-dirs/ + pkgs.xdg-user-dirs # Update user dirs as described in https://freedesktop.org/wiki/Software/xdg-user-dirs/ ]; in mandatoryPackages diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix index eef7aa14057e..d82d19b26cda 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix 
+++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix @@ -201,7 +201,7 @@ in onboard orca # elementary/greeter#668 sound-theme-freedesktop - xdg-user-dirs # Update user dirs as described in http://freedesktop.org/wiki/Software/xdg-user-dirs/ + xdg-user-dirs # Update user dirs as described in https://freedesktop.org/wiki/Software/xdg-user-dirs/ ]) ++ (with pkgs.pantheon; [ # Artwork elementary-gtk-theme diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix index fc3287045710..361dbe879a18 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -29,7 +29,7 @@ let libsForQt5 = pkgs.plasma5Packages; inherit (libsForQt5) kdeGear kdeFrameworks plasma5; inherit (lib) - getBin optionalString literalExpression + getBin optionalAttrs optionalString literalExpression mkRemovedOptionModule mkRenamedOptionModule mkDefault mkIf mkMerge mkOption mkPackageOptionMD types; @@ -178,7 +178,7 @@ in capabilities = "cap_sys_nice+ep"; source = "${getBin plasma5.kwin}/bin/kwin_wayland"; }; - } // mkIf (!cfg.runUsingSystemd) { + } // optionalAttrs (!cfg.runUsingSystemd) { start_kdeinit = { setuid = true; owner = "root"; diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/default.nix b/nixpkgs/nixos/modules/services/x11/display-managers/default.nix index 1f08ded7c96f..16a7ff1a4bd5 100644 --- a/nixpkgs/nixos/modules/services/x11/display-managers/default.nix +++ b/nixpkgs/nixos/modules/services/x11/display-managers/default.nix @@ -96,7 +96,7 @@ let )} # Speed up application start by 50-150ms according to - # http://kdemonkey.blogspot.nl/2008/04/magic-trick.html + # https://kdemonkey.blogspot.com/2008/04/magic-trick.html compose_cache="''${XCOMPOSECACHE:-$HOME/.compose-cache}" mkdir -p "$compose_cache" # To avoid accidentally deleting a wrongly set up XCOMPOSECACHE directory, 
diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/xpra.nix b/nixpkgs/nixos/modules/services/x11/display-managers/xpra.nix index cb78f52d9b68..0861530f21e8 100644 --- a/nixpkgs/nixos/modules/services/x11/display-managers/xpra.nix +++ b/nixpkgs/nixos/modules/services/x11/display-managers/xpra.nix @@ -60,11 +60,11 @@ in VertRefresh 1.0 - 200.0 #To add your own modes here, use a modeline calculator, like: # cvt: - # http://www.x.org/archive/X11R7.5/doc/man/man1/cvt.1.html + # https://www.x.org/archive/X11R7.5/doc/man/man1/cvt.1.html # xtiming: - # http://xtiming.sourceforge.net/cgi-bin/xtiming.pl + # https://xtiming.sourceforge.net/cgi-bin/xtiming.pl # gtf: - # http://gtf.sourceforge.net/ + # https://gtf.sourceforge.net/ #This can be used to get a specific DPI, but only for the default resolution: #DisplaySize 508 317 #NOTE: the highest modes will not work without increasing the VideoRam diff --git a/nixpkgs/nixos/modules/services/x11/imwheel.nix b/nixpkgs/nixos/modules/services/x11/imwheel.nix index 133e64c65cdd..bd2bcb7bcd06 100644 --- a/nixpkgs/nixos/modules/services/x11/imwheel.nix +++ b/nixpkgs/nixos/modules/services/x11/imwheel.nix @@ -37,7 +37,7 @@ in Window class translation rules. /etc/X11/imwheelrc is generated based on this config which means this config is global for all users. - See [official man pages](http://imwheel.sourceforge.net/imwheel.1.html) + See [official man pages](https://imwheel.sourceforge.net/imwheel.1.html) for more information. ''; }; diff --git a/nixpkgs/nixos/modules/system/boot/initrd-ssh.nix b/nixpkgs/nixos/modules/system/boot/initrd-ssh.nix index 3df14030ab68..a8cd2e8f05fc 100644 --- a/nixpkgs/nixos/modules/system/boot/initrd-ssh.nix +++ b/nixpkgs/nixos/modules/system/boot/initrd-ssh.nix 
@@ -166,7 +166,7 @@ in } ]; - warnings = lib.optional (config.boot.initrd.systemd.enable -> cfg.shell != null) '' + warnings = lib.optional (config.boot.initrd.systemd.enable && cfg.shell != null) '' Please set 'boot.initrd.systemd.users.root.shell' instead of 'boot.initrd.network.ssh.shell' ''; diff --git a/nixpkgs/nixos/modules/system/boot/kernel.nix b/nixpkgs/nixos/modules/system/boot/kernel.nix index 6b07686efcba..a46331ccd431 100644 --- a/nixpkgs/nixos/modules/system/boot/kernel.nix +++ b/nixpkgs/nixos/modules/system/boot/kernel.nix @@ -96,8 +96,8 @@ in # (required, but can be null if only config changes # are needed) - extraStructuredConfig = { # attrset of extra configuration parameters - FOO = lib.kernel.yes; # (without the CONFIG_ prefix, optional) + extraStructuredConfig = { # attrset of extra configuration parameters without the CONFIG_ prefix + FOO = lib.kernel.yes; # (optional) }; # values should generally be lib.kernel.yes, # lib.kernel.no or lib.kernel.module @@ -105,8 +105,9 @@ in foo = true; # (may be checked by other NixOS modules, optional) }; - extraConfig = "CONFIG_FOO y"; # extra configuration options in string form - # (deprecated, use extraStructuredConfig instead, optional) + extraConfig = "FOO y"; # extra configuration options in string form without the CONFIG_ prefix + # (optional, multiple lines allowed to specify multiple options) + # (deprecated, use extraStructuredConfig instead) } ``` diff --git a/nixpkgs/nixos/modules/system/boot/loader/generic-extlinux-compatible/default.nix b/nixpkgs/nixos/modules/system/boot/loader/generic-extlinux-compatible/default.nix index 5ef3c5cd52a8..13df60907116 100644 --- a/nixpkgs/nixos/modules/system/boot/loader/generic-extlinux-compatible/default.nix +++ b/nixpkgs/nixos/modules/system/boot/loader/generic-extlinux-compatible/default.nix 
@@ -25,7 +25,7 @@ in under `/boot/extlinux.conf`. For instance, U-Boot's generic distro boot support uses this file format. - See [U-boot's documentation](http://git.denx.de/?p=u-boot.git;a=blob;f=doc/README.distro;hb=refs/heads/master) + See [U-boot's documentation](https://u-boot.readthedocs.io/en/latest/develop/distro.html) for more information. ''; }; diff --git a/nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix b/nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix index 468f701ae5bc..7097e1d83dca 100644 --- a/nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix @@ -339,7 +339,7 @@ in See the [ GRUB source code - ](http://git.savannah.gnu.org/cgit/grub.git/tree/grub-core/commands/nativedisk.c?h=grub-2.04#n326) + ](https://git.savannah.gnu.org/cgit/grub.git/tree/grub-core/commands/nativedisk.c?h=grub-2.04#n326) for which disk modules are available. The list elements are passed directly as `argv` diff --git a/nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py b/nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py index 310584e398bc..96b42066b223 100644 --- a/nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py +++ b/nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py @@ -11,7 +11,23 @@ import shutil import subprocess import sys import warnings -from typing import NamedTuple +import json +from typing import NamedTuple, Dict, List +from dataclasses import dataclass + + +@dataclass +class BootSpec: + init: str + initrd: str + initrdSecrets: str + kernel: str + kernelParams: List[str] + label: str + system: str + toplevel: str + specialisations: Dict[str, "BootSpec"] + libc = ctypes.CDLL("libc.so.6") 
@@ -71,12 +87,20 @@ def write_loader_conf(profile: str | None, generation: int, specialisation: str os.rename("@efiSysMountPoint@/loader/loader.conf.tmp", "@efiSysMountPoint@/loader/loader.conf") -def profile_path(profile: str | None, generation: int, specialisation: str | None, name: str) -> str: - return os.path.realpath("%s/%s" % (system_dir(profile, generation, specialisation), name)) +def get_bootspec(profile: str | None, generation: int) -> BootSpec: + boot_json_path = os.path.realpath("%s/%s" % (system_dir(profile, generation, None), "boot.json")) + boot_json_f = open(boot_json_path, 'r') + bootspec_json = json.load(boot_json_f) + return bootspec_from_json(bootspec_json) +def bootspec_from_json(bootspec_json: Dict) -> BootSpec: + specialisations = bootspec_json['org.nixos.specialisation.v1'] + specialisations = {k: bootspec_from_json(v) for k, v in specialisations.items()} + return BootSpec(**bootspec_json['org.nixos.bootspec.v1'], specialisations=specialisations) -def copy_from_profile(profile: str | None, generation: int, specialisation: str | None, name: str, dry_run: bool = False) -> str: - store_file_path = profile_path(profile, generation, specialisation, name) + +def copy_from_file(file: str, dry_run: bool = False) -> str: + store_file_path = os.path.realpath(file) suffix = os.path.basename(store_file_path) store_dir = os.path.basename(os.path.dirname(store_file_path)) efi_file_path = "/efi/nixos/%s-%s.efi" % (store_dir, suffix) 
@@ -84,40 +108,19 @@ def copy_from_profile(profile: str | None, generation: int, specialisation: str copy_if_not_exists(store_file_path, "@efiSysMountPoint@%s" % (efi_file_path)) return efi_file_path - -def describe_generation(profile: str | None, generation: int, specialisation: str | None) -> str: - try: - with open(profile_path(profile, generation, specialisation, "nixos-version")) as f: - nixos_version = f.read() - except IOError: - nixos_version = "Unknown" - - kernel_dir = os.path.dirname(profile_path(profile, generation, specialisation, "kernel")) - module_dir = glob.glob("%s/lib/modules/*" % kernel_dir)[0] - kernel_version = os.path.basename(module_dir) - - build_time = int(os.path.getctime(system_dir(profile, generation, specialisation))) - build_date = datetime.datetime.fromtimestamp(build_time).strftime('%F') - - description = "@distroName@ {}, Linux Kernel {}, Built on {}".format( - nixos_version, kernel_version, build_date - ) - - return description - - def write_entry(profile: str | None, generation: int, specialisation: str | None, - machine_id: str, current: bool) -> None: - kernel = copy_from_profile(profile, generation, specialisation, "kernel") - initrd = copy_from_profile(profile, generation, specialisation, "initrd") + machine_id: str, bootspec: BootSpec, current: bool) -> None: + if specialisation: + bootspec = bootspec.specialisations[specialisation] + kernel = copy_from_file(bootspec.kernel) + initrd = copy_from_file(bootspec.initrd) title = "@distroName@{profile}{specialisation}".format( profile=" [" + profile + "]" if profile else "", specialisation=" (%s)" % specialisation if specialisation else "") try: - append_initrd_secrets = profile_path(profile, generation, specialisation, "append-initrd-secrets") - subprocess.check_call([append_initrd_secrets, "@efiSysMountPoint@%s" % (initrd)]) + subprocess.check_call([bootspec.initrdSecrets, "@efiSysMountPoint@%s" % (initrd)]) except FileNotFoundError: pass except subprocess.CalledProcessError: 
@@ -132,17 +135,19 @@ def write_entry(profile: str | None, generation: int, specialisation: str | None entry_file = "@efiSysMountPoint@/loader/entries/%s" % ( generation_conf_filename(profile, generation, specialisation)) tmp_path = "%s.tmp" % (entry_file) - kernel_params = "init=%s " % profile_path(profile, generation, specialisation, "init") + kernel_params = "init=%s " % bootspec.init + + kernel_params = kernel_params + " ".join(bootspec.kernelParams) + build_time = int(os.path.getctime(system_dir(profile, generation, specialisation))) + build_date = datetime.datetime.fromtimestamp(build_time).strftime('%F') - with open(profile_path(profile, generation, specialisation, "kernel-params")) as params_file: - kernel_params = kernel_params + params_file.read() with open(tmp_path, 'w') as f: f.write(BOOT_ENTRY.format(title=title, generation=generation, kernel=kernel, initrd=initrd, kernel_params=kernel_params, - description=describe_generation(profile, generation, specialisation))) + description=f"{bootspec.label}, built on {build_date}")) if machine_id is not None: f.write("machine-id %s\n" % machine_id) f.flush() 
@@ -173,21 +178,14 @@ def get_generations(profile: str | None = None) -> list[SystemIdentifier]: return configurations[-configurationLimit:] -def get_specialisations(profile: str | None, generation: int, _: str | None) -> list[SystemIdentifier]: - specialisations_dir = os.path.join( - system_dir(profile, generation, None), "specialisation") - if not os.path.exists(specialisations_dir): - return [] - return [SystemIdentifier(profile, generation, spec) for spec in os.listdir(specialisations_dir)] - - def remove_old_entries(gens: list[SystemIdentifier]) -> None: rex_profile = re.compile(r"^@efiSysMountPoint@/loader/entries/nixos-(.*)-generation-.*\.conf$") rex_generation = re.compile(r"^@efiSysMountPoint@/loader/entries/nixos.*-generation-([0-9]+)(-specialisation-.*)?\.conf$") known_paths = [] for gen in gens: - known_paths.append(copy_from_profile(*gen, "kernel", True)) - known_paths.append(copy_from_profile(*gen, "initrd", True)) + bootspec = get_bootspec(gen.profile, gen.generation) + known_paths.append(copy_from_file(bootspec.kernel, True)) + known_paths.append(copy_from_file(bootspec.initrd, True)) for path in glob.iglob("@efiSysMountPoint@/loader/entries/nixos*-generation-[1-9]*.conf"): if rex_profile.match(path): prof = rex_profile.sub(r"\1", path) 
@@ -279,10 +277,11 @@ def install_bootloader(args: argparse.Namespace) -> None: remove_old_entries(gens) for gen in gens: try: - is_default = os.path.dirname(profile_path(*gen, "init")) == args.default_config - write_entry(*gen, machine_id, current=is_default) - for specialisation in get_specialisations(*gen): - write_entry(*specialisation, machine_id, current=is_default) + bootspec = get_bootspec(gen.profile, gen.generation) + is_default = os.path.dirname(bootspec.init) == args.default_config + write_entry(*gen, machine_id, bootspec, current=is_default) + for specialisation in bootspec.specialisations.keys(): + write_entry(gen.profile, gen.generation, specialisation, machine_id, bootspec, current=is_default) if is_default: write_loader_conf(*gen) except OSError as e: diff --git a/nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix b/nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix index 6f0a62d0ea89..1086ab80b14f 100644 --- a/nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix +++ b/nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix @@ -67,6 +67,8 @@ let ''; in { + meta.maintainers = with lib.maintainers; [ julienmalka ]; + imports = [ (mkRenamedOptionModule [ "boot" "loader" "gummiboot" "enable" ] [ "boot" "loader" "systemd-boot" "enable" ]) ]; diff --git a/nixpkgs/nixos/modules/system/boot/luksroot.nix b/nixpkgs/nixos/modules/system/boot/luksroot.nix index 06c329e006b8..ca560d63f3bd 100644 --- a/nixpkgs/nixos/modules/system/boot/luksroot.nix +++ b/nixpkgs/nixos/modules/system/boot/luksroot.nix 
@@ -537,7 +537,7 @@ in description = lib.mdDoc '' Unless enabled, encryption keys can be easily recovered by an attacker with physical access to any machine with PCMCIA, ExpressCard, ThunderBolt or FireWire port. - More information is available at <http://en.wikipedia.org/wiki/DMA_attack>. + More information is available at <https://en.wikipedia.org/wiki/DMA_attack>. This option blacklists FireWire drivers, but doesn't remove them. You can manually load the drivers if you need to use a FireWire device, but don't forget to unload them! diff --git a/nixpkgs/nixos/modules/system/boot/stage-1-init.sh b/nixpkgs/nixos/modules/system/boot/stage-1-init.sh index bc2fc7f7b108..086e5d65da2f 100644 --- a/nixpkgs/nixos/modules/system/boot/stage-1-init.sh +++ b/nixpkgs/nixos/modules/system/boot/stage-1-init.sh @@ -253,9 +253,6 @@ done @setHostId@ # Load the required kernel modules. -mkdir -p /lib -ln -s @modulesClosure@/lib/modules /lib/modules -ln -s @modulesClosure@/lib/firmware /lib/firmware echo @extraUtils@/bin/modprobe > /proc/sys/kernel/modprobe for i in @kernelModules@; do info "loading module $(basename $i)..." @@ -498,6 +495,8 @@ if test -e /sys/power/resume -a -e /sys/power/disk; then fi fi +@postResumeCommands@ + # If we have a path to an iso file, find the iso and link it to /dev/root if [ -n "$isoPath" ]; then mkdir -p /findiso diff --git a/nixpkgs/nixos/modules/system/boot/stage-1.nix b/nixpkgs/nixos/modules/system/boot/stage-1.nix index a3551f68dbe8..13c71e1495ea 100644 --- a/nixpkgs/nixos/modules/system/boot/stage-1.nix +++ b/nixpkgs/nixos/modules/system/boot/stage-1.nix 
@@ -284,7 +284,7 @@ let # in the NixOS installation CD, so use ID_CDROM_MEDIA in the # corresponding udev rules for now. This was the behaviour in # udev <= 154. See also - # http://www.spinics.net/lists/hotplug/msg03935.html + # https://www.spinics.net/lists/hotplug/msg03935.html substituteInPlace $out/60-persistent-storage.rules \ --replace ID_CDROM_MEDIA_TRACK_COUNT_DATA ID_CDROM_MEDIA ''; # */ @@ -307,7 +307,7 @@ let ${pkgs.buildPackages.busybox}/bin/ash -n $target ''; - inherit linkUnits udevRules extraUtils modulesClosure; + inherit linkUnits udevRules extraUtils; inherit (config.boot) resumeDevice; @@ -316,7 +316,7 @@ let inherit (config.system.build) earlyMountScript; inherit (config.boot.initrd) checkJournalingFS verbose - preLVMCommands preDeviceCommands postDeviceCommands postMountCommands preFailCommands kernelModules; + preLVMCommands preDeviceCommands postDeviceCommands postResumeCommands postMountCommands preFailCommands kernelModules; resumeDevices = map (sd: if sd ? device then sd.device else "/dev/disk/by-label/${sd.label}") (filter (sd: hasPrefix "/dev/" sd.device && !sd.randomEncryption.enable @@ -349,6 +349,9 @@ let [ { object = bootStage1; symlink = "/init"; } + { object = "${modulesClosure}/lib"; + symlink = "/lib"; + } { object = pkgs.runCommand "initrd-kmod-blacklist-ubuntu" { src = "${pkgs.kmod-blacklist-ubuntu}/modprobe.conf"; preferLocalBuild = true; @@ -524,6 +527,14 @@ in ''; }; + boot.initrd.postResumeCommands = mkOption { + default = ""; + type = types.lines; + description = lib.mdDoc '' + Shell commands to be executed immediately after attempting to resume. + ''; + }; + boot.initrd.postMountCommands = mkOption { default = ""; type = types.lines; diff --git a/nixpkgs/nixos/modules/system/boot/systemd/initrd.nix b/nixpkgs/nixos/modules/system/boot/systemd/initrd.nix index be40b8e969a1..0e7d59b32075 100644 --- a/nixpkgs/nixos/modules/system/boot/systemd/initrd.nix +++ b/nixpkgs/nixos/modules/system/boot/systemd/initrd.nix 
@@ -358,6 +358,7 @@ in { [ "preDeviceCommands" ] [ "preLVMCommands" ] [ "postDeviceCommands" ] + [ "postResumeCommands" ] [ "postMountCommands" ] [ "extraUdevRulesCommands" ] [ "extraUtilsCommands" ] @@ -369,7 +370,7 @@ in { boot.initrd.availableKernelModules = [ # systemd needs this for some features - "autofs4" + "autofs" # systemd-cryptenroll ] ++ lib.optional cfg.enableTpm2 "tpm-tis" ++ lib.optional (cfg.enableTpm2 && !(pkgs.stdenv.hostPlatform.isRiscV64 || pkgs.stdenv.hostPlatform.isArmv7)) "tpm-crb"; diff --git a/nixpkgs/nixos/modules/system/boot/systemd/journald.nix b/nixpkgs/nixos/modules/system/boot/systemd/journald.nix index 773163bbcb81..7e62a4c9bfed 100644 --- a/nixpkgs/nixos/modules/system/boot/systemd/journald.nix +++ b/nixpkgs/nixos/modules/system/boot/systemd/journald.nix @@ -28,6 +28,15 @@ in { ''; }; + services.journald.storage = mkOption { + default = "persistent"; + type = types.enum [ "persistent" "volatile" "auto" "none" ]; + description = mdDoc '' + Controls where to store journal data. See + {manpage}`journald.conf(5)` for further information. + ''; + }; + services.journald.rateLimitBurst = mkOption { default = 10000; type = types.int; @@ -100,7 +109,7 @@ in { environment.etc = { "systemd/journald.conf".text = '' [Journal] - Storage=persistent + Storage=${cfg.storage} RateLimitInterval=${cfg.rateLimitInterval} RateLimitBurst=${toString cfg.rateLimitBurst} ${optionalString (cfg.console != "") '' diff --git a/nixpkgs/nixos/modules/tasks/network-interfaces.nix b/nixpkgs/nixos/modules/tasks/network-interfaces.nix index d976f9951bb5..298add13437a 100644 --- a/nixpkgs/nixos/modules/tasks/network-interfaces.nix +++ b/nixpkgs/nixos/modules/tasks/network-interfaces.nix 
@@ -498,7 +498,7 @@ in option will result in an evaluation error if the hostname is empty or no domain is specified. - Modules that accept a mere `networing.hostName` but prefer a fully qualified + Modules that accept a mere `networking.hostName` but prefer a fully qualified domain name may use `networking.fqdnOrHostName` instead. ''; }; diff --git a/nixpkgs/nixos/modules/testing/test-instrumentation.nix b/nixpkgs/nixos/modules/testing/test-instrumentation.nix index c91e54f5a4d7..9ee77cd79a9b 100644 --- a/nixpkgs/nixos/modules/testing/test-instrumentation.nix +++ b/nixpkgs/nixos/modules/testing/test-instrumentation.nix 
@@ -6,49 +6,124 @@ with lib; let + cfg = config.testing; + qemu-common = import ../../lib/qemu-common.nix { inherit lib pkgs; }; + + backdoorService = { + requires = [ "dev-hvc0.device" "dev-${qemu-common.qemuSerialDevice}.device" ]; + after = [ "dev-hvc0.device" "dev-${qemu-common.qemuSerialDevice}.device" ]; + script = + '' + export USER=root + export HOME=/root + export DISPLAY=:0.0 + + if [[ -e /etc/profile ]]; then + source /etc/profile + fi + + # Don't use a pager when executing backdoor + # actions. Because we use a tty, commands like systemctl + # or nix-store get confused into thinking they're running + # interactively. + export PAGER= + + cd /tmp + exec < /dev/hvc0 > /dev/hvc0 + while ! exec 2> /dev/${qemu-common.qemuSerialDevice}; do sleep 0.1; done + echo "connecting to host..." >&2 + stty -F /dev/hvc0 raw -echo # prevent nl -> cr/nl conversion + # The following line is essential since it signals to + # the test driver that the shell is ready. + # See: the connect method in the Machine class. + echo "Spawning backdoor root shell..." + # Passing the terminal device makes bash run non-interactively. + # Otherwise we get errors on the terminal because bash tries to + # setup things like job control. + # Note: calling bash explicitly here instead of sh makes sure that + # we can also run non-NixOS guests during tests. + PS1= exec /usr/bin/env bash --norc /dev/hvc0 + ''; + serviceConfig.KillSignal = "SIGHUP"; + }; + in { + options.testing = { + + initrdBackdoor = lib.mkEnableOption (lib.mdDoc '' + enable backdoor.service in initrd. Requires + boot.initrd.systemd.enable to be enabled. Boot will pause in + stage 1 at initrd.target, and will listen for commands from the + Machine python interface, just like stage 2 normally does. This + enables commands to be sent to test and debug stage 1. Use + machine.switch_root() to leave stage 1 and proceed to stage 2. 
+ ''); + + }; + config = { - systemd.services.backdoor = - { wantedBy = [ "multi-user.target" ]; - requires = [ "dev-hvc0.device" "dev-${qemu-common.qemuSerialDevice}.device" ]; - after = [ "dev-hvc0.device" "dev-${qemu-common.qemuSerialDevice}.device" ]; - script = - '' - export USER=root - export HOME=/root - export DISPLAY=:0.0 + assertions = [ + { + assertion = cfg.initrdBackdoor -> config.boot.initrd.systemd.enable; + message = '' + testing.initrdBackdoor requires boot.initrd.systemd.enable to be enabled. + ''; + } + ]; - source /etc/profile + systemd.services.backdoor = lib.mkMerge [ + backdoorService + { + wantedBy = [ "multi-user.target" ]; + } + ]; - # Don't use a pager when executing backdoor - # actions. Because we use a tty, commands like systemctl - # or nix-store get confused into thinking they're running - # interactively. - export PAGER= - - cd /tmp - exec < /dev/hvc0 > /dev/hvc0 - while ! exec 2> /dev/${qemu-common.qemuSerialDevice}; do sleep 0.1; done - echo "connecting to host..." >&2 - stty -F /dev/hvc0 raw -echo # prevent nl -> cr/nl conversion - # The following line is essential since it signals to - # the test driver that the shell is ready. - # See: the connect method in the Machine class. - echo "Spawning backdoor root shell..." - # Passing the terminal device makes bash run non-interactively. - # Otherwise we get errors on the terminal because bash tries to - # setup things like job control. - # Note: calling bash explicitly here instead of sh makes sure that - # we can also run non-NixOS guests during tests. - PS1= exec /usr/bin/env bash --norc /dev/hvc0 - ''; - serviceConfig.KillSignal = "SIGHUP"; - }; + boot.initrd.systemd = lib.mkMerge [ + { + contents."/etc/systemd/journald.conf".text = '' + [Journal] + ForwardToConsole=yes + MaxLevelConsole=debug + ''; + + extraConfig = config.systemd.extraConfig; + } + + (lib.mkIf cfg.initrdBackdoor { + # Implemented in machine.switch_root(). 
Suppress the unit by + # making it a noop without removing it, which would break + # initrd-parse-etc.service + services.initrd-cleanup.serviceConfig.ExecStart = [ + # Reset + "" + # noop + "/bin/true" + ]; + + services.backdoor = lib.mkMerge [ + backdoorService + { + # TODO: Both stage 1 and stage 2 should use these same + # settings. But a lot of existing tests rely on + # backdoor.service having default orderings, + # e.g. systemd-boot.update relies on /boot being mounted + # as soon as backdoor starts. But it can be useful for + # backdoor to start even earlier. + wantedBy = [ "sysinit.target" ]; + unitConfig.DefaultDependencies = false; + conflicts = [ "shutdown.target" "initrd-switch-root.target" ]; + before = [ "shutdown.target" "initrd-switch-root.target" ]; + } + ]; + + contents."/usr/bin/env".source = "${pkgs.coreutils}/bin/env"; + }) + ]; # Prevent agetty from being instantiated on the serial device, since it # interferes with the backdoor (writes to it will randomly fail @@ -104,12 +179,6 @@ in MaxLevelConsole=debug ''; - boot.initrd.systemd.contents."/etc/systemd/journald.conf".text = '' - [Journal] - ForwardToConsole=yes - MaxLevelConsole=debug - ''; - systemd.extraConfig = '' # Don't clobber the console with duplicate systemd messages. ShowStatus=no @@ -123,8 +192,6 @@ in DefaultDeviceTimeoutSec=300 ''; - boot.initrd.systemd.extraConfig = config.systemd.extraConfig; - boot.consoleLogLevel = 7; # Prevent tests from accessing the Internet. diff --git a/nixpkgs/nixos/modules/virtualisation/azure-agent.nix b/nixpkgs/nixos/modules/virtualisation/azure-agent.nix index 6e6021cf80fe..e712fac17a46 100644 --- a/nixpkgs/nixos/modules/virtualisation/azure-agent.nix +++ b/nixpkgs/nixos/modules/virtualisation/azure-agent.nix 
@@ -61,7 +61,7 @@ in # Which provisioning agent to use. Supported values are "auto" (default), "waagent", # "cloud-init", or "disabled". - Provisioning.Agent=disabled + Provisioning.Agent=auto # Password authentication for root account will be unavailable. Provisioning.DeleteRootPassword=n @@ -241,7 +241,16 @@ in after = [ "network-online.target" "sshd.service" ]; wants = [ "network-online.target" ]; - path = [ pkgs.e2fsprogs pkgs.bash ]; + path = [ + pkgs.e2fsprogs + pkgs.bash + + # waagent's Microsoft.OSTCExtensions.VMAccessForLinux needs Python 3 + pkgs.python39 + + # waagent's Microsoft.CPlat.Core.RunCommandLinux needs lsof + pkgs.lsof + ]; description = "Windows Azure Agent Service"; unitConfig.ConditionPathExists = "/etc/waagent.conf"; serviceConfig = { @@ -250,5 +259,10 @@ in }; }; + # waagent will generate files under /etc/sudoers.d during provisioning + security.sudo.extraConfig = '' + #includedir /etc/sudoers.d + ''; + }; } diff --git a/nixpkgs/nixos/modules/virtualisation/azure-image.nix b/nixpkgs/nixos/modules/virtualisation/azure-image.nix index 39c6cab5980a..d909680cca1f 100644 --- a/nixpkgs/nixos/modules/virtualisation/azure-image.nix +++ b/nixpkgs/nixos/modules/virtualisation/azure-image.nix 
@@ -37,42 +37,5 @@ in inherit config lib pkgs; }; - # Azure metadata is available as a CD-ROM drive. - fileSystems."/metadata".device = "/dev/sr0"; - - systemd.services.fetch-ssh-keys = { - description = "Fetch host keys and authorized_keys for root user"; - - wantedBy = [ "sshd.service" "waagent.service" ]; - before = [ "sshd.service" "waagent.service" ]; - - path = [ pkgs.coreutils ]; - script = - '' - eval "$(cat /metadata/CustomData.bin)" - if ! [ -z "$ssh_host_ecdsa_key" ]; then - echo "downloaded ssh_host_ecdsa_key" - echo "$ssh_host_ecdsa_key" > /etc/ssh/ssh_host_ed25519_key - chmod 600 /etc/ssh/ssh_host_ed25519_key - fi - - if ! [ -z "$ssh_host_ecdsa_key_pub" ]; then - echo "downloaded ssh_host_ecdsa_key_pub" - echo "$ssh_host_ecdsa_key_pub" > /etc/ssh/ssh_host_ed25519_key.pub - chmod 644 /etc/ssh/ssh_host_ed25519_key.pub - fi - - if ! [ -z "$ssh_root_auth_key" ]; then - echo "downloaded ssh_root_auth_key" - mkdir -m 0700 -p /root/.ssh - echo "$ssh_root_auth_key" > /root/.ssh/authorized_keys - chmod 600 /root/.ssh/authorized_keys - fi - ''; - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; - serviceConfig.StandardError = "journal+console"; - serviceConfig.StandardOutput = "journal+console"; - }; }; } diff --git a/nixpkgs/nixos/modules/virtualisation/google-compute-config.nix b/nixpkgs/nixos/modules/virtualisation/google-compute-config.nix index 3c503f027d79..887af26949fe 100644 --- a/nixpkgs/nixos/modules/virtualisation/google-compute-config.nix +++ b/nixpkgs/nixos/modules/virtualisation/google-compute-config.nix 
@@ -84,6 +84,10 @@ in { groups = [ "google-sudoers" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; } ]; + security.sudo-rs.extraRules = mkIf config.users.mutableUsers [ + { groups = [ "google-sudoers" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; } + ]; + users.groups.google-sudoers = mkIf config.users.mutableUsers { }; boot.extraModprobeConfig = readFile "${pkgs.google-guest-configs}/etc/modprobe.d/gce-blacklist.conf"; diff --git a/nixpkgs/nixos/modules/virtualisation/google-compute-image.nix b/nixpkgs/nixos/modules/virtualisation/google-compute-image.nix index 197ebb18b9ad..dcdd1b59eef5 100644 --- a/nixpkgs/nixos/modules/virtualisation/google-compute-image.nix +++ b/nixpkgs/nixos/modules/virtualisation/google-compute-image.nix @@ -44,10 +44,17 @@ in GZIP compression level of the resulting disk image (1-9). ''; }; + virtualisation.googleComputeImage.efi = mkEnableOption "EFI booting"; }; #### implementation config = { + boot.initrd.availableKernelModules = [ "nvme" ]; + boot.loader.grub = mkIf cfg.efi { + device = mkForce "nodev"; + efiSupport = true; + efiInstallAsRemovable = true; + }; system.build.googleComputeImage = import ../../lib/make-disk-image.nix { name = "google-compute-image"; @@ -62,6 +69,7 @@ in ''; format = "raw"; configFile = if cfg.configFile == null then defaultConfigFile else cfg.configFile; + partitionTableType = if cfg.efi then "efi" else "legacy"; inherit (cfg) diskSize; inherit config lib pkgs; }; diff --git a/nixpkgs/nixos/modules/virtualisation/oci-containers.nix b/nixpkgs/nixos/modules/virtualisation/oci-containers.nix index 65e97d53724f..a4a40346f093 100644 --- a/nixpkgs/nixos/modules/virtualisation/oci-containers.nix +++ b/nixpkgs/nixos/modules/virtualisation/oci-containers.nix 
@@ -214,6 +214,13 @@ let ''; }; + hostname = mkOption { + type = with types; nullOr str; + default = null; + description = lib.mdDoc "The hostname of the container."; + example = "hello-world"; + }; + extraOptions = mkOption { type = with types; listOf str; default = []; @@ -245,11 +252,10 @@ let text = '' ${cfg.backend} rm -f ${name} || true ${optionalString (isValidLogin container.login) '' - cat ${container.login.passwordFile} | \ ${cfg.backend} login \ ${container.login.registry} \ --username ${container.login.username} \ - --password-stdin + --password-stdin < ${container.login.passwordFile} ''} ${optionalString (container.imageFile != null) '' ${cfg.backend} load -i ${container.imageFile} @@ -280,6 +286,8 @@ let "--log-driver=${container.log-driver}" ] ++ optional (container.entrypoint != null) "--entrypoint=${escapeShellArg container.entrypoint}" + ++ optional (container.hostname != null) + "--hostname=${escapeShellArg container.hostname}" ++ lib.optionals (cfg.backend == "podman") [ "--cidfile=/run/podman-${escapedName}.ctr-id" "--cgroups=no-conmon" diff --git a/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix b/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix index e625c6322d9c..6f275baf60dc 100644 --- a/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix @@ -997,7 +997,7 @@ in virtualisation.memorySize is above 2047, but qemu is only able to allocate 2047MB RAM on 32bit max. ''; } - { assertion = cfg.directBoot.initrd != options.virtualisation.directBoot.initrd.default -> cfg.directBoot.enable; + { assertion = cfg.directBoot.enable || cfg.directBoot.initrd == options.virtualisation.directBoot.initrd.default; message = '' You changed the default of `virtualisation.directBoot.initrd` but you are not diff --git a/nixpkgs/nixos/modules/virtualisation/vagrant-guest.nix b/nixpkgs/nixos/modules/virtualisation/vagrant-guest.nix index 263b1ebca086..2fad376086e3 100644 
--- a/nixpkgs/nixos/modules/virtualisation/vagrant-guest.nix +++ b/nixpkgs/nixos/modules/virtualisation/vagrant-guest.nix @@ -55,4 +55,5 @@ in }; security.sudo.wheelNeedsPassword = false; + security.sudo-rs.wheelNeedsPassword = false; } diff --git a/nixpkgs/nixos/tests/all-tests.nix b/nixpkgs/nixos/tests/all-tests.nix index 6201045b54cc..f44fcfcf54ab 100644 --- a/nixpkgs/nixos/tests/all-tests.nix +++ b/nixpkgs/nixos/tests/all-tests.nix @@ -934,4 +934,5 @@ in { zram-generator = handleTest ./zram-generator.nix {}; zrepl = handleTest ./zrepl.nix {}; zsh-history = handleTest ./zsh-history.nix {}; + zwave-js = handleTest ./zwave-js.nix {}; } diff --git a/nixpkgs/nixos/tests/castopod.nix b/nixpkgs/nixos/tests/castopod.nix index 1d53c3e9a3e6..4435ec617d4e 100644 --- a/nixpkgs/nixos/tests/castopod.nix +++ b/nixpkgs/nixos/tests/castopod.nix @@ -82,6 +82,6 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: castopod.succeed("curl -s http://localhost/cp-install | grep 'Create your Super Admin account' > /dev/null") with subtest("Create superadmin and log in"): - castopod.succeed("PYTHONUNBUFFERED=1 test-runner | systemd-cat -t test-runner") + castopod.succeed("PYTHONUNBUFFERED=1 systemd-cat -t test-runner test-runner") ''; }) diff --git a/nixpkgs/nixos/tests/gitea.nix b/nixpkgs/nixos/tests/gitea.nix index f574b59be545..f62c72bddddc 100644 --- a/nixpkgs/nixos/tests/gitea.nix +++ b/nixpkgs/nixos/tests/gitea.nix @@ -26,7 +26,7 @@ let supportedDbTypes = [ "mysql" "postgres" "sqlite3" ]; makeGiteaTest = type: nameValuePair type (makeTest { name = "${giteaPackage.pname}-${type}"; - meta.maintainers = with maintainers; [ aanderse emilylange kolaente ma27 ]; + meta.maintainers = with maintainers; [ aanderse kolaente ma27 ]; nodes = { server = { config, pkgs, ... }: { diff --git a/nixpkgs/nixos/tests/hadoop/hadoop.nix b/nixpkgs/nixos/tests/hadoop/hadoop.nix index 0de2366b1864..6162ccfd33d4 100644 --- a/nixpkgs/nixos/tests/hadoop/hadoop.nix +++ b/nixpkgs/nixos/tests/hadoop/hadoop.nix 
@@ -176,22 +176,22 @@ import ../make-test-python.nix ({ package, ... }: { nn2.succeed("systemctl stop hdfs-zkfc") # Initialize zookeeper for failover controller - nn1.succeed("sudo -u hdfs hdfs zkfc -formatZK 2>&1 | systemd-cat") + nn1.succeed("sudo -u hdfs systemd-cat hdfs zkfc -formatZK") # Format NN1 and start it - nn1.succeed("sudo -u hdfs hadoop namenode -format 2>&1 | systemd-cat") + nn1.succeed("sudo -u hdfs systemd-cat hadoop namenode -format") nn1.succeed("systemctl start hdfs-namenode") nn1.wait_for_open_port(9870) nn1.wait_for_open_port(8022) nn1.wait_for_open_port(8020) # Bootstrap NN2 from NN1 and start it - nn2.succeed("sudo -u hdfs hdfs namenode -bootstrapStandby 2>&1 | systemd-cat") + nn2.succeed("sudo -u hdfs systemd-cat hdfs namenode -bootstrapStandby") nn2.succeed("systemctl start hdfs-namenode") nn2.wait_for_open_port(9870) nn2.wait_for_open_port(8022) nn2.wait_for_open_port(8020) - nn1.succeed("netstat -tulpne | systemd-cat") + nn1.succeed("systemd-cat netstat -tulpne") # Start failover controllers nn1.succeed("systemctl start hdfs-zkfc") @@ -200,10 +200,10 @@ import ../make-test-python.nix ({ package, ... }: { # DN should have started by now, but confirm anyway dn1.wait_for_unit("hdfs-datanode") # Print states of namenodes - client.succeed("sudo -u hdfs hdfs haadmin -getAllServiceState | systemd-cat") + client.succeed("sudo -u hdfs systemd-cat hdfs haadmin -getAllServiceState") # Wait for cluster to exit safemode client.succeed("sudo -u hdfs hdfs dfsadmin -safemode wait") - client.succeed("sudo -u hdfs hdfs haadmin -getAllServiceState | systemd-cat") + client.succeed("sudo -u hdfs systemd-cat hdfs haadmin -getAllServiceState") # test R/W client.succeed("echo testfilecontents | sudo -u hdfs hdfs dfs -put - /testfile") assert "testfilecontents" in client.succeed("sudo -u hdfs hdfs dfs -cat /testfile") 
@@ -211,7 +211,7 @@ import ../make-test-python.nix ({ package, ... }: { # Test NN failover nn1.succeed("systemctl stop hdfs-namenode") assert "active" in client.succeed("sudo -u hdfs hdfs haadmin -getAllServiceState") - client.succeed("sudo -u hdfs hdfs haadmin -getAllServiceState | systemd-cat") + client.succeed("sudo -u hdfs systemd-cat hdfs haadmin -getAllServiceState") assert "testfilecontents" in client.succeed("sudo -u hdfs hdfs dfs -cat /testfile") nn1.succeed("systemctl start hdfs-namenode") @@ -219,7 +219,7 @@ import ../make-test-python.nix ({ package, ... }: { nn1.wait_for_open_port(8022) nn1.wait_for_open_port(8020) assert "standby" in client.succeed("sudo -u hdfs hdfs haadmin -getAllServiceState") - client.succeed("sudo -u hdfs hdfs haadmin -getAllServiceState | systemd-cat") + client.succeed("sudo -u hdfs systemd-cat hdfs haadmin -getAllServiceState") #### YARN tests #### 
@@ -236,18 +236,18 @@ import ../make-test-python.nix ({ package, ... }: { nm1.wait_for_open_port(8042) nm1.wait_for_open_port(8040) client.wait_until_succeeds("yarn node -list | grep Nodes:1") - client.succeed("sudo -u yarn yarn rmadmin -getAllServiceState | systemd-cat") - client.succeed("sudo -u yarn yarn node -list | systemd-cat") + client.succeed("sudo -u yarn systemd-cat yarn rmadmin -getAllServiceState") + client.succeed("sudo -u yarn systemd-cat yarn node -list") # Test RM failover rm1.succeed("systemctl stop yarn-resourcemanager") assert "standby" not in client.succeed("sudo -u yarn yarn rmadmin -getAllServiceState") - client.succeed("sudo -u yarn yarn rmadmin -getAllServiceState | systemd-cat") + client.succeed("sudo -u yarn systemd-cat yarn rmadmin -getAllServiceState") rm1.succeed("systemctl start yarn-resourcemanager") rm1.wait_for_unit("yarn-resourcemanager") rm1.wait_for_open_port(8088) assert "standby" in client.succeed("sudo -u yarn yarn rmadmin -getAllServiceState") - client.succeed("sudo -u yarn yarn rmadmin -getAllServiceState | systemd-cat") + client.succeed("sudo -u yarn systemd-cat yarn rmadmin -getAllServiceState") assert "Estimated value of Pi is" in client.succeed("HADOOP_USER_NAME=hdfs yarn jar $(readlink $(which yarn) | sed -r 's~bin/yarn~share/hadoop/mapreduce/hadoop-mapreduce-examples-*.jar~g') pi 2 10") assert "SUCCEEDED" in client.succeed("yarn application -list -appStates FINISHED") diff --git a/nixpkgs/nixos/tests/hadoop/hdfs.nix b/nixpkgs/nixos/tests/hadoop/hdfs.nix index 429d4bf6b538..65686b371559 100644 --- a/nixpkgs/nixos/tests/hadoop/hdfs.nix +++ b/nixpkgs/nixos/tests/hadoop/hdfs.nix 
@@ -50,8 +50,8 @@ import ../make-test-python.nix ({ package, lib, ... }: namenode.wait_for_unit("hdfs-namenode") namenode.wait_for_unit("network.target") namenode.wait_for_open_port(8020) - namenode.succeed("ss -tulpne | systemd-cat") - namenode.succeed("cat /etc/hadoop*/hdfs-site.xml | systemd-cat") + namenode.succeed("systemd-cat ss -tulpne") + namenode.succeed("systemd-cat cat /etc/hadoop*/hdfs-site.xml") namenode.wait_for_open_port(9870) datanode.wait_for_unit("hdfs-datanode") diff --git a/nixpkgs/nixos/tests/home-assistant.nix b/nixpkgs/nixos/tests/home-assistant.nix index e06c52a5f41c..e97e8a467b18 100644 --- a/nixpkgs/nixos/tests/home-assistant.nix +++ b/nixpkgs/nixos/tests/home-assistant.nix @@ -9,13 +9,13 @@ in { nodes.hass = { pkgs, ... }: { services.postgresql = { enable = true; - ensureDatabases = [ "hass" ]; - ensureUsers = [{ - name = "hass"; - ensurePermissions = { - "DATABASE hass" = "ALL PRIVILEGES"; - }; - }]; + + # FIXME: hack for https://github.com/NixOS/nixpkgs/issues/216989 + # Should be replaced with ensureUsers again when a solution for that is found + initialScript = pkgs.writeText "hass-setup-db.sql" '' + CREATE ROLE hass WITH LOGIN; + CREATE DATABASE hass WITH OWNER hass; + ''; }; services.home-assistant = { @@ -43,6 +43,16 @@ in { psycopg2 ]; + # test loading custom components + customComponents = with pkgs.home-assistant-custom-components; [ + prometheus-sensor + ]; + + # test loading lovelace modules + customLovelaceModules = with pkgs.home-assistant-custom-lovelace-modules; [ + mini-graph-card + ]; + config = { homeassistant = { name = "Home"; @@ -114,6 +124,14 @@ in { inheritParentConfig = true; configuration.services.home-assistant.config.backup = {}; }; + + specialisation.removeCustomThings = { + inheritParentConfig = true; + configuration.services.home-assistant = { + customComponents = lib.mkForce []; + customLovelaceModules = lib.mkForce []; + }; + }; }; testScript = { nodes, ... }: let 
@@ -161,6 +179,14 @@ in { hass.wait_for_open_port(8123) hass.succeed("curl --fail http://localhost:8123/lovelace") + with subtest("Check that custom components get installed"): + hass.succeed("test -f ${configDir}/custom_components/prometheus_sensor/manifest.json") + hass.wait_until_succeeds("journalctl -u home-assistant.service | grep -q 'We found a custom integration prometheus_sensor which has not been tested by Home Assistant'") + + with subtest("Check that lovelace modules are referenced and fetchable"): + hass.succeed("grep -q 'mini-graph-card-bundle.js' '${configDir}/ui-lovelace.yaml'") + hass.succeed("curl --fail http://localhost:8123/local/nixos-lovelace-modules/mini-graph-card-bundle.js") + with subtest("Check that optional dependencies are in the PYTHONPATH"): env = get_unit_property("Environment") python_path = env.split("PYTHONPATH=")[1].split()[0] @@ -200,6 +226,13 @@ in { for domain in ["backup"]: assert f"Setup of domain {domain} took" in journal, f"{domain} setup missing" + with subtest("Check custom components and custom lovelace modules get removed"): + cursor = get_journal_cursor() + hass.succeed("${system}/specialisation/removeCustomThings/bin/switch-to-configuration test") + hass.fail("grep -q 'mini-graph-card-bundle.js' '${configDir}/ui-lovelace.yaml'") + hass.fail("test -f ${configDir}/custom_components/prometheus_sensor/manifest.json") + wait_for_homeassistant(cursor) + with subtest("Check that no errors were logged"): hass.fail("journalctl -u home-assistant -o cat | grep -q ERROR") diff --git a/nixpkgs/nixos/tests/iscsi-multipath-root.nix b/nixpkgs/nixos/tests/iscsi-multipath-root.nix index 92ae9990c947..494a539b57e0 100644 --- a/nixpkgs/nixos/tests/iscsi-multipath-root.nix +++ b/nixpkgs/nixos/tests/iscsi-multipath-root.nix 
@@ -202,7 +202,7 @@ import ./make-test-python.nix ( initiatorAuto.succeed("umount /mnt") initiatorAuto.succeed("systemctl restart multipathd") - initiatorAuto.succeed("multipath -ll | systemd-cat") + initiatorAuto.succeed("systemd-cat multipath -ll") # Install our RootDisk machine to 123456, the alias to the device that multipath is now managing initiatorAuto.succeed("mount /dev/mapper/123456 /mnt") @@ -223,7 +223,7 @@ import ./make-test-python.nix ( initiatorRootDisk.fail("iscsiadm -m discovery -o update -t sendtargets -p 192.168.1.3 --login") initiatorRootDisk.fail("iscsiadm -m discovery -o update -t sendtargets -p 192.168.2.3 --login") initiatorRootDisk.succeed("systemctl restart multipathd") - initiatorRootDisk.succeed("multipath -ll | systemd-cat") + initiatorRootDisk.succeed("systemd-cat multipath -ll") # Verify we can write and sync the root disk initiatorRootDisk.succeed("mkdir /scratch") diff --git a/nixpkgs/nixos/tests/mobilizon.nix b/nixpkgs/nixos/tests/mobilizon.nix index 2b070ca9d960..398c8530dc56 100644 --- a/nixpkgs/nixos/tests/mobilizon.nix +++ b/nixpkgs/nixos/tests/mobilizon.nix @@ -10,7 +10,7 @@ import ./make-test-python.nix ({ lib, ... }: meta.maintainers = with lib.maintainers; [ minijackson erictapen ]; nodes.server = - { ... }: + { pkgs, ... }: { services.mobilizon = { enable = true; @@ -25,6 +25,8 @@ import ./make-test-python.nix ({ lib, ... }: }; }; + services.postgresql.package = pkgs.postgresql_14; + security.pki.certificateFiles = [ certs.ca.cert ]; services.nginx.virtualHosts."${mobilizonDomain}" = { diff --git a/nixpkgs/nixos/tests/openssh.nix b/nixpkgs/nixos/tests/openssh.nix index 881eb9d7d91c..799497477993 100644 --- a/nixpkgs/nixos/tests/openssh.nix +++ b/nixpkgs/nixos/tests/openssh.nix 
@@ -103,7 +103,12 @@ in { testScript = '' start_all() - server.wait_for_unit("sshd") + server.wait_for_unit("sshd", timeout=30) + server_localhost_only.wait_for_unit("sshd", timeout=30) + server_match_rule.wait_for_unit("sshd", timeout=30) + + server_lazy.wait_for_unit("sshd.socket", timeout=30) + server_localhost_only_lazy.wait_for_unit("sshd.socket", timeout=30) with subtest("manual-authkey"): client.succeed("mkdir -m 700 /root/.ssh") diff --git a/nixpkgs/nixos/tests/plausible.nix b/nixpkgs/nixos/tests/plausible.nix index 9afd3db75de8..9c26c509a5ab 100644 --- a/nixpkgs/nixos/tests/plausible.nix +++ b/nixpkgs/nixos/tests/plausible.nix @@ -8,9 +8,6 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { virtualisation.memorySize = 4096; services.plausible = { enable = true; - releaseCookiePath = "${pkgs.runCommand "cookie" { } '' - ${pkgs.openssl}/bin/openssl rand -base64 64 >"$out" - ''}"; adminUser = { email = "admin@example.org"; passwordFile = "${pkgs.writeText "pwd" "foobar"}"; @@ -28,6 +25,10 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { machine.wait_for_unit("plausible.service") machine.wait_for_open_port(8000) + # Ensure that the software does not make not make the machine + # listen on any public interfaces by default. + machine.fail("ss -tlpn 'src = 0.0.0.0 or src = [::]' | grep LISTEN") + machine.succeed("curl -f localhost:8000 >&2") machine.succeed("curl -f localhost:8000/js/script.js >&2") diff --git a/nixpkgs/nixos/tests/pleroma.nix b/nixpkgs/nixos/tests/pleroma.nix index 4f1aef854146..c80f48e52ed5 100644 --- a/nixpkgs/nixos/tests/pleroma.nix +++ b/nixpkgs/nixos/tests/pleroma.nix 
@@ -25,6 +25,18 @@ import ./make-test-python.nix ({ pkgs, ... }: let + # Fix for https://github.com/ihabunek/toot/pull/405. Includes + # https://github.com/ihabunek/toot/pull/405. TOREMOVE when + # toot > 0.38.1 + patched-toot = pkgs.toot.overrideAttrs (old: { + version = "unstable-24-09-2023"; + src = pkgs.fetchFromGitHub { + owner = "ihabunek"; + repo = "toot"; + rev = "30857f570d64a26da80d0024227a8259f7cb65b5"; + sha256 = "sha256-BxrI7UY9bfqPzS+VLqCFSmu4PkIkvhntcEeNJb1AzOs="; + }; + }); send-toot = pkgs.writeScriptBin "send-toot" '' set -eux # toot is using the requests library internally. This library @@ -164,9 +176,12 @@ import ./make-test-python.nix ({ pkgs, ... }: ''; tls-cert = pkgs.runCommand "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } '' - openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -subj '/CN=pleroma.nixos.test' -days 36500 mkdir -p $out - cp key.pem cert.pem $out + openssl req -x509 \ + -subj '/CN=pleroma.nixos.test/' -days 49710 \ + -addext 'subjectAltName = DNS:pleroma.nixos.test' \ + -keyout "$out/key.pem" -newkey ed25519 \ + -out "$out/cert.pem" -noenc ''; hosts = nodes: '' @@ -180,7 +195,7 @@ import ./make-test-python.nix ({ pkgs, ... }: security.pki.certificateFiles = [ "${tls-cert}/cert.pem" ]; networking.extraHosts = hosts nodes; environment.systemPackages = with pkgs; [ - toot + patched-toot send-toot ]; }; diff --git a/nixpkgs/nixos/tests/printing.nix b/nixpkgs/nixos/tests/printing.nix index 7df042e72e90..29c5d810f215 100644 --- a/nixpkgs/nixos/tests/printing.nix +++ b/nixpkgs/nixos/tests/printing.nix @@ -19,6 +19,7 @@ import ./make-test-python.nix ( startWhenNeeded = socket; listenAddresses = [ "*:631" ]; defaultShared = true; + openFirewall = true; extraConf = '' <Location /> Order allow,deny 
@@ -26,7 +27,6 @@ import ./make-test-python.nix ( </Location> ''; }; - networking.firewall.allowedTCPPorts = [ 631 ]; # Add a HP Deskjet printer connected via USB to the server. hardware.printers.ensurePrinters = [{ name = "DeskjetLocal"; diff --git a/nixpkgs/nixos/tests/prometheus-exporters.nix b/nixpkgs/nixos/tests/prometheus-exporters.nix index 7fd824967206..7840130d4a36 100644 --- a/nixpkgs/nixos/tests/prometheus-exporters.nix +++ b/nixpkgs/nixos/tests/prometheus-exporters.nix @@ -257,6 +257,21 @@ let ''; }; + exportarr-sonarr = { + nodeName = "exportarr_sonarr"; + exporterConfig = { + enable = true; + url = "http://127.0.0.1:8989"; + # testing for real data is tricky, because the api key can not be preconfigured + apiKeyFile = pkgs.writeText "dummy-api-key" "eccff6a992bc2e4b88e46d064b26bb4e"; + }; + exporterTest = '' + wait_for_unit("prometheus-exportarr-sonarr-exporter.service") + wait_for_open_port(9707) + succeed("curl -sSf 'http://localhost:9707/metrics") + ''; + }; + fastly = { exporterConfig = { enable = true; @@ -471,7 +486,7 @@ let services.knot = { enable = true; extraArgs = [ "-v" ]; - extraConfig = '' + settingsFile = pkgs.writeText "knot.conf" '' server: listen: 127.0.0.1@53 @@ -969,7 +984,7 @@ let pgbouncer = { exporterConfig = { enable = true; - connectionString = "postgres://admin:@localhost:6432/pgbouncer?sslmode=disable"; + connectionStringFile = pkgs.writeText "connection.conf" "postgres://admin:@localhost:6432/pgbouncer?sslmode=disable"; }; metricProvider = { 
@@ -1318,12 +1333,12 @@ let wait_for_open_port(9374) wait_until_succeeds( "curl -sSf localhost:9374/metrics | grep '{}' | grep -v ' 0$'".format( - 'smokeping_requests_total{host="127.0.0.1",ip="127.0.0.1"} ' + 'smokeping_requests_total{host="127.0.0.1",ip="127.0.0.1",source=""} ' ) ) wait_until_succeeds( "curl -sSf localhost:9374/metrics | grep '{}'".format( - 'smokeping_response_ttl{host="127.0.0.1",ip="127.0.0.1"}' + 'smokeping_response_ttl{host="127.0.0.1",ip="127.0.0.1",source=""}' ) ) ''; diff --git a/nixpkgs/nixos/tests/restic.nix b/nixpkgs/nixos/tests/restic.nix index 54fdc1d3995c..4111720cf6be 100644 --- a/nixpkgs/nixos/tests/restic.nix +++ b/nixpkgs/nixos/tests/restic.nix @@ -4,6 +4,7 @@ import ./make-test-python.nix ( let remoteRepository = "/root/restic-backup"; remoteFromFileRepository = "/root/restic-backup-from-file"; + remoteNoInitRepository = "/root/restic-backup-no-init"; rcloneRepository = "rclone:local:/root/restic-rclone-backup"; backupPrepareCommand = '' @@ -54,6 +55,7 @@ import ./make-test-python.nix ( inherit passwordFile paths exclude pruneOpts backupPrepareCommand backupCleanupCommand; repository = remoteRepository; initialize = true; + timerConfig = null; # has no effect here, just checking that it doesn't break the service }; remote-from-file-backup = { inherit passwordFile exclude pruneOpts; @@ -64,6 +66,11 @@ import ./make-test-python.nix ( find /opt -mindepth 1 -maxdepth 1 ! -name a_dir # all files in /opt except for a_dir ''; }; + remote-noinit-backup = { + inherit passwordFile exclude pruneOpts paths; + initialize = false; + repository = remoteNoInitRepository; + }; rclonebackup = { inherit passwordFile paths exclude pruneOpts; initialize = true; 
@@ -114,6 +121,7 @@ import ./make-test-python.nix ( "cp -rT ${testDir} /opt", "touch /opt/excluded_file_1 /opt/excluded_file_2", "mkdir -p /root/restic-rclone-backup", + "restic-remote-noinit-backup init", # test that remotebackup runs custom commands and produces a snapshot "timedatectl set-time '2016-12-13 13:45'", @@ -130,6 +138,10 @@ import ./make-test-python.nix ( "systemctl start restic-backups-remote-from-file-backup.service", 'restic-remote-from-file-backup snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"', + # test that remote-noinit-backup produces a snapshot + "systemctl start restic-backups-remote-noinit-backup.service", + 'restic-remote-noinit-backup snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"', + # test that restoring that snapshot produces the same directory "mkdir /tmp/restore-2", "${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} restore latest -t /tmp/restore-2", diff --git a/nixpkgs/nixos/tests/shattered-pixel-dungeon.nix b/nixpkgs/nixos/tests/shattered-pixel-dungeon.nix index a256bbdfd735..b4ac1670b5ca 100644 --- a/nixpkgs/nixos/tests/shattered-pixel-dungeon.nix +++ b/nixpkgs/nixos/tests/shattered-pixel-dungeon.nix @@ -21,9 +21,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { machine.wait_for_x() machine.execute("shattered-pixel-dungeon >&2 &") machine.wait_for_window(r"Shattered Pixel Dungeon") - machine.sleep(5) - if "Enter" not in machine.get_screen_text(): - raise Exception("Program did not start successfully") + machine.wait_for_text("Enter") machine.screenshot("screen") ''; }) diff --git a/nixpkgs/nixos/tests/sourcehut.nix b/nixpkgs/nixos/tests/sourcehut.nix index 87e6d82bdd8f..0b258acc2af1 100644 --- a/nixpkgs/nixos/tests/sourcehut.nix +++ b/nixpkgs/nixos/tests/sourcehut.nix 
@@ -126,6 +126,7 @@ in virtualisation.diskSize = 4 * 1024; virtualisation.memorySize = 2 * 1024; networking.domain = domain; + networking.enableIPv6 = false; networking.extraHosts = '' ${config.networking.primaryIPAddress} builds.${domain} ${config.networking.primaryIPAddress} git.${domain} @@ -134,11 +135,6 @@ in services.sourcehut = { enable = true; - services = [ - "builds" - "git" - "meta" - ]; nginx.enable = true; nginx.virtualHost = { forceSSL = true; diff --git a/nixpkgs/nixos/tests/sudo.nix b/nixpkgs/nixos/tests/sudo.nix index 1b177391488d..1fe478f0bff1 100644 --- a/nixpkgs/nixos/tests/sudo.nix +++ b/nixpkgs/nixos/tests/sudo.nix @@ -21,7 +21,8 @@ in }; security.sudo = { - enable = true; + # Explicitly _not_ defining 'enable = true;' here, to check that sudo is enabled by default + wheelNeedsPassword = false; extraConfig = '' diff --git a/nixpkgs/nixos/tests/systemd-boot.nix b/nixpkgs/nixos/tests/systemd-boot.nix index 7d334326cca9..13007d0d80d8 100644 --- a/nixpkgs/nixos/tests/systemd-boot.nix +++ b/nixpkgs/nixos/tests/systemd-boot.nix @@ -18,7 +18,7 @@ in { basic = makeTest { name = "systemd-boot"; - meta.maintainers = with pkgs.lib.maintainers; [ danielfullmer ]; + meta.maintainers = with pkgs.lib.maintainers; [ danielfullmer julienmalka ]; nodes.machine = common; @@ -42,7 +42,7 @@ in # Check that specialisations create corresponding boot entries. specialisation = makeTest { name = "systemd-boot-specialisation"; - meta.maintainers = with pkgs.lib.maintainers; [ lukegb ]; + meta.maintainers = with pkgs.lib.maintainers; [ lukegb julienmalka ]; nodes.machine = { pkgs, lib, ... }: { imports = [ common ]; 
@@ -65,7 +65,7 @@ in # Boot without having created an EFI entry--instead using default "/EFI/BOOT/BOOTX64.EFI" fallback = makeTest { name = "systemd-boot-fallback"; - meta.maintainers = with pkgs.lib.maintainers; [ danielfullmer ]; + meta.maintainers = with pkgs.lib.maintainers; [ danielfullmer julienmalka ]; nodes.machine = { pkgs, lib, ... }: { imports = [ common ]; @@ -91,7 +91,7 @@ in update = makeTest { name = "systemd-boot-update"; - meta.maintainers = with pkgs.lib.maintainers; [ danielfullmer ]; + meta.maintainers = with pkgs.lib.maintainers; [ danielfullmer julienmalka ]; nodes.machine = common; @@ -113,7 +113,7 @@ in memtest86 = makeTest { name = "systemd-boot-memtest86"; - meta.maintainers = with pkgs.lib.maintainers; [ Enzime ]; + meta.maintainers = with pkgs.lib.maintainers; [ Enzime julienmalka ]; nodes.machine = { pkgs, lib, ... }: { imports = [ common ]; @@ -128,7 +128,7 @@ in netbootxyz = makeTest { name = "systemd-boot-netbootxyz"; - meta.maintainers = with pkgs.lib.maintainers; [ Enzime ]; + meta.maintainers = with pkgs.lib.maintainers; [ Enzime julienmalka ]; nodes.machine = { pkgs, lib, ... }: { imports = [ common ]; @@ -143,7 +143,7 @@ in entryFilename = makeTest { name = "systemd-boot-entry-filename"; - meta.maintainers = with pkgs.lib.maintainers; [ Enzime ]; + meta.maintainers = with pkgs.lib.maintainers; [ Enzime julienmalka ]; nodes.machine = { pkgs, lib, ... }: { imports = [ common ]; @@ -160,7 +160,7 @@ in extraEntries = makeTest { name = "systemd-boot-extra-entries"; - meta.maintainers = with pkgs.lib.maintainers; [ Enzime ]; + meta.maintainers = with pkgs.lib.maintainers; [ Enzime julienmalka ]; nodes.machine = { pkgs, lib, ... }: { imports = [ common ]; @@ -179,7 +179,7 @@ in extraFiles = makeTest { name = "systemd-boot-extra-files"; - meta.maintainers = with pkgs.lib.maintainers; [ Enzime ]; + meta.maintainers = with pkgs.lib.maintainers; [ Enzime julienmalka ]; nodes.machine = { pkgs, lib, ... }: { imports = [ common ]; 
@@ -196,7 +196,7 @@ in switch-test = makeTest { name = "systemd-boot-switch-test"; - meta.maintainers = with pkgs.lib.maintainers; [ Enzime ]; + meta.maintainers = with pkgs.lib.maintainers; [ Enzime julienmalka ]; nodes = { inherit common; @@ -256,7 +256,7 @@ in # itself, systems with such firmware won't boot without this fix uefiLargeFileWorkaround = makeTest { name = "uefi-large-file-workaround"; - + meta.maintainers = with pkgs.lib.maintainers; [ julienmalka ]; nodes.machine = { pkgs, ... }: { imports = [common]; virtualisation.efi.OVMF = pkgs.OVMF.overrideAttrs (old: { diff --git a/nixpkgs/nixos/tests/systemd-initrd-modprobe.nix b/nixpkgs/nixos/tests/systemd-initrd-modprobe.nix index bf635a10d0e9..0f93492176b4 100644 --- a/nixpkgs/nixos/tests/systemd-initrd-modprobe.nix +++ b/nixpkgs/nixos/tests/systemd-initrd-modprobe.nix @@ -2,6 +2,7 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { name = "systemd-initrd-modprobe"; nodes.machine = { pkgs, ... }: { + testing.initrdBackdoor = true; boot.initrd.systemd.enable = true; boot.initrd.kernelModules = [ "loop" ]; # Load module in initrd. boot.extraModprobeConfig = '' @@ -10,6 +11,12 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { }; testScript = '' + machine.wait_for_unit("initrd.target") + max_loop = machine.succeed("cat /sys/module/loop/parameters/max_loop") + assert int(max_loop) == 42, "Parameter should be respected for initrd kernel modules" + + # Make sure it sticks in stage 2 + machine.switch_root() machine.wait_for_unit("multi-user.target") max_loop = machine.succeed("cat /sys/module/loop/parameters/max_loop") assert int(max_loop) == 42, "Parameter should be respected for initrd kernel modules" diff --git a/nixpkgs/nixos/tests/systemd-initrd-networkd-ssh.nix b/nixpkgs/nixos/tests/systemd-initrd-networkd-ssh.nix index 6aaa6c828f7b..d4c168f40e29 100644 --- a/nixpkgs/nixos/tests/systemd-initrd-networkd-ssh.nix +++ b/nixpkgs/nixos/tests/systemd-initrd-networkd-ssh.nix 
@@ -4,34 +4,16 @@ import ./make-test-python.nix ({ lib, ... }: { nodes = { server = { config, pkgs, ... }: { - environment.systemPackages = [ pkgs.cryptsetup ]; - boot.loader.systemd-boot.enable = true; - boot.loader.timeout = 0; - virtualisation = { - emptyDiskImages = [ 4096 ]; - useBootLoader = true; - # Booting off the encrypted disk requires an available init script from - # the Nix store - mountHostNixStore = true; - useEFIBoot = true; - }; - - specialisation.encrypted-root.configuration = { - virtualisation.rootDevice = "/dev/mapper/root"; - virtualisation.fileSystems."/".autoFormat = true; - boot.initrd.luks.devices = lib.mkVMOverride { - root.device = "/dev/vdb"; - }; - boot.initrd.systemd.enable = true; - boot.initrd.network = { + testing.initrdBackdoor = true; + boot.initrd.systemd.enable = true; + boot.initrd.systemd.contents."/etc/msg".text = "foo"; + boot.initrd.network = { + enable = true; + ssh = { enable = true; - ssh = { - enable = true; - authorizedKeys = [ (lib.readFile ./initrd-network-ssh/id_ed25519.pub) ]; - port = 22; - # Terrible hack so it works with useBootLoader - hostKeys = [ { outPath = "${./initrd-network-ssh/ssh_host_ed25519_key}"; } ]; - }; + authorizedKeys = [ (lib.readFile ./initrd-network-ssh/id_ed25519.pub) ]; + port = 22; + hostKeys = [ ./initrd-network-ssh/ssh_host_ed25519_key ]; }; }; }; 
@@ -63,24 +45,16 @@ import ./make-test-python.nix ({ lib, ... }: { status, _ = client.execute("nc -z server 22") return status == 0 - server.wait_for_unit("multi-user.target") - server.succeed( - "echo somepass | cryptsetup luksFormat --type=luks2 /dev/vdb", - "bootctl set-default nixos-generation-1-specialisation-encrypted-root.conf", - "sync", - ) - server.shutdown() - server.start() - client.wait_for_unit("network.target") with client.nested("waiting for SSH server to come up"): retry(ssh_is_up) - client.succeed( - "echo somepass | ssh -i /etc/sshKey -o UserKnownHostsFile=/etc/knownHosts server 'systemd-tty-ask-password-agent' & exit" + msg = client.succeed( + "ssh -i /etc/sshKey -o UserKnownHostsFile=/etc/knownHosts server 'cat /etc/msg'" ) + assert "foo" in msg + server.switch_root() server.wait_for_unit("multi-user.target") - server.succeed("mount | grep '/dev/mapper/root on /'") ''; }) diff --git a/nixpkgs/nixos/tests/systemd-initrd-networkd.nix b/nixpkgs/nixos/tests/systemd-initrd-networkd.nix index 8376276d8f63..9c4ddb6e4b36 100644 --- a/nixpkgs/nixos/tests/systemd-initrd-networkd.nix +++ b/nixpkgs/nixos/tests/systemd-initrd-networkd.nix 
@@ -1,14 +1,36 @@ -import ./make-test-python.nix ({ pkgs, lib, ... }: { - name = "systemd-initrd-network"; - meta.maintainers = [ lib.maintainers.elvishjerricco ]; +{ system ? builtins.currentSystem +, config ? {} +, pkgs ? import ../.. { inherit system config; } +, lib ? pkgs.lib +}: - nodes = let - mkFlushTest = flush: script: { ... }: { - boot.initrd.systemd.enable = true; - boot.initrd.network = { - enable = true; - flushBeforeStage2 = flush; - }; +with import ../lib/testing-python.nix { inherit system pkgs; }; + +let + inherit (lib.maintainers) elvishjerricco; + + common = { + boot.initrd.systemd = { + enable = true; + network.wait-online.timeout = 10; + network.wait-online.anyInterface = true; + targets.network-online.requiredBy = [ "initrd.target" ]; + services.systemd-networkd-wait-online.requiredBy = + [ "network-online.target" ]; + initrdBin = [ pkgs.iproute2 pkgs.iputils pkgs.gnugrep ]; + }; + testing.initrdBackdoor = true; + boot.initrd.network.enable = true; + }; + + mkFlushTest = flush: script: makeTest { + name = "systemd-initrd-network-${lib.optionalString (!flush) "no-"}flush"; + meta.maintainers = [ elvishjerricco ]; + + nodes.machine = { + imports = [ common ]; + + boot.initrd.network.flushBeforeStage2 = flush; systemd.services.check-flush = { requiredBy = ["multi-user.target"]; before = ["network-pre.target" "multi-user.target"]; 
@@ -19,57 +41,53 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { inherit script; }; }; - in { - basic = { ... }: { - boot.initrd.network.enable = true; - boot.initrd.systemd = { - enable = true; - # Enable network-online to fail the test in case of timeout - network.wait-online.timeout = 10; - network.wait-online.anyInterface = true; - targets.network-online.requiredBy = [ "initrd.target" ]; - services.systemd-networkd-wait-online.requiredBy = - [ "network-online.target" ]; + testScript = '' + machine.wait_for_unit("network-online.target") + machine.succeed( + "ip addr | grep 10.0.2.15", + "ping -c1 10.0.2.2", + ) + machine.switch_root() - initrdBin = [ pkgs.iproute2 pkgs.iputils pkgs.gnugrep ]; - services.check = { - requiredBy = [ "initrd.target" ]; - before = [ "initrd.target" ]; - after = [ "network-online.target" ]; - serviceConfig.Type = "oneshot"; - path = [ pkgs.iproute2 pkgs.iputils pkgs.gnugrep ]; - script = '' - ip addr | grep 10.0.2.15 || exit 1 - ping -c1 10.0.2.2 || exit 1 - ''; - }; - }; - }; - - doFlush = mkFlushTest true '' - if ip addr | grep 10.0.2.15; then - echo "Network configuration survived switch-root; flushBeforeStage2 failed" - exit 1 - fi + machine.wait_for_unit("multi-user.target") ''; + }; + +in { + basic = makeTest { + name = "systemd-initrd-network"; + meta.maintainers = [ elvishjerricco ]; - dontFlush = mkFlushTest false '' - if ! 
(ip addr | grep 10.0.2.15); then - echo "Network configuration didn't survive switch-root" - exit 1 - fi + nodes.machine = common; + + testScript = '' + machine.wait_for_unit("network-online.target") + machine.succeed( + "ip addr | grep 10.0.2.15", + "ping -c1 10.0.2.2", + ) + machine.switch_root() + + # Make sure the systemd-network user was set correctly in initrd + machine.wait_for_unit("multi-user.target") + machine.succeed("[ $(stat -c '%U,%G' /run/systemd/netif/links) = systemd-network,systemd-network ]") + machine.succeed("ip addr show >&2") + machine.succeed("ip route show >&2") ''; }; - testScript = '' - start_all() - basic.wait_for_unit("multi-user.target") - doFlush.wait_for_unit("multi-user.target") - dontFlush.wait_for_unit("multi-user.target") - # Make sure the systemd-network user was set correctly in initrd - basic.succeed("[ $(stat -c '%U,%G' /run/systemd/netif/links) = systemd-network,systemd-network ]") - basic.succeed("ip addr show >&2") - basic.succeed("ip route show >&2") + doFlush = mkFlushTest true '' + if ip addr | grep 10.0.2.15; then + echo "Network configuration survived switch-root; flushBeforeStage2 failed" + exit 1 + fi + ''; + + dontFlush = mkFlushTest false '' + if ! (ip addr | grep 10.0.2.15); then + echo "Network configuration didn't survive switch-root" + exit 1 + fi ''; -}) +} diff --git a/nixpkgs/nixos/tests/systemd-initrd-simple.nix b/nixpkgs/nixos/tests/systemd-initrd-simple.nix index a6a22e9d48e0..2b7283a82193 100644 --- a/nixpkgs/nixos/tests/systemd-initrd-simple.nix +++ b/nixpkgs/nixos/tests/systemd-initrd-simple.nix 
@@ -2,16 +2,19 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { name = "systemd-initrd-simple"; nodes.machine = { pkgs, ... }: { - boot.initrd.systemd = { - enable = true; - emergencyAccess = true; - }; + testing.initrdBackdoor = true; + boot.initrd.systemd.enable = true; virtualisation.fileSystems."/".autoResize = true; }; testScript = '' import subprocess + with subtest("testing initrd backdoor"): + machine.wait_for_unit("initrd.target") + machine.succeed("systemctl status initrd-fs.target") + machine.switch_root() + with subtest("handover to stage-2 systemd works"): machine.wait_for_unit("multi-user.target") machine.succeed("systemd-analyze | grep -q '(initrd)'") # direct handover @@ -37,6 +40,7 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { subprocess.check_call(["qemu-img", "resize", "vm-state-machine/machine.qcow2", "+1G"]) machine.start() + machine.switch_root() newAvail = machine.succeed("df --output=avail / | sed 1d") assert int(oldAvail) < int(newAvail), "File system did not grow" diff --git a/nixpkgs/nixos/tests/systemd-networkd.nix b/nixpkgs/nixos/tests/systemd-networkd.nix index 6c423f4140b1..6b241b93d511 100644 --- a/nixpkgs/nixos/tests/systemd-networkd.nix +++ b/nixpkgs/nixos/tests/systemd-networkd.nix @@ -65,7 +65,7 @@ let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: { in import ./make-test-python.nix ({pkgs, ... }: { name = "networkd"; meta = with pkgs.lib.maintainers; { - maintainers = [ ninjatrappeur ]; + maintainers = [ picnoir ]; }; nodes = { node1 = { pkgs, ... }@attrs: diff --git a/nixpkgs/nixos/tests/tandoor-recipes.nix b/nixpkgs/nixos/tests/tandoor-recipes.nix index 54456238fe63..f3369da99a05 100644 --- a/nixpkgs/nixos/tests/tandoor-recipes.nix +++ b/nixpkgs/nixos/tests/tandoor-recipes.nix 
@@ -3,33 +3,8 @@ import ./make-test-python.nix ({ lib, ... }: { meta.maintainers = with lib.maintainers; [ ambroisie ]; nodes.machine = { pkgs, ... }: { - # Setup using Postgres services.tandoor-recipes = { enable = true; - - extraConfig = { - DB_ENGINE = "django.db.backends.postgresql"; - POSTGRES_HOST = "/run/postgresql"; - POSTGRES_USER = "tandoor_recipes"; - POSTGRES_DB = "tandoor_recipes"; - }; - }; - - services.postgresql = { - enable = true; - ensureDatabases = [ "tandoor_recipes" ]; - ensureUsers = [ - { - name = "tandoor_recipes"; - ensurePermissions."DATABASE tandoor_recipes" = "ALL PRIVILEGES"; - } - ]; - }; - - systemd.services = { - tandoor-recipes = { - after = [ "postgresql.service" ]; - }; }; }; diff --git a/nixpkgs/nixos/tests/udisks2.nix b/nixpkgs/nixos/tests/udisks2.nix index 6afb200f8566..8cc148750c7b 100644 --- a/nixpkgs/nixos/tests/udisks2.nix +++ b/nixpkgs/nixos/tests/udisks2.nix @@ -32,6 +32,9 @@ in '' import lzma + machine.systemctl("start udisks2") + machine.wait_for_unit("udisks2.service") + with lzma.open( "${stick}" ) as data, open(machine.state_dir / "usbstick.img", "wb") as stick: diff --git a/nixpkgs/nixos/tests/vaultwarden.nix b/nixpkgs/nixos/tests/vaultwarden.nix index 95d00c1d8ec1..9d2f0e6ab060 100644 --- a/nixpkgs/nixos/tests/vaultwarden.nix +++ b/nixpkgs/nixos/tests/vaultwarden.nix @@ -54,9 +54,8 @@ let services.postgresql = { enable = true; initialScript = pkgs.writeText "postgresql-init.sql" '' - CREATE DATABASE bitwarden; CREATE USER bitwardenuser WITH PASSWORD '${dbPassword}'; - GRANT ALL PRIVILEGES ON DATABASE bitwarden TO bitwardenuser; + CREATE DATABASE bitwarden WITH OWNER bitwardenuser; ''; }; @@ -174,7 +173,7 @@ let ) with subtest("use the web interface to sign up, log in, and save a password"): - server.succeed("PYTHONUNBUFFERED=1 test-runner | systemd-cat -t test-runner") + server.succeed("PYTHONUNBUFFERED=1 systemd-cat -t test-runner test-runner") with subtest("log in with the cli"): key = client.succeed( 
diff --git a/nixpkgs/nixos/tests/web-apps/mastodon/remote-postgresql.nix b/nixpkgs/nixos/tests/web-apps/mastodon/remote-postgresql.nix index 715477191bfb..6548883db452 100644 --- a/nixpkgs/nixos/tests/web-apps/mastodon/remote-postgresql.nix +++ b/nixpkgs/nixos/tests/web-apps/mastodon/remote-postgresql.nix @@ -16,7 +16,7 @@ in meta.maintainers = with pkgs.lib.maintainers; [ erictapen izorkin ]; nodes = { - database = { + database = { config, ... }: { networking = { interfaces.eth1 = { ipv4.addresses = [ @@ -24,11 +24,13 @@ in ]; }; extraHosts = hosts; - firewall.allowedTCPPorts = [ 5432 ]; + firewall.allowedTCPPorts = [ config.services.postgresql.port ]; }; services.postgresql = { enable = true; + # TODO remove once https://github.com/NixOS/nixpkgs/pull/266270 is resolved. + package = pkgs.postgresql_14; enableTCPIP = true; authentication = '' hostnossl mastodon_local mastodon_test 192.168.2.201/32 md5 @@ -41,7 +43,7 @@ in }; }; - nginx = { + nginx = { nodes, ... }: { networking = { interfaces.eth1 = { ipv4.addresses = [ @@ -69,18 +71,14 @@ in tryFiles = "$uri @proxy"; }; locations."@proxy" = { - proxyPass = "http://192.168.2.201:55001"; - proxyWebsockets = true; - }; - locations."/api/v1/streaming/" = { - proxyPass = "http://192.168.2.201:55002"; + proxyPass = "http://192.168.2.201:${toString nodes.server.services.mastodon.webPort}"; proxyWebsockets = true; }; }; }; }; - server = { pkgs, ... }: { + server = { config, pkgs, ... }: { virtualisation.memorySize = 2048; environment = { @@ -98,7 +96,10 @@ in ]; }; extraHosts = hosts; - firewall.allowedTCPPorts = [ 55001 55002 ]; + firewall.allowedTCPPorts = [ + config.services.mastodon.webPort + config.services.mastodon.sidekiqPort + ]; }; services.mastodon = { @@ -106,6 +107,7 @@ in configureNginx = false; localDomain = "mastodon.local"; enableUnixSocket = false; + streamingProcesses = 2; database = { createLocally = false; host = "192.168.2.102"; 
diff --git a/nixpkgs/nixos/tests/web-apps/mastodon/script.nix b/nixpkgs/nixos/tests/web-apps/mastodon/script.nix index a89b4b7480e9..afb7c0e0a0eb 100644 --- a/nixpkgs/nixos/tests/web-apps/mastodon/script.nix +++ b/nixpkgs/nixos/tests/web-apps/mastodon/script.nix @@ -10,9 +10,8 @@ server.wait_for_unit("redis-mastodon.service") server.wait_for_unit("mastodon-sidekiq-all.service") - server.wait_for_unit("mastodon-streaming.service") + server.wait_for_unit("mastodon-streaming.target") server.wait_for_unit("mastodon-web.service") - server.wait_for_open_port(55000) server.wait_for_open_port(55001) # Check that mastodon-media-auto-remove is scheduled diff --git a/nixpkgs/nixos/tests/web-apps/mastodon/standard.nix b/nixpkgs/nixos/tests/web-apps/mastodon/standard.nix index 14311afea3f7..e5eb30fef597 100644 --- a/nixpkgs/nixos/tests/web-apps/mastodon/standard.nix +++ b/nixpkgs/nixos/tests/web-apps/mastodon/standard.nix @@ -40,11 +40,15 @@ in port = 31637; }; + # TODO remove once https://github.com/NixOS/nixpkgs/pull/266270 is resolved. + services.postgresql.package = pkgs.postgresql_14; + services.mastodon = { enable = true; configureNginx = true; localDomain = "mastodon.local"; enableUnixSocket = false; + streamingProcesses = 2; smtp = { createLocally = false; fromAddress = "mastodon@mastodon.local"; diff --git a/nixpkgs/nixos/tests/xmpp/ejabberd.nix b/nixpkgs/nixos/tests/xmpp/ejabberd.nix index 7926fe80de2f..1a807b27b6f6 100644 --- a/nixpkgs/nixos/tests/xmpp/ejabberd.nix +++ b/nixpkgs/nixos/tests/xmpp/ejabberd.nix @@ -1,7 +1,7 @@ import ../make-test-python.nix ({ pkgs, ... }: { name = "ejabberd"; meta = with pkgs.lib.maintainers; { - maintainers = [ ajs124 ]; + maintainers = [ ]; }; nodes = { client = { nodes, pkgs, ... }: { diff --git a/nixpkgs/nixos/tests/zwave-js.nix b/nixpkgs/nixos/tests/zwave-js.nix new file mode 100644 index 000000000000..9239e6964fd7 --- /dev/null +++ b/nixpkgs/nixos/tests/zwave-js.nix 
@@ -0,0 +1,31 @@ +import ./make-test-python.nix ({ pkgs, lib, ...} : + +let + secretsConfigFile = pkgs.writeText "secrets.json" (builtins.toJSON { + securityKeys = { + "S0_Legacy" = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; + }; + }); +in { + name = "zwave-js"; + meta.maintainers = with lib.maintainers; [ graham33 ]; + + nodes = { + machine = { config, ... }: { + services.zwave-js = { + enable = true; + serialPort = "/dev/null"; + extraFlags = ["--mock-driver"]; + inherit secretsConfigFile; + }; + }; + }; + + testScript = '' + start_all() + + machine.wait_for_unit("zwave-js.service") + machine.wait_for_open_port(3000) + machine.wait_until_succeeds("journalctl --since -1m --unit zwave-js --grep 'ZwaveJS server listening'") + ''; +}) |
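Review bot: Dropping the whole Postgres block from the tandoor-recipes test removes the only coverage of the `django.db.backends.postgresql` engine and of the `/run/postgresql` socket path, and nothing in the hunk replaces it; the test now exercises only the module's default database backend. If the motivation is moving away from `ensurePermissions` (the vaultwarden hunk in this same merge replaces `GRANT ALL PRIVILEGES` with database ownership, which looks like the same migration), keep a Postgres variant that makes `tandoor_recipes` the database owner instead of deleting the setup, or state in the commit message why the Postgres path is no longer tested.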
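Review bot: The added `machine.systemctl("start udisks2")` in the udisks2 test deserves a one-line comment: udisks2 is normally activated on demand over D-Bus, so starting it explicitly before `wait_for_unit("udisks2.service")` means the test no longer exercises that activation path. If the explicit start is only there to make the wait deterministic, say so in the test.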
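Review bot: In the vaultwarden test, `CREATE DATABASE bitwarden WITH OWNER bitwardenuser` gives the role more than the removed `GRANT ALL PRIVILEGES ON DATABASE` did (an owner can drop the database, and on PostgreSQL 15+ owns the `public` schema, which is what keeps table creation working); fine for a test, but the commit message should say this is the intended replacement rather than a drive-by. The second hunk is a real fix that should also be named in the message: `test-runner | systemd-cat -t test-runner` reported the exit status of `systemd-cat`, so a failing `test-runner` still let `server.succeed(...)` pass, whereas `systemd-cat -t test-runner test-runner` runs the program as systemd-cat's command and propagates its exit status.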
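Review bot: In remote-postgresql.nix, deriving the firewall ports and proxy target from `config.services.postgresql.port` and `nodes.server.services.mastodon.webPort` instead of the literals 5432/55001/55002 is the right direction, but the `locations."/api/v1/streaming/"` block is removed outright, so the separate nginx node no longer proxies the streaming API and the test no longer checks it; say how streaming is reached now (the new `streamingProcesses = 2` suggests a changed layout) or add a check. The `# TODO remove once .../pull/266270 is resolved` pin to `pkgs.postgresql_14` appears in both this file and standard.nix and should be tracked so it does not outlive that PR. Unchanged context worth a comment: `hostnossl mastodon_local mastodon_test 192.168.2.201/32 md5` accepts password authentication over a non-TLS connection, acceptable inside the test network but not something to copy into a real `authentication` block.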
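Review bot: In script.nix, replacing `wait_for_unit("mastodon-streaming.service")` with `mastodon-streaming.target` and dropping `wait_for_open_port(55000)` means the script no longer verifies that any streaming process is actually up and listening; a target only reports that its wanted units were started. Add a wait on one of the streaming instance units, or a request against the streaming endpoint, so a crashing streaming process is still caught by the test.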
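Review bot: In the new zwave-js test, `secretsConfigFile` is produced with `pkgs.writeText`, so the `S0_Legacy` key ends up in the world-readable Nix store. That is fine here (the driver is `--mock-driver` against `serialPort = "/dev/null"` and the key is the obvious all-`A` placeholder), but add a comment saying the key is a dummy and that a real deployment must point `secretsConfigFile` at a file kept outside the store, since this test is the example people will copy. Minor: the `config` argument in `machine = { config, ... }:` is unused and can be dropped.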
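Review bot: Setting `maintainers = [ ];` in the ejabberd test leaves nobody to be pinged when it fails; if ajs124 stepped down, the commit message should say so, and a replacement maintainer should be sought before the list is left empty.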
