diff options
| author | Alyssa Ross <hi@alyssa.is> | 2023-12-15 19:32:38 +0100 |
|---|---|---|
| committer | Alyssa Ross <hi@alyssa.is> | 2023-12-15 19:32:38 +0100 |
| commit | 6b8e2555ef013b579cda57025b17d662e0f1fe1f (patch) | |
| tree | 5a83c673af26c9976acd5a5dfa20e09e06898047 /nixpkgs/nixos | |
| parent | 66ca7a150b5c051f0728f13134e6265cc46f370c (diff) | |
| parent | 02357adddd0889782362d999628de9d309d202dc (diff) | |
| download | nixlib-6b8e2555ef013b579cda57025b17d662e0f1fe1f.tar nixlib-6b8e2555ef013b579cda57025b17d662e0f1fe1f.tar.gz nixlib-6b8e2555ef013b579cda57025b17d662e0f1fe1f.tar.bz2 nixlib-6b8e2555ef013b579cda57025b17d662e0f1fe1f.tar.lz nixlib-6b8e2555ef013b579cda57025b17d662e0f1fe1f.tar.xz nixlib-6b8e2555ef013b579cda57025b17d662e0f1fe1f.tar.zst nixlib-6b8e2555ef013b579cda57025b17d662e0f1fe1f.zip | |
Merge branch 'nixos-unstable-small' of https://github.com/NixOS/nixpkgs
Diffstat (limited to 'nixpkgs/nixos')
132 files changed, 2170 insertions, 444 deletions
diff --git a/nixpkgs/nixos/doc/manual/administration/nixos-state.section.md b/nixpkgs/nixos/doc/manual/administration/nixos-state.section.md new file mode 100644 index 000000000000..9819d613198c --- /dev/null +++ b/nixpkgs/nixos/doc/manual/administration/nixos-state.section.md @@ -0,0 +1,28 @@ +# NixOS {#sec-nixos-state} + +## `/nix` {#sec-state-nix} + +NixOS needs the entirety of `/nix` to be persistent, as it includes: +- `/nix/store`, which contains all the system's executables, libraries, and supporting data; +- `/nix/var/nix`, which contains: + - the Nix daemon's database; + - roots whose transitive closure is preserved when garbage-collecting the Nix store; + - system-wide and per-user profiles. + +## `/boot` {#sec-state-boot} + +`/boot` should also be persistent, as it contains: +- the kernel and initrd which the bootloader loads, +- the bootloader's configuration, including the kernel's command-line which + determines the store path to use as system environment. + + +## Users and groups {#sec-state-users} + +- `/var/lib/nixos` should persist: it holds state needed to generate stable + uids and gids for declaratively-managed users and groups, etc. +- `users.mutableUsers` should be false, *or* the following files under `/etc` + should all persist: + - {manpage}`passwd(5)` and {manpage}`group(5)`, + - {manpage}`shadow(5)` and {manpage}`gshadow(5)`, + - {manpage}`subuid(5)` and {manpage}`subgid(5)`. diff --git a/nixpkgs/nixos/doc/manual/administration/running.md b/nixpkgs/nixos/doc/manual/administration/running.md index 48e8c7c6668b..83412d9b7af5 100644 --- a/nixpkgs/nixos/doc/manual/administration/running.md +++ b/nixpkgs/nixos/doc/manual/administration/running.md @@ -8,6 +8,7 @@ rebooting.chapter.md user-sessions.chapter.md control-groups.chapter.md logging.chapter.md +system-state.chapter.md cleaning-store.chapter.md containers.chapter.md troubleshooting.chapter.md diff --git a/nixpkgs/nixos/doc/manual/administration/system-state.chapter.md b/nixpkgs/nixos/doc/manual/administration/system-state.chapter.md new file mode 100644 index 000000000000..6840cc390257 --- /dev/null +++ b/nixpkgs/nixos/doc/manual/administration/system-state.chapter.md @@ -0,0 +1,17 @@ +# Necessary system state {#ch-system-state} + +Normally — on systems with a persistent `rootfs` — system services can persist state to +the filesystem without administrator intervention. + +However, it is possible and not-uncommon to create [impermanent systems], whose +`rootfs` is either a `tmpfs` or reset during boot. While NixOS itself supports +this kind of configuration, special care needs to be taken. + +[impermanent systems]: https://nixos.wiki/wiki/Impermanence + + +```{=include=} sections +nixos-state.section.md +systemd-state.section.md +zfs-state.section.md +``` diff --git a/nixpkgs/nixos/doc/manual/administration/systemd-state.section.md b/nixpkgs/nixos/doc/manual/administration/systemd-state.section.md new file mode 100644 index 000000000000..84f074871a65 --- /dev/null +++ b/nixpkgs/nixos/doc/manual/administration/systemd-state.section.md @@ -0,0 +1,52 @@ +# systemd {#sec-systemd-state} + +## `machine-id(5)` {#sec-machine-id} + +`systemd` uses per-machine identifier — {manpage}`machine-id(5)` — which must be +unique and persistent; otherwise, the system journal may fail to list earlier +boots, etc. + +`systemd` generates a random `machine-id(5)` during boot if it does not already exist, +and persists it in `/etc/machine-id`. As such, it suffices to make that file persistent. + +Alternatively, it is possible to generate a random `machine-id(5)`; while the +specification allows for *any* hex-encoded 128b value, systemd itself uses +[UUIDv4], *i.e.* random UUIDs, and it is thus preferable to do so as well, in +case some software assumes `machine-id(5)` to be a UUIDv4. Those can be +generated with `uuidgen -r | tr -d -` (`tr` being used to remove the dashes). + +Such a `machine-id(5)` can be set by writing it to `/etc/machine-id` or through +the kernel's command-line, though NixOS' systemd maintainers [discourage] the +latter approach. + +[UUIDv4]: https://en.wikipedia.org/wiki/Universally_unique_identifier#Version_4_(random) +[discourage]: https://github.com/NixOS/nixpkgs/pull/268995 + + +## `/var/lib/systemd` {#sec-var-systemd} + +Moreover, `systemd` expects its state directory — `/var/lib/systemd` — to persist, for: +- {manpage}`systemd-random-seed(8)`, which loads a 256b “seed” into the kernel's RNG + at boot time, and saves a fresh one during shutdown; +- {manpage}`systemd.timer(5)` with `Persistent=yes`, which are then run after boot if + the timer would have triggered during the time the system was shut down; +- {manpage}`systemd-coredump(8)` to store core dumps there by default; + (see {manpage}`coredump.conf(5)`) +- {manpage}`systemd-timesyncd(8)`; +- {manpage}`systemd-backlight(8)` and {manpage}`systemd-rfkill(8)` persist hardware-related + state; +- possibly other things, this list is not meant to be exhaustive. + +In any case, making `/var/lib/systemd` persistent is recommended. + + +## `/var/log/journal/{machine-id}` {#sec-var-journal} + +Lastly, {manpage}`systemd-journald(8)` writes the system's journal in binary +form to `/var/log/journal/{machine-id}`; if (locally) persisting the entire log +is desired, it is recommended to make all of `/var/log/journal` persistent. + +If not, one can set `Storage=volatile` in {manpage}`journald.conf(5)` +([`services.journald.storage = "volatile";`](#opt-services.journald.storage)), +which disables journal persistence and causes it to be written to +`/run/log/journal`. diff --git a/nixpkgs/nixos/doc/manual/administration/zfs-state.section.md b/nixpkgs/nixos/doc/manual/administration/zfs-state.section.md new file mode 100644 index 000000000000..11ad5badea7e --- /dev/null +++ b/nixpkgs/nixos/doc/manual/administration/zfs-state.section.md @@ -0,0 +1,16 @@ +# ZFS {#sec-zfs-state} + +When using ZFS, `/etc/zfs/zpool.cache` should be persistent (or a symlink to a persistent +location) as it is the default value for the `cachefile` [property](man:zpoolprops(7)). + +This cachefile is used on system startup to discover ZFS pools, so ZFS pools +holding the `rootfs` and/or early-boot datasets such as `/nix` can be set to +`cachefile=none`. + +In principle, if there are no other pools attached to the system, `zpool.cache` +does not need to be persisted; it is however *strongly recommended* to persist +it, in case additional pools are added later on, temporarily or permanently: + +While mishandling the cachefile does not lead to data loss by itself, it may +cause zpools not to be imported during boot, and services may then write to a +location where a dataset was expected to be mounted. diff --git a/nixpkgs/nixos/doc/manual/development/option-types.section.md b/nixpkgs/nixos/doc/manual/development/option-types.section.md index 2ad3d6c4f949..f9c7ac80018e 100644 --- a/nixpkgs/nixos/doc/manual/development/option-types.section.md +++ b/nixpkgs/nixos/doc/manual/development/option-types.section.md @@ -13,6 +13,13 @@ merging is handled. `types.bool` : A boolean, its values can be `true` or `false`. + All definitions must have the same value, after priorities. An error is thrown in case of a conflict. + +`types.boolByOr` + +: A boolean, its values can be `true` or `false`. + The result is `true` if _any_ of multiple definitions is `true`. + In other words, definitions are merged with the logical _OR_ operator. `types.path` diff --git a/nixpkgs/nixos/doc/manual/installation/changing-config.chapter.md b/nixpkgs/nixos/doc/manual/installation/changing-config.chapter.md index 12abf90b718f..9e56b15a880f 100644 --- a/nixpkgs/nixos/doc/manual/installation/changing-config.chapter.md +++ b/nixpkgs/nixos/doc/manual/installation/changing-config.chapter.md @@ -55,6 +55,14 @@ which causes the new configuration (and previous ones created using This can be useful to separate test configurations from "stable" configurations. +A repl, or read-eval-print loop, is also available. You can inspect your configuration and use the Nix language with + +```ShellSession +# nixos-rebuild repl +``` + +Your configuration is loaded into the `config` variable. Use tab for autocompletion, use the `:r` command to reload the configuration files. See `:?` or [`nix repl` in the Nix manual](https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-repl.html) to learn more. + Finally, you can do ```ShellSession diff --git a/nixpkgs/nixos/doc/manual/release-notes/release-notes.md b/nixpkgs/nixos/doc/manual/release-notes/release-notes.md index 3f926fb21a5c..0514a1b0044a 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/release-notes.md +++ b/nixpkgs/nixos/doc/manual/release-notes/release-notes.md @@ -3,6 +3,7 @@ This section lists the release notes for each stable version of NixOS and current unstable revision. ```{=include=} sections +rl-2405.section.md rl-2311.section.md rl-2305.section.md rl-2211.section.md diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2111.section.md b/nixpkgs/nixos/doc/manual/release-notes/rl-2111.section.md index 400eb1062d9a..8edf4fd35e4f 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-2111.section.md +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2111.section.md @@ -100,7 +100,7 @@ In addition to numerous new and upgraded packages, this release has the followin - [opensnitch](https://github.com/evilsocket/opensnitch), an application firewall. Available as [services.opensnitch](#opt-services.opensnitch.enable). - [snapraid](https://www.snapraid.it/), a backup program for disk arrays. - Available as [snapraid](#opt-snapraid.enable). + Available as [snapraid](#opt-services.snapraid.enable). - [Hockeypuck](https://github.com/hockeypuck/hockeypuck), a OpenPGP Key Server. Available as [services.hockeypuck](#opt-services.hockeypuck.enable). diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2311.section.md b/nixpkgs/nixos/doc/manual/release-notes/rl-2311.section.md index e693067561a4..1aef1828908f 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2311.section.md @@ -20,7 +20,7 @@ Make sure to also check the many updates in the [Nixpkgs library](#sec-release-2 - [Breaking Changes](#sec-release-23.11-nixos-breaking-changes) - [New Services](#sec-release-23.11-nixos-new-services) - [Other Notable Changes](#sec-release-23.11-nixos-notable-changes) -- [Nixpkgs Library Changes](#sec-release-23.11-nixpkgs-lib) +- [Nixpkgs Library](#sec-release-23.11-nixpkgs-lib) - [Breaking Changes](#sec-release-23.11-lib-breaking) - [Additions and Improvements](#sec-release-23.11-lib-additions-improvements) - [Deprecations](#sec-release-23.11-lib-deprecations) @@ -1313,18 +1313,26 @@ Make sure to also check the many updates in the [Nixpkgs library](#sec-release-2 - When using [split parity files](https://www.snapraid.it/manual#7.1) in `snapraid`, the snapraid-sync systemd service will no longer fail to run. +- `wpa_supplicant`'s configuration file cannot be read by non-root users, and + secrets (such as Pre-Shared Keys) can safely be passed via + `networking.wireless.environmentFile`. + + The configuration file could previously be read, when `userControlled.enable` (non-default), + by users who are in both `wheel` and `userControlled.group` (defaults to `wheel`) + + ## Nixpkgs Library {#sec-release-23.11-nixpkgs-lib} ### Breaking Changes {#sec-release-23.11-lib-breaking} -- [`lib.lists.foldl'`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.foldl-prime) +- [`lib.lists.foldl'`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.foldl-prime) now always evaluates the initial accumulator argument first. If you depend on the lazier behavior, consider using - [`lib.lists.foldl`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.foldl) + [`lib.lists.foldl`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.foldl) or [`builtins.foldl'`](https://nixos.org/manual/nix/stable/language/builtins.html#builtins-foldl') instead. -- [`lib.attrsets.foldlAttrs`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.attrsets.foldlAttrs) +- [`lib.attrsets.foldlAttrs`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.attrsets.foldlAttrs) now always evaluates the initial accumulator argument first. - Now that the internal NixOS transition to Markdown documentation is complete, `lib.options.literalDocBook` has been removed after deprecation in 22.11. @@ -1332,7 +1340,7 @@ Make sure to also check the many updates in the [Nixpkgs library](#sec-release-2 ### Additions and Improvements {#sec-release-23.11-lib-additions-improvements} -- [`lib.fileset`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-fileset): +- [`lib.fileset`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-fileset): A new sub-library to select local files to use for sources, designed to be easy and safe to use. @@ -1341,7 +1349,7 @@ Make sure to also check the many updates in the [Nixpkgs library](#sec-release-2 post](https://www.tweag.io/blog/2023-11-28-file-sets/) or [the tutorial](https://nix.dev/tutorials/file-sets). -- [`lib.gvariant`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-gvariant): +- [`lib.gvariant`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-gvariant): A partial and basic implementation of GVariant formatted strings. See [GVariant Format Strings](https://docs.gtk.org/glib/gvariant-format-strings.html) for details. @@ -1351,58 +1359,58 @@ Make sure to also check the many updates in the [Nixpkgs library](#sec-release-2 change in backwards incompatible ways without prior notice. ::: -- [`lib.asserts`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-asserts): +- [`lib.asserts`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-asserts): New function: - [`assertEachOneOf`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.asserts.assertEachOneOf). -- [`lib.attrsets`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-attrsets): + [`assertEachOneOf`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.asserts.assertEachOneOf). +- [`lib.attrsets`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-attrsets): New function: - [`attrsToList`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.attrsets.attrsToList). -- [`lib.customisation`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-customisation): + [`attrsToList`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.attrsets.attrsToList). +- [`lib.customisation`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-customisation): New function: - [`makeScopeWithSplicing'`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.customisation.makeScopeWithSplicing-prime). -- [`lib.fixedPoints`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-fixedPoints): + [`makeScopeWithSplicing'`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.customisation.makeScopeWithSplicing-prime). +- [`lib.fixedPoints`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-fixedPoints): Documentation improvements for - [`lib.fixedPoints.fix`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.fixedPoints.fix). + [`lib.fixedPoints.fix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.fixedPoints.fix). - `lib.generators`: New functions: - [`mkDconfKeyValue`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.generators.mkDconfKeyValue), - [`toDconfINI`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.generators.toDconfINI). + [`mkDconfKeyValue`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.generators.mkDconfKeyValue), + [`toDconfINI`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.generators.toDconfINI). `lib.generators.toKeyValue` now supports the `indent` attribute in its first argument. -- [`lib.lists`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-lists): +- [`lib.lists`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-lists): New functions: - [`findFirstIndex`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.findFirstIndex), - [`hasPrefix`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.hasPrefix), - [`removePrefix`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.removePrefix), - [`commonPrefix`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.commonPrefix), - [`allUnique`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.allUnique). + [`findFirstIndex`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.findFirstIndex), + [`hasPrefix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.hasPrefix), + [`removePrefix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.removePrefix), + [`commonPrefix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.commonPrefix), + [`allUnique`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.allUnique). Documentation improvements for - [`lib.lists.foldl'`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.foldl-prime). -- [`lib.meta`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-meta): + [`lib.lists.foldl'`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.foldl-prime). +- [`lib.meta`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-meta): Documentation of functions now gets rendered -- [`lib.path`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-path): +- [`lib.path`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-path): New functions: - [`hasPrefix`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.path.hasPrefix), - [`removePrefix`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.path.removePrefix), - [`splitRoot`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.path.splitRoot), - [`subpath.components`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.path.subpath.components). -- [`lib.strings`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-strings): + [`hasPrefix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.path.hasPrefix), + [`removePrefix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.path.removePrefix), + [`splitRoot`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.path.splitRoot), + [`subpath.components`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.path.subpath.components). +- [`lib.strings`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-strings): New functions: - [`replicate`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.strings.replicate), - [`cmakeOptionType`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.strings.cmakeOptionType), - [`cmakeBool`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.strings.cmakeBool), - [`cmakeFeature`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.strings.cmakeFeature). -- [`lib.trivial`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-trivial): + [`replicate`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.strings.replicate), + [`cmakeOptionType`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.strings.cmakeOptionType), + [`cmakeBool`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.strings.cmakeBool), + [`cmakeFeature`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.strings.cmakeFeature). +- [`lib.trivial`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-trivial): New function: - [`mirrorFunctionArgs`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.trivial.mirrorFunctionArgs). + [`mirrorFunctionArgs`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.trivial.mirrorFunctionArgs). - `lib.systems`: New function: - [`equals`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.systems.equals). -- [`lib.options`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-options): + [`equals`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.systems.equals). +- [`lib.options`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-options): Improved documentation for - [`mkPackageOption`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.options.mkPackageOption). + [`mkPackageOption`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.options.mkPackageOption). - [`mkPackageOption`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.options.mkPackageOption). + [`mkPackageOption`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.options.mkPackageOption). now also supports the `pkgsText` attribute. Module system: diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2405.section.md b/nixpkgs/nixos/doc/manual/release-notes/rl-2405.section.md index 9191a204a7a1..f792194da224 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-2405.section.md +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2405.section.md @@ -10,6 +10,10 @@ In addition to numerous new and upgraded packages, this release has the followin - `screen`'s module has been cleaned, and will now require you to set `programs.screen.enable` in order to populate `screenrc` and add the program to the environment. +- NixOS now installs a stub ELF loader that prints an informative error message when users attempt to run binaries not made for NixOS. + - This can be disabled through the `environment.stub-ld.enable` option. + - If you use `programs.nix-ld.enable`, no changes are needed. The stub will be disabled automatically. + ## New Services {#sec-release-24.05-new-services} <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> @@ -27,9 +31,26 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> +- The `power.ups` module now generates `upsd.conf`, `upsd.users` and `upsmon.conf` automatically from a set of new configuration options. This breaks compatibility with existing `power.ups` setups where these files were created manually. Back up these files before upgrading NixOS. + - `mkosi` was updated to v19. Parts of the user interface have changed. Consult the [release notes](https://github.com/systemd/mkosi/releases/tag/v19) for a list of changes. +- The latest available version of Nextcloud is v28 (available as `pkgs.nextcloud28`). The installation logic is as follows: + - If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**) + - If [`system.stateVersion`](#opt-system.stateVersion) is >=24.05, `pkgs.nextcloud28` will be installed by default. + - If [`system.stateVersion`](#opt-system.stateVersion) is >=23.11, `pkgs.nextcloud27` will be installed by default. + - Please note that an upgrade from v26 (or older) to v28 directly is not possible. Please upgrade to `nextcloud27` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring [`services.nextcloud.package = pkgs.nextcloud27;`](options.html#opt-services.nextcloud.package). + +- `services.avahi.nssmdns` got split into `services.avahi.nssmdns4` and `services.avahi.nssmdns6` which enable the mDNS NSS switch for IPv4 and IPv6 respectively. + Since most mDNS responders only register IPv4 addresses, most users want to keep the IPv6 support disabled to avoid long timeouts. + +- `networking.iproute2.enable` now does not set `environment.etc."iproute2/rt_tables".text`. + + Setting `environment.etc."iproute2/{CONFIG_FILE_NAME}".text` will override the whole configuration file instead of appending it to the upstream configuration file. + + `CONFIG_FILE_NAME` includes `bpf_pinning`, `ematch_map`, `group`, `nl_protos`, `rt_dsfield`, `rt_protos`, `rt_realms`, `rt_scopes`, and `rt_tables`. + ## Other Notable Changes {#sec-release-24.05-notable-changes} <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> @@ -38,20 +59,36 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - Cinnamon has been updated to 6.0. Please beware that the [Wayland session](https://blog.linuxmint.com/?p=4591) is still experimental in this release. +- `services.postgresql.extraPlugins` changed its type from just a list of packages to also a function that returns such a list. + For example a config line like ``services.postgresql.extraPlugins = with pkgs.postgresql_11.pkgs; [ postgis ];`` is recommended to be changed to ``services.postgresql.extraPlugins = ps: with ps; [ postgis ];``; + - Programs written in [Nim](https://nim-lang.org/) are built with libraries selected by lockfiles. The `nimPackages` and `nim2Packages` sets have been removed. See https://nixos.org/manual/nixpkgs/unstable#nim for more information. +- `libass` now uses the native CoreText backend on Darwin, which may fix subtitle rendering issues with `mpv`, `ffmpeg`, etc. + - The Yama LSM is now enabled by default in the kernel, which prevents ptracing non-child processes. This means you will not be able to attach gdb to an existing process, but will need to start that process from gdb (so it is a child). Or you can set `boot.kernel.sysctl."kernel.yama.ptrace_scope"` to 0. +- [Nginx virtual hosts](#opt-services.nginx.virtualHosts) using `forceSSL` or + `globalRedirect` can now have redirect codes other than 301 through + `redirectCode`. + +- [](#opt-boot.kernel.sysctl._net.core.wmem_max_) changed from a string to an integer because of the addition of a custom merge option (taking the highest value defined to avoid conflicts between 2 services trying to set that value), just as [](#opt-boot.kernel.sysctl._net.core.rmem_max_) since 22.11. + - Gitea 1.21 upgrade has several breaking changes, including: - Custom themes and other assets that were previously stored in `custom/public/*` now belong in `custom/public/assets/*` - New instances of Gitea using MySQL now ignore the `[database].CHARSET` config option and always use the `utf8mb4` charset, existing instances should migrate via the `gitea doctor convert` CLI command. - The `hardware.pulseaudio` module now sets permission of pulse user home directory to 755 when running in "systemWide" mode. It fixes [issue 114399](https://github.com/NixOS/nixpkgs/issues/114399). +- The `btrbk` module now automatically selects and provides required compression + program depending on the configured `stream_compress` option. Since this + replaces the need for the `extraPackages` option, this option will be + deprecated in future releases. + - QtMultimedia has changed its default backend to `QT_MEDIA_BACKEND=ffmpeg` (previously `gstreamer` on Linux or `darwin` on MacOS). The previous native backends remain available but are now minimally maintained. Refer to [upstream documentation](https://doc.qt.io/qt-6/qtmultimedia-index.html#ffmpeg-as-the-default-backend) for further details about each platform. diff --git a/nixpkgs/nixos/lib/test-driver/test_driver/machine.py b/nixpkgs/nixos/lib/test-driver/test_driver/machine.py index f430321bb607..da60b669fa27 100644 --- a/nixpkgs/nixos/lib/test-driver/test_driver/machine.py +++ b/nixpkgs/nixos/lib/test-driver/test_driver/machine.py @@ -447,8 +447,7 @@ class Machine: """ def check_active(_: Any) -> bool: - info = self.get_unit_info(unit, user) - state = info["ActiveState"] + state = self.get_unit_property(unit, "ActiveState", user) if state == "failed": raise Exception(f'unit "{unit}" reached state "{state}"') @@ -491,6 +490,35 @@ class Machine: if line_pattern.match(line) ) + def get_unit_property( + self, + unit: str, + property: str, + user: Optional[str] = None, + ) -> str: + status, lines = self.systemctl( + f'--no-pager show "{unit}" --property="{property}"', + user, + ) + if status != 0: + raise Exception( + f'retrieving systemctl property "{property}" for unit "{unit}"' + + ("" if user is None else f' under user "{user}"') + + f" failed with exit code {status}" + ) + + invalid_output_message = ( + f'systemctl show --property "{property}" "{unit}"' + f"produced invalid output: {lines}" + ) + + line_pattern = re.compile(r"^([^=]+)=(.*)$") + match = line_pattern.match(lines) + assert match is not None, invalid_output_message + + assert match[1] == property, invalid_output_message + return match[2] + def systemctl(self, q: str, user: Optional[str] = None) -> Tuple[int, str]: """ Runs `systemctl` commands with optional support for diff --git a/nixpkgs/nixos/maintainers/scripts/ec2/create-amis.sh b/nixpkgs/nixos/maintainers/scripts/ec2/create-amis.sh index 0c1656efaf1c..d182c5c2a479 100755 --- a/nixpkgs/nixos/maintainers/scripts/ec2/create-amis.sh +++ b/nixpkgs/nixos/maintainers/scripts/ec2/create-amis.sh @@ -27,31 +27,37 @@ var ${bucket:=nixos-amis} var ${service_role_name:=vmimport} # Output of the command: -# > aws ec2 describe-regions --all-regions --query "Regions[].{Name:RegionName}" --output text | sort +# $ nix-shell -I nixpkgs=. -p awscli --run 'aws ec2 describe-regions --region us-east-1 --all-regions --query "Regions[].{Name:RegionName}" --output text | sort | sed -e s/^/\ \ /' var ${regions:= - af-south-1 - ap-east-1 - ap-northeast-1 - ap-northeast-2 - ap-northeast-3 - ap-south-1 - ap-southeast-1 - ap-southeast-2 - ap-southeast-3 - ca-central-1 - eu-central-1 - eu-north-1 - eu-south-1 - eu-west-1 - eu-west-2 - eu-west-3 - me-south-1 - sa-east-1 - us-east-1 - us-east-2 - us-west-1 - us-west-2 - } + af-south-1 + ap-east-1 + ap-northeast-1 + ap-northeast-2 + ap-northeast-3 + ap-south-1 + ap-south-2 + ap-southeast-1 + ap-southeast-2 + ap-southeast-3 + ap-southeast-4 + ca-central-1 + eu-central-1 + eu-central-2 + eu-north-1 + eu-south-1 + eu-south-2 + eu-west-1 + eu-west-2 + eu-west-3 + il-central-1 + me-central-1 + me-south-1 + sa-east-1 + us-east-1 + us-east-2 + us-west-1 + us-west-2 +} regions=($regions) diff --git a/nixpkgs/nixos/modules/config/iproute2.nix b/nixpkgs/nixos/modules/config/iproute2.nix index 78bd07d680e2..0cde57b759be 100644 --- a/nixpkgs/nixos/modules/config/iproute2.nix +++ b/nixpkgs/nixos/modules/config/iproute2.nix @@ -18,10 +18,9 @@ in }; config = mkIf cfg.enable { - environment.etc."iproute2/rt_tables" = { + environment.etc."iproute2/rt_tables.d/nixos.conf" = { mode = "0644"; - text = (fileContents "${pkgs.iproute2}/lib/iproute2/rt_tables") - + (optionalString (cfg.rttablesExtraConfig != "") "\n\n${cfg.rttablesExtraConfig}"); + text = cfg.rttablesExtraConfig; }; }; } diff --git a/nixpkgs/nixos/modules/config/ldso.nix b/nixpkgs/nixos/modules/config/ldso.nix new file mode 100644 index 000000000000..72ae3958d886 --- /dev/null +++ b/nixpkgs/nixos/modules/config/ldso.nix @@ -0,0 +1,58 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) last splitString mkOption types mdDoc optionals; + + libDir = pkgs.stdenv.hostPlatform.libDir; + ldsoBasename = builtins.unsafeDiscardStringContext (last (splitString "/" pkgs.stdenv.cc.bintools.dynamicLinker)); + + pkgs32 = pkgs.pkgsi686Linux; + libDir32 = pkgs32.stdenv.hostPlatform.libDir; + ldsoBasename32 = builtins.unsafeDiscardStringContext (last (splitString "/" pkgs32.stdenv.cc.bintools.dynamicLinker)); +in { + options = { + environment.ldso = mkOption { + type = types.nullOr types.path; + default = null; + description = mdDoc '' + The executable to link into the normal FHS location of the ELF loader. + ''; + }; + + environment.ldso32 = mkOption { + type = types.nullOr types.path; + default = null; + description = mdDoc '' + The executable to link into the normal FHS location of the 32-bit ELF loader. + + This currently only works on x86_64 architectures. + ''; + }; + }; + + config = { + assertions = [ + { assertion = isNull config.environment.ldso32 || pkgs.stdenv.isx86_64; + message = "Option environment.ldso32 currently only works on x86_64."; + } + ]; + + systemd.tmpfiles.rules = ( + if isNull config.environment.ldso then [ + "r /${libDir}/${ldsoBasename} - - - - -" + ] else [ + "d /${libDir} 0755 root root - -" + "L+ /${libDir}/${ldsoBasename} - - - - ${config.environment.ldso}" + ] + ) ++ optionals pkgs.stdenv.isx86_64 ( + if isNull config.environment.ldso32 then [ + "r /${libDir32}/${ldsoBasename32} - - - - -" + ] else [ + "d /${libDir32} 0755 root root - -" + "L+ /${libDir32}/${ldsoBasename32} - - - - ${config.environment.ldso32}" + ] + ); + }; + + meta.maintainers = with lib.maintainers; [ tejing ]; +} diff --git a/nixpkgs/nixos/modules/config/nix.nix b/nixpkgs/nixos/modules/config/nix.nix index cee4f54db0cb..2769d8b25ef6 100644 --- a/nixpkgs/nixos/modules/config/nix.nix +++ b/nixpkgs/nixos/modules/config/nix.nix @@ -109,13 +109,17 @@ let if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then '' echo "Ignoring validation for cross-compilation" '' - else '' + else + let + showCommand = if isNixAtLeast "2.20pre" then "config show" else "show-config"; + in + '' echo "Validating generated nix.conf" ln -s $out ./nix.conf set -e set +o pipefail NIX_CONF_DIR=$PWD \ - ${cfg.package}/bin/nix show-config ${optionalString (isNixAtLeast "2.3pre") "--no-net"} \ + ${cfg.package}/bin/nix ${showCommand} ${optionalString (isNixAtLeast "2.3pre") "--no-net"} \ ${optionalString (isNixAtLeast "2.4pre") "--option experimental-features nix-command"} \ |& sed -e 's/^warning:/error:/' \ | (! grep '${if cfg.checkAllErrors then "^error:" else "^error: unknown setting"}') diff --git a/nixpkgs/nixos/modules/config/no-x-libs.nix b/nixpkgs/nixos/modules/config/no-x-libs.nix index b2eb46f273b1..ec26d4b12eff 100644 --- a/nixpkgs/nixos/modules/config/no-x-libs.nix +++ b/nixpkgs/nixos/modules/config/no-x-libs.nix @@ -51,6 +51,7 @@ with lib; mc = super.mc.override { x11Support = false; }; mpv-unwrapped = super.mpv-unwrapped.override { sdl2Support = false; x11Support = false; waylandSupport = false; }; msmtp = super.msmtp.override { withKeyring = false; }; + mupdf = super.mupdf.override { enableGL = false; enableX11 = false; }; neofetch = super.neofetch.override { x11Support = false; }; networkmanager-fortisslvpn = super.networkmanager-fortisslvpn.override { withGnome = false; }; networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; }; diff --git a/nixpkgs/nixos/modules/config/stub-ld.nix b/nixpkgs/nixos/modules/config/stub-ld.nix new file mode 100644 index 000000000000..14c07466d061 --- /dev/null +++ b/nixpkgs/nixos/modules/config/stub-ld.nix @@ -0,0 +1,56 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) optionalString mkOption types mdDoc mkIf mkDefault; + + cfg = config.environment.stub-ld; + + message = '' + NixOS cannot run dynamically linked executables intended for generic + linux environments out of the box. For more information, see: + https://nix.dev/permalink/stub-ld + ''; + + stub-ld-for = pkgsArg: messageArg: pkgsArg.pkgsStatic.runCommandCC "stub-ld" { + nativeBuildInputs = [ pkgsArg.unixtools.xxd ]; + inherit messageArg; + } '' + printf "%s" "$messageArg" | xxd -i -n message >main.c + cat <<EOF >>main.c + #include <stdio.h> + int main(int argc, char * argv[]) { + fprintf(stderr, "Could not start dynamically linked executable: %s\n", argv[0]); + fwrite(message, sizeof(unsigned char), message_len, stderr); + return 127; // matches behavior of bash and zsh without a loader. fish uses 139 + } + EOF + $CC -Os main.c -o $out + ''; + + pkgs32 = pkgs.pkgsi686Linux; + + stub-ld = stub-ld-for pkgs message; + stub-ld32 = stub-ld-for pkgs32 message; +in { + options = { + environment.stub-ld = { + enable = mkOption { + type = types.bool; + default = true; + example = false; + description = mdDoc '' + Install a stub ELF loader to print an informative error message + in the event that a user attempts to run an ELF binary not + compiled for NixOS. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + environment.ldso = mkDefault stub-ld; + environment.ldso32 = mkIf pkgs.stdenv.isx86_64 (mkDefault stub-ld32); + }; + + meta.maintainers = with lib.maintainers; [ tejing ]; +} diff --git a/nixpkgs/nixos/modules/config/sysctl.nix b/nixpkgs/nixos/modules/config/sysctl.nix index 452c050b6dda..b779f12aca30 100644 --- a/nixpkgs/nixos/modules/config/sysctl.nix +++ b/nixpkgs/nixos/modules/config/sysctl.nix @@ -21,19 +21,27 @@ in options = { boot.kernel.sysctl = mkOption { - type = types.submodule { + type = let + highestValueType = types.ints.unsigned // { + merge = loc: defs: + foldl + (a: b: if b.value == null then null else lib.max a b.value) + 0 + (filterOverrides defs); + }; + in types.submodule { freeformType = types.attrsOf sysctlOption; options."net.core.rmem_max" = mkOption { - type = types.nullOr types.ints.unsigned // { - merge = loc: defs: - foldl - (a: b: if b.value == null then null else lib.max a b.value) - 0 - (filterOverrides defs); - }; + type = types.nullOr highestValueType; default = null; description = lib.mdDoc "The maximum socket receive buffer size. In case of conflicting values, the highest will be used."; }; + + options."net.core.wmem_max" = mkOption { + type = types.nullOr highestValueType; + default = null; + description = lib.mdDoc "The maximum socket send buffer size. In case of conflicting values, the highest will be used."; + }; }; default = {}; example = literalExpression '' diff --git a/nixpkgs/nixos/modules/config/users-groups.nix b/nixpkgs/nixos/modules/config/users-groups.nix index 39aac9fb821b..2aed620eb154 100644 --- a/nixpkgs/nixos/modules/config/users-groups.nix +++ b/nixpkgs/nixos/modules/config/users-groups.nix @@ -475,7 +475,7 @@ let sdInitrdUidsAreUnique = idsAreUnique (filterAttrs (n: u: u.uid != null) config.boot.initrd.systemd.users) "uid"; sdInitrdGidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) config.boot.initrd.systemd.groups) "gid"; groupNames = lib.mapAttrsToList (n: g: g.name) cfg.groups; - usersWithoutExistingGroup = lib.filterAttrs (n: u: !lib.elem u.group groupNames) cfg.users; + usersWithoutExistingGroup = lib.filterAttrs (n: u: u.group != "" && !lib.elem u.group groupNames) cfg.users; spec = pkgs.writeText "users-groups.json" (builtins.toJSON { inherit (cfg) mutableUsers; diff --git a/nixpkgs/nixos/modules/hardware/keyboard/qmk.nix b/nixpkgs/nixos/modules/hardware/keyboard/qmk.nix index df3bcaeccd2e..d95d36dedb44 100644 --- a/nixpkgs/nixos/modules/hardware/keyboard/qmk.nix +++ b/nixpkgs/nixos/modules/hardware/keyboard/qmk.nix @@ -12,5 +12,6 @@ in config = mkIf cfg.enable { services.udev.packages = [ pkgs.qmk-udev-rules ]; + users.groups.plugdev = {}; }; } diff --git a/nixpkgs/nixos/modules/misc/ids.nix b/nixpkgs/nixos/modules/misc/ids.nix index 18928a6bf21b..5af7284ac71a 100644 --- a/nixpkgs/nixos/modules/misc/ids.nix +++ b/nixpkgs/nixos/modules/misc/ids.nix @@ -288,7 +288,7 @@ in telegraf = 256; gitlab-runner = 257; postgrey = 258; - hound = 259; + # hound = 259; # unused, removed 2023-11-21 leaps = 260; ipfs = 261; # stanchion = 262; # unused, removed 2020-10-14 @@ -599,7 +599,7 @@ in #telegraf = 256; # unused gitlab-runner = 257; postgrey = 258; - hound = 259; + # hound = 259; # unused, removed 2023-11-21 leaps = 260; ipfs = 261; # stanchion = 262; # unused, removed 2020-10-14 diff --git a/nixpkgs/nixos/modules/module-list.nix b/nixpkgs/nixos/modules/module-list.nix index 43bf477cb215..dc95ff8016b2 100644 --- a/nixpkgs/nixos/modules/module-list.nix +++ b/nixpkgs/nixos/modules/module-list.nix @@ -12,6 +12,7 @@ ./config/iproute2.nix ./config/krb5/default.nix ./config/ldap.nix + ./config/ldso.nix ./config/locale.nix ./config/malloc.nix ./config/mysql.nix @@ -28,6 +29,7 @@ ./config/resolvconf.nix ./config/shells-environment.nix ./config/stevenblack.nix + ./config/stub-ld.nix ./config/swap.nix ./config/sysctl.nix ./config/system-environment.nix @@ -364,6 +366,7 @@ ./services/backup/mysql-backup.nix ./services/backup/postgresql-backup.nix ./services/backup/postgresql-wal-receiver.nix + ./services/backup/snapraid.nix ./services/backup/restic-rest-server.nix ./services/backup/restic.nix ./services/backup/rsnapshot.nix @@ -972,6 +975,7 @@ ./services/networking/iwd.nix ./services/networking/jibri/default.nix ./services/networking/jicofo.nix + ./services/networking/jigasi.nix ./services/networking/jitsi-videobridge.nix ./services/networking/jool.nix ./services/networking/kea.nix @@ -1335,6 +1339,7 @@ ./services/web-apps/vikunja.nix ./services/web-apps/whitebophir.nix ./services/web-apps/wiki-js.nix + ./services/web-apps/windmill.nix ./services/web-apps/wordpress.nix ./services/web-apps/writefreely.nix ./services/web-apps/youtrack.nix @@ -1360,6 +1365,7 @@ ./services/web-servers/molly-brown.nix ./services/web-servers/nginx/default.nix ./services/web-servers/nginx/gitweb.nix + ./services/web-servers/nginx/tailscale-auth.nix ./services/web-servers/phpfpm/default.nix ./services/web-servers/pomerium.nix ./services/web-servers/rustus.nix @@ -1505,7 +1511,6 @@ ./tasks/network-interfaces.nix ./tasks/powertop.nix ./tasks/scsi-link-power-management.nix - ./tasks/snapraid.nix ./tasks/stratis.nix ./tasks/swraid.nix ./tasks/trackpoint.nix diff --git a/nixpkgs/nixos/modules/profiles/minimal.nix b/nixpkgs/nixos/modules/profiles/minimal.nix index 75f355b4a002..b76740f7cc58 100644 --- a/nixpkgs/nixos/modules/profiles/minimal.nix +++ b/nixpkgs/nixos/modules/profiles/minimal.nix @@ -21,6 +21,8 @@ with lib; # Perl is a default package. environment.defaultPackages = mkDefault [ ]; + environment.stub-ld.enable = false; + # The lessopen package pulls in Perl. programs.less.lessopen = mkDefault null; diff --git a/nixpkgs/nixos/modules/programs/firejail.nix b/nixpkgs/nixos/modules/programs/firejail.nix index 6f79c13d94b4..046c31ce64f6 100644 --- a/nixpkgs/nixos/modules/programs/firejail.nix +++ b/nixpkgs/nixos/modules/programs/firejail.nix @@ -53,7 +53,7 @@ in { desktop = mkOption { type = types.nullOr types.path; default = null; - description = lib.mkDoc ".desktop file to modify. Only necessary if it uses the absolute path to the executable."; + description = lib.mdDoc ".desktop file to modify. Only necessary if it uses the absolute path to the executable."; example = literalExpression ''"''${pkgs.firefox}/share/applications/firefox.desktop"''; }; profile = mkOption { diff --git a/nixpkgs/nixos/modules/programs/hyprland.nix b/nixpkgs/nixos/modules/programs/hyprland.nix index 166c6cbc5c18..9061ce5da83a 100644 --- a/nixpkgs/nixos/modules/programs/hyprland.nix +++ b/nixpkgs/nixos/modules/programs/hyprland.nix @@ -30,7 +30,6 @@ in readOnly = true; default = cfg.package.override { enableXWayland = cfg.xwayland.enable; - enableNvidiaPatches = cfg.enableNvidiaPatches; }; defaultText = literalExpression "`programs.hyprland.package` with applied configuration"; @@ -42,8 +41,6 @@ in portalPackage = mkPackageOption pkgs "xdg-desktop-portal-hyprland" { }; xwayland.enable = mkEnableOption (mdDoc "XWayland") // { default = true; }; - - enableNvidiaPatches = mkEnableOption (mdDoc "patching wlroots for better Nvidia support"); }; config = mkIf cfg.enable { @@ -73,9 +70,13 @@ in [ "programs" "hyprland" "xwayland" "hidpi" ] "XWayland patches are deprecated. Refer to https://wiki.hyprland.org/Configuring/XWayland" ) - (mkRenamedOptionModule - [ "programs" "hyprland" "nvidiaPatches" ] + (mkRemovedOptionModule [ "programs" "hyprland" "enableNvidiaPatches" ] + "Nvidia patches are no longer needed" + ) + (mkRemovedOptionModule + [ "programs" "hyprland" "nvidiaPatches" ] + "Nvidia patches are no longer needed" ) ]; } diff --git a/nixpkgs/nixos/modules/programs/nix-ld.nix b/nixpkgs/nixos/modules/programs/nix-ld.nix index e3a9bb16410c..6f36ce33640c 100644 --- a/nixpkgs/nixos/modules/programs/nix-ld.nix +++ b/nixpkgs/nixos/modules/programs/nix-ld.nix @@ -47,7 +47,7 @@ in }; config = lib.mkIf config.programs.nix-ld.enable { - systemd.tmpfiles.packages = [ cfg.package ]; + environment.ldso = "${cfg.package}/libexec/nix-ld"; environment.systemPackages = [ nix-ld-libraries ]; diff --git a/nixpkgs/nixos/modules/programs/wayland/river.nix b/nixpkgs/nixos/modules/programs/wayland/river.nix index ec59bd50a015..995129b9710a 100644 --- a/nixpkgs/nixos/modules/programs/wayland/river.nix +++ b/nixpkgs/nixos/modules/programs/wayland/river.nix @@ -48,6 +48,9 @@ in { # To make a river session available if a display manager like SDDM is enabled: services.xserver.displayManager.sessionPackages = optionals (cfg.package != null) [ cfg.package ]; + + # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050913 + xdg.portal.config.river.default = mkDefault [ "wlr" "gtk" ]; } (import ./wayland-session.nix { inherit lib pkgs; }) ]); diff --git a/nixpkgs/nixos/modules/security/acme/default.md b/nixpkgs/nixos/modules/security/acme/default.md index 31548ad181a7..51ee0428d84e 100644 --- a/nixpkgs/nixos/modules/security/acme/default.md +++ b/nixpkgs/nixos/modules/security/acme/default.md @@ -45,7 +45,7 @@ placeholder certificates in place of the real ACME certs. The placeholder certs are overwritten when the ACME certs arrive. For `foo.example.com` the config would look like this: -``` +```nix security.acme.acceptTerms = true; security.acme.defaults.email = "admin+acme@example.com"; services.nginx = { @@ -88,7 +88,7 @@ This example uses a vhost called `certs.example.com`, with the intent that you will generate certs for all your vhosts and redirect everyone to HTTPS. -``` +```nix security.acme.acceptTerms = true; security.acme.defaults.email = "admin+acme@example.com"; @@ -136,7 +136,7 @@ services.httpd = { Now you need to configure ACME to generate a certificate. -``` +```nix security.acme.certs."foo.example.com" = { webroot = "/var/lib/acme/.challenges"; email = "foo@example.com"; @@ -167,7 +167,7 @@ see the [lego docs](https://go-acme.github.io/lego/dns/) for provider/server specific configuration values. For the sake of these docs, we will provide a fully self-hosted example using bind. -``` +```nix services.bind = { enable = true; extraConfig = '' @@ -199,7 +199,7 @@ The {file}`dnskeys.conf` and {file}`certs.secret` must be kept secure and thus you should not keep their contents in your Nix config. Instead, generate them one time with a systemd service: -``` +```nix systemd.services.dns-rfc2136-conf = { requiredBy = ["acme-example.com.service" "bind.service"]; before = ["acme-example.com.service" "bind.service"]; @@ -250,7 +250,7 @@ first, however instead of setting the options for one certificate you will set them as defaults (e.g. [](#opt-security.acme.defaults.dnsProvider)). -``` +```nix # Configure ACME appropriately security.acme.acceptTerms = true; security.acme.defaults.email = "admin+acme@example.com"; @@ -287,7 +287,7 @@ There is no way to change the user the ACME module uses (it will always be Below is an example configuration for OpenSMTPD, but this pattern can be applied to any service. -``` +```nix # Configure ACME however you like (DNS or HTTP validation), adding # the following configuration for the relevant certificate. # Note: You cannot use `systemctl reload` here as that would mean @@ -340,7 +340,7 @@ to be regenerated. In this scenario lego will produce the error `JWS verificatio The solution is to simply delete the associated accounts file and re-run the affected service(s). -``` +```shell # Find the accounts folder for the certificate systemctl cat acme-example.com.service | grep -Po 'accounts/[^:]*' export accountdir="$(!!)" diff --git a/nixpkgs/nixos/modules/services/audio/wyoming/faster-whisper.nix b/nixpkgs/nixos/modules/services/audio/wyoming/faster-whisper.nix index eda409f1f800..dd7f62744cd0 100644 --- a/nixpkgs/nixos/modules/services/audio/wyoming/faster-whisper.nix +++ b/nixpkgs/nixos/modules/services/audio/wyoming/faster-whisper.nix @@ -121,6 +121,7 @@ in in mkIf (cfg.servers != {}) { systemd.services = mapAttrs' (server: options: nameValuePair "wyoming-faster-whisper-${server}" { + inherit (options) enable; description = "Wyoming faster-whisper server instance ${server}"; after = [ "network-online.target" diff --git a/nixpkgs/nixos/modules/services/audio/wyoming/piper.nix b/nixpkgs/nixos/modules/services/audio/wyoming/piper.nix index 698828aa6cba..2828fdf07892 100644 --- a/nixpkgs/nixos/modules/services/audio/wyoming/piper.nix +++ b/nixpkgs/nixos/modules/services/audio/wyoming/piper.nix @@ -116,6 +116,7 @@ in in mkIf (cfg.servers != {}) { systemd.services = mapAttrs' (server: options: nameValuePair "wyoming-piper-${server}" { + inherit (options) enable; description = "Wyoming Piper server instance ${server}"; after = [ "network-online.target" diff --git a/nixpkgs/nixos/modules/services/backup/borgbackup.nix b/nixpkgs/nixos/modules/services/backup/borgbackup.nix index 039a5f227ac4..393fe83f493f 100644 --- a/nixpkgs/nixos/modules/services/backup/borgbackup.nix +++ b/nixpkgs/nixos/modules/services/backup/borgbackup.nix @@ -602,53 +602,56 @@ in { }; extraArgs = mkOption { - type = types.str; + type = with types; coercedTo (listOf str) escapeShellArgs str; description = lib.mdDoc '' Additional arguments for all {command}`borg` calls the service has. Handle with care. ''; - default = ""; - example = "--remote-path=/path/to/borg"; + default = [ ]; + example = [ "--remote-path=/path/to/borg" ]; }; extraInitArgs = mkOption { - type = types.str; + type = with types; coercedTo (listOf str) escapeShellArgs str; description = lib.mdDoc '' Additional arguments for {command}`borg init`. Can also be set at runtime using `$extraInitArgs`. ''; - default = ""; - example = "--append-only"; + default = [ ]; + example = [ "--append-only" ]; }; extraCreateArgs = mkOption { - type = types.str; + type = with types; coercedTo (listOf str) escapeShellArgs str; description = lib.mdDoc '' Additional arguments for {command}`borg create`. Can also be set at runtime using `$extraCreateArgs`. ''; - default = ""; - example = "--stats --checkpoint-interval 600"; + default = [ ]; + example = [ + "--stats" + "--checkpoint-interval 600" + ]; }; extraPruneArgs = mkOption { - type = types.str; + type = with types; coercedTo (listOf str) escapeShellArgs str; description = lib.mdDoc '' Additional arguments for {command}`borg prune`. Can also be set at runtime using `$extraPruneArgs`. ''; - default = ""; - example = "--save-space"; + default = [ ]; + example = [ "--save-space" ]; }; extraCompactArgs = mkOption { - type = types.str; + type = with types; coercedTo (listOf str) escapeShellArgs str; description = lib.mdDoc '' Additional arguments for {command}`borg compact`. Can also be set at runtime using `$extraCompactArgs`. ''; - default = ""; - example = "--cleanup-commits"; + default = [ ]; + example = [ "--cleanup-commits" ]; }; }; } diff --git a/nixpkgs/nixos/modules/services/backup/btrbk.nix b/nixpkgs/nixos/modules/services/backup/btrbk.nix index 1e90ef54d33f..364b77b6a21c 100644 --- a/nixpkgs/nixos/modules/services/backup/btrbk.nix +++ b/nixpkgs/nixos/modules/services/backup/btrbk.nix @@ -6,14 +6,17 @@ let concatMapStringsSep concatStringsSep filterAttrs + flatten + getAttr isAttrs literalExpression mapAttrs' mapAttrsToList mkIf mkOption + optional optionalString - sort + sortOn types ; @@ -37,7 +40,7 @@ let genConfig = set: let pairs = mapAttrsToList (name: value: { inherit name value; }) set; - sortedPairs = sort (a: b: prioOf a < prioOf b) pairs; + sortedPairs = sortOn prioOf pairs; in concatMap genPair sortedPairs; genSection = sec: secName: value: @@ -84,6 +87,18 @@ let ''; }; + streamCompressMap = { + gzip = pkgs.gzip; + pigz = pkgs.pigz; + bzip2 = pkgs.bzip2; + pbzip2 = pkgs.pbzip2; + bzip3 = pkgs.bzip3; + xz = pkgs.xz; + lzo = pkgs.lzo; + lz4 = pkgs.lz4; + zstd = pkgs.zstd; + }; + cfg = config.services.btrbk; sshEnabled = cfg.sshAccess != [ ]; serviceEnabled = cfg.instances != { }; @@ -94,7 +109,14 @@ in options = { services.btrbk = { extraPackages = mkOption { - description = lib.mdDoc "Extra packages for btrbk, like compression utilities for `stream_compress`"; + description = lib.mdDoc '' + Extra packages for btrbk, like compression utilities for `stream_compress`. + + **Note**: This option will get deprecated in future releases. + Required compression programs will get automatically provided to btrbk + depending on configured compression method in + `services.btrbk.instances.<name>.settings` option. + ''; type = types.listOf types.package; default = [ ]; example = literalExpression "[ pkgs.xz ]"; @@ -124,7 +146,19 @@ in ''; }; settings = mkOption { - type = let t = types.attrsOf (types.either types.str (t // { description = "instances of this type recursively"; })); in t; + type = types.submodule { + freeformType = let t = types.attrsOf (types.either types.str (t // { description = "instances of this type recursively"; })); in t; + options = { + stream_compress = mkOption { + description = lib.mdDoc '' + Compress the btrfs send stream before transferring it from/to remote locations using a + compression command. + ''; + type = types.enum ["gzip" "pigz" "bzip2" "pbzip2" "bzip3" "xz" "lzo" "lz4" "zstd" "no"]; + default = "no"; + }; + }; + }; default = { }; example = { snapshot_preserve_min = "2d"; @@ -169,6 +203,11 @@ in }; config = mkIf (sshEnabled || serviceEnabled) { + + warnings = optional (cfg.extraPackages != []) '' + extraPackages option will be deprecated in future releases. Programs required for compression are now automatically selected depending on services.btrbk.instances.<name>.settings.stream_compress option. + ''; + environment.systemPackages = [ pkgs.btrbk ] ++ cfg.extraPackages; security.sudo.extraRules = mkIf (sudo_doas == "sudo") [ sudoRule ]; @@ -232,12 +271,15 @@ in cfg.instances; systemd.services = mapAttrs' ( - name: _: { + name: instance: { name = "btrbk-${name}"; value = { description = "Takes BTRFS snapshots and maintains retention policies."; unitConfig.Documentation = "man:btrbk(1)"; - path = [ "/run/wrappers" ] ++ cfg.extraPackages; + path = [ "/run/wrappers" ] + ++ cfg.extraPackages + ++ optional (instance.settings.stream_compress != "no") + (getAttr instance.settings.stream_compress streamCompressMap); serviceConfig = { User = "btrbk"; Group = "btrbk"; diff --git a/nixpkgs/nixos/modules/services/backup/restic.nix b/nixpkgs/nixos/modules/services/backup/restic.nix index e3eb504e0adf..b222dd952d15 100644 --- a/nixpkgs/nixos/modules/services/backup/restic.nix +++ b/nixpkgs/nixos/modules/services/backup/restic.nix @@ -384,10 +384,11 @@ in ${lib.optionalString (backup.environmentFile != null) "source ${backup.environmentFile}"} # set same environment variables as the systemd service ${lib.pipe config.systemd.services."restic-backups-${name}".environment [ - (lib.filterAttrs (_: v: v != null)) + (lib.filterAttrs (n: v: v != null && n != "PATH")) (lib.mapAttrsToList (n: v: "${n}=${v}")) (lib.concatStringsSep "\n") ]} + PATH=${config.systemd.services."restic-backups-${name}".environment.PATH}:$PATH exec ${resticCmd} $@ '') (lib.filterAttrs (_: v: v.createWrapper) config.services.restic.backups); diff --git a/nixpkgs/nixos/modules/tasks/snapraid.nix b/nixpkgs/nixos/modules/services/backup/snapraid.nix index 9570c6b76123..c9b2550e80e8 100644 --- a/nixpkgs/nixos/modules/tasks/snapraid.nix +++ b/nixpkgs/nixos/modules/services/backup/snapraid.nix @@ -2,10 +2,15 @@ with lib; -let cfg = config.snapraid; +let cfg = config.services.snapraid; in { - options.snapraid = with types; { + imports = [ + # Should have never been on the top-level. + (mkRenamedOptionModule [ "snapraid" ] [ "services" "snapraid" ]) + ]; + + options.services.snapraid = with types; { enable = mkEnableOption (lib.mdDoc "SnapRAID"); dataDisks = mkOption { default = { }; diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix index 11c5adc6a885..dca8996df083 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix @@ -13,6 +13,13 @@ in ###### interface options.services.kubernetes.flannel = { enable = mkEnableOption (lib.mdDoc "flannel networking"); + + openFirewallPorts = mkOption { + description = lib.mdDoc '' + Whether to open the Flannel UDP ports in the firewall on all interfaces.''; + type = types.bool; + default = true; + }; }; ###### implementation @@ -38,7 +45,7 @@ in }; networking = { - firewall.allowedUDPPorts = [ + firewall.allowedUDPPorts = mkIf cfg.openFirewallPorts [ 8285 # flannel udp 8472 # flannel vxlan ]; diff --git a/nixpkgs/nixos/modules/services/cluster/spark/default.nix b/nixpkgs/nixos/modules/services/cluster/spark/default.nix index 2e3914a734be..b3e1ac399ae9 100644 --- a/nixpkgs/nixos/modules/services/cluster/spark/default.nix +++ b/nixpkgs/nixos/modules/services/cluster/spark/default.nix @@ -69,8 +69,8 @@ with lib; confDir = mkOption { type = types.path; description = lib.mdDoc "Spark configuration directory. Spark will use the configuration files (spark-defaults.conf, spark-env.sh, log4j.properties, etc) from this directory."; - default = "${cfg.package}/lib/${cfg.package.untarDir}/conf"; - defaultText = literalExpression ''"''${package}/lib/''${package.untarDir}/conf"''; + default = "${cfg.package}/conf"; + defaultText = literalExpression ''"''${package}/conf"''; }; logDir = mkOption { type = types.path; @@ -111,9 +111,9 @@ with lib; Type = "forking"; User = "spark"; Group = "spark"; - WorkingDirectory = "${cfg.package}/lib/${cfg.package.untarDir}"; - ExecStart = "${cfg.package}/lib/${cfg.package.untarDir}/sbin/start-master.sh"; - ExecStop = "${cfg.package}/lib/${cfg.package.untarDir}/sbin/stop-master.sh"; + WorkingDirectory = "${cfg.package}/"; + ExecStart = "${cfg.package}/sbin/start-master.sh"; + ExecStop = "${cfg.package}/sbin/stop-master.sh"; TimeoutSec = 300; StartLimitBurst=10; Restart = "always"; @@ -134,9 +134,9 @@ with lib; serviceConfig = { Type = "forking"; User = "spark"; - WorkingDirectory = "${cfg.package}/lib/${cfg.package.untarDir}"; - ExecStart = "${cfg.package}/lib/${cfg.package.untarDir}/sbin/start-worker.sh spark://${cfg.worker.master}"; - ExecStop = "${cfg.package}/lib/${cfg.package.untarDir}/sbin/stop-worker.sh"; + WorkingDirectory = "${cfg.package}/"; + ExecStart = "${cfg.package}/sbin/start-worker.sh spark://${cfg.worker.master}"; + ExecStop = "${cfg.package}/sbin/stop-worker.sh"; TimeoutSec = 300; StartLimitBurst=10; Restart = "always"; diff --git a/nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix b/nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix index e96743784e04..d69cf4587aab 100644 --- a/nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix +++ b/nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix @@ -236,6 +236,7 @@ in { serviceConfig = { User = cfg.user; + StateDirectory = mkIf (hasPrefix "/var/lib/jenkins" cfg.home) "jenkins"; }; }; }; diff --git a/nixpkgs/nixos/modules/services/databases/postgresql.md b/nixpkgs/nixos/modules/services/databases/postgresql.md index e5e0b7efec29..7d141f12b5de 100644 --- a/nixpkgs/nixos/modules/services/databases/postgresql.md +++ b/nixpkgs/nixos/modules/services/databases/postgresql.md @@ -258,7 +258,7 @@ postgresql_15.pkgs.pg_partman postgresql_15.pkgs.pgroonga To add plugins via NixOS configuration, set `services.postgresql.extraPlugins`: ``` services.postgresql.package = pkgs.postgresql_12; -services.postgresql.extraPlugins = with pkgs.postgresql_12.pkgs; [ +services.postgresql.extraPlugins = ps: with ps; [ pg_repack postgis ]; diff --git a/nixpkgs/nixos/modules/services/databases/postgresql.nix b/nixpkgs/nixos/modules/services/databases/postgresql.nix index 690f2d85a4c9..ed5915735730 100644 --- a/nixpkgs/nixos/modules/services/databases/postgresql.nix +++ b/nixpkgs/nixos/modules/services/databases/postgresql.nix @@ -18,7 +18,7 @@ let in if cfg.extraPlugins == [] then base - else base.withPackages (_: cfg.extraPlugins); + else base.withPackages cfg.extraPlugins; toStr = value: if true == value then "yes" @@ -391,12 +391,11 @@ in }; extraPlugins = mkOption { - type = types.listOf types.path; - default = []; - example = literalExpression "with pkgs.postgresql_15.pkgs; [ postgis pg_repack ]"; + type = with types; coercedTo (listOf path) (path: _ignorePg: path) (functionTo (listOf path)); + default = _: []; + example = literalExpression "ps: with ps; [ postgis pg_repack ]"; description = lib.mdDoc '' - List of PostgreSQL plugins. PostgreSQL version for each plugin should - match version for `services.postgresql.package` value. + List of PostgreSQL plugins. ''; }; @@ -405,7 +404,7 @@ in default = {}; description = lib.mdDoc '' PostgreSQL configuration. Refer to - <https://www.postgresql.org/docs/15/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE> + <https://www.postgresql.org/docs/current/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE> for an overview of `postgresql.conf`. ::: {.note} diff --git a/nixpkgs/nixos/modules/services/desktops/flatpak.nix b/nixpkgs/nixos/modules/services/desktops/flatpak.nix index d99faf381e01..4c26e6874023 100644 --- a/nixpkgs/nixos/modules/services/desktops/flatpak.nix +++ b/nixpkgs/nixos/modules/services/desktops/flatpak.nix @@ -35,6 +35,7 @@ in { services.dbus.packages = [ pkgs.flatpak ]; systemd.packages = [ pkgs.flatpak ]; + systemd.tmpfiles.packages = [ pkgs.flatpak ]; environment.profiles = [ "$HOME/.local/share/flatpak/exports" diff --git a/nixpkgs/nixos/modules/services/development/zammad.nix b/nixpkgs/nixos/modules/services/development/zammad.nix index 87aceddd6635..c084d6541ad3 100644 --- a/nixpkgs/nixos/modules/services/development/zammad.nix +++ b/nixpkgs/nixos/modules/services/development/zammad.nix @@ -21,6 +21,7 @@ let NODE_ENV = "production"; RAILS_SERVE_STATIC_FILES = "true"; RAILS_LOG_TO_STDOUT = "true"; + REDIS_URL = "redis://${cfg.redis.host}:${toString cfg.redis.port}"; }; databaseConfig = settingsFormat.generate "database.yml" cfg.database.settings; in @@ -65,6 +66,36 @@ in description = lib.mdDoc "Websocket service port."; }; + redis = { + createLocally = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc "Whether to create a local redis automatically."; + }; + + name = mkOption { + type = types.str; + default = "zammad"; + description = lib.mdDoc '' + Name of the redis server. Only used if `createLocally` is set to true. + ''; + }; + + host = mkOption { + type = types.str; + default = "localhost"; + description = lib.mdDoc '' + Redis server address. + ''; + }; + + port = mkOption { + type = types.port; + default = 6379; + description = lib.mdDoc "Port of the redis server."; + }; + }; + database = { type = mkOption { type = types.enum [ "PostgreSQL" "MySQL" ]; @@ -206,6 +237,10 @@ in assertion = cfg.database.createLocally -> cfg.database.passwordFile == null; message = "a password cannot be specified if services.zammad.database.createLocally is set to true"; } + { + assertion = cfg.redis.createLocally -> cfg.redis.host == "localhost"; + message = "the redis host must be localhost if services.zammad.redis.createLocally is set to true"; + } ]; services.mysql = optionalAttrs (cfg.database.createLocally && cfg.database.type == "MySQL") { @@ -231,6 +266,13 @@ in ]; }; + services.redis = optionalAttrs cfg.redis.createLocally { + servers."${cfg.redis.name}" = { + enable = true; + port = cfg.redis.port; + }; + }; + systemd.services.zammad-web = { inherit environment; serviceConfig = serviceConfig // { @@ -240,6 +282,8 @@ in after = [ "network.target" "postgresql.service" + ] ++ optionals cfg.redis.createLocally [ + "redis-${cfg.redis.name}.service" ]; requires = [ "postgresql.service" @@ -303,16 +347,15 @@ in script = "./script/websocket-server.rb -b ${cfg.host} -p ${toString cfg.websocketPort} start"; }; - systemd.services.zammad-scheduler = { - inherit environment; - serviceConfig = serviceConfig // { Type = "forking"; }; + systemd.services.zammad-worker = { + inherit serviceConfig environment; after = [ "zammad-web.service" ]; requires = [ "zammad-web.service" ]; - description = "Zammad scheduler"; + description = "Zammad background worker"; wantedBy = [ "multi-user.target" ]; - script = "./script/scheduler.rb start"; + script = "./script/background-worker.rb start"; }; }; - meta.maintainers = with lib.maintainers; [ garbas taeer ]; + meta.maintainers = with lib.maintainers; [ taeer netali ]; } diff --git a/nixpkgs/nixos/modules/services/display-managers/greetd.nix b/nixpkgs/nixos/modules/services/display-managers/greetd.nix index 779e141ca24b..2212f97a9ffe 100644 --- a/nixpkgs/nixos/modules/services/display-managers/greetd.nix +++ b/nixpkgs/nixos/modules/services/display-managers/greetd.nix @@ -4,7 +4,7 @@ with lib; let cfg = config.services.greetd; tty = "tty${toString cfg.vt}"; - settingsFormat = pkgs.formats.toml {}; + settingsFormat = pkgs.formats.toml { }; in { options.services.greetd = { @@ -27,7 +27,7 @@ in ''; }; - vt = mkOption { + vt = mkOption { type = types.int; default = 1; description = lib.mdDoc '' @@ -97,12 +97,18 @@ in systemd.defaultUnit = "graphical.target"; + # Create directories potentially required by supported greeters + # See https://github.com/NixOS/nixpkgs/issues/248323 + systemd.tmpfiles.rules = [ + "d '/var/cache/tuigreet' - greeter greeter - -" + ]; + users.users.greeter = { isSystemUser = true; group = "greeter"; }; - users.groups.greeter = {}; + users.groups.greeter = { }; }; meta.maintainers = with maintainers; [ queezle ]; diff --git a/nixpkgs/nixos/modules/services/games/teeworlds.nix b/nixpkgs/nixos/modules/services/games/teeworlds.nix index ffef440330c4..bd0df1ffca57 100644 --- a/nixpkgs/nixos/modules/services/games/teeworlds.nix +++ b/nixpkgs/nixos/modules/services/games/teeworlds.nix @@ -100,7 +100,7 @@ in serviceConfig = { DynamicUser = true; - ExecStart = "${pkgs.teeworlds}/bin/teeworlds_srv -f ${teeworldsConf}"; + ExecStart = "${pkgs.teeworlds-server}/bin/teeworlds_srv -f ${teeworldsConf}"; # Hardening CapabilityBoundingSet = false; diff --git a/nixpkgs/nixos/modules/services/hardware/power-profiles-daemon.nix b/nixpkgs/nixos/modules/services/hardware/power-profiles-daemon.nix index 101da01b4a71..1d84bf8ac937 100644 --- a/nixpkgs/nixos/modules/services/hardware/power-profiles-daemon.nix +++ b/nixpkgs/nixos/modules/services/hardware/power-profiles-daemon.nix @@ -1,10 +1,7 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.services.power-profiles-daemon; - package = pkgs.power-profiles-daemon; in { @@ -15,8 +12,8 @@ in services.power-profiles-daemon = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = lib.mdDoc '' Whether to enable power-profiles-daemon, a DBus daemon that allows @@ -24,6 +21,8 @@ in ''; }; + package = lib.mkPackageOption pkgs "power-profiles-daemon" { }; + }; }; @@ -31,7 +30,7 @@ in ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { assertions = [ { assertion = !config.services.tlp.enable; @@ -42,13 +41,13 @@ in } ]; - environment.systemPackages = [ package ]; + environment.systemPackages = [ cfg.package ]; - services.dbus.packages = [ package ]; + services.dbus.packages = [ cfg.package ]; - services.udev.packages = [ package ]; + services.udev.packages = [ cfg.package ]; - systemd.packages = [ package ]; + systemd.packages = [ cfg.package ]; }; diff --git a/nixpkgs/nixos/modules/services/hardware/udev.nix b/nixpkgs/nixos/modules/services/hardware/udev.nix index 08ca7a0d247d..311f60795bae 100644 --- a/nixpkgs/nixos/modules/services/hardware/udev.nix +++ b/nixpkgs/nixos/modules/services/hardware/udev.nix @@ -222,6 +222,9 @@ in description = lib.mdDoc '' Packages added to the {env}`PATH` environment variable when executing programs from Udev rules. + + coreutils, gnu{sed,grep}, util-linux and config.systemd.package are + automatically included. ''; }; diff --git a/nixpkgs/nixos/modules/services/home-automation/home-assistant.nix b/nixpkgs/nixos/modules/services/home-automation/home-assistant.nix index 6aa0ae9eba47..2a6b07c6f1a6 100644 --- a/nixpkgs/nixos/modules/services/home-automation/home-assistant.nix +++ b/nixpkgs/nixos/modules/services/home-automation/home-assistant.nix @@ -11,14 +11,12 @@ let # options shown in settings. # We post-process the result to add support for YAML functions, like secrets or includes, see e.g. # https://www.home-assistant.io/docs/configuration/secrets/ - filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [ null ])) cfg.config or {}; + filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [ null ])) (lib.recursiveUpdate customLovelaceModulesResources (cfg.config or {})); configFile = pkgs.runCommandLocal "configuration.yaml" { } '' cp ${format.generate "configuration.yaml" filteredConfig} $out sed -i -e "s/'\!\([a-z_]\+\) \(.*\)'/\!\1 \2/;s/^\!\!/\!/;" $out ''; - lovelaceConfig = if (cfg.lovelaceConfig == null) then {} - else (lib.recursiveUpdate customLovelaceModulesResources cfg.lovelaceConfig); - lovelaceConfigFile = format.generate "ui-lovelace.yaml" lovelaceConfig; + lovelaceConfigFile = format.generate "ui-lovelace.yaml" cfg.lovelaceConfig; # Components advertised by the home-assistant package availableComponents = cfg.package.availableComponents; @@ -77,7 +75,7 @@ let # Create parts of the lovelace config that reference lovelave modules as resources customLovelaceModulesResources = { lovelace.resources = map (card: { - url = "/local/nixos-lovelace-modules/${card.entrypoint or card.pname}.js?${card.version}"; + url = "/local/nixos-lovelace-modules/${card.entrypoint or (card.pname + ".js")}?${card.version}"; type = "module"; }) cfg.customLovelaceModules; }; @@ -159,7 +157,7 @@ in { default = []; example = literalExpression '' with pkgs.home-assistant-custom-components; [ - prometheus-sensor + prometheus_sensor ]; ''; description = lib.mdDoc '' @@ -525,7 +523,6 @@ in { "bluetooth_tracker" "bthome" "default_config" - "eq3btsmart" "eufylife_ble" "esphome" "fjaraskupan" diff --git a/nixpkgs/nixos/modules/services/logging/vector.nix b/nixpkgs/nixos/modules/services/logging/vector.nix index 48f9eeb4ce8f..9ccf8a4fa061 100644 --- a/nixpkgs/nixos/modules/services/logging/vector.nix +++ b/nixpkgs/nixos/modules/services/logging/vector.nix @@ -51,13 +51,17 @@ in { ExecStart = "${getExe cfg.package} --config ${validateConfig conf}"; DynamicUser = true; - Restart = "no"; + Restart = "always"; StateDirectory = "vector"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; AmbientCapabilities = "CAP_NET_BIND_SERVICE"; # This group is required for accessing journald. SupplementaryGroups = mkIf cfg.journaldAccess "systemd-journal"; }; + unitConfig = { + StartLimitIntervalSec = 10; + StartLimitBurst = 5; + }; }; }; } diff --git a/nixpkgs/nixos/modules/services/matrix/maubot.nix b/nixpkgs/nixos/modules/services/matrix/maubot.nix index 7d392c22983b..bc96ca03b1fc 100644 --- a/nixpkgs/nixos/modules/services/matrix/maubot.nix +++ b/nixpkgs/nixos/modules/services/matrix/maubot.nix @@ -42,7 +42,7 @@ let database = lib.last (lib.splitString "/" noSchema); }; - postgresDBs = [ + postgresDBs = builtins.filter isPostgresql [ cfg.settings.database cfg.settings.crypto_database cfg.settings.plugin_databases.postgres diff --git a/nixpkgs/nixos/modules/services/matrix/synapse.md b/nixpkgs/nixos/modules/services/matrix/synapse.md index 58be24204fcf..f270be8c8d78 100644 --- a/nixpkgs/nixos/modules/services/matrix/synapse.md +++ b/nixpkgs/nixos/modules/services/matrix/synapse.md @@ -16,13 +16,13 @@ around Matrix. ## Synapse Homeserver {#module-services-matrix-synapse} -[Synapse](https://github.com/matrix-org/synapse) is +[Synapse](https://github.com/element-hq/synapse) is the reference homeserver implementation of Matrix from the core development team at matrix.org. The following configuration example will set up a synapse server for the `example.org` domain, served from the host `myhostname.example.org`. For more information, please refer to the -[installation instructions of Synapse](https://matrix-org.github.io/synapse/latest/setup/installation.html) . +[installation instructions of Synapse](https://element-hq.github.io/synapse/latest/setup/installation.html) . ``` { pkgs, lib, config, ... }: let @@ -70,7 +70,7 @@ in { # the domain (i.e. example.org from @foo:example.org) and the federation port # is 8448. # Further reference can be found in the docs about delegation under - # https://matrix-org.github.io/synapse/latest/delegate.html + # https://element-hq.github.io/synapse/latest/delegate.html locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; # This is usually needed for homeserver discovery (from e.g. other Matrix clients). # Further reference can be found in the upstream docs at @@ -169,7 +169,7 @@ in an additional file like this: ::: {.note} It's also possible to user alternative authentication mechanism such as [LDAP (via `matrix-synapse-ldap3`)](https://github.com/matrix-org/matrix-synapse-ldap3) -or [OpenID](https://matrix-org.github.io/synapse/latest/openid.html). +or [OpenID](https://element-hq.github.io/synapse/latest/openid.html). ::: ## Element (formerly known as Riot) Web Client {#module-services-matrix-element-web} diff --git a/nixpkgs/nixos/modules/services/matrix/synapse.nix b/nixpkgs/nixos/modules/services/matrix/synapse.nix index 9cc769c2d0db..50019d2a25cb 100644 --- a/nixpkgs/nixos/modules/services/matrix/synapse.nix +++ b/nixpkgs/nixos/modules/services/matrix/synapse.nix @@ -446,7 +446,7 @@ in { default = { }; description = mdDoc '' The primary synapse configuration. See the - [sample configuration](https://github.com/matrix-org/synapse/blob/v${pkgs.matrix-synapse-unwrapped.version}/docs/sample_config.yaml) + [sample configuration](https://github.com/element-hq/synapse/blob/v${pkgs.matrix-synapse-unwrapped.version}/docs/sample_config.yaml) for possible values. Secrets should be passed in by using the `extraConfigFiles` option. @@ -749,7 +749,7 @@ in { by the module, but in practice it broke on runtime and as a result, no URL preview worked anywhere if this was set. - See https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#url_preview_url_blacklist + See https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#url_preview_url_blacklist on how to configure it properly. '')) (types.attrsOf types.str)); @@ -873,7 +873,7 @@ in { Redis configuration for synapse. See the - [upstream documentation](https://github.com/matrix-org/synapse/blob/v${pkgs.matrix-synapse-unwrapped.version}/usage/configuration/config_documentation.md#redis) + [upstream documentation](https://github.com/element-hq/synapse/blob/v${pkgs.matrix-synapse-unwrapped.version}/docs/usage/configuration/config_documentation.md#redis) for available options. ''; }; @@ -886,7 +886,7 @@ in { description = lib.mdDoc '' Options for configuring workers. Worker support will be enabled if at least one worker is configured here. - See the [worker documention](https://matrix-org.github.io/synapse/latest/workers.html#worker-configuration) + See the [worker documention](https://element-hq.github.io/synapse/latest/workers.html#worker-configuration) for possible options for each worker. Worker-specific options overriding the shared homeserver configuration can be specified here for each worker. @@ -900,9 +900,9 @@ in { using [`services.matrix-synapse.configureRedisLocally`](#opt-services.matrix-synapse.configureRedisLocally). Workers also require a proper reverse proxy setup to direct incoming requests to the appropriate process. See - the [reverse proxy documentation](https://matrix-org.github.io/synapse/latest/reverse_proxy.html) for a + the [reverse proxy documentation](https://element-hq.github.io/synapse/latest/reverse_proxy.html) for a general reverse proxying setup and - the [worker documentation](https://matrix-org.github.io/synapse/latest/workers.html#available-worker-applications) + the [worker documentation](https://element-hq.github.io/synapse/latest/workers.html#available-worker-applications) for the available endpoints per worker application. ::: ''; @@ -932,7 +932,7 @@ in { The file for log configuration. See the [python documentation](https://docs.python.org/3/library/logging.config.html#configuration-dictionary-schema) - for the schema and the [upstream repository](https://github.com/matrix-org/synapse/blob/v${pkgs.matrix-synapse-unwrapped.version}/docs/sample_log_config.yaml) + for the schema and the [upstream repository](https://github.com/element-hq/synapse/blob/v${pkgs.matrix-synapse-unwrapped.version}/docs/sample_log_config.yaml) for an example. ''; }; diff --git a/nixpkgs/nixos/modules/services/misc/guix/default.nix b/nixpkgs/nixos/modules/services/misc/guix/default.nix index 00e84dc74554..3e1a212693b9 100644 --- a/nixpkgs/nixos/modules/services/misc/guix/default.nix +++ b/nixpkgs/nixos/modules/services/misc/guix/default.nix @@ -265,7 +265,7 @@ in linkProfileToPath = acc: profile: location: let guixProfile = "${cfg.stateDir}/guix/profiles/per-user/\${USER}/${profile}"; in acc + '' - [ -d "${guixProfile}" ] && ln -sf "${guixProfile}" "${location}" + [ -d "${guixProfile}" ] && [ -L "${location}" ] || ln -sf "${guixProfile}" "${location}" ''; activationScript = lib.foldlAttrs linkProfileToPath "" guixUserProfiles; @@ -373,7 +373,6 @@ in serviceConfig = { Type = "oneshot"; - MemoryDenyWriteExecute = true; PrivateDevices = true; PrivateNetworks = true; ProtectControlGroups = true; diff --git a/nixpkgs/nixos/modules/services/misc/tandoor-recipes.nix b/nixpkgs/nixos/modules/services/misc/tandoor-recipes.nix index 2d7d29b2e717..6c51a9bb8555 100644 --- a/nixpkgs/nixos/modules/services/misc/tandoor-recipes.nix +++ b/nixpkgs/nixos/modules/services/misc/tandoor-recipes.nix @@ -12,7 +12,7 @@ let DEBUG_TOOLBAR = "0"; MEDIA_ROOT = "/var/lib/tandoor-recipes"; } // optionalAttrs (config.time.timeZone != null) { - TIMEZONE = config.time.timeZone; + TZ = config.time.timeZone; } // ( lib.mapAttrs (_: toString) cfg.extraConfig ); diff --git a/nixpkgs/nixos/modules/services/monitoring/grafana.nix b/nixpkgs/nixos/modules/services/monitoring/grafana.nix index 62c50490ee99..5ac010bf81ee 100644 --- a/nixpkgs/nixos/modules/services/monitoring/grafana.nix +++ b/nixpkgs/nixos/modules/services/monitoring/grafana.nix @@ -74,7 +74,7 @@ let fi ''; provisionConfDir = pkgs.runCommand "grafana-provisioning" { nativeBuildInputs = [ pkgs.xorg.lndir ]; } '' - mkdir -p $out/{datasources,dashboards,notifiers,alerting} + mkdir -p $out/{alerting,datasources,dashboards,notifiers,plugins} ${ln { src = datasourceFileOrDir; dir = "datasources"; filename = "datasource"; }} ${ln { src = dashboardFileOrDir; dir = "dashboards"; filename = "dashboard"; }} ${ln { src = notifierFileOrDir; dir = "notifiers"; filename = "notifier"; }} @@ -1831,7 +1831,7 @@ in set -o errexit -o pipefail -o nounset -o errtrace shopt -s inherit_errexit - exec ${cfg.package}/bin/grafana-server -homepath ${cfg.dataDir} -config ${configFile} + exec ${cfg.package}/bin/grafana server -homepath ${cfg.dataDir} -config ${configFile} ''; serviceConfig = { WorkingDirectory = cfg.dataDir; diff --git a/nixpkgs/nixos/modules/services/monitoring/netdata.nix b/nixpkgs/nixos/modules/services/monitoring/netdata.nix index 78b12537e27f..ec6aa5615039 100644 --- a/nixpkgs/nixos/modules/services/monitoring/netdata.nix +++ b/nixpkgs/nixos/modules/services/monitoring/netdata.nix @@ -198,6 +198,7 @@ in { } ]; + services.netdata.configDir.".opt-out-from-anonymous-statistics" = mkIf (!cfg.enableAnalyticsReporting) (pkgs.writeText ".opt-out-from-anonymous-statistics" ""); environment.etc."netdata/netdata.conf".source = configFile; environment.etc."netdata/conf.d".source = configDirectory; diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix index 90ea56658b02..b4ac8e21451a 100644 --- a/nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix @@ -41,12 +41,12 @@ let # This becomes the main config file for Prometheus promConfig = { global = filterValidPrometheus cfg.globalConfig; - rule_files = map (promtoolCheck "check rules" "rules") (cfg.ruleFiles ++ [ - (pkgs.writeText "prometheus.rules" (concatStringsSep "\n" cfg.rules)) - ]); scrape_configs = filterValidPrometheus cfg.scrapeConfigs; remote_write = filterValidPrometheus cfg.remoteWrite; remote_read = filterValidPrometheus cfg.remoteRead; + rule_files = optionals (!(cfg.enableAgentMode)) (map (promtoolCheck "check rules" "rules") (cfg.ruleFiles ++ [ + (pkgs.writeText "prometheus.rules" (concatStringsSep "\n" cfg.rules)) + ])); alerting = { inherit (cfg) alertmanagers; }; @@ -62,15 +62,20 @@ let promtoolCheck "check config ${lib.optionalString (cfg.checkConfig == "syntax-only") "--syntax-only"}" "prometheus.yml" yml; cmdlineArgs = cfg.extraFlags ++ [ - "--storage.tsdb.path=${workingDir}/data/" "--config.file=${ if cfg.enableReload then "/etc/prometheus/prometheus.yaml" else prometheusYml }" "--web.listen-address=${cfg.listenAddress}:${builtins.toString cfg.port}" - "--alertmanager.notification-queue-capacity=${toString cfg.alertmanagerNotificationQueueCapacity}" - ] ++ optional (cfg.webExternalUrl != null) "--web.external-url=${cfg.webExternalUrl}" + ] ++ ( + if (cfg.enableAgentMode) then [ + "--enable-feature=agent" + ] else [ + "--alertmanager.notification-queue-capacity=${toString cfg.alertmanagerNotificationQueueCapacity }" + "--storage.tsdb.path=${workingDir}/data/" + ]) + ++ optional (cfg.webExternalUrl != null) "--web.external-url=${cfg.webExternalUrl}" ++ optional (cfg.retentionTime != null) "--storage.tsdb.retention.time=${cfg.retentionTime}" ++ optional (cfg.webConfigFile != null) "--web.config.file=${cfg.webConfigFile}"; @@ -1430,6 +1435,10 @@ let remote_timeout = mkOpt types.str '' Timeout for requests to the remote write endpoint. ''; + headers = mkOpt (types.attrsOf types.str) '' + Custom HTTP headers to be sent along with each remote write request. + Be aware that headers that are set by Prometheus itself can't be overwritten. + ''; write_relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' List of remote write relabel configurations. ''; @@ -1525,6 +1534,10 @@ let remote_timeout = mkOpt types.str '' Timeout for requests to the remote read endpoint. ''; + headers = mkOpt (types.attrsOf types.str) '' + Custom HTTP headers to be sent along with each remote read request. + Be aware that headers that are set by Prometheus itself can't be overwritten. + ''; read_recent = mkOpt types.bool '' Whether reads should be made for queries for time ranges that the local storage should have complete data for. @@ -1612,6 +1625,8 @@ in ''; }; + enableAgentMode = mkEnableOption (lib.mdDoc "agent mode"); + configText = mkOption { type = types.nullOr types.lines; default = null; diff --git a/nixpkgs/nixos/modules/services/monitoring/ups.nix b/nixpkgs/nixos/modules/services/monitoring/ups.nix index efef2d777acd..c9dda8a8c093 100644 --- a/nixpkgs/nixos/modules/services/monitoring/ups.nix +++ b/nixpkgs/nixos/modules/services/monitoring/ups.nix @@ -6,9 +6,83 @@ with lib; let cfg = config.power.ups; -in + defaultPort = 3493; + + nutFormat = { + + type = with lib.types; let + + singleAtom = nullOr (oneOf [ + bool + int + float + str + ]) // { + description = "atom (null, bool, int, float or string)"; + }; + + in attrsOf (oneOf [ + singleAtom + (listOf (nonEmptyListOf singleAtom)) + ]); + + generate = name: value: + let + normalizedValue = + lib.mapAttrs (key: val: + if lib.isList val + then forEach val (elem: if lib.isList elem then elem else [elem]) + else + if val == null + then [] + else [[val]] + ) value; + + mkValueString = concatMapStringsSep " " (v: + let str = generators.mkValueStringDefault {} v; + in + # Quote the value if it has spaces and isn't already quoted. + if (hasInfix " " str) && !(hasPrefix "\"" str && hasSuffix "\"" str) + then "\"${str}\"" + else str + ); + + in pkgs.writeText name (lib.generators.toKeyValue { + mkKeyValue = generators.mkKeyValueDefault { inherit mkValueString; } " "; + listsAsDuplicateKeys = true; + } normalizedValue); + + }; + + installSecrets = source: target: secrets: + pkgs.writeShellScript "installSecrets.sh" '' + install -m0600 -D ${source} "${target}" + ${concatLines (forEach secrets (name: '' + ${pkgs.replace-secret}/bin/replace-secret \ + '@${name}@' \ + "$CREDENTIALS_DIRECTORY/${name}" \ + "${target}" + ''))} + chmod u-w "${target}" + ''; + + upsmonConf = nutFormat.generate "upsmon.conf" cfg.upsmon.settings; + + upsdUsers = pkgs.writeText "upsd.users" (let + # This looks like INI, but it's not quite because the + # 'upsmon' option lacks a '='. See: man upsd.users + userConfig = name: user: concatStringsSep "\n " (concatLists [ + [ + "[${name}]" + "password = \"@upsdusers_password_${name}@\"" + ] + (optional (user.upsmon != null) "upsmon ${user.upsmon}") + (forEach user.actions (action: "actions = ${action}")) + (forEach user.instcmds (instcmd: "instcmds = ${instcmd}")) + ]); + in concatStringsSep "\n\n" (mapAttrsToList userConfig cfg.users)); + -let upsOptions = {name, config, ...}: { options = { @@ -95,6 +169,213 @@ let }; }; + listenOptions = { + options = { + address = mkOption { + type = types.str; + description = lib.mdDoc '' + Address of the interface for `upsd` to listen on. + See `man upsd.conf` for details. + ''; + }; + + port = mkOption { + type = types.port; + default = defaultPort; + description = lib.mdDoc '' + TCP port for `upsd` to listen on. + See `man upsd.conf` for details. + ''; + }; + }; + }; + + upsdOptions = { + options = { + enable = mkOption { + type = types.bool; + defaultText = literalMD "`true` if `mode` is one of `standalone`, `netserver`"; + description = mdDoc "Whether to enable `upsd`."; + }; + + listen = mkOption { + type = with types; listOf (submodule listenOptions); + default = []; + example = [ + { + address = "192.168.50.1"; + } + { + address = "::1"; + port = 5923; + } + ]; + description = lib.mdDoc '' + Address of the interface for `upsd` to listen on. + See `man upsd` for details`. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = lib.mdDoc '' + Additional lines to add to `upsd.conf`. + ''; + }; + }; + + config = { + enable = mkDefault (elem cfg.mode [ "standalone" "netserver" ]); + }; + }; + + + monitorOptions = { name, config, ... }: { + options = { + system = mkOption { + type = types.str; + default = name; + description = lib.mdDoc '' + Identifier of the UPS to monitor, in this form: `<upsname>[@<hostname>[:<port>]]` + See `upsmon.conf` for details. + ''; + }; + + powerValue = mkOption { + type = types.int; + default = 1; + description = lib.mdDoc '' + Number of power supplies that the UPS feeds on this system. + See `upsmon.conf` for details. + ''; + }; + + user = mkOption { + type = types.str; + description = lib.mdDoc '' + Username from `upsd.users` for accessing this UPS. + See `upsmon.conf` for details. + ''; + }; + + passwordFile = mkOption { + type = types.str; + defaultText = literalMD "power.ups.users.\${user}.passwordFile"; + description = lib.mdDoc '' + The full path to a file containing the password from + `upsd.users` for accessing this UPS. The password file + is read on service start. + See `upsmon.conf` for details. + ''; + }; + + type = mkOption { + type = types.str; + default = "master"; + description = lib.mdDoc '' + The relationship with `upsd`. + See `upsmon.conf` for details. + ''; + }; + }; + + config = { + passwordFile = mkDefault cfg.users.${config.user}.passwordFile; + }; + }; + + upsmonOptions = { + options = { + enable = mkOption { + type = types.bool; + defaultText = literalMD "`true` if `mode` is one of `standalone`, `netserver`, `netclient`"; + description = mdDoc "Whether to enable `upsmon`."; + }; + + monitor = mkOption { + type = with types; attrsOf (submodule monitorOptions); + default = {}; + description = lib.mdDoc '' + Set of UPS to monitor. See `man upsmon.conf` for details. + ''; + }; + + settings = mkOption { + type = nutFormat.type; + default = {}; + defaultText = literalMD '' + { + MINSUPPLIES = 1; + RUN_AS_USER = "root"; + NOTIFYCMD = "''${pkgs.nut}/bin/upssched"; + SHUTDOWNCMD = "''${pkgs.systemd}/bin/shutdown now"; + } + ''; + description = mdDoc "Additional settings to add to `upsmon.conf`."; + example = literalMD '' + { + MINSUPPLIES = 2; + NOTIFYFLAG = [ + [ "ONLINE" "SYSLOG+EXEC" ] + [ "ONBATT" "SYSLOG+EXEC" ] + ]; + } + ''; + }; + }; + + config = { + enable = mkDefault (elem cfg.mode [ "standalone" "netserver" "netclient" ]); + settings = { + RUN_AS_USER = "root"; # TODO: replace 'root' by another username. + MINSUPPLIES = mkDefault 1; + NOTIFYCMD = mkDefault "${pkgs.nut}/bin/upssched"; + SHUTDOWNCMD = mkDefault "${pkgs.systemd}/bin/shutdown now"; + MONITOR = flip mapAttrsToList cfg.upsmon.monitor (name: monitor: with monitor; [ system powerValue user "\"@upsmon_password_${name}@\"" type ]); + }; + }; + }; + + userOptions = { + options = { + passwordFile = mkOption { + type = types.str; + description = lib.mdDoc '' + The full path to a file that contains the user's (clear text) + password. The password file is read on service start. + ''; + }; + + actions = mkOption { + type = with types; listOf str; + default = []; + description = lib.mdDoc '' + Allow the user to do certain things with upsd. + See `man upsd.users` for details. + ''; + }; + + instcmds = mkOption { + type = with types; listOf str; + default = []; + description = lib.mdDoc '' + Let the user initiate specific instant commands. Use "ALL" to grant all commands automatically. For the full list of what your UPS supports, use "upscmd -l". + See `man upsd.users` for details. + ''; + }; + + upsmon = mkOption { + type = with types; nullOr str; + default = null; + description = lib.mdDoc '' + Add the necessary actions for a upsmon process to work. + See `man upsd.users` for details. + ''; + }; + }; + }; + in @@ -103,19 +384,14 @@ in # powerManagement.powerDownCommands power.ups = { - enable = mkOption { - default = false; - type = with types; bool; - description = lib.mdDoc '' - Enables support for Power Devices, such as Uninterruptible Power - Supplies, Power Distribution Units and Solar Controllers. - ''; - }; + enable = mkEnableOption (lib.mdDoc '' + Enables support for Power Devices, such as Uninterruptible Power + Supplies, Power Distribution Units and Solar Controllers. + ''); - # This option is not used yet. mode = mkOption { default = "standalone"; - type = types.str; + type = types.enum [ "none" "standalone" "netserver" "netclient" ]; description = lib.mdDoc '' The MODE determines which part of the NUT is to be started, and which configuration files must be modified. @@ -148,6 +424,13 @@ in ''; }; + openFirewall = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Open ports in the firewall for `upsd`. + ''; + }; maxStartDelay = mkOption { default = 45; @@ -161,6 +444,22 @@ in ''; }; + upsmon = mkOption { + default = {}; + description = lib.mdDoc '' + Options for the `upsmon.conf` configuration file. + ''; + type = types.submodule upsmonOptions; + }; + + upsd = mkOption { + default = {}; + description = lib.mdDoc '' + Options for the `upsd.conf` configuration file. + ''; + type = types.submodule upsdOptions; + }; + ups = mkOption { default = {}; # see nut/etc/ups.conf.sample @@ -172,46 +471,95 @@ in type = with types; attrsOf (submodule upsOptions); }; + users = mkOption { + default = {}; + description = lib.mdDoc '' + Users that can access upsd. See `man upsd.users`. + ''; + type = with types; attrsOf (submodule userOptions); + }; + }; }; config = mkIf cfg.enable { + assertions = [ + (let + totalPowerValue = foldl' add 0 (map (monitor: monitor.powerValue) (attrValues cfg.upsmon.monitor)); + minSupplies = cfg.upsmon.settings.MINSUPPLIES; + in mkIf cfg.upsmon.enable { + assertion = totalPowerValue >= minSupplies; + message = '' + `power.ups.upsmon`: Total configured power value (${toString totalPowerValue}) must be at least MINSUPPLIES (${toString minSupplies}). + ''; + }) + ]; + environment.systemPackages = [ pkgs.nut ]; - systemd.services.upsmon = { + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = + if cfg.upsd.listen == [] + then [ defaultPort ] + else unique (forEach cfg.upsd.listen (listen: listen.port)); + }; + + systemd.services.upsmon = let + secrets = mapAttrsToList (name: monitor: "upsmon_password_${name}") cfg.upsmon.monitor; + createUpsmonConf = installSecrets upsmonConf "/run/nut/upsmon.conf" secrets; + in { + enable = cfg.upsmon.enable; description = "Uninterruptible Power Supplies (Monitor)"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - serviceConfig.Type = "forking"; - script = "${pkgs.nut}/sbin/upsmon"; - environment.NUT_CONFPATH = "/etc/nut/"; - environment.NUT_STATEPATH = "/var/lib/nut/"; + serviceConfig = { + Type = "forking"; + ExecStartPre = "${createUpsmonConf}"; + ExecStart = "${pkgs.nut}/sbin/upsmon"; + ExecReload = "${pkgs.nut}/sbin/upsmon -c reload"; + LoadCredential = mapAttrsToList (name: monitor: "upsmon_password_${name}:${monitor.passwordFile}") cfg.upsmon.monitor; + }; + environment.NUT_CONFPATH = "/etc/nut"; + environment.NUT_STATEPATH = "/var/lib/nut"; }; - systemd.services.upsd = { + systemd.services.upsd = let + secrets = mapAttrsToList (name: user: "upsdusers_password_${name}") cfg.users; + createUpsdUsers = installSecrets upsdUsers "/run/nut/upsd.users" secrets; + in { + enable = cfg.upsd.enable; description = "Uninterruptible Power Supplies (Daemon)"; after = [ "network.target" "upsmon.service" ]; wantedBy = [ "multi-user.target" ]; - serviceConfig.Type = "forking"; - # TODO: replace 'root' by another username. - script = "${pkgs.nut}/sbin/upsd -u root"; - environment.NUT_CONFPATH = "/etc/nut/"; - environment.NUT_STATEPATH = "/var/lib/nut/"; + serviceConfig = { + Type = "forking"; + ExecStartPre = "${createUpsdUsers}"; + # TODO: replace 'root' by another username. + ExecStart = "${pkgs.nut}/sbin/upsd -u root"; + ExecReload = "${pkgs.nut}/sbin/upsd -c reload"; + LoadCredential = mapAttrsToList (name: user: "upsdusers_password_${name}:${user.passwordFile}") cfg.users; + }; + environment.NUT_CONFPATH = "/etc/nut"; + environment.NUT_STATEPATH = "/var/lib/nut"; + restartTriggers = [ + config.environment.etc."nut/upsd.conf".source + ]; }; systemd.services.upsdrv = { + enable = cfg.upsd.enable; description = "Uninterruptible Power Supplies (Register all UPS)"; after = [ "upsd.service" ]; wantedBy = [ "multi-user.target" ]; - # TODO: replace 'root' by another username. - script = "${pkgs.nut}/bin/upsdrvctl -u root start"; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; + # TODO: replace 'root' by another username. + ExecStart = "${pkgs.nut}/bin/upsdrvctl -u root start"; }; - environment.NUT_CONFPATH = "/etc/nut/"; - environment.NUT_STATEPATH = "/var/lib/nut/"; + environment.NUT_CONFPATH = "/etc/nut"; + environment.NUT_STATEPATH = "/var/lib/nut"; }; environment.etc = { @@ -223,24 +571,23 @@ in '' maxstartdelay = ${toString cfg.maxStartDelay} - ${flip concatStringsSep (forEach (attrValues cfg.ups) (ups: ups.summary)) " - - "} + ${concatStringsSep "\n\n" (forEach (attrValues cfg.ups) (ups: ups.summary))} + ''; + "nut/upsd.conf".source = pkgs.writeText "upsd.conf" + '' + ${concatStringsSep "\n" (forEach cfg.upsd.listen (listen: "LISTEN ${listen.address} ${toString listen.port}"))} + ${cfg.upsd.extraConfig} ''; "nut/upssched.conf".source = cfg.schedulerRules; - # These file are containing private information and thus should not - # be stored inside the Nix store. - /* - "nut/upsd.conf".source = ""; - "nut/upsd.users".source = ""; - "nut/upsmon.conf".source = ""; - */ + "nut/upsd.users".source = "/run/nut/upsd.users"; + "nut/upsmon.conf".source = "/run/nut/upsmon.conf"; }; power.ups.schedulerRules = mkDefault "${pkgs.nut}/etc/upssched.conf.sample"; systemd.tmpfiles.rules = [ "d /var/state/ups -" + "d /var/lib/nut 700" ]; diff --git a/nixpkgs/nixos/modules/services/networking/avahi-daemon.nix b/nixpkgs/nixos/modules/services/networking/avahi-daemon.nix index de51843ba6f9..89b30996e8fa 100644 --- a/nixpkgs/nixos/modules/services/networking/avahi-daemon.nix +++ b/nixpkgs/nixos/modules/services/networking/avahi-daemon.nix @@ -42,6 +42,7 @@ in { imports = [ (lib.mkRenamedOptionModule [ "services" "avahi" "interfaces" ] [ "services" "avahi" "allowInterfaces" ]) + (lib.mkRenamedOptionModule [ "services" "avahi" "nssmdns" ] [ "services" "avahi" "nssmdns4" ]) ]; options.services.avahi = { @@ -93,7 +94,7 @@ in ipv6 = mkOption { type = types.bool; - default = config.networking.enableIPv6; + default = false; defaultText = literalExpression "config.networking.enableIPv6"; description = lib.mdDoc "Whether to use IPv6."; }; @@ -218,13 +219,28 @@ in }; }; - nssmdns = mkOption { + nssmdns4 = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to enable the mDNS NSS (Name Service Switch) plug-in for IPv4. + Enabling it allows applications to resolve names in the `.local` + domain by transparently querying the Avahi daemon. + ''; + }; + + nssmdns6 = mkOption { type = types.bool; default = false; description = lib.mdDoc '' - Whether to enable the mDNS NSS (Name Service Switch) plug-in. + Whether to enable the mDNS NSS (Name Service Switch) plug-in for IPv6. Enabling it allows applications to resolve names in the `.local` domain by transparently querying the Avahi daemon. + + ::: {.note} + Due to the fact that most mDNS responders only register local IPv4 addresses, + most user want to leave this option disabled to avoid long timeouts when applications first resolve the none existing IPv6 address. + ::: ''; }; @@ -256,9 +272,18 @@ in users.groups.avahi = { }; - system.nssModules = optional cfg.nssmdns pkgs.nssmdns; - system.nssDatabases.hosts = optionals cfg.nssmdns (mkMerge [ - (mkBefore [ "mdns_minimal [NOTFOUND=return]" ]) # before resolve + system.nssModules = optional (cfg.nssmdns4 || cfg.nssmdns6) pkgs.nssmdns; + system.nssDatabases.hosts = let + mdnsMinimal = if (cfg.nssmdns4 && cfg.nssmdns6) then + "mdns_minimal" + else if (!cfg.nssmdns4 && cfg.nssmdns6) then + "mdns6_minimal" + else if (cfg.nssmdns4 && !cfg.nssmdns6) then + "mdns4_minimal" + else + ""; + in optionals (cfg.nssmdns4 || cfg.nssmdns6) (mkMerge [ + (mkBefore [ "${mdnsMinimal} [NOTFOUND=return]" ]) # before resolve (mkAfter [ "mdns" ]) # after dns ]); diff --git a/nixpkgs/nixos/modules/services/networking/ddclient.nix b/nixpkgs/nixos/modules/services/networking/ddclient.nix index 8f4fb0bc78d4..a67f0c5de9ba 100644 --- a/nixpkgs/nixos/modules/services/networking/ddclient.nix +++ b/nixpkgs/nixos/modules/services/networking/ddclient.nix @@ -126,7 +126,7 @@ with lib; default = "dyndns2"; type = str; description = lib.mdDoc '' - Protocol to use with dynamic DNS provider (see https://sourceforge.net/p/ddclient/wiki/protocols). + Protocol to use with dynamic DNS provider (see https://ddclient.net/protocols.html ). ''; }; diff --git a/nixpkgs/nixos/modules/services/networking/ejabberd.nix b/nixpkgs/nixos/modules/services/networking/ejabberd.nix index b10a3d9f21df..78af256f9c81 100644 --- a/nixpkgs/nixos/modules/services/networking/ejabberd.nix +++ b/nixpkgs/nixos/modules/services/networking/ejabberd.nix @@ -120,6 +120,12 @@ in { if [ -z "$(ls -A '${cfg.spoolDir}')" ]; then touch "${cfg.spoolDir}/.firstRun" fi + + if ! test -e ${cfg.spoolDir}/.erlang.cookie; then + touch ${cfg.spoolDir}/.erlang.cookie + chmod 600 ${cfg.spoolDir}/.erlang.cookie + dd if=/dev/random bs=16 count=1 | base64 > ${cfg.spoolDir}/.erlang.cookie + fi ''; postStart = '' diff --git a/nixpkgs/nixos/modules/services/networking/harmonia.nix b/nixpkgs/nixos/modules/services/networking/harmonia.nix index beaa7d00b6ce..d0f4a8a6e633 100644 --- a/nixpkgs/nixos/modules/services/networking/harmonia.nix +++ b/nixpkgs/nixos/modules/services/networking/harmonia.nix @@ -29,6 +29,11 @@ in config = lib.mkIf cfg.enable { nix.settings.extra-allowed-users = [ "harmonia" ]; + users.users.harmonia = { + isSystemUser = true; + group = "harmonia"; + }; + users.groups.harmonia = { }; systemd.services.harmonia = { description = "harmonia binary cache service"; @@ -50,7 +55,6 @@ in ExecStart = lib.getExe cfg.package; User = "harmonia"; Group = "harmonia"; - DynamicUser = true; PrivateUsers = true; DeviceAllow = [ "" ]; UMask = "0066"; diff --git a/nixpkgs/nixos/modules/services/networking/iwd.nix b/nixpkgs/nixos/modules/services/networking/iwd.nix index b74f5d0bec9b..d46c1a69a619 100644 --- a/nixpkgs/nixos/modules/services/networking/iwd.nix +++ b/nixpkgs/nixos/modules/services/networking/iwd.nix @@ -64,8 +64,10 @@ in }; systemd.services.iwd = { + path = [ config.networking.resolvconf.package ]; wantedBy = [ "multi-user.target" ]; restartTriggers = [ configFile ]; + serviceConfig.ReadWritePaths = "-/etc/resolv.conf"; }; }; diff --git a/nixpkgs/nixos/modules/services/networking/jigasi.nix b/nixpkgs/nixos/modules/services/networking/jigasi.nix new file mode 100644 index 000000000000..e701689031b1 --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/jigasi.nix @@ -0,0 +1,237 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.jigasi; + homeDirName = "jigasi-home"; + stateDir = "/tmp"; + sipCommunicatorPropertiesFile = "${stateDir}/${homeDirName}/sip-communicator.properties"; + sipCommunicatorPropertiesFileUnsubstituted = "${pkgs.jigasi}/etc/jitsi/jigasi/sip-communicator.properties"; +in +{ + options.services.jigasi = with types; { + enable = mkEnableOption "Jitsi Gateway to SIP - component of Jitsi Meet"; + + xmppHost = mkOption { + type = str; + example = "localhost"; + description = '' + Hostname of the XMPP server to connect to. + ''; + }; + + xmppDomain = mkOption { + type = nullOr str; + example = "meet.example.org"; + description = '' + Domain name of the XMMP server to which to connect as a component. + + If null, <option>xmppHost</option> is used. + ''; + }; + + componentPasswordFile = mkOption { + type = str; + example = "/run/keys/jigasi-component"; + description = '' + Path to file containing component secret. + ''; + }; + + userName = mkOption { + type = str; + default = "callcontrol"; + description = '' + User part of the JID for XMPP user connection. + ''; + }; + + userDomain = mkOption { + type = str; + example = "internal.meet.example.org"; + description = '' + Domain part of the JID for XMPP user connection. + ''; + }; + + userPasswordFile = mkOption { + type = str; + example = "/run/keys/jigasi-user"; + description = '' + Path to file containing password for XMPP user connection. + ''; + }; + + bridgeMuc = mkOption { + type = str; + example = "jigasibrewery@internal.meet.example.org"; + description = '' + JID of the internal MUC used to communicate with Videobridges. + ''; + }; + + defaultJvbRoomName = mkOption { + type = str; + default = ""; + example = "siptest"; + description = '' + Name of the default JVB room that will be joined if no special header is included in SIP invite. + ''; + }; + + environmentFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + File containing environment variables to be passed to the jigasi service, + in which secret tokens can be specified securely by defining values for + <literal>JIGASI_SIPUSER</literal>, + <literal>JIGASI_SIPPWD</literal>, + <literal>JIGASI_SIPSERVER</literal> and + <literal>JIGASI_SIPPORT</literal>. + ''; + }; + + config = mkOption { + type = attrsOf str; + default = { }; + example = literalExpression '' + { + "org.jitsi.jigasi.auth.URL" = "XMPP:jitsi-meet.example.com"; + } + ''; + description = '' + Contents of the <filename>sip-communicator.properties</filename> configuration file for jigasi. + ''; + }; + }; + + config = mkIf cfg.enable { + services.jicofo.config = { + "org.jitsi.jicofo.jigasi.BREWERY" = "${cfg.bridgeMuc}"; + }; + + services.jigasi.config = mapAttrs (_: v: mkDefault v) { + "org.jitsi.jigasi.BRIDGE_MUC" = cfg.bridgeMuc; + }; + + users.groups.jitsi-meet = {}; + + systemd.services.jigasi = let + jigasiProps = { + "-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION" = "${stateDir}"; + "-Dnet.java.sip.communicator.SC_HOME_DIR_NAME" = "${homeDirName}"; + "-Djava.util.logging.config.file" = "${pkgs.jigasi}/etc/jitsi/jigasi/logging.properties"; + }; + in + { + description = "Jitsi Gateway to SIP"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + preStart = '' + [ -f "${sipCommunicatorPropertiesFile}" ] && rm -f "${sipCommunicatorPropertiesFile}" + mkdir -p "$(dirname ${sipCommunicatorPropertiesFile})" + temp="${sipCommunicatorPropertiesFile}.unsubstituted" + + export DOMAIN_BASE="${cfg.xmppDomain}" + export JIGASI_XMPP_PASSWORD=$(cat "${cfg.userPasswordFile}") + export JIGASI_DEFAULT_JVB_ROOM_NAME="${cfg.defaultJvbRoomName}" + + # encode the credentials to base64 + export JIGASI_SIPPWD=$(echo -n "$JIGASI_SIPPWD" | base64 -w 0) + export JIGASI_XMPP_PASSWORD_BASE64=$(cat "${cfg.userPasswordFile}" | base64 -w 0) + + cp "${sipCommunicatorPropertiesFileUnsubstituted}" "$temp" + chmod 644 "$temp" + cat <<EOF >>"$temp" + net.java.sip.communicator.impl.protocol.sip.acc1403273890647.SERVER_PORT=$JIGASI_SIPPORT + net.java.sip.communicator.impl.protocol.sip.acc1403273890647.PREFERRED_TRANSPORT=udp + EOF + chmod 444 "$temp" + + # Replace <<$VAR_NAME>> from example config to $VAR_NAME for environment substitution + sed -i -E \ + 's/<<([^>]+)>>/\$\1/g' \ + "$temp" + + sed -i \ + 's|\(net\.java\.sip\.communicator\.impl\.protocol\.jabber\.acc-xmpp-1\.PASSWORD=\).*|\1\$JIGASI_XMPP_PASSWORD_BASE64|g' \ + "$temp" + + sed -i \ + 's|\(#\)\(org.jitsi.jigasi.DEFAULT_JVB_ROOM_NAME=\).*|\2\$JIGASI_DEFAULT_JVB_ROOM_NAME|g' \ + "$temp" + + ${pkgs.envsubst}/bin/envsubst \ + -o "${sipCommunicatorPropertiesFile}" \ + -i "$temp" + + # Set the brewery room name + sed -i \ + 's|\(net\.java\.sip\.communicator\.impl\.protocol\.jabber\.acc-xmpp-1\.BREWERY=\).*|\1${cfg.bridgeMuc}|g' \ + "${sipCommunicatorPropertiesFile}" + sed -i \ + 's|\(org\.jitsi\.jigasi\.ALLOWED_JID=\).*|\1${cfg.bridgeMuc}|g' \ + "${sipCommunicatorPropertiesFile}" + + + # Disable certificate verification for self-signed certificates + sed -i \ + 's|\(# \)\(net.java.sip.communicator.service.gui.ALWAYS_TRUST_MODE_ENABLED=true\)|\2|g' \ + "${sipCommunicatorPropertiesFile}" + ''; + + restartTriggers = [ + config.environment.etc."jitsi/jigasi/sip-communicator.properties".source + ]; + environment.JAVA_SYS_PROPS = concatStringsSep " " (mapAttrsToList (k: v: "${k}=${toString v}") jigasiProps); + + script = '' + ${pkgs.jigasi}/bin/jigasi \ + --host="${cfg.xmppHost}" \ + --domain="${if cfg.xmppDomain == null then cfg.xmppHost else cfg.xmppDomain}" \ + --secret="$(cat ${cfg.componentPasswordFile})" \ + --user_name="${cfg.userName}" \ + --user_domain="${cfg.userDomain}" \ + --user_password="$(cat ${cfg.userPasswordFile})" \ + --configdir="${stateDir}" \ + --configdirname="${homeDirName}" + ''; + + serviceConfig = { + Type = "exec"; + + DynamicUser = true; + User = "jigasi"; + Group = "jitsi-meet"; + + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; + RestrictNamespaces = true; + LockPersonality = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + StateDirectory = baseNameOf stateDir; + EnvironmentFile = cfg.environmentFile; + }; + }; + + environment.etc."jitsi/jigasi/sip-communicator.properties".source = + mkDefault "${sipCommunicatorPropertiesFile}"; + environment.etc."jitsi/jigasi/logging.properties".source = + mkDefault "${stateDir}/logging.properties-journal"; + }; + + meta.maintainers = lib.teams.jitsi.members; +} diff --git a/nixpkgs/nixos/modules/services/networking/nebula.nix b/nixpkgs/nixos/modules/services/networking/nebula.nix index b9ebbfbd9a29..e13876172dac 100644 --- a/nixpkgs/nixos/modules/services/networking/nebula.nix +++ b/nixpkgs/nixos/modules/services/networking/nebula.nix @@ -196,7 +196,7 @@ in before = [ "sshd.service" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { - Type = "simple"; + Type = "notify"; Restart = "always"; ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}"; UMask = "0027"; diff --git a/nixpkgs/nixos/modules/services/networking/syncthing.nix b/nixpkgs/nixos/modules/services/networking/syncthing.nix index 99d4d9eeffcc..e0425792431e 100644 --- a/nixpkgs/nixos/modules/services/networking/syncthing.nix +++ b/nixpkgs/nixos/modules/services/networking/syncthing.nix @@ -559,6 +559,15 @@ in { ''; }; + databaseDir = mkOption { + type = types.path; + description = lib.mdDoc '' + The directory containing the database and logs. + ''; + default = cfg.configDir; + defaultText = literalExpression "config.${opt.configDir}"; + }; + extraFlags = mkOption { type = types.listOf types.str; default = []; @@ -660,7 +669,7 @@ in { -no-browser \ -gui-address=${if isUnixGui then "unix://" else ""}${cfg.guiAddress} \ -config=${cfg.configDir} \ - -data=${cfg.dataDir} \ + -data=${cfg.databaseDir} \ ${escapeShellArgs cfg.extraFlags} ''; MemoryDenyWriteExecute = true; diff --git a/nixpkgs/nixos/modules/services/networking/teamspeak3.nix b/nixpkgs/nixos/modules/services/networking/teamspeak3.nix index f09ef1a959ed..ff41539a6d9b 100644 --- a/nixpkgs/nixos/modules/services/networking/teamspeak3.nix +++ b/nixpkgs/nixos/modules/services/networking/teamspeak3.nix @@ -50,7 +50,7 @@ in }; defaultVoicePort = mkOption { - type = types.int; + type = types.port; default = 9987; description = lib.mdDoc '' Default UDP port for clients to connect to virtual servers - used for first virtual server, subsequent ones will open on incrementing port numbers by default. @@ -67,7 +67,7 @@ in }; fileTransferPort = mkOption { - type = types.int; + type = types.port; default = 30033; description = lib.mdDoc '' TCP port opened for file transfers. @@ -84,10 +84,26 @@ in }; queryPort = mkOption { - type = types.int; + type = types.port; default = 10011; description = lib.mdDoc '' - TCP port opened for ServerQuery connections. + TCP port opened for ServerQuery connections using the raw telnet protocol. + ''; + }; + + querySshPort = mkOption { + type = types.port; + default = 10022; + description = lib.mdDoc '' + TCP port opened for ServerQuery connections using the SSH protocol. + ''; + }; + + queryHttpPort = mkOption { + type = types.port; + default = 10080; + description = lib.mdDoc '' + TCP port opened for ServerQuery connections using the HTTP protocol. ''; }; @@ -128,7 +144,9 @@ in ]; networking.firewall = mkIf cfg.openFirewall { - allowedTCPPorts = [ cfg.fileTransferPort ] ++ optionals (cfg.openFirewallServerQuery) [ cfg.queryPort (cfg.queryPort + 11) ]; + allowedTCPPorts = [ cfg.fileTransferPort ] ++ (map (port: + mkIf cfg.openFirewallServerQuery port + ) [cfg.queryPort cfg.querySshPort cfg.queryHttpPort]); # subsequent vServers will use the incremented voice port, let's just open the next 10 allowedUDPPortRanges = [ { from = cfg.defaultVoicePort; to = cfg.defaultVoicePort + 10; } ]; }; @@ -141,13 +159,19 @@ in serviceConfig = { ExecStart = '' ${ts3}/bin/ts3server \ - dbsqlpath=${ts3}/lib/teamspeak/sql/ logpath=${cfg.logPath} \ - ${optionalString (cfg.voiceIP != null) "voice_ip=${cfg.voiceIP}"} \ + dbsqlpath=${ts3}/lib/teamspeak/sql/ \ + logpath=${cfg.logPath} \ + license_accepted=1 \ default_voice_port=${toString cfg.defaultVoicePort} \ - ${optionalString (cfg.fileTransferIP != null) "filetransfer_ip=${cfg.fileTransferIP}"} \ filetransfer_port=${toString cfg.fileTransferPort} \ + query_port=${toString cfg.queryPort} \ + query_ssh_port=${toString cfg.querySshPort} \ + query_http_port=${toString cfg.queryHttpPort} \ + ${optionalString (cfg.voiceIP != null) "voice_ip=${cfg.voiceIP}"} \ + ${optionalString (cfg.fileTransferIP != null) "filetransfer_ip=${cfg.fileTransferIP}"} \ ${optionalString (cfg.queryIP != null) "query_ip=${cfg.queryIP}"} \ - query_port=${toString cfg.queryPort} license_accepted=1 + ${optionalString (cfg.queryIP != null) "query_ssh_ip=${cfg.queryIP}"} \ + ${optionalString (cfg.queryIP != null) "query_http_ip=${cfg.queryIP}"} \ ''; WorkingDirectory = cfg.dataDir; User = user; diff --git a/nixpkgs/nixos/modules/services/networking/tinyproxy.nix b/nixpkgs/nixos/modules/services/networking/tinyproxy.nix index 42d45c460c2e..8ff12b52f10c 100644 --- a/nixpkgs/nixos/modules/services/networking/tinyproxy.nix +++ b/nixpkgs/nixos/modules/services/networking/tinyproxy.nix @@ -85,7 +85,7 @@ in User = "tinyproxy"; Group = "tinyproxy"; Type = "simple"; - ExecStart = "${getExe pkgs.tinyproxy} -d -c ${configFile}"; + ExecStart = "${getExe cfg.package} -d -c ${configFile}"; ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID"; KillSignal = "SIGINT"; TimeoutStopSec = "30s"; diff --git a/nixpkgs/nixos/modules/services/networking/vdirsyncer.nix b/nixpkgs/nixos/modules/services/networking/vdirsyncer.nix index 6a069943434d..165dc70f0876 100644 --- a/nixpkgs/nixos/modules/services/networking/vdirsyncer.nix +++ b/nixpkgs/nixos/modules/services/networking/vdirsyncer.nix @@ -20,9 +20,11 @@ let else pkgs.writeText "vdirsyncer-${name}.conf" (toIniJson ( { - general = cfg'.config.general // (lib.optionalAttrs (cfg'.config.statusPath == null) { - status_path = "/var/lib/vdirsyncer/${name}"; - }); + general = cfg'.config.general // { + status_path = if cfg'.config.statusPath == null + then "/var/lib/vdirsyncer/${name}" + else cfg'.config.statusPath; + }; } // ( mapAttrs' (name: nameValuePair "pair ${name}") cfg'.config.pairs ) // ( diff --git a/nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix b/nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix index 90d9c68433cf..4586550ed75e 100644 --- a/nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix @@ -107,6 +107,10 @@ let stopIfChanged = false; path = [ package ]; + # if `userControl.enable`, the supplicant automatically changes the permissions + # and owning group of the runtime dir; setting `umask` ensures the generated + # config file isn't readable (except to root); see nixpkgs#267693 + serviceConfig.UMask = "066"; serviceConfig.RuntimeDirectory = "wpa_supplicant"; serviceConfig.RuntimeDirectoryMode = "700"; serviceConfig.EnvironmentFile = mkIf (cfg.environmentFile != null) diff --git a/nixpkgs/nixos/modules/services/search/hound.nix b/nixpkgs/nixos/modules/services/search/hound.nix index 539a322b431f..d238b26a226b 100644 --- a/nixpkgs/nixos/modules/services/search/hound.nix +++ b/nixpkgs/nixos/modules/services/search/hound.nix @@ -3,6 +3,12 @@ with lib; let cfg = config.services.hound; in { + imports = [ + (lib.mkRemovedOptionModule [ "services" "hound" "extraGroups" ] "Use users.users.hound.extraGroups instead") + ]; + + meta.maintainers = with maintainers; [ SuperSandro2000 ]; + options = { services.hound = { enable = mkOption { @@ -13,6 +19,8 @@ in { ''; }; + package = mkPackageOptionMD pkgs "hound" { }; + user = mkOption { default = "hound"; type = types.str; @@ -29,27 +37,15 @@ in { ''; }; - extraGroups = mkOption { - type = types.listOf types.str; - default = [ ]; - example = [ "dialout" ]; - description = lib.mdDoc '' - List of extra groups that the "hound" user should be a part of. - ''; - }; - home = mkOption { default = "/var/lib/hound"; type = types.path; description = lib.mdDoc '' - The path to use as hound's $HOME. If the default user - "hound" is configured then this is the home of the "hound" - user. + The path to use as hound's $HOME. + If the default user "hound" is configured then this is the home of the "hound" user. ''; }; - package = mkPackageOption pkgs "hound" { }; - config = mkOption { type = types.str; description = lib.mdDoc '' @@ -57,63 +53,62 @@ in { should be an absolute path to a writable location on disk. ''; example = literalExpression '' - ''' - { - "max-concurrent-indexers" : 2, - "dbpath" : "''${services.hound.home}/data", - "repos" : { - "nixpkgs": { - "url" : "https://www.github.com/NixOS/nixpkgs.git" - } - } + { + "max-concurrent-indexers" : 2, + "repos" : { + "nixpkgs": { + "url" : "https://www.github.com/NixOS/nixpkgs.git" + } } - ''' + } ''; }; listen = mkOption { type = types.str; default = "0.0.0.0:6080"; - example = "127.0.0.1:6080 or just :6080"; + example = ":6080"; description = lib.mdDoc '' - Listen on this IP:port / :port + Listen on this [IP]:port ''; }; }; }; config = mkIf cfg.enable { - users.groups = optionalAttrs (cfg.group == "hound") { - hound.gid = config.ids.gids.hound; + users.groups = lib.mkIf (cfg.group == "hound") { + hound = { }; }; - users.users = optionalAttrs (cfg.user == "hound") { + users.users = lib.mkIf (cfg.user == "hound") { hound = { - description = "hound code search"; + description = "Hound code search"; createHome = true; - home = cfg.home; - group = cfg.group; - extraGroups = cfg.extraGroups; - uid = config.ids.uids.hound; + isSystemUser = true; + inherit (cfg) home group; }; }; - systemd.services.hound = { + systemd.services.hound = let + configFile = pkgs.writeTextFile { + name = "hound.json"; + text = cfg.config; + checkPhase = '' + # check if the supplied text is valid json + ${lib.getExe pkgs.jq} . $target > /dev/null + ''; + }; + in { description = "Hound Code Search"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - serviceConfig = { User = cfg.user; Group = cfg.group; WorkingDirectory = cfg.home; ExecStartPre = "${pkgs.git}/bin/git config --global --replace-all http.sslCAinfo /etc/ssl/certs/ca-certificates.crt"; - ExecStart = "${cfg.package}/bin/houndd" + - " -addr ${cfg.listen}" + - " -conf ${pkgs.writeText "hound.json" cfg.config}"; - + ExecStart = "${cfg.package}/bin/houndd -addr ${cfg.listen} -conf ${configFile}"; }; }; }; - } diff --git a/nixpkgs/nixos/modules/services/security/clamav.nix b/nixpkgs/nixos/modules/services/security/clamav.nix index 72a195d3a04e..d3164373ec01 100644 --- a/nixpkgs/nixos/modules/services/security/clamav.nix +++ b/nixpkgs/nixos/modules/services/security/clamav.nix @@ -3,7 +3,6 @@ with lib; let clamavUser = "clamav"; stateDir = "/var/lib/clamav"; - runDir = "/run/clamav"; clamavGroup = clamavUser; cfg = config.services.clamav; pkg = pkgs.clamav; @@ -99,6 +98,29 @@ in ''; }; }; + + scanner = { + enable = mkEnableOption (lib.mdDoc "ClamAV scanner"); + + interval = mkOption { + type = types.str; + default = "*-*-* 04:00:00"; + description = lib.mdDoc '' + How often clamdscan is invoked. See systemd.time(7) for more + information about the format. + By default this runs using 10 cores at most, be sure to run it at a time of low traffic. + ''; + }; + + scanDirectories = mkOption { + type = with types; listOf str; + default = [ "/home" "/var/lib" "/tmp" "/etc" "/var/tmp" ]; + description = lib.mdDoc '' + List of directories to scan. + The default includes everything I could think of that is valid for nixos. Feel free to contribute a PR to add to the default if you see something missing. + ''; + }; + }; }; }; @@ -117,9 +139,8 @@ in services.clamav.daemon.settings = { DatabaseDirectory = stateDir; - LocalSocket = "${runDir}/clamd.ctl"; - PidFile = "${runDir}/clamd.pid"; - TemporaryDirectory = "/tmp"; + LocalSocket = "/run/clamav/clamd.ctl"; + PidFile = "/run/clamav/clamd.pid"; User = "clamav"; Foreground = true; }; @@ -182,7 +203,6 @@ in ExecStart = "${pkg}/bin/freshclam"; SuccessExitStatus = "1"; # if databases are up to date StateDirectory = "clamav"; - RuntimeDirectory = "clamav"; User = clamavUser; Group = clamavGroup; PrivateTmp = "yes"; @@ -204,7 +224,6 @@ in serviceConfig = { Type = "oneshot"; StateDirectory = "clamav"; - RuntimeDirectory = "clamav"; User = clamavUser; Group = clamavGroup; PrivateTmp = "yes"; @@ -230,12 +249,31 @@ in Type = "oneshot"; ExecStart = "${pkgs.fangfrisch}/bin/fangfrisch --conf ${fangfrischConfigFile} refresh"; StateDirectory = "clamav"; - RuntimeDirectory = "clamav"; User = clamavUser; Group = clamavGroup; PrivateTmp = "yes"; PrivateDevices = "yes"; }; }; + + systemd.timers.clamdscan = mkIf cfg.scanner.enable { + description = "Timer for ClamAV virus scanner"; + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = cfg.scanner.interval; + Unit = "clamdscan.service"; + }; + }; + + systemd.services.clamdscan = mkIf cfg.scanner.enable { + description = "ClamAV virus scanner"; + after = optionals cfg.updater.enable [ "clamav-freshclam.service" ]; + wants = optionals cfg.updater.enable [ "clamav-freshclam.service" ]; + + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkg}/bin/clamdscan --multiscan --fdpass --infected --allmatch ${lib.concatStringsSep " " cfg.scanner.scanDirectories}"; + }; + }; }; } diff --git a/nixpkgs/nixos/modules/services/torrent/transmission.nix b/nixpkgs/nixos/modules/services/torrent/transmission.nix index 0cd24fb03a7b..7fb7847ce935 100644 --- a/nixpkgs/nixos/modules/services/torrent/transmission.nix +++ b/nixpkgs/nixos/modules/services/torrent/transmission.nix @@ -333,10 +333,10 @@ in cfg.settings.watch-dir; StateDirectory = [ "transmission" - "transmission/.config/transmission-daemon" - "transmission/.incomplete" - "transmission/Downloads" - "transmission/watch-dir" + "transmission/${settingsDir}" + "transmission/${incompleteDir}" + "transmission/${downloadsDir}" + "transmission/${watchDir}" ]; StateDirectoryMode = mkDefault 750; # The following options are only for optimizing: @@ -434,7 +434,7 @@ in # at least up to the values hardcoded here: (mkIf cfg.settings.utp-enabled { "net.core.rmem_max" = mkDefault 4194304; # 4MB - "net.core.wmem_max" = mkDefault "1048576"; # 1MB + "net.core.wmem_max" = mkDefault 1048576; # 1MB }) (mkIf cfg.performanceNetParameters { # Increase the number of available source (local) TCP and UDP ports to 49151. diff --git a/nixpkgs/nixos/modules/services/web-apps/jitsi-meet.nix b/nixpkgs/nixos/modules/services/web-apps/jitsi-meet.nix index 0c0eb66e65b7..c4505534d635 100644 --- a/nixpkgs/nixos/modules/services/web-apps/jitsi-meet.nix +++ b/nixpkgs/nixos/modules/services/web-apps/jitsi-meet.nix @@ -35,6 +35,7 @@ let domain = cfg.hostName; muc = "conference.${cfg.hostName}"; focus = "focus.${cfg.hostName}"; + jigasi = "jigasi.${cfg.hostName}"; }; bosh = "//${cfg.hostName}/http-bind"; websocket = "wss://${cfg.hostName}/xmpp-websocket"; @@ -145,6 +146,16 @@ in ''; }; + jigasi.enable = mkOption { + type = bool; + default = false; + description = '' + Whether to enable jigasi instance and configure it to connect to Prosody. + + Additional configuration is possible with <option>services.jigasi</option>. + ''; + }; + nginx.enable = mkOption { type = bool; default = true; @@ -224,7 +235,7 @@ in roomDefaultPublicJids = true; extraConfig = '' storage = "memory" - admins = { "focus@auth.${cfg.hostName}", "jvb@auth.${cfg.hostName}" } + admins = { "focus@auth.${cfg.hostName}", "jvb@auth.${cfg.hostName}", "jigasi@auth.${cfg.hostName}" } ''; #-- muc_room_cache_size = 1000 } @@ -263,6 +274,9 @@ in Component "focus.${cfg.hostName}" "client_proxy" target_address = "focus@auth.${cfg.hostName}" + Component "jigasi.${cfg.hostName}" "client_proxy" + target_address = "jigasi@auth.${cfg.hostName}" + Component "speakerstats.${cfg.hostName}" "speakerstats_component" muc_component = "conference.${cfg.hostName}" @@ -356,7 +370,10 @@ in ${config.services.prosody.package}/bin/prosodyctl mod_roster_command subscribe focus.${cfg.hostName} focus@auth.${cfg.hostName} ${config.services.prosody.package}/bin/prosodyctl register jibri auth.${cfg.hostName} "$(cat /var/lib/jitsi-meet/jibri-auth-secret)" ${config.services.prosody.package}/bin/prosodyctl register recorder recorder.${cfg.hostName} "$(cat /var/lib/jitsi-meet/jibri-recorder-secret)" + '' + optionalString cfg.jigasi.enable '' + ${config.services.prosody.package}/bin/prosodyctl register jigasi auth.${cfg.hostName} "$(cat /var/lib/jitsi-meet/jigasi-user-secret)" ''; + serviceConfig = { EnvironmentFile = [ "/var/lib/jitsi-meet/secrets-env" ]; SupplementaryGroups = [ "jitsi-meet" ]; @@ -371,13 +388,13 @@ in systemd.services.jitsi-meet-init-secrets = { wantedBy = [ "multi-user.target" ]; - before = [ "jicofo.service" "jitsi-videobridge2.service" ] ++ (optional cfg.prosody.enable "prosody.service"); + before = [ "jicofo.service" "jitsi-videobridge2.service" ] ++ (optional cfg.prosody.enable "prosody.service") ++ (optional cfg.jigasi.enable "jigasi.service"); serviceConfig = { Type = "oneshot"; }; script = let - secrets = [ "jicofo-component-secret" "jicofo-user-secret" "jibri-auth-secret" "jibri-recorder-secret" ] ++ (optional (cfg.videobridge.passwordFile == null) "videobridge-secret"); + secrets = [ "jicofo-component-secret" "jicofo-user-secret" "jibri-auth-secret" "jibri-recorder-secret" ] ++ (optionals cfg.jigasi.enable [ "jigasi-user-secret" "jigasi-component-secret" ]) ++ (optional (cfg.videobridge.passwordFile == null) "videobridge-secret"); in '' cd /var/lib/jitsi-meet @@ -391,6 +408,7 @@ in # for easy access in prosody echo "JICOFO_COMPONENT_SECRET=$(cat jicofo-component-secret)" > secrets-env + echo "JIGASI_COMPONENT_SECRET=$(cat jigasi-component-secret)" >> secrets-env chown root:jitsi-meet secrets-env chmod 640 secrets-env '' @@ -592,6 +610,20 @@ in stripFromRoomDomain = "conference."; }; }; + + services.jigasi = mkIf cfg.jigasi.enable { + enable = true; + xmppHost = "localhost"; + xmppDomain = cfg.hostName; + userDomain = "auth.${cfg.hostName}"; + userName = "jigasi"; + userPasswordFile = "/var/lib/jitsi-meet/jigasi-user-secret"; + componentPasswordFile = "/var/lib/jitsi-meet/jigasi-component-secret"; + bridgeMuc = "jigasibrewery@internal.${cfg.hostName}"; + config = { + "org.jitsi.jigasi.ALWAYS_TRUST_MODE_ENABLED" = "true"; + }; + }; }; meta.doc = ./jitsi-meet.md; diff --git a/nixpkgs/nixos/modules/services/web-apps/keycloak.nix b/nixpkgs/nixos/modules/services/web-apps/keycloak.nix index 5d44bdee64a7..6d2948913b19 100644 --- a/nixpkgs/nixos/modules/services/web-apps/keycloak.nix +++ b/nixpkgs/nixos/modules/services/web-apps/keycloak.nix @@ -25,7 +25,6 @@ let maintainers catAttrs collect - splitString hasPrefix ; @@ -329,7 +328,8 @@ in }; hostname = mkOption { - type = str; + type = nullOr str; + default = null; example = "keycloak.example.com"; description = lib.mdDoc '' The hostname part of the public URL used as base for @@ -451,7 +451,7 @@ in keycloakConfig = lib.generators.toKeyValue { mkKeyValue = lib.flip lib.generators.mkKeyValueDefault "=" { - mkValueString = v: with builtins; + mkValueString = v: if isInt v then toString v else if isString v then v else if true == v then "true" @@ -480,6 +480,14 @@ in assertion = createLocalPostgreSQL -> config.services.postgresql.settings.standard_conforming_strings or true; message = "Setting up a local PostgreSQL db for Keycloak requires `standard_conforming_strings` turned on to work reliably"; } + { + assertion = cfg.settings.hostname != null || cfg.settings.hostname-url or null != null; + message = "Setting the Keycloak hostname is required, see `services.keycloak.settings.hostname`"; + } + { + assertion = !(cfg.settings.hostname != null && cfg.settings.hostname-url or null != null); + message = "`services.keycloak.settings.hostname` and `services.keycloak.settings.hostname-url` are mutually exclusive"; + } ]; environment.systemPackages = [ keycloakBuild ]; diff --git a/nixpkgs/nixos/modules/services/web-apps/mattermost.nix b/nixpkgs/nixos/modules/services/web-apps/mattermost.nix index f19465eeb59a..503559432374 100644 --- a/nixpkgs/nixos/modules/services/web-apps/mattermost.nix +++ b/nixpkgs/nixos/modules/services/web-apps/mattermost.nix @@ -102,7 +102,7 @@ in services.mattermost = { enable = mkEnableOption (lib.mdDoc "Mattermost chat server"); - package = mkPackageOption pkgs "mattermostl" { }; + package = mkPackageOption pkgs "mattermost" { }; statePath = mkOption { type = types.str; diff --git a/nixpkgs/nixos/modules/services/web-apps/mobilizon.nix b/nixpkgs/nixos/modules/services/web-apps/mobilizon.nix index 0a530bff9232..bdb08f613149 100644 --- a/nixpkgs/nixos/modules/services/web-apps/mobilizon.nix +++ b/nixpkgs/nixos/modules/services/web-apps/mobilizon.nix @@ -384,7 +384,7 @@ in ensureDBOwnership = false; } ]; - extraPlugins = with postgresql.pkgs; [ postgis ]; + extraPlugins = ps: with ps; [ postgis ]; }; # Nginx config taken from support/nginx/mobilizon-release.conf diff --git a/nixpkgs/nixos/modules/services/web-apps/nextcloud.md b/nixpkgs/nixos/modules/services/web-apps/nextcloud.md index ecc7f380592a..b10fd566abb3 100644 --- a/nixpkgs/nixos/modules/services/web-apps/nextcloud.md +++ b/nixpkgs/nixos/modules/services/web-apps/nextcloud.md @@ -5,7 +5,7 @@ self-hostable cloud platform. The server setup can be automated using [services.nextcloud](#opt-services.nextcloud.enable). A desktop client is packaged at `pkgs.nextcloud-client`. -The current default by NixOS is `nextcloud27` which is also the latest +The current default by NixOS is `nextcloud28` which is also the latest major version available. ## Basic usage {#module-services-nextcloud-basic-usage} diff --git a/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix b/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix index 6c50ea3c81ef..2a3db4cd13f9 100644 --- a/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix @@ -28,6 +28,7 @@ let phpPackage = cfg.phpPackage.buildEnv { extensions = { enabled, all }: (with all; enabled + ++ [ bz2 intl sodium ] # recommended ++ optional cfg.enableImagemagick imagick # Optionally enabled depending on caching settings ++ optional cfg.caching.apcu apcu @@ -61,7 +62,9 @@ let pgsqlLocal = cfg.database.createLocally && cfg.config.dbtype == "pgsql"; # https://github.com/nextcloud/documentation/pull/11179 - ocmProviderIsNotAStaticDirAnymore = versionAtLeast cfg.package.version "27.1.2"; + ocmProviderIsNotAStaticDirAnymore = versionAtLeast cfg.package.version "27.1.2" + || (versionOlder cfg.package.version "27.0.0" + && versionAtLeast cfg.package.version "26.0.8"); in { @@ -188,7 +191,7 @@ in { package = mkOption { type = types.package; description = lib.mdDoc "Which package to use for the Nextcloud instance."; - relatedPackages = [ "nextcloud26" "nextcloud27" ]; + relatedPackages = [ "nextcloud26" "nextcloud27" "nextcloud28" ]; }; phpPackage = mkPackageOption pkgs "php" { example = "php82"; @@ -238,7 +241,7 @@ in { }; phpOptions = mkOption { - type = types.attrsOf types.str; + type = with types; attrsOf (oneOf [ str int ]); defaultText = literalExpression (generators.toPretty { } defaultPHPSettings); description = lib.mdDoc '' Options for PHP's php.ini file for nextcloud. @@ -677,7 +680,7 @@ in { config = mkIf cfg.enable (mkMerge [ { warnings = let - latest = 27; + latest = 28; upgradeWarning = major: nixos: '' A legacy Nextcloud install (from before NixOS ${nixos}) may be installed. @@ -698,7 +701,8 @@ in { '') ++ (optional (versionOlder cfg.package.version "25") (upgradeWarning 24 "22.11")) ++ (optional (versionOlder cfg.package.version "26") (upgradeWarning 25 "23.05")) - ++ (optional (versionOlder cfg.package.version "27") (upgradeWarning 26 "23.11")); + ++ (optional (versionOlder cfg.package.version "27") (upgradeWarning 26 "23.11")) + ++ (optional (versionOlder cfg.package.version "28") (upgradeWarning 27 "24.05")); services.nextcloud.package = with pkgs; mkDefault ( @@ -708,15 +712,13 @@ in { nextcloud defined in an overlay, please set `services.nextcloud.package` to `pkgs.nextcloud`. '' - else if versionOlder stateVersion "22.11" then nextcloud24 else if versionOlder stateVersion "23.05" then nextcloud25 else if versionOlder stateVersion "23.11" then nextcloud26 - else nextcloud27 + else if versionOlder stateVersion "24.05" then nextcloud27 + else nextcloud28 ); - services.nextcloud.phpPackage = - if versionOlder cfg.package.version "26" then pkgs.php81 - else pkgs.php82; + services.nextcloud.phpPackage = pkgs.php82; services.nextcloud.phpOptions = mkMerge [ (mapAttrs (const mkOptionDefault) defaultPHPSettings) diff --git a/nixpkgs/nixos/modules/services/web-apps/node-red.nix b/nixpkgs/nixos/modules/services/web-apps/node-red.nix index de78f05a98ca..7f265d289bdb 100644 --- a/nixpkgs/nixos/modules/services/web-apps/node-red.nix +++ b/nixpkgs/nixos/modules/services/web-apps/node-red.nix @@ -19,7 +19,7 @@ in options.services.node-red = { enable = mkEnableOption (lib.mdDoc "the Node-RED service"); - package = mkPackageOption pkgs "nodePackages.node-red" { }; + package = mkPackageOption pkgs.nodePackages "node-red" { }; openFirewall = mkOption { type = types.bool; diff --git a/nixpkgs/nixos/modules/services/web-apps/windmill.nix b/nixpkgs/nixos/modules/services/web-apps/windmill.nix new file mode 100644 index 000000000000..8e940dabdc1f --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-apps/windmill.nix @@ -0,0 +1,177 @@ +{ config, pkgs, lib, ... }: + +let + cfg = config.services.windmill; +in +{ + options.services.windmill = { + enable = lib.mkEnableOption (lib.mdDoc "windmill service"); + + serverPort = lib.mkOption { + type = lib.types.port; + default = 8001; + description = lib.mdDoc "Port the windmill server listens on."; + }; + + lspPort = lib.mkOption { + type = lib.types.port; + default = 3001; + description = lib.mdDoc "Port the windmill lsp listens on."; + }; + + database = { + name = lib.mkOption { + type = lib.types.str; + # the simplest database setup is to have the database named like the user. + default = "windmill"; + description = lib.mdDoc "Database name."; + }; + + user = lib.mkOption { + type = lib.types.str; + # the simplest database setup is to have the database user like the name. + default = "windmill"; + description = lib.mdDoc "Database user."; + }; + + urlPath = lib.mkOption { + type = lib.types.path; + description = lib.mdDoc '' + Path to the file containing the database url windmill should connect to. This is not deducted from database user and name as it might contain a secret + ''; + example = "config.age.secrets.DATABASE_URL_FILE.path"; + }; + createLocally = lib.mkOption { + type = lib.types.bool; + default = true; + description = lib.mdDoc "Whether to create a local database automatically."; + }; + }; + + baseUrl = lib.mkOption { + type = lib.types.str; + description = lib.mdDoc '' + The base url that windmill will be served on. + ''; + example = "https://windmill.example.com"; + }; + + logLevel = lib.mkOption { + type = lib.types.enum [ "error" "warn" "info" "debug" "trace" ]; + default = "info"; + description = lib.mdDoc "Log level"; + }; + }; + + config = lib.mkIf cfg.enable { + + services.postgresql = lib.optionalAttrs (cfg.database.createLocally) { + enable = lib.mkDefault true; + + ensureDatabases = [ cfg.database.name ]; + ensureUsers = [ + { name = cfg.database.user; + ensureDBOwnership = true; + } + ]; + + }; + + systemd.services = + let + serviceConfig = { + DynamicUser = true; + # using the same user to simplify db connection + User = cfg.database.user; + ExecStart = "${pkgs.windmill}/bin/windmill"; + + Restart = "always"; + LoadCredential = [ + "DATABASE_URL_FILE:${cfg.database.urlPath}" + ]; + }; + in + { + + # coming from https://github.com/windmill-labs/windmill/blob/main/init-db-as-superuser.sql + # modified to not grant priviledges on all tables + # create role windmill_user and windmill_admin only if they don't exist + postgresql.postStart = lib.mkIf cfg.database.createLocally (lib.mkAfter '' + $PSQL -tA <<"EOF" +DO $$ +BEGIN + IF NOT EXISTS ( + SELECT FROM pg_catalog.pg_roles + WHERE rolname = 'windmill_user' + ) THEN + CREATE ROLE windmill_user; + GRANT ALL PRIVILEGES ON DATABASE ${cfg.database.name} TO windmill_user; + ELSE + RAISE NOTICE 'Role "windmill_user" already exists. Skipping.'; + END IF; + IF NOT EXISTS ( + SELECT FROM pg_catalog.pg_roles + WHERE rolname = 'windmill_admin' + ) THEN + CREATE ROLE windmill_admin WITH BYPASSRLS; + GRANT windmill_user TO windmill_admin; + ELSE + RAISE NOTICE 'Role "windmill_admin" already exists. Skipping.'; + END IF; + GRANT windmill_admin TO windmill; +END +$$; +EOF + ''); + + windmill-server = { + description = "Windmill server"; + after = [ "network.target" ] ++ lib.optional cfg.database.createLocally "postgresql.service"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = serviceConfig // { StateDirectory = "windmill";}; + + environment = { + DATABASE_URL_FILE = "%d/DATABASE_URL_FILE"; + PORT = builtins.toString cfg.serverPort; + WM_BASE_URL = cfg.baseUrl; + RUST_LOG = cfg.logLevel; + MODE = "server"; + }; + }; + + windmill-worker = { + description = "Windmill worker"; + after = [ "network.target" ] ++ lib.optional cfg.database.createLocally "postgresql.service"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = serviceConfig // { StateDirectory = "windmill-worker";}; + + environment = { + DATABASE_URL_FILE = "%d/DATABASE_URL_FILE"; + WM_BASE_URL = cfg.baseUrl; + RUST_LOG = cfg.logLevel; + MODE = "worker"; + WORKER_GROUP = "default"; + KEEP_JOB_DIR = "false"; + }; + }; + + windmill-worker-native = { + description = "Windmill worker native"; + after = [ "network.target" ] ++ lib.optional cfg.database.createLocally "postgresql.service"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = serviceConfig // { StateDirectory = "windmill-worker-native";}; + + environment = { + DATABASE_URL_FILE = "%d/DATABASE_URL_FILE"; + WM_BASE_URL = cfg.baseUrl; + RUST_LOG = cfg.logLevel; + MODE = "worker"; + WORKER_GROUP = "native"; + }; + }; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-apps/wordpress.nix b/nixpkgs/nixos/modules/services/web-apps/wordpress.nix index 03d5634854a3..002d6683b2ed 100644 --- a/nixpkgs/nixos/modules/services/web-apps/wordpress.nix +++ b/nixpkgs/nixos/modules/services/web-apps/wordpress.nix @@ -34,7 +34,7 @@ let # copy additional plugin(s), theme(s) and language(s) ${concatStringsSep "\n" (mapAttrsToList (name: theme: "cp -r ${theme} $out/share/wordpress/wp-content/themes/${name}") cfg.themes)} ${concatStringsSep "\n" (mapAttrsToList (name: plugin: "cp -r ${plugin} $out/share/wordpress/wp-content/plugins/${name}") cfg.plugins)} - ${concatMapStringsSep "\n" (language: "cp -r ${language}/* $out/share/wordpress/wp-content/languages/") cfg.languages} + ${concatMapStringsSep "\n" (language: "cp -r ${language} $out/share/wordpress/wp-content/languages/") cfg.languages} ''; }; diff --git a/nixpkgs/nixos/modules/services/web-servers/caddy/default.nix b/nixpkgs/nixos/modules/services/web-servers/caddy/default.nix index 497aa9ba956e..95dc219d108c 100644 --- a/nixpkgs/nixos/modules/services/web-servers/caddy/default.nix +++ b/nixpkgs/nixos/modules/services/web-servers/caddy/default.nix @@ -147,7 +147,7 @@ in default = configFile; defaultText = "A Caddyfile automatically generated by values from services.caddy.*"; example = literalExpression '' - pkgs.writeTextDir "Caddyfile" ''' + pkgs.writeText "Caddyfile" ''' example.com root * /var/www/wordpress @@ -164,9 +164,9 @@ in }; adapter = mkOption { - default = if (builtins.baseNameOf cfg.configFile) == "Caddyfile" then "caddyfile" else null; + default = if ((cfg.configFile != configFile) || (builtins.baseNameOf cfg.configFile) == "Caddyfile") then "caddyfile" else null; defaultText = literalExpression '' - if (builtins.baseNameOf cfg.configFile) == "Caddyfile" then "caddyfile" else null + if ((cfg.configFile != configFile) || (builtins.baseNameOf cfg.configFile) == "Caddyfile") then "caddyfile" else null ''; example = literalExpression "nginx"; type = with types; nullOr str; @@ -342,8 +342,9 @@ in } ''; - # https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size + # https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes boot.kernel.sysctl."net.core.rmem_max" = mkDefault 2500000; + boot.kernel.sysctl."net.core.wmem_max" = mkDefault 2500000; systemd.packages = [ cfg.package ]; systemd.services.caddy = { diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix index cf70dc325945..6ea24e65f220 100644 --- a/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix @@ -377,7 +377,7 @@ let server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases}; ${acmeLocation} location / { - return 301 https://$host$request_uri; + return ${toString vhost.redirectCode} https://$host$request_uri; } } ''} @@ -396,7 +396,7 @@ let ${optionalString (vhost.root != null) "root ${vhost.root};"} ${optionalString (vhost.globalRedirect != null) '' location / { - return 301 http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri; + return ${toString vhost.redirectCode} http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri; } ''} ${optionalString hasSSL '' @@ -449,7 +449,7 @@ let ${optionalString (config.tryFiles != null) "try_files ${config.tryFiles};"} ${optionalString (config.root != null) "root ${config.root};"} ${optionalString (config.alias != null) "alias ${config.alias};"} - ${optionalString (config.return != null) "return ${config.return};"} + ${optionalString (config.return != null) "return ${toString config.return};"} ${config.extraConfig} ${optionalString (config.proxyPass != null && config.recommendedProxySettings) "include ${recommendedProxyConfig};"} ${mkBasicAuth "sublocation" config} diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/location-options.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/location-options.nix index 2728852058ea..2138e551fd43 100644 --- a/nixpkgs/nixos/modules/services/web-servers/nginx/location-options.nix +++ b/nixpkgs/nixos/modules/services/web-servers/nginx/location-options.nix @@ -93,7 +93,7 @@ with lib; }; return = mkOption { - type = types.nullOr types.str; + type = with types; nullOr (oneOf [ str int ]); default = null; example = "301 http://example.com$request_uri"; description = lib.mdDoc '' diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/tailscale-auth.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/tailscale-auth.nix new file mode 100644 index 000000000000..a2e4d4a30be5 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/nginx/tailscale-auth.nix @@ -0,0 +1,158 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.nginx.tailscaleAuth; +in +{ + options.services.nginx.tailscaleAuth = { + enable = mkEnableOption (lib.mdDoc "Enable tailscale.nginx-auth, to authenticate nginx users via tailscale."); + + package = lib.mkPackageOptionMD pkgs "tailscale-nginx-auth" {}; + + user = mkOption { + type = types.str; + default = "tailscale-nginx-auth"; + description = lib.mdDoc "User which runs tailscale-nginx-auth"; + }; + + group = mkOption { + type = types.str; + default = "tailscale-nginx-auth"; + description = lib.mdDoc "Group which runs tailscale-nginx-auth"; + }; + + expectedTailnet = mkOption { + default = ""; + type = types.nullOr types.str; + example = "tailnet012345.ts.net"; + description = lib.mdDoc '' + If you want to prevent node sharing from allowing users to access services + across tailnets, declare your expected tailnets domain here. + ''; + }; + + socketPath = mkOption { + default = "/run/tailscale-nginx-auth/tailscale-nginx-auth.sock"; + type = types.path; + description = lib.mdDoc '' + Path of the socket listening to nginx authorization requests. + ''; + }; + + virtualHosts = mkOption { + type = types.listOf types.str; + default = []; + description = lib.mdDoc '' + A list of nginx virtual hosts to put behind tailscale.nginx-auth + ''; + }; + }; + + config = mkIf cfg.enable { + services.tailscale.enable = true; + services.nginx.enable = true; + + users.users.${cfg.user} = { + isSystemUser = true; + inherit (cfg) group; + }; + users.groups.${cfg.group} = { }; + users.users.${config.services.nginx.user}.extraGroups = [ cfg.group ]; + systemd.sockets.tailscale-nginx-auth = { + description = "Tailscale NGINX Authentication socket"; + partOf = [ "tailscale-nginx-auth.service" ]; + wantedBy = [ "sockets.target" ]; + listenStreams = [ cfg.socketPath ]; + socketConfig = { + SocketMode = "0660"; + SocketUser = cfg.user; + SocketGroup = cfg.group; + }; + }; + + + systemd.services.tailscale-nginx-auth = { + description = "Tailscale NGINX Authentication service"; + after = [ "nginx.service" ]; + wants = [ "nginx.service" ]; + requires = [ "tailscale-nginx-auth.socket" ]; + + serviceConfig = { + ExecStart = "${lib.getExe cfg.package}"; + RuntimeDirectory = "tailscale-nginx-auth"; + User = cfg.user; + Group = cfg.group; + + BindPaths = [ "/run/tailscale/tailscaled.sock" ]; + + CapabilityBoundingSet = ""; + DeviceAllow = ""; + LockPersonality = true; + MemoryDenyWriteExecute = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RestrictNamespaces = true; + RestrictAddressFamilies = [ "AF_UNIX" ]; + RestrictRealtime = true; + RestrictSUIDSGID = true; + + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + SystemCallFilter = [ + "@system-service" + "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid" + ]; + }; + }; + + services.nginx.virtualHosts = genAttrs + cfg.virtualHosts + (vhost: { + locations."/auth" = { + extraConfig = '' + internal; + + proxy_pass http://unix:${cfg.socketPath}; + proxy_pass_request_body off; + + # Upstream uses $http_host here, but we are using gixy to check nginx configurations + # gixy wants us to use $host: https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md + proxy_set_header Host $host; + proxy_set_header Remote-Addr $remote_addr; + proxy_set_header Remote-Port $remote_port; + proxy_set_header Original-URI $request_uri; + proxy_set_header X-Scheme $scheme; + proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri; + ''; + }; + locations."/".extraConfig = '' + auth_request /auth; + auth_request_set $auth_user $upstream_http_tailscale_user; + auth_request_set $auth_name $upstream_http_tailscale_name; + auth_request_set $auth_login $upstream_http_tailscale_login; + auth_request_set $auth_tailnet $upstream_http_tailscale_tailnet; + auth_request_set $auth_profile_picture $upstream_http_tailscale_profile_picture; + + proxy_set_header X-Webauth-User "$auth_user"; + proxy_set_header X-Webauth-Name "$auth_name"; + proxy_set_header X-Webauth-Login "$auth_login"; + proxy_set_header X-Webauth-Tailnet "$auth_tailnet"; + proxy_set_header X-Webauth-Profile-Picture "$auth_profile_picture"; + + ${lib.optionalString (cfg.expectedTailnet != "") ''proxy_set_header Expected-Tailnet "${cfg.expectedTailnet}";''} + ''; + }); + }; + + meta.maintainers = with maintainers; [ phaer ]; + +} diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix index 9db4c8e23025..64a95afab9f4 100644 --- a/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix +++ b/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix @@ -162,10 +162,11 @@ with lib; type = types.bool; default = false; description = lib.mdDoc '' - Whether to add a separate nginx server block that permanently redirects (301) - all plain HTTP traffic to HTTPS. This will set defaults for - `listen` to listen on all interfaces on the respective default - ports (80, 443), where the non-SSL listens are used for the redirect vhosts. + Whether to add a separate nginx server block that redirects (defaults + to 301, configurable with `redirectCode`) all plain HTTP traffic to + HTTPS. This will set defaults for `listen` to listen on all interfaces + on the respective default ports (80, 443), where the non-SSL listens + are used for the redirect vhosts. ''; }; @@ -307,8 +308,20 @@ with lib; default = null; example = "newserver.example.org"; description = lib.mdDoc '' - If set, all requests for this host are redirected permanently to - the given hostname. + If set, all requests for this host are redirected (defaults to 301, + configurable with `redirectCode`) to the given hostname. + ''; + }; + + redirectCode = mkOption { + type = types.ints.between 300 399; + default = 301; + example = 308; + description = lib.mdDoc '' + HTTP status used by `globalRedirect` and `forceSSL`. Possible usecases + include temporary (302, 307) redirects, keeping the request method and + body (307, 308), or explicitly resetting the method to GET (303). + See <https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections>. ''; }; diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix index 9cc7c4381620..027479b1ce09 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -338,6 +338,7 @@ in # Enable helpful DBus services. services.accounts-daemon.enable = true; + programs.dconf.enable = true; # when changing an account picture the accounts-daemon reads a temporary file containing the image which systemsettings5 may place under /tmp systemd.services.accounts-daemon.serviceConfig.PrivateTmp = false; services.power-profiles-daemon.enable = mkDefault true; diff --git a/nixpkgs/nixos/modules/system/boot/networkd.nix b/nixpkgs/nixos/modules/system/boot/networkd.nix index 33261021480f..3e10770812db 100644 --- a/nixpkgs/nixos/modules/system/boot/networkd.nix +++ b/nixpkgs/nixos/modules/system/boot/networkd.nix @@ -1612,7 +1612,7 @@ let description = lib.mdDoc '' Each attribute in this set specifies an option in the `[WireGuardPeer]` section of the unit. See - {manpage}`systemd.network(5)` for details. + {manpage}`systemd.netdev(5)` for details. ''; }; }; diff --git a/nixpkgs/nixos/modules/tasks/network-interfaces.nix b/nixpkgs/nixos/modules/tasks/network-interfaces.nix index 298add13437a..53ffaa028038 100644 --- a/nixpkgs/nixos/modules/tasks/network-interfaces.nix +++ b/nixpkgs/nixos/modules/tasks/network-interfaces.nix @@ -1396,6 +1396,8 @@ in "net.ipv4.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces); "net.ipv6.conf.all.disable_ipv6" = mkDefault (!cfg.enableIPv6); "net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6); + # allow all users to do ICMP echo requests (ping) + "net.ipv4.ping_group_range" = mkDefault "0 2147483647"; # networkmanager falls back to "/proc/sys/net/ipv6/conf/default/use_tempaddr" "net.ipv6.conf.default.use_tempaddr" = tempaddrValues.${cfg.tempAddresses}.sysctl; } // listToAttrs (forEach interfaces diff --git a/nixpkgs/nixos/modules/virtualisation/incus.nix b/nixpkgs/nixos/modules/virtualisation/incus.nix index 47a5e462262d..3e48f8873ed4 100644 --- a/nixpkgs/nixos/modules/virtualisation/incus.nix +++ b/nixpkgs/nixos/modules/virtualisation/incus.nix @@ -5,7 +5,9 @@ let preseedFormat = pkgs.formats.yaml { }; in { - meta.maintainers = [ lib.maintainers.adamcstephens ]; + meta = { + maintainers = lib.teams.lxc.members; + }; options = { virtualisation.incus = { diff --git a/nixpkgs/nixos/modules/virtualisation/lxc-container.nix b/nixpkgs/nixos/modules/virtualisation/lxc-container.nix index 4db4df02fe8c..8d3a480e6dc8 100644 --- a/nixpkgs/nixos/modules/virtualisation/lxc-container.nix +++ b/nixpkgs/nixos/modules/virtualisation/lxc-container.nix @@ -1,7 +1,9 @@ { lib, config, pkgs, ... }: { - meta.maintainers = with lib.maintainers; [ adamcstephens ]; + meta = { + maintainers = lib.teams.lxc.members; + }; imports = [ ./lxc-instance-common.nix diff --git a/nixpkgs/nixos/modules/virtualisation/lxc.nix b/nixpkgs/nixos/modules/virtualisation/lxc.nix index 5bd64a5f9a56..3febb4b4f248 100644 --- a/nixpkgs/nixos/modules/virtualisation/lxc.nix +++ b/nixpkgs/nixos/modules/virtualisation/lxc.nix @@ -2,21 +2,19 @@ { config, lib, pkgs, ... }: -with lib; - let - cfg = config.virtualisation.lxc; - in { - ###### interface + meta = { + maintainers = lib.teams.lxc.members; + }; options.virtualisation.lxc = { enable = - mkOption { - type = types.bool; + lib.mkOption { + type = lib.types.bool; default = false; description = lib.mdDoc '' @@ -27,8 +25,8 @@ in }; systemConfig = - mkOption { - type = types.lines; + lib.mkOption { + type = lib.types.lines; default = ""; description = lib.mdDoc '' @@ -38,8 +36,8 @@ in }; defaultConfig = - mkOption { - type = types.lines; + lib.mkOption { + type = lib.types.lines; default = ""; description = lib.mdDoc '' @@ -49,8 +47,8 @@ in }; usernetConfig = - mkOption { - type = types.lines; + lib.mkOption { + type = lib.types.lines; default = ""; description = lib.mdDoc '' @@ -62,7 +60,7 @@ in ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.lxc ]; environment.etc."lxc/lxc.conf".text = cfg.systemConfig; environment.etc."lxc/lxc-usernet".text = cfg.usernetConfig; diff --git a/nixpkgs/nixos/modules/virtualisation/lxcfs.nix b/nixpkgs/nixos/modules/virtualisation/lxcfs.nix index fb0ba49f7304..b2eaec774a65 100644 --- a/nixpkgs/nixos/modules/virtualisation/lxcfs.nix +++ b/nixpkgs/nixos/modules/virtualisation/lxcfs.nix @@ -2,18 +2,18 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.virtualisation.lxc.lxcfs; in { - meta.maintainers = [ maintainers.mic92 ]; + meta = { + maintainers = lib.teams.lxc.members; + }; ###### interface options.virtualisation.lxc.lxcfs = { enable = - mkOption { - type = types.bool; + lib.mkOption { + type = lib.types.bool; default = false; description = lib.mdDoc '' This enables LXCFS, a FUSE filesystem for LXC. @@ -27,7 +27,7 @@ in { }; ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { systemd.services.lxcfs = { description = "FUSE filesystem for LXC"; wantedBy = [ "multi-user.target" ]; diff --git a/nixpkgs/nixos/modules/virtualisation/lxd-agent.nix b/nixpkgs/nixos/modules/virtualisation/lxd-agent.nix index 5bcc86e3bcbe..59dd46b74b40 100644 --- a/nixpkgs/nixos/modules/virtualisation/lxd-agent.nix +++ b/nixpkgs/nixos/modules/virtualisation/lxd-agent.nix @@ -45,7 +45,9 @@ let chown -R root:root "$PREFIX" ''; in { - meta.maintainers = with lib.maintainers; [ adamcstephens ]; + meta = { + maintainers = lib.teams.lxc.members; + }; options = { virtualisation.lxd.agent.enable = lib.mkEnableOption (lib.mdDoc "Enable LXD agent"); diff --git a/nixpkgs/nixos/modules/virtualisation/lxd-virtual-machine.nix b/nixpkgs/nixos/modules/virtualisation/lxd-virtual-machine.nix index ba729465ec2f..92434cb9babf 100644 --- a/nixpkgs/nixos/modules/virtualisation/lxd-virtual-machine.nix +++ b/nixpkgs/nixos/modules/virtualisation/lxd-virtual-machine.nix @@ -6,6 +6,10 @@ let then "ttyS0" else "ttyAMA0"; # aarch64 in { + meta = { + maintainers = lib.teams.lxc.members; + }; + imports = [ ./lxc-instance-common.nix diff --git a/nixpkgs/nixos/modules/virtualisation/lxd.nix b/nixpkgs/nixos/modules/virtualisation/lxd.nix index 6f628c4a6e32..c4c856d9be30 100644 --- a/nixpkgs/nixos/modules/virtualisation/lxd.nix +++ b/nixpkgs/nixos/modules/virtualisation/lxd.nix @@ -6,12 +6,14 @@ let cfg = config.virtualisation.lxd; preseedFormat = pkgs.formats.yaml {}; in { + meta = { + maintainers = lib.teams.lxc.members; + }; + imports = [ (lib.mkRemovedOptionModule [ "virtualisation" "lxd" "zfsPackage" ] "Override zfs in an overlay instead to override it globally") ]; - ###### interface - options = { virtualisation.lxd = { enable = lib.mkOption { diff --git a/nixpkgs/nixos/tests/all-tests.nix b/nixpkgs/nixos/tests/all-tests.nix index e0572e3bed9c..ab07428cf055 100644 --- a/nixpkgs/nixos/tests/all-tests.nix +++ b/nixpkgs/nixos/tests/all-tests.nix @@ -163,7 +163,7 @@ in { btrbk-no-timer = handleTest ./btrbk-no-timer.nix {}; btrbk-section-order = handleTest ./btrbk-section-order.nix {}; budgie = handleTest ./budgie.nix {}; - buildbot = handleTest ./buildbot.nix {}; + buildbot = handleTestOn [ "x86_64-linux" ] ./buildbot.nix {}; buildkite-agents = handleTest ./buildkite-agents.nix {}; c2fmzq = handleTest ./c2fmzq.nix {}; caddy = handleTest ./caddy.nix {}; @@ -583,6 +583,7 @@ in { nginx-njs = handleTest ./nginx-njs.nix {}; nginx-proxyprotocol = handleTest ./nginx-proxyprotocol {}; nginx-pubhtml = handleTest ./nginx-pubhtml.nix {}; + nginx-redirectcode = handleTest ./nginx-redirectcode.nix {}; nginx-sso = handleTest ./nginx-sso.nix {}; nginx-status-page = handleTest ./nginx-status-page.nix {}; nginx-tmpdir = handleTest ./nginx-tmpdir.nix {}; @@ -787,6 +788,7 @@ in { step-ca = handleTestOn ["x86_64-linux"] ./step-ca.nix {}; stratis = handleTest ./stratis {}; strongswan-swanctl = handleTest ./strongswan-swanctl.nix {}; + stub-ld = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./stub-ld.nix {}; stunnel = handleTest ./stunnel.nix {}; sudo = handleTest ./sudo.nix {}; sudo-rs = handleTest ./sudo-rs.nix {}; diff --git a/nixpkgs/nixos/tests/avahi.nix b/nixpkgs/nixos/tests/avahi.nix index c53a95903291..d8f4d13340fb 100644 --- a/nixpkgs/nixos/tests/avahi.nix +++ b/nixpkgs/nixos/tests/avahi.nix @@ -16,7 +16,7 @@ import ./make-test-python.nix { cfg = { ... }: { services.avahi = { enable = true; - nssmdns = true; + nssmdns4 = true; publish.addresses = true; publish.domain = true; publish.enable = true; diff --git a/nixpkgs/nixos/tests/btrbk.nix b/nixpkgs/nixos/tests/btrbk.nix index 5261321dfa2c..403c9595530d 100644 --- a/nixpkgs/nixos/tests/btrbk.nix +++ b/nixpkgs/nixos/tests/btrbk.nix @@ -27,7 +27,6 @@ import ./make-test-python.nix ({ pkgs, ... }: # don't do it with real ssh keys. environment.etc."btrbk_key".text = privateKey; services.btrbk = { - extraPackages = [ pkgs.lz4 ]; instances = { remote = { onCalendar = "minutely"; diff --git a/nixpkgs/nixos/tests/caddy.nix b/nixpkgs/nixos/tests/caddy.nix index 5a0d3539394b..41d8e57de468 100644 --- a/nixpkgs/nixos/tests/caddy.nix +++ b/nixpkgs/nixos/tests/caddy.nix @@ -48,11 +48,19 @@ import ./make-test-python.nix ({ pkgs, ... }: { }; }; }; + specialisation.explicit-config-file.configuration = { + services.caddy.configFile = pkgs.writeText "Caddyfile" '' + localhost:80 + + respond "hello world" + ''; + }; }; }; testScript = { nodes, ... }: let + explicitConfigFile = "${nodes.webserver.system.build.toplevel}/specialisation/explicit-config-file"; justReloadSystem = "${nodes.webserver.system.build.toplevel}/specialisation/config-reload"; multipleConfigs = "${nodes.webserver.system.build.toplevel}/specialisation/multiple-configs"; rfc42Config = "${nodes.webserver.system.build.toplevel}/specialisation/rfc42"; @@ -84,5 +92,12 @@ import ./make-test-python.nix ({ pkgs, ... }: { ) webserver.wait_for_open_port(80) webserver.succeed("curl http://localhost | grep hello") + + with subtest("explicit configFile"): + webserver.succeed( + "${explicitConfigFile}/bin/switch-to-configuration test >&2" + ) + webserver.wait_for_open_port(80) + webserver.succeed("curl http://localhost | grep hello") ''; }) diff --git a/nixpkgs/nixos/tests/ceph-single-node.nix b/nixpkgs/nixos/tests/ceph-single-node.nix index 4a5636fac156..a3a4072365af 100644 --- a/nixpkgs/nixos/tests/ceph-single-node.nix +++ b/nixpkgs/nixos/tests/ceph-single-node.nix @@ -182,16 +182,19 @@ let monA.wait_until_succeeds("ceph -s | grep 'mgr: ${cfg.monA.name}(active,'") monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'") + # This test has been commented out due to the upstream issue with pyo3 + # that has broken this dashboard + # Reference: https://www.spinics.net/lists/ceph-users/msg77812.html # Enable the dashboard and recheck health - monA.succeed( - "ceph mgr module enable dashboard", - "ceph config set mgr mgr/dashboard/ssl false", - # default is 8080 but it's better to be explicit - "ceph config set mgr mgr/dashboard/server_port 8080", - ) - monA.wait_for_open_port(8080) - monA.wait_until_succeeds("curl -q --fail http://localhost:8080") - monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'") + # monA.succeed( + # "ceph mgr module enable dashboard", + # "ceph config set mgr mgr/dashboard/ssl false", + # # default is 8080 but it's better to be explicit + # "ceph config set mgr mgr/dashboard/server_port 8080", + # ) + # monA.wait_for_open_port(8080) + # monA.wait_until_succeeds("curl -q --fail http://localhost:8080") + # monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'") ''; in { name = "basic-single-node-ceph-cluster"; diff --git a/nixpkgs/nixos/tests/containers-imperative.nix b/nixpkgs/nixos/tests/containers-imperative.nix index 18bec1db78e8..fff00e4f73a8 100644 --- a/nixpkgs/nixos/tests/containers-imperative.nix +++ b/nixpkgs/nixos/tests/containers-imperative.nix @@ -13,6 +13,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { nix.settings.sandbox = false; nix.settings.substituters = []; # don't try to access cache.nixos.org + virtualisation.memorySize = 2048; virtualisation.writableStore = true; # Make sure we always have all the required dependencies for creating a # container available within the VM, because we don't have network access. diff --git a/nixpkgs/nixos/tests/guix/basic.nix b/nixpkgs/nixos/tests/guix/basic.nix index 7f90bdeeb1e0..9b943b8965e6 100644 --- a/nixpkgs/nixos/tests/guix/basic.nix +++ b/nixpkgs/nixos/tests/guix/basic.nix @@ -11,7 +11,10 @@ import ../make-test-python.nix ({ lib, pkgs, ... }: { nodes.machine = { config, ... }: { environment.etc."guix/scripts".source = ./scripts; - services.guix.enable = true; + services.guix = { + enable = true; + gc.enable = true; + }; }; testScript = '' @@ -19,6 +22,7 @@ import ../make-test-python.nix ({ lib, pkgs, ... }: { machine.wait_for_unit("multi-user.target") machine.wait_for_unit("guix-daemon.service") + machine.succeed("systemctl start guix-gc.service") # Can't do much here since the environment has restricted network access. with subtest("Guix basic package management"): diff --git a/nixpkgs/nixos/tests/guix/publish.nix b/nixpkgs/nixos/tests/guix/publish.nix index 6dbe8f99ebd6..a15e00b0fa98 100644 --- a/nixpkgs/nixos/tests/guix/publish.nix +++ b/nixpkgs/nixos/tests/guix/publish.nix @@ -16,7 +16,7 @@ in { # substitute server which requires Avahi. services.avahi = { enable = true; - nssmdns = true; + nssmdns4 = true; publish = { enable = true; userServices = true; diff --git a/nixpkgs/nixos/tests/harmonia.nix b/nixpkgs/nixos/tests/harmonia.nix index 6cf9ad4d2335..a9beac82f8e1 100644 --- a/nixpkgs/nixos/tests/harmonia.nix +++ b/nixpkgs/nixos/tests/harmonia.nix @@ -13,6 +13,9 @@ networking.firewall.allowedTCPPorts = [ 5000 ]; system.extraDependencies = [ pkgs.emptyFile ]; + + # check that extra-allowed-users is effective for harmonia + nix.settings.allowed-users = []; }; client01 = { diff --git a/nixpkgs/nixos/tests/home-assistant.nix b/nixpkgs/nixos/tests/home-assistant.nix index e1588088ba19..05fb2fa1e06a 100644 --- a/nixpkgs/nixos/tests/home-assistant.nix +++ b/nixpkgs/nixos/tests/home-assistant.nix @@ -43,7 +43,7 @@ in { # test loading custom components customComponents = with pkgs.home-assistant-custom-components; [ - prometheus-sensor + prometheus_sensor ]; # test loading lovelace modules @@ -182,7 +182,7 @@ in { hass.wait_until_succeeds("journalctl -u home-assistant.service | grep -q 'We found a custom integration prometheus_sensor which has not been tested by Home Assistant'") with subtest("Check that lovelace modules are referenced and fetchable"): - hass.succeed("grep -q 'mini-graph-card-bundle.js' '${configDir}/ui-lovelace.yaml'") + hass.succeed("grep -q 'mini-graph-card-bundle.js' '${configDir}/configuration.yaml'") hass.succeed("curl --fail http://localhost:8123/local/nixos-lovelace-modules/mini-graph-card-bundle.js") with subtest("Check that optional dependencies are in the PYTHONPATH"): diff --git a/nixpkgs/nixos/tests/incus/container.nix b/nixpkgs/nixos/tests/incus/container.nix index 49a22c08aad1..2d3fa49e5bd1 100644 --- a/nixpkgs/nixos/tests/incus/container.nix +++ b/nixpkgs/nixos/tests/incus/container.nix @@ -14,7 +14,9 @@ in { name = "incus-container"; - meta.maintainers = with lib.maintainers; [ adamcstephens ]; + meta = { + maintainers = lib.teams.lxc.members; + }; nodes.machine = { ... }: { virtualisation = { diff --git a/nixpkgs/nixos/tests/incus/preseed.nix b/nixpkgs/nixos/tests/incus/preseed.nix index 47b2d0cd6228..a488d71f3c92 100644 --- a/nixpkgs/nixos/tests/incus/preseed.nix +++ b/nixpkgs/nixos/tests/incus/preseed.nix @@ -3,7 +3,9 @@ import ../make-test-python.nix ({ pkgs, lib, ... } : { name = "incus-preseed"; - meta.maintainers = with lib.maintainers; [ adamcstephens ]; + meta = { + maintainers = lib.teams.lxc.members; + }; nodes.machine = { lib, ... }: { virtualisation = { diff --git a/nixpkgs/nixos/tests/incus/socket-activated.nix b/nixpkgs/nixos/tests/incus/socket-activated.nix index 4d25b26a15f5..fca536b7054f 100644 --- a/nixpkgs/nixos/tests/incus/socket-activated.nix +++ b/nixpkgs/nixos/tests/incus/socket-activated.nix @@ -3,7 +3,9 @@ import ../make-test-python.nix ({ pkgs, lib, ... } : { name = "incus-socket-activated"; - meta.maintainers = with lib.maintainers; [ adamcstephens ]; + meta = { + maintainers = lib.teams.lxc.members; + }; nodes.machine = { lib, ... }: { virtualisation = { diff --git a/nixpkgs/nixos/tests/incus/virtual-machine.nix b/nixpkgs/nixos/tests/incus/virtual-machine.nix index bfa116679d43..be5746ef63e2 100644 --- a/nixpkgs/nixos/tests/incus/virtual-machine.nix +++ b/nixpkgs/nixos/tests/incus/virtual-machine.nix @@ -19,7 +19,9 @@ in { name = "incus-virtual-machine"; - meta.maintainers = with lib.maintainers; [ adamcstephens ]; + meta = { + maintainers = lib.teams.lxc.members; + }; nodes.machine = {...}: { virtualisation = { diff --git a/nixpkgs/nixos/tests/installed-tests/flatpak.nix b/nixpkgs/nixos/tests/installed-tests/flatpak.nix index 9524d890c402..fa191202f52d 100644 --- a/nixpkgs/nixos/tests/installed-tests/flatpak.nix +++ b/nixpkgs/nixos/tests/installed-tests/flatpak.nix @@ -7,6 +7,7 @@ makeInstalledTest { testConfig = { xdg.portal.enable = true; xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ]; + xdg.portal.config.common.default = "gtk"; services.flatpak.enable = true; environment.systemPackages = with pkgs; [ gnupg ostree python3 ]; virtualisation.memorySize = 2047; diff --git a/nixpkgs/nixos/tests/kernel-generic.nix b/nixpkgs/nixos/tests/kernel-generic.nix index 352deb521a47..72d31246b75d 100644 --- a/nixpkgs/nixos/tests/kernel-generic.nix +++ b/nixpkgs/nixos/tests/kernel-generic.nix @@ -31,6 +31,7 @@ let linux_5_15_hardened linux_6_1_hardened linux_6_5_hardened + linux_6_6_hardened linux_rt_5_4 linux_rt_5_10 linux_rt_5_15 diff --git a/nixpkgs/nixos/tests/lxd/container.nix b/nixpkgs/nixos/tests/lxd/container.nix index 0ebe73d872f2..ef9c3f4bbee7 100644 --- a/nixpkgs/nixos/tests/lxd/container.nix +++ b/nixpkgs/nixos/tests/lxd/container.nix @@ -18,8 +18,8 @@ let in { name = "lxd-container"; - meta = with pkgs.lib.maintainers; { - maintainers = [ patryk27 adamcstephens ]; + meta = { + maintainers = lib.teams.lxc.members; }; nodes.machine = { lib, ... }: { diff --git a/nixpkgs/nixos/tests/lxd/nftables.nix b/nixpkgs/nixos/tests/lxd/nftables.nix index d98bd4952906..e6ce4089d719 100644 --- a/nixpkgs/nixos/tests/lxd/nftables.nix +++ b/nixpkgs/nixos/tests/lxd/nftables.nix @@ -5,11 +5,11 @@ # iptables to nftables requires a full reboot, which is a bit hard inside NixOS # tests. -import ../make-test-python.nix ({ pkgs, ...} : { +import ../make-test-python.nix ({ pkgs, lib, ...} : { name = "lxd-nftables"; - meta = with pkgs.lib.maintainers; { - maintainers = [ patryk27 ]; + meta = { + maintainers = lib.teams.lxc.members; }; nodes.machine = { lib, ... }: { diff --git a/nixpkgs/nixos/tests/lxd/preseed.nix b/nixpkgs/nixos/tests/lxd/preseed.nix index 7d89b9f56daa..fb80dcf3893e 100644 --- a/nixpkgs/nixos/tests/lxd/preseed.nix +++ b/nixpkgs/nixos/tests/lxd/preseed.nix @@ -4,7 +4,7 @@ import ../make-test-python.nix ({ pkgs, lib, ... } : name = "lxd-preseed"; meta = { - maintainers = with lib.maintainers; [ adamcstephens ]; + maintainers = lib.teams.lxc.members; }; nodes.machine = { lib, ... }: { diff --git a/nixpkgs/nixos/tests/lxd/ui.nix b/nixpkgs/nixos/tests/lxd/ui.nix index ff651725ba70..c442f44ab81c 100644 --- a/nixpkgs/nixos/tests/lxd/ui.nix +++ b/nixpkgs/nixos/tests/lxd/ui.nix @@ -1,8 +1,8 @@ import ../make-test-python.nix ({ pkgs, lib, ... }: { name = "lxd-ui"; - meta = with pkgs.lib.maintainers; { - maintainers = [ jnsgruk ]; + meta = { + maintainers = lib.teams.lxc.members; }; nodes.machine = { lib, ... }: { diff --git a/nixpkgs/nixos/tests/lxd/virtual-machine.nix b/nixpkgs/nixos/tests/lxd/virtual-machine.nix index 93705e9350c5..2a9dd8fcdbf6 100644 --- a/nixpkgs/nixos/tests/lxd/virtual-machine.nix +++ b/nixpkgs/nixos/tests/lxd/virtual-machine.nix @@ -18,8 +18,8 @@ let in { name = "lxd-virtual-machine"; - meta = with pkgs.lib.maintainers; { - maintainers = [adamcstephens]; + meta = { + maintainers = lib.teams.lxc.members; }; nodes.machine = {lib, ...}: { diff --git a/nixpkgs/nixos/tests/mobilizon.nix b/nixpkgs/nixos/tests/mobilizon.nix index 398c8530dc56..2b070ca9d960 100644 --- a/nixpkgs/nixos/tests/mobilizon.nix +++ b/nixpkgs/nixos/tests/mobilizon.nix @@ -10,7 +10,7 @@ import ./make-test-python.nix ({ lib, ... }: meta.maintainers = with lib.maintainers; [ minijackson erictapen ]; nodes.server = - { pkgs, ... }: + { ... }: { services.mobilizon = { enable = true; @@ -25,8 +25,6 @@ import ./make-test-python.nix ({ lib, ... }: }; }; - services.postgresql.package = pkgs.postgresql_14; - security.pki.certificateFiles = [ certs.ca.cert ]; services.nginx.virtualHosts."${mobilizonDomain}" = { diff --git a/nixpkgs/nixos/tests/mongodb.nix b/nixpkgs/nixos/tests/mongodb.nix index 1afc891817af..68be6926865e 100644 --- a/nixpkgs/nixos/tests/mongodb.nix +++ b/nixpkgs/nixos/tests/mongodb.nix @@ -27,7 +27,7 @@ import ./make-test-python.nix ({ pkgs, ... }: in { name = "mongodb"; meta = with pkgs.lib.maintainers; { - maintainers = [ bluescreen303 offline rvl phile314 ]; + maintainers = [ bluescreen303 offline phile314 ]; }; nodes = { diff --git a/nixpkgs/nixos/tests/mysql/mysql-backup.nix b/nixpkgs/nixos/tests/mysql/mysql-backup.nix index 968f56dd3c9b..451f5c04ce46 100644 --- a/nixpkgs/nixos/tests/mysql/mysql-backup.nix +++ b/nixpkgs/nixos/tests/mysql/mysql-backup.nix @@ -15,9 +15,6 @@ let name ? mkTestName package }: makeTest { name = "${name}-backup"; - meta = with pkgs.lib.maintainers; { - maintainers = [ rvl ]; - }; nodes = { master = { pkgs, ... }: { diff --git a/nixpkgs/nixos/tests/nextcloud/default.nix b/nixpkgs/nixos/tests/nextcloud/default.nix index 19d04b28b4f9..84ac37153727 100644 --- a/nixpkgs/nixos/tests/nextcloud/default.nix +++ b/nixpkgs/nixos/tests/nextcloud/default.nix @@ -22,4 +22,4 @@ foldl }; }) { } - [ 26 27 ] + [ 26 27 28 ] diff --git a/nixpkgs/nixos/tests/nginx-redirectcode.nix b/nixpkgs/nixos/tests/nginx-redirectcode.nix new file mode 100644 index 000000000000..f60434a21a85 --- /dev/null +++ b/nixpkgs/nixos/tests/nginx-redirectcode.nix @@ -0,0 +1,25 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: { + name = "nginx-redirectcode"; + meta.maintainers = with lib.maintainers; [ misterio77 ]; + + nodes = { + webserver = { pkgs, lib, ... }: { + services.nginx = { + enable = true; + virtualHosts.localhost = { + globalRedirect = "example.com/foo"; + # With 308 (and 307), the method and body are to be kept when following it + redirectCode = 308; + }; + }; + }; + }; + + testScript = '' + webserver.wait_for_unit("nginx") + webserver.wait_for_open_port(80) + + # Check the status code + webserver.succeed("curl -si http://localhost | grep '^HTTP/[0-9.]\+ 308 Permanent Redirect'") + ''; +}) diff --git a/nixpkgs/nixos/tests/pgjwt.nix b/nixpkgs/nixos/tests/pgjwt.nix index 4793a3e31503..8d3310b74eb3 100644 --- a/nixpkgs/nixos/tests/pgjwt.nix +++ b/nixpkgs/nixos/tests/pgjwt.nix @@ -11,7 +11,7 @@ with pkgs; { { services.postgresql = { enable = true; - extraPlugins = [ pgjwt pgtap ]; + extraPlugins = ps: with ps; [ pgjwt pgtap ]; }; }; }; diff --git a/nixpkgs/nixos/tests/postgis.nix b/nixpkgs/nixos/tests/postgis.nix index d0685abc510c..09c738b938ba 100644 --- a/nixpkgs/nixos/tests/postgis.nix +++ b/nixpkgs/nixos/tests/postgis.nix @@ -9,10 +9,10 @@ import ./make-test-python.nix ({ pkgs, ...} : { { pkgs, ... }: { - services.postgresql = let mypg = pkgs.postgresql; in { + services.postgresql = { enable = true; - package = mypg; - extraPlugins = with mypg.pkgs; [ + package = pkgs.postgresql; + extraPlugins = ps: with ps; [ postgis ]; }; diff --git a/nixpkgs/nixos/tests/promscale.nix b/nixpkgs/nixos/tests/promscale.nix index d4825b6d7f55..da18628f2482 100644 --- a/nixpkgs/nixos/tests/promscale.nix +++ b/nixpkgs/nixos/tests/promscale.nix @@ -27,7 +27,7 @@ let services.postgresql = { enable = true; package = postgresql-package; - extraPlugins = with postgresql-package.pkgs; [ + extraPlugins = ps: with ps; [ timescaledb promscale_extension ]; diff --git a/nixpkgs/nixos/tests/spark/default.nix b/nixpkgs/nixos/tests/spark/default.nix index 462f0d23a403..eed7db35bf4f 100644 --- a/nixpkgs/nixos/tests/spark/default.nix +++ b/nixpkgs/nixos/tests/spark/default.nix @@ -1,28 +1,48 @@ -import ../make-test-python.nix ({...}: { - name = "spark"; +{ pkgs, ... }: - nodes = { - worker = { nodes, pkgs, ... }: { - services.spark.worker = { - enable = true; - master = "master:7077"; +let + inherit (pkgs) lib; + tests = { + default = testsForPackage { sparkPackage = pkgs.spark; }; + }; + + testsForPackage = args: lib.recurseIntoAttrs { + sparkCluster = testSparkCluster args; + passthru.override = args': testsForPackage (args // args'); + }; + testSparkCluster = { sparkPackage, ... }: pkgs.nixosTest ({ + name = "spark"; + + nodes = { + worker = { nodes, pkgs, ... }: { + services.spark = { + package = sparkPackage; + worker = { + enable = true; + master = "master:7077"; + }; + }; + virtualisation.memorySize = 2048; }; - virtualisation.memorySize = 2048; - }; - master = { config, pkgs, ... }: { - services.spark.master = { - enable = true; - bind = "0.0.0.0"; + master = { config, pkgs, ... }: { + services.spark = { + package = sparkPackage; + master = { + enable = true; + bind = "0.0.0.0"; + }; + }; + networking.firewall.allowedTCPPorts = [ 22 7077 8080 ]; }; - networking.firewall.allowedTCPPorts = [ 22 7077 8080 ]; }; - }; - testScript = '' - master.wait_for_unit("spark-master.service") - worker.wait_for_unit("spark-worker.service") - worker.copy_from_host( "${./spark_sample.py}", "/spark_sample.py" ) - assert "<title>Spark Master at spark://" in worker.succeed("curl -sSfkL http://master:8080/") - worker.succeed("spark-submit --master spark://master:7077 --executor-memory 512m --executor-cores 1 /spark_sample.py") - ''; -}) + testScript = '' + master.wait_for_unit("spark-master.service") + worker.wait_for_unit("spark-worker.service") + worker.copy_from_host( "${./spark_sample.py}", "/spark_sample.py" ) + assert "<title>Spark Master at spark://" in worker.succeed("curl -sSfkL http://master:8080/") + worker.succeed("spark-submit --version | systemd-cat") + worker.succeed("spark-submit --master spark://master:7077 --executor-memory 512m --executor-cores 1 /spark_sample.py") + ''; + }); +in tests diff --git a/nixpkgs/nixos/tests/stub-ld.nix b/nixpkgs/nixos/tests/stub-ld.nix new file mode 100644 index 000000000000..25161301741b --- /dev/null +++ b/nixpkgs/nixos/tests/stub-ld.nix @@ -0,0 +1,73 @@ +import ./make-test-python.nix ({ lib, pkgs, ... }: { + name = "stub-ld"; + + nodes.machine = { lib, ... }: + { + environment.stub-ld.enable = true; + + specialisation.nostub = { + inheritParentConfig = true; + + configuration = { ... }: { + environment.stub-ld.enable = lib.mkForce false; + }; + }; + }; + + testScript = let + libDir = pkgs.stdenv.hostPlatform.libDir; + ldsoBasename = lib.last (lib.splitString "/" pkgs.stdenv.cc.bintools.dynamicLinker); + + check32 = pkgs.stdenv.isx86_64; + pkgs32 = pkgs.pkgsi686Linux; + + libDir32 = pkgs32.stdenv.hostPlatform.libDir; + ldsoBasename32 = lib.last (lib.splitString "/" pkgs32.stdenv.cc.bintools.dynamicLinker); + + test-exec = builtins.mapAttrs (n: v: pkgs.runCommand "test-exec-${n}" { src = pkgs.fetchurl v; } "mkdir -p $out;cd $out;tar -xzf $src") { + x86_64-linux.url = "https://github.com/rustic-rs/rustic/releases/download/v0.6.1/rustic-v0.6.1-x86_64-unknown-linux-gnu.tar.gz"; + x86_64-linux.hash = "sha256-3zySzx8MKFprMOi++yr2ZGASE0aRfXHQuG3SN+kWUCI="; + i686-linux.url = "https://github.com/rustic-rs/rustic/releases/download/v0.6.1/rustic-v0.6.1-i686-unknown-linux-gnu.tar.gz"; + i686-linux.hash = "sha256-fWNiATFeg0B2pfB5zndlnzGn7Ztl8diVS1rFLEDnSLU="; + aarch64-linux.url = "https://github.com/rustic-rs/rustic/releases/download/v0.6.1/rustic-v0.6.1-aarch64-unknown-linux-gnu.tar.gz"; + aarch64-linux.hash = "sha256-hnldbd2cctQIAhIKoEZLIWY8H3jiFBClkNy2UlyyvAs="; + }; + exec-name = "rustic"; + + if32 = pythonStatement: if check32 then pythonStatement else "pass"; + in + '' + machine.start() + machine.wait_for_unit("multi-user.target") + + with subtest("Check for stub (enabled, initial)"): + machine.succeed('test -L /${libDir}/${ldsoBasename}') + ${if32 "machine.succeed('test -L /${libDir32}/${ldsoBasename32}')"} + + with subtest("Try FHS executable"): + machine.copy_from_host('${test-exec.${pkgs.system}}','test-exec') + machine.succeed('if test-exec/${exec-name} 2>outfile; then false; else [ $? -eq 127 ];fi') + machine.succeed('grep -qi nixos outfile') + ${if32 "machine.copy_from_host('${test-exec.${pkgs32.system}}','test-exec32')"} + ${if32 "machine.succeed('if test-exec32/${exec-name} 2>outfile32; then false; else [ $? -eq 127 ];fi')"} + ${if32 "machine.succeed('grep -qi nixos outfile32')"} + + with subtest("Disable stub"): + machine.succeed("/run/booted-system/specialisation/nostub/bin/switch-to-configuration test") + + with subtest("Check for stub (disabled)"): + machine.fail('test -e /${libDir}/${ldsoBasename}') + ${if32 "machine.fail('test -e /${libDir32}/${ldsoBasename32}')"} + + with subtest("Create file in stub location (to be overwritten)"): + machine.succeed('mkdir -p /${libDir};touch /${libDir}/${ldsoBasename}') + ${if32 "machine.succeed('mkdir -p /${libDir32};touch /${libDir32}/${ldsoBasename32}')"} + + with subtest("Re-enable stub"): + machine.succeed("/run/booted-system/bin/switch-to-configuration test") + + with subtest("Check for stub (enabled, final)"): + machine.succeed('test -L /${libDir}/${ldsoBasename}') + ${if32 "machine.succeed('test -L /${libDir32}/${ldsoBasename32}')"} + ''; +}) diff --git a/nixpkgs/nixos/tests/telegraf.nix b/nixpkgs/nixos/tests/telegraf.nix index af9c5c387a5d..c3cdb1645213 100644 --- a/nixpkgs/nixos/tests/telegraf.nix +++ b/nixpkgs/nixos/tests/telegraf.nix @@ -12,7 +12,6 @@ import ./make-test-python.nix ({ pkgs, ...} : { services.telegraf.extraConfig = { agent.interval = "1s"; agent.flush_interval = "1s"; - inputs.procstat = {}; inputs.exec = { commands = [ "${pkgs.runtimeShell} -c 'echo $SECRET,tag=a i=42i'" diff --git a/nixpkgs/nixos/tests/timescaledb.nix b/nixpkgs/nixos/tests/timescaledb.nix index 00a7f9af09fb..ba0a3cec6076 100644 --- a/nixpkgs/nixos/tests/timescaledb.nix +++ b/nixpkgs/nixos/tests/timescaledb.nix @@ -52,7 +52,7 @@ let services.postgresql = { enable = true; package = postgresql-package; - extraPlugins = with postgresql-package.pkgs; [ + extraPlugins = ps: with ps; [ timescaledb timescaledb_toolkit ]; diff --git a/nixpkgs/nixos/tests/tsja.nix b/nixpkgs/nixos/tests/tsja.nix index 176783088d8d..f34358ff3f5f 100644 --- a/nixpkgs/nixos/tests/tsja.nix +++ b/nixpkgs/nixos/tests/tsja.nix @@ -11,7 +11,7 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { { services.postgresql = { enable = true; - extraPlugins = with config.services.postgresql.package.pkgs; [ + extraPlugins = ps: with ps; [ tsja ]; }; diff --git a/nixpkgs/nixos/tests/unbound.nix b/nixpkgs/nixos/tests/unbound.nix index f6732390b434..39a01259edeb 100644 --- a/nixpkgs/nixos/tests/unbound.nix +++ b/nixpkgs/nixos/tests/unbound.nix @@ -106,8 +106,8 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "."; forward-addr = [ - (lib.head nodes.authoritative.config.networking.interfaces.eth1.ipv6.addresses).address - (lib.head nodes.authoritative.config.networking.interfaces.eth1.ipv4.addresses).address + (lib.head nodes.authoritative.networking.interfaces.eth1.ipv6.addresses).address + (lib.head nodes.authoritative.networking.interfaces.eth1.ipv4.addresses).address ]; } ]; @@ -168,8 +168,8 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: "unbound-extra1.conf".text = '' forward-zone: name: "example.local." - forward-addr: ${(lib.head nodes.resolver.config.networking.interfaces.eth1.ipv6.addresses).address} - forward-addr: ${(lib.head nodes.resolver.config.networking.interfaces.eth1.ipv4.addresses).address} + forward-addr: ${(lib.head nodes.resolver.networking.interfaces.eth1.ipv6.addresses).address} + forward-addr: ${(lib.head nodes.resolver.networking.interfaces.eth1.ipv4.addresses).address} ''; "unbound-extra2.conf".text = '' auth-zone: @@ -187,8 +187,8 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: client = { lib, nodes, ... }: { imports = [ common ]; networking.nameservers = [ - (lib.head nodes.resolver.config.networking.interfaces.eth1.ipv6.addresses).address - (lib.head nodes.resolver.config.networking.interfaces.eth1.ipv4.addresses).address + (lib.head nodes.resolver.networking.interfaces.eth1.ipv6.addresses).address + (lib.head nodes.resolver.networking.interfaces.eth1.ipv4.addresses).address ]; networking.interfaces.eth1.ipv4.addresses = [ { address = "192.168.0.10"; prefixLength = 24; } @@ -276,7 +276,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: resolver.wait_for_unit("multi-user.target") with subtest("client should be able to query the resolver"): - test(client, ["${(lib.head nodes.resolver.config.networking.interfaces.eth1.ipv6.addresses).address}", "${(lib.head nodes.resolver.config.networking.interfaces.eth1.ipv4.addresses).address}"], doh=True) + test(client, ["${(lib.head nodes.resolver.networking.interfaces.eth1.ipv6.addresses).address}", "${(lib.head nodes.resolver.networking.interfaces.eth1.ipv4.addresses).address}"], doh=True) # discard the client we do not need anymore client.shutdown() @@ -298,7 +298,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: ).strip() # Thank you black! Can't really break this line into a readable version. - expected = "example.local. IN forward ${(lib.head nodes.resolver.config.networking.interfaces.eth1.ipv6.addresses).address} ${(lib.head nodes.resolver.config.networking.interfaces.eth1.ipv4.addresses).address}" + expected = "example.local. IN forward ${(lib.head nodes.resolver.networking.interfaces.eth1.ipv6.addresses).address} ${(lib.head nodes.resolver.networking.interfaces.eth1.ipv4.addresses).address}" assert out == expected, f"Expected `{expected}` but got `{out}` instead." local_resolver.fail("sudo -u unauthorizeduser -- unbound-control list_forwards") diff --git a/nixpkgs/nixos/tests/zammad.nix b/nixpkgs/nixos/tests/zammad.nix index 7a2d40e82b3e..faae1949e37b 100644 --- a/nixpkgs/nixos/tests/zammad.nix +++ b/nixpkgs/nixos/tests/zammad.nix @@ -4,9 +4,13 @@ import ./make-test-python.nix ( { name = "zammad"; - meta.maintainers = with lib.maintainers; [ garbas taeer n0emis ]; + meta.maintainers = with lib.maintainers; [ taeer n0emis netali ]; nodes.machine = { config, ... }: { + virtualisation = { + memorySize = 2048; + }; + services.zammad.enable = true; services.zammad.secretKeyBaseFile = pkgs.writeText "secret" '' 52882ef142066e09ab99ce816ba72522e789505caba224a52d750ec7dc872c2c371b2fd19f16b25dfbdd435a4dd46cb3df9f82eb63fafad715056bdfe25740d6 @@ -44,9 +48,10 @@ import ./make-test-python.nix ( testScript = '' start_all() machine.wait_for_unit("postgresql.service") + machine.wait_for_unit("redis-zammad.service") machine.wait_for_unit("zammad-web.service") machine.wait_for_unit("zammad-websocket.service") - machine.wait_for_unit("zammad-scheduler.service") + machine.wait_for_unit("zammad-worker.service") # wait for zammad to fully come up machine.sleep(120) |