diff options
| author | Alyssa Ross <hi@alyssa.is> | 2020-01-11 23:37:02 +0000 |
|---|---|---|
| committer | Alyssa Ross <hi@alyssa.is> | 2020-01-11 23:41:30 +0000 |
| commit | 6c557e3f1c28cf87e9fba232811d6875dd1399c1 (patch) | |
| tree | 035a071d5d8980df6de0fa42e2ef8fc0cce7055e /nixpkgs/nixos | |
| parent | da7500bc026e937ac7fce7b50f67a0e1765737a7 (diff) | |
| parent | e4134747f5666bcab8680aff67fa3b63384f9a0f (diff) | |
| download | nixlib-6c557e3f1c28cf87e9fba232811d6875dd1399c1.tar nixlib-6c557e3f1c28cf87e9fba232811d6875dd1399c1.tar.gz nixlib-6c557e3f1c28cf87e9fba232811d6875dd1399c1.tar.bz2 nixlib-6c557e3f1c28cf87e9fba232811d6875dd1399c1.tar.lz nixlib-6c557e3f1c28cf87e9fba232811d6875dd1399c1.tar.xz nixlib-6c557e3f1c28cf87e9fba232811d6875dd1399c1.tar.zst nixlib-6c557e3f1c28cf87e9fba232811d6875dd1399c1.zip | |
Merge commit 'e4134747f5666bcab8680aff67fa3b63384f9a0f'
Diffstat (limited to 'nixpkgs/nixos')
805 files changed, 20120 insertions, 11443 deletions
diff --git a/nixpkgs/nixos/doc/manual/configuration/abstractions.xml b/nixpkgs/nixos/doc/manual/configuration/abstractions.xml index 5bf0635cc1aa..df9ff2615e1a 100644 --- a/nixpkgs/nixos/doc/manual/configuration/abstractions.xml +++ b/nixpkgs/nixos/doc/manual/configuration/abstractions.xml @@ -11,50 +11,46 @@ <programlisting> { <xref linkend="opt-services.httpd.virtualHosts"/> = - [ { hostName = "example.org"; - documentRoot = "/webroot"; + { "blog.example.org" = { + documentRoot = "/webroot/blog.example.org"; adminAddr = "alice@example.org"; - enableUserDir = true; - } - { hostName = "example.org"; - documentRoot = "/webroot"; + forceSSL = true; + enableACME = true; + enablePHP = true; + }; + "wiki.example.org" = { + documentRoot = "/webroot/wiki.example.org"; adminAddr = "alice@example.org"; - enableUserDir = true; - enableSSL = true; - sslServerCert = "/root/ssl-example-org.crt"; - sslServerKey = "/root/ssl-example-org.key"; - } - ]; + forceSSL = true; + enableACME = true; + enablePHP = true; + }; + }; } </programlisting> It defines two virtual hosts with nearly identical configuration; the only - difference is that the second one has SSL enabled. To prevent this + difference is the document root directories. To prevent this duplication, we can use a <literal>let</literal>: <programlisting> let - exampleOrgCommon = - { hostName = "example.org"; - documentRoot = "/webroot"; - adminAddr = "alice@example.org"; - enableUserDir = true; + commonConfig = + { adminAddr = "alice@example.org"; + forceSSL = true; + enableACME = true; }; in { <xref linkend="opt-services.httpd.virtualHosts"/> = - [ exampleOrgCommon - (exampleOrgCommon // { - enableSSL = true; - sslServerCert = "/root/ssl-example-org.crt"; - sslServerKey = "/root/ssl-example-org.key"; - }) - ]; + { "blog.example.org" = (commonConfig // { documentRoot = "/webroot/blog.example.org"; }); + "wiki.example.org" = (commonConfig // { documentRoot = "/webroot/wiki.example.com"; }); + }; } </programlisting> - The <literal>let exampleOrgCommon = <replaceable>...</replaceable></literal> - defines a variable named <literal>exampleOrgCommon</literal>. The + The <literal>let commonConfig = <replaceable>...</replaceable></literal> + defines a variable named <literal>commonConfig</literal>. The <literal>//</literal> operator merges two attribute sets, so the configuration of the second virtual host is the set - <literal>exampleOrgCommon</literal> extended with the SSL options. + <literal>commonConfig</literal> extended with the document root option. </para> <para> @@ -63,13 +59,13 @@ in <programlisting> { <xref linkend="opt-services.httpd.virtualHosts"/> = - let exampleOrgCommon = <replaceable>...</replaceable>; in - [ exampleOrgCommon - (exampleOrgCommon // { <replaceable>...</replaceable> }) - ]; + let commonConfig = <replaceable>...</replaceable>; in + { "blog.example.org" = (commonConfig // { <replaceable>...</replaceable> }) + "wiki.example.org" = (commonConfig // { <replaceable>...</replaceable> }) + }; } </programlisting> - but not <literal>{ let exampleOrgCommon = <replaceable>...</replaceable>; in + but not <literal>{ let commonConfig = <replaceable>...</replaceable>; in <replaceable>...</replaceable>; }</literal> since attributes (as opposed to attribute values) are not expressions. </para> @@ -77,80 +73,29 @@ in <para> <emphasis>Functions</emphasis> provide another method of abstraction. For instance, suppose that we want to generate lots of different virtual hosts, - all with identical configuration except for the host name. This can be done + all with identical configuration except for the document root. This can be done as follows: <programlisting> { <xref linkend="opt-services.httpd.virtualHosts"/> = let - makeVirtualHost = name: - { hostName = name; - documentRoot = "/webroot"; + makeVirtualHost = webroot: + { documentRoot = webroot; adminAddr = "alice@example.org"; + forceSSL = true; + enableACME = true; }; in - [ (makeVirtualHost "example.org") - (makeVirtualHost "example.com") - (makeVirtualHost "example.gov") - (makeVirtualHost "example.nl") - ]; + { "example.org" = (makeVirtualHost "/webroot/example.org"); + "example.com" = (makeVirtualHost "/webroot/example.com"); + "example.gov" = (makeVirtualHost "/webroot/example.gov"); + "example.nl" = (makeVirtualHost "/webroot/example.nl"); + }; } </programlisting> Here, <varname>makeVirtualHost</varname> is a function that takes a single - argument <literal>name</literal> and returns the configuration for a virtual + argument <literal>webroot</literal> and returns the configuration for a virtual host. That function is then called for several names to produce the list of virtual host configurations. </para> - - <para> - We can further improve on this by using the function <varname>map</varname>, - which applies another function to every element in a list: -<programlisting> -{ - <xref linkend="opt-services.httpd.virtualHosts"/> = - let - makeVirtualHost = <replaceable>...</replaceable>; - in map makeVirtualHost - [ "example.org" "example.com" "example.gov" "example.nl" ]; -} -</programlisting> - (The function <literal>map</literal> is called a <emphasis>higher-order - function</emphasis> because it takes another function as an argument.) - </para> - - <para> - What if you need more than one argument, for instance, if we want to use a - different <literal>documentRoot</literal> for each virtual host? Then we can - make <varname>makeVirtualHost</varname> a function that takes a - <emphasis>set</emphasis> as its argument, like this: -<programlisting> -{ - <xref linkend="opt-services.httpd.virtualHosts"/> = - let - makeVirtualHost = { name, root }: - { hostName = name; - documentRoot = root; - adminAddr = "alice@example.org"; - }; - in map makeVirtualHost - [ { name = "example.org"; root = "/sites/example.org"; } - { name = "example.com"; root = "/sites/example.com"; } - { name = "example.gov"; root = "/sites/example.gov"; } - { name = "example.nl"; root = "/sites/example.nl"; } - ]; -} -</programlisting> - But in this case (where every root is a subdirectory of - <filename>/sites</filename> named after the virtual host), it would have been - shorter to define <varname>makeVirtualHost</varname> as -<programlisting> -makeVirtualHost = name: - { hostName = name; - documentRoot = "/sites/${name}"; - adminAddr = "alice@example.org"; - }; -</programlisting> - Here, the construct <literal>${<replaceable>...</replaceable>}</literal> - allows the result of an expression to be spliced into a string. - </para> </section> diff --git a/nixpkgs/nixos/doc/manual/configuration/config-file.xml b/nixpkgs/nixos/doc/manual/configuration/config-file.xml index eadafb94b8f6..7ccb5b3664ea 100644 --- a/nixpkgs/nixos/doc/manual/configuration/config-file.xml +++ b/nixpkgs/nixos/doc/manual/configuration/config-file.xml @@ -27,7 +27,7 @@ { <xref linkend="opt-services.httpd.enable"/> = true; <xref linkend="opt-services.httpd.adminAddr"/> = "alice@example.org"; - <xref linkend="opt-services.httpd.documentRoot"/> = "/webroot"; + <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.localhost.documentRoot</link> = "/webroot"; } </programlisting> defines a configuration with three option definitions that together enable @@ -50,7 +50,11 @@ httpd = { enable = true; adminAddr = "alice@example.org"; - documentRoot = "/webroot"; + virtualHosts = { + localhost = { + documentRoot = "/webroot"; + }; + }; }; }; } diff --git a/nixpkgs/nixos/doc/manual/configuration/profiles/graphical.xml b/nixpkgs/nixos/doc/manual/configuration/profiles/graphical.xml index 73e3abc59d0c..cc6d0825d241 100644 --- a/nixpkgs/nixos/doc/manual/configuration/profiles/graphical.xml +++ b/nixpkgs/nixos/doc/manual/configuration/profiles/graphical.xml @@ -13,9 +13,7 @@ <para> It sets <xref linkend="opt-services.xserver.enable"/>, <xref linkend="opt-services.xserver.displayManager.sddm.enable"/>, - <xref linkend="opt-services.xserver.desktopManager.plasma5.enable"/> ( - <link linkend="opt-services.xserver.desktopManager.plasma5.enableQt4Support"> - without Qt4 Support</link>), and + <xref linkend="opt-services.xserver.desktopManager.plasma5.enable"/>, and <xref linkend="opt-services.xserver.libinput.enable"/> to true. It also includes glxinfo and firefox in the system packages list. </para> diff --git a/nixpkgs/nixos/doc/manual/configuration/wireless.xml b/nixpkgs/nixos/doc/manual/configuration/wireless.xml index 9c0e3a8d7aa4..247d29d58314 100644 --- a/nixpkgs/nixos/doc/manual/configuration/wireless.xml +++ b/nixpkgs/nixos/doc/manual/configuration/wireless.xml @@ -19,10 +19,17 @@ NixOS lets you specify networks for wpa_supplicant declaratively: <programlisting> <xref linkend="opt-networking.wireless.networks"/> = { - echelon = { + echelon = { # SSID with no spaces or special characters psk = "abcdefgh"; }; - "free.wifi" = {}; + "echelon's AP" = { # SSID with spaces and/or special characters + psk = "ijklmnop"; + }; + echelon = { # Hidden SSID + hidden = true; + psk = "qrstuvwx"; + }; + free.wifi = {}; # Public wireless network }; </programlisting> Be aware that keys will be written to the nix store in plaintext! When no diff --git a/nixpkgs/nixos/doc/manual/configuration/x-windows.xml b/nixpkgs/nixos/doc/manual/configuration/x-windows.xml index f6f659b02afa..55ad9fe6e653 100644 --- a/nixpkgs/nixos/doc/manual/configuration/x-windows.xml +++ b/nixpkgs/nixos/doc/manual/configuration/x-windows.xml @@ -39,7 +39,7 @@ can select an alternative one by picking one of the following lines: <programlisting> <xref linkend="opt-services.xserver.displayManager.sddm.enable"/> = true; -<xref linkend="opt-services.xserver.displayManager.slim.enable"/> = true; +<xref linkend="opt-services.xserver.displayManager.gdm.enable"/> = true; </programlisting> </para> <para> @@ -83,8 +83,7 @@ desktop environment. If you wanted no desktop environment and i3 as your your window manager, you'd define: <programlisting> -<xref linkend="opt-services.xserver.desktopManager.default"/> = "none"; -<xref linkend="opt-services.xserver.windowManager.default"/> = "i3"; +<xref linkend="opt-services.xserver.displayManager.defaultSession"/> = "none+i3"; </programlisting> And, finally, to enable auto-login for a user <literal>johndoe</literal>: <programlisting> diff --git a/nixpkgs/nixos/doc/manual/configuration/xfce.xml b/nixpkgs/nixos/doc/manual/configuration/xfce.xml index 6ac99c6b2bee..7d2862f8b31f 100644 --- a/nixpkgs/nixos/doc/manual/configuration/xfce.xml +++ b/nixpkgs/nixos/doc/manual/configuration/xfce.xml @@ -7,22 +7,21 @@ <para> To enable the Xfce Desktop Environment, set <programlisting> -<link linkend="opt-services.xserver.desktopManager.default">services.xserver.desktopManager</link> = { - <link linkend="opt-services.xserver.desktopManager.xfce.enable">xfce.enable</link> = true; - <link linkend="opt-services.xserver.desktopManager.default">default</link> = "xfce"; +<xref linkend="opt-services.xserver.desktopManager.xfce.enable" /> = true; +<xref linkend="opt-services.xserver.displayManager.defaultSession" /> = "xfce"; }; </programlisting> </para> <para> - Optionally, <emphasis>compton</emphasis> can be enabled for nice graphical + Optionally, <emphasis>picom</emphasis> can be enabled for nice graphical effects, some example settings: <programlisting> -<link linkend="opt-services.compton.enable">services.compton</link> = { - <link linkend="opt-services.compton.enable">enable</link> = true; - <link linkend="opt-services.compton.fade">fade</link> = true; - <link linkend="opt-services.compton.inactiveOpacity">inactiveOpacity</link> = "0.9"; - <link linkend="opt-services.compton.shadow">shadow</link> = true; - <link linkend="opt-services.compton.fadeDelta">fadeDelta</link> = 4; +<link linkend="opt-services.picom.enable">services.picom</link> = { + <link linkend="opt-services.picom.enable">enable</link> = true; + <link linkend="opt-services.picom.fade">fade</link> = true; + <link linkend="opt-services.picom.inactiveOpacity">inactiveOpacity</link> = "0.9"; + <link linkend="opt-services.picom.shadow">shadow</link> = true; + <link linkend="opt-services.picom.fadeDelta">fadeDelta</link> = 4; }; </programlisting> </para> diff --git a/nixpkgs/nixos/doc/manual/default.nix b/nixpkgs/nixos/doc/manual/default.nix index f9de2db1a084..6ca75f869f45 100644 --- a/nixpkgs/nixos/doc/manual/default.nix +++ b/nixpkgs/nixos/doc/manual/default.nix @@ -62,14 +62,13 @@ let "--stringparam html.stylesheet 'style.css overrides.css highlightjs/mono-blue.css'" "--stringparam html.script './highlightjs/highlight.pack.js ./highlightjs/loader.js'" "--param xref.with.number.and.title 1" - "--param toc.section.depth 3" + "--param toc.section.depth 0" "--stringparam admon.style ''" "--stringparam callout.graphics.extension .svg" "--stringparam current.docid manual" "--param chunk.section.depth 0" "--param chunk.first.sections 1" "--param use.id.as.filename 1" - "--stringparam generate.toc 'book toc appendix toc'" "--stringparam chunk.toc ${toc}" ]; diff --git a/nixpkgs/nixos/doc/manual/development/option-declarations.xml b/nixpkgs/nixos/doc/manual/development/option-declarations.xml index eee81bf64263..56ebf4816306 100644 --- a/nixpkgs/nixos/doc/manual/development/option-declarations.xml +++ b/nixpkgs/nixos/doc/manual/development/option-declarations.xml @@ -99,7 +99,7 @@ xlink:href="https://nixos.org/nixpkgs/manual/#sec-package-naming"> <para> As an example, we will take the case of display managers. There is a central display manager module for generic display manager options and a module file - per display manager backend (slim, sddm, gdm ...). + per display manager backend (sddm, gdm ...). </para> <para> @@ -146,7 +146,7 @@ xlink:href="https://nixos.org/nixpkgs/manual/#sec-package-naming"> />), and to extend it in each backend module (<xref - linkend='ex-option-declaration-eot-backend-slim' />, + linkend='ex-option-declaration-eot-backend-gdm' />, <xref linkend='ex-option-declaration-eot-backend-sddm' />). </para> @@ -167,11 +167,11 @@ services.xserver.displayManager.enable = mkOption { };</screen> </example> - <example xml:id='ex-option-declaration-eot-backend-slim'> - <title>Extending <literal>services.xserver.displayManager.enable</literal> in the <literal>slim</literal> module</title> + <example xml:id='ex-option-declaration-eot-backend-gdm'> + <title>Extending <literal>services.xserver.displayManager.enable</literal> in the <literal>gdm</literal> module</title> <screen> services.xserver.displayManager.enable = mkOption { - type = with types; nullOr (enum [ "slim" ]); + type = with types; nullOr (enum [ "gdm" ]); };</screen> </example> diff --git a/nixpkgs/nixos/doc/manual/development/option-types.xml b/nixpkgs/nixos/doc/manual/development/option-types.xml index 8fcbb627342b..1ec7e3efad71 100644 --- a/nixpkgs/nixos/doc/manual/development/option-types.xml +++ b/nixpkgs/nixos/doc/manual/development/option-types.xml @@ -259,12 +259,66 @@ A set of sub options <replaceable>o</replaceable>. <replaceable>o</replaceable> can be an attribute set or a function returning an attribute set. Submodules are used in composed types to - create modular options. Submodule are detailed in + create modular options. This is equivalent to + <literal>types.submoduleWith { modules = toList o; shorthandOnlyDefinesConfig = true; }</literal>. + Submodules are detailed in <xref linkend='section-option-types-submodule' />. </para> </listitem> </varlistentry> + <varlistentry> + <term> + <varname>types.submoduleWith</varname> { + <replaceable>modules</replaceable>, + <replaceable>specialArgs</replaceable> ? {}, + <replaceable>shorthandOnlyDefinesConfig</replaceable> ? false } + </term> + <listitem> + <para> + Like <varname>types.submodule</varname>, but more flexible and with better defaults. + It has parameters + <itemizedlist> + <listitem><para> + <replaceable>modules</replaceable> + A list of modules to use by default for this submodule type. This gets combined + with all option definitions to build the final list of modules that will be included. + <note><para> + Only options defined with this argument are included in rendered documentation. + </para></note> + </para></listitem> + <listitem><para> + <replaceable>specialArgs</replaceable> + An attribute set of extra arguments to be passed to the module functions. + The option <literal>_module.args</literal> should be used instead + for most arguments since it allows overriding. <replaceable>specialArgs</replaceable> should only be + used for arguments that can't go through the module fixed-point, because of + infinite recursion or other problems. An example is overriding the + <varname>lib</varname> argument, because <varname>lib</varname> itself is used + to define <literal>_module.args</literal>, which makes using + <literal>_module.args</literal> to define it impossible. + </para></listitem> + <listitem><para> + <replaceable>shorthandOnlyDefinesConfig</replaceable> + Whether definitions of this type should default to the <literal>config</literal> + section of a module (see <xref linkend='ex-module-syntax'/>) if it is an attribute + set. Enabling this only has a benefit when the submodule defines an option named + <literal>config</literal> or <literal>options</literal>. In such a case it would + allow the option to be set with <literal>the-submodule.config = "value"</literal> + instead of requiring <literal>the-submodule.config.config = "value"</literal>. + This is because only when modules <emphasis>don't</emphasis> set the + <literal>config</literal> or <literal>options</literal> keys, all keys are interpreted + as option definitions in the <literal>config</literal> section. Enabling this option + implicitly puts all attributes in the <literal>config</literal> section. + </para> + <para> + With this option enabled, defining a non-<literal>config</literal> section requires + using a function: <literal>the-submodule = { ... }: { options = { ... }; }</literal>. + </para></listitem> + </itemizedlist> + </para> + </listitem> + </varlistentry> </variablelist> </section> diff --git a/nixpkgs/nixos/doc/manual/development/releases.xml b/nixpkgs/nixos/doc/manual/development/releases.xml index 1cdec64f69b0..9371af9984d1 100755 --- a/nixpkgs/nixos/doc/manual/development/releases.xml +++ b/nixpkgs/nixos/doc/manual/development/releases.xml @@ -45,12 +45,12 @@ <listitem> <para> <literal>git tag -a -s -m "Release 17.09-beta" 17.09-beta - && git push --tags</literal> + && git push origin 17.09-beta</literal> </para> </listitem> <listitem> <para> - From the master branch run <literal>git checkout -B + From the master branch run <literal>git checkout -b release-17.09</literal>. </para> </listitem> @@ -157,7 +157,7 @@ <listitem> <para> Release Nix (currently only Eelco Dolstra can do that). - <link xlink:href="https://github.com/NixOS/nixpkgs/commit/53710c752a85f00658882531bc90a23a3d1287e4"> + <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/installer/tools/nix-fallback-paths.nix"> Make sure fallback is updated. </link> </para> </listitem> @@ -169,8 +169,8 @@ </listitem> <listitem> <para> - Change <literal>stableBranch</literal> to true and wait for channel to - update. + Change <literal>stableBranch</literal> to <literal>true</literal> in Hydra and wait for + the channel to update. </para> </listitem> </itemizedlist> @@ -193,9 +193,11 @@ </listitem> <listitem> <para> - Update http://nixos.org/nixos/download.html and - http://nixos.org/nixos/manual in - https://github.com/NixOS/nixos-org-configurations + Update the + <link xlink:href="https://github.com/NixOS/nixos-homepage/commit/2a37975d5a617ecdfca94696242b6f32ffcba9f1"><code>NIXOS_SERIES</code></link> + in the + <link xlink:href="https://github.com/NixOS/nixos-homepage">nixos-homepage</link> + repository. </para> </listitem> <listitem> @@ -212,7 +214,8 @@ </listitem> <listitem> <para> - Send an email to nix-dev to announce the release with above information. + Create a new topic on <link xlink:href="https://discourse.nixos.org/">the + Discourse instance</link> to announce the release with the above information. Best to check how previous email was formulated to see what needs to be included. </para> diff --git a/nixpkgs/nixos/doc/manual/development/replace-modules.xml b/nixpkgs/nixos/doc/manual/development/replace-modules.xml index 7b103c36d907..b4a466e22942 100644 --- a/nixpkgs/nixos/doc/manual/development/replace-modules.xml +++ b/nixpkgs/nixos/doc/manual/development/replace-modules.xml @@ -6,8 +6,8 @@ <title>Replace Modules</title> <para> - Modules that are imported can also be disabled. The option declarations and - config implementation of a disabled module will be ignored, allowing another + Modules that are imported can also be disabled. The option declarations, + config implementation and the imports of a disabled module will be ignored, allowing another to take it's place. This can be used to import a set of modules from another channel while keeping the rest of the system on a stable release. </para> diff --git a/nixpkgs/nixos/doc/manual/development/running-nixos-tests-interactively.xml b/nixpkgs/nixos/doc/manual/development/running-nixos-tests-interactively.xml index e390d62fde2f..31216874c706 100644 --- a/nixpkgs/nixos/doc/manual/development/running-nixos-tests-interactively.xml +++ b/nixpkgs/nixos/doc/manual/development/running-nixos-tests-interactively.xml @@ -2,7 +2,7 @@ xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" - xml:id="sec-running-nixos-tests"> + xml:id="sec-running-nixos-tests-interactively"> <title>Running Tests interactively</title> <para> @@ -14,14 +14,14 @@ starting VDE switch for network 1 <prompt>></prompt> </screen> - You can then take any Perl statement, e.g. + You can then take any Python statement, e.g. <screen> -<prompt>></prompt> startAll -<prompt>></prompt> testScript -<prompt>></prompt> $machine->succeed("touch /tmp/foo") -<prompt>></prompt> print($machine->succeed("pwd")) # Show stdout of command +<prompt>></prompt> start_all() +<prompt>></prompt> test_script() +<prompt>></prompt> machine.succeed("touch /tmp/foo") +<prompt>></prompt> print(machine.succeed("pwd")) # Show stdout of command </screen> - The function <command>testScript</command> executes the entire test script + The function <command>test_script</command> executes the entire test script and drops you back into the test driver command line upon its completion. This allows you to inspect the state of the VMs after the test (e.g. to debug the test script). diff --git a/nixpkgs/nixos/doc/manual/development/running-nixos-tests.xml b/nixpkgs/nixos/doc/manual/development/running-nixos-tests.xml index 13ae1ed93699..e9257c907daf 100644 --- a/nixpkgs/nixos/doc/manual/development/running-nixos-tests.xml +++ b/nixpkgs/nixos/doc/manual/development/running-nixos-tests.xml @@ -2,7 +2,7 @@ xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" - xml:id="sec-running-nixos-tests-interactively"> + xml:id="sec-running-nixos-tests"> <title>Running Tests</title> <para> diff --git a/nixpkgs/nixos/doc/manual/development/sources.xml b/nixpkgs/nixos/doc/manual/development/sources.xml index 3c30c782746d..b333ccabb420 100644 --- a/nixpkgs/nixos/doc/manual/development/sources.xml +++ b/nixpkgs/nixos/doc/manual/development/sources.xml @@ -13,17 +13,16 @@ <screen> <prompt>$ </prompt>git clone https://github.com/NixOS/nixpkgs <prompt>$ </prompt>cd nixpkgs -<prompt>$ </prompt>git remote add channels https://github.com/NixOS/nixpkgs-channels -<prompt>$ </prompt>git remote update channels +<prompt>$ </prompt>git remote update origin </screen> This will check out the latest Nixpkgs sources to <filename>./nixpkgs</filename> the NixOS sources to <filename>./nixpkgs/nixos</filename>. (The NixOS source tree lives in a - subdirectory of the Nixpkgs repository.) The remote - <literal>channels</literal> refers to a read-only repository that tracks the - Nixpkgs/NixOS channels (see <xref linkend="sec-upgrading"/> for more + subdirectory of the Nixpkgs repository.) The + <literal>nixpkgs</literal> repository has branches that correspond + to each Nixpkgs/NixOS channel (see <xref linkend="sec-upgrading"/> for more information about channels). Thus, the Git branch - <literal>channels/nixos-17.03</literal> will contain the latest built and + <literal>origin/nixos-17.03</literal> will contain the latest built and tested version available in the <literal>nixos-17.03</literal> channel. </para> <para> @@ -40,15 +39,15 @@ Or, to base your local branch on the latest version available in a NixOS channel: <screen> -<prompt>$ </prompt>git remote update channels -<prompt>$ </prompt>git checkout -b local channels/nixos-17.03 +<prompt>$ </prompt>git remote update origin +<prompt>$ </prompt>git checkout -b local origin/nixos-17.03 </screen> (Replace <literal>nixos-17.03</literal> with the name of the channel you want to use.) You can use <command>git merge</command> or <command>git rebase</command> to keep your local branch in sync with the channel, e.g. <screen> -<prompt>$ </prompt>git remote update channels -<prompt>$ </prompt>git merge channels/nixos-17.03 +<prompt>$ </prompt>git remote update origin +<prompt>$ </prompt>git merge origin/nixos-17.03 </screen> You can use <command>git cherry-pick</command> to copy commits from your local branch to the upstream branch. diff --git a/nixpkgs/nixos/doc/manual/development/writing-nixos-tests.xml b/nixpkgs/nixos/doc/manual/development/writing-nixos-tests.xml index 6be2d0a4d231..e5a887c18c77 100644 --- a/nixpkgs/nixos/doc/manual/development/writing-nixos-tests.xml +++ b/nixpkgs/nixos/doc/manual/development/writing-nixos-tests.xml @@ -8,7 +8,7 @@ <para> A NixOS test is a Nix expression that has the following structure: <programlisting> -import ./make-test.nix { +import ./make-test-python.nix { # Either the configuration of a single machine: machine = @@ -27,11 +27,11 @@ import ./make-test.nix { testScript = '' - <replaceable>Perl code…</replaceable> + <replaceable>Python code…</replaceable> ''; } </programlisting> - The attribute <literal>testScript</literal> is a bit of Perl code that + The attribute <literal>testScript</literal> is a bit of Python code that executes the test (described below). During the test, it will start one or more virtual machines, the configuration of which is described by the attribute <literal>machine</literal> (if you need only one machine in your @@ -96,26 +96,27 @@ xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualis </para> <para> - The test script is a sequence of Perl statements that perform various + The test script is a sequence of Python statements that perform various actions, such as starting VMs, executing commands in the VMs, and so on. Each virtual machine is represented as an object stored in the variable - <literal>$<replaceable>name</replaceable></literal>, where - <replaceable>name</replaceable> is the identifier of the machine (which is - just <literal>machine</literal> if you didn’t specify multiple machines - using the <literal>nodes</literal> attribute). For instance, the following - starts the machine, waits until it has finished booting, then executes a - command and checks that the output is more-or-less correct: + <literal><replaceable>name</replaceable></literal> if this is also the + identifier of the machine in the declarative config. + If you didn't specify multiple machines using the <literal>nodes</literal> + attribute, it is just <literal>machine</literal>. + The following example starts the machine, waits until it has finished booting, + then executes a command and checks that the output is more-or-less correct: <programlisting> -$machine->start; -$machine->waitForUnit("default.target"); -$machine->succeed("uname") =~ /Linux/ or die; +machine.start() +machine.wait_for_unit("default.target") +if not "Linux" in machine.succeed("uname"): + raise Exception("Wrong OS") </programlisting> The first line is actually unnecessary; machines are implicitly started when - you first execute an action on them (such as <literal>waitForUnit</literal> + you first execute an action on them (such as <literal>wait_for_unit</literal> or <literal>succeed</literal>). If you have multiple machines, you can speed up the test by starting them in parallel: <programlisting> -startAll; +start_all() </programlisting> </para> @@ -187,7 +188,7 @@ startAll; </varlistentry> <varlistentry> <term> - <methodname>getScreenText</methodname> + <methodname>get_screen_text</methodname> </term> <listitem> <para> @@ -204,7 +205,7 @@ startAll; </varlistentry> <varlistentry> <term> - <methodname>sendMonitorCommand</methodname> + <methodname>send_monitor_command</methodname> </term> <listitem> <para> @@ -215,23 +216,23 @@ startAll; </varlistentry> <varlistentry> <term> - <methodname>sendKeys</methodname> + <methodname>send_keys</methodname> </term> <listitem> <para> Simulate pressing keys on the virtual keyboard, e.g., - <literal>sendKeys("ctrl-alt-delete")</literal>. + <literal>send_keys("ctrl-alt-delete")</literal>. </para> </listitem> </varlistentry> <varlistentry> <term> - <methodname>sendChars</methodname> + <methodname>send_chars</methodname> </term> <listitem> <para> Simulate typing a sequence of characters on the virtual keyboard, e.g., - <literal>sendKeys("foobar\n")</literal> will type the string + <literal>send_keys("foobar\n")</literal> will type the string <literal>foobar</literal> followed by the Enter key. </para> </listitem> @@ -272,7 +273,7 @@ startAll; </varlistentry> <varlistentry> <term> - <methodname>waitUntilSucceeds</methodname> + <methodname>wait_until_succeeds</methodname> </term> <listitem> <para> @@ -282,7 +283,7 @@ startAll; </varlistentry> <varlistentry> <term> - <methodname>waitUntilFails</methodname> + <methodname>wait_until_fails</methodname> </term> <listitem> <para> @@ -292,7 +293,7 @@ startAll; </varlistentry> <varlistentry> <term> - <methodname>waitForUnit</methodname> + <methodname>wait_for_unit</methodname> </term> <listitem> <para> @@ -302,7 +303,7 @@ startAll; </varlistentry> <varlistentry> <term> - <methodname>waitForFile</methodname> + <methodname>wait_for_file</methodname> </term> <listitem> <para> @@ -312,7 +313,7 @@ startAll; </varlistentry> <varlistentry> <term> - <methodname>waitForOpenPort</methodname> + <methodname>wait_for_open_port</methodname> </term> <listitem> <para> @@ -323,7 +324,7 @@ startAll; </varlistentry> <varlistentry> <term> - <methodname>waitForClosedPort</methodname> + <methodname>wait_for_closed_port</methodname> </term> <listitem> <para> @@ -333,7 +334,7 @@ startAll; </varlistentry> <varlistentry> <term> - <methodname>waitForX</methodname> + <methodname>wait_for_x</methodname> </term> <listitem> <para> @@ -343,13 +344,13 @@ startAll; </varlistentry> <varlistentry> <term> - <methodname>waitForText</methodname> + <methodname>wait_for_text</methodname> </term> <listitem> <para> Wait until the supplied regular expressions matches the textual contents of the screen by using optical character recognition (see - <methodname>getScreenText</methodname>). + <methodname>get_screen_text</methodname>). </para> <note> <para> @@ -361,23 +362,23 @@ startAll; </varlistentry> <varlistentry> <term> - <methodname>waitForWindow</methodname> + <methodname>wait_for_window</methodname> </term> <listitem> <para> Wait until an X11 window has appeared whose name matches the given - regular expression, e.g., <literal>waitForWindow(qr/Terminal/)</literal>. + regular expression, e.g., <literal>wait_for_window("Terminal")</literal>. </para> </listitem> </varlistentry> <varlistentry> <term> - <methodname>copyFileFromHost</methodname> + <methodname>copy_file_from_host</methodname> </term> <listitem> <para> Copies a file from host to machine, e.g., - <literal>copyFileFromHost("myfile", "/etc/my/important/file")</literal>. + <literal>copy_file_from_host("myfile", "/etc/my/important/file")</literal>. </para> <para> The first argument is the file on the host. The file needs to be @@ -397,8 +398,8 @@ startAll; </para> <para> <programlisting> -$machine->systemctl("list-jobs --no-pager"); // runs `systemctl list-jobs --no-pager` -$machine->systemctl("list-jobs --no-pager", "any-user"); // spawns a shell for `any-user` and runs `systemctl --user list-jobs --no-pager` +machine.systemctl("list-jobs --no-pager") # runs `systemctl list-jobs --no-pager` +machine.systemctl("list-jobs --no-pager", "any-user") # spawns a shell for `any-user` and runs `systemctl --user list-jobs --no-pager` </programlisting> </para> </listitem> @@ -408,14 +409,33 @@ $machine->systemctl("list-jobs --no-pager", "any-user"); // spawns a shell for ` <para> To test user units declared by <literal>systemd.user.services</literal> the - optional <literal>$user</literal> argument can be used: + optional <literal>user</literal> argument can be used: <programlisting> -$machine->start; -$machine->waitForX; -$machine->waitForUnit("xautolock.service", "x-session-user"); +machine.start() +machine.wait_for_x() +machine.wait_for_unit("xautolock.service", "x-session-user") +</programlisting> + This applies to <literal>systemctl</literal>, <literal>get_unit_info</literal>, + <literal>wait_for_unit</literal>, <literal>start_job</literal> and + <literal>stop_job</literal>. + </para> + + <para> + For faster dev cycles it's also possible to disable the code-linters (this shouldn't + be commited though): +<programlisting> +import ./make-test-python.nix { + skipLint = true; + machine = + { config, pkgs, ... }: + { <replaceable>configuration…</replaceable> + }; + + testScript = + '' + <replaceable>Python code…</replaceable> + ''; +} </programlisting> - This applies to <literal>systemctl</literal>, <literal>getUnitInfo</literal>, - <literal>waitForUnit</literal>, <literal>startJob</literal> and - <literal>stopJob</literal>. </para> </section> diff --git a/nixpkgs/nixos/doc/manual/installation/installing-virtualbox-guest.xml b/nixpkgs/nixos/doc/manual/installation/installing-virtualbox-guest.xml index 5c86eacfbf45..0ba909fa953f 100644 --- a/nixpkgs/nixos/doc/manual/installation/installing-virtualbox-guest.xml +++ b/nixpkgs/nixos/doc/manual/installation/installing-virtualbox-guest.xml @@ -49,6 +49,11 @@ </listitem> <listitem> <para> + Click on Settings / Display / Screen and select VBoxVGA as Graphics Controller + </para> + </listitem> + <listitem> + <para> Save the settings, start the virtual machine, and continue installation like normal </para> diff --git a/nixpkgs/nixos/doc/manual/installation/installing.xml b/nixpkgs/nixos/doc/manual/installation/installing.xml index f1e1568c0349..4041b4ad163a 100644 --- a/nixpkgs/nixos/doc/manual/installation/installing.xml +++ b/nixpkgs/nixos/doc/manual/installation/installing.xml @@ -68,7 +68,7 @@ If you would like to continue the installation from a different machine you need to activate the SSH daemon via <command>systemctl start sshd</command>. You then must set a password for either <literal>root</literal> or - <literal>nixos</literal> with <command>passwd></command> to be able to login. + <literal>nixos</literal> with <command>passwd</command> to be able to login. </para> </section> </section> @@ -380,7 +380,10 @@ </para> <para> If you need to configure networking for your machine the configuration - options are described in <xref linkend="sec-networking"/>. + options are described in <xref linkend="sec-networking"/>. In particular, + while wifi is supported on the installation image, it is not enabled by + default in the configuration generated by + <command>nixos-generate-config</command>. </para> <para> Another critical option is <option>fileSystems</option>, specifying the @@ -392,11 +395,11 @@ <filename>hardware-configuration.nix</filename> is included from <filename>configuration.nix</filename> and will be overwritten by future invocations of <command>nixos-generate-config</command>; thus, you - generally should not modify it.) Additionally, you may want to look at + generally should not modify it.) Additionally, you may want to look at <link xlink:href="https://github.com/NixOS/nixos-hardware">Hardware configuration for known-hardware</link> at this point or after installation. - + </para> <note> <para> @@ -418,11 +421,11 @@ Do the installation: <screen> <prompt># </prompt>nixos-install</screen> - Cross fingers. If this fails due to a temporary problem (such as a network - issue while downloading binaries from the NixOS binary cache), you can - just re-run <command>nixos-install</command>. Otherwise, fix your - <filename>configuration.nix</filename> and then re-run - <command>nixos-install</command>. + This will install your system based on the configuration you provided. + If anything fails due to a configuration problem or any other issue + (such as a network outage while downloading binaries from the NixOS + binary cache), you can re-run <command>nixos-install</command> after + fixing your <filename>configuration.nix</filename>. </para> <para> As the last step, <command>nixos-install</command> will ask you to set the @@ -475,7 +478,7 @@ Retype new UNIX password: ***</screen> shows what packages are available, and <screen> <prompt>$ </prompt>nix-env -f '<nixpkgs>' -iA w3m</screen> - install the <literal>w3m</literal> browser. + installs the <literal>w3m</literal> browser. </para> </listitem> </orderedlist> diff --git a/nixpkgs/nixos/doc/manual/installation/upgrading.xml b/nixpkgs/nixos/doc/manual/installation/upgrading.xml index 35b4d266e12e..8d3f35b7c26f 100644 --- a/nixpkgs/nixos/doc/manual/installation/upgrading.xml +++ b/nixpkgs/nixos/doc/manual/installation/upgrading.xml @@ -14,7 +14,7 @@ <para> <emphasis>Stable channels</emphasis>, such as <literal - xlink:href="https://nixos.org/channels/nixos-19.03">nixos-19.03</literal>. + xlink:href="https://nixos.org/channels/nixos-19.09">nixos-19.09</literal>. These only get conservative bug fixes and package upgrades. For instance, a channel update may cause the Linux kernel on your system to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix), but not from @@ -38,7 +38,7 @@ <para> <emphasis>Small channels</emphasis>, such as <literal - xlink:href="https://nixos.org/channels/nixos-19.03-small">nixos-19.03-small</literal> + xlink:href="https://nixos.org/channels/nixos-19.09-small">nixos-19.09-small</literal> or <literal xlink:href="https://nixos.org/channels/nixos-unstable-small">nixos-unstable-small</literal>. @@ -63,8 +63,8 @@ <para> When you first install NixOS, you’re automatically subscribed to the NixOS channel that corresponds to your installation source. For instance, if you - installed from a 19.03 ISO, you will be subscribed to the - <literal>nixos-19.03</literal> channel. To see which NixOS channel you’re + installed from a 19.09 ISO, you will be subscribed to the + <literal>nixos-19.09</literal> channel. To see which NixOS channel you’re subscribed to, run the following as root: <screen> # nix-channel --list | grep nixos @@ -75,13 +75,13 @@ nixos https://nixos.org/channels/nixos-unstable # nix-channel --add https://nixos.org/channels/<replaceable>channel-name</replaceable> nixos </screen> (Be sure to include the <literal>nixos</literal> parameter at the end.) For - instance, to use the NixOS 19.03 stable channel: + instance, to use the NixOS 19.09 stable channel: <screen> -# nix-channel --add https://nixos.org/channels/nixos-19.03 nixos +# nix-channel --add https://nixos.org/channels/nixos-19.09 nixos </screen> If you have a server, you may want to use the “small” channel instead: <screen> -# nix-channel --add https://nixos.org/channels/nixos-19.03-small nixos +# nix-channel --add https://nixos.org/channels/nixos-19.09-small nixos </screen> And if you want to live on the bleeding edge: <screen> @@ -127,7 +127,7 @@ nixos https://nixos.org/channels/nixos-unstable current channel. (To see when the service runs, see <command>systemctl list-timers</command>.) You can also specify a channel explicitly, e.g. <programlisting> -<xref linkend="opt-system.autoUpgrade.channel"/> = https://nixos.org/channels/nixos-19.03; +<xref linkend="opt-system.autoUpgrade.channel"/> = https://nixos.org/channels/nixos-19.09; </programlisting> </para> </section> diff --git a/nixpkgs/nixos/doc/manual/man-configuration.xml b/nixpkgs/nixos/doc/manual/man-configuration.xml index 9f30b7925101..ddb1408fdcf5 100644 --- a/nixpkgs/nixos/doc/manual/man-configuration.xml +++ b/nixpkgs/nixos/doc/manual/man-configuration.xml @@ -8,8 +8,8 @@ <!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> --> </refmeta> <refnamediv> - <refname><filename>configuration.nix</filename> - </refname><refpurpose>NixOS system configuration specification</refpurpose> + <refname><filename>configuration.nix</filename></refname> + <refpurpose>NixOS system configuration specification</refpurpose> </refnamediv> <refsection> <title>Description</title> diff --git a/nixpkgs/nixos/doc/manual/man-nixos-build-vms.xml b/nixpkgs/nixos/doc/manual/man-nixos-build-vms.xml index 7d6e04e0dd90..d114261f53be 100644 --- a/nixpkgs/nixos/doc/manual/man-nixos-build-vms.xml +++ b/nixpkgs/nixos/doc/manual/man-nixos-build-vms.xml @@ -8,8 +8,8 @@ <!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> --> </refmeta> <refnamediv> - <refname><command>nixos-build-vms</command> - </refname><refpurpose>build a network of virtual machines from a network of NixOS configurations</refpurpose> + <refname><command>nixos-build-vms</command></refname> + <refpurpose>build a network of virtual machines from a network of NixOS configurations</refpurpose> </refnamediv> <refsynopsisdiv> <cmdsynopsis> diff --git a/nixpkgs/nixos/doc/manual/man-nixos-enter.xml b/nixpkgs/nixos/doc/manual/man-nixos-enter.xml index 1481db467122..fe560d3efdd8 100644 --- a/nixpkgs/nixos/doc/manual/man-nixos-enter.xml +++ b/nixpkgs/nixos/doc/manual/man-nixos-enter.xml @@ -8,8 +8,8 @@ <!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> --> </refmeta> <refnamediv> - <refname><command>nixos-enter</command> - </refname><refpurpose>run a command in a NixOS chroot environment</refpurpose> + <refname><command>nixos-enter</command></refname> + <refpurpose>run a command in a NixOS chroot environment</refpurpose> </refnamediv> <refsynopsisdiv> <cmdsynopsis> diff --git a/nixpkgs/nixos/doc/manual/man-nixos-generate-config.xml b/nixpkgs/nixos/doc/manual/man-nixos-generate-config.xml index 61531a8f01ca..9ac3b918ff69 100644 --- a/nixpkgs/nixos/doc/manual/man-nixos-generate-config.xml +++ b/nixpkgs/nixos/doc/manual/man-nixos-generate-config.xml @@ -8,8 +8,8 @@ <!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> --> </refmeta> <refnamediv> - <refname><command>nixos-generate-config</command> - </refname><refpurpose>generate NixOS configuration modules</refpurpose> + <refname><command>nixos-generate-config</command></refname> + <refpurpose>generate NixOS configuration modules</refpurpose> </refnamediv> <refsynopsisdiv> <cmdsynopsis> diff --git a/nixpkgs/nixos/doc/manual/man-nixos-install.xml b/nixpkgs/nixos/doc/manual/man-nixos-install.xml index 4fb94ee7494c..0752c397182f 100644 --- a/nixpkgs/nixos/doc/manual/man-nixos-install.xml +++ b/nixpkgs/nixos/doc/manual/man-nixos-install.xml @@ -8,13 +8,33 @@ <!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> --> </refmeta> <refnamediv> - <refname><command>nixos-install</command> - </refname><refpurpose>install bootloader and NixOS</refpurpose> + <refname><command>nixos-install</command></refname> + <refpurpose>install bootloader and NixOS</refpurpose> </refnamediv> <refsynopsisdiv> <cmdsynopsis> <command>nixos-install</command> <arg> + <group choice='req'> + <arg choice='plain'> + <option>--verbose</option> + </arg> + <arg choice='plain'> + <option>-v</option> + </arg> + </group> + </arg> + <arg> + <group choice='req'> + <arg choice='plain'> + <option>--print-build-logs</option> + </arg> + <arg choice='plain'> + <option>-L</option> + </arg> + </group> + </arg> + <arg> <arg choice='plain'> <option>-I</option> </arg> @@ -36,6 +56,13 @@ </arg> <arg> + <arg choice='plain'> + <option>--channel</option> + </arg> + <replaceable>channel</replaceable> + </arg> + + <arg> <arg choice='plain'> <option>--no-channel-copy</option> </arg> @@ -107,6 +134,12 @@ </para> </listitem> <listitem> + <para> + It installs the current channel <quote>nixos</quote> in the target channel + profile (unless <option>--no-channel-copy</option> is specified). + </para> + </listitem> + <listitem> <para> It installs the GRUB boot loader on the device specified in the option <option>boot.loader.grub.device</option> (unless @@ -135,6 +168,23 @@ </para> <variablelist> <varlistentry> + <term><option>--verbose</option> / <option>-v</option></term> + <listitem> + <para>Increases the level of verbosity of diagnostic messages + printed on standard error. For each Nix operation, the information + printed on standard output is well-defined; any diagnostic + information is printed on standard error, never on standard + output.</para> + <para>Please note that this option may be specified repeatedly.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>--print-build-logs</option> / <option>-L</option></term> + <listitem> + <para>Print the full build logs of <command>nix build</command> to stderr.</para> + </listitem> + </varlistentry> + <varlistentry> <term> <option>--root</option> </term> @@ -166,6 +216,18 @@ </listitem> </varlistentry> <varlistentry> + <term> + <option>--channel</option> + </term> + <listitem> + <para> + If this option is provided, do not copy the current + <quote>nixos</quote> channel to the target host. Instead, use the + specified derivation. + </para> + </listitem> + </varlistentry> + <varlistentry> <term> <option>-I</option> </term> diff --git a/nixpkgs/nixos/doc/manual/man-nixos-option.xml b/nixpkgs/nixos/doc/manual/man-nixos-option.xml index 3e316e10d4eb..b82f31256099 100644 --- a/nixpkgs/nixos/doc/manual/man-nixos-option.xml +++ b/nixpkgs/nixos/doc/manual/man-nixos-option.xml @@ -8,8 +8,8 @@ <!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> --> </refmeta> <refnamediv> - <refname><command>nixos-option</command> - </refname><refpurpose>inspect a NixOS configuration</refpurpose> + <refname><command>nixos-option</command></refname> + <refpurpose>inspect a NixOS configuration</refpurpose> </refnamediv> <refsynopsisdiv> <cmdsynopsis> @@ -19,14 +19,10 @@ </arg> <arg> - <option>--verbose</option> + <option>--all</option> </arg> <arg> - <option>--xml</option> - </arg> - - <arg choice="plain"> <replaceable>option.name</replaceable> </arg> </cmdsynopsis> @@ -62,22 +58,11 @@ </varlistentry> <varlistentry> <term> - <option>--verbose</option> - </term> - <listitem> - <para> - This option enables verbose mode, which currently is just the Bash - <command>set</command> <option>-x</option> debug mode. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>--xml</option> + <option>--all</option> </term> <listitem> <para> - This option causes the output to be rendered as XML. + Print the values of all options. </para> </listitem> </varlistentry> @@ -134,4 +119,13 @@ Defined by: bug, please report to Nicolas Pierron. </para> </refsection> + <refsection> + <title>See also</title> + <para> + <citerefentry> + <refentrytitle>configuration.nix</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> + </para> + </refsection> </refentry> diff --git a/nixpkgs/nixos/doc/manual/man-nixos-rebuild.xml b/nixpkgs/nixos/doc/manual/man-nixos-rebuild.xml index a83c4fb965eb..495dbc8859b1 100644 --- a/nixpkgs/nixos/doc/manual/man-nixos-rebuild.xml +++ b/nixpkgs/nixos/doc/manual/man-nixos-rebuild.xml @@ -9,8 +9,8 @@ </refmeta> <refnamediv> - <refname><command>nixos-rebuild</command> - </refname><refpurpose>reconfigure a NixOS machine</refpurpose> + <refname><command>nixos-rebuild</command></refname> + <refpurpose>reconfigure a NixOS machine</refpurpose> </refnamediv> <refsynopsisdiv> @@ -494,6 +494,20 @@ </para> </listitem> </varlistentry> + + <varlistentry> + <term> + <option>--use-remote-sudo</option> + </term> + <listitem> + <para> + When set, nixos-rebuild prefixes remote commands that run on + the <option>--build-host</option> and <option>--target-host</option> + systems with <command>sudo</command>. Setting this option allows + deploying as a non-root user. + </para> + </listitem> + </varlistentry> </variablelist> <para> diff --git a/nixpkgs/nixos/doc/manual/man-nixos-version.xml b/nixpkgs/nixos/doc/manual/man-nixos-version.xml index 931c4a5ad029..e9ad8bddcace 100644 --- a/nixpkgs/nixos/doc/manual/man-nixos-version.xml +++ b/nixpkgs/nixos/doc/manual/man-nixos-version.xml @@ -7,8 +7,8 @@ <refmiscinfo class="source">NixOS</refmiscinfo> </refmeta> <refnamediv> - <refname><command>nixos-version</command> - </refname><refpurpose>show the NixOS version</refpurpose> + <refname><command>nixos-version</command></refname> + <refpurpose>show the NixOS version</refpurpose> </refnamediv> <refsynopsisdiv> <cmdsynopsis> diff --git a/nixpkgs/nixos/doc/manual/manual.xml b/nixpkgs/nixos/doc/manual/manual.xml index 12f52e1997c8..18a67a2dd941 100644 --- a/nixpkgs/nixos/doc/manual/manual.xml +++ b/nixpkgs/nixos/doc/manual/manual.xml @@ -8,32 +8,7 @@ <subtitle>Version <xi:include href="./generated/version" parse="text" /> </subtitle> </info> - <preface xml:id="preface"> - <title>Preface</title> - <para> - This manual describes how to install, use and extend NixOS, a Linux - distribution based on the purely functional package management system Nix. - </para> - <para> - If you encounter problems, please report them on the - <literal - xlink:href="https://discourse.nixos.org">Discourse</literal> or - on the <link - xlink:href="irc://irc.freenode.net/#nixos"> - <literal>#nixos</literal> channel on Freenode</link>. Bugs should be - reported in - <link - xlink:href="https://github.com/NixOS/nixpkgs/issues">NixOS’ - GitHub issue tracker</link>. - </para> - <note> - <para> - Commands prefixed with <literal>#</literal> have to be run as root, either - requiring to login as root user or temporarily switching to it using - <literal>sudo</literal> for example. - </para> - </note> - </preface> + <xi:include href="preface.xml" /> <xi:include href="installation/installation.xml" /> <xi:include href="configuration/configuration.xml" /> <xi:include href="administration/running.xml" /> diff --git a/nixpkgs/nixos/doc/manual/preface.xml b/nixpkgs/nixos/doc/manual/preface.xml new file mode 100644 index 000000000000..6ac9ae7e7861 --- /dev/null +++ b/nixpkgs/nixos/doc/manual/preface.xml @@ -0,0 +1,37 @@ +<preface xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xml:id="preface"> + <title>Preface</title> + <para> + This manual describes how to install, use and extend NixOS, a Linux + distribution based on the purely functional package management system + <link xlink:href="https://nixos.org/nix">Nix</link>, that is composed + using modules and packages defined in the + <link xlink:href="https://nixos.org/nixpkgs">Nixpkgs</link> project. + </para> + <para> + Additional information regarding the Nix package manager and the Nixpkgs + project can be found in respectively the + <link xlink:href="https://nixos.org/nix/manual">Nix manual</link> and the + <link xlink:href="https://nixos.org/nixpkgs/manual">Nixpkgs manual</link>. + </para> + <para> + If you encounter problems, please report them on the + <literal + xlink:href="https://discourse.nixos.org">Discourse</literal> or + on the <link + xlink:href="irc://irc.freenode.net/#nixos"> + <literal>#nixos</literal> channel on Freenode</link>. Bugs should be + reported in + <link + xlink:href="https://github.com/NixOS/nixpkgs/issues">NixOS’ + GitHub issue tracker</link>. + </para> + <note> + <para> + Commands prefixed with <literal>#</literal> have to be run as root, either + requiring to login as root user or temporarily switching to it using + <literal>sudo</literal> for example. + </para> + </note> +</preface> diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml index e4dcc90cdd30..4102fe206e19 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml @@ -3,7 +3,7 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-19.09"> - <title>Release 19.09 (“Loris”, 2019/09/??)</title> + <title>Release 19.09 (“Loris”, 2019/10/09)</title> <section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" @@ -25,6 +25,26 @@ </listitem> <listitem> <para> + Nix has been updated to 2.3; see its + <link xlink:href="https://nixos.org/nix/manual/#ssec-relnotes-2.3">release + notes</link>. + </para> + </listitem> + <listitem> + <para>Core version changes:</para> + <para>systemd: 239 -> 243</para> + <para>gcc: 7 -> 8</para> + <para>glibc: 2.27 (unchanged)</para> + <para>linux: 4.19 LTS (unchanged)</para> + <para>openssl: 1.0 -> 1.1</para> + </listitem> + <listitem> + <para>Desktop version changes:</para> + <para>plasma5: 5.14 -> 5.16</para> + <para>gnome3: 3.30 -> 3.32</para> + </listitem> + <listitem> + <para> PHP now defaults to PHP 7.3, updated from 7.2. </para> </listitem> @@ -170,6 +190,13 @@ </listitem> </itemizedlist> </listitem> + <listitem> + <para> + <xref linkend="opt-services.blueman.enable"/> has been added. + If you previously had blueman installed via <option>environment.systemPackages</option> please + migrate to using the NixOS module, as this would result in an insufficiently configured blueman. + </para> + </listitem> </itemizedlist> </section> @@ -513,6 +540,57 @@ must be owned by either <literal>root</literal> or the user specified in <option>services.gitlab.user</option>. </para> </listitem> + <listitem> + <para> + The <option>networking.useDHCP</option> option is unsupported in combination with + <option>networking.useNetworkd</option> in anticipation of defaulting to it. + It has to be set to <literal>false</literal> and enabled per + interface with <option>networking.interfaces.<name>.useDHCP = true;</option> + </para> + </listitem> + <listitem> + <para> + The Twitter client <literal>corebird</literal> has been dropped as <link xlink:href="https://www.patreon.com/posts/corebirds-future-18921328">it is discontinued and does not work against the new Twitter API</link>. + Please use the fork <literal>cawbird</literal> instead which has been adapted to the API changes and is still maintained. + </para> + </listitem> + <listitem> + <para> + The <literal>nodejs-11_x</literal> package has been removed as it's EOLed by upstream. + </para> + </listitem> + <listitem> + <para> + Because of the systemd upgrade, + <application>systemd-timesyncd</application> will no longer work if + <option>system.stateVersion</option> is not set correctly. When + upgrading from NixOS 19.03, please make sure that + <option>system.stateVersion</option> is set to + <literal>"19.03"</literal>, or lower if the installation dates back to an + earlier version of NixOS. + </para> + </listitem> + <listitem> + <para> + Due to the short lifetime of non-LTS kernel releases package attributes like <literal>linux_5_1</literal>, + <literal>linux_5_2</literal> and <literal>linux_5_3</literal> have been removed to discourage dependence + on specific non-LTS kernel versions in stable NixOS releases. + + Going forward, versioned attributes like <literal>linux_4_9</literal> will exist for LTS versions only. + Please use <literal>linux_latest</literal> or <literal>linux_testing</literal> if you depend on non-LTS + releases. Keep in mind that <literal>linux_latest</literal> and <literal>linux_testing</literal> will + change versions under the hood during the lifetime of a stable release and might include breaking changes. + </para> + </listitem> + <listitem> + <para> + Because of the systemd upgrade, + some network interfaces might change their name. For details see + <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.net-naming-scheme.html#History"> + upstream docs</link> or <link xlink:href="https://github.com/NixOS/nixpkgs/issues/71086"> + our ticket</link>. + </para> + </listitem> </itemizedlist> </section> @@ -711,7 +789,7 @@ </para> </listitem> </itemizedlist> - This also configures the kernel to pass coredumps to <literal>systemd-coredump</literal>, + This also configures the kernel to pass core dumps to <literal>systemd-coredump</literal>, and restricts the SysRq key combinations to the sync command only. These sysctl snippets can be found in <literal>/etc/sysctl.d/50-*.conf</literal>, and overridden via <link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link> @@ -720,12 +798,15 @@ </listitem> <listitem> <para> - Coredumps are now acquired by <literal>systemd-coredump</literal> by default. - <literal>systemd-coredump</literal> behaviour can still be modified via - <option>systemd.coredump.extraConfig</option>. - To stick to the old behaviour (having the kernel dump to a file called <literal>core</literal> - in the working directory), without piping it through <literal>systemd-coredump</literal>, set - <option>boot.kernel.sysctl."kernel.core_pattern"</option> to <literal>"core"</literal>. + Core dumps are now processed by <literal>systemd-coredump</literal> + by default. <literal>systemd-coredump</literal> behaviour can + still be modified via + <option>systemd.coredump.extraConfig</option>. To stick to the + old behaviour (having the kernel dump to a file called + <literal>core</literal> in the working directory), without piping + it through <literal>systemd-coredump</literal>, set + <option>systemd.coredump.enable</option> to + <literal>false</literal>. </para> </listitem> <listitem> diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml index c84bc8dbb379..ca319dfea411 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml @@ -23,6 +23,51 @@ Support is planned until the end of October 2020, handing over to 20.09. </para> </listitem> + <listitem> + <para> + Postgresql for NixOS service now defaults to v11. + </para> + </listitem> + <listitem> + <para> + The graphical installer image starts the graphical session automatically. + Before you'd be greeted by a tty and asked to enter <command>systemctl start display-manager</command>. + It is now possible to disable the display-manager from running by selecting the <literal>Disable display-manager</literal> + quirk in the boot menu. + </para> + </listitem> + <listitem> + <para> + By default zfs pools will now be trimmed on a weekly basis. + Trimming is only done on supported devices (i.e. NVME or SSDs) + and should improve throughput and lifetime of these devices. + It is controlled by the <varname>services.zfs.trim.enable</varname> varname. + The zfs scrub service (<varname>services.zfs.autoScrub.enable</varname>) + and the zfs autosnapshot service (<varname>services.zfs.autoSnapshot.enable</varname>) + are now only enabled if zfs is set in <varname>config.boot.initrd.supportedFilesystems</varname> or + <varname>config.boot.supportedFilesystems</varname>. These lists will automatically contain + zfs as soon as any zfs mountpoint is configured in <varname>fileSystems</varname>. + </para> + </listitem> + <listitem> + <para> + <command>nixos-option</command> has been rewritten in C++, speeding it up, improving correctness, + and adding a <option>--all</option> option which prints all options and their values. + </para> + </listitem> + <listitem> + <para> + <option>services.xserver.desktopManager.default</option> and <option>services.xserver.windowManager.default</option> options were replaced by a single <xref linkend="opt-services.xserver.displayManager.defaultSession"/> option to improve support for upstream session files. If you used something like: +<programlisting> +services.xserver.desktopManager.default = "xfce"; +services.xserver.windowManager.default = "icewm"; +</programlisting> + you should change it to: +<programlisting> +services.xserver.displayManager.defaultSession = "xfce+icewm"; +</programlisting> + </para> + </listitem> </itemizedlist> </section> @@ -39,7 +84,17 @@ <itemizedlist> <listitem> - <para /> + <para> + The kubernetes kube-proxy now supports a new hostname configuration + <literal>services.kubernetes.proxy.hostname</literal> which has to + be set if the hostname of the node should be non default. + </para> + </listitem> + <listitem> + <para> + UPower's configuration is now managed by NixOS and can be customized + via <option>services.upower</option>. + </para> </listitem> </itemizedlist> @@ -59,7 +114,282 @@ <itemizedlist> <listitem> - <para /> + <para> + GnuPG is now built without support for a graphical passphrase entry + by default. Please enable the <literal>gpg-agent</literal> user service + via the NixOS option <literal>programs.gnupg.agent.enable</literal>. + Note that upstream recommends using <literal>gpg-agent</literal> and + will spawn a <literal>gpg-agent</literal> on the first invocation of + GnuPG anyway. + </para> + </listitem> + <listitem> + <para> + The <literal>dynamicHosts</literal> option has been removed from the + <link linkend="opt-networking.networkmanager.enable">networkd</link> + module. Allowing (multiple) regular users to override host entries + affecting the whole system opens up a huge attack vector. + There seem to be very rare cases where this might be useful. + Consider setting system-wide host entries using + <link linkend="opt-networking.hosts">networking.hosts</link>, provide + them via the DNS server in your network, or use + <link linkend="opt-environment.etc">environment.etc</link> + to add a file into <literal>/etc/NetworkManager/dnsmasq.d</literal> + reconfiguring <literal>hostsdir</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>99-main.network</literal> file was removed. Maching all + network interfaces caused many breakages, see + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18962">#18962</link> + and <link xlink:href="https://github.com/NixOS/nixpkgs/pull/71106">#71106</link>. + </para> + <para> + We already don't support the global <link linkend="opt-networking.useDHCP">networking.useDHCP</link>, + <link linkend="opt-networking.defaultGateway">networking.defaultGateway</link> and + <link linkend="opt-networking.defaultGateway6">networking.defaultGateway6</link> options + if <link linkend="opt-networking.useNetworkd">networking.useNetworkd</link> is enabled, + but direct users to configure the per-device + <link linkend="opt-networking.interfaces">networking.interfaces.<name>.…</link> options. + </para> + </listitem> + <listitem> + <para> + The stdenv now runs all bash with <literal>set -u</literal>, to catch the use of undefined variables. + Before, it itself used <literal>set -u</literal> but was careful to unset it so other packages' code ran as before. + Now, all bash code is held to the same high standard, and the rather complex stateful manipulation of the options can be discarded. + </para> + </listitem> + <listitem> + <para> + The SLIM Display Manager has been removed, as it has been unmaintained since 2013. + Consider migrating to a different display manager such as LightDM (current default in NixOS), + SDDM, GDM, or using the startx module which uses Xinitrc. + </para> + </listitem> + <listitem> + <para> + The BEAM package set has been deleted. You will only find there the different interpreters. + You should now use the different build tools coming with the languages with sandbox mode disabled. + </para> + </listitem> + <listitem> + <para> + There is now only one Xfce package-set and module. This means attributes, <literal>xfce4-14</literal> + <literal>xfce4-12</literal>, and <literal>xfceUnstable</literal> all now point to the latest Xfce 4.14 + packages. And in future NixOS releases will be the latest released version of Xfce available at the + time during the releases development (if viable). + </para> + </listitem> + <listitem> + <para> + The <link linkend="opt-services.phpfpm.pools">phpfpm</link> module now sets + <literal>PrivateTmp=true</literal> in its systemd units for better process isolation. + If you rely on <literal>/tmp</literal> being shared with other services, explicitly override this by + setting <literal>serviceConfig.PrivateTmp</literal> to <literal>false</literal> for each phpfpm unit. + </para> + </listitem> + <listitem> + <para> + KDE’s old multimedia framework Phonon no longer supports Qt 4. For that reason, Plasma desktop also does not have <option>enableQt4Support</option> option any more. + </para> + </listitem> + <listitem> + <para> + The BeeGFS module has been removed. + </para> + </listitem> + <listitem> + <para> + The osquery module has been removed. + </para> + </listitem> + <listitem> + <para> + Going forward, <literal>~/bin</literal> in the users home directory will no longer be in <literal>PATH</literal> by default. + If you depend on this you should set the option <literal>environment.homeBinInPath</literal> to <literal>true</literal>. + The aforementioned option was added this release. + </para> + </listitem> + <listitem> + <para> + The <literal>buildRustCrate</literal> infrastructure now produces <literal>lib</literal> outputs in addition to the <literal>out</literal> output. + This has led to drastically reduced closed sizes for some rust crates since development dependencies are now in the <literal>lib</literal> output. + </para> + </listitem> + <listitem> + <para> + Pango was upgraded to 1.44, which no longer uses freetype for font loading. This means that type1 + and bitmap fonts are no longer supported in applications relying on Pango for font rendering + (notably, GTK application). See <link xlink:href="https://gitlab.gnome.org/GNOME/pango/issues/386"> + upstream issue</link> for more information. + </para> + </listitem> + <listitem> + <para> + The packages <literal>openobex</literal> and <literal>obexftp</literal> + are no longer installed when enabling Bluetooth via + <option>hardware.bluetooth.enable</option>. + </para> + </listitem> + <listitem> + <para> + The <literal>dump1090</literal> derivation has been changed to use FlightAware's dump1090 + as its upstream. However, this version does not have an internal webserver anymore. The + assets in the <literal>share/dump1090</literal> directory of the derivation can be used + in conjunction with an external webserver to replace this functionality. + </para> + </listitem> + <listitem> + <para> + The fourStore and fourStoreEndpoint modules have been removed. + </para> + </listitem> + <listitem> + <para> + Polkit no longer has the user of uid 0 (root) as an admin identity. + We now follow the upstream default of only having every member of the wheel + group admin privileged. Before it was root and members of wheel. + The positive outcome of this is pkexec GUI popups or terminal prompts + will no longer require the user to choose between two essentially equivalent + choices (whether to perform the action as themselves with wheel permissions, or as the root user). + </para> + </listitem> + <listitem> + <para> + NixOS containers no longer build NixOS manual by default. This saves evaluation time, + especially if there are many declarative containers defined. Note that this is already done + when <literal><nixos/modules/profiles/minimal.nix></literal> module is included + in container config. + </para> + </listitem> + <listitem> + <para> + The <literal>kresd</literal> services deprecates the <literal>interfaces</literal> option + in favor of the <literal>listenPlain</literal> option which requires full + <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.socket.html#ListenStream=">systemd.socket compatible</link> + declaration which always include a port. + </para> + </listitem> + <listitem> + <para> + Virtual console options have been reorganized and can be found under + a single top-level attribute: <literal>console</literal>. + The full set of changes is as follows: + </para> + <itemizedlist> + <listitem> + <para> + <literal>i18n.consoleFont</literal> renamed to + <link linkend="opt-console.font">console.font</link> + </para> + </listitem> + <listitem> + <para> + <literal>i18n.consoleKeyMap</literal> renamed to + <link linkend="opt-console.keyMap">console.keyMap</link> + </para> + </listitem> + <listitem> + <para> + <literal>i18n.consoleColors</literal> renamed to + <link linkend="opt-console.colors">console.colors</link> + </para> + </listitem> + <listitem> + <para> + <literal>i18n.consolePackages</literal> renamed to + <link linkend="opt-console.packages">console.packages</link> + </para> + </listitem> + <listitem> + <para> + <literal>i18n.consoleUseXkbConfig</literal> renamed to + <link linkend="opt-console.useXkbConfig">console.useXkbConfig</link> + </para> + </listitem> + <listitem> + <para> + <literal>boot.earlyVconsoleSetup</literal> renamed to + <link linkend="opt-console.earlySetup">console.earlySetup</link> + </para> + </listitem> + <listitem> + <para> + <literal>boot.extraTTYs</literal> renamed to + <link linkend="opt-console.extraTTYs">console.extraTTYs</link> + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The <link linkend="opt-services.awstats.enable">awstats</link> module has been rewritten + to serve stats via static html pages, updated on a timer, over <link linkend="opt-services.nginx.virtualHosts">nginx</link>, + instead of dynamic cgi pages over <link linkend="opt-services.httpd.enable">apache</link>. + </para> + <para> + Minor changes will be required to migrate existing configurations. Details of the + required changes can seen by looking through the <link linkend="opt-services.awstats.enable">awstats</link> + module. + </para> + </listitem> + <listitem> + <para> + The httpd module no longer provides options to support serving web content without defining a virtual host. As a + result of this the <link linkend="opt-services.httpd.logPerVirtualHost">services.httpd.logPerVirtualHost</link> + option now defaults to <literal>true</literal> instead of <literal>false</literal>. Please update your + configuration to make use of <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts</link>. + </para> + <para> + The <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name></link> + option has changed type from a list of submodules to an attribute set of submodules, better matching + <link linkend="opt-services.nginx.virtualHosts">services.nginx.virtualHosts.<name></link>. + </para> + <para> + This change comes with the addition of the following options which mimic the functionality of their <literal>nginx</literal> counterparts: + <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.addSSL</link>, + <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.forceSSL</link>, + <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.onlySSL</link>, + <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.enableACME</link>, + <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.acmeRoot</link>, and + <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.useACMEHost</link>. + </para> + </listitem> + <listitem> + <para> + For NixOS configuration options, the <literal>loaOf</literal> type has + been deprecated and will be removed in a future release. In nixpkgs, + options of this type will be changed to <literal>attrsOf</literal> + instead. If you were using one of these in your configuration, you will + see a warning suggesting what changes will be required. + </para> + <para> + For example, <link linkend="opt-users.users">users.users</link> is a + <literal>loaOf</literal> option that is commonly used as follows: + <programlisting> +users.users = + [ { name = "me"; + description = "My personal user."; + isNormalUser = true; + } + ]; + </programlisting> + This should be rewritten by removing the list and using the + value of <literal>name</literal> as the name of the attribute set: + <programlisting> +users.users.me = + { description = "My personal user."; + isNormalUser = true; + }; + </programlisting> + </para> + <para> + For more information on this change have look at these links: + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/1800">issue #1800</link>, + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/63103">PR #63103</link>. + </para> </listitem> </itemizedlist> </section> @@ -73,7 +403,33 @@ <itemizedlist> <listitem> - <para /> + <para>SD images are now compressed by default using <literal>bzip2</literal>.</para> + </listitem> + <listitem> + <para> + The nginx web server previously started its master process as root + privileged, then ran worker processes as a less privileged identity user. + This was changed to start all of nginx as a less privileged user (defined by + <literal>services.nginx.user</literal> and + <literal>services.nginx.group</literal>). As a consequence, all files that + are needed for nginx to run (included configuration fragments, SSL + certificates and keys, etc.) must now be readable by this less privileged + user/group. + </para> + </listitem> + <listitem> + <para> + OpenSSH has been upgraded from 7.9 to 8.1, improving security and adding features + but with potential incompatibilities. Consult the + <link xlink:href="https://www.openssh.com/txt/release-8.1"> + release announcement</link> for more information. + </para> + </listitem> + <listitem> + <para> + <literal>PRETTY_NAME</literal> in <literal>/etc/os-release</literal> + now uses the short rather than full version string. + </para> </listitem> </itemizedlist> </section> diff --git a/nixpkgs/nixos/lib/make-ext4-fs.nix b/nixpkgs/nixos/lib/make-ext4-fs.nix index 932adcd97967..f46d3990c06b 100644 --- a/nixpkgs/nixos/lib/make-ext4-fs.nix +++ b/nixpkgs/nixos/lib/make-ext4-fs.nix @@ -4,8 +4,11 @@ # generated image is sized to only fit its contents, with the expectation # that a script resizes the filesystem at boot time. { pkgs +, lib # List of derivations to be included , storePaths +# Whether or not to compress the resulting image with zstd +, compressImage ? false, zstd # Shell commands to populate the ./files directory. # All files in that directory are copied to the root of the FS. , populateImageCommands ? "" @@ -20,18 +23,20 @@ let sdClosureInfo = pkgs.buildPackages.closureInfo { rootPaths = storePaths; }; in - pkgs.stdenv.mkDerivation { - name = "ext4-fs.img"; + name = "ext4-fs.img${lib.optionalString compressImage ".zst"}"; - nativeBuildInputs = [e2fsprogs.bin libfaketime perl lkl]; + nativeBuildInputs = [ e2fsprogs.bin libfaketime perl lkl ] + ++ lib.optional compressImage zstd; buildCommand = '' + ${if compressImage then "img=temp.img" else "img=$out"} ( mkdir -p ./files ${populateImageCommands} ) + # Add the closures of the top-level store objects. storePaths=$(cat ${sdClosureInfo}/store-paths) @@ -42,28 +47,26 @@ pkgs.stdenv.mkDerivation { bytes=$((2 * 4096 * $numInodes + 4096 * $numDataBlocks)) echo "Creating an EXT4 image of $bytes bytes (numInodes=$numInodes, numDataBlocks=$numDataBlocks)" - truncate -s $bytes $out - faketime -f "1970-01-01 00:00:01" mkfs.ext4 -L ${volumeLabel} -U ${uuid} $out + truncate -s $bytes $img + faketime -f "1970-01-01 00:00:01" mkfs.ext4 -L ${volumeLabel} -U ${uuid} $img # Also include a manifest of the closures in a format suitable for nix-store --load-db. cp ${sdClosureInfo}/registration nix-path-registration - cptofs -t ext4 -i $out nix-path-registration / + cptofs -t ext4 -i $img nix-path-registration / # Create nix/store before copying paths faketime -f "1970-01-01 00:00:01" mkdir -p nix/store - cptofs -t ext4 -i $out nix / + cptofs -t ext4 -i $img nix / echo "copying store paths to image..." - cptofs -t ext4 -i $out $storePaths /nix/store/ + cptofs -t ext4 -i $img $storePaths /nix/store/ - ( echo "copying files to image..." - cd ./files - cptofs -t ext4 -i $out ./* / - ) + cptofs -t ext4 -i $img ./files/* / + # I have ended up with corrupted images sometimes, I suspect that happens when the build machine's disk gets full during the build. - if ! fsck.ext4 -n -f $out; then + if ! fsck.ext4 -n -f $img; then echo "--- Fsck failed for EXT4 image of $bytes bytes (numInodes=$numInodes, numDataBlocks=$numDataBlocks) ---" cat errorlog return 1 @@ -71,9 +74,9 @@ pkgs.stdenv.mkDerivation { ( # Resizes **snugly** to its actual limits (or closer to) - free=$(dumpe2fs $out | grep '^Free blocks:') - blocksize=$(dumpe2fs $out | grep '^Block size:') - blocks=$(dumpe2fs $out | grep '^Block count:') + free=$(dumpe2fs $img | grep '^Free blocks:') + blocksize=$(dumpe2fs $img | grep '^Block size:') + blocks=$(dumpe2fs $img | grep '^Block count:') blocks=$((''${blocks##*:})) # format the number. blocksize=$((''${blocksize##*:})) # format the number. # System can't boot with 0 blocks free. @@ -82,10 +85,15 @@ pkgs.stdenv.mkDerivation { size=$(( blocks - ''${free##*:} + fudge )) echo "Resizing from $blocks blocks to $size blocks. (~ $((size*blocksize/1024/1024))MiB)" - EXT2FS_NO_MTAB_OK=yes resize2fs $out -f $size + EXT2FS_NO_MTAB_OK=yes resize2fs $img -f $size ) # And a final fsck, because of the previous truncating. - fsck.ext4 -n -f $out + fsck.ext4 -n -f $img + + if [ ${builtins.toString compressImage} ]; then + echo "Compressing image" + zstd -v --no-progress ./$img -o $out + fi ''; } diff --git a/nixpkgs/nixos/lib/make-iso9660-image.nix b/nixpkgs/nixos/lib/make-iso9660-image.nix index 8cd19b6e1874..0f3f2b5b5234 100644 --- a/nixpkgs/nixos/lib/make-iso9660-image.nix +++ b/nixpkgs/nixos/lib/make-iso9660-image.nix @@ -10,9 +10,9 @@ contents , # In addition to `contents', the closure of the store paths listed - # in `packages' are also placed in the Nix store of the CD. This is - # a list of attribute sets {object, symlink} where `object' if a - # store path whose closure will be copied, and `symlink' is a + # in `storeContents' are also placed in the Nix store of the CD. + # This is a list of attribute sets {object, symlink} where `object' + # is a store path whose closure will be copied, and `symlink' is a # symlink to `object' that will be added to the CD. storeContents ? [] diff --git a/nixpkgs/nixos/lib/make-options-doc/default.nix b/nixpkgs/nixos/lib/make-options-doc/default.nix index 35c8b543dece..eee8f612410d 100644 --- a/nixpkgs/nixos/lib/make-options-doc/default.nix +++ b/nixpkgs/nixos/lib/make-options-doc/default.nix @@ -86,7 +86,7 @@ let optionsList = lib.sort optionLess optionsListDesc; # Convert the list of options into an XML file. - optionsXML = builtins.toFile "options.xml" (builtins.toXML optionsList); + optionsXML = pkgs.writeText "options.xml" (builtins.toXML optionsList); optionsNix = builtins.listToAttrs (map (o: { name = o.name; value = removeAttrs o ["name" "visible" "internal"]; }) optionsList); diff --git a/nixpkgs/nixos/lib/test-driver/test-driver.py b/nixpkgs/nixos/lib/test-driver/test-driver.py new file mode 100644 index 000000000000..7e575189209a --- /dev/null +++ b/nixpkgs/nixos/lib/test-driver/test-driver.py @@ -0,0 +1,900 @@ +#! /somewhere/python3 +from contextlib import contextmanager, _GeneratorContextManager +from xml.sax.saxutils import XMLGenerator +import _thread +import atexit +import os +import ptpython.repl +import pty +from queue import Queue, Empty +import re +import shutil +import socket +import subprocess +import sys +import tempfile +import time +import unicodedata +from typing import Tuple, Any, Callable, Dict, Iterator, Optional, List +import shlex +import pathlib + +CHAR_TO_KEY = { + "A": "shift-a", + "N": "shift-n", + "-": "0x0C", + "_": "shift-0x0C", + "B": "shift-b", + "O": "shift-o", + "=": "0x0D", + "+": "shift-0x0D", + "C": "shift-c", + "P": "shift-p", + "[": "0x1A", + "{": "shift-0x1A", + "D": "shift-d", + "Q": "shift-q", + "]": "0x1B", + "}": "shift-0x1B", + "E": "shift-e", + "R": "shift-r", + ";": "0x27", + ":": "shift-0x27", + "F": "shift-f", + "S": "shift-s", + "'": "0x28", + '"': "shift-0x28", + "G": "shift-g", + "T": "shift-t", + "`": "0x29", + "~": "shift-0x29", + "H": "shift-h", + "U": "shift-u", + "\\": "0x2B", + "|": "shift-0x2B", + "I": "shift-i", + "V": "shift-v", + ",": "0x33", + "<": "shift-0x33", + "J": "shift-j", + "W": "shift-w", + ".": "0x34", + ">": "shift-0x34", + "K": "shift-k", + "X": "shift-x", + "/": "0x35", + "?": "shift-0x35", + "L": "shift-l", + "Y": "shift-y", + " ": "spc", + "M": "shift-m", + "Z": "shift-z", + "\n": "ret", + "!": "shift-0x02", + "@": "shift-0x03", + "#": "shift-0x04", + "$": "shift-0x05", + "%": "shift-0x06", + "^": "shift-0x07", + "&": "shift-0x08", + "*": "shift-0x09", + "(": "shift-0x0A", + ")": "shift-0x0B", +} + +# Forward references +nr_tests: int +nr_succeeded: int +log: "Logger" +machines: "List[Machine]" + + +def eprint(*args: object, **kwargs: Any) -> None: + print(*args, file=sys.stderr, **kwargs) + + +def make_command(args: list) -> str: + return " ".join(map(shlex.quote, (map(str, args)))) + + +def create_vlan(vlan_nr: str) -> Tuple[str, str, "subprocess.Popen[bytes]", Any]: + global log + log.log("starting VDE switch for network {}".format(vlan_nr)) + vde_socket = os.path.abspath("./vde{}.ctl".format(vlan_nr)) + pty_master, pty_slave = pty.openpty() + vde_process = subprocess.Popen( + ["vde_switch", "-s", vde_socket, "--dirmode", "0777"], + bufsize=1, + stdin=pty_slave, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + shell=False, + ) + fd = os.fdopen(pty_master, "w") + fd.write("version\n") + # TODO: perl version checks if this can be read from + # an if not, dies. we could hang here forever. Fix it. + vde_process.stdout.readline() + if not os.path.exists(os.path.join(vde_socket, "ctl")): + raise Exception("cannot start vde_switch") + + return (vlan_nr, vde_socket, vde_process, fd) + + +def retry(fn: Callable) -> None: + """Call the given function repeatedly, with 1 second intervals, + until it returns True or a timeout is reached. + """ + + for _ in range(900): + if fn(False): + return + time.sleep(1) + + if not fn(True): + raise Exception("action timed out") + + +class Logger: + def __init__(self) -> None: + self.logfile = os.environ.get("LOGFILE", "/dev/null") + self.logfile_handle = open(self.logfile, "wb") + self.xml = XMLGenerator(self.logfile_handle, encoding="utf-8") + self.queue: "Queue[Dict[str, str]]" = Queue(1000) + + self.xml.startDocument() + self.xml.startElement("logfile", attrs={}) + + def close(self) -> None: + self.xml.endElement("logfile") + self.xml.endDocument() + self.logfile_handle.close() + + def sanitise(self, message: str) -> str: + return "".join(ch for ch in message if unicodedata.category(ch)[0] != "C") + + def maybe_prefix(self, message: str, attributes: Dict[str, str]) -> str: + if "machine" in attributes: + return "{}: {}".format(attributes["machine"], message) + return message + + def log_line(self, message: str, attributes: Dict[str, str]) -> None: + self.xml.startElement("line", attributes) + self.xml.characters(message) + self.xml.endElement("line") + + def log(self, message: str, attributes: Dict[str, str] = {}) -> None: + eprint(self.maybe_prefix(message, attributes)) + self.drain_log_queue() + self.log_line(message, attributes) + + def enqueue(self, message: Dict[str, str]) -> None: + self.queue.put(message) + + def drain_log_queue(self) -> None: + try: + while True: + item = self.queue.get_nowait() + attributes = {"machine": item["machine"], "type": "serial"} + self.log_line(self.sanitise(item["msg"]), attributes) + except Empty: + pass + + @contextmanager + def nested(self, message: str, attributes: Dict[str, str] = {}) -> Iterator[None]: + eprint(self.maybe_prefix(message, attributes)) + + self.xml.startElement("nest", attrs={}) + self.xml.startElement("head", attributes) + self.xml.characters(message) + self.xml.endElement("head") + + tic = time.time() + self.drain_log_queue() + yield + self.drain_log_queue() + toc = time.time() + self.log("({:.2f} seconds)".format(toc - tic)) + + self.xml.endElement("nest") + + +class Machine: + def __init__(self, args: Dict[str, Any]) -> None: + if "name" in args: + self.name = args["name"] + else: + self.name = "machine" + cmd = args.get("startCommand", None) + if cmd: + match = re.search("run-(.+)-vm$", cmd) + if match: + self.name = match.group(1) + + self.script = args.get("startCommand", self.create_startcommand(args)) + + tmp_dir = os.environ.get("TMPDIR", tempfile.gettempdir()) + + def create_dir(name: str) -> str: + path = os.path.join(tmp_dir, name) + os.makedirs(path, mode=0o700, exist_ok=True) + return path + + self.state_dir = create_dir("vm-state-{}".format(self.name)) + self.shared_dir = create_dir("{}/xchg".format(self.state_dir)) + + self.booted = False + self.connected = False + self.pid: Optional[int] = None + self.socket = None + self.monitor: Optional[socket.socket] = None + self.logger: Logger = args["log"] + self.allow_reboot = args.get("allowReboot", False) + + @staticmethod + def create_startcommand(args: Dict[str, str]) -> str: + net_backend = "-netdev user,id=net0" + net_frontend = "-device virtio-net-pci,netdev=net0" + + if "netBackendArgs" in args: + net_backend += "," + args["netBackendArgs"] + + if "netFrontendArgs" in args: + net_frontend += "," + args["netFrontendArgs"] + + start_command = ( + "qemu-kvm -m 384 " + net_backend + " " + net_frontend + " $QEMU_OPTS " + ) + + if "hda" in args: + hda_path = os.path.abspath(args["hda"]) + if args.get("hdaInterface", "") == "scsi": + start_command += ( + "-drive id=hda,file=" + + hda_path + + ",werror=report,if=none " + + "-device scsi-hd,drive=hda " + ) + else: + start_command += ( + "-drive file=" + + hda_path + + ",if=" + + args["hdaInterface"] + + ",werror=report " + ) + + if "cdrom" in args: + start_command += "-cdrom " + args["cdrom"] + " " + + if "usb" in args: + start_command += ( + "-device piix3-usb-uhci -drive " + + "id=usbdisk,file=" + + args["usb"] + + ",if=none,readonly " + + "-device usb-storage,drive=usbdisk " + ) + if "bios" in args: + start_command += "-bios " + args["bios"] + " " + + start_command += args.get("qemuFlags", "") + + return start_command + + def is_up(self) -> bool: + return self.booted and self.connected + + def log(self, msg: str) -> None: + self.logger.log(msg, {"machine": self.name}) + + def nested(self, msg: str, attrs: Dict[str, str] = {}) -> _GeneratorContextManager: + my_attrs = {"machine": self.name} + my_attrs.update(attrs) + return self.logger.nested(msg, my_attrs) + + def wait_for_monitor_prompt(self) -> str: + assert self.monitor is not None + answer = "" + while True: + undecoded_answer = self.monitor.recv(1024) + if not undecoded_answer: + break + answer += undecoded_answer.decode() + if answer.endswith("(qemu) "): + break + return answer + + def send_monitor_command(self, command: str) -> str: + message = ("{}\n".format(command)).encode() + self.log("sending monitor command: {}".format(command)) + assert self.monitor is not None + self.monitor.send(message) + return self.wait_for_monitor_prompt() + + def wait_for_unit(self, unit: str, user: Optional[str] = None) -> None: + """Wait for a systemd unit to get into "active" state. + Throws exceptions on "failed" and "inactive" states as well as + after timing out. + """ + + def check_active(_: Any) -> bool: + info = self.get_unit_info(unit, user) + state = info["ActiveState"] + if state == "failed": + raise Exception('unit "{}" reached state "{}"'.format(unit, state)) + + if state == "inactive": + status, jobs = self.systemctl("list-jobs --full 2>&1", user) + if "No jobs" in jobs: + info = self.get_unit_info(unit, user) + if info["ActiveState"] == state: + raise Exception( + ( + 'unit "{}" is inactive and there ' "are no pending jobs" + ).format(unit) + ) + + return state == "active" + + retry(check_active) + + def get_unit_info(self, unit: str, user: Optional[str] = None) -> Dict[str, str]: + status, lines = self.systemctl('--no-pager show "{}"'.format(unit), user) + if status != 0: + raise Exception( + 'retrieving systemctl info for unit "{}" {} failed with exit code {}'.format( + unit, "" if user is None else 'under user "{}"'.format(user), status + ) + ) + + line_pattern = re.compile(r"^([^=]+)=(.*)$") + + def tuple_from_line(line: str) -> Tuple[str, str]: + match = line_pattern.match(line) + assert match is not None + return match[1], match[2] + + return dict( + tuple_from_line(line) + for line in lines.split("\n") + if line_pattern.match(line) + ) + + def systemctl(self, q: str, user: Optional[str] = None) -> Tuple[int, str]: + if user is not None: + q = q.replace("'", "\\'") + return self.execute( + ( + "su -l {} -c " + "$'XDG_RUNTIME_DIR=/run/user/`id -u` " + "systemctl --user {}'" + ).format(user, q) + ) + return self.execute("systemctl {}".format(q)) + + def require_unit_state(self, unit: str, require_state: str = "active") -> None: + with self.nested( + "checking if unit ‘{}’ has reached state '{}'".format(unit, require_state) + ): + info = self.get_unit_info(unit) + state = info["ActiveState"] + if state != require_state: + raise Exception( + "Expected unit ‘{}’ to to be in state ".format(unit) + + "'active' but it is in state ‘{}’".format(state) + ) + + def execute(self, command: str) -> Tuple[int, str]: + self.connect() + + out_command = "( {} ); echo '|!EOF' $?\n".format(command) + self.shell.send(out_command.encode()) + + output = "" + status_code_pattern = re.compile(r"(.*)\|\!EOF\s+(\d+)") + + while True: + chunk = self.shell.recv(4096).decode() + match = status_code_pattern.match(chunk) + if match: + output += match[1] + status_code = int(match[2]) + return (status_code, output) + output += chunk + + def succeed(self, *commands: str) -> str: + """Execute each command and check that it succeeds.""" + output = "" + for command in commands: + with self.nested("must succeed: {}".format(command)): + (status, out) = self.execute(command) + if status != 0: + self.log("output: {}".format(out)) + raise Exception( + "command `{}` failed (exit code {})".format(command, status) + ) + output += out + return output + + def fail(self, *commands: str) -> None: + """Execute each command and check that it fails.""" + for command in commands: + with self.nested("must fail: {}".format(command)): + status, output = self.execute(command) + if status == 0: + raise Exception( + "command `{}` unexpectedly succeeded".format(command) + ) + + def wait_until_succeeds(self, command: str) -> str: + """Wait until a command returns success and return its output. + Throws an exception on timeout. + """ + output = "" + + def check_success(_: Any) -> bool: + nonlocal output + status, output = self.execute(command) + return status == 0 + + with self.nested("waiting for success: {}".format(command)): + retry(check_success) + return output + + def wait_until_fails(self, command: str) -> str: + """Wait until a command returns failure. + Throws an exception on timeout. + """ + output = "" + + def check_failure(_: Any) -> bool: + nonlocal output + status, output = self.execute(command) + return status != 0 + + with self.nested("waiting for failure: {}".format(command)): + retry(check_failure) + return output + + def wait_for_shutdown(self) -> None: + if not self.booted: + return + + with self.nested("waiting for the VM to power off"): + sys.stdout.flush() + self.process.wait() + + self.pid = None + self.booted = False + self.connected = False + + def get_tty_text(self, tty: str) -> str: + status, output = self.execute( + "fold -w$(stty -F /dev/tty{0} size | " + "awk '{{print $2}}') /dev/vcs{0}".format(tty) + ) + return output + + def wait_until_tty_matches(self, tty: str, regexp: str) -> None: + """Wait until the visible output on the chosen TTY matches regular + expression. Throws an exception on timeout. + """ + matcher = re.compile(regexp) + + def tty_matches(last: bool) -> bool: + text = self.get_tty_text(tty) + if last: + self.log( + f"Last chance to match /{regexp}/ on TTY{tty}, " + f"which currently contains: {text}" + ) + return len(matcher.findall(text)) > 0 + + with self.nested("waiting for {} to appear on tty {}".format(regexp, tty)): + retry(tty_matches) + + def send_chars(self, chars: List[str]) -> None: + with self.nested("sending keys ‘{}‘".format(chars)): + for char in chars: + self.send_key(char) + + def wait_for_file(self, filename: str) -> None: + """Waits until the file exists in machine's file system.""" + + def check_file(_: Any) -> bool: + status, _ = self.execute("test -e {}".format(filename)) + return status == 0 + + with self.nested("waiting for file ‘{}‘".format(filename)): + retry(check_file) + + def wait_for_open_port(self, port: int) -> None: + def port_is_open(_: Any) -> bool: + status, _ = self.execute("nc -z localhost {}".format(port)) + return status == 0 + + with self.nested("waiting for TCP port {}".format(port)): + retry(port_is_open) + + def wait_for_closed_port(self, port: int) -> None: + def port_is_closed(_: Any) -> bool: + status, _ = self.execute("nc -z localhost {}".format(port)) + return status != 0 + + retry(port_is_closed) + + def start_job(self, jobname: str, user: Optional[str] = None) -> Tuple[int, str]: + return self.systemctl("start {}".format(jobname), user) + + def stop_job(self, jobname: str, user: Optional[str] = None) -> Tuple[int, str]: + return self.systemctl("stop {}".format(jobname), user) + + def wait_for_job(self, jobname: str) -> None: + self.wait_for_unit(jobname) + + def connect(self) -> None: + if self.connected: + return + + with self.nested("waiting for the VM to finish booting"): + self.start() + + tic = time.time() + self.shell.recv(1024) + # TODO: Timeout + toc = time.time() + + self.log("connected to guest root shell") + self.log("(connecting took {:.2f} seconds)".format(toc - tic)) + self.connected = True + + def screenshot(self, filename: str) -> None: + out_dir = os.environ.get("out", os.getcwd()) + word_pattern = re.compile(r"^\w+$") + if word_pattern.match(filename): + filename = os.path.join(out_dir, "{}.png".format(filename)) + tmp = "{}.ppm".format(filename) + + with self.nested( + "making screenshot {}".format(filename), + {"image": os.path.basename(filename)}, + ): + self.send_monitor_command("screendump {}".format(tmp)) + ret = subprocess.run("pnmtopng {} > {}".format(tmp, filename), shell=True) + os.unlink(tmp) + if ret.returncode != 0: + raise Exception("Cannot convert screenshot") + + def copy_from_vm(self, source: str, target_dir: str = "") -> None: + """Copy a file from the VM (specified by an in-VM source path) to a path + relative to `$out`. The file is copied via the `shared_dir` shared among + all the VMs (using a temporary directory). + """ + # Compute the source, target, and intermediate shared file names + out_dir = pathlib.Path(os.environ.get("out", os.getcwd())) + vm_src = pathlib.Path(source) + with tempfile.TemporaryDirectory(dir=self.shared_dir) as shared_td: + shared_temp = pathlib.Path(shared_td) + vm_shared_temp = pathlib.Path("/tmp/xchg") / shared_temp.name + vm_intermediate = vm_shared_temp / vm_src.name + intermediate = shared_temp / vm_src.name + # Copy the file to the shared directory inside VM + self.succeed(make_command(["mkdir", "-p", vm_shared_temp])) + self.succeed(make_command(["cp", "-r", vm_src, vm_intermediate])) + self.succeed("sync") + abs_target = out_dir / target_dir / vm_src.name + abs_target.parent.mkdir(exist_ok=True, parents=True) + # Copy the file from the shared directory outside VM + if intermediate.is_dir(): + shutil.copytree(intermediate, abs_target) + else: + shutil.copy(intermediate, abs_target) + # Make sure the cleanup is synced into VM + self.succeed("sync") + + def dump_tty_contents(self, tty: str) -> None: + """Debugging: Dump the contents of the TTY<n> + """ + self.execute("fold -w 80 /dev/vcs{} | systemd-cat".format(tty)) + + def get_screen_text(self) -> str: + if shutil.which("tesseract") is None: + raise Exception("get_screen_text used but enableOCR is false") + + magick_args = ( + "-filter Catrom -density 72 -resample 300 " + + "-contrast -normalize -despeckle -type grayscale " + + "-sharpen 1 -posterize 3 -negate -gamma 100 " + + "-blur 1x65535" + ) + + tess_args = "-c debug_file=/dev/null --psm 11 --oem 2" + + with self.nested("performing optical character recognition"): + with tempfile.NamedTemporaryFile() as tmpin: + self.send_monitor_command("screendump {}".format(tmpin.name)) + + cmd = "convert {} {} tiff:- | tesseract - - {}".format( + magick_args, tmpin.name, tess_args + ) + ret = subprocess.run(cmd, shell=True, capture_output=True) + if ret.returncode != 0: + raise Exception( + "OCR failed with exit code {}".format(ret.returncode) + ) + + return ret.stdout.decode("utf-8") + + def wait_for_text(self, regex: str) -> None: + def screen_matches(last: bool) -> bool: + text = self.get_screen_text() + matches = re.search(regex, text) is not None + + if last and not matches: + self.log("Last OCR attempt failed. Text was: {}".format(text)) + + return matches + + with self.nested("waiting for {} to appear on screen".format(regex)): + retry(screen_matches) + + def send_key(self, key: str) -> None: + key = CHAR_TO_KEY.get(key, key) + self.send_monitor_command("sendkey {}".format(key)) + + def start(self) -> None: + if self.booted: + return + + self.log("starting vm") + + def create_socket(path: str) -> socket.socket: + if os.path.exists(path): + os.unlink(path) + s = socket.socket(family=socket.AF_UNIX, type=socket.SOCK_STREAM) + s.bind(path) + s.listen(1) + return s + + monitor_path = os.path.join(self.state_dir, "monitor") + self.monitor_socket = create_socket(monitor_path) + + shell_path = os.path.join(self.state_dir, "shell") + self.shell_socket = create_socket(shell_path) + + qemu_options = ( + " ".join( + [ + "" if self.allow_reboot else "-no-reboot", + "-monitor unix:{}".format(monitor_path), + "-chardev socket,id=shell,path={}".format(shell_path), + "-device virtio-serial", + "-device virtconsole,chardev=shell", + "-device virtio-rng-pci", + "-serial stdio" if "DISPLAY" in os.environ else "-nographic", + ] + ) + + " " + + os.environ.get("QEMU_OPTS", "") + ) + + environment = dict(os.environ) + environment.update( + { + "TMPDIR": self.state_dir, + "SHARED_DIR": self.shared_dir, + "USE_TMPDIR": "1", + "QEMU_OPTS": qemu_options, + } + ) + + self.process = subprocess.Popen( + self.script, + bufsize=1, + stdin=subprocess.DEVNULL, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT, + shell=True, + cwd=self.state_dir, + env=environment, + ) + self.monitor, _ = self.monitor_socket.accept() + self.shell, _ = self.shell_socket.accept() + + def process_serial_output() -> None: + for _line in self.process.stdout: + line = _line.decode("unicode_escape").replace("\r", "").rstrip() + eprint("{} # {}".format(self.name, line)) + self.logger.enqueue({"msg": line, "machine": self.name}) + + _thread.start_new_thread(process_serial_output, ()) + + self.wait_for_monitor_prompt() + + self.pid = self.process.pid + self.booted = True + + self.log("QEMU running (pid {})".format(self.pid)) + + def shutdown(self) -> None: + if not self.booted: + return + + self.shell.send("poweroff\n".encode()) + self.wait_for_shutdown() + + def crash(self) -> None: + if not self.booted: + return + + self.log("forced crash") + self.send_monitor_command("quit") + self.wait_for_shutdown() + + def wait_for_x(self) -> None: + """Wait until it is possible to connect to the X server. Note that + testing the existence of /tmp/.X11-unix/X0 is insufficient. + """ + + def check_x(_: Any) -> bool: + cmd = ( + "journalctl -b SYSLOG_IDENTIFIER=systemd | " + + 'grep "Reached target Current graphical"' + ) + status, _ = self.execute(cmd) + if status != 0: + return False + status, _ = self.execute("[ -e /tmp/.X11-unix/X0 ]") + return status == 0 + + with self.nested("waiting for the X11 server"): + retry(check_x) + + def get_window_names(self) -> List[str]: + return self.succeed( + r"xwininfo -root -tree | sed 's/.*0x[0-9a-f]* \"\([^\"]*\)\".*/\1/; t; d'" + ).splitlines() + + def wait_for_window(self, regexp: str) -> None: + pattern = re.compile(regexp) + + def window_is_visible(last_try: bool) -> bool: + names = self.get_window_names() + if last_try: + self.log( + "Last chance to match {} on the window list,".format(regexp) + + " which currently contains: " + + ", ".join(names) + ) + return any(pattern.search(name) for name in names) + + with self.nested("Waiting for a window to appear"): + retry(window_is_visible) + + def sleep(self, secs: int) -> None: + time.sleep(secs) + + def forward_port(self, host_port: int = 8080, guest_port: int = 80) -> None: + """Forward a TCP port on the host to a TCP port on the guest. + Useful during interactive testing. + """ + self.send_monitor_command( + "hostfwd_add tcp::{}-:{}".format(host_port, guest_port) + ) + + def block(self) -> None: + """Make the machine unreachable by shutting down eth1 (the multicast + interface used to talk to the other VMs). We keep eth0 up so that + the test driver can continue to talk to the machine. + """ + self.send_monitor_command("set_link virtio-net-pci.1 off") + + def unblock(self) -> None: + """Make the machine reachable. + """ + self.send_monitor_command("set_link virtio-net-pci.1 on") + + +def create_machine(args: Dict[str, Any]) -> Machine: + global log + args["log"] = log + args["redirectSerial"] = os.environ.get("USE_SERIAL", "0") == "1" + return Machine(args) + + +def start_all() -> None: + global machines + with log.nested("starting all VMs"): + for machine in machines: + machine.start() + + +def join_all() -> None: + global machines + with log.nested("waiting for all VMs to finish"): + for machine in machines: + machine.wait_for_shutdown() + + +def test_script() -> None: + exec(os.environ["testScript"]) + + +def run_tests() -> None: + global machines + tests = os.environ.get("tests", None) + if tests is not None: + with log.nested("running the VM test script"): + try: + exec(tests, globals()) + except Exception as e: + eprint("error: {}".format(str(e))) + sys.exit(1) + else: + ptpython.repl.embed(locals(), globals()) + + # TODO: Collect coverage data + + for machine in machines: + if machine.is_up(): + machine.execute("sync") + + if nr_tests != 0: + eprint("{} out of {} tests succeeded".format(nr_succeeded, nr_tests)) + if nr_tests > nr_succeeded: + sys.exit(1) + + +@contextmanager +def subtest(name: str) -> Iterator[None]: + global nr_tests + global nr_succeeded + + with log.nested(name): + nr_tests += 1 + try: + yield + nr_succeeded += 1 + return True + except Exception as e: + log.log("error: {}".format(str(e))) + + return False + + +if __name__ == "__main__": + log = Logger() + + vlan_nrs = list(dict.fromkeys(os.environ["VLANS"].split())) + vde_sockets = [create_vlan(v) for v in vlan_nrs] + for nr, vde_socket, _, _ in vde_sockets: + os.environ["QEMU_VDE_SOCKET_{}".format(nr)] = vde_socket + + vm_scripts = sys.argv[1:] + machines = [create_machine({"startCommand": s}) for s in vm_scripts] + machine_eval = [ + "{0} = machines[{1}]".format(m.name, idx) for idx, m in enumerate(machines) + ] + exec("\n".join(machine_eval)) + + nr_tests = 0 + nr_succeeded = 0 + + @atexit.register + def clean_up() -> None: + with log.nested("cleaning up"): + for machine in machines: + if machine.pid is None: + continue + log.log("killing {} (pid {})".format(machine.name, machine.pid)) + machine.process.kill() + + for _, _, process, _ in vde_sockets: + process.kill() + log.close() + + tic = time.time() + run_tests() + toc = time.time() + print("test script finished in {:.2f}s".format(toc - tic)) diff --git a/nixpkgs/nixos/lib/testing-python.nix b/nixpkgs/nixos/lib/testing-python.nix new file mode 100644 index 000000000000..3d09be3b6cd5 --- /dev/null +++ b/nixpkgs/nixos/lib/testing-python.nix @@ -0,0 +1,284 @@ +{ system +, pkgs ? import ../.. { inherit system config; } + # Use a minimal kernel? +, minimal ? false + # Ignored +, config ? {} + # Modules to add to each VM +, extraConfigurations ? [] }: + +with import ./build-vms.nix { inherit system pkgs minimal extraConfigurations; }; +with pkgs; + +let + jquery-ui = callPackage ./testing/jquery-ui.nix { }; + jquery = callPackage ./testing/jquery.nix { }; + +in rec { + + inherit pkgs; + + + testDriver = let + testDriverScript = ./test-driver/test-driver.py; + in stdenv.mkDerivation { + name = "nixos-test-driver"; + + nativeBuildInputs = [ makeWrapper ]; + buildInputs = [ (python3.withPackages (p: [ p.ptpython ])) ]; + checkInputs = with python3Packages; [ pylint black mypy ]; + + dontUnpack = true; + + preferLocalBuild = true; + + doCheck = true; + checkPhase = '' + mypy --disallow-untyped-defs \ + --no-implicit-optional \ + --ignore-missing-imports ${testDriverScript} + pylint --errors-only ${testDriverScript} + black --check --diff ${testDriverScript} + ''; + + installPhase = + '' + mkdir -p $out/bin + cp ${testDriverScript} $out/bin/nixos-test-driver + chmod u+x $out/bin/nixos-test-driver + # TODO: copy user script part into this file (append) + + wrapProgram $out/bin/nixos-test-driver \ + --prefix PATH : "${lib.makeBinPath [ qemu_test vde2 netpbm coreutils ]}" \ + ''; + }; + + + # Run an automated test suite in the given virtual network. + # `driver' is the script that runs the network. + runTests = driver: + stdenv.mkDerivation { + name = "vm-test-run-${driver.testName}"; + + requiredSystemFeatures = [ "kvm" "nixos-test" ]; + + buildInputs = [ libxslt ]; + + buildCommand = + '' + mkdir -p $out/nix-support + + LOGFILE=$out/log.xml tests='exec(os.environ["testScript"])' ${driver}/bin/nixos-test-driver + + # Generate a pretty-printed log. + xsltproc --output $out/log.html ${./test-driver/log2html.xsl} $out/log.xml + ln -s ${./test-driver/logfile.css} $out/logfile.css + ln -s ${./test-driver/treebits.js} $out/treebits.js + ln -s ${jquery}/js/jquery.min.js $out/ + ln -s ${jquery}/js/jquery.js $out/ + ln -s ${jquery-ui}/js/jquery-ui.min.js $out/ + ln -s ${jquery-ui}/js/jquery-ui.js $out/ + + touch $out/nix-support/hydra-build-products + echo "report testlog $out log.html" >> $out/nix-support/hydra-build-products + + for i in */xchg/coverage-data; do + mkdir -p $out/coverage-data + mv $i $out/coverage-data/$(dirname $(dirname $i)) + done + ''; + }; + + + makeTest = + { testScript + , makeCoverageReport ? false + , enableOCR ? false + , name ? "unnamed" + # Skip linting (mainly intended for faster dev cycles) + , skipLint ? false + , ... + } @ t: + + let + # A standard store path to the vm monitor is built like this: + # /tmp/nix-build-vm-test-run-$name.drv-0/vm-state-machine/monitor + # The max filename length of a unix domain socket is 108 bytes. + # This means $name can at most be 50 bytes long. + maxTestNameLen = 50; + testNameLen = builtins.stringLength name; + + testDriverName = with builtins; + if testNameLen > maxTestNameLen then + abort ("The name of the test '${name}' must not be longer than ${toString maxTestNameLen} " + + "it's currently ${toString testNameLen} characters long.") + else + "nixos-test-driver-${name}"; + + nodes = buildVirtualNetwork ( + t.nodes or (if t ? machine then { machine = t.machine; } else { })); + + testScript' = + # Call the test script with the computed nodes. + if lib.isFunction testScript + then testScript { inherit nodes; } + else testScript; + + vlans = map (m: m.config.virtualisation.vlans) (lib.attrValues nodes); + + vms = map (m: m.config.system.build.vm) (lib.attrValues nodes); + + ocrProg = tesseract4.override { enableLanguages = [ "eng" ]; }; + + imagemagick_tiff = imagemagick_light.override { inherit libtiff; }; + + # Generate onvenience wrappers for running the test driver + # interactively with the specified network, and for starting the + # VMs from the command line. + driver = let warn = if skipLint then lib.warn "Linting is disabled!" else lib.id; in warn (runCommand testDriverName + { buildInputs = [ makeWrapper]; + testScript = testScript'; + preferLocalBuild = true; + testName = name; + } + '' + mkdir -p $out/bin + + echo -n "$testScript" > $out/test-script + ${lib.optionalString (!skipLint) '' + ${python3Packages.black}/bin/black --check --diff $out/test-script + ''} + + ln -s ${testDriver}/bin/nixos-test-driver $out/bin/ + vms=($(for i in ${toString vms}; do echo $i/bin/run-*-vm; done)) + wrapProgram $out/bin/nixos-test-driver \ + --add-flags "''${vms[*]}" \ + ${lib.optionalString enableOCR + "--prefix PATH : '${ocrProg}/bin:${imagemagick_tiff}/bin'"} \ + --run "export testScript=\"\$(cat $out/test-script)\"" \ + --set VLANS '${toString vlans}' + ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-run-vms + wrapProgram $out/bin/nixos-run-vms \ + --add-flags "''${vms[*]}" \ + ${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin'"} \ + --set tests 'start_all(); join_all();' \ + --set VLANS '${toString vlans}' \ + ${lib.optionalString (builtins.length vms == 1) "--set USE_SERIAL 1"} + ''); # " + + passMeta = drv: drv // lib.optionalAttrs (t ? meta) { + meta = (drv.meta or {}) // t.meta; + }; + + test = passMeta (runTests driver); + report = passMeta (releaseTools.gcovReport { coverageRuns = [ test ]; }); + + nodeNames = builtins.attrNames nodes; + invalidNodeNames = lib.filter + (node: builtins.match "^[A-z_][A-z0-9_]+$" node == null) nodeNames; + + in + if lib.length invalidNodeNames > 0 then + throw '' + Cannot create machines out of (${lib.concatStringsSep ", " invalidNodeNames})! + All machines are referenced as perl variables in the testing framework which will break the + script when special characters are used. + + Please stick to alphanumeric chars and underscores as separation. + '' + else + (if makeCoverageReport then report else test) // { + inherit nodes driver test; + }; + + runInMachine = + { drv + , machine + , preBuild ? "" + , postBuild ? "" + , ... # ??? + }: + let + vm = buildVM { } + [ machine + { key = "run-in-machine"; + networking.hostName = "client"; + nix.readOnlyStore = false; + virtualisation.writableStore = false; + } + ]; + + buildrunner = writeText "vm-build" '' + source $1 + + ${coreutils}/bin/mkdir -p $TMPDIR + cd $TMPDIR + + exec $origBuilder $origArgs + ''; + + testScript = '' + startAll; + $client->waitForUnit("multi-user.target"); + ${preBuild} + $client->succeed("env -i ${bash}/bin/bash ${buildrunner} /tmp/xchg/saved-env >&2"); + ${postBuild} + $client->succeed("sync"); # flush all data before pulling the plug + ''; + + vmRunCommand = writeText "vm-run" '' + xchg=vm-state-client/xchg + ${coreutils}/bin/mkdir $out + ${coreutils}/bin/mkdir -p $xchg + + for i in $passAsFile; do + i2=''${i}Path + _basename=$(${coreutils}/bin/basename ''${!i2}) + ${coreutils}/bin/cp ''${!i2} $xchg/$_basename + eval $i2=/tmp/xchg/$_basename + ${coreutils}/bin/ls -la $xchg + done + + unset i i2 _basename + export | ${gnugrep}/bin/grep -v '^xchg=' > $xchg/saved-env + unset xchg + + export tests='${testScript}' + ${testDriver}/bin/nixos-test-driver ${vm.config.system.build.vm}/bin/run-*-vm + ''; # */ + + in + lib.overrideDerivation drv (attrs: { + requiredSystemFeatures = [ "kvm" ]; + builder = "${bash}/bin/sh"; + args = ["-e" vmRunCommand]; + origArgs = attrs.args; + origBuilder = attrs.builder; + }); + + + runInMachineWithX = { require ? [], ... } @ args: + let + client = + { ... }: + { + inherit require; + virtualisation.memorySize = 1024; + services.xserver.enable = true; + services.xserver.displayManager.auto.enable = true; + services.xserver.displayManager.defaultSession = "none+icewm"; + services.xserver.windowManager.icewm.enable = true; + }; + in + runInMachine ({ + machine = client; + preBuild = + '' + $client->waitForX; + ''; + } // args); + + + simpleTest = as: (makeTest as).test; + +} diff --git a/nixpkgs/nixos/lib/testing.nix b/nixpkgs/nixos/lib/testing.nix index 767068771036..ae8ecd6270ce 100644 --- a/nixpkgs/nixos/lib/testing.nix +++ b/nixpkgs/nixos/lib/testing.nix @@ -248,11 +248,9 @@ in rec { inherit require; virtualisation.memorySize = 1024; services.xserver.enable = true; - services.xserver.displayManager.slim.enable = false; services.xserver.displayManager.auto.enable = true; - services.xserver.windowManager.default = "icewm"; + services.xserver.displayManager.defaultSession = "none+icewm"; services.xserver.windowManager.icewm.enable = true; - services.xserver.desktopManager.default = "none"; }; in runInMachine ({ diff --git a/nixpkgs/nixos/maintainers/scripts/azure/create-azure.sh b/nixpkgs/nixos/maintainers/scripts/azure/create-azure.sh index 2b22cb536619..0558f8dfffcb 100755 --- a/nixpkgs/nixos/maintainers/scripts/azure/create-azure.sh +++ b/nixpkgs/nixos/maintainers/scripts/azure/create-azure.sh @@ -1,6 +1,6 @@ -#! /bin/sh -e +#! /bin/sh -eu -export NIX_PATH=nixpkgs=../../../.. +export NIX_PATH=nixpkgs=$(dirname $(readlink -f $0))/../../../.. export NIXOS_CONFIG=$(dirname $(readlink -f $0))/../../../modules/virtualisation/azure-image.nix export TIMESTAMP=$(date +%Y%m%d%H%M) diff --git a/nixpkgs/nixos/maintainers/scripts/ec2/create-amis.sh b/nixpkgs/nixos/maintainers/scripts/ec2/create-amis.sh index c4149e3e8ffe..5dc1c5aaed57 100755 --- a/nixpkgs/nixos/maintainers/scripts/ec2/create-amis.sh +++ b/nixpkgs/nixos/maintainers/scripts/ec2/create-amis.sh @@ -14,7 +14,7 @@ set -euo pipefail # configuration -state_dir=/home/deploy/amis/ec2-images +state_dir=$HOME/amis/ec2-images home_region=eu-west-1 bucket=nixos-amis @@ -211,11 +211,11 @@ upload_image() { log "Registering snapshot $snapshot_id as AMI" local block_device_mappings=( - "DeviceName=/dev/sda1,Ebs={SnapshotId=$snapshot_id,VolumeSize=$image_logical_gigabytes,DeleteOnTermination=true,VolumeType=gp2}" + "DeviceName=/dev/xvda,Ebs={SnapshotId=$snapshot_id,VolumeSize=$image_logical_gigabytes,DeleteOnTermination=true,VolumeType=gp2}" ) local extra_flags=( - --root-device-name /dev/sda1 + --root-device-name /dev/xvda --sriov-net-support simple --ena-support --virtualization-type hvm diff --git a/nixpkgs/nixos/maintainers/scripts/gce/create-gce.sh b/nixpkgs/nixos/maintainers/scripts/gce/create-gce.sh index 48748a59d298..77cc64e591e9 100755 --- a/nixpkgs/nixos/maintainers/scripts/gce/create-gce.sh +++ b/nixpkgs/nixos/maintainers/scripts/gce/create-gce.sh @@ -15,7 +15,7 @@ nix-build '<nixpkgs/nixos/lib/eval-config.nix>' \ -j 10 img_path=$(echo gce/*.tar.gz) -img_name=$(basename "$img_path") +img_name=${IMAGE_NAME:-$(basename "$img_path")} img_id=$(echo "$img_name" | sed 's|.raw.tar.gz$||;s|\.|-|g;s|_|-|g') if ! gsutil ls "gs://${BUCKET_NAME}/$img_name"; then gsutil cp "$img_path" "gs://${BUCKET_NAME}/$img_name" diff --git a/nixpkgs/nixos/modules/config/console.nix b/nixpkgs/nixos/modules/config/console.nix new file mode 100644 index 000000000000..f662ed62d31d --- /dev/null +++ b/nixpkgs/nixos/modules/config/console.nix @@ -0,0 +1,203 @@ + +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.console; + + makeColor = i: concatMapStringsSep "," (x: "0x" + substring (2*i) 2 x); + + isUnicode = hasSuffix "UTF-8" (toUpper config.i18n.defaultLocale); + + optimizedKeymap = pkgs.runCommand "keymap" { + nativeBuildInputs = [ pkgs.buildPackages.kbd ]; + LOADKEYS_KEYMAP_PATH = "${consoleEnv}/share/keymaps/**"; + preferLocalBuild = true; + } '' + loadkeys -b ${optionalString isUnicode "-u"} "${cfg.keyMap}" > $out + ''; + + # Sadly, systemd-vconsole-setup doesn't support binary keymaps. + vconsoleConf = pkgs.writeText "vconsole.conf" '' + KEYMAP=${cfg.keyMap} + FONT=${cfg.font} + ''; + + consoleEnv = pkgs.buildEnv { + name = "console-env"; + paths = [ pkgs.kbd ] ++ cfg.packages; + pathsToLink = [ + "/share/consolefonts" + "/share/consoletrans" + "/share/keymaps" + "/share/unimaps" + ]; + }; + + setVconsole = !config.boot.isContainer; +in + +{ + ###### interface + + options.console = { + font = mkOption { + type = types.str; + default = "Lat2-Terminus16"; + example = "LatArCyrHeb-16"; + description = '' + The font used for the virtual consoles. Leave empty to use + whatever the <command>setfont</command> program considers the + default font. + ''; + }; + + keyMap = mkOption { + type = with types; either str path; + default = "us"; + example = "fr"; + description = '' + The keyboard mapping table for the virtual consoles. + ''; + }; + + colors = mkOption { + type = types.listOf types.str; + default = []; + example = [ + "002b36" "dc322f" "859900" "b58900" + "268bd2" "d33682" "2aa198" "eee8d5" + "002b36" "cb4b16" "586e75" "657b83" + "839496" "6c71c4" "93a1a1" "fdf6e3" + ]; + description = '' + The 16 colors palette used by the virtual consoles. + Leave empty to use the default colors. + Colors must be in hexadecimal format and listed in + order from color 0 to color 15. + ''; + + }; + + packages = mkOption { + type = types.listOf types.package; + default = with pkgs.kbdKeymaps; [ dvp neo ]; + defaultText = ''with pkgs.kbdKeymaps; [ dvp neo ]''; + description = '' + List of additional packages that provide console fonts, keymaps and + other resources for virtual consoles use. + ''; + }; + + extraTTYs = mkOption { + default = []; + type = types.listOf types.str; + example = ["tty8" "tty9"]; + description = '' + TTY (virtual console) devices, in addition to the consoles on + which mingetty and syslogd run, that must be initialised. + Only useful if you have some program that you want to run on + some fixed console. For example, the NixOS installation CD + opens the manual in a web browser on console 7, so it sets + <option>console.extraTTYs</option> to <literal>["tty7"]</literal>. + ''; + }; + + useXkbConfig = mkOption { + type = types.bool; + default = false; + description = '' + If set, configure the virtual console keymap from the xserver + keyboard settings. + ''; + }; + + earlySetup = mkOption { + default = false; + type = types.bool; + description = '' + Enable setting virtual console options as early as possible (in initrd). + ''; + }; + + }; + + + ###### implementation + + config = mkMerge [ + { console.keyMap = with config.services.xserver; + mkIf cfg.useXkbConfig + (pkgs.runCommand "xkb-console-keymap" { preferLocalBuild = true; } '' + '${pkgs.ckbcomp}/bin/ckbcomp' -model '${xkbModel}' -layout '${layout}' \ + -option '${xkbOptions}' -variant '${xkbVariant}' > "$out" + ''); + } + + (mkIf (!setVconsole) { + systemd.services.systemd-vconsole-setup.enable = false; + }) + + (mkIf setVconsole (mkMerge [ + { environment.systemPackages = [ pkgs.kbd ]; + + # Let systemd-vconsole-setup.service do the work of setting up the + # virtual consoles. + environment.etc."vconsole.conf".source = vconsoleConf; + # Provide kbd with additional packages. + environment.etc.kbd.source = "${consoleEnv}/share"; + + boot.initrd.preLVMCommands = mkBefore '' + kbd_mode ${if isUnicode then "-u" else "-a"} -C /dev/console + printf "\033%%${if isUnicode then "G" else "@"}" >> /dev/console + loadkmap < ${optimizedKeymap} + + ${optionalString cfg.earlySetup '' + setfont -C /dev/console $extraUtils/share/consolefonts/font.psf + ''} + ''; + + systemd.services.systemd-vconsole-setup = + { before = [ "display-manager.service" ]; + after = [ "systemd-udev-settle.service" ]; + restartTriggers = [ vconsoleConf consoleEnv ]; + }; + } + + (mkIf (cfg.colors != []) { + boot.kernelParams = [ + "vt.default_red=${makeColor 0 cfg.colors}" + "vt.default_grn=${makeColor 1 cfg.colors}" + "vt.default_blu=${makeColor 2 cfg.colors}" + ]; + }) + + (mkIf cfg.earlySetup { + boot.initrd.extraUtilsCommands = '' + mkdir -p $out/share/consolefonts + ${if substring 0 1 cfg.font == "/" then '' + font="${cfg.font}" + '' else '' + font="$(echo ${consoleEnv}/share/consolefonts/${cfg.font}.*)" + ''} + if [[ $font == *.gz ]]; then + gzip -cd $font > $out/share/consolefonts/font.psf + else + cp -L $font $out/share/consolefonts/font.psf + fi + ''; + }) + ])) + ]; + + imports = [ + (mkRenamedOptionModule [ "i18n" "consoleFont" ] [ "console" "font" ]) + (mkRenamedOptionModule [ "i18n" "consoleKeyMap" ] [ "console" "keyMap" ]) + (mkRenamedOptionModule [ "i18n" "consoleColors" ] [ "console" "colors" ]) + (mkRenamedOptionModule [ "i18n" "consolePackages" ] [ "console" "packages" ]) + (mkRenamedOptionModule [ "i18n" "consoleUseXkbConfig" ] [ "console" "useXkbConfig" ]) + (mkRenamedOptionModule [ "boot" "earlyVconsoleSetup" ] [ "console" "earlySetup" ]) + (mkRenamedOptionModule [ "boot" "extraTTYs" ] [ "console" "extraTTYs" ]) + ]; +} diff --git a/nixpkgs/nixos/modules/config/fonts/corefonts.nix b/nixpkgs/nixos/modules/config/fonts/corefonts.nix deleted file mode 100644 index b9f69879a103..000000000000 --- a/nixpkgs/nixos/modules/config/fonts/corefonts.nix +++ /dev/null @@ -1,36 +0,0 @@ -# This module is deprecated, since you can just say ‘fonts.fonts = [ -# pkgs.corefonts ];’ instead. - -{ config, lib, pkgs, ... }: - -with lib; - -{ - - options = { - - fonts = { - - enableCoreFonts = mkOption { - visible = false; - default = false; - description = '' - Whether to include Microsoft's proprietary Core Fonts. These fonts - are redistributable, but only verbatim, among other restrictions. - See <link xlink:href="http://corefonts.sourceforge.net/eula.htm"/> - for details. - ''; - }; - - }; - - }; - - - config = mkIf config.fonts.enableCoreFonts { - - fonts.fonts = [ pkgs.corefonts ]; - - }; - -} diff --git a/nixpkgs/nixos/modules/config/fonts/fontconfig-ultimate.nix b/nixpkgs/nixos/modules/config/fonts/fontconfig-ultimate.nix deleted file mode 100644 index 84d90899dfff..000000000000 --- a/nixpkgs/nixos/modules/config/fonts/fontconfig-ultimate.nix +++ /dev/null @@ -1,86 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let cfg = config.fonts.fontconfig.ultimate; - - latestVersion = pkgs.fontconfig.configVersion; - - # The configuration to be included in /etc/font/ - confPkg = pkgs.runCommand "font-ultimate-conf" { preferLocalBuild = true; } '' - support_folder=$out/etc/fonts/conf.d - latest_folder=$out/etc/fonts/${latestVersion}/conf.d - - mkdir -p $support_folder - mkdir -p $latest_folder - - # fontconfig ultimate substitutions - ${optionalString (cfg.substitutions != "none") '' - ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/presets/${cfg.substitutions}/*.conf \ - $support_folder - ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/presets/${cfg.substitutions}/*.conf \ - $latest_folder - ''} - - # fontconfig ultimate various configuration files - ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/conf.d/*.conf \ - $support_folder - ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/conf.d/*.conf \ - $latest_folder - ''; - -in -{ - - options = { - - fonts = { - - fontconfig = { - - ultimate = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Enable fontconfig-ultimate settings (formerly known as - Infinality). Besides the customizable settings in this NixOS - module, fontconfig-ultimate also provides many font-specific - rendering tweaks. - ''; - }; - - substitutions = mkOption { - type = types.enum ["free" "combi" "ms" "none"]; - default = "free"; - description = '' - Font substitutions to replace common Type 1 fonts with nicer - TrueType fonts. <literal>free</literal> uses free fonts, - <literal>ms</literal> uses Microsoft fonts, - <literal>combi</literal> uses a combination, and - <literal>none</literal> disables the substitutions. - ''; - }; - - preset = mkOption { - type = types.enum ["ultimate1" "ultimate2" "ultimate3" "ultimate4" "ultimate5" "osx" "windowsxp"]; - default = "ultimate3"; - description = '' - FreeType rendering settings preset. Any of the presets may be - customized by setting environment variables. - ''; - }; - }; - }; - }; - - }; - - config = mkIf (config.fonts.fontconfig.enable && cfg.enable) { - - fonts.fontconfig.confPackages = [ confPkg ]; - environment.variables.INFINALITY_FT = cfg.preset; - - }; - -} diff --git a/nixpkgs/nixos/modules/config/fonts/fontconfig.nix b/nixpkgs/nixos/modules/config/fonts/fontconfig.nix index 8f227c423266..3bfa1893a8ba 100644 --- a/nixpkgs/nixos/modules/config/fonts/fontconfig.nix +++ b/nixpkgs/nixos/modules/config/fonts/fontconfig.nix @@ -264,6 +264,16 @@ let }; in { + imports = [ + (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "allowBitmaps" ] [ "fonts" "fontconfig" "allowBitmaps" ]) + (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "allowType1" ] [ "fonts" "fontconfig" "allowType1" ]) + (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "useEmbeddedBitmaps" ] [ "fonts" "fontconfig" "useEmbeddedBitmaps" ]) + (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "forceAutohint" ] [ "fonts" "fontconfig" "forceAutohint" ]) + (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "renderMonoTTFAsBitmap" ] [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ]) + (mkRemovedOptionModule [ "fonts" "fontconfig" "hinting" "style" ] "") + (mkRemovedOptionModule [ "fonts" "fontconfig" "forceAutohint" ] "") + (mkRemovedOptionModule [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ] "") + ]; options = { diff --git a/nixpkgs/nixos/modules/config/fonts/fonts.nix b/nixpkgs/nixos/modules/config/fonts/fonts.nix index abb806b601a7..b9bae44b2f9c 100644 --- a/nixpkgs/nixos/modules/config/fonts/fonts.nix +++ b/nixpkgs/nixos/modules/config/fonts/fonts.nix @@ -3,6 +3,9 @@ with lib; { + imports = [ + (mkRemovedOptionModule [ "fonts" "enableCoreFonts" ] "Use fonts.fonts = [ pkgs.corefonts ]; instead.") + ]; options = { diff --git a/nixpkgs/nixos/modules/config/i18n.nix b/nixpkgs/nixos/modules/config/i18n.nix index dc7305b1ba24..cc2ddda9d32f 100644 --- a/nixpkgs/nixos/modules/config/i18n.nix +++ b/nixpkgs/nixos/modules/config/i18n.nix @@ -58,66 +58,6 @@ with lib; ''; }; - consolePackages = mkOption { - type = types.listOf types.package; - default = with pkgs.kbdKeymaps; [ dvp neo ]; - defaultText = ''with pkgs.kbdKeymaps; [ dvp neo ]''; - description = '' - List of additional packages that provide console fonts, keymaps and - other resources. - ''; - }; - - consoleFont = mkOption { - type = types.str; - default = "Lat2-Terminus16"; - example = "LatArCyrHeb-16"; - description = '' - The font used for the virtual consoles. Leave empty to use - whatever the <command>setfont</command> program considers the - default font. - ''; - }; - - consoleUseXkbConfig = mkOption { - type = types.bool; - default = false; - description = '' - If set, configure the console keymap from the xserver keyboard - settings. - ''; - }; - - consoleKeyMap = mkOption { - type = mkOptionType { - name = "string or path"; - check = t: (isString t || types.path.check t); - }; - - default = "us"; - example = "fr"; - description = '' - The keyboard mapping table for the virtual consoles. - ''; - }; - - consoleColors = mkOption { - type = types.listOf types.str; - default = []; - example = [ - "002b36" "dc322f" "859900" "b58900" - "268bd2" "d33682" "2aa198" "eee8d5" - "002b36" "cb4b16" "586e75" "657b83" - "839496" "6c71c4" "93a1a1" "fdf6e3" - ]; - description = '' - The 16 colors palette used by the virtual consoles. - Leave empty to use the default colors. - Colors must be in hexadecimal format and listed in - order from color 0 to color 15. - ''; - }; - }; }; @@ -127,13 +67,6 @@ with lib; config = { - i18n.consoleKeyMap = with config.services.xserver; - mkIf config.i18n.consoleUseXkbConfig - (pkgs.runCommand "xkb-console-keymap" { preferLocalBuild = true; } '' - '${pkgs.ckbcomp}/bin/ckbcomp' -model '${xkbModel}' -layout '${layout}' \ - -option '${xkbOptions}' -variant '${xkbVariant}' > "$out" - ''); - environment.systemPackages = optional (config.i18n.supportedLocales != []) config.i18n.glibcLocales; @@ -147,14 +80,11 @@ with lib; }; # ‘/etc/locale.conf’ is used by systemd. - environment.etc = singleton - { target = "locale.conf"; - source = pkgs.writeText "locale.conf" - '' - LANG=${config.i18n.defaultLocale} - ${concatStringsSep "\n" (mapAttrsToList (n: v: ''${n}=${v}'') config.i18n.extraLocaleSettings)} - ''; - }; + environment.etc."locale.conf".source = pkgs.writeText "locale.conf" + '' + LANG=${config.i18n.defaultLocale} + ${concatStringsSep "\n" (mapAttrsToList (n: v: ''${n}=${v}'') config.i18n.extraLocaleSettings)} + ''; }; } diff --git a/nixpkgs/nixos/modules/config/ldap.nix b/nixpkgs/nixos/modules/config/ldap.nix index e008497a2a6e..9c8e9d149371 100644 --- a/nixpkgs/nixos/modules/config/ldap.nix +++ b/nixpkgs/nixos/modules/config/ldap.nix @@ -224,7 +224,9 @@ in config = mkIf cfg.enable { - environment.etc = optional (!cfg.daemon.enable) ldapConfig; + environment.etc = optionalAttrs (!cfg.daemon.enable) { + "ldap.conf" = ldapConfig; + }; system.activationScripts = mkIf (!cfg.daemon.enable) { ldap = stringAfter [ "etc" "groups" "users" ] '' diff --git a/nixpkgs/nixos/modules/config/networking.nix b/nixpkgs/nixos/modules/config/networking.nix index a89667ea221c..81427bb8ee64 100644 --- a/nixpkgs/nixos/modules/config/networking.nix +++ b/nixpkgs/nixos/modules/config/networking.nix @@ -16,6 +16,9 @@ let in { + imports = [ + (mkRemovedOptionModule [ "networking" "hostConf" ] "Use environment.etc.\"host.conf\" instead.") + ]; options = { @@ -41,19 +44,6 @@ in ''; }; - networking.hostConf = lib.mkOption { - type = types.lines; - default = "multi on"; - example = '' - multi on - reorder on - trim lan - ''; - description = '' - The contents of <filename>/etc/host.conf</filename>. See also <citerefentry><refentrytitle>host.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>. - ''; - }; - networking.timeServers = mkOption { default = [ "0.nixos.pool.ntp.org" @@ -186,7 +176,9 @@ in ''; # /etc/host.conf: resolver configuration file - "host.conf".text = cfg.hostConf; + "host.conf".text = '' + multi on + ''; } // optionalAttrs (pkgs.stdenv.hostPlatform.libc == "glibc") { # /etc/rpc: RPC program numbers. diff --git a/nixpkgs/nixos/modules/config/no-x-libs.nix b/nixpkgs/nixos/modules/config/no-x-libs.nix index 74cf74d74181..873b8073fed9 100644 --- a/nixpkgs/nixos/modules/config/no-x-libs.nix +++ b/nixpkgs/nixos/modules/config/no-x-libs.nix @@ -34,7 +34,6 @@ with lib; networkmanager-openvpn = super.networkmanager-openvpn.override { withGnome = false; }; networkmanager-vpnc = super.networkmanager-vpnc.override { withGnome = false; }; networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; }; - pinentry = super.pinentry.override { gtk2 = null; gcr = null; qt4 = null; qt5 = null; }; gobject-introspection = super.gobject-introspection.override { x11Support = false; }; })); }; diff --git a/nixpkgs/nixos/modules/config/pulseaudio.nix b/nixpkgs/nixos/modules/config/pulseaudio.nix index 5c3e39302583..048bbb30c73d 100644 --- a/nixpkgs/nixos/modules/config/pulseaudio.nix +++ b/nixpkgs/nixos/modules/config/pulseaudio.nix @@ -51,8 +51,7 @@ let # that we can disable the autospawn feature in programs that # are built with PulseAudio support (like KDE). clientConf = writeText "client.conf" '' - autospawn=${if nonSystemWide then "yes" else "no"} - ${optionalString nonSystemWide "daemon-binary=${binary}"} + autospawn=no ${cfg.extraClientConf} ''; @@ -99,11 +98,12 @@ in { description = '' If false, a PulseAudio server is launched automatically for each user that tries to use the sound system. The server runs - with user privileges. This is the recommended and most secure - way to use PulseAudio. If true, one system-wide PulseAudio + with user privileges. If true, one system-wide PulseAudio server is launched on boot, running as the user "pulse", and only users in the "audio" group will have access to the server. Please read the PulseAudio documentation for more details. + + Don't enable this option unless you know what you are doing. ''; }; @@ -215,9 +215,8 @@ in { config = mkMerge [ { - environment.etc = singleton { - target = "pulse/client.conf"; - source = clientConf; + environment.etc = { + "pulse/client.conf".source = clientConf; }; hardware.pulseaudio.configFile = mkDefault "${getBin overriddenPackage}/etc/pulse/default.pa"; @@ -228,19 +227,16 @@ in { sound.enable = true; - environment.etc = [ - { target = "asound.conf"; - source = alsaConf; } + environment.etc = { + "asound.conf".source = alsaConf; - { target = "pulse/daemon.conf"; - source = writeText "daemon.conf" (lib.generators.toKeyValue {} cfg.daemon.config); } + "pulse/daemon.conf".source = writeText "daemon.conf" + (lib.generators.toKeyValue {} cfg.daemon.config); - { target = "openal/alsoft.conf"; - source = writeText "alsoft.conf" "drivers=pulse"; } + "openal/alsoft.conf".source = writeText "alsoft.conf" "drivers=pulse"; - { target = "libao.conf"; - source = writeText "libao.conf" "default_driver=pulse"; } - ]; + "libao.conf".source = writeText "libao.conf" "default_driver=pulse"; + }; # Disable flat volumes to enable relative ones hardware.pulseaudio.daemon.config.flat-volumes = mkDefault "no"; @@ -275,9 +271,8 @@ in { }) (mkIf nonSystemWide { - environment.etc = singleton { - target = "pulse/default.pa"; - source = myConfigFile; + environment.etc = { + "pulse/default.pa".source = myConfigFile; }; systemd.user = { services.pulseaudio = { diff --git a/nixpkgs/nixos/modules/config/qt5.nix b/nixpkgs/nixos/modules/config/qt5.nix index 7de1c0f5d557..d9dec74f1552 100644 --- a/nixpkgs/nixos/modules/config/qt5.nix +++ b/nixpkgs/nixos/modules/config/qt5.nix @@ -10,7 +10,7 @@ let isQtStyle = cfg.platformTheme == "gtk2" && cfg.style != "adwaita"; packages = if isQGnome then [ pkgs.qgnomeplatform pkgs.adwaita-qt ] - else if isQtStyle then [ pkgs.qtstyleplugins ] + else if isQtStyle then [ pkgs.libsForQt5.qtstyleplugins ] else throw "`qt5.platformTheme` ${cfg.platformTheme} and `qt5.style` ${cfg.style} are not compatible."; in diff --git a/nixpkgs/nixos/modules/config/resolvconf.nix b/nixpkgs/nixos/modules/config/resolvconf.nix index 406c6a7ac329..7d2f252a8886 100644 --- a/nixpkgs/nixos/modules/config/resolvconf.nix +++ b/nixpkgs/nixos/modules/config/resolvconf.nix @@ -33,6 +33,12 @@ let in { + imports = [ + (mkRenamedOptionModule [ "networking" "dnsSingleRequest" ] [ "networking" "resolvconf" "dnsSingleRequest" ]) + (mkRenamedOptionModule [ "networking" "dnsExtensionMechanism" ] [ "networking" "resolvconf" "dnsExtensionMechanism" ]) + (mkRenamedOptionModule [ "networking" "extraResolvconfConf" ] [ "networking" "resolvconf" "extraConfig" ]) + (mkRenamedOptionModule [ "networking" "resolvconfOptions" ] [ "networking" "resolvconf" "extraOptions" ]) + ]; options = { diff --git a/nixpkgs/nixos/modules/config/shells-environment.nix b/nixpkgs/nixos/modules/config/shells-environment.nix index d939cbb393ee..a0a20228a742 100644 --- a/nixpkgs/nixos/modules/config/shells-environment.nix +++ b/nixpkgs/nixos/modules/config/shells-environment.nix @@ -118,6 +118,14 @@ in type = with types; attrsOf (nullOr (either str path)); }; + environment.homeBinInPath = mkOption { + description = '' + Include ~/bin/ in $PATH. + ''; + default = false; + type = types.bool; + }; + environment.binsh = mkOption { default = "${config.system.build.binsh}/bin/sh"; defaultText = "\${config.system.build.binsh}/bin/sh"; @@ -186,8 +194,10 @@ in ${cfg.extraInit} - # ~/bin if it exists overrides other bin directories. - export PATH="$HOME/bin:$PATH" + ${optionalString cfg.homeBinInPath '' + # ~/bin if it exists overrides other bin directories. + export PATH="$HOME/bin:$PATH" + ''} ''; system.activationScripts.binsh = stringAfter [ "stdio" ] diff --git a/nixpkgs/nixos/modules/config/swap.nix b/nixpkgs/nixos/modules/config/swap.nix index fed3fa3bc7c8..d0fc0d4a3ea4 100644 --- a/nixpkgs/nixos/modules/config/swap.nix +++ b/nixpkgs/nixos/modules/config/swap.nix @@ -58,7 +58,7 @@ let device = mkOption { example = "/dev/sda3"; type = types.str; - description = "Path of the device."; + description = "Path of the device or swap file."; }; label = mkOption { diff --git a/nixpkgs/nixos/modules/config/sysctl.nix b/nixpkgs/nixos/modules/config/sysctl.nix index fb2b58eed720..e59c7a32c287 100644 --- a/nixpkgs/nixos/modules/config/sysctl.nix +++ b/nixpkgs/nixos/modules/config/sysctl.nix @@ -54,7 +54,7 @@ in # Hide kernel pointers (e.g. in /proc/modules) for unprivileged # users as these make it easier to exploit kernel vulnerabilities. - boot.kernel.sysctl."kernel.kptr_restrict" = 1; + boot.kernel.sysctl."kernel.kptr_restrict" = mkDefault 1; # Disable YAMA by default to allow easy debugging. boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 0; diff --git a/nixpkgs/nixos/modules/config/system-environment.nix b/nixpkgs/nixos/modules/config/system-environment.nix index 792d1dbb38f6..4888740ba3d5 100644 --- a/nixpkgs/nixos/modules/config/system-environment.nix +++ b/nixpkgs/nixos/modules/config/system-environment.nix @@ -8,11 +8,6 @@ let cfg = config.environment; - pamProfiles = - map - (replaceStrings ["$HOME" "$USER"] ["@{HOME}" "@{PAM_USER}"]) - cfg.profiles; - in { @@ -75,19 +70,31 @@ in let suffixedVariables = flip mapAttrs cfg.profileRelativeSessionVariables (envVar: suffixes: - flip concatMap pamProfiles (profile: + flip concatMap cfg.profiles (profile: map (suffix: "${profile}${suffix}") suffixes ) ); + # We're trying to use the same syntax for PAM variables and env variables. + # That means we need to map the env variables that people might use to their + # equivalent PAM variable. + replaceEnvVars = replaceStrings ["$HOME" "$USER"] ["@{HOME}" "@{PAM_USER}"]; + pamVariable = n: v: - ''${n} DEFAULT="${concatStringsSep ":" (toList v)}"''; + ''${n} DEFAULT="${concatStringsSep ":" (map replaceEnvVars (toList v))}"''; pamVariables = concatStringsSep "\n" (mapAttrsToList pamVariable (zipAttrsWith (n: concatLists) [ + # Make sure security wrappers are prioritized without polluting + # shell environments with an extra entry. Sessions which depend on + # pam for its environment will otherwise have eg. broken sudo. In + # particular Gnome Shell sometimes fails to source a proper + # environment from a shell. + { PATH = [ config.security.wrapperDir ]; } + (mapAttrs (n: toList) cfg.sessionVariables) suffixedVariables ])); diff --git a/nixpkgs/nixos/modules/config/unix-odbc-drivers.nix b/nixpkgs/nixos/modules/config/unix-odbc-drivers.nix index 8dd811727389..abc12a627d6f 100644 --- a/nixpkgs/nixos/modules/config/unix-odbc-drivers.nix +++ b/nixpkgs/nixos/modules/config/unix-odbc-drivers.nix @@ -24,7 +24,7 @@ in { Specifies Unix ODBC drivers to be registered in <filename>/etc/odbcinst.ini</filename>. You may also want to add <literal>pkgs.unixODBC</literal> to the system path to get - a command line client to connnect to ODBC databases. + a command line client to connect to ODBC databases. ''; }; }; diff --git a/nixpkgs/nixos/modules/config/update-users-groups.pl b/nixpkgs/nixos/modules/config/update-users-groups.pl index ee5c77c1a908..e97d46ccf7f7 100644 --- a/nixpkgs/nixos/modules/config/update-users-groups.pl +++ b/nixpkgs/nixos/modules/config/update-users-groups.pl @@ -57,12 +57,12 @@ sub allocGid { $gidsUsed{$prevGid} = 1; return $prevGid; } - return allocId(\%gidsUsed, \%gidsPrevUsed, 400, 499, 0, sub { my ($gid) = @_; getgrgid($gid) }); + return allocId(\%gidsUsed, \%gidsPrevUsed, 400, 999, 0, sub { my ($gid) = @_; getgrgid($gid) }); } sub allocUid { my ($name, $isSystemUser) = @_; - my ($min, $max, $up) = $isSystemUser ? (400, 499, 0) : (1000, 29999, 1); + my ($min, $max, $up) = $isSystemUser ? (400, 999, 0) : (1000, 29999, 1); my $prevUid = $uidMap->{$name}; if (defined $prevUid && $prevUid >= $min && $prevUid <= $max && !defined $uidsUsed{$prevUid}) { print STDERR "reviving user '$name' with UID $prevUid\n"; diff --git a/nixpkgs/nixos/modules/config/users-groups.nix b/nixpkgs/nixos/modules/config/users-groups.nix index ba79bd3d6ecc..141e43fec39b 100644 --- a/nixpkgs/nixos/modules/config/users-groups.nix +++ b/nixpkgs/nixos/modules/config/users-groups.nix @@ -251,7 +251,7 @@ let default = []; example = literalExample "[ pkgs.firefox pkgs.thunderbird ]"; description = '' - The set of packages that should be made availabe to the user. + The set of packages that should be made available to the user. This is in contrast to <option>environment.systemPackages</option>, which adds packages to all users. ''; @@ -403,6 +403,10 @@ let filter types.shellPackage.check shells; in { + imports = [ + (mkAliasOptionModule [ "users" "extraUsers" ] [ "users" "users" ]) + (mkAliasOptionModule [ "users" "extraGroups" ] [ "users" "groups" ]) + ]; ###### interface diff --git a/nixpkgs/nixos/modules/config/vpnc.nix b/nixpkgs/nixos/modules/config/vpnc.nix deleted file mode 100644 index 356e007c0a3e..000000000000 --- a/nixpkgs/nixos/modules/config/vpnc.nix +++ /dev/null @@ -1,41 +0,0 @@ -{ config, lib, ... }: - -with lib; - -let - cfg = config.networking.vpnc; - mkServiceDef = name: value: - { - name = "vpnc/${name}.conf"; - value = { text = value; }; - }; - -in -{ - options = { - networking.vpnc = { - services = mkOption { - type = types.attrsOf types.str; - default = {}; - example = literalExample '' - { test = ''' - IPSec gateway 192.168.1.1 - IPSec ID someID - IPSec secret secretKey - Xauth username name - Xauth password pass - '''; - } - ''; - description = - '' - The names of cisco VPNs and their associated definitions - ''; - }; - }; - }; - - config.environment.etc = mapAttrs' mkServiceDef cfg.services; -} - - diff --git a/nixpkgs/nixos/modules/config/xdg/portal.nix b/nixpkgs/nixos/modules/config/xdg/portal.nix index bdbbfda2bb42..95fa8e05fa3f 100644 --- a/nixpkgs/nixos/modules/config/xdg/portal.nix +++ b/nixpkgs/nixos/modules/config/xdg/portal.nix @@ -3,6 +3,10 @@ with lib; { + imports = [ + (mkRenamedOptionModule [ "services" "flatpak" "extraPortals" ] [ "xdg" "portal" "extraPortals" ]) + ]; + options.xdg.portal = { enable = mkEnableOption "<link xlink:href='https://github.com/flatpak/xdg-desktop-portal'>xdg desktop integration</link>"//{ diff --git a/nixpkgs/nixos/modules/config/xdg/sounds.nix b/nixpkgs/nixos/modules/config/xdg/sounds.nix index 148240d631cf..14d6340fc33b 100644 --- a/nixpkgs/nixos/modules/config/xdg/sounds.nix +++ b/nixpkgs/nixos/modules/config/xdg/sounds.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: with lib; { @@ -14,6 +14,10 @@ with lib; }; config = mkIf config.xdg.sounds.enable { + environment.systemPackages = [ + pkgs.sound-theme-freedesktop + ]; + environment.pathsToLink = [ "/share/sounds" ]; diff --git a/nixpkgs/nixos/modules/hardware/all-firmware.nix b/nixpkgs/nixos/modules/hardware/all-firmware.nix index 534fcc34276b..16be8bcfdd7d 100644 --- a/nixpkgs/nixos/modules/hardware/all-firmware.nix +++ b/nixpkgs/nixos/modules/hardware/all-firmware.nix @@ -6,6 +6,14 @@ let cfg = config.hardware; in { + imports = [ + (mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "hardware" "enableRedistributableFirmware" ]) + (mkRenamedOptionModule [ "networking" "enableIntel3945ABGFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) + (mkRenamedOptionModule [ "networking" "enableIntel2100BGFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) + (mkRenamedOptionModule [ "networking" "enableRalinkFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) + (mkRenamedOptionModule [ "networking" "enableRTL8192cFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) + ]; + ###### interface options = { diff --git a/nixpkgs/nixos/modules/hardware/brillo.nix b/nixpkgs/nixos/modules/hardware/brillo.nix new file mode 100644 index 000000000000..e970c9480998 --- /dev/null +++ b/nixpkgs/nixos/modules/hardware/brillo.nix @@ -0,0 +1,22 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.hardware.brillo; +in +{ + options = { + hardware.brillo = { + enable = mkEnableOption '' + Enable brillo in userspace. + This will allow brightness control from users in the video group. + ''; + }; + }; + + + config = mkIf cfg.enable { + services.udev.packages = [ pkgs.brillo ]; + environment.systemPackages = [ pkgs.brillo ]; + }; +} diff --git a/nixpkgs/nixos/modules/hardware/ckb-next.nix b/nixpkgs/nixos/modules/hardware/ckb-next.nix index 20b2756d8b26..fe0ca9f26d54 100644 --- a/nixpkgs/nixos/modules/hardware/ckb-next.nix +++ b/nixpkgs/nixos/modules/hardware/ckb-next.nix @@ -7,6 +7,11 @@ let in { + imports = [ + (mkRenamedOptionModule [ "hardware" "ckb" "enable" ] [ "hardware" "ckb-next" "enable" ]) + (mkRenamedOptionModule [ "hardware" "ckb" "package" ] [ "hardware" "ckb-next" "package" ]) + ]; + options.hardware.ckb-next = { enable = mkEnableOption "the Corsair keyboard/mouse driver"; diff --git a/nixpkgs/nixos/modules/hardware/ksm.nix b/nixpkgs/nixos/modules/hardware/ksm.nix index 99d46c25236e..0938dbdc1101 100644 --- a/nixpkgs/nixos/modules/hardware/ksm.nix +++ b/nixpkgs/nixos/modules/hardware/ksm.nix @@ -6,6 +6,10 @@ let cfg = config.hardware.ksm; in { + imports = [ + (mkRenamedOptionModule [ "hardware" "enableKSM" ] [ "hardware" "ksm" "enable" ]) + ]; + options.hardware.ksm = { enable = mkEnableOption "Kernel Same-Page Merging"; sleep = mkOption { diff --git a/nixpkgs/nixos/modules/hardware/opengl.nix b/nixpkgs/nixos/modules/hardware/opengl.nix index 57cac56bd8ab..89dc5008df58 100644 --- a/nixpkgs/nixos/modules/hardware/opengl.nix +++ b/nixpkgs/nixos/modules/hardware/opengl.nix @@ -31,6 +31,11 @@ let in { + + imports = [ + (mkRenamedOptionModule [ "services" "xserver" "vaapiDrivers" ] [ "hardware" "opengl" "extraPackages" ]) + ]; + options = { hardware.opengl = { diff --git a/nixpkgs/nixos/modules/hardware/steam-hardware.nix b/nixpkgs/nixos/modules/hardware/steam-hardware.nix index 378aeffe71b5..6218c9ffbb9b 100644 --- a/nixpkgs/nixos/modules/hardware/steam-hardware.nix +++ b/nixpkgs/nixos/modules/hardware/steam-hardware.nix @@ -21,5 +21,12 @@ in services.udev.packages = [ pkgs.steamPackages.steam ]; + + # The uinput module needs to be loaded in order to trigger the udev rules + # defined in the steam package for setting permissions on /dev/uinput. + # + # If the udev rules are not triggered, some controllers won't work with + # steam. + boot.kernelModules = [ "uinput" ]; }; } diff --git a/nixpkgs/nixos/modules/hardware/video/displaylink.nix b/nixpkgs/nixos/modules/hardware/video/displaylink.nix index 669ac849cbad..912f53da836a 100644 --- a/nixpkgs/nixos/modules/hardware/video/displaylink.nix +++ b/nixpkgs/nixos/modules/hardware/video/displaylink.nix @@ -19,6 +19,21 @@ in config = mkIf enabled { boot.extraModulePackages = [ evdi ]; + boot.kernelModules = [ "evdi" ]; + + environment.etc."X11/xorg.conf.d/40-displaylink.conf".text = '' + Section "OutputClass" + Identifier "DisplayLink" + MatchDriver "evdi" + Driver "modesetting" + Option "AccelMethod" "none" + EndSection + ''; + + # make the device available + services.xserver.displayManager.sessionCommands = '' + ${lib.getBin pkgs.xorg.xrandr}/bin/xrandr --setprovideroutputsource 1 0 + ''; # Those are taken from displaylink-installer.sh and from Arch Linux AUR package. @@ -47,18 +62,13 @@ in description = "DisplayLink Manager Service"; after = [ "display-manager.service" ]; conflicts = [ "getty@tty7.service" ]; - path = [ pkgs.kmod ]; serviceConfig = { ExecStart = "${displaylink}/bin/DisplayLinkManager"; Restart = "always"; RestartSec = 5; + LogsDirectory = "displaylink"; }; - - preStart = '' - mkdir -p /var/log/displaylink - modprobe evdi - ''; }; }; diff --git a/nixpkgs/nixos/modules/hardware/video/nvidia.nix b/nixpkgs/nixos/modules/hardware/video/nvidia.nix index 3ab2afc97407..1794bb4b433d 100644 --- a/nixpkgs/nixos/modules/hardware/video/nvidia.nix +++ b/nixpkgs/nixos/modules/hardware/video/nvidia.nix @@ -75,7 +75,7 @@ in Note that this configuration will only be successful when a display manager for which the <option>services.xserver.displayManager.setupCommands</option> - option is supported is used; notably, SLiM is not supported. + option is supported is used. ''; }; @@ -111,9 +111,10 @@ in config = mkIf enabled { assertions = [ { - assertion = with config.services.xserver.displayManager; gdm.enable -> !gdm.wayland; - message = "NVIDIA drivers don't support wayland, set services.xserver.displayManager.gdm.wayland=false"; + assertion = with config.services.xserver.displayManager; gdm.nvidiaWayland -> cfg.modesetting.enable; + message = "You cannot use wayland with GDM without modesetting enabled for NVIDIA drivers, set `hardware.nvidia.modesetting.enable = true`"; } + { assertion = !optimusCfg.enable || (optimusCfg.nvidiaBusId != "" && optimusCfg.intelBusId != ""); @@ -197,10 +198,11 @@ in # Create /dev/nvidia-uvm when the nvidia-uvm module is loaded. services.udev.extraRules = '' - KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidiactl c $(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 255'" - KERNEL=="nvidia_modeset", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-modeset c $(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 254'" - KERNEL=="card*", SUBSYSTEM=="drm", DRIVERS=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia%n c $(grep nvidia-frontend /proc/devices | cut -d \ -f 1) %n'" - KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm c $(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'" + KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidiactl c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 255'" + KERNEL=="nvidia_modeset", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-modeset c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 254'" + KERNEL=="card*", SUBSYSTEM=="drm", DRIVERS=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia%n c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) %n'" + KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'" + KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm-tools c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'" ''; boot.blacklistedKernelModules = [ "nouveau" "nvidiafb" ]; diff --git a/nixpkgs/nixos/modules/i18n/input-method/ibus.nix b/nixpkgs/nixos/modules/i18n/input-method/ibus.nix index 8109ef76c402..a3d97619fc45 100644 --- a/nixpkgs/nixos/modules/i18n/input-method/ibus.nix +++ b/nixpkgs/nixos/modules/i18n/input-method/ibus.nix @@ -27,6 +27,10 @@ let }; in { + imports = [ + (mkRenamedOptionModule [ "programs" "ibus" "plugins" ] [ "i18n" "inputMethod" "ibus" "engines" ]) + ]; + options = { i18n.inputMethod.ibus = { engines = mkOption { @@ -53,9 +57,17 @@ in config = mkIf (config.i18n.inputMethod.enabled == "ibus") { i18n.inputMethod.package = ibusPackage; + environment.systemPackages = [ + ibusAutostart + ]; + # Without dconf enabled it is impossible to use IBus - environment.systemPackages = with pkgs; [ - gnome3.dconf ibusAutostart + programs.dconf.enable = true; + + programs.dconf.profiles.ibus = "${ibusPackage}/etc/dconf/profile/ibus"; + + services.dbus.packages = [ + ibusAutostart ]; environment.variables = { diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix index 1578e1547bc1..e0b558dcb0d8 100644 --- a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix +++ b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix @@ -22,20 +22,7 @@ with lib; }); ''; - services.xserver = { - enable = true; - - # Don't start the X server by default. - autorun = mkForce false; - - # Automatically login as nixos. - displayManager.slim = { - enable = true; - defaultUser = "nixos"; - autoLogin = true; - }; - - }; + services.xserver.enable = true; # Provide networkmanager for easy wireless configuration. networking.networkmanager.enable = true; diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix index 0b813bbf37b4..23c3426bff08 100644 --- a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix +++ b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix @@ -10,8 +10,6 @@ with lib; services.xserver.desktopManager.gnome3.enable = true; - services.xserver.displayManager.slim.enable = mkForce false; - # Auto-login as root. services.xserver.displayManager.gdm.autoLogin = { enable = true; diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix index 559899b0a3b1..e00d3f7535b2 100644 --- a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix +++ b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix @@ -11,7 +11,15 @@ with lib; services.xserver = { desktopManager.plasma5 = { enable = true; - enableQt4Support = false; + }; + + # Automatically login as nixos. + displayManager.sddm = { + enable = true; + autoLogin = { + enable = true; + user = "nixos"; + }; }; }; @@ -22,14 +30,8 @@ with lib; system.activationScripts.installerDesktop = let - manualDesktopFile = pkgs.writeScript "nixos-manual.desktop" '' - [Desktop Entry] - Version=1.0 - Type=Application - Name=NixOS Manual - Exec=firefox ${config.system.build.manual.manual}/share/doc/nixos/index.html - Icon=text-html - ''; + # Comes from documentation.nix when xserver and nixos.enable are true. + manualDesktopFile = "/run/current-system/sw/share/applications/nixos-manual.desktop"; homeDir = "/home/nixos/"; desktopDir = homeDir + "Desktop/"; diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix b/nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix index d5c92cfc1d9e..11319e5f4f82 100644 --- a/nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix @@ -24,7 +24,7 @@ let # Name appended to menuentry defaults to params if no specific name given. option.name or (if option ? params then "(${option.params})" else "") }' ${if option ? class then " --class ${option.class}" else ""} { - linux ${defaults.image} ${defaults.params} ${ + linux ${defaults.image} \''${isoboot} ${defaults.params} ${ option.params or "" } initrd ${defaults.initrd} @@ -165,8 +165,8 @@ let else "# No refind for ${targetArch}" ; - - grubPkgs = if config.boot.loader.grub.forcei686 then pkgs.pkgsi686Linux else pkgs; + + grubPkgs = if config.boot.loader.grub.forcei686 then pkgs.pkgsi686Linux else pkgs; grubMenuCfg = '' # @@ -268,6 +268,12 @@ let set timeout=10 ${grubMenuCfg} + # If the parameter iso_path is set, append the findiso parameter to the kernel + # line. We need this to allow the nixos iso to be booted from grub directly. + if [ \''${iso_path} ] ; then + set isoboot="findiso=\''${iso_path}" + fi + # # Menu entries # @@ -284,6 +290,14 @@ let ${buildMenuAdditionalParamsGrub2 config "video=1920x1080@60"} } + # If we boot into a graphical environment where X is autoran + # and always crashes, it makes the media unusable. Allow the user + # to disable this. + submenu "Disable display-manager" --class quirk-disable-displaymanager { + ${grubMenuCfg} + ${buildMenuAdditionalParamsGrub2 config "systemd.mask=display-manager.service"} + } + # Some laptop and convertibles have the panel installed in an # inconvenient way, rotated away from the keyboard. # Those entries makes it easier to use the installer. @@ -562,8 +576,6 @@ in boot.initrd.availableKernelModules = [ "squashfs" "iso9660" "uas" ]; - boot.blacklistedKernelModules = [ "nouveau" ]; - boot.initrd.kernelModules = [ "loop" ]; # Closures to be copied to the Nix store on the CD, namely the init @@ -591,9 +603,6 @@ in { source = config.system.build.squashfsStore; target = "/nix-store.squashfs"; } - { source = config.isoImage.efiSplashImage; - target = "/EFI/boot/efi-background.png"; - } { source = config.isoImage.splashImage; target = "/isolinux/background.png"; } @@ -618,6 +627,9 @@ in { source = "${efiDir}/EFI"; target = "/EFI"; } + { source = (pkgs.writeTextDir "grub/loopback.cfg" "source /EFI/boot/grub.cfg") + "/grub"; + target = "/boot/grub"; + } ] ++ optionals (config.boot.loader.grub.memtest86.enable && canx86BiosBoot) [ { source = "${pkgs.memtest86plus}/memtest.bin"; target = "/boot/memtest.bin"; @@ -626,6 +638,10 @@ in { source = config.isoImage.grubTheme; target = "/EFI/boot/grub-theme"; } + ] ++ [ + { source = config.isoImage.efiSplashImage; + target = "/EFI/boot/efi-background.png"; + } ]; boot.loader.timeout = 10; diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix b/nixpkgs/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix index 2a131d9ce980..ba4127eaa0e8 100644 --- a/nixpkgs/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix +++ b/nixpkgs/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix @@ -19,7 +19,7 @@ in boot.loader.generic-extlinux-compatible.enable = true; boot.consoleLogLevel = lib.mkDefault 7; - boot.kernelPackages = pkgs.linuxPackages_rpi; + boot.kernelPackages = pkgs.linuxPackages_rpi1; sdImage = { populateFirmwareCommands = let diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/sd-image-raspberrypi4.nix b/nixpkgs/nixos/modules/installer/cd-dvd/sd-image-raspberrypi4.nix new file mode 100644 index 000000000000..c545a1e7e242 --- /dev/null +++ b/nixpkgs/nixos/modules/installer/cd-dvd/sd-image-raspberrypi4.nix @@ -0,0 +1,31 @@ +# To build, use: +# nix-build nixos -I nixos-config=nixos/modules/installer/cd-dvd/sd-image-raspberrypi4.nix -A config.system.build.sdImage +{ config, lib, pkgs, ... }: + +{ + imports = [ + ../../profiles/base.nix + ../../profiles/installation-device.nix + ./sd-image.nix + ]; + + boot.loader.grub.enable = false; + boot.loader.raspberryPi.enable = true; + boot.loader.raspberryPi.version = 4; + boot.kernelPackages = pkgs.linuxPackages_rpi4; + + boot.consoleLogLevel = lib.mkDefault 7; + + sdImage = { + firmwareSize = 128; + # This is a hack to avoid replicating config.txt from boot.loader.raspberryPi + populateFirmwareCommands = + "${config.system.build.installBootLoader} ${config.system.build.toplevel} -d ./firmware"; + # As the boot process is done entirely in the firmware partition. + populateRootCommands = ""; + }; + + # the installation media is also the installation target, + # so we don't want to provide the installation configuration.nix. + installer.cloneConfig = false; +} diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/sd-image.nix b/nixpkgs/nixos/modules/installer/cd-dvd/sd-image.nix index a2a8e8ef7522..901c60befb6c 100644 --- a/nixpkgs/nixos/modules/installer/cd-dvd/sd-image.nix +++ b/nixpkgs/nixos/modules/installer/cd-dvd/sd-image.nix @@ -18,6 +18,7 @@ with lib; let rootfsImage = pkgs.callPackage ../../../lib/make-ext4-fs.nix ({ inherit (config.sdImage) storePaths; + compressImage = true; populateImageCommands = config.sdImage.populateRootCommands; volumeLabel = "NIXOS_SD"; } // optionalAttrs (config.sdImage.rootPartitionUUID != null) { @@ -98,6 +99,16 @@ in populate the ./files/boot (/boot) directory. ''; }; + + compressImage = mkOption { + type = types.bool; + default = true; + description = '' + Whether the SD image should be compressed using + <command>bzip2</command>. + ''; + }; + }; config = { @@ -118,23 +129,33 @@ in sdImage.storePaths = [ config.system.build.toplevel ]; - system.build.sdImage = pkgs.callPackage ({ stdenv, dosfstools, e2fsprogs, mtools, libfaketime, utillinux }: stdenv.mkDerivation { + system.build.sdImage = pkgs.callPackage ({ stdenv, dosfstools, e2fsprogs, + mtools, libfaketime, utillinux, bzip2, zstd }: stdenv.mkDerivation { name = config.sdImage.imageName; - nativeBuildInputs = [ dosfstools e2fsprogs mtools libfaketime utillinux ]; + nativeBuildInputs = [ dosfstools e2fsprogs mtools libfaketime utillinux bzip2 zstd ]; + + inherit (config.sdImage) compressImage; buildCommand = '' mkdir -p $out/nix-support $out/sd-image export img=$out/sd-image/${config.sdImage.imageName} echo "${pkgs.stdenv.buildPlatform.system}" > $out/nix-support/system - echo "file sd-image $img" >> $out/nix-support/hydra-build-products + if test -n "$compressImage"; then + echo "file sd-image $img.bz2" >> $out/nix-support/hydra-build-products + else + echo "file sd-image $img" >> $out/nix-support/hydra-build-products + fi + + echo "Decompressing rootfs image" + zstd -d --no-progress "${rootfsImage}" -o ./root-fs.img # Gap in front of the first partition, in MiB gap=8 # Create the image file sized to fit /boot/firmware and /, plus slack for the gap. - rootSizeBlocks=$(du -B 512 --apparent-size ${rootfsImage} | awk '{ print $1 }') + rootSizeBlocks=$(du -B 512 --apparent-size ./root-fs.img | awk '{ print $1 }') firmwareSizeBlocks=$((${toString config.sdImage.firmwareSize} * 1024 * 1024 / 512)) imageSize=$((rootSizeBlocks * 512 + firmwareSizeBlocks * 512 + gap * 1024 * 1024)) truncate -s $imageSize $img @@ -152,7 +173,7 @@ in # Copy the rootfs into the SD image eval $(partx $img -o START,SECTORS --nr 2 --pairs) - dd conv=notrunc if=${rootfsImage} of=$img seek=$START count=$SECTORS + dd conv=notrunc if=./root-fs.img of=$img seek=$START count=$SECTORS # Create a FAT32 /boot/firmware partition of suitable size into firmware_part.img eval $(partx $img -o START,SECTORS --nr 1 --pairs) @@ -168,6 +189,9 @@ in # Verify the FAT partition before copying it. fsck.vfat -vn firmware_part.img dd conv=notrunc if=firmware_part.img of=$img seek=$START count=$SECTORS + if test -n "$compressImage"; then + bzip2 $img + fi ''; }) {}; diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball-pc.nix b/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball-pc.nix index bf8b7deb59eb..f2af7dcde3d5 100644 --- a/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball-pc.nix +++ b/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball-pc.nix @@ -122,11 +122,10 @@ in /* fake entry, just to have a happy stage-1. Users may boot without having stage-1 though */ - fileSystems = [ + fileSystems.fake = { mountPoint = "/"; device = "/dev/something"; - } - ]; + }; nixpkgs.config = { packageOverrides = p: { diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix b/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix index 90a5128c02a5..8408f56f94f9 100644 --- a/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix +++ b/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix @@ -117,11 +117,10 @@ in /* fake entry, just to have a happy stage-1. Users may boot without having stage-1 though */ - fileSystems = [ + fileSystems.fake = { mountPoint = "/"; device = "/dev/something"; - } - ]; + }; services.mingetty = { # Some more help text. diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball.nix b/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball.nix index b84096861f56..58098c45535d 100644 --- a/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball.nix +++ b/nixpkgs/nixos/modules/installer/cd-dvd/system-tarball.nix @@ -41,7 +41,7 @@ in # In stage 1 of the boot, mount the CD/DVD as the root FS by label # so that we don't need to know its device. - fileSystems = [ ]; + fileSystems = { }; # boot.initrd.availableKernelModules = [ "mvsdio" "reiserfs" "ext3" "ext4" ]; diff --git a/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix index 2673887d2b96..c2f2578733ba 100644 --- a/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix +++ b/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix @@ -1,6 +1,6 @@ { - x86_64-linux = "/nix/store/3ds3cgji9vjxdbgp10av6smyym1126d1-nix-2.3"; - i686-linux = "/nix/store/ln1ndqvfpc9cdl03vqxi6kvlxm9wfv9g-nix-2.3"; - aarch64-linux = "/nix/store/n8a1rwzrp20qcr2c4hvyn6c5q9zx8csw-nix-2.3"; - x86_64-darwin = "/nix/store/jq6npmpld02sz4rgniz0qrsdfnm6j17a-nix-2.3"; + x86_64-linux = "/nix/store/0q5qnh10m2sfrriszc1ysmggw659q6qm-nix-2.3.2"; + i686-linux = "/nix/store/i7ad7r5d8a5b3l22hg4a1im2qq05y6vd-nix-2.3.2"; + aarch64-linux = "/nix/store/bv06pavfw0dbqzr8w3l7s71nx27gnxa0-nix-2.3.2"; + x86_64-darwin = "/nix/store/x6mnl1nij7y4v5ihlplr4k937ayr403r-nix-2.3.2"; } diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl b/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl index cfdbdaabf5c5..629c56814a16 100644 --- a/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl @@ -335,6 +335,9 @@ if (@swaps) { next unless -e $swapFilename; my $dev = findStableDevPath $swapFilename; if ($swapType =~ "partition") { + # zram devices are more likely created by configuration.nix, so + # ignore them here + next if ($swapFilename =~ /^\/dev\/zram/); push @swapDevices, "{ device = \"$dev\"; }"; } elsif ($swapType =~ "file") { # swap *files* are more likely specified in configuration.nix, so @@ -498,7 +501,7 @@ if (-f $fb_modes_file && -r $fb_modes_file) { my $console_width = $1, my $console_height = $2; if ($console_width > 1920) { push @attrs, "# High-DPI console"; - push @attrs, 'i18n.consoleFont = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";'; + push @attrs, 'console.font = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";'; } } @@ -563,6 +566,24 @@ $fsAndSwap ${\join "", (map { " $_\n" } (uniq @attrs))}} EOF +sub generateNetworkingDhcpConfig { + my $config = <<EOF; + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; +EOF + + foreach my $path (glob "/sys/class/net/*") { + my $dev = basename($path); + if ($dev ne "lo") { + $config .= " networking.interfaces.$dev.useDHCP = true;\n"; + } + } + + return $config; +} + if ($showHardwareConfig) { print STDOUT $hwConfig; @@ -606,6 +627,8 @@ EOF EOF } + my $networkingDhcpConfig = generateNetworkingDhcpConfig(); + write_file($fn, <<EOF); @configuration@ EOF diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-install.sh b/nixpkgs/nixos/modules/installer/tools/nixos-install.sh index 8685cb345e1e..a3ff3fe2c0c1 100644 --- a/nixpkgs/nixos/modules/installer/tools/nixos-install.sh +++ b/nixpkgs/nixos/modules/installer/tools/nixos-install.sh @@ -14,6 +14,8 @@ extraBuildFlags=() mountPoint=/mnt channelPath= system= +verbosity=() +buildLogs= while [ "$#" -gt 0 ]; do i="$1"; shift 1 @@ -55,6 +57,12 @@ while [ "$#" -gt 0 ]; do --debug) set -x ;; + -v*|--verbose) + verbosity+=("$i") + ;; + -L|--print-build-logs) + buildLogs="$i" + ;; *) echo "$0: unknown option \`$i'" exit 1 @@ -94,7 +102,7 @@ if [[ -z $system ]]; then outLink="$tmpdir/system" nix build --out-link "$outLink" --store "$mountPoint" "${extraBuildFlags[@]}" \ --extra-substituters "$sub" \ - -f '<nixpkgs/nixos>' system -I "nixos-config=$NIXOS_CONFIG" + -f '<nixpkgs/nixos>' system -I "nixos-config=$NIXOS_CONFIG" ${verbosity[@]} ${buildLogs} system=$(readlink -f $outLink) fi @@ -103,7 +111,7 @@ fi # a progress bar. nix-env --store "$mountPoint" "${extraBuildFlags[@]}" \ --extra-substituters "$sub" \ - -p $mountPoint/nix/var/nix/profiles/system --set "$system" + -p $mountPoint/nix/var/nix/profiles/system --set "$system" ${verbosity[@]} # Copy the NixOS/Nixpkgs sources to the target as the initial contents # of the NixOS channel. @@ -115,7 +123,8 @@ if [[ -z $noChannelCopy ]]; then echo "copying channel..." mkdir -p $mountPoint/nix/var/nix/profiles/per-user/root nix-env --store "$mountPoint" "${extraBuildFlags[@]}" --extra-substituters "$sub" \ - -p $mountPoint/nix/var/nix/profiles/per-user/root/channels --set "$channelPath" --quiet + -p $mountPoint/nix/var/nix/profiles/per-user/root/channels --set "$channelPath" --quiet \ + ${verbosity[@]} install -m 0700 -d $mountPoint/root/.nix-defexpr ln -sfn /nix/var/nix/profiles/per-user/root/channels $mountPoint/root/.nix-defexpr/channels fi diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-option.sh b/nixpkgs/nixos/modules/installer/tools/nixos-option.sh deleted file mode 100644 index 4560e9c7403a..000000000000 --- a/nixpkgs/nixos/modules/installer/tools/nixos-option.sh +++ /dev/null @@ -1,327 +0,0 @@ -#! @shell@ -e - -# FIXME: rewrite this in a more suitable language. - -usage () { - exec man nixos-option - exit 1 -} - -##################### -# Process Arguments # -##################### - -xml=false -verbose=false -nixPath="" - -option="" -exit_code=0 - -argfun="" -for arg; do - if test -z "$argfun"; then - case $arg in - -*) - sarg="$arg" - longarg="" - while test "$sarg" != "-"; do - case $sarg in - --*) longarg=$arg; sarg="--";; - -I) argfun="include_nixpath";; - -*) usage;; - esac - # remove the first letter option - sarg="-${sarg#??}" - done - ;; - *) longarg=$arg;; - esac - for larg in $longarg; do - case $larg in - --xml) xml=true;; - --verbose) verbose=true;; - --help) usage;; - -*) usage;; - *) if test -z "$option"; then - option="$larg" - else - usage - fi;; - esac - done - else - case $argfun in - set_*) - var=$(echo $argfun | sed 's,^set_,,') - eval $var=$arg - ;; - include_nixpath) - nixPath="-I $arg $nixPath" - ;; - esac - argfun="" - fi -done - -if $verbose; then - set -x -else - set +x -fi - -############################# -# Process the configuration # -############################# - -evalNix(){ - # disable `-e` flag, it's possible that the evaluation of `nix-instantiate` fails (e.g. due to broken pkgs) - set +e - result=$(nix-instantiate ${nixPath:+$nixPath} - --eval-only "$@" 2>&1) - exit_code=$? - set -e - - if test $exit_code -eq 0; then - sed '/^warning: Nix search path/d' <<EOF -$result -EOF - return 0; - else - sed -n ' - /^error/ { s/, at (string):[0-9]*:[0-9]*//; p; }; - /^warning: Nix search path/ { p; }; -' >&2 <<EOF -$result -EOF - exit_code=1 - fi -} - -header="let - nixos = import <nixpkgs/nixos> {}; - nixpkgs = import <nixpkgs> {}; -in with nixpkgs.lib; -" - -# This function is used for converting the option definition path given by -# the user into accessors for reaching the definition and the declaration -# corresponding to this option. -generateAccessors(){ - if result=$(evalNix --strict --show-trace <<EOF -$header - -let - path = "${option:+$option}"; - pathList = splitString "." path; - - walkOptions = attrsNames: result: - if attrsNames == [] then - result - else - let name = head attrsNames; rest = tail attrsNames; in - if isOption result.options then - walkOptions rest { - options = result.options.type.getSubOptions ""; - opt = ''(\${result.opt}.type.getSubOptions "")''; - cfg = ''\${result.cfg}."\${name}"''; - } - else - walkOptions rest { - options = result.options.\${name}; - opt = ''\${result.opt}."\${name}"''; - cfg = ''\${result.cfg}."\${name}"''; - } - ; - - walkResult = (if path == "" then x: x else walkOptions pathList) { - options = nixos.options; - opt = ''nixos.options''; - cfg = ''nixos.config''; - }; - -in - ''let option = \${walkResult.opt}; config = \${walkResult.cfg}; in'' -EOF -) - then - echo $result - else - # In case of error we want to ignore the error message roduced by the - # script above, as it is iterating over each attribute, which does not - # produce a nice error message. The following code is a fallback - # solution which is cause a nicer error message in the next - # evaluation. - echo "\"let option = nixos.options${option:+.$option}; config = nixos.config${option:+.$option}; in\"" - fi -} - -header="$header -$(eval echo $(generateAccessors)) -" - -evalAttr(){ - local prefix="$1" - local strict="$2" - local suffix="$3" - - # If strict is set, then set it to "true". - test -n "$strict" && strict=true - - evalNix ${strict:+--strict} <<EOF -$header - -let - value = $prefix${suffix:+.$suffix}; - strict = ${strict:-false}; - cleanOutput = x: with nixpkgs.lib; - if isDerivation x then x.outPath - else if isFunction x then "<CODE>" - else if strict then - if isAttrs x then mapAttrs (n: cleanOutput) x - else if isList x then map cleanOutput x - else x - else x; -in - cleanOutput value -EOF -} - -evalOpt(){ - evalAttr "option" "" "$@" -} - -evalCfg(){ - local strict="$1" - evalAttr "config" "$strict" -} - -findSources(){ - local suffix=$1 - evalNix --strict <<EOF -$header - -option.$suffix -EOF -} - -# Given a result from nix-instantiate, recover the list of attributes it -# contains. -attrNames() { - local attributeset=$1 - # sed is used to replace un-printable subset by 0s, and to remove most of - # the inner-attribute set, which reduce the likelyhood to encounter badly - # pre-processed input. - echo "builtins.attrNames $attributeset" | \ - sed 's,<[A-Z]*>,0,g; :inner; s/{[^\{\}]*};/0;/g; t inner;' | \ - evalNix --strict -} - -# map a simple list which contains strings or paths. -nixMap() { - local fun="$1" - local list="$2" - local elem - for elem in $list; do - test $elem = '[' -o $elem = ']' && continue; - $fun $elem - done -} - -# This duplicates the work made below, but it is useful for processing -# the output of nixos-option with other tools such as nixos-gui. -if $xml; then - evalNix --xml --no-location <<EOF -$header - -let - sources = builtins.map (f: f.source); - opt = option; - cfg = config; -in - -with nixpkgs.lib; - -let - optStrict = v: - let - traverse = x : - if isAttrs x then - if x ? outPath then true - else all id (mapAttrsFlatten (n: traverseNoAttrs) x) - else traverseNoAttrs x; - traverseNoAttrs = x: - # do not continue in attribute sets - if isAttrs x then true - else if isList x then all id (map traverse x) - else true; - in assert traverse v; v; -in - -if isOption opt then - optStrict ({} - // optionalAttrs (opt ? default) { inherit (opt) default; } - // optionalAttrs (opt ? example) { inherit (opt) example; } - // optionalAttrs (opt ? description) { inherit (opt) description; } - // optionalAttrs (opt ? type) { typename = opt.type.description; } - // optionalAttrs (opt ? options) { inherit (opt) options; } - // { - # to disambiguate the xml output. - _isOption = true; - declarations = sources opt.declarations; - definitions = sources opt.definitions; - value = cfg; - }) -else - opt -EOF - exit $? -fi - -if test "$(evalOpt "_type" 2> /dev/null)" = '"option"'; then - echo "Value:" - evalCfg 1 - - echo - - echo "Default:" - if default=$(evalOpt "default" - 2> /dev/null); then - echo "$default" - else - echo "<None>" - fi - echo - if example=$(evalOpt "example" - 2> /dev/null); then - echo "Example:" - echo "$example" - echo - fi - echo "Description:" - echo - echo $(evalOpt "description") - - echo $desc; - - printPath () { echo " $1"; } - - echo "Declared by:" - nixMap printPath "$(findSources "declarations")" - echo - echo "Defined by:" - nixMap printPath "$(findSources "files")" - echo - -else - # echo 1>&2 "Warning: This value is not an option." - - result=$(evalCfg "") - if [ ! -z "$result" ]; then - names=$(attrNames "$result" 2> /dev/null) - echo 1>&2 "This attribute set contains:" - escapeQuotes () { eval echo "$1"; } - nixMap escapeQuotes "$names" - else - echo 1>&2 "An error occurred while looking for attribute names. Are you sure that '$option' exists?" - fi -fi - -exit $exit_code diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-option/CMakeLists.txt b/nixpkgs/nixos/modules/installer/tools/nixos-option/CMakeLists.txt new file mode 100644 index 000000000000..e5834598c4fd --- /dev/null +++ b/nixpkgs/nixos/modules/installer/tools/nixos-option/CMakeLists.txt @@ -0,0 +1,8 @@ +cmake_minimum_required (VERSION 2.6) +project (nixos-option) + +add_executable(nixos-option nixos-option.cc libnix-copy-paste.cc) +target_link_libraries(nixos-option PRIVATE -lnixmain -lnixexpr -lnixstore -lnixutil) +target_compile_features(nixos-option PRIVATE cxx_std_17) + +install (TARGETS nixos-option DESTINATION bin) diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-option/default.nix b/nixpkgs/nixos/modules/installer/tools/nixos-option/default.nix new file mode 100644 index 000000000000..753fd92c7bbf --- /dev/null +++ b/nixpkgs/nixos/modules/installer/tools/nixos-option/default.nix @@ -0,0 +1,11 @@ +{lib, stdenv, boost, cmake, pkgconfig, nix, ... }: +stdenv.mkDerivation rec { + name = "nixos-option"; + src = ./.; + nativeBuildInputs = [ cmake pkgconfig ]; + buildInputs = [ boost nix ]; + meta = { + license = stdenv.lib.licenses.lgpl2Plus; + maintainers = with lib.maintainers; [ chkno ]; + }; +} diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-option/libnix-copy-paste.cc b/nixpkgs/nixos/modules/installer/tools/nixos-option/libnix-copy-paste.cc new file mode 100644 index 000000000000..875c07da6399 --- /dev/null +++ b/nixpkgs/nixos/modules/installer/tools/nixos-option/libnix-copy-paste.cc @@ -0,0 +1,83 @@ +// These are useful methods inside the nix library that ought to be exported. +// Since they are not, copy/paste them here. +// TODO: Delete these and use the ones in the library as they become available. + +#include <nix/config.h> // for nix/globals.hh's reference to SYSTEM + +#include "libnix-copy-paste.hh" +#include <boost/format/alt_sstream.hpp> // for basic_altstringbuf... +#include <boost/format/alt_sstream_impl.hpp> // for basic_altstringbuf... +#include <boost/format/format_class.hpp> // for basic_format +#include <boost/format/format_fwd.hpp> // for format +#include <boost/format/format_implementation.hpp> // for basic_format::basi... +#include <boost/optional/optional.hpp> // for get_pointer +#include <iostream> // for operator<<, basic_... +#include <nix/types.hh> // for Strings, Error +#include <string> // for string, basic_string + +using boost::format; +using nix::Error; +using nix::Strings; +using std::string; + +// From nix/src/libexpr/attr-path.cc +Strings parseAttrPath(const string & s) +{ + Strings res; + string cur; + string::const_iterator i = s.begin(); + while (i != s.end()) { + if (*i == '.') { + res.push_back(cur); + cur.clear(); + } else if (*i == '"') { + ++i; + while (1) { + if (i == s.end()) + throw Error(format("missing closing quote in selection path '%1%'") % s); + if (*i == '"') + break; + cur.push_back(*i++); + } + } else + cur.push_back(*i); + ++i; + } + if (!cur.empty()) + res.push_back(cur); + return res; +} + +// From nix/src/nix/repl.cc +bool isVarName(const string & s) +{ + if (s.size() == 0) + return false; + char c = s[0]; + if ((c >= '0' && c <= '9') || c == '-' || c == '\'') + return false; + for (auto & i : s) + if (!((i >= 'a' && i <= 'z') || (i >= 'A' && i <= 'Z') || (i >= '0' && i <= '9') || i == '_' || i == '-' || + i == '\'')) + return false; + return true; +} + +// From nix/src/nix/repl.cc +std::ostream & printStringValue(std::ostream & str, const char * string) +{ + str << "\""; + for (const char * i = string; *i; i++) + if (*i == '\"' || *i == '\\') + str << "\\" << *i; + else if (*i == '\n') + str << "\\n"; + else if (*i == '\r') + str << "\\r"; + else if (*i == '\t') + str << "\\t"; + else + str << *i; + str << "\""; + return str; +} diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-option/libnix-copy-paste.hh b/nixpkgs/nixos/modules/installer/tools/nixos-option/libnix-copy-paste.hh new file mode 100644 index 000000000000..2274e9a0f853 --- /dev/null +++ b/nixpkgs/nixos/modules/installer/tools/nixos-option/libnix-copy-paste.hh @@ -0,0 +1,9 @@ +#pragma once + +#include <iostream> +#include <nix/types.hh> +#include <string> + +nix::Strings parseAttrPath(const std::string & s); +bool isVarName(const std::string & s); +std::ostream & printStringValue(std::ostream & str, const char * string); diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-option/nixos-option.cc b/nixpkgs/nixos/modules/installer/tools/nixos-option/nixos-option.cc new file mode 100644 index 000000000000..9b92dc829cd1 --- /dev/null +++ b/nixpkgs/nixos/modules/installer/tools/nixos-option/nixos-option.cc @@ -0,0 +1,618 @@ +#include <nix/config.h> // for nix/globals.hh's reference to SYSTEM + +#include <exception> // for exception_ptr, current_exception +#include <functional> // for function +#include <iostream> // for operator<<, basic_ostream, ostrin... +#include <iterator> // for next +#include <list> // for _List_iterator +#include <memory> // for allocator, unique_ptr, make_unique +#include <new> // for operator new +#include <nix/args.hh> // for argvToStrings, UsageError +#include <nix/attr-path.hh> // for findAlongAttrPath +#include <nix/attr-set.hh> // for Attr, Bindings, Bindings::iterator +#include <nix/common-eval-args.hh> // for MixEvalArgs +#include <nix/eval-inline.hh> // for EvalState::forceValue +#include <nix/eval.hh> // for EvalState, initGC, operator<< +#include <nix/globals.hh> // for initPlugins, Settings, settings +#include <nix/nixexpr.hh> // for Pos +#include <nix/shared.hh> // for getArg, LegacyArgs, printVersion +#include <nix/store-api.hh> // for openStore +#include <nix/symbol-table.hh> // for Symbol, SymbolTable +#include <nix/types.hh> // for Error, Path, Strings, PathSet +#include <nix/util.hh> // for absPath, baseNameOf +#include <nix/value.hh> // for Value, Value::(anonymous), Value:... +#include <string> // for string, operator+, operator== +#include <utility> // for move +#include <variant> // for get, holds_alternative, variant +#include <vector> // for vector<>::iterator, vector + +#include "libnix-copy-paste.hh" + +using nix::absPath; +using nix::Bindings; +using nix::Error; +using nix::EvalError; +using nix::EvalState; +using nix::Path; +using nix::PathSet; +using nix::Strings; +using nix::Symbol; +using nix::tAttrs; +using nix::ThrownError; +using nix::tLambda; +using nix::tString; +using nix::UsageError; +using nix::Value; + +// An ostream wrapper to handle nested indentation +class Out +{ + public: + class Separator + {}; + const static Separator sep; + enum LinePolicy + { + ONE_LINE, + MULTI_LINE + }; + explicit Out(std::ostream & ostream) : ostream(ostream), policy(ONE_LINE), writeSinceSep(true) {} + Out(Out & o, const std::string & start, const std::string & end, LinePolicy policy); + Out(Out & o, const std::string & start, const std::string & end, int count) + : Out(o, start, end, count < 2 ? ONE_LINE : MULTI_LINE) + {} + Out(const Out &) = delete; + Out(Out &&) = default; + Out & operator=(const Out &) = delete; + Out & operator=(Out &&) = delete; + ~Out() { ostream << end; } + + private: + std::ostream & ostream; + std::string indentation; + std::string end; + LinePolicy policy; + bool writeSinceSep; + template <typename T> friend Out & operator<<(Out & o, T thing); +}; + +template <typename T> Out & operator<<(Out & o, T thing) +{ + if (!o.writeSinceSep && o.policy == Out::MULTI_LINE) { + o.ostream << o.indentation; + } + o.writeSinceSep = true; + o.ostream << thing; + return o; +} + +template <> Out & operator<<<Out::Separator>(Out & o, Out::Separator /* thing */) +{ + o.ostream << (o.policy == Out::ONE_LINE ? " " : "\n"); + o.writeSinceSep = false; + return o; +} + +Out::Out(Out & o, const std::string & start, const std::string & end, LinePolicy policy) + : ostream(o.ostream), indentation(policy == ONE_LINE ? o.indentation : o.indentation + " "), + end(policy == ONE_LINE ? end : o.indentation + end), policy(policy), writeSinceSep(true) +{ + o << start; + *this << Out::sep; +} + +// Stuff needed for evaluation +struct Context +{ + Context(EvalState & state, Bindings & autoArgs, Value optionsRoot, Value configRoot) + : state(state), autoArgs(autoArgs), optionsRoot(optionsRoot), configRoot(configRoot), + underscoreType(state.symbols.create("_type")) + {} + EvalState & state; + Bindings & autoArgs; + Value optionsRoot; + Value configRoot; + Symbol underscoreType; +}; + +Value evaluateValue(Context & ctx, Value & v) +{ + ctx.state.forceValue(v); + if (ctx.autoArgs.empty()) { + return v; + } + Value called{}; + ctx.state.autoCallFunction(ctx.autoArgs, v, called); + return called; +} + +bool isOption(Context & ctx, const Value & v) +{ + if (v.type != tAttrs) { + return false; + } + const auto & atualType = v.attrs->find(ctx.underscoreType); + if (atualType == v.attrs->end()) { + return false; + } + try { + Value evaluatedType = evaluateValue(ctx, *atualType->value); + if (evaluatedType.type != tString) { + return false; + } + return static_cast<std::string>(evaluatedType.string.s) == "option"; + } catch (Error &) { + return false; + } +} + +// Add quotes to a component of a path. +// These are needed for paths like: +// fileSystems."/".fsType +// systemd.units."dbus.service".text +std::string quoteAttribute(const std::string & attribute) +{ + if (isVarName(attribute)) { + return attribute; + } + std::ostringstream buf; + printStringValue(buf, attribute.c_str()); + return buf.str(); +} + +const std::string appendPath(const std::string & prefix, const std::string & suffix) +{ + if (prefix.empty()) { + return quoteAttribute(suffix); + } + return prefix + "." + quoteAttribute(suffix); +} + +bool forbiddenRecursionName(std::string name) { return (!name.empty() && name[0] == '_') || name == "haskellPackages"; } + +void recurse(const std::function<bool(const std::string & path, std::variant<Value, std::exception_ptr>)> & f, + Context & ctx, Value v, const std::string & path) +{ + std::variant<Value, std::exception_ptr> evaluated; + try { + evaluated = evaluateValue(ctx, v); + } catch (Error &) { + evaluated = std::current_exception(); + } + if (!f(path, evaluated)) { + return; + } + if (std::holds_alternative<std::exception_ptr>(evaluated)) { + return; + } + const Value & evaluated_value = std::get<Value>(evaluated); + if (evaluated_value.type != tAttrs) { + return; + } + for (const auto & child : evaluated_value.attrs->lexicographicOrder()) { + if (forbiddenRecursionName(child->name)) { + continue; + } + recurse(f, ctx, *child->value, appendPath(path, child->name)); + } +} + +// Calls f on all the option names +void mapOptions(const std::function<void(const std::string & path)> & f, Context & ctx, Value root) +{ + recurse( + [f, &ctx](const std::string & path, std::variant<Value, std::exception_ptr> v) { + bool isOpt = std::holds_alternative<std::exception_ptr>(v) || isOption(ctx, std::get<Value>(v)); + if (isOpt) { + f(path); + } + return !isOpt; + }, + ctx, root, ""); +} + +// Calls f on all the config values inside one option. +// Simple options have one config value inside, like sound.enable = true. +// Compound options have multiple config values. For example, the option +// "users.users" has about 1000 config values inside it: +// users.users.avahi.createHome = false; +// users.users.avahi.cryptHomeLuks = null; +// users.users.avahi.description = "`avahi-daemon' privilege separation user"; +// ... +// users.users.avahi.openssh.authorizedKeys.keyFiles = [ ]; +// users.users.avahi.openssh.authorizedKeys.keys = [ ]; +// ... +// users.users.avahi.uid = 10; +// users.users.avahi.useDefaultShell = false; +// users.users.cups.createHome = false; +// ... +// users.users.cups.useDefaultShell = false; +// users.users.gdm = ... ... ... +// users.users.messagebus = ... .. ... +// users.users.nixbld1 = ... .. ... +// ... +// users.users.systemd-timesync = ... .. ... +void mapConfigValuesInOption( + const std::function<void(const std::string & path, std::variant<Value, std::exception_ptr> v)> & f, + const std::string & path, Context & ctx) +{ + Value * option; + try { + option = findAlongAttrPath(ctx.state, path, ctx.autoArgs, ctx.configRoot); + } catch (Error &) { + f(path, std::current_exception()); + return; + } + recurse( + [f, ctx](const std::string & path, std::variant<Value, std::exception_ptr> v) { + bool leaf = std::holds_alternative<std::exception_ptr>(v) || std::get<Value>(v).type != tAttrs || + ctx.state.isDerivation(std::get<Value>(v)); + if (!leaf) { + return true; // Keep digging + } + f(path, v); + return false; + }, + ctx, *option, path); +} + +std::string describeError(const Error & e) { return "«error: " + e.msg() + "»"; } + +void describeDerivation(Context & ctx, Out & out, Value v) +{ + // Copy-pasted from nix/src/nix/repl.cc :( + Bindings::iterator i = v.attrs->find(ctx.state.sDrvPath); + PathSet pathset; + try { + Path drvPath = i != v.attrs->end() ? ctx.state.coerceToPath(*i->pos, *i->value, pathset) : "???"; + out << "«derivation " << drvPath << "»"; + } catch (Error & e) { + out << describeError(e); + } +} + +Value parseAndEval(EvalState & state, const std::string & expression, const std::string & path) +{ + Value v{}; + state.eval(state.parseExprFromString(expression, absPath(path)), v); + return v; +} + +void printValue(Context & ctx, Out & out, std::variant<Value, std::exception_ptr> maybeValue, const std::string & path); + +void printList(Context & ctx, Out & out, Value & v) +{ + Out listOut(out, "[", "]", v.listSize()); + for (unsigned int n = 0; n < v.listSize(); ++n) { + printValue(ctx, listOut, *v.listElems()[n], ""); + listOut << Out::sep; + } +} + +void printAttrs(Context & ctx, Out & out, Value & v, const std::string & path) +{ + Out attrsOut(out, "{", "}", v.attrs->size()); + for (const auto & a : v.attrs->lexicographicOrder()) { + std::string name = a->name; + attrsOut << name << " = "; + printValue(ctx, attrsOut, *a->value, appendPath(path, name)); + attrsOut << ";" << Out::sep; + } +} + +void multiLineStringEscape(Out & out, const std::string & s) +{ + int i; + for (i = 1; i < s.size(); i++) { + if (s[i - 1] == '$' && s[i] == '{') { + out << "''${"; + i++; + } else if (s[i - 1] == '\'' && s[i] == '\'') { + out << "'''"; + i++; + } else { + out << s[i - 1]; + } + } + if (i == s.size()) { + out << s[i - 1]; + } +} + +void printMultiLineString(Out & out, const Value & v) +{ + std::string s = v.string.s; + Out strOut(out, "''", "''", Out::MULTI_LINE); + std::string::size_type begin = 0; + while (begin < s.size()) { + std::string::size_type end = s.find('\n', begin); + if (end == std::string::npos) { + multiLineStringEscape(strOut, s.substr(begin, s.size() - begin)); + break; + } + multiLineStringEscape(strOut, s.substr(begin, end - begin)); + strOut << Out::sep; + begin = end + 1; + } +} + +void printValue(Context & ctx, Out & out, std::variant<Value, std::exception_ptr> maybeValue, const std::string & path) +{ + try { + if (auto ex = std::get_if<std::exception_ptr>(&maybeValue)) { + std::rethrow_exception(*ex); + } + Value v = evaluateValue(ctx, std::get<Value>(maybeValue)); + if (ctx.state.isDerivation(v)) { + describeDerivation(ctx, out, v); + } else if (v.isList()) { + printList(ctx, out, v); + } else if (v.type == tAttrs) { + printAttrs(ctx, out, v, path); + } else if (v.type == tString && std::string(v.string.s).find('\n') != std::string::npos) { + printMultiLineString(out, v); + } else { + ctx.state.forceValueDeep(v); + out << v; + } + } catch (ThrownError & e) { + if (e.msg() == "The option `" + path + "' is used but not defined.") { + // 93% of errors are this, and just letting this message through would be + // misleading. These values may or may not actually be "used" in the + // config. The thing throwing the error message assumes that if anything + // ever looks at this value, it is a "use" of this value. But here in + // nixos-option, we are looking at this value only to print it. + // In order to avoid implying that this undefined value is actually + // referenced, eat the underlying error message and emit "«not defined»". + out << "«not defined»"; + } else { + out << describeError(e); + } + } catch (Error & e) { + out << describeError(e); + } +} + +void printConfigValue(Context & ctx, Out & out, const std::string & path, std::variant<Value, std::exception_ptr> v) +{ + out << path << " = "; + printValue(ctx, out, std::move(v), path); + out << ";\n"; +} + +void printAll(Context & ctx, Out & out) +{ + mapOptions( + [&ctx, &out](const std::string & optionPath) { + mapConfigValuesInOption( + [&ctx, &out](const std::string & configPath, std::variant<Value, std::exception_ptr> v) { + printConfigValue(ctx, out, configPath, v); + }, + optionPath, ctx); + }, + ctx, ctx.optionsRoot); +} + +void printAttr(Context & ctx, Out & out, const std::string & path, Value & root) +{ + try { + printValue(ctx, out, *findAlongAttrPath(ctx.state, path, ctx.autoArgs, root), path); + } catch (Error & e) { + out << describeError(e); + } +} + +bool hasExample(Context & ctx, Value & option) +{ + try { + findAlongAttrPath(ctx.state, "example", ctx.autoArgs, option); + return true; + } catch (Error &) { + return false; + } +} + +void printOption(Context & ctx, Out & out, const std::string & path, Value & option) +{ + out << "Value:\n"; + printAttr(ctx, out, path, ctx.configRoot); + + out << "\n\nDefault:\n"; + printAttr(ctx, out, "default", option); + + out << "\n\nType:\n"; + printAttr(ctx, out, "type.description", option); + + if (hasExample(ctx, option)) { + out << "\n\nExample:\n"; + printAttr(ctx, out, "example", option); + } + + out << "\n\nDescription:\n"; + printAttr(ctx, out, "description", option); + + out << "\n\nDeclared by:\n"; + printAttr(ctx, out, "declarations", option); + + out << "\n\nDefined by:\n"; + printAttr(ctx, out, "files", option); + out << "\n"; +} + +void printListing(Out & out, Value & v) +{ + out << "This attribute set contains:\n"; + for (const auto & a : v.attrs->lexicographicOrder()) { + std::string name = a->name; + if (!name.empty() && name[0] != '_') { + out << name << "\n"; + } + } +} + +bool optionTypeIs(Context & ctx, Value & v, const std::string & soughtType) +{ + try { + const auto & typeLookup = v.attrs->find(ctx.state.sType); + if (typeLookup == v.attrs->end()) { + return false; + } + Value type = evaluateValue(ctx, *typeLookup->value); + if (type.type != tAttrs) { + return false; + } + const auto & nameLookup = type.attrs->find(ctx.state.sName); + if (nameLookup == type.attrs->end()) { + return false; + } + Value name = evaluateValue(ctx, *nameLookup->value); + if (name.type != tString) { + return false; + } + return name.string.s == soughtType; + } catch (Error &) { + return false; + } +} + +bool isAggregateOptionType(Context & ctx, Value & v) +{ + return optionTypeIs(ctx, v, "attrsOf") || optionTypeIs(ctx, v, "listOf") || optionTypeIs(ctx, v, "loaOf"); +} + +MakeError(OptionPathError, EvalError); + +Value getSubOptions(Context & ctx, Value & option) +{ + Value getSubOptions = evaluateValue(ctx, *findAlongAttrPath(ctx.state, "type.getSubOptions", ctx.autoArgs, option)); + if (getSubOptions.type != tLambda) { + throw OptionPathError("Option's type.getSubOptions isn't a function"); + } + Value emptyString{}; + nix::mkString(emptyString, ""); + Value v; + ctx.state.callFunction(getSubOptions, emptyString, v, nix::Pos{}); + return v; +} + +// Carefully walk an option path, looking for sub-options when a path walks past +// an option value. +Value findAlongOptionPath(Context & ctx, const std::string & path) +{ + Strings tokens = parseAttrPath(path); + Value v = ctx.optionsRoot; + for (auto i = tokens.begin(); i != tokens.end(); i++) { + const auto & attr = *i; + try { + bool lastAttribute = std::next(i) == tokens.end(); + v = evaluateValue(ctx, v); + if (attr.empty()) { + throw OptionPathError("empty attribute name"); + } + if (isOption(ctx, v) && optionTypeIs(ctx, v, "submodule")) { + v = getSubOptions(ctx, v); + } + if (isOption(ctx, v) && isAggregateOptionType(ctx, v) && !lastAttribute) { + v = getSubOptions(ctx, v); + // Note that we've consumed attr, but didn't actually use it. This is the path component that's looked + // up in the list or attribute set that doesn't name an option -- the "root" in "users.users.root.name". + } else if (v.type != tAttrs) { + throw OptionPathError("Value is %s while a set was expected", showType(v)); + } else { + const auto & next = v.attrs->find(ctx.state.symbols.create(attr)); + if (next == v.attrs->end()) { + throw OptionPathError("Attribute not found", attr, path); + } + v = *next->value; + } + } catch (OptionPathError & e) { + throw OptionPathError("At '%s' in path '%s': %s", attr, path, e.msg()); + } + } + return v; +} + +void printOne(Context & ctx, Out & out, const std::string & path) +{ + try { + Value option = findAlongOptionPath(ctx, path); + option = evaluateValue(ctx, option); + if (isOption(ctx, option)) { + printOption(ctx, out, path, option); + } else { + printListing(out, option); + } + } catch (Error & e) { + std::cerr << "error: " << e.msg() + << "\nAn error occurred while looking for attribute names. Are " + "you sure that '" + << path << "' exists?\n"; + } +} + +int main(int argc, char ** argv) +{ + bool all = false; + std::string path = "."; + std::string optionsExpr = "(import <nixpkgs/nixos> {}).options"; + std::string configExpr = "(import <nixpkgs/nixos> {}).config"; + std::vector<std::string> args; + + struct MyArgs : nix::LegacyArgs, nix::MixEvalArgs + { + using nix::LegacyArgs::LegacyArgs; + }; + + MyArgs myArgs(nix::baseNameOf(argv[0]), [&](Strings::iterator & arg, const Strings::iterator & end) { + if (*arg == "--help") { + nix::showManPage("nixos-option"); + } else if (*arg == "--version") { + nix::printVersion("nixos-option"); + } else if (*arg == "--all") { + all = true; + } else if (*arg == "--path") { + path = nix::getArg(*arg, arg, end); + } else if (*arg == "--options_expr") { + optionsExpr = nix::getArg(*arg, arg, end); + } else if (*arg == "--config_expr") { + configExpr = nix::getArg(*arg, arg, end); + } else if (!arg->empty() && arg->at(0) == '-') { + return false; + } else { + args.push_back(*arg); + } + return true; + }); + + myArgs.parseCmdline(nix::argvToStrings(argc, argv)); + + nix::initPlugins(); + nix::initGC(); + nix::settings.readOnlyMode = true; + auto store = nix::openStore(); + auto state = std::make_unique<EvalState>(myArgs.searchPath, store); + + Value optionsRoot = parseAndEval(*state, optionsExpr, path); + Value configRoot = parseAndEval(*state, configExpr, path); + + Context ctx{*state, *myArgs.getAutoArgs(*state), optionsRoot, configRoot}; + Out out(std::cout); + + if (all) { + if (!args.empty()) { + throw UsageError("--all cannot be used with arguments"); + } + printAll(ctx, out); + } else { + if (args.empty()) { + printOne(ctx, out, ""); + } + for (const auto & arg : args) { + printOne(ctx, out, arg); + } + } + + ctx.state.printStats(); + + return 0; +} diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-rebuild.sh b/nixpkgs/nixos/modules/installer/tools/nixos-rebuild.sh index 6a08c9b4c6c6..c53dc1000c4a 100644 --- a/nixpkgs/nixos/modules/installer/tools/nixos-rebuild.sh +++ b/nixpkgs/nixos/modules/installer/tools/nixos-rebuild.sh @@ -22,6 +22,7 @@ repair= profile=/nix/var/nix/profiles/system buildHost= targetHost= +maybeSudo= while [ "$#" -gt 0 ]; do i="$1"; shift 1 @@ -89,6 +90,11 @@ while [ "$#" -gt 0 ]; do targetHost="$1" shift 1 ;; + --use-remote-sudo) + # note the trailing space + maybeSudo="sudo " + shift 1 + ;; *) echo "$0: unknown option \`$i'" exit 1 @@ -96,7 +102,6 @@ while [ "$#" -gt 0 ]; do esac done - if [ -z "$buildHost" -a -n "$targetHost" ]; then buildHost="$targetHost" fi @@ -111,9 +116,9 @@ buildHostCmd() { if [ -z "$buildHost" ]; then "$@" elif [ -n "$remoteNix" ]; then - ssh $SSHOPTS "$buildHost" PATH="$remoteNix:$PATH" "$@" + ssh $SSHOPTS "$buildHost" env PATH="$remoteNix:$PATH" "$maybeSudo$@" else - ssh $SSHOPTS "$buildHost" "$@" + ssh $SSHOPTS "$buildHost" "$maybeSudo$@" fi } @@ -121,7 +126,7 @@ targetHostCmd() { if [ -z "$targetHost" ]; then "$@" else - ssh $SSHOPTS "$targetHost" "$@" + ssh $SSHOPTS "$targetHost" "$maybeSudo$@" fi } diff --git a/nixpkgs/nixos/modules/installer/tools/tools.nix b/nixpkgs/nixos/modules/installer/tools/tools.nix index 05add59117d1..e4db39b5c810 100644 --- a/nixpkgs/nixos/modules/installer/tools/tools.nix +++ b/nixpkgs/nixos/modules/installer/tools/tools.nix @@ -41,10 +41,7 @@ let inherit (config.system.nixos-generate-config) configuration; }; - nixos-option = makeProg { - name = "nixos-option"; - src = ./nixos-option.sh; - }; + nixos-option = pkgs.callPackage ./nixos-option { }; nixos-version = makeProg { name = "nixos-version"; @@ -96,6 +93,7 @@ in # networking.hostName = "nixos"; # Define your hostname. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + $networkingDhcpConfig # Configure network proxy if necessary # networking.proxy.default = "http://user:password\@proxy:port/"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; @@ -119,7 +117,11 @@ in # Some programs need SUID wrappers, can be configured further or are # started in user sessions. # programs.mtr.enable = true; - # programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # pinentryFlavor = "gnome3"; + # }; # List services that you want to enable: diff --git a/nixpkgs/nixos/modules/misc/documentation.nix b/nixpkgs/nixos/modules/misc/documentation.nix index deecb005270f..d09afadd6097 100644 --- a/nixpkgs/nixos/modules/misc/documentation.nix +++ b/nixpkgs/nixos/modules/misc/documentation.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, baseModules, extraModules, modules, ... }: +{ config, lib, pkgs, baseModules, extraModules, modules, modulesPath, ... }: with lib; @@ -22,7 +22,10 @@ let scrubbedEval = evalModules { modules = [ { nixpkgs.localSystem = config.nixpkgs.localSystem; } ] ++ manualModules; args = (config._module.args) // { modules = [ ]; }; - specialArgs = { pkgs = scrubDerivations "pkgs" pkgs; }; + specialArgs = { + pkgs = scrubDerivations "pkgs" pkgs; + inherit modulesPath; + }; }; scrubDerivations = namePrefix: pkgSet: mapAttrs (name: value: @@ -67,6 +70,11 @@ let in { + imports = [ + (mkRenamedOptionModule [ "programs" "info" "enable" ] [ "documentation" "info" "enable" ]) + (mkRenamedOptionModule [ "programs" "man" "enable" ] [ "documentation" "man" "enable" ]) + (mkRenamedOptionModule [ "services" "nixosManual" "enable" ] [ "documentation" "nixos" "enable" ]) + ]; options = { diff --git a/nixpkgs/nixos/modules/misc/ids.nix b/nixpkgs/nixos/modules/misc/ids.nix index 14d162540fe7..0218855198ac 100644 --- a/nixpkgs/nixos/modules/misc/ids.nix +++ b/nixpkgs/nixos/modules/misc/ids.nix @@ -11,6 +11,9 @@ { lib, ... }: +let + inherit (lib) types; +in { options = { @@ -19,6 +22,7 @@ description = '' The user IDs used in NixOS. ''; + type = types.attrsOf types.int; }; ids.gids = lib.mkOption { @@ -26,6 +30,7 @@ description = '' The group IDs used in NixOS. ''; + type = types.attrsOf types.int; }; }; @@ -75,8 +80,8 @@ #kdm = 39; # dropped in 17.03 #ghostone = 40; # dropped in 18.03 git = 41; - fourstore = 42; - fourstorehttp = 43; + #fourstore = 42; # dropped in 20.03 + #fourstorehttp = 43; # dropped in 20.03 virtuoso = 44; rtkit = 45; dovecot2 = 46; @@ -128,7 +133,7 @@ tcpcryptd = 93; # tcpcryptd uses a hard-coded uid. We patch it in Nixpkgs to match this choice. firebird = 95; #keys = 96; # unused - haproxy = 97; + #haproxy = 97; # DynamicUser as of 2019-11-08 mongodb = 98; openldap = 99; #users = 100; # unused @@ -328,7 +333,7 @@ qemu-libvirtd = 301; # kvm = 302; # unused # render = 303; # unused - zeronet = 304; + # zeronet = 304; # removed 2019-01-03 lirc = 305; lidarr = 306; slurm = 307; @@ -443,7 +448,7 @@ #tcpcryptd = 93; # unused firebird = 95; keys = 96; - haproxy = 97; + #haproxy = 97; # DynamicUser as of 2019-11-08 #mongodb = 98; # unused openldap = 99; munin = 102; @@ -629,7 +634,7 @@ qemu-libvirtd = 301; kvm = 302; # default udev rules from systemd requires these render = 303; # default udev rules from systemd requires these - zeronet = 304; + # zeronet = 304; # removed 2019-01-03 lirc = 305; lidarr = 306; slurm = 307; diff --git a/nixpkgs/nixos/modules/misc/locate.nix b/nixpkgs/nixos/modules/misc/locate.nix index 449149e4bb65..552535c253e6 100644 --- a/nixpkgs/nixos/modules/misc/locate.nix +++ b/nixpkgs/nixos/modules/misc/locate.nix @@ -7,6 +7,11 @@ let isMLocate = hasPrefix "mlocate" cfg.locate.name; isFindutils = hasPrefix "findutils" cfg.locate.name; in { + imports = [ + (mkRenamedOptionModule [ "services" "locate" "period" ] [ "services" "locate" "interval" ]) + (mkRemovedOptionModule [ "services" "locate" "includeStore" ] "Use services.locate.prunePaths" ) + ]; + options.services.locate = with types; { enable = mkOption { type = bool; @@ -128,7 +133,10 @@ in { # directory creation needs to be separated from main service # because ReadWritePaths fails when the directory doesn't already exist - systemd.tmpfiles.rules = [ "d ${dirOf cfg.output} 0755 root root -" ]; + systemd.tmpfiles.rules = + let dir = dirOf cfg.output; in + mkIf (dir != "/var/cache") + [ "d ${dir} 0755 root root -" ]; systemd.services.update-locatedb = { description = "Update Locate Database"; diff --git a/nixpkgs/nixos/modules/misc/version.nix b/nixpkgs/nixos/modules/misc/version.nix index 773724ffbd5e..0540b493003f 100644 --- a/nixpkgs/nixos/modules/misc/version.nix +++ b/nixpkgs/nixos/modules/misc/version.nix @@ -10,6 +10,12 @@ let in { + imports = [ + (mkRenamedOptionModule [ "system" "nixosVersion" ] [ "system" "nixos" "version" ]) + (mkRenamedOptionModule [ "system" "nixosVersionSuffix" ] [ "system" "nixos" "versionSuffix" ]) + (mkRenamedOptionModule [ "system" "nixosRevision" ] [ "system" "nixos" "revision" ]) + (mkRenamedOptionModule [ "system" "nixosLabel" ] [ "system" "nixos" "label" ]) + ]; options.system = { @@ -92,7 +98,7 @@ in VERSION="${cfg.version} (${cfg.codeName})" VERSION_CODENAME=${toLower cfg.codeName} VERSION_ID="${cfg.version}" - PRETTY_NAME="NixOS ${cfg.version} (${cfg.codeName})" + PRETTY_NAME="NixOS ${cfg.release} (${cfg.codeName})" LOGO="nix-snowflake" HOME_URL="https://nixos.org/" DOCUMENTATION_URL="https://nixos.org/nixos/manual/index.html" diff --git a/nixpkgs/nixos/modules/module-list.nix b/nixpkgs/nixos/modules/module-list.nix index 46a8232dc8e0..105c86c6ba52 100644 --- a/nixpkgs/nixos/modules/module-list.nix +++ b/nixpkgs/nixos/modules/module-list.nix @@ -1,9 +1,7 @@ [ ./config/debug-info.nix - ./config/fonts/corefonts.nix ./config/fonts/fontconfig.nix ./config/fonts/fontconfig-penultimate.nix - ./config/fonts/fontconfig-ultimate.nix ./config/fonts/fontdir.nix ./config/fonts/fonts.nix ./config/fonts/ghostscript.nix @@ -13,6 +11,7 @@ ./config/xdg/mime.nix ./config/xdg/portal.nix ./config/appstream.nix + ./config/console.nix ./config/xdg/sounds.nix ./config/gtk/gtk-icon-cache.nix ./config/gnu.nix @@ -37,13 +36,13 @@ ./config/terminfo.nix ./config/unix-odbc-drivers.nix ./config/users-groups.nix - ./config/vpnc.nix ./config/vte.nix ./config/zram.nix ./hardware/acpilight.nix ./hardware/all-firmware.nix ./hardware/bladeRF.nix ./hardware/brightnessctl.nix + ./hardware/brillo.nix ./hardware/ckb-next.nix ./hardware/cpu/amd-microcode.nix ./hardware/cpu/intel-microcode.nix @@ -96,9 +95,9 @@ ./programs/adb.nix ./programs/atop.nix ./programs/autojump.nix + ./programs/bandwhich.nix ./programs/bash/bash.nix ./programs/bcc.nix - ./programs/blcr.nix ./programs/browserpass.nix ./programs/captive-browser.nix ./programs/ccache.nix @@ -143,7 +142,6 @@ ./programs/seahorse.nix ./programs/slock.nix ./programs/shadow.nix - ./programs/shell.nix ./programs/spacefm.nix ./programs/singularity.nix ./programs/ssh.nix @@ -229,6 +227,7 @@ ./services/backup/rsnapshot.nix ./services/backup/tarsnap.nix ./services/backup/tsm.nix + ./services/backup/zfs-replication.nix ./services/backup/znapzend.nix ./services/cluster/hadoop/default.nix ./services/cluster/kubernetes/addons/dns.nix @@ -257,8 +256,6 @@ ./services/continuous-integration/jenkins/default.nix ./services/continuous-integration/jenkins/job-builder.nix ./services/continuous-integration/jenkins/slave.nix - ./services/databases/4store-endpoint.nix - ./services/databases/4store.nix ./services/databases/aerospike.nix ./services/databases/cassandra.nix ./services/databases/clickhouse.nix @@ -299,16 +296,18 @@ ./services/desktops/gnome3/chrome-gnome-shell.nix ./services/desktops/gnome3/evolution-data-server.nix ./services/desktops/gnome3/glib-networking.nix + ./services/desktops/gnome3/gnome-initial-setup.nix ./services/desktops/gnome3/gnome-keyring.nix ./services/desktops/gnome3/gnome-online-accounts.nix - ./services/desktops/gnome3/gnome-remote-desktop.nix ./services/desktops/gnome3/gnome-online-miners.nix + ./services/desktops/gnome3/gnome-remote-desktop.nix ./services/desktops/gnome3/gnome-settings-daemon.nix ./services/desktops/gnome3/gnome-user-share.nix ./services/desktops/gnome3/rygel.nix ./services/desktops/gnome3/sushi.nix ./services/desktops/gnome3/tracker.nix ./services/desktops/gnome3/tracker-miners.nix + ./services/desktops/neard.nix ./services/desktops/profile-sync-daemon.nix ./services/desktops/system-config-printer.nix ./services/desktops/telepathy.nix @@ -317,11 +316,13 @@ ./services/development/bloop.nix ./services/development/hoogle.nix ./services/development/jupyter/default.nix + ./services/development/lorri.nix ./services/editors/emacs.nix ./services/editors/infinoted.nix ./services/games/factorio.nix ./services/games/minecraft-server.nix ./services/games/minetest-server.nix + ./services/games/openarena.nix ./services/games/terraria.nix ./services/hardware/acpid.nix ./services/hardware/actkbd.nix @@ -329,6 +330,7 @@ ./services/hardware/bolt.nix ./services/hardware/brltty.nix ./services/hardware/evscript.nix + ./services/hardware/fancontrol.nix ./services/hardware/freefall.nix ./services/hardware/fwupd.nix ./services/hardware/illum.nix @@ -445,6 +447,7 @@ ./services/misc/logkeys.nix ./services/misc/leaps.nix ./services/misc/lidarr.nix + ./services/misc/mame.nix ./services/misc/mathics.nix ./services/misc/matrix-synapse.nix ./services/misc/mbpfan.nix @@ -504,6 +507,7 @@ ./services/monitoring/das_watchdog.nix ./services/monitoring/datadog-agent.nix ./services/monitoring/dd-agent/dd-agent.nix + ./services/monitoring/do-agent.nix ./services/monitoring/fusion-inventory.nix ./services/monitoring/grafana.nix ./services/monitoring/grafana-reporter.nix @@ -518,7 +522,6 @@ ./services/monitoring/munin.nix ./services/monitoring/nagios.nix ./services/monitoring/netdata.nix - ./services/monitoring/osquery.nix ./services/monitoring/prometheus/default.nix ./services/monitoring/prometheus/alertmanager.nix ./services/monitoring/prometheus/exporters.nix @@ -538,7 +541,6 @@ ./services/monitoring/zabbix-agent.nix ./services/monitoring/zabbix-proxy.nix ./services/monitoring/zabbix-server.nix - ./services/network-filesystems/beegfs.nix ./services/network-filesystems/cachefilesd.nix ./services/network-filesystems/davfs2.nix ./services/network-filesystems/drbd.nix @@ -549,6 +551,8 @@ ./services/network-filesystems/nfsd.nix ./services/network-filesystems/openafs/client.nix ./services/network-filesystems/openafs/server.nix + ./services/network-filesystems/orangefs/server.nix + ./services/network-filesystems/orangefs/client.nix ./services/network-filesystems/rsyncd.nix ./services/network-filesystems/samba.nix ./services/network-filesystems/tahoe.nix @@ -557,6 +561,7 @@ ./services/network-filesystems/yandex-disk.nix ./services/network-filesystems/xtreemfs.nix ./services/network-filesystems/ceph.nix + ./services/networking/3proxy.nix ./services/networking/amuled.nix ./services/networking/aria2.nix ./services/networking/asterisk.nix @@ -602,6 +607,7 @@ ./services/networking/gdomap.nix ./services/networking/git-daemon.nix ./services/networking/gnunet.nix + ./services/networking/go-shadowsocks2.nix ./services/networking/gogoclient.nix ./services/networking/gvpe.nix ./services/networking/hans.nix @@ -615,7 +621,6 @@ ./services/networking/iodine.nix ./services/networking/iperf3.nix ./services/networking/ircd-hybrid/default.nix - ./services/networking/jormungandr.nix ./services/networking/iwd.nix ./services/networking/keepalived/default.nix ./services/networking/keybase.nix @@ -667,6 +672,7 @@ ./services/networking/polipo.nix ./services/networking/powerdns.nix ./services/networking/pdns-recursor.nix + ./services/networking/pppd.nix ./services/networking/pptpd.nix ./services/networking/prayer.nix ./services/networking/privoxy.nix @@ -688,10 +694,13 @@ ./services/networking/skydns.nix ./services/networking/shadowsocks.nix ./services/networking/shairport-sync.nix + ./services/networking/shorewall.nix + ./services/networking/shorewall6.nix ./services/networking/shout.nix ./services/networking/sniproxy.nix ./services/networking/smokeping.nix ./services/networking/softether.nix + ./services/networking/spacecookie.nix ./services/networking/spiped.nix ./services/networking/squid.nix ./services/networking/sslh.nix @@ -713,12 +722,14 @@ ./services/networking/tinc.nix ./services/networking/tinydns.nix ./services/networking/tftpd.nix + ./services/networking/trickster.nix ./services/networking/tox-bootstrapd.nix ./services/networking/tox-node.nix ./services/networking/toxvpn.nix ./services/networking/tvheadend.nix ./services/networking/unbound.nix ./services/networking/unifi.nix + ./services/networking/v2ray.nix ./services/networking/vsftpd.nix ./services/networking/wakeonlan.nix ./services/networking/websockify.nix @@ -729,6 +740,7 @@ ./services/networking/xinetd.nix ./services/networking/xl2tpd.nix ./services/networking/xrdp.nix + ./services/networking/yggdrasil.nix ./services/networking/zerobin.nix ./services/networking/zeronet.nix ./services/networking/zerotierone.nix @@ -793,8 +805,10 @@ ./services/web-apps/cryptpad.nix ./services/web-apps/documize.nix ./services/web-apps/frab.nix + ./services/web-apps/gotify-server.nix ./services/web-apps/icingaweb2/icingaweb2.nix ./services/web-apps/icingaweb2/module-monitoring.nix + ./services/web-apps/ihatemoney ./services/web-apps/limesurvey.nix ./services/web-apps/mattermost.nix ./services/web-apps/mediawiki.nix @@ -804,9 +818,13 @@ ./services/web-apps/nexus.nix ./services/web-apps/pgpkeyserver-lite.nix ./services/web-apps/matomo.nix + ./services/web-apps/moinmoin.nix ./services/web-apps/restya-board.nix ./services/web-apps/tt-rss.nix + ./services/web-apps/trac.nix + ./services/web-apps/trilium.nix ./services/web-apps/selfoss.nix + ./services/web-apps/shiori.nix ./services/web-apps/virtlyst.nix ./services/web-apps/wordpress.nix ./services/web-apps/youtrack.nix @@ -832,13 +850,14 @@ ./services/web-servers/shellinabox.nix ./services/web-servers/tomcat.nix ./services/web-servers/traefik.nix + ./services/web-servers/ttyd.nix ./services/web-servers/uwsgi.nix ./services/web-servers/varnish/default.nix ./services/web-servers/zope2.nix ./services/x11/extra-layouts.nix ./services/x11/clight.nix ./services/x11/colord.nix - ./services/x11/compton.nix + ./services/x11/picom.nix ./services/x11/unclutter.nix ./services/x11/unclutter-xfixes.nix ./services/x11/desktop-managers/default.nix @@ -855,8 +874,10 @@ ./services/x11/hardware/multitouch.nix ./services/x11/hardware/synaptics.nix ./services/x11/hardware/wacom.nix + ./services/x11/hardware/digimend.nix ./services/x11/hardware/cmt.nix ./services/x11/gdk-pixbuf.nix + ./services/x11/imwheel.nix ./services/x11/redshift.nix ./services/x11/urxvtd.nix ./services/x11/window-managers/awesome.nix @@ -927,7 +948,6 @@ ./tasks/filesystems/vfat.nix ./tasks/filesystems/xfs.nix ./tasks/filesystems/zfs.nix - ./tasks/kbd.nix ./tasks/lvm.nix ./tasks/network-interfaces.nix ./tasks/network-interfaces-systemd.nix diff --git a/nixpkgs/nixos/modules/profiles/graphical.nix b/nixpkgs/nixos/modules/profiles/graphical.nix index 649f5564ac61..d80456cede56 100644 --- a/nixpkgs/nixos/modules/profiles/graphical.nix +++ b/nixpkgs/nixos/modules/profiles/graphical.nix @@ -9,14 +9,12 @@ displayManager.sddm.enable = true; desktopManager.plasma5 = { enable = true; - enableQt4Support = false; }; libinput.enable = true; # for touchpad support on many laptops }; # Enable sound in virtualbox appliances. hardware.pulseaudio.enable = true; - hardware.pulseaudio.systemWide = true; # Needed since we run plasma as root. environment.systemPackages = [ pkgs.glxinfo pkgs.firefox ]; } diff --git a/nixpkgs/nixos/modules/profiles/hardened.nix b/nixpkgs/nixos/modules/profiles/hardened.nix index 626d8b1d2bde..f7b2f5c7fc1e 100644 --- a/nixpkgs/nixos/modules/profiles/hardened.nix +++ b/nixpkgs/nixos/modules/profiles/hardened.nix @@ -52,6 +52,27 @@ with lib; "ax25" "netrom" "rose" + + # Old or rare or insufficiently audited filesystems + "adfs" + "affs" + "bfs" + "befs" + "cramfs" + "efs" + "erofs" + "exofs" + "freevxfs" + "f2fs" + "hfs" + "hpfs" + "jfs" + "minix" + "nilfs2" + "qnx4" + "qnx6" + "sysv" + "ufs" ]; # Restrict ptrace() usage to processes with a pre-defined relationship diff --git a/nixpkgs/nixos/modules/profiles/installation-device.nix b/nixpkgs/nixos/modules/profiles/installation-device.nix index fd30220ce1c9..4596e163404c 100644 --- a/nixpkgs/nixos/modules/profiles/installation-device.nix +++ b/nixpkgs/nixos/modules/profiles/installation-device.nix @@ -31,9 +31,6 @@ with lib; # Let the user play Rogue on TTY 8 during the installation. #services.rogue.enable = true; - # Disable some other stuff we don't need. - services.udisks2.enable = mkDefault false; - # Use less privileged nixos user users.users.nixos = { isNormalUser = true; diff --git a/nixpkgs/nixos/modules/programs/adb.nix b/nixpkgs/nixos/modules/programs/adb.nix index 250d8c252a3b..83bcfe886aa1 100644 --- a/nixpkgs/nixos/modules/programs/adb.nix +++ b/nixpkgs/nixos/modules/programs/adb.nix @@ -23,7 +23,8 @@ with lib; ###### implementation config = mkIf config.programs.adb.enable { services.udev.packages = [ pkgs.android-udev-rules ]; - environment.systemPackages = [ pkgs.androidenv.androidPkgs_9_0.platform-tools ]; + # Give platform-tools lower priority so mke2fs+friends are taken from other packages first + environment.systemPackages = [ (lowPrio pkgs.androidenv.androidPkgs_9_0.platform-tools) ]; users.groups.adbusers = {}; }; } diff --git a/nixpkgs/nixos/modules/programs/bandwhich.nix b/nixpkgs/nixos/modules/programs/bandwhich.nix new file mode 100644 index 000000000000..5413044f4614 --- /dev/null +++ b/nixpkgs/nixos/modules/programs/bandwhich.nix @@ -0,0 +1,29 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let cfg = config.programs.bandwhich; +in { + meta.maintainers = with maintainers; [ filalex77 ]; + + options = { + programs.bandwhich = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to add bandwhich to the global environment and configure a + setcap wrapper for it. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [ bandwhich ]; + security.wrappers.bandwhich = { + source = "${pkgs.bandwhich}/bin/bandwhich"; + capabilities = "cap_net_raw,cap_net_admin+ep"; + }; + }; +} diff --git a/nixpkgs/nixos/modules/programs/bash/bash.nix b/nixpkgs/nixos/modules/programs/bash/bash.nix index 548babac38ca..366c07c0a352 100644 --- a/nixpkgs/nixos/modules/programs/bash/bash.nix +++ b/nixpkgs/nixos/modules/programs/bash/bash.nix @@ -40,6 +40,10 @@ let in { + imports = [ + (mkRemovedOptionModule [ "programs" "bash" "enable" ] "") + ]; + options = { programs.bash = { diff --git a/nixpkgs/nixos/modules/programs/blcr.nix b/nixpkgs/nixos/modules/programs/blcr.nix deleted file mode 100644 index 804e1d01f12b..000000000000 --- a/nixpkgs/nixos/modules/programs/blcr.nix +++ /dev/null @@ -1,27 +0,0 @@ -{ config, lib, ... }: - -let - inherit (lib) mkOption mkIf; - cfg = config.environment.blcr; - blcrPkg = config.boot.kernelPackages.blcr; -in - -{ - ###### interface - - options = { - environment.blcr.enable = mkOption { - default = false; - description = - "Whether to enable support for the BLCR checkpointing tool."; - }; - }; - - ###### implementation - - config = mkIf cfg.enable { - boot.kernelModules = [ "blcr" "blcr_imports" ]; - boot.extraModulePackages = [ blcrPkg ]; - environment.systemPackages = [ blcrPkg ]; - }; -} diff --git a/nixpkgs/nixos/modules/programs/dconf.nix b/nixpkgs/nixos/modules/programs/dconf.nix index eeebc3558bdf..6702e8efd1cb 100644 --- a/nixpkgs/nixos/modules/programs/dconf.nix +++ b/nixpkgs/nixos/modules/programs/dconf.nix @@ -6,7 +6,10 @@ let cfg = config.programs.dconf; mkDconfProfile = name: path: - { source = path; target = "dconf/profile/${name}"; }; + { + name = "dconf/profile/${name}"; + value.source = path; + }; in { @@ -29,16 +32,16 @@ in ###### implementation config = mkIf (cfg.profiles != {} || cfg.enable) { - environment.etc = optionals (cfg.profiles != {}) - (mapAttrsToList mkDconfProfile cfg.profiles); + environment.etc = optionalAttrs (cfg.profiles != {}) + (mapAttrs' mkDconfProfile cfg.profiles); - services.dbus.packages = [ pkgs.gnome3.dconf ]; + services.dbus.packages = [ pkgs.dconf ]; # For dconf executable - environment.systemPackages = [ pkgs.gnome3.dconf ]; + environment.systemPackages = [ pkgs.dconf ]; # Needed for unwrapped applications - environment.variables.GIO_EXTRA_MODULES = mkIf cfg.enable [ "${pkgs.gnome3.dconf.lib}/lib/gio/modules" ]; + environment.variables.GIO_EXTRA_MODULES = mkIf cfg.enable [ "${pkgs.dconf.lib}/lib/gio/modules" ]; }; } diff --git a/nixpkgs/nixos/modules/programs/environment.nix b/nixpkgs/nixos/modules/programs/environment.nix index fcffb2134980..38bdabb4fa81 100644 --- a/nixpkgs/nixos/modules/programs/environment.nix +++ b/nixpkgs/nixos/modules/programs/environment.nix @@ -21,8 +21,6 @@ in PAGER = mkDefault "less -R"; EDITOR = mkDefault "nano"; XDG_CONFIG_DIRS = [ "/etc/xdg" ]; # needs to be before profile-relative paths to allow changes through environment.etc - GTK_DATA_PREFIX = "${config.system.path}"; # needed for gtk2 apps to find themes - GTK_EXE_PREFIX = "${config.system.path}"; }; environment.profiles = mkAfter diff --git a/nixpkgs/nixos/modules/programs/gnupg.nix b/nixpkgs/nixos/modules/programs/gnupg.nix index bcbc994efe9b..2d262d906579 100644 --- a/nixpkgs/nixos/modules/programs/gnupg.nix +++ b/nixpkgs/nixos/modules/programs/gnupg.nix @@ -6,6 +6,19 @@ let cfg = config.programs.gnupg; + xserverCfg = config.services.xserver; + + defaultPinentryFlavor = + if xserverCfg.desktopManager.lxqt.enable + || xserverCfg.desktopManager.plasma5.enable then + "qt" + else if xserverCfg.desktopManager.xfce.enable then + "gtk2" + else if xserverCfg.enable || config.programs.sway.enable then + "gnome3" + else + null; + in { @@ -54,6 +67,20 @@ in ''; }; + agent.pinentryFlavor = mkOption { + type = types.nullOr (types.enum pkgs.pinentry.flavors); + example = "gnome3"; + description = '' + Which pinentry interface to use. If not null, the path to the + pinentry binary will be passed to gpg-agent via commandline and + thus overrides the pinentry option in gpg-agent.conf in the user's + home directory. + If not set at all, it'll pick an appropriate flavor depending on the + system configuration (qt flavor for lxqt and plasma5, gtk2 for xfce + 4.12, gnome3 on all other systems with X enabled, ncurses otherwise). + ''; + }; + dirmngr.enable = mkOption { type = types.bool; default = false; @@ -64,6 +91,16 @@ in }; config = mkIf cfg.agent.enable { + programs.gnupg.agent.pinentryFlavor = mkDefault defaultPinentryFlavor; + + # This overrides the systemd user unit shipped with the gnupg package + systemd.user.services.gpg-agent = mkIf (cfg.agent.pinentryFlavor != null) { + serviceConfig.ExecStart = [ "" '' + ${pkgs.gnupg}/bin/gpg-agent --supervised \ + --pinentry-program ${pkgs.pinentry.${cfg.agent.pinentryFlavor}}/bin/pinentry + '' ]; + }; + systemd.user.sockets.gpg-agent = { wantedBy = [ "sockets.target" ]; }; @@ -83,7 +120,9 @@ in systemd.user.sockets.dirmngr = mkIf cfg.dirmngr.enable { wantedBy = [ "sockets.target" ]; }; - + + services.dbus.packages = mkIf (cfg.agent.pinentryFlavor == "gnome3") [ pkgs.gcr ]; + environment.systemPackages = with pkgs; [ cfg.package ]; systemd.packages = [ cfg.package ]; diff --git a/nixpkgs/nixos/modules/programs/nm-applet.nix b/nixpkgs/nixos/modules/programs/nm-applet.nix index e42219e9638c..1b806071c43c 100644 --- a/nixpkgs/nixos/modules/programs/nm-applet.nix +++ b/nixpkgs/nixos/modules/programs/nm-applet.nix @@ -10,5 +10,7 @@ partOf = [ "graphical-session.target" ]; serviceConfig.ExecStart = "${pkgs.networkmanagerapplet}/bin/nm-applet"; }; + + services.dbus.packages = [ pkgs.gcr ]; }; } diff --git a/nixpkgs/nixos/modules/programs/oblogout.nix b/nixpkgs/nixos/modules/programs/oblogout.nix index 720c29b1eaee..a039b0623b52 100644 --- a/nixpkgs/nixos/modules/programs/oblogout.nix +++ b/nixpkgs/nixos/modules/programs/oblogout.nix @@ -1,176 +1,11 @@ -# Global configuration for oblogout. - { config, lib, pkgs, ... }: with lib; -let cfg = config.programs.oblogout; - -in { - ###### interface - - options = { - - programs.oblogout = { - - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to install OBLogout and create <filename>/etc/oblogout.conf</filename>. - See <filename>${pkgs.oblogout}/share/doc/README</filename>. - ''; - }; - - opacity = mkOption { - type = types.int; - default = 70; - description = '' - Opacity percentage of Cairo rendered backgrounds. - ''; - }; - - bgcolor = mkOption { - type = types.str; - default = "black"; - description = '' - Colour name or hex code (#ffffff) of the background color. - ''; - }; - - buttontheme = mkOption { - type = types.str; - default = "simplistic"; - description = '' - Icon theme for the buttons, must be in the themes folder of - the package, or in - <filename>~/.themes/<name>/oblogout/</filename>. - ''; - }; - - buttons = mkOption { - type = types.str; - default = "cancel, logout, restart, shutdown, suspend, hibernate"; - description = '' - List and order of buttons to show. - ''; - }; - - cancel = mkOption { - type = types.str; - default = "Escape"; - description = '' - Cancel logout/shutdown shortcut. - ''; - }; - - shutdown = mkOption { - type = types.str; - default = "S"; - description = '' - Shutdown shortcut. - ''; - }; - - restart = mkOption { - type = types.str; - default = "R"; - description = '' - Restart shortcut. - ''; - }; - - suspend = mkOption { - type = types.str; - default = "U"; - description = '' - Suspend shortcut. - ''; - }; - - logout = mkOption { - type = types.str; - default = "L"; - description = '' - Logout shortcut. - ''; - }; - - lock = mkOption { - type = types.str; - default = "K"; - description = '' - Lock session shortcut. - ''; - }; - - hibernate = mkOption { - type = types.str; - default = "H"; - description = '' - Hibernate shortcut. - ''; - }; - - clogout = mkOption { - type = types.str; - default = "openbox --exit"; - description = '' - Command to logout. - ''; - }; - - clock = mkOption { - type = types.str; - default = ""; - description = '' - Command to lock screen. - ''; - }; - - cswitchuser = mkOption { - type = types.str; - default = ""; - description = '' - Command to switch user. - ''; - }; - }; - }; - - ###### implementation - - config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.oblogout ]; - - environment.etc."oblogout.conf".text = '' - [settings] - usehal = false - - [looks] - opacity = ${toString cfg.opacity} - bgcolor = ${cfg.bgcolor} - buttontheme = ${cfg.buttontheme} - buttons = ${cfg.buttons} - [shortcuts] - cancel = ${cfg.cancel} - shutdown = ${cfg.shutdown} - restart = ${cfg.restart} - suspend = ${cfg.suspend} - logout = ${cfg.logout} - lock = ${cfg.lock} - hibernate = ${cfg.hibernate} + imports = [ + (mkRemovedOptionModule [ "programs" "oblogout" ] "programs.oblogout has been removed from NixOS. This is because the oblogout repository has been archived upstream.") + ]; - [commands] - shutdown = systemctl poweroff - restart = systemctl reboot - suspend = systemctl suspend - hibernate = systemctl hibernate - logout = ${cfg.clogout} - lock = ${cfg.clock} - switchuser = ${cfg.cswitchuser} - ''; - }; } diff --git a/nixpkgs/nixos/modules/programs/screen.nix b/nixpkgs/nixos/modules/programs/screen.nix index 4fd800dbae79..728a0eb8cea5 100644 --- a/nixpkgs/nixos/modules/programs/screen.nix +++ b/nixpkgs/nixos/modules/programs/screen.nix @@ -27,6 +27,7 @@ in environment.etc.screenrc.text = cfg.screenrc; environment.systemPackages = [ pkgs.screen ]; + security.pam.services.screen = {}; }; } diff --git a/nixpkgs/nixos/modules/programs/seahorse.nix b/nixpkgs/nixos/modules/programs/seahorse.nix index c08b0a85374c..b229d2a2c0db 100644 --- a/nixpkgs/nixos/modules/programs/seahorse.nix +++ b/nixpkgs/nixos/modules/programs/seahorse.nix @@ -31,6 +31,8 @@ with lib; config = mkIf config.programs.seahorse.enable { + programs.ssh.askPassword = mkDefault "${pkgs.gnome3.seahorse}/libexec/seahorse/ssh-askpass"; + environment.systemPackages = [ pkgs.gnome3.seahorse ]; diff --git a/nixpkgs/nixos/modules/programs/shadow.nix b/nixpkgs/nixos/modules/programs/shadow.nix index 8ec4169207db..fc352795c017 100644 --- a/nixpkgs/nixos/modules/programs/shadow.nix +++ b/nixpkgs/nixos/modules/programs/shadow.nix @@ -6,17 +6,27 @@ with lib; let + /* + There are three different sources for user/group id ranges, each of which gets + used by different programs: + - The login.defs file, used by the useradd, groupadd and newusers commands + - The update-users-groups.pl file, used by NixOS in the activation phase to + decide on which ids to use for declaratively defined users without a static + id + - Systemd compile time options -Dsystem-uid-max= and -Dsystem-gid-max=, used + by systemd for features like ConditionUser=@system and systemd-sysusers + */ loginDefs = '' DEFAULT_HOME yes SYS_UID_MIN 400 - SYS_UID_MAX 499 + SYS_UID_MAX 999 UID_MIN 1000 UID_MAX 29999 SYS_GID_MIN 400 - SYS_GID_MAX 499 + SYS_GID_MAX 999 GID_MIN 1000 GID_MAX 29999 @@ -66,22 +76,18 @@ in config.users.defaultUserShell; environment.etc = - [ { # /etc/login.defs: global configuration for pwdutils. You - # cannot login without it! - source = pkgs.writeText "login.defs" loginDefs; - target = "login.defs"; - } - - { # /etc/default/useradd: configuration for useradd. - source = pkgs.writeText "useradd" - '' - GROUP=100 - HOME=/home - SHELL=${utils.toShellPath config.users.defaultUserShell} - ''; - target = "default/useradd"; - } - ]; + { # /etc/login.defs: global configuration for pwdutils. You + # cannot login without it! + "login.defs".source = pkgs.writeText "login.defs" loginDefs; + + # /etc/default/useradd: configuration for useradd. + "default/useradd".source = pkgs.writeText "useradd" + '' + GROUP=100 + HOME=/home + SHELL=${utils.toShellPath config.users.defaultUserShell} + ''; + }; security.pam.services = { chsh = { rootOK = true; }; diff --git a/nixpkgs/nixos/modules/programs/shell.nix b/nixpkgs/nixos/modules/programs/shell.nix deleted file mode 100644 index b7f7b91b5fbe..000000000000 --- a/nixpkgs/nixos/modules/programs/shell.nix +++ /dev/null @@ -1,54 +0,0 @@ -# This module defines a standard configuration for NixOS shells. - -{ config, lib, ... }: - -with lib; - -{ - - config = { - - environment.shellInit = - '' - # Set up the per-user profile. - mkdir -m 0755 -p "$NIX_USER_PROFILE_DIR" - if [ "$(stat -c '%u' "$NIX_USER_PROFILE_DIR")" != "$(id -u)" ]; then - echo "WARNING: the per-user profile dir $NIX_USER_PROFILE_DIR should belong to user id $(id -u)" >&2 - fi - - if [ -w "$HOME" ]; then - if ! [ -L "$HOME/.nix-profile" ]; then - if [ "$USER" != root ]; then - ln -s "$NIX_USER_PROFILE_DIR/profile" "$HOME/.nix-profile" - else - # Root installs in the system-wide profile by default. - ln -s /nix/var/nix/profiles/default "$HOME/.nix-profile" - fi - fi - - # Subscribe the root user to the NixOS channel by default. - if [ "$USER" = root -a ! -e "$HOME/.nix-channels" ]; then - echo "${config.system.defaultChannel} nixos" > "$HOME/.nix-channels" - fi - - # Create the per-user garbage collector roots directory. - NIX_USER_GCROOTS_DIR="/nix/var/nix/gcroots/per-user/$USER" - mkdir -m 0755 -p "$NIX_USER_GCROOTS_DIR" - if [ "$(stat -c '%u' "$NIX_USER_GCROOTS_DIR")" != "$(id -u)" ]; then - echo "WARNING: the per-user gcroots dir $NIX_USER_GCROOTS_DIR should belong to user id $(id -u)" >&2 - fi - - # Set up a default Nix expression from which to install stuff. - if [ ! -e "$HOME/.nix-defexpr" -o -L "$HOME/.nix-defexpr" ]; then - rm -f "$HOME/.nix-defexpr" - mkdir -p "$HOME/.nix-defexpr" - if [ "$USER" != root ]; then - ln -s /nix/var/nix/profiles/per-user/root/channels "$HOME/.nix-defexpr/channels_root" - fi - fi - fi - ''; - - }; - -} diff --git a/nixpkgs/nixos/modules/programs/ssh.nix b/nixpkgs/nixos/modules/programs/ssh.nix index 733b8f7636fd..80198990ed11 100644 --- a/nixpkgs/nixos/modules/programs/ssh.nix +++ b/nixpkgs/nixos/modules/programs/ssh.nix @@ -115,6 +115,16 @@ in ''; }; + agentPKCS11Whitelist = mkOption { + type = types.nullOr types.str; + default = null; + example = "\${pkgs.opensc}/lib/opensc-pkcs11.so"; + description = '' + A pattern-list of acceptable paths for PKCS#11 shared libraries + that may be used with the -s option to ssh-add. + ''; + }; + package = mkOption { type = types.package; default = pkgs.openssh; @@ -241,6 +251,7 @@ in ExecStart = "${cfg.package}/bin/ssh-agent " + optionalString (cfg.agentTimeout != null) ("-t ${cfg.agentTimeout} ") + + optionalString (cfg.agentPKCS11Whitelist != null) ("-P ${cfg.agentPKCS11Whitelist} ") + "-a %t/ssh-agent"; StandardOutput = "null"; Type = "forking"; diff --git a/nixpkgs/nixos/modules/programs/ssmtp.nix b/nixpkgs/nixos/modules/programs/ssmtp.nix index 0e060e3f5226..f794eac8af00 100644 --- a/nixpkgs/nixos/modules/programs/ssmtp.nix +++ b/nixpkgs/nixos/modules/programs/ssmtp.nix @@ -8,18 +8,21 @@ with lib; let - - cfg = config.networking.defaultMailServer; + cfg = config.services.ssmtp; in - { + imports = [ + (mkRenamedOptionModule [ "networking" "defaultMailServer" ] [ "services" "ssmtp" ]) + (mkRenamedOptionModule [ "services" "ssmtp" "directDelivery" ] [ "services" "ssmtp" "enable" ]) + ]; + options = { - networking.defaultMailServer = { + services.ssmtp = { - directDelivery = mkOption { + enable = mkOption { type = types.bool; default = false; description = '' @@ -29,7 +32,7 @@ in <command>sendmail</command> or <command>postfix</command> on your machine, set this option to <literal>true</literal>, and set the option - <option>networking.defaultMailServer.hostName</option> to the + <option>services.ssmtp.hostName</option> to the host name of your preferred mail server. ''; }; @@ -129,9 +132,9 @@ in }; - config = mkIf cfg.directDelivery { + config = mkIf cfg.enable { - networking.defaultMailServer.authPassFile = mkIf (cfg.authPass != "") + services.ssmtp.authPassFile = mkIf (cfg.authPass != "") (mkDefault (toString (pkgs.writeTextFile { name = "ssmtp-authpass"; text = cfg.authPass; diff --git a/nixpkgs/nixos/modules/programs/sway.nix b/nixpkgs/nixos/modules/programs/sway.nix index f92d09a7ef44..e2a4018e9023 100644 --- a/nixpkgs/nixos/modules/programs/sway.nix +++ b/nixpkgs/nixos/modules/programs/sway.nix @@ -4,26 +4,32 @@ with lib; let cfg = config.programs.sway; - swayPackage = pkgs.sway; - swayWrapped = pkgs.writeShellScriptBin "sway" '' - set -o errexit - - if [ ! "$_SWAY_WRAPPER_ALREADY_EXECUTED" ]; then - export _SWAY_WRAPPER_ALREADY_EXECUTED=1 - ${cfg.extraSessionCommands} - fi + wrapperOptions = types.submodule { + options = + let + mkWrapperFeature = default: description: mkOption { + type = types.bool; + inherit default; + example = !default; + description = "Whether to make use of the ${description}"; + }; + in { + base = mkWrapperFeature true '' + base wrapper to execute extra session commands and prepend a + dbus-run-session to the sway command. + ''; + gtk = mkWrapperFeature false '' + wrapGAppsHook wrapper to execute sway with required environment + variables for GTK applications. + ''; + }; + }; - if [ "$DBUS_SESSION_BUS_ADDRESS" ]; then - export DBUS_SESSION_BUS_ADDRESS - exec ${swayPackage}/bin/sway "$@" - else - exec ${pkgs.dbus}/bin/dbus-run-session ${swayPackage}/bin/sway "$@" - fi - ''; - swayJoined = pkgs.symlinkJoin { - name = "sway-joined"; - paths = [ swayWrapped swayPackage ]; + swayPackage = pkgs.sway.override { + extraSessionCommands = cfg.extraSessionCommands; + withBaseWrapper = cfg.wrapperFeatures.base; + withGtkWrapper = cfg.wrapperFeatures.gtk; }; in { options.programs.sway = { @@ -35,6 +41,15 @@ in { Please have a look at the "extraSessionCommands" example for running programs natively under Wayland''; + wrapperFeatures = mkOption { + type = wrapperOptions; + default = { }; + example = { gtk = true; }; + description = '' + Attribute set of features to enable in the wrapper. + ''; + }; + extraSessionCommands = mkOption { type = types.lines; default = ""; @@ -55,7 +70,7 @@ in { extraPackages = mkOption { type = with types; listOf package; default = with pkgs; [ - swaylock swayidle swaybg + swaylock swayidle xwayland rxvt_unicode dmenu ]; defaultText = literalExample '' @@ -75,8 +90,17 @@ in { }; config = mkIf cfg.enable { + assertions = [ + { + assertion = cfg.extraSessionCommands != "" -> cfg.wrapperFeatures.base; + message = '' + The extraSessionCommands for Sway will not be run if + wrapperFeatures.base is disabled. + ''; + } + ]; environment = { - systemPackages = [ swayJoined ] ++ cfg.extraPackages; + systemPackages = [ swayPackage ] ++ cfg.extraPackages; etc = { "sway/config".source = mkOptionDefault "${swayPackage}/etc/sway/config"; #"sway/security.d".source = mkOptionDefault "${swayPackage}/etc/sway/security.d/"; @@ -87,6 +111,8 @@ in { hardware.opengl.enable = mkDefault true; fonts.enableDefaultFonts = mkDefault true; programs.dconf.enable = mkDefault true; + # To make a Sway session available if a display manager like SDDM is enabled: + services.xserver.displayManager.sessionPackages = [ swayPackage ]; }; meta.maintainers = with lib.maintainers; [ gnidorah primeos colemickens ]; diff --git a/nixpkgs/nixos/modules/programs/x2goserver.nix b/nixpkgs/nixos/modules/programs/x2goserver.nix index 77a1a0da7993..7d74231e956b 100644 --- a/nixpkgs/nixos/modules/programs/x2goserver.nix +++ b/nixpkgs/nixos/modules/programs/x2goserver.nix @@ -69,6 +69,7 @@ in { users.users.x2go = { home = "/var/lib/x2go/db"; group = "x2go"; + isSystemUser = true; }; security.wrappers.x2gosqliteWrapper = { diff --git a/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix b/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix index f4df4e983e42..932a780a356a 100644 --- a/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix +++ b/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix @@ -29,6 +29,13 @@ let in { + imports = [ + (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "enable" ] [ "programs" "zsh" "ohMyZsh" "enable" ]) + (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "theme" ] [ "programs" "zsh" "ohMyZsh" "theme" ]) + (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "custom" ] [ "programs" "zsh" "ohMyZsh" "custom" ]) + (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "plugins" ] [ "programs" "zsh" "ohMyZsh" "plugins" ]) + ]; + options = { programs.zsh.ohMyZsh = { enable = mkOption { diff --git a/nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix b/nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix index ded17f38a618..037888fdc5a8 100644 --- a/nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix +++ b/nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix @@ -6,6 +6,10 @@ let cfg = config.programs.zsh.autosuggestions; in { + imports = [ + (mkRenamedOptionModule [ "programs" "zsh" "enableAutosuggestions" ] [ "programs" "zsh" "autosuggestions" "enable" ]) + ]; + options.programs.zsh.autosuggestions = { enable = mkEnableOption "zsh-autosuggestions"; diff --git a/nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix b/nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix index 7184e5d9b9a8..927a904369d5 100644 --- a/nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix +++ b/nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix @@ -6,6 +6,13 @@ let cfg = config.programs.zsh.syntaxHighlighting; in { + imports = [ + (mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) + (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "enable" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) + (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "highlighters" ] [ "programs" "zsh" "syntaxHighlighting" "highlighters" ]) + (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "patterns" ] [ "programs" "zsh" "syntaxHighlighting" "patterns" ]) + ]; + options = { programs.zsh.syntaxHighlighting = { enable = mkEnableOption "zsh-syntax-highlighting"; @@ -81,7 +88,7 @@ in ]; programs.zsh.interactiveShellInit = with pkgs; - lib.concatStringsSep "\n" ([ + lib.mkAfter (lib.concatStringsSep "\n" ([ "source ${zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh" ] ++ optional (length(cfg.highlighters) > 0) "ZSH_HIGHLIGHT_HIGHLIGHTERS=(${concatStringsSep " " cfg.highlighters})" @@ -95,6 +102,6 @@ in styles: design: "ZSH_HIGHLIGHT_STYLES[${styles}]='${design}'" ) cfg.styles) - ); + )); }; } diff --git a/nixpkgs/nixos/modules/rename.nix b/nixpkgs/nixos/modules/rename.nix index 802ffcdc94eb..7109ab5a1099 100644 --- a/nixpkgs/nixos/modules/rename.nix +++ b/nixpkgs/nixos/modules/rename.nix @@ -4,289 +4,30 @@ with lib; { imports = [ - (mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "hardware" "enableRedistributableFirmware" ]) - (mkRenamedOptionModule [ "networking" "enableIntel3945ABGFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) - (mkRenamedOptionModule [ "networking" "enableIntel2100BGFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) - (mkRenamedOptionModule [ "networking" "enableRalinkFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) - (mkRenamedOptionModule [ "networking" "enableRTL8192cFirmware" ] [ "hardware" "enableRedistributableFirmware" ]) - (mkRenamedOptionModule [ "networking" "networkmanager" "useDnsmasq" ] [ "networking" "networkmanager" "dns" ]) - (mkChangedOptionModule [ "services" "printing" "gutenprint" ] [ "services" "printing" "drivers" ] - (config: - let enabled = getAttrFromPath [ "services" "printing" "gutenprint" ] config; - in if enabled then [ pkgs.gutenprint ] else [ ])) - (mkChangedOptionModule [ "services" "ddclient" "domain" ] [ "services" "ddclient" "domains" ] - (config: - let value = getAttrFromPath [ "services" "ddclient" "domain" ] config; - in if value != "" then [ value ] else [])) - (mkRemovedOptionModule [ "services" "ddclient" "homeDir" ] "") - (mkRenamedOptionModule [ "services" "flatpak" "extraPortals" ] [ "xdg" "portal" "extraPortals" ]) - (mkRenamedOptionModule [ "services" "i2pd" "extIp" ] [ "services" "i2pd" "address" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "admissionControl" ] [ "services" "kubernetes" "apiserver" "enableAdmissionPlugins" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "address" ] ["services" "kubernetes" "apiserver" "bindAddress"]) - (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "port" ] ["services" "kubernetes" "apiserver" "insecurePort"]) - (mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "publicAddress" ] "") - (mkRenamedOptionModule [ "services" "kubernetes" "addons" "dashboard" "enableRBAC" ] [ "services" "kubernetes" "addons" "dashboard" "rbac" "enable" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "address" ] ["services" "kubernetes" "controllerManager" "bindAddress"]) - (mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "port" ] ["services" "kubernetes" "controllerManager" "insecurePort"]) - (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "servers" ] [ "services" "kubernetes" "apiserver" "etcd" "servers" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "keyFile" ] [ "services" "kubernetes" "apiserver" "etcd" "keyFile" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "certFile" ] [ "services" "kubernetes" "apiserver" "etcd" "certFile" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "caFile" ] [ "services" "kubernetes" "apiserver" "etcd" "caFile" ]) - (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "applyManifests" ] "") - (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "cadvisorPort" ] "") - (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "allowPrivileged" ] "") - (mkRenamedOptionModule [ "services" "kubernetes" "proxy" "address" ] ["services" "kubernetes" "proxy" "bindAddress"]) - (mkRemovedOptionModule [ "services" "kubernetes" "verbose" ] "") - (mkRenamedOptionModule [ "services" "logstash" "address" ] [ "services" "logstash" "listenAddress" ]) - (mkRenamedOptionModule [ "services" "neo4j" "host" ] [ "services" "neo4j" "defaultListenAddress" ]) - (mkRenamedOptionModule [ "services" "neo4j" "listenAddress" ] [ "services" "neo4j" "defaultListenAddress" ]) - (mkRenamedOptionModule [ "services" "neo4j" "enableBolt" ] [ "services" "neo4j" "bolt" "enable" ]) - (mkRenamedOptionModule [ "services" "neo4j" "enableHttps" ] [ "services" "neo4j" "https" "enable" ]) - (mkRenamedOptionModule [ "services" "neo4j" "certDir" ] [ "services" "neo4j" "directories" "certificates" ]) - (mkRenamedOptionModule [ "services" "neo4j" "dataDir" ] [ "services" "neo4j" "directories" "home" ]) - (mkRemovedOptionModule [ "services" "neo4j" "port" ] "Use services.neo4j.http.listenAddress instead.") - (mkRemovedOptionModule [ "services" "neo4j" "boltPort" ] "Use services.neo4j.bolt.listenAddress instead.") - (mkRemovedOptionModule [ "services" "neo4j" "httpsPort" ] "Use services.neo4j.https.listenAddress instead.") - (mkRemovedOptionModule [ "services" "misc" "nzbget" "configFile" ] "The configuration of nzbget is now managed by users through the web interface.") - (mkRemovedOptionModule [ "services" "misc" "nzbget" "dataDir" ] "The data directory for nzbget is now /var/lib/nzbget.") - (mkRemovedOptionModule [ "services" "misc" "nzbget" "openFirewall" ] "The port used by nzbget is managed through the web interface so you should adjust your firewall rules accordingly.") - (mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "user" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a user setting.") - (mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "group" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a group setting.") - (mkRemovedOptionModule [ "services" "prometheus" "alertmanagerURL" ] '' - Due to incompatibility, the alertmanagerURL option has been removed, - please use 'services.prometheus2.alertmanagers' instead. - '') - (mkRenamedOptionModule [ "services" "prometheus2" ] [ "services" "prometheus" ]) - (mkRenamedOptionModule [ "services" "tor" "relay" "portSpec" ] [ "services" "tor" "relay" "port" ]) - (mkRenamedOptionModule [ "services" "vmwareGuest" ] [ "virtualisation" "vmware" "guest" ]) - (mkRenamedOptionModule [ "jobs" ] [ "systemd" "services" ]) + /* + This file defines some renaming/removing options for backwards compatibility - (mkRenamedOptionModule [ "services" "gitlab" "stateDir" ] [ "services" "gitlab" "statePath" ]) - (mkRemovedOptionModule [ "services" "gitlab" "satelliteDir" ] "") - - (mkRenamedOptionModule [ "services" "clamav" "updater" "config" ] [ "services" "clamav" "updater" "extraConfig" ]) - - (mkRemovedOptionModule [ "services" "pykms" "verbose" ] "Use services.pykms.logLevel instead") - - (mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead") - (mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead") - - (mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) - - # PAM - (mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ]) - - # rmilter/rspamd - (mkRemovedOptionModule [ "services" "rmilter" ] "Use services.rspamd.* instead to set up milter service") - - # Xsession script - (mkRenamedOptionModule [ "services" "xserver" "displayManager" "job" "logsXsession" ] [ "services" "xserver" "displayManager" "job" "logToFile" ]) - (mkRenamedOptionModule [ "services" "xserver" "displayManager" "logToJournal" ] [ "services" "xserver" "displayManager" "job" "logToJournal" ]) - - # Old Grub-related options. - (mkRenamedOptionModule [ "boot" "loader" "grub" "timeout" ] [ "boot" "loader" "timeout" ]) - (mkRenamedOptionModule [ "boot" "loader" "gummiboot" "timeout" ] [ "boot" "loader" "timeout" ]) - - # OpenSSH - (mkAliasOptionModule [ "services" "sshd" "enable" ] [ "services" "openssh" "enable" ]) - (mkAliasOptionModule [ "services" "openssh" "knownHosts" ] [ "programs" "ssh" "knownHosts" ]) - - # libvirtd - (mkRemovedOptionModule [ "virtualisation" "libvirtd" "enableKVM" ] - "Set the option `virtualisation.libvirtd.qemuPackage' instead.") - - # ibus - (mkRenamedOptionModule [ "programs" "ibus" "plugins" ] [ "i18n" "inputMethod" "ibus" "engines" ]) - - # sandboxing - (mkRenamedOptionModule [ "nix" "useChroot" ] [ "nix" "useSandbox" ]) - (mkRenamedOptionModule [ "nix" "chrootDirs" ] [ "nix" "sandboxPaths" ]) - - (mkRenamedOptionModule [ "services" "xserver" "vaapiDrivers" ] [ "hardware" "opengl" "extraPackages" ]) + It should ONLY be used when the relevant module can't define these imports + itself, such as when the module was removed completely. + See https://github.com/NixOS/nixpkgs/pull/61570 for explanation + */ + # This alias module can't be where _module.check is defined because it would + # be added to submodules as well there (mkAliasOptionModule [ "environment" "checkConfigurationOptions" ] [ "_module" "check" ]) - # opendkim - (mkRenamedOptionModule [ "services" "opendkim" "keyFile" ] [ "services" "opendkim" "keyPath" ]) - - # Enlightenment - (mkRenamedOptionModule [ "services" "xserver" "desktopManager" "e19" "enable" ] [ "services" "xserver" "desktopManager" "enlightenment" "enable" ]) - - # Iodine - (mkRenamedOptionModule [ "services" "iodined" "enable" ] [ "services" "iodine" "server" "enable" ]) - (mkRenamedOptionModule [ "services" "iodined" "domain" ] [ "services" "iodine" "server" "domain" ]) - (mkRenamedOptionModule [ "services" "iodined" "ip" ] [ "services" "iodine" "server" "ip" ]) - (mkRenamedOptionModule [ "services" "iodined" "extraConfig" ] [ "services" "iodine" "server" "extraConfig" ]) - (mkRemovedOptionModule [ "services" "iodined" "client" ] "") - - # Unity3D - (mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ]) - - # murmur - (mkRenamedOptionModule [ "services" "murmur" "welcome" ] [ "services" "murmur" "welcometext" ]) - (mkRemovedOptionModule [ "services" "murmur" "pidfile" ] "Hardcoded to /run/murmur/murmurd.pid now") - - # parsoid - (mkRemovedOptionModule [ "services" "parsoid" "interwikis" ] "Use services.parsoid.wikis instead") - - # plexpy / tautulli - (mkRenamedOptionModule [ "services" "plexpy" ] [ "services" "tautulli" ]) - - # piwik was renamed to matomo - (mkRenamedOptionModule [ "services" "piwik" "enable" ] [ "services" "matomo" "enable" ]) - (mkRenamedOptionModule [ "services" "piwik" "webServerUser" ] [ "services" "matomo" "webServerUser" ]) - (mkRenamedOptionModule [ "services" "piwik" "phpfpmProcessManagerConfig" ] [ "services" "matomo" "phpfpmProcessManagerConfig" ]) - (mkRenamedOptionModule [ "services" "piwik" "nginx" ] [ "services" "matomo" "nginx" ]) - - # tarsnap - (mkRemovedOptionModule [ "services" "tarsnap" "cachedir" ] "Use services.tarsnap.archives.<name>.cachedir") - - # alsa - (mkRenamedOptionModule [ "sound" "enableMediaKeys" ] [ "sound" "mediaKeys" "enable" ]) - - # postgrey - (mkMergedOptionModule [ [ "services" "postgrey" "inetAddr" ] [ "services" "postgrey" "inetPort" ] ] [ "services" "postgrey" "socket" ] (config: let - value = p: getAttrFromPath p config; - inetAddr = [ "services" "postgrey" "inetAddr" ]; - inetPort = [ "services" "postgrey" "inetPort" ]; - in - if value inetAddr == null - then { path = "/run/postgrey.sock"; } - else { addr = value inetAddr; port = value inetPort; } - )) - - # dhcpd - (mkRenamedOptionModule [ "services" "dhcpd" ] [ "services" "dhcpd4" ]) - - # locate - (mkRenamedOptionModule [ "services" "locate" "period" ] [ "services" "locate" "interval" ]) - (mkRemovedOptionModule [ "services" "locate" "includeStore" ] "Use services.locate.prunePaths" ) - - # nfs - (mkRenamedOptionModule [ "services" "nfs" "lockdPort" ] [ "services" "nfs" "server" "lockdPort" ]) - (mkRenamedOptionModule [ "services" "nfs" "statdPort" ] [ "services" "nfs" "server" "statdPort" ]) - - # KDE Plasma 5 - (mkRenamedOptionModule [ "services" "xserver" "desktopManager" "kde5" ] [ "services" "xserver" "desktopManager" "plasma5" ]) - - # Fontconfig - (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "allowBitmaps" ] [ "fonts" "fontconfig" "allowBitmaps" ]) - (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "allowType1" ] [ "fonts" "fontconfig" "allowType1" ]) - (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "useEmbeddedBitmaps" ] [ "fonts" "fontconfig" "useEmbeddedBitmaps" ]) - (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "forceAutohint" ] [ "fonts" "fontconfig" "forceAutohint" ]) - (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "renderMonoTTFAsBitmap" ] [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ]) - - # postgresqlBackup - (mkRemovedOptionModule [ "services" "postgresqlBackup" "period" ] '' - A systemd timer is now used instead of cron. - The starting time can be configured via <literal>services.postgresqlBackup.startAt</literal>. - '') - - # phpfpm - (mkRemovedOptionModule [ "services" "phpfpm" "poolConfigs" ] "Use services.phpfpm.pools instead.") - - # zabbixServer - (mkRenamedOptionModule [ "services" "zabbixServer" "dbServer" ] [ "services" "zabbixServer" "database" "host" ]) - - # Profile splitting - (mkRenamedOptionModule [ "virtualisation" "growPartition" ] [ "boot" "growPartition" ]) - - # misc/version.nix - (mkRenamedOptionModule [ "system" "nixosVersion" ] [ "system" "nixos" "version" ]) - (mkRenamedOptionModule [ "system" "nixosVersionSuffix" ] [ "system" "nixos" "versionSuffix" ]) - (mkRenamedOptionModule [ "system" "nixosRevision" ] [ "system" "nixos" "revision" ]) - (mkRenamedOptionModule [ "system" "nixosLabel" ] [ "system" "nixos" "label" ]) - - # Users - (mkAliasOptionModule [ "users" "extraUsers" ] [ "users" "users" ]) - (mkAliasOptionModule [ "users" "extraGroups" ] [ "users" "groups" ]) - - # Options that are obsolete and have no replacement. - (mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ] "") - (mkRemovedOptionModule [ "programs" "bash" "enable" ] "") - (mkRemovedOptionModule [ "services" "samba" "defaultShare" ] "") - (mkRemovedOptionModule [ "services" "syslog-ng" "serviceName" ] "") - (mkRemovedOptionModule [ "services" "syslog-ng" "listenToJournal" ] "") - (mkRemovedOptionModule [ "ec2" "metadata" ] "") - (mkRemovedOptionModule [ "services" "openvpn" "enable" ] "") - (mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ] "") - (mkRemovedOptionModule [ "services" "printing" "cupsdConf" ] "") - (mkRemovedOptionModule [ "services" "tor" "relay" "isBridge" ] "Use services.tor.relay.role instead.") - (mkRemovedOptionModule [ "services" "tor" "relay" "isExit" ] "Use services.tor.relay.role instead.") - (mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ] - "See the 16.09 release notes for more information.") - (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "") - (mkRemovedOptionModule [ "services" "dovecot2" "package" ] "") + # Completely removed modules (mkRemovedOptionModule [ "services" "firefox" "syncserver" "user" ] "") (mkRemovedOptionModule [ "services" "firefox" "syncserver" "group" ] "") - (mkRemovedOptionModule [ "fonts" "fontconfig" "hinting" "style" ] "") - (mkRemovedOptionModule [ "services" "xserver" "displayManager" "sddm" "themes" ] - "Set the option `services.xserver.displayManager.sddm.package' instead.") - (mkRemovedOptionModule [ "services" "xserver" "desktopManager" "xfce" "screenLock" ] "") - (mkRemovedOptionModule [ "fonts" "fontconfig" "forceAutohint" ] "") - (mkRemovedOptionModule [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ] "") - (mkRemovedOptionModule [ "virtualisation" "xen" "qemu" ] "You don't need this option anymore, it will work without it.") - (mkRemovedOptionModule [ "services" "logstash" "enableWeb" ] "The web interface was removed from logstash") - (mkRemovedOptionModule [ "boot" "zfs" "enableLegacyCrypto" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "winstone" ] "The corresponding package was removed from nixpkgs.") - (mkRemovedOptionModule [ "services" "mysql" "pidDir" ] "Don't wait for pidfiles, describe dependencies through systemd") - (mkRemovedOptionModule [ "services" "mysql" "rootPassword" ] "Use socket authentication or set the password outside of the nix store.") - (mkRemovedOptionModule [ "services" "zabbixServer" "dbPassword" ] "Use services.zabbixServer.database.passwordFile instead.") - (mkRemovedOptionModule [ "systemd" "generator-packages" ] "Use systemd.packages instead.") - (mkRemovedOptionModule [ "systemd" "coredump" "enable" ] "Enabled by default. Set boot.kernel.sysctl.\"kernel.core_pattern\" = \"core\"; to disable.") - - # ZSH - (mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) - (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "enable" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) - (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "highlighters" ] [ "programs" "zsh" "syntaxHighlighting" "highlighters" ]) - (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "patterns" ] [ "programs" "zsh" "syntaxHighlighting" "patterns" ]) - (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "enable" ] [ "programs" "zsh" "ohMyZsh" "enable" ]) - (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "theme" ] [ "programs" "zsh" "ohMyZsh" "theme" ]) - (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "custom" ] [ "programs" "zsh" "ohMyZsh" "custom" ]) - (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "plugins" ] [ "programs" "zsh" "ohMyZsh" "plugins" ]) - - (mkRenamedOptionModule [ "programs" "zsh" "enableAutosuggestions" ] [ "programs" "zsh" "autosuggestions" "enable" ]) - - # Xen - (mkRenamedOptionModule [ "virtualisation" "xen" "qemu-package" ] [ "virtualisation" "xen" "package-qemu" ]) - - (mkRenamedOptionModule [ "programs" "info" "enable" ] [ "documentation" "info" "enable" ]) - (mkRenamedOptionModule [ "programs" "man" "enable" ] [ "documentation" "man" "enable" ]) - (mkRenamedOptionModule [ "services" "nixosManual" "enable" ] [ "documentation" "nixos" "enable" ]) - - # ckb - (mkRenamedOptionModule [ "hardware" "ckb" "enable" ] [ "hardware" "ckb-next" "enable" ]) - (mkRenamedOptionModule [ "hardware" "ckb" "package" ] [ "hardware" "ckb-next" "package" ]) - - # binfmt - (mkRenamedOptionModule [ "boot" "binfmtMiscRegistrations" ] [ "boot" "binfmt" "registrations" ]) - - # ACME - (mkRemovedOptionModule [ "security" "acme" "directory"] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.") - (mkRemovedOptionModule [ "security" "acme" "preDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal") - (mkRemovedOptionModule [ "security" "acme" "activationDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal") - - # KSM - (mkRenamedOptionModule [ "hardware" "enableKSM" ] [ "hardware" "ksm" "enable" ]) - - # resolvconf - (mkRenamedOptionModule [ "networking" "dnsSingleRequest" ] [ "networking" "resolvconf" "dnsSingleRequest" ]) - (mkRenamedOptionModule [ "networking" "dnsExtensionMechanism" ] [ "networking" "resolvconf" "dnsExtensionMechanism" ]) - (mkRenamedOptionModule [ "networking" "extraResolvconfConf" ] [ "networking" "resolvconf" "extraConfig" ]) - (mkRenamedOptionModule [ "networking" "resolvconfOptions" ] [ "networking" "resolvconf" "extraOptions" ]) - - # Redis - (mkRemovedOptionModule [ "services" "redis" "user" ] "The redis module now is hardcoded to the redis user.") - (mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.") - (mkRemovedOptionModule [ "services" "redis" "dbFilename" ] "The redis module now uses /var/lib/redis/dump.rdb as database dump location.") - (mkRemovedOptionModule [ "services" "redis" "appendOnlyFilename" ] "This option was never used.") - (mkRemovedOptionModule [ "services" "redis" "pidFile" ] "This option was removed.") - - ] ++ (forEach [ "blackboxExporter" "collectdExporter" "fritzboxExporter" - "jsonExporter" "minioExporter" "nginxExporter" "nodeExporter" - "snmpExporter" "unifiExporter" "varnishExporter" ] - (opt: mkRemovedOptionModule [ "services" "prometheus" "${opt}" ] '' - The prometheus exporters are now configured using `services.prometheus.exporters'. - See the 18.03 release notes for more information. - '' )); + (mkRemovedOptionModule [ "networking" "vpnc" ] "Use environment.etc.\"vpnc/service.conf\" instead.") + (mkRemovedOptionModule [ "environment.blcr.enable" ] "The BLCR module has been removed") + (mkRemovedOptionModule [ "services.beegfsEnable" ] "The BeeGFS module has been removed") + (mkRemovedOptionModule [ "services.beegfs" ] "The BeeGFS module has been removed") + (mkRemovedOptionModule [ "services.osquery" ] "The osquery module has been removed") + (mkRemovedOptionModule [ "services.fourStore" ] "The fourStore module has been removed") + (mkRemovedOptionModule [ "services.fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed") + + # Do NOT add any option renames here, see top of the file + ]; } diff --git a/nixpkgs/nixos/modules/security/acme.nix b/nixpkgs/nixos/modules/security/acme.nix index b321c04e574c..890c421b0ea9 100644 --- a/nixpkgs/nixos/modules/security/acme.nix +++ b/nixpkgs/nixos/modules/security/acme.nix @@ -20,6 +20,16 @@ let ''; }; + server = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + ACME Directory Resource URI. Defaults to let's encrypt + production endpoint, + https://acme-v02.api.letsencrypt.org/directory, if unset. + ''; + }; + domain = mkOption { type = types.str; default = name; @@ -69,9 +79,9 @@ let plugins = mkOption { type = types.listOf (types.enum [ "cert.der" "cert.pem" "chain.pem" "external.sh" - "fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json" + "fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json" "account_reg.json" ]); - default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" ]; + default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json" ]; description = '' Plugins to enable. With default settings simp_le will store public certificate bundle in <filename>fullchain.pem</filename>, @@ -109,7 +119,18 @@ in { ###### interface - + imports = [ + (mkRemovedOptionModule [ "security" "acme" "production" ] '' + Use security.acme.server to define your staging ACME server URL instead. + + To use the let's encrypt staging server, use security.acme.server = + "https://acme-staging-v02.api.letsencrypt.org/directory". + '' + ) + (mkRemovedOptionModule [ "security" "acme" "directory"] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.") + (mkRemovedOptionModule [ "security" "acme" "preDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal") + (mkRemovedOptionModule [ "security" "acme" "activationDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal") + ]; options = { security.acme = { @@ -129,6 +150,16 @@ in ''; }; + server = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + ACME Directory Resource URI. Defaults to let's encrypt + production endpoint, + <literal>https://acme-v02.api.letsencrypt.org/directory</literal>, if unset. + ''; + }; + preliminarySelfsigned = mkOption { type = types.bool; default = true; @@ -142,20 +173,6 @@ in ''; }; - production = mkOption { - type = types.bool; - default = true; - description = '' - If set to true, use Let's Encrypt's production environment - instead of the staging environment. The main benefit of the - staging environment is to get much higher rate limits. - - See - <literal>https://letsencrypt.org/docs/staging-environment</literal> - for more detail. - ''; - }; - certs = mkOption { default = { }; type = with types; attrsOf (submodule certOpts); @@ -198,13 +215,24 @@ in ++ optionals (data.email != null) [ "--email" data.email ] ++ concatMap (p: [ "-f" p ]) data.plugins ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains) - ++ optionals (!cfg.production) ["--server" "https://acme-staging.api.letsencrypt.org/directory"]; + ++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)]; acmeService = { description = "Renew ACME Certificate for ${cert}"; after = [ "network.target" "network-online.target" ]; wants = [ "network-online.target" ]; + # simp_le uses requests, which uses certifi under the hood, + # which doesn't respect the system trust store. + # At least in the acme test, we provision a fake CA, impersonating the LE endpoint. + # REQUESTS_CA_BUNDLE is a way to teach python requests to use something else + environment.REQUESTS_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; serviceConfig = { Type = "oneshot"; + # With RemainAfterExit the service is considered active even + # after the main process having exited, which means when it + # gets changed, the activation phase restarts it, meaning + # the permissions of the StateDirectory get adjusted + # according to the specified group + RemainAfterExit = true; SuccessExitStatus = [ "0" "1" ]; User = data.user; Group = data.group; @@ -213,9 +241,9 @@ in StateDirectoryMode = rights; WorkingDirectory = "/var/lib/${lpath}"; ExecStart = "${pkgs.simp_le}/bin/simp_le ${escapeShellArgs cmdline}"; - ExecStopPost = + ExecStartPost = let - script = pkgs.writeScript "acme-post-stop" '' + script = pkgs.writeScript "acme-post-start" '' #!${pkgs.runtimeShell} -e ${data.postRun} ''; diff --git a/nixpkgs/nixos/modules/security/apparmor-suid.nix b/nixpkgs/nixos/modules/security/apparmor-suid.nix index 498c2f25d1c0..3c93f5440ab5 100644 --- a/nixpkgs/nixos/modules/security/apparmor-suid.nix +++ b/nixpkgs/nixos/modules/security/apparmor-suid.nix @@ -4,6 +4,9 @@ let in with lib; { + imports = [ + (mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) + ]; options.security.apparmor.confineSUIDApplications = mkOption { default = true; diff --git a/nixpkgs/nixos/modules/security/chromium-suid-sandbox.nix b/nixpkgs/nixos/modules/security/chromium-suid-sandbox.nix index 2255477f26e4..b83dbc4202a8 100644 --- a/nixpkgs/nixos/modules/security/chromium-suid-sandbox.nix +++ b/nixpkgs/nixos/modules/security/chromium-suid-sandbox.nix @@ -7,6 +7,10 @@ let sandbox = pkgs.chromium.sandbox; in { + imports = [ + (mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ]) + ]; + options.security.chromiumSuidSandbox.enable = mkOption { type = types.bool; default = false; diff --git a/nixpkgs/nixos/modules/security/duosec.nix b/nixpkgs/nixos/modules/security/duosec.nix index 997328ad9e6a..78a82b7154e7 100644 --- a/nixpkgs/nixos/modules/security/duosec.nix +++ b/nixpkgs/nixos/modules/security/duosec.nix @@ -25,19 +25,21 @@ let accept_env_factor=${boolToStr cfg.acceptEnvFactor} ''; - loginCfgFile = optional cfg.ssh.enable - { source = pkgs.writeText "login_duo.conf" configFileLogin; - mode = "0600"; - user = "sshd"; - target = "duo/login_duo.conf"; - }; + loginCfgFile = optionalAttrs cfg.ssh.enable { + "duo/login_duo.conf" = + { source = pkgs.writeText "login_duo.conf" configFileLogin; + mode = "0600"; + user = "sshd"; + }; + }; - pamCfgFile = optional cfg.pam.enable - { source = pkgs.writeText "pam_duo.conf" configFilePam; - mode = "0600"; - user = "sshd"; - target = "duo/pam_duo.conf"; - }; + pamCfgFile = optional cfg.pam.enable { + "duo/pam_duo.conf" = + { source = pkgs.writeText "pam_duo.conf" configFilePam; + mode = "0600"; + user = "sshd"; + }; + }; in { options = { @@ -186,7 +188,7 @@ in environment.systemPackages = [ pkgs.duo-unix ]; security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo"; - environment.etc = loginCfgFile ++ pamCfgFile; + environment.etc = loginCfgFile // pamCfgFile; /* If PAM *and* SSH are enabled, then don't do anything special. If PAM isn't used, set the default SSH-only options. */ diff --git a/nixpkgs/nixos/modules/security/pam.nix b/nixpkgs/nixos/modules/security/pam.nix index 11227354ad3b..bfc2a881387f 100644 --- a/nixpkgs/nixos/modules/security/pam.nix +++ b/nixpkgs/nixos/modules/security/pam.nix @@ -475,15 +475,19 @@ let motd = pkgs.writeText "motd" config.users.motd; - makePAMService = pamService: - { source = pkgs.writeText "${pamService.name}.pam" pamService.text; - target = "pam.d/${pamService.name}"; + makePAMService = name: service: + { name = "pam.d/${name}"; + value.source = pkgs.writeText "${name}.pam" service.text; }; in { + imports = [ + (mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ]) + ]; + ###### interface options = { @@ -707,7 +711,7 @@ in Use "challenge-response" for offline validation using YubiKeys with HMAC-SHA-1 Challenge-Response configurations. See the man-page ykpamcfg(1) for further - details on how to configure offline Challenge-Response validation. + details on how to configure offline Challenge-Response validation. More information can be found <link xlink:href="https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html">here</link>. @@ -756,8 +760,7 @@ in }; }; - environment.etc = - mapAttrsToList (n: v: makePAMService v) config.security.pam.services; + environment.etc = mapAttrs' makePAMService config.security.pam.services; security.pam.services = { other.text = @@ -773,11 +776,8 @@ in ''; # Most of these should be moved to specific modules. - cups = {}; - ftp = {}; i3lock = {}; i3lock-color = {}; - screen = {}; vlock = {}; xlock = {}; xscreensaver = {}; diff --git a/nixpkgs/nixos/modules/security/pam_mount.nix b/nixpkgs/nixos/modules/security/pam_mount.nix index 8b131c54a2a5..77e22a96b553 100644 --- a/nixpkgs/nixos/modules/security/pam_mount.nix +++ b/nixpkgs/nixos/modules/security/pam_mount.nix @@ -36,8 +36,7 @@ in config = mkIf (cfg.enable || anyPamMount) { environment.systemPackages = [ pkgs.pam_mount ]; - environment.etc = [{ - target = "security/pam_mount.conf.xml"; + environment.etc."security/pam_mount.conf.xml" = { source = let extraUserVolumes = filterAttrs (n: u: u.cryptHomeLuks != null) config.users.users; @@ -50,9 +49,6 @@ in <pam_mount> <debug enable="0" /> - ${concatStrings (map userVolumeEntry (attrValues extraUserVolumes))} - ${concatStringsSep "\n" cfg.extraVolumes} - <!-- if activated, requires ofl from hxtools to be present --> <logout wait="0" hup="no" term="no" kill="no" /> <!-- set PATH variable for pam_mount module --> @@ -64,9 +60,12 @@ in <cryptmount>${pkgs.pam_mount}/bin/mount.crypt %(VOLUME) %(MNTPT)</cryptmount> <cryptumount>${pkgs.pam_mount}/bin/umount.crypt %(MNTPT)</cryptumount> <pmvarrun>${pkgs.pam_mount}/bin/pmvarrun -u %(USER) -o %(OPERATION)</pmvarrun> + + ${concatStrings (map userVolumeEntry (attrValues extraUserVolumes))} + ${concatStringsSep "\n" cfg.extraVolumes} </pam_mount> ''; - }]; + }; }; } diff --git a/nixpkgs/nixos/modules/security/polkit.nix b/nixpkgs/nixos/modules/security/polkit.nix index f2b2df4004cb..a6724bd75832 100644 --- a/nixpkgs/nixos/modules/security/polkit.nix +++ b/nixpkgs/nixos/modules/security/polkit.nix @@ -42,15 +42,14 @@ in security.polkit.adminIdentities = mkOption { type = types.listOf types.str; - default = [ "unix-user:0" "unix-group:wheel" ]; + default = [ "unix-group:wheel" ]; example = [ "unix-user:alice" "unix-group:admin" ]; description = '' Specifies which users are considered “administrators”, for those actions that require the user to authenticate as an administrator (i.e. have an <literal>auth_admin</literal> - value). By default, this is the <literal>root</literal> - user and all users in the <literal>wheel</literal> group. + value). By default, this is all users in the <literal>wheel</literal> group. ''; }; diff --git a/nixpkgs/nixos/modules/security/rtkit.nix b/nixpkgs/nixos/modules/security/rtkit.nix index f6dda21c6006..a7b27cbcf215 100644 --- a/nixpkgs/nixos/modules/security/rtkit.nix +++ b/nixpkgs/nixos/modules/security/rtkit.nix @@ -34,9 +34,8 @@ with lib; services.dbus.packages = [ pkgs.rtkit ]; - users.users = singleton - { name = "rtkit"; - uid = config.ids.uids.rtkit; + users.users.rtkit = + { uid = config.ids.uids.rtkit; description = "RealtimeKit daemon"; }; diff --git a/nixpkgs/nixos/modules/security/sudo.nix b/nixpkgs/nixos/modules/security/sudo.nix index 10ee036be84e..d899806ef058 100644 --- a/nixpkgs/nixos/modules/security/sudo.nix +++ b/nixpkgs/nixos/modules/security/sudo.nix @@ -212,7 +212,7 @@ in security.pam.services.sudo = { sshAgentAuth = true; }; - environment.etc = singleton + environment.etc.sudoers = { source = pkgs.runCommand "sudoers" { @@ -222,7 +222,6 @@ in # Make sure that the sudoers file is syntactically valid. # (currently disabled - NIXOS-66) "${pkgs.buildPackages.sudo}/sbin/visudo -f $src -c && cp $src $out"; - target = "sudoers"; mode = "0440"; }; diff --git a/nixpkgs/nixos/modules/security/wrappers/default.nix b/nixpkgs/nixos/modules/security/wrappers/default.nix index 47738e7962ea..a0fadb018eca 100644 --- a/nixpkgs/nixos/modules/security/wrappers/default.nix +++ b/nixpkgs/nixos/modules/security/wrappers/default.nix @@ -94,6 +94,10 @@ let ) programs; in { + imports = [ + (lib.mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead") + (lib.mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead") + ]; ###### interface diff --git a/nixpkgs/nixos/modules/services/admin/oxidized.nix b/nixpkgs/nixos/modules/services/admin/oxidized.nix index 39112c3970d5..94b44630ba6c 100644 --- a/nixpkgs/nixos/modules/services/admin/oxidized.nix +++ b/nixpkgs/nixos/modules/services/admin/oxidized.nix @@ -89,6 +89,7 @@ in group = cfg.group; home = cfg.dataDir; createHome = true; + isSystemUser = true; }; systemd.services.oxidized = { @@ -110,6 +111,7 @@ in Restart = "always"; WorkingDirectory = cfg.dataDir; KillSignal = "SIGKILL"; + PIDFile = "${cfg.dataDir}/.config/oxidized/pid"; }; }; }; diff --git a/nixpkgs/nixos/modules/services/amqp/rabbitmq.nix b/nixpkgs/nixos/modules/services/amqp/rabbitmq.nix index 302b94de1965..697732426ccf 100644 --- a/nixpkgs/nixos/modules/services/amqp/rabbitmq.nix +++ b/nixpkgs/nixos/modules/services/amqp/rabbitmq.nix @@ -80,7 +80,7 @@ in { configItems = mkOption { default = {}; type = types.attrsOf types.str; - example = '' + example = literalExample '' { "auth_backends.1.authn" = "rabbit_auth_backend_ldap"; "auth_backends.1.authz" = "rabbit_auth_backend_internal"; diff --git a/nixpkgs/nixos/modules/services/audio/alsa.nix b/nixpkgs/nixos/modules/services/audio/alsa.nix index f632644af09e..990398e65463 100644 --- a/nixpkgs/nixos/modules/services/audio/alsa.nix +++ b/nixpkgs/nixos/modules/services/audio/alsa.nix @@ -12,6 +12,9 @@ let in { + imports = [ + (mkRenamedOptionModule [ "sound" "enableMediaKeys" ] [ "sound" "mediaKeys" "enable" ]) + ]; ###### interface diff --git a/nixpkgs/nixos/modules/services/audio/jack.nix b/nixpkgs/nixos/modules/services/audio/jack.nix index aa3351f401af..ceff366d0bbb 100644 --- a/nixpkgs/nixos/modules/services/audio/jack.nix +++ b/nixpkgs/nixos/modules/services/audio/jack.nix @@ -223,6 +223,7 @@ in { group = "jackaudio"; extraGroups = [ "audio" ]; description = "JACK Audio system service user"; + isSystemUser = true; }; # http://jackaudio.org/faq/linux_rt_config.html security.pam.loginLimits = [ diff --git a/nixpkgs/nixos/modules/services/audio/mpd.nix b/nixpkgs/nixos/modules/services/audio/mpd.nix index 0df8f9688d25..e20591b5beb4 100644 --- a/nixpkgs/nixos/modules/services/audio/mpd.nix +++ b/nixpkgs/nixos/modules/services/audio/mpd.nix @@ -18,7 +18,6 @@ let ''} state_file "${cfg.dataDir}/state" sticker_file "${cfg.dataDir}/sticker.sql" - log_file "syslog" user "${cfg.user}" group "${cfg.group}" @@ -181,22 +180,23 @@ in { ProtectKernelModules = true; RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_NETLINK"; RestrictNamespaces = true; + Restart = "always"; }; }; - users.users = optionalAttrs (cfg.user == name) (singleton { - inherit uid; - inherit name; - group = cfg.group; - extraGroups = [ "audio" ]; - description = "Music Player Daemon user"; - home = "${cfg.dataDir}"; - }); - - users.groups = optionalAttrs (cfg.group == name) (singleton { - inherit name; - gid = gid; - }); + users.users = optionalAttrs (cfg.user == name) { + ${name} = { + inherit uid; + group = cfg.group; + extraGroups = [ "audio" ]; + description = "Music Player Daemon user"; + home = "${cfg.dataDir}"; + }; + }; + + users.groups = optionalAttrs (cfg.group == name) { + ${name}.gid = gid; + }; }; } diff --git a/nixpkgs/nixos/modules/services/audio/roon-server.nix b/nixpkgs/nixos/modules/services/audio/roon-server.nix index 4eda3c5708da..6aed485638cc 100644 --- a/nixpkgs/nixos/modules/services/audio/roon-server.nix +++ b/nixpkgs/nixos/modules/services/audio/roon-server.nix @@ -66,7 +66,8 @@ in { if cfg.user == "roon-server" then { isSystemUser = true; description = "Roon Server user"; - groups = [ cfg.group "audio" ]; + group = cfg.group; + extraGroups = [ "audio" ]; } else {}; }; diff --git a/nixpkgs/nixos/modules/services/backup/automysqlbackup.nix b/nixpkgs/nixos/modules/services/backup/automysqlbackup.nix index 1884f3536a97..e3a8d1f79934 100644 --- a/nixpkgs/nixos/modules/services/backup/automysqlbackup.nix +++ b/nixpkgs/nixos/modules/services/backup/automysqlbackup.nix @@ -99,7 +99,10 @@ in environment.systemPackages = [ pkg ]; - users.users.${user}.group = group; + users.users.${user} = { + group = group; + isSystemUser = true; + }; users.groups.${group} = { }; systemd.tmpfiles.rules = [ diff --git a/nixpkgs/nixos/modules/services/backup/bacula.nix b/nixpkgs/nixos/modules/services/backup/bacula.nix index 41bda7893a75..cef304734aee 100644 --- a/nixpkgs/nixos/modules/services/backup/bacula.nix +++ b/nixpkgs/nixos/modules/services/backup/bacula.nix @@ -44,7 +44,17 @@ let Pid Directory = "/run"; ${sd_cfg.extraStorageConfig} } - + + ${concatStringsSep "\n" (mapAttrsToList (name: value: '' + Autochanger { + Name = "${name}"; + Device = ${concatStringsSep ", " (map (a: "\"${a}\"") value.devices)}; + Changer Device = "${value.changerDevice}"; + Changer Command = "${value.changerCommand}"; + ${value.extraAutochangerConfig} + } + '') sd_cfg.autochanger)} + ${concatStringsSep "\n" (mapAttrsToList (name: value: '' Device { Name = "${name}"; @@ -103,7 +113,19 @@ let password = mkOption { # TODO: required? description = '' - Specifies the password that must be supplied for a Director to b + Specifies the password that must be supplied for the default Bacula + Console to be authorized. The same password must appear in the + Director resource of the Console configuration file. For added + security, the password is never passed across the network but instead + a challenge response hash code created with the password. This + directive is required. If you have either /dev/random or bc on your + machine, Bacula will generate a random password during the + configuration process, otherwise it will be left blank and you must + manually supply it. + + The password is plain text. It is not generated through any special + process but as noted above, it is better to use random text for + security reasons. ''; }; @@ -111,26 +133,133 @@ let default = "no"; example = "yes"; description = '' - If Monitor is set to no (default), this director will have full + If Monitor is set to <literal>no</literal>, this director will have + full access to this Storage daemon. If Monitor is set to + <literal>yes</literal>, this director will only be able to fetch the + current status of this Storage daemon. + + Please note that if this director is being used by a Monitor, we + highly recommend to set this directive to yes to avoid serious + security problems. + ''; + }; + }; + }; + + autochangerOptions = {...}: + { + options = { + changerDevice = mkOption { + description = '' + The specified name-string must be the generic SCSI device name of the + autochanger that corresponds to the normal read/write Archive Device + specified in the Device resource. This generic SCSI device name + should be specified if you have an autochanger or if you have a + standard tape drive and want to use the Alert Command (see below). + For example, on Linux systems, for an Archive Device name of + <literal>/dev/nst0</literal>, you would specify + <literal>/dev/sg0</literal> for the Changer Device name. Depending + on your exact configuration, and the number of autochangers or the + type of autochanger, what you specify here can vary. This directive + is optional. See the Using AutochangersAutochangersChapter chapter of + this manual for more details of using this and the following + autochanger directives. + ''; + }; + + changerCommand = mkOption { + description = '' + The name-string specifies an external program to be called that will + automatically change volumes as required by Bacula. Normally, this + directive will be specified only in the AutoChanger resource, which + is then used for all devices. However, you may also specify the + different Changer Command in each Device resource. Most frequently, + you will specify the Bacula supplied mtx-changer script as follows: + + <literal>"/path/mtx-changer %c %o %S %a %d"</literal> + + and you will install the mtx on your system (found in the depkgs + release). An example of this command is in the default bacula-sd.conf + file. For more details on the substitution characters that may be + specified to configure your autochanger please see the + AutochangersAutochangersChapter chapter of this manual. For FreeBSD + users, you might want to see one of the several chio scripts in + examples/autochangers. + ''; + default = "/etc/bacula/mtx-changer %c %o %S %a %d"; + }; + + devices = mkOption { + description = '' + ''; + }; + + extraAutochangerConfig = mkOption { + default = ""; + description = '' + Extra configuration to be passed in Autochanger directive. + ''; + example = '' + ''; }; }; }; + deviceOptions = {...}: { options = { archiveDevice = mkOption { # TODO: required? description = '' - The specified name-string gives the system file name of the storage device managed by this storage daemon. This will usually be the device file name of a removable storage device (tape drive), for example " /dev/nst0" or "/dev/rmt/0mbn". For a DVD-writer, it will be for example /dev/hdc. It may also be a directory name if you are archiving to disk storage. + The specified name-string gives the system file name of the storage + device managed by this storage daemon. This will usually be the + device file name of a removable storage device (tape drive), for + example <literal>/dev/nst0</literal> or + <literal>/dev/rmt/0mbn</literal>. For a DVD-writer, it will be for + example <literal>/dev/hdc</literal>. It may also be a directory name + if you are archiving to disk storage. In this case, you must supply + the full absolute path to the directory. When specifying a tape + device, it is preferable that the "non-rewind" variant of the device + file name be given. ''; }; mediaType = mkOption { # TODO: required? description = '' - The specified name-string names the type of media supported by this device, for example, "DLT7000". Media type names are arbitrary in that you set them to anything you want, but they must be known to the volume database to keep track of which storage daemons can read which volumes. In general, each different storage type should have a unique Media Type associated with it. The same name-string must appear in the appropriate Storage resource definition in the Director's configuration file. + The specified name-string names the type of media supported by this + device, for example, <literal>DLT7000</literal>. Media type names are + arbitrary in that you set them to anything you want, but they must be + known to the volume database to keep track of which storage daemons + can read which volumes. In general, each different storage type + should have a unique Media Type associated with it. The same + name-string must appear in the appropriate Storage resource + definition in the Director's configuration file. + + Even though the names you assign are arbitrary (i.e. you choose the + name you want), you should take care in specifying them because the + Media Type is used to determine which storage device Bacula will + select during restore. Thus you should probably use the same Media + Type specification for all drives where the Media can be freely + interchanged. This is not generally an issue if you have a single + Storage daemon, but it is with multiple Storage daemons, especially + if they have incompatible media. + + For example, if you specify a Media Type of <literal>DDS-4</literal> + then during the restore, Bacula will be able to choose any Storage + Daemon that handles <literal>DDS-4</literal>. If you have an + autochanger, you might want to name the Media Type in a way that is + unique to the autochanger, unless you wish to possibly use the + Volumes in other drives. You should also ensure to have unique Media + Type names if the Media is not compatible between drives. This + specification is required for all devices. + + In addition, if you are using disk storage, each Device resource will + generally have a different mount point or directory. In order for + Bacula to select the correct Device resource, each one must have a + unique Media Type. ''; }; @@ -166,8 +295,8 @@ in { default = "${config.networking.hostName}-fd"; description = '' The client name that must be used by the Director when connecting. - Generally, it is a good idea to use a name related to the machine - so that error messages can be easily identified if you have multiple + Generally, it is a good idea to use a name related to the machine so + that error messages can be easily identified if you have multiple Clients. This directive is required. ''; }; @@ -232,7 +361,8 @@ in { default = 9103; type = types.int; description = '' - Specifies port number on which the Storage daemon listens for Director connections. The default is 9103. + Specifies port number on which the Storage daemon listens for + Director connections. ''; }; @@ -251,7 +381,15 @@ in { ''; type = with types; attrsOf (submodule deviceOptions); }; - + + autochanger = mkOption { + default = {}; + description = '' + This option defines Autochanger resources in Bacula Storage Daemon. + ''; + type = with types; attrsOf (submodule autochangerOptions); + }; + extraStorageConfig = mkOption { default = ""; description = '' @@ -287,7 +425,8 @@ in { name = mkOption { default = "${config.networking.hostName}-dir"; description = '' - The director name used by the system administrator. This directive is required. + The director name used by the system administrator. This directive is + required. ''; }; @@ -295,7 +434,12 @@ in { default = 9101; type = types.int; description = '' - Specify the port (a positive integer) on which the Director daemon will listen for Bacula Console connections. This same port number must be specified in the Director resource of the Console configuration file. The default is 9101, so normally this directive need not be specified. This directive should not be used if you specify DirAddresses (N.B plural) directive. + Specify the port (a positive integer) on which the Director daemon + will listen for Bacula Console connections. This same port number + must be specified in the Director resource of the Console + configuration file. The default is 9101, so normally this directive + need not be specified. This directive should not be used if you + specify DirAddresses (N.B plural) directive. ''; }; diff --git a/nixpkgs/nixos/modules/services/backup/borgbackup.nix b/nixpkgs/nixos/modules/services/backup/borgbackup.nix index 2ad116a7872a..a2eb80c55a8c 100644 --- a/nixpkgs/nixos/modules/services/backup/borgbackup.nix +++ b/nixpkgs/nixos/modules/services/backup/borgbackup.nix @@ -8,7 +8,7 @@ let builtins.substring 0 1 x == "/" # absolute path || builtins.substring 0 1 x == "." # relative path || builtins.match "[.*:.*]" == null; # not machine:path - + mkExcludeFile = cfg: # Write each exclude pattern to a new line pkgs.writeText "excludefile" (concatStringsSep "\n" cfg.exclude); @@ -68,7 +68,7 @@ let { BORG_PASSPHRASE = passphrase; } else { }; - mkBackupService = name: cfg: + mkBackupService = name: cfg: let userHome = config.users.users.${cfg.user}.home; in nameValuePair "borgbackup-job-${name}" { @@ -98,18 +98,35 @@ let inherit (cfg) startAt; }; + # utility function around makeWrapper + mkWrapperDrv = { + original, name, set ? {} + }: + pkgs.runCommandNoCC "${name}-wrapper" { + buildInputs = [ pkgs.makeWrapper ]; + } (with lib; '' + makeWrapper "${original}" "$out/bin/${name}" \ + ${concatStringsSep " \\\n " (mapAttrsToList (name: value: ''--set ${name} "${value}"'') set)} + ''); + + mkBorgWrapper = name: cfg: mkWrapperDrv { + original = "${pkgs.borgbackup}/bin/borg"; + name = "borg-job-${name}"; + set = { BORG_REPO = cfg.repo; } // (mkPassEnv cfg) // cfg.environment; + }; + # Paths listed in ReadWritePaths must exist before service is started mkActivationScript = name: cfg: let install = "install -o ${cfg.user} -g ${cfg.group}"; in nameValuePair "borgbackup-job-${name}" (stringAfter [ "users" ] ('' - # Eensure that the home directory already exists + # Ensure that the home directory already exists # We can't assert createHome == true because that's not the case for root - cd "${config.users.users.${cfg.user}.home}" + cd "${config.users.users.${cfg.user}.home}" ${install} -d .config/borg ${install} -d .cache/borg - '' + optionalString (isLocalPath cfg.repo) '' + '' + optionalString (isLocalPath cfg.repo && !cfg.removableDevice) '' ${install} -d ${escapeShellArg cfg.repo} '')); @@ -163,13 +180,24 @@ let + " without at least one public key"; }; + mkRemovableDeviceAssertions = name: cfg: { + assertion = !(isLocalPath cfg.repo) -> !cfg.removableDevice; + message = '' + borgbackup.repos.${name}: repo isn't a local path, thus it can't be a removable device! + ''; + }; + in { meta.maintainers = with maintainers; [ dotlambda ]; ###### interface options.services.borgbackup.jobs = mkOption { - description = "Deduplicating backups using BorgBackup."; + description = '' + Deduplicating backups using BorgBackup. + Adding a job will cause a borg-job-NAME wrapper to be added + to your system path, so that you can perform maintenance easily. + ''; default = { }; example = literalExample '' { @@ -202,6 +230,12 @@ in { example = "user@machine:/path/to/repo"; }; + removableDevice = mkOption { + type = types.bool; + default = false; + description = "Whether the repo (which must be local) is a removable device."; + }; + archiveBaseName = mkOption { type = types.strMatching "[^/{}]+"; default = "${globalConfig.networking.hostName}-${name}"; @@ -511,7 +545,6 @@ in { type = types.attrsOf (types.submodule ( { ... }: { options = { - path = mkOption { type = types.path; description = '' @@ -598,7 +631,8 @@ in { (with config.services.borgbackup; { assertions = mapAttrsToList mkPassAssertion jobs - ++ mapAttrsToList mkKeysAssertion repos; + ++ mapAttrsToList mkKeysAssertion repos + ++ mapAttrsToList mkRemovableDeviceAssertions jobs; system.activationScripts = mapAttrs' mkActivationScript jobs; @@ -610,6 +644,6 @@ in { users = mkMerge (mapAttrsToList mkUsersConfig repos); - environment.systemPackages = with pkgs; [ borgbackup ]; + environment.systemPackages = with pkgs; [ borgbackup ] ++ (mapAttrsToList mkBorgWrapper jobs); }); } diff --git a/nixpkgs/nixos/modules/services/backup/mysql-backup.nix b/nixpkgs/nixos/modules/services/backup/mysql-backup.nix index dbd5605143f6..f58af82773f3 100644 --- a/nixpkgs/nixos/modules/services/backup/mysql-backup.nix +++ b/nixpkgs/nixos/modules/services/backup/mysql-backup.nix @@ -84,13 +84,14 @@ in }; config = mkIf cfg.enable { - users.users = optionalAttrs (cfg.user == defaultUser) (singleton - { name = defaultUser; + users.users = optionalAttrs (cfg.user == defaultUser) { + ${defaultUser} = { isSystemUser = true; createHome = false; home = cfg.location; group = "nogroup"; - }); + }; + }; services.mysql.ensureUsers = [{ name = cfg.user; diff --git a/nixpkgs/nixos/modules/services/backup/postgresql-backup.nix b/nixpkgs/nixos/modules/services/backup/postgresql-backup.nix index 13a36ae32ac0..580c7ce68f1d 100644 --- a/nixpkgs/nixos/modules/services/backup/postgresql-backup.nix +++ b/nixpkgs/nixos/modules/services/backup/postgresql-backup.nix @@ -35,6 +35,13 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "postgresqlBackup" "period" ] '' + A systemd timer is now used instead of cron. + The starting time can be configured via <literal>services.postgresqlBackup.startAt</literal>. + '') + ]; + options = { services.postgresqlBackup = { enable = mkOption { @@ -82,7 +89,7 @@ in { pgdumpOptions = mkOption { type = types.separatedString " "; - default = "-Cbo"; + default = "-C"; description = '' Command line options for pg_dump. This options is not used if <literal>config.services.postgresqlBackup.backupAll</literal> is enabled. diff --git a/nixpkgs/nixos/modules/services/backup/tarsnap.nix b/nixpkgs/nixos/modules/services/backup/tarsnap.nix index 4fc7c24813a5..6d99a1efb613 100644 --- a/nixpkgs/nixos/modules/services/backup/tarsnap.nix +++ b/nixpkgs/nixos/modules/services/backup/tarsnap.nix @@ -23,6 +23,10 @@ let ''; in { + imports = [ + (mkRemovedOptionModule [ "services" "tarsnap" "cachedir" ] "Use services.tarsnap.archives.<name>.cachedir") + ]; + options = { services.tarsnap = { enable = mkOption { diff --git a/nixpkgs/nixos/modules/services/backup/znapzend.nix b/nixpkgs/nixos/modules/services/backup/znapzend.nix index f317078ddda2..203631a577f0 100644 --- a/nixpkgs/nixos/modules/services/backup/znapzend.nix +++ b/nixpkgs/nixos/modules/services/backup/znapzend.nix @@ -34,6 +34,8 @@ let description = "string of the form number{b|k|M|G}"; }; + enabledFeatures = concatLists (mapAttrsToList (name: enabled: optional enabled name) cfg.features); + # Type for a string that must contain certain other strings (the list parameter). # Note that these would need regex escaping. stringContainingStrings = list: let @@ -354,6 +356,22 @@ in ''; default = false; }; + + features.recvu = mkEnableOption '' + recvu feature which uses <literal>-u</literal> on the receiving end to keep the destination + filesystem unmounted. + ''; + features.compressed = mkEnableOption '' + compressed feature which adds the options <literal>-Lce</literal> to + the <command>zfs send</command> command. When this is enabled, make + sure that both the sending and receiving pool have the same relevant + features enabled. Using <literal>-c</literal> will skip unneccessary + decompress-compress stages, <literal>-L</literal> is for large block + support and -e is for embedded data support. see + <citerefentry><refentrytitle>znapzend</refentrytitle><manvolnum>1</manvolnum></citerefentry> + and <citerefentry><refentrytitle>zfs</refentrytitle><manvolnum>8</manvolnum></citerefentry> + for more info. + ''; }; }; @@ -381,12 +399,22 @@ in ''; serviceConfig = { + # znapzendzetup --import apparently tries to connect to the backup + # host 3 times with a timeout of 30 seconds, leading to a startup + # delay of >90s when the host is down, which is just above the default + # service timeout of 90 seconds. Increase the timeout so it doesn't + # make the service fail in that case. + TimeoutStartSec = 180; + # Needs to have write access to ZFS + User = "root"; ExecStart = let args = concatStringsSep " " [ "--logto=${cfg.logTo}" "--loglevel=${cfg.logLevel}" (optionalString cfg.noDestroy "--nodestroy") (optionalString cfg.autoCreation "--autoCreation") + (optionalString (enabledFeatures != []) + "--features=${concatStringsSep "," enabledFeatures}") ]; in "${pkgs.znapzend}/bin/znapzend ${args}"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; Restart = "on-failure"; diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix index 70f96d75a461..2ed7742eda09 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix @@ -5,6 +5,10 @@ with lib; let cfg = config.services.kubernetes.addons.dashboard; in { + imports = [ + (mkRenamedOptionModule [ "services" "kubernetes" "addons" "dashboard" "enableRBAC" ] [ "services" "kubernetes" "addons" "dashboard" "rbac" "enable" ]) + ]; + options.services.kubernetes.addons.dashboard = { enable = mkEnableOption "kubernetes dashboard addon"; diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix index 47e588de3c93..f12e866930da 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix @@ -3,7 +3,7 @@ with lib; let - version = "1.5.0"; + version = "1.6.4"; cfg = config.services.kubernetes.addons.dns; ports = { dns = 10053; @@ -55,9 +55,9 @@ in { type = types.attrs; default = { imageName = "coredns/coredns"; - imageDigest = "sha256:e83beb5e43f8513fa735e77ffc5859640baea30a882a11cc75c4c3244a737d3c"; + imageDigest = "sha256:493ee88e1a92abebac67cbd4b5658b4730e0f33512461442d8d9214ea6734a9b"; finalImageTag = version; - sha256 = "15sbmhrxjxidj0j0cccn1qxpg6al175w43m6ngspl0mc132zqc9q"; + sha256 = "0fm9zdjavpf5hni8g7fkdd3csjbhd7n7py7llxjc66sbii087028"; }; }; }; @@ -68,7 +68,7 @@ in { services.kubernetes.addonManager.bootstrapAddons = { coredns-cr = { - apiVersion = "rbac.authorization.k8s.io/v1beta1"; + apiVersion = "rbac.authorization.k8s.io/v1"; kind = "ClusterRole"; metadata = { labels = { @@ -94,7 +94,7 @@ in { }; coredns-crb = { - apiVersion = "rbac.authorization.k8s.io/v1beta1"; + apiVersion = "rbac.authorization.k8s.io/v1"; kind = "ClusterRoleBinding"; metadata = { annotations = { @@ -170,7 +170,7 @@ in { }; coredns-deploy = { - apiVersion = "extensions/v1beta1"; + apiVersion = "apps/v1"; kind = "Deployment"; metadata = { labels = { diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix index 33796bf2e080..95bdb4c0d14e 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix @@ -13,6 +13,18 @@ let )) + ".1"); in { + + imports = [ + (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "admissionControl" ] [ "services" "kubernetes" "apiserver" "enableAdmissionPlugins" ]) + (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "address" ] ["services" "kubernetes" "apiserver" "bindAddress"]) + (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "port" ] ["services" "kubernetes" "apiserver" "insecurePort"]) + (mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "publicAddress" ] "") + (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "servers" ] [ "services" "kubernetes" "apiserver" "etcd" "servers" ]) + (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "keyFile" ] [ "services" "kubernetes" "apiserver" "etcd" "keyFile" ]) + (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "certFile" ] [ "services" "kubernetes" "apiserver" "etcd" "certFile" ]) + (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "caFile" ] [ "services" "kubernetes" "apiserver" "etcd" "caFile" ]) + ]; + ###### interface options.services.kubernetes.apiserver = with lib.types; { diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix index 0b73d090f241..a99ef6640e97 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix @@ -7,6 +7,11 @@ let cfg = top.controllerManager; in { + imports = [ + (mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "address" ] ["services" "kubernetes" "controllerManager" "bindAddress"]) + (mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "port" ] ["services" "kubernetes" "controllerManager" "insecurePort"]) + ]; + ###### interface options.services.kubernetes.controllerManager = with lib.types; { diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix index 3790ac9b6918..3a11a6513a49 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix @@ -74,6 +74,10 @@ let }; in { + imports = [ + (mkRemovedOptionModule [ "services" "kubernetes" "verbose" ] "") + ]; + ###### interface options.services.kubernetes = { @@ -262,8 +266,7 @@ in { "d /var/lib/kubernetes 0755 kubernetes kubernetes -" ]; - users.users = singleton { - name = "kubernetes"; + users.users.kubernetes = { uid = config.ids.uids.kubernetes; description = "Kubernetes user"; extraGroups = [ "docker" ]; diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix index d799e638fc94..548ffed1ddb5 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix @@ -40,6 +40,7 @@ in cni.config = mkDefault [{ name = "mynet"; type = "flannel"; + cniVersion = "0.3.1"; delegate = { isDefaultGateway = true; bridge = "docker0"; diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix index 250da4c807ec..c3d67552cc8c 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix @@ -52,6 +52,12 @@ let taints = concatMapStringsSep "," (v: "${v.key}=${v.value}:${v.effect}") (mapAttrsToList (n: v: v) cfg.taints); in { + imports = [ + (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "applyManifests" ] "") + (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "cadvisorPort" ] "") + (mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "allowPrivileged" ] "") + ]; + ###### interface options.services.kubernetes.kubelet = with lib.types; { @@ -92,7 +98,7 @@ in default = []; example = literalExample '' [{ - "cniVersion": "0.2.0", + "cniVersion": "0.3.1", "name": "mynet", "type": "bridge", "bridge": "cni0", @@ -106,7 +112,7 @@ in ] } } { - "cniVersion": "0.2.0", + "cniVersion": "0.3.1", "type": "loopback" }] ''; diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix index bd4bf04ea833..86d1dc2439bd 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix @@ -7,6 +7,9 @@ let cfg = top.proxy; in { + imports = [ + (mkRenamedOptionModule [ "services" "kubernetes" "proxy" "address" ] ["services" "kubernetes" "proxy" "bindAddress"]) + ]; ###### interface options.services.kubernetes.proxy = with lib.types; { @@ -31,6 +34,12 @@ in type = listOf str; }; + hostname = mkOption { + description = "Kubernetes proxy hostname override."; + default = config.networking.hostName; + type = str; + }; + kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes proxy"; verbosity = mkOption { @@ -59,6 +68,7 @@ in "--cluster-cidr=${top.clusterCidr}"} \ ${optionalString (cfg.featureGates != []) "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \ + --hostname-override=${cfg.hostname} \ --kubeconfig=${top.lib.mkKubeConfig "kube-proxy" cfg.kubeconfig} \ ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ ${cfg.extraOpts} @@ -69,6 +79,8 @@ in }; }; + services.kubernetes.proxy.hostname = with config.networking; mkDefault hostName; + services.kubernetes.pki.certs = { kubeProxyClient = top.lib.mkCert { name = "kube-proxy-client"; diff --git a/nixpkgs/nixos/modules/services/computing/slurm/slurm.nix b/nixpkgs/nixos/modules/services/computing/slurm/slurm.nix index d1a1383e45b0..c70d999ca96d 100644 --- a/nixpkgs/nixos/modules/services/computing/slurm/slurm.nix +++ b/nixpkgs/nixos/modules/services/computing/slurm/slurm.nix @@ -18,7 +18,7 @@ let ${optionalString (cfg.controlAddr != null) ''controlAddr=${cfg.controlAddr}''} ${toString (map (x: "NodeName=${x}\n") cfg.nodeName)} ${toString (map (x: "PartitionName=${x}\n") cfg.partitionName)} - PlugStackConfig=${plugStackConfig} + PlugStackConfig=${plugStackConfig}/plugstack.conf ProctrackType=${cfg.procTrackType} ${cfg.extraConfig} ''; @@ -39,6 +39,8 @@ let DbdHost=${cfg.dbdserver.dbdHost} SlurmUser=${cfg.user} StorageType=accounting_storage/mysql + StorageUser=${cfg.dbdserver.storageUser} + ${optionalString (cfg.dbdserver.storagePass != null) "StoragePass=${cfg.dbdserver.storagePass}"} ${cfg.dbdserver.extraConfig} ''; @@ -48,7 +50,6 @@ let name = "etc-slurm"; paths = [ configFile cgroupConfig plugStackConfig ] ++ cfg.extraConfigPaths; }; - in { @@ -86,6 +87,37 @@ in ''; }; + storageUser = mkOption { + type = types.str; + default = cfg.user; + description = '' + Database user name. + ''; + }; + + storagePass = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Database password. Note that this password will be publicable + readable in the nix store. Use <option>configFile</option> + to store the and config file and password outside the nix store. + ''; + }; + + configFile = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Path to <literal>slurmdbd.conf</literal>. The password for the database connection + is stored in the config file. Use this option to specfify a path + outside the nix store. If this option is unset a configuration file + will be generated. See also: + <citerefentry><refentrytitle>slurmdbd.conf</refentrytitle> + <manvolnum>8</manvolnum></citerefentry>. + ''; + }; + extraConfig = mkOption { type = types.lines; default = ""; @@ -112,7 +144,7 @@ in package = mkOption { type = types.package; - default = pkgs.slurm; + default = pkgs.slurm.override { enableX11 = ! cfg.enableSrunX11; }; defaultText = "pkgs.slurm"; example = literalExample "pkgs.slurm-full"; description = '' @@ -178,9 +210,14 @@ in If enabled srun will accept the option "--x11" to allow for X11 forwarding from within an interactive session or a batch job. This activates the slurm-spank-x11 module. Note that this option also enables - 'services.openssh.forwardX11' on the client. + <option>services.openssh.forwardX11</option> on the client. This option requires slurm to be compiled without native X11 support. + The default behavior is to re-compile the slurm package with native X11 + support disabled if this option is set to true. + + To use the native X11 support add <literal>PrologFlags=X11</literal> in <option>extraConfig</option>. + Note that this method will only work RSA SSH host keys. ''; }; @@ -356,7 +393,11 @@ in requires = [ "munged.service" "mysql.service" ]; # slurm strips the last component off the path - environment.SLURM_CONF = "${slurmdbdConf}/slurm.conf"; + environment.SLURM_CONF = + if (cfg.dbdserver.configFile == null) then + "${slurmdbdConf}/slurm.conf" + else + cfg.dbdserver.configFile; serviceConfig = { Type = "forking"; diff --git a/nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix b/nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix index 9c615fbe885f..326d2cbd82cc 100644 --- a/nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix +++ b/nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix @@ -223,18 +223,19 @@ in { config = mkIf cfg.enable { users.groups = optional (cfg.group == "buildbot") { - name = "buildbot"; + buildbot = { }; }; - users.users = optional (cfg.user == "buildbot") { - name = "buildbot"; - description = "Buildbot User."; - isNormalUser = true; - createHome = true; - home = cfg.home; - group = cfg.group; - extraGroups = cfg.extraGroups; - useDefaultShell = true; + users.users = optionalAttrs (cfg.user == "buildbot") { + buildbot = { + description = "Buildbot User."; + isNormalUser = true; + createHome = true; + home = cfg.home; + group = cfg.group; + extraGroups = cfg.extraGroups; + useDefaultShell = true; + }; }; systemd.services.buildbot-master = { diff --git a/nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix b/nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix index 49e04ca36228..7613692f0a34 100644 --- a/nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix +++ b/nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix @@ -137,18 +137,19 @@ in { services.buildbot-worker.workerPassFile = mkDefault (pkgs.writeText "buildbot-worker-password" cfg.workerPass); users.groups = optional (cfg.group == "bbworker") { - name = "bbworker"; + bbworker = { }; }; - users.users = optional (cfg.user == "bbworker") { - name = "bbworker"; - description = "Buildbot Worker User."; - isNormalUser = true; - createHome = true; - home = cfg.home; - group = cfg.group; - extraGroups = cfg.extraGroups; - useDefaultShell = true; + users.users = optionalAttrs (cfg.user == "bbworker") { + bbworker = { + description = "Buildbot Worker User."; + isNormalUser = true; + createHome = true; + home = cfg.home; + group = cfg.group; + extraGroups = cfg.extraGroups; + useDefaultShell = true; + }; }; systemd.services.buildbot-worker = { diff --git a/nixpkgs/nixos/modules/services/continuous-integration/buildkite-agent.nix b/nixpkgs/nixos/modules/services/continuous-integration/buildkite-agent.nix index 12cc3d2b1ccc..32f361454bc1 100644 --- a/nixpkgs/nixos/modules/services/continuous-integration/buildkite-agent.nix +++ b/nixpkgs/nixos/modules/services/continuous-integration/buildkite-agent.nix @@ -191,6 +191,7 @@ in createHome = true; description = "Buildkite agent user"; extraGroups = [ "keys" ]; + isSystemUser = true; }; environment.systemPackages = [ cfg.package ]; diff --git a/nixpkgs/nixos/modules/services/continuous-integration/gocd-agent/default.nix b/nixpkgs/nixos/modules/services/continuous-integration/gocd-agent/default.nix index 8126f27c2b0c..2e9e1c94857a 100644 --- a/nixpkgs/nixos/modules/services/continuous-integration/gocd-agent/default.nix +++ b/nixpkgs/nixos/modules/services/continuous-integration/gocd-agent/default.nix @@ -135,20 +135,20 @@ in { }; config = mkIf cfg.enable { - users.groups = optional (cfg.group == "gocd-agent") { - name = "gocd-agent"; - gid = config.ids.gids.gocd-agent; + users.groups = optionalAttrs (cfg.group == "gocd-agent") { + gocd-agent.gid = config.ids.gids.gocd-agent; }; - users.users = optional (cfg.user == "gocd-agent") { - name = "gocd-agent"; - description = "gocd-agent user"; - createHome = true; - home = cfg.workDir; - group = cfg.group; - extraGroups = cfg.extraGroups; - useDefaultShell = true; - uid = config.ids.uids.gocd-agent; + users.users = optionalAttrs (cfg.user == "gocd-agent") { + gocd-agent = { + description = "gocd-agent user"; + createHome = true; + home = cfg.workDir; + group = cfg.group; + extraGroups = cfg.extraGroups; + useDefaultShell = true; + uid = config.ids.uids.gocd-agent; + }; }; systemd.services.gocd-agent = { diff --git a/nixpkgs/nixos/modules/services/continuous-integration/gocd-server/default.nix b/nixpkgs/nixos/modules/services/continuous-integration/gocd-server/default.nix index 8f177da129e5..4fa41ac49edf 100644 --- a/nixpkgs/nixos/modules/services/continuous-integration/gocd-server/default.nix +++ b/nixpkgs/nixos/modules/services/continuous-integration/gocd-server/default.nix @@ -143,20 +143,20 @@ in { }; config = mkIf cfg.enable { - users.groups = optional (cfg.group == "gocd-server") { - name = "gocd-server"; - gid = config.ids.gids.gocd-server; + users.groups = optionalAttrs (cfg.group == "gocd-server") { + gocd-server.gid = config.ids.gids.gocd-server; }; - users.users = optional (cfg.user == "gocd-server") { - name = "gocd-server"; - description = "gocd-server user"; - createHome = true; - home = cfg.workDir; - group = cfg.group; - extraGroups = cfg.extraGroups; - useDefaultShell = true; - uid = config.ids.uids.gocd-server; + users.users = optionalAttrs (cfg.user == "gocd-server") { + gocd-server = { + description = "gocd-server user"; + createHome = true; + home = cfg.workDir; + group = cfg.group; + extraGroups = cfg.extraGroups; + useDefaultShell = true; + uid = config.ids.uids.gocd-server; + }; }; systemd.services.gocd-server = { diff --git a/nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix b/nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix index 2da10a9a5e2a..30c5550f71c5 100644 --- a/nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix +++ b/nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix @@ -242,8 +242,8 @@ in environment.variables = hydraEnv; nix.extraOptions = '' - gc-keep-outputs = true - gc-keep-derivations = true + keep-outputs = true + keep-derivations = true # The default (`true') slows Nix down a lot since the build farm # has so many GC roots. diff --git a/nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix b/nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix index 0ec906713885..1477c471f8ab 100644 --- a/nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix +++ b/nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix @@ -150,20 +150,20 @@ in { pkgs.dejavu_fonts ]; - users.groups = optional (cfg.group == "jenkins") { - name = "jenkins"; - gid = config.ids.gids.jenkins; + users.groups = optionalAttrs (cfg.group == "jenkins") { + jenkins.gid = config.ids.gids.jenkins; }; - users.users = optional (cfg.user == "jenkins") { - name = "jenkins"; - description = "jenkins user"; - createHome = true; - home = cfg.home; - group = cfg.group; - extraGroups = cfg.extraGroups; - useDefaultShell = true; - uid = config.ids.uids.jenkins; + users.users = optionalAttrs (cfg.user == "jenkins") { + jenkins = { + description = "jenkins user"; + createHome = true; + home = cfg.home; + group = cfg.group; + extraGroups = cfg.extraGroups; + useDefaultShell = true; + uid = config.ids.uids.jenkins; + }; }; systemd.services.jenkins = { diff --git a/nixpkgs/nixos/modules/services/continuous-integration/jenkins/slave.nix b/nixpkgs/nixos/modules/services/continuous-integration/jenkins/slave.nix index 92deabc3dd3b..26368cb94e47 100644 --- a/nixpkgs/nixos/modules/services/continuous-integration/jenkins/slave.nix +++ b/nixpkgs/nixos/modules/services/continuous-integration/jenkins/slave.nix @@ -51,18 +51,18 @@ in { config = mkIf (cfg.enable && !masterCfg.enable) { users.groups = optional (cfg.group == "jenkins") { - name = "jenkins"; - gid = config.ids.gids.jenkins; + jenkins.gid = config.ids.gids.jenkins; }; - users.users = optional (cfg.user == "jenkins") { - name = "jenkins"; - description = "jenkins user"; - createHome = true; - home = cfg.home; - group = cfg.group; - useDefaultShell = true; - uid = config.ids.uids.jenkins; + users.users = optionalAttrs (cfg.user == "jenkins") { + jenkins = { + description = "jenkins user"; + createHome = true; + home = cfg.home; + group = cfg.group; + useDefaultShell = true; + uid = config.ids.uids.jenkins; + }; }; }; } diff --git a/nixpkgs/nixos/modules/services/databases/4store-endpoint.nix b/nixpkgs/nixos/modules/services/databases/4store-endpoint.nix deleted file mode 100644 index 59ed0e5f0afd..000000000000 --- a/nixpkgs/nixos/modules/services/databases/4store-endpoint.nix +++ /dev/null @@ -1,74 +0,0 @@ -{ config, lib, pkgs, ... }: -let - cfg = config.services.fourStoreEndpoint; - endpointUser = "fourstorehttp"; - run = "${pkgs.su}/bin/su -s ${pkgs.runtimeShell} ${endpointUser} -c"; -in -with lib; -{ - - ###### interface - - options = { - - services.fourStoreEndpoint = { - - enable = mkOption { - default = false; - description = "Whether to enable 4Store SPARQL endpoint."; - }; - - database = mkOption { - default = config.services.fourStore.database; - description = "RDF database name to expose via the endpoint. Defaults to local 4Store database name."; - }; - - listenAddress = mkOption { - default = null; - description = "IP address to listen on."; - }; - - port = mkOption { - default = 8080; - description = "port to listen on."; - }; - - options = mkOption { - default = ""; - description = "Extra CLI options to pass to 4Store's 4s-httpd process."; - }; - - }; - - }; - - - ###### implementation - - config = mkIf cfg.enable { - - assertions = singleton - { assertion = cfg.enable -> cfg.database != ""; - message = "Must specify 4Store database name"; - }; - - users.users = singleton - { name = endpointUser; - uid = config.ids.uids.fourstorehttp; - description = "4Store SPARQL endpoint user"; - }; - - services.avahi.enable = true; - - systemd.services."4store-endpoint" = { - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - script = '' - ${run} '${pkgs.rdf4store}/bin/4s-httpd -D ${cfg.options} ${if cfg.listenAddress!=null then "-H ${cfg.listenAddress}" else "" } -p ${toString cfg.port} ${cfg.database}' - ''; - }; - - }; - -} diff --git a/nixpkgs/nixos/modules/services/databases/4store.nix b/nixpkgs/nixos/modules/services/databases/4store.nix deleted file mode 100644 index be4351c1c38f..000000000000 --- a/nixpkgs/nixos/modules/services/databases/4store.nix +++ /dev/null @@ -1,72 +0,0 @@ -{ config, lib, pkgs, ... }: -let - cfg = config.services.fourStore; - stateDir = "/var/lib/4store"; - fourStoreUser = "fourstore"; - run = "${pkgs.su}/bin/su -s ${pkgs.runtimeShell} ${fourStoreUser}"; -in -with lib; -{ - - ###### interface - - options = { - - services.fourStore = { - - enable = mkOption { - default = false; - description = "Whether to enable 4Store RDF database server."; - }; - - database = mkOption { - default = ""; - description = "RDF database name. If it doesn't exist, it will be created. Databases are stored in ${stateDir}."; - }; - - options = mkOption { - default = ""; - description = "Extra CLI options to pass to 4Store."; - }; - - }; - - }; - - - ###### implementation - - config = mkIf cfg.enable { - - assertions = singleton - { assertion = cfg.enable -> cfg.database != ""; - message = "Must specify 4Store database name."; - }; - - users.users = singleton - { name = fourStoreUser; - uid = config.ids.uids.fourstore; - description = "4Store database user"; - home = stateDir; - }; - - services.avahi.enable = true; - - systemd.services."4store" = { - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - preStart = '' - mkdir -p ${stateDir}/ - chown ${fourStoreUser} ${stateDir} - if ! test -e "${stateDir}/${cfg.database}"; then - ${run} -c '${pkgs.rdf4store}/bin/4s-backend-setup ${cfg.database}' - fi - ''; - - script = '' - ${run} -c '${pkgs.rdf4store}/bin/4s-backend -D ${cfg.options} ${cfg.database}' - ''; - }; - }; -} diff --git a/nixpkgs/nixos/modules/services/databases/cockroachdb.nix b/nixpkgs/nixos/modules/services/databases/cockroachdb.nix index 268fdcc819fd..b6f94a4881a0 100644 --- a/nixpkgs/nixos/modules/services/databases/cockroachdb.nix +++ b/nixpkgs/nixos/modules/services/databases/cockroachdb.nix @@ -171,17 +171,17 @@ in environment.systemPackages = [ crdb ]; - users.users = optionalAttrs (cfg.user == "cockroachdb") (singleton - { name = "cockroachdb"; + users.users = optionalAttrs (cfg.user == "cockroachdb") { + cockroachdb = { description = "CockroachDB Server User"; uid = config.ids.uids.cockroachdb; group = cfg.group; - }); + }; + }; - users.groups = optionalAttrs (cfg.group == "cockroachdb") (singleton - { name = "cockroachdb"; - gid = config.ids.gids.cockroachdb; - }); + users.groups = optionalAttrs (cfg.group == "cockroachdb") { + cockroachdb.gid = config.ids.gids.cockroachdb; + }; networking.firewall.allowedTCPPorts = lib.optionals cfg.openPorts [ cfg.http.port cfg.listen.port ]; diff --git a/nixpkgs/nixos/modules/services/databases/foundationdb.nix b/nixpkgs/nixos/modules/services/databases/foundationdb.nix index 8f8d0da7c8d3..18727acc7c75 100644 --- a/nixpkgs/nixos/modules/services/databases/foundationdb.nix +++ b/nixpkgs/nixos/modules/services/databases/foundationdb.nix @@ -341,17 +341,17 @@ in environment.systemPackages = [ pkg ]; - users.users = optionalAttrs (cfg.user == "foundationdb") (singleton - { name = "foundationdb"; + users.users = optionalAttrs (cfg.user == "foundationdb") { + foundationdb = { description = "FoundationDB User"; uid = config.ids.uids.foundationdb; group = cfg.group; - }); + }; + }; - users.groups = optionalAttrs (cfg.group == "foundationdb") (singleton - { name = "foundationdb"; - gid = config.ids.gids.foundationdb; - }); + users.groups = optionalAttrs (cfg.group == "foundationdb") { + foundationdb.gid = config.ids.gids.foundationdb; + }; networking.firewall.allowedTCPPortRanges = mkIf cfg.openFirewall [ { from = cfg.listenPortStart; diff --git a/nixpkgs/nixos/modules/services/databases/influxdb.nix b/nixpkgs/nixos/modules/services/databases/influxdb.nix index 2f176a038729..dd5d69b1147a 100644 --- a/nixpkgs/nixos/modules/services/databases/influxdb.nix +++ b/nixpkgs/nixos/modules/services/databases/influxdb.nix @@ -182,15 +182,15 @@ in ''; }; - users.users = optional (cfg.user == "influxdb") { - name = "influxdb"; - uid = config.ids.uids.influxdb; - description = "Influxdb daemon user"; + users.users = optionalAttrs (cfg.user == "influxdb") { + influxdb = { + uid = config.ids.uids.influxdb; + description = "Influxdb daemon user"; + }; }; - users.groups = optional (cfg.group == "influxdb") { - name = "influxdb"; - gid = config.ids.gids.influxdb; + users.groups = optionalAttrs (cfg.group == "influxdb") { + influxdb.gid = config.ids.gids.influxdb; }; }; diff --git a/nixpkgs/nixos/modules/services/databases/memcached.nix b/nixpkgs/nixos/modules/services/databases/memcached.nix index 84d2c8674f4e..89ff957babf5 100644 --- a/nixpkgs/nixos/modules/services/databases/memcached.nix +++ b/nixpkgs/nixos/modules/services/databases/memcached.nix @@ -64,9 +64,9 @@ in config = mkIf config.services.memcached.enable { - users.users = optional (cfg.user == "memcached") { - name = "memcached"; - description = "Memcached server user"; + users.users = optionalAttrs (cfg.user == "memcached") { + memcached.description = "Memcached server user"; + memcached.isSystemUser = true; }; environment.systemPackages = [ memcached ]; diff --git a/nixpkgs/nixos/modules/services/databases/mysql.nix b/nixpkgs/nixos/modules/services/databases/mysql.nix index df74cfc9a26b..8d520b82fb55 100644 --- a/nixpkgs/nixos/modules/services/databases/mysql.nix +++ b/nixpkgs/nixos/modules/services/databases/mysql.nix @@ -8,15 +8,11 @@ let mysql = cfg.package; - isMariaDB = - let - pName = _p: (builtins.parseDrvName (_p.name)).name; - in pName mysql == pName pkgs.mariadb; + isMariaDB = lib.getName mysql == lib.getName pkgs.mariadb; + isMysqlAtLeast57 = - let - pName = _p: (builtins.parseDrvName (_p.name)).name; - in (pName mysql == pName pkgs.mysql57) - && ((builtins.compareVersions mysql.version "5.7") >= 0); + (lib.getName mysql == lib.getName pkgs.mysql57) + && (builtins.compareVersions mysql.version "5.7" >= 0); mysqldOptions = "--user=${cfg.user} --datadir=${cfg.dataDir} --basedir=${mysql}"; @@ -28,6 +24,10 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "mysql" "pidDir" ] "Don't wait for pidfiles, describe dependencies through systemd") + (mkRemovedOptionModule [ "services" "mysql" "rootPassword" ] "Use socket authentication or set the password outside of the nix store.") + ]; ###### interface @@ -272,8 +272,13 @@ in port = ${toString cfg.port} datadir = ${cfg.dataDir} ${optionalString (cfg.bind != null) "bind-address = ${cfg.bind}" } - ${optionalString (cfg.replication.role == "master" || cfg.replication.role == "slave") "log-bin=mysql-bin"} - ${optionalString (cfg.replication.role == "master" || cfg.replication.role == "slave") "server-id = ${toString cfg.replication.serverId}"} + ${optionalString (cfg.replication.role == "master" || cfg.replication.role == "slave") + '' + log-bin=mysql-bin-${toString cfg.replication.serverId} + log-bin-index=mysql-bin-${toString cfg.replication.serverId}.index + relay-log=mysql-relay-bin + server-id = ${toString cfg.replication.serverId} + ''} ${optionalString (cfg.ensureUsers != []) '' plugin-load-add = auth_socket.so @@ -315,6 +320,8 @@ in Type = if hasNotify then "notify" else "simple"; RuntimeDirectory = "mysqld"; RuntimeDirectoryMode = "0755"; + Restart = "on-abort"; + RestartSec = "5s"; # The last two environment variables are used for starting Galera clusters ExecStart = "${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} $_WSREP_NEW_CLUSTER $_WSREP_START_POSITION"; ExecStartPost = @@ -381,6 +388,7 @@ in ( echo "stop slave;" echo "change master to master_host='${cfg.replication.masterHost}', master_user='${cfg.replication.masterUser}', master_password='${cfg.replication.masterPassword}';" + echo "set global slave_exec_mode='IDEMPOTENT';" echo "start slave;" ) | ${mysql}/bin/mysql -u root -N ''} diff --git a/nixpkgs/nixos/modules/services/databases/neo4j.nix b/nixpkgs/nixos/modules/services/databases/neo4j.nix index 5533182c3116..09b453e75845 100644 --- a/nixpkgs/nixos/modules/services/databases/neo4j.nix +++ b/nixpkgs/nixos/modules/services/databases/neo4j.nix @@ -103,6 +103,18 @@ let in { + imports = [ + (mkRenamedOptionModule [ "services" "neo4j" "host" ] [ "services" "neo4j" "defaultListenAddress" ]) + (mkRenamedOptionModule [ "services" "neo4j" "listenAddress" ] [ "services" "neo4j" "defaultListenAddress" ]) + (mkRenamedOptionModule [ "services" "neo4j" "enableBolt" ] [ "services" "neo4j" "bolt" "enable" ]) + (mkRenamedOptionModule [ "services" "neo4j" "enableHttps" ] [ "services" "neo4j" "https" "enable" ]) + (mkRenamedOptionModule [ "services" "neo4j" "certDir" ] [ "services" "neo4j" "directories" "certificates" ]) + (mkRenamedOptionModule [ "services" "neo4j" "dataDir" ] [ "services" "neo4j" "directories" "home" ]) + (mkRemovedOptionModule [ "services" "neo4j" "port" ] "Use services.neo4j.http.listenAddress instead.") + (mkRemovedOptionModule [ "services" "neo4j" "boltPort" ] "Use services.neo4j.bolt.listenAddress instead.") + (mkRemovedOptionModule [ "services" "neo4j" "httpsPort" ] "Use services.neo4j.https.listenAddress instead.") + ]; + ###### interface options.services.neo4j = { @@ -638,8 +650,7 @@ in { environment.systemPackages = [ cfg.package ]; - users.users = singleton { - name = "neo4j"; + users.users.neo4j = { uid = config.ids.uids.neo4j; description = "Neo4j daemon user"; home = cfg.directories.home; diff --git a/nixpkgs/nixos/modules/services/databases/postgresql.nix b/nixpkgs/nixos/modules/services/databases/postgresql.nix index 7bba4dacddcc..c8fdd89d0d8f 100644 --- a/nixpkgs/nixos/modules/services/databases/postgresql.nix +++ b/nixpkgs/nixos/modules/services/databases/postgresql.nix @@ -226,7 +226,8 @@ in # Note: when changing the default, make it conditional on # ‘system.stateVersion’ to maintain compatibility with existing # systems! - mkDefault (if versionAtLeast config.system.stateVersion "17.09" then pkgs.postgresql_9_6 + mkDefault (if versionAtLeast config.system.stateVersion "20.03" then pkgs.postgresql_11 + else if versionAtLeast config.system.stateVersion "17.09" then pkgs.postgresql_9_6 else if versionAtLeast config.system.stateVersion "16.03" then pkgs.postgresql_9_5 else throw "postgresql_9_4 was removed, please upgrade your postgresql version."); @@ -338,9 +339,9 @@ in '') cfg.ensureDatabases} '' + '' ${concatMapStrings (user: '' - $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc "CREATE USER ${user.name}" + $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc 'CREATE USER "${user.name}"' ${concatStringsSep "\n" (mapAttrsToList (database: permission: '' - $PSQL -tAc 'GRANT ${permission} ON ${database} TO ${user.name}' + $PSQL -tAc 'GRANT ${permission} ON ${database} TO "${user.name}"' '') user.ensurePermissions)} '') cfg.ensureUsers} ''; diff --git a/nixpkgs/nixos/modules/services/databases/redis.nix b/nixpkgs/nixos/modules/services/databases/redis.nix index 9c389d80a6df..70895fa53e45 100644 --- a/nixpkgs/nixos/modules/services/databases/redis.nix +++ b/nixpkgs/nixos/modules/services/databases/redis.nix @@ -32,6 +32,13 @@ let ''; in { + imports = [ + (mkRemovedOptionModule [ "services" "redis" "user" ] "The redis module now is hardcoded to the redis user.") + (mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.") + (mkRemovedOptionModule [ "services" "redis" "dbFilename" ] "The redis module now uses /var/lib/redis/dump.rdb as database dump location.") + (mkRemovedOptionModule [ "services" "redis" "appendOnlyFilename" ] "This option was never used.") + (mkRemovedOptionModule [ "services" "redis" "pidFile" ] "This option was removed.") + ]; ###### interface @@ -185,27 +192,22 @@ in ###### implementation config = mkIf config.services.redis.enable { - - boot.kernel.sysctl = mkIf cfg.vmOverCommit { - "vm.overcommit_memory" = "1"; - }; + boot.kernel.sysctl = (mkMerge [ + { "vm.nr_hugepages" = "0"; } + ( mkIf cfg.vmOverCommit { "vm.overcommit_memory" = "1"; } ) + ]); networking.firewall = mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.port ]; }; - users.users.redis.description = "Redis database user"; + users.users.redis = { + description = "Redis database user"; + isSystemUser = true; + }; environment.systemPackages = [ cfg.package ]; - systemd.services.disable-transparent-huge-pages = { - description = "Disable Transparent Huge Pages (required by Redis)"; - before = [ "redis.service" ]; - wantedBy = [ "redis.service" ]; - script = "echo never > /sys/kernel/mm/transparent_hugepage/enabled"; - serviceConfig.Type = "oneshot"; - }; - systemd.services.redis = { description = "Redis Server"; diff --git a/nixpkgs/nixos/modules/services/databases/rethinkdb.nix b/nixpkgs/nixos/modules/services/databases/rethinkdb.nix index 4828e594b328..f18fbaf5b062 100644 --- a/nixpkgs/nixos/modules/services/databases/rethinkdb.nix +++ b/nixpkgs/nixos/modules/services/databases/rethinkdb.nix @@ -99,6 +99,7 @@ in users.users.rethinkdb = mkIf (cfg.user == "rethinkdb") { name = "rethinkdb"; description = "RethinkDB server user"; + isSystemUser = true; }; users.groups = optionalAttrs (cfg.group == "rethinkdb") (singleton diff --git a/nixpkgs/nixos/modules/services/databases/virtuoso.nix b/nixpkgs/nixos/modules/services/databases/virtuoso.nix index 6ffc44a5274e..0cc027cb1d74 100644 --- a/nixpkgs/nixos/modules/services/databases/virtuoso.nix +++ b/nixpkgs/nixos/modules/services/databases/virtuoso.nix @@ -54,9 +54,8 @@ with lib; config = mkIf cfg.enable { - users.users = singleton - { name = virtuosoUser; - uid = config.ids.uids.virtuoso; + users.users.${virtuosoUser} = + { uid = config.ids.uids.virtuoso; description = "virtuoso user"; home = stateDir; }; diff --git a/nixpkgs/nixos/modules/services/desktops/geoclue2.nix b/nixpkgs/nixos/modules/services/desktops/geoclue2.nix index 6007dddf50c0..542b2ead4104 100644 --- a/nixpkgs/nixos/modules/services/desktops/geoclue2.nix +++ b/nixpkgs/nixos/modules/services/desktops/geoclue2.nix @@ -188,34 +188,41 @@ in systemd.packages = [ package ]; - users.users.geoclue = { - isSystemUser = true; - home = "/var/lib/geoclue"; - group = "geoclue"; - description = "Geoinformation service"; - }; - - users.groups.geoclue = {}; + # we cannot use DynamicUser as we need the the geoclue user to exist for the dbus policy to work + users = { + users.geoclue = { + isSystemUser = true; + home = "/var/lib/geoclue"; + group = "geoclue"; + description = "Geoinformation service"; + }; - systemd.tmpfiles.rules = [ - "d /var/lib/geoclue 0755 geoclue geoclue" - ]; + groups.geoclue = {}; + }; - # restart geoclue service when the configuration changes - systemd.services.geoclue.restartTriggers = [ - config.environment.etc."geoclue/geoclue.conf".source - ]; + systemd.services.geoclue = { + # restart geoclue service when the configuration changes + restartTriggers = [ + config.environment.etc."geoclue/geoclue.conf".source + ]; + serviceConfig.StateDirectory = "geoclue"; + }; # this needs to run as a user service, since it's associated with the # user who is making the requests systemd.user.services = mkIf cfg.enableDemoAgent { geoclue-agent = { description = "Geoclue agent"; - script = "${package}/libexec/geoclue-2.0/demos/agent"; # this should really be `partOf = [ "geoclue.service" ]`, but # we can't be part of a system service, and the agent should # be okay with the main service coming and going wantedBy = [ "default.target" ]; + serviceConfig = { + Type = "exec"; + ExecStart = "${package}/libexec/geoclue-2.0/demos/agent"; + Restart = "on-failure"; + PrivateTmp = true; + }; }; }; @@ -256,4 +263,6 @@ in }; } // mapAttrs' appConfigToINICompatible cfg.appConfig); }; + + meta.maintainers = with lib.maintainers; [ worldofpeace ]; } diff --git a/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-initial-setup.nix b/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-initial-setup.nix new file mode 100644 index 000000000000..d715d52c2d06 --- /dev/null +++ b/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-initial-setup.nix @@ -0,0 +1,86 @@ +# GNOME Initial Setup. + +{ config, pkgs, lib, ... }: + +with lib; + +let + + # GNOME initial setup's run is conditioned on whether + # the gnome-initial-setup-done file exists in XDG_CONFIG_HOME + # Because of this, every existing user will have initial setup + # running because they never ran it before. + # + # To prevent this we create the file if the users stateVersion + # is older than 20.03 (the release we added this module). + + script = pkgs.writeScript "create-gis-stamp-files" '' + #!${pkgs.runtimeShell} + setup_done=$HOME/.config/gnome-initial-setup-done + + echo "Creating g-i-s stamp file $setup_done ..." + cat - > $setup_done <<- EOF + yes + EOF + ''; + + createGisStampFilesAutostart = pkgs.writeTextFile rec { + name = "create-g-i-s-stamp-files"; + destination = "/etc/xdg/autostart/${name}.desktop"; + text = '' + [Desktop Entry] + Type=Application + Name=Create GNOME Initial Setup stamp files + Exec=${script} + StartupNotify=false + NoDisplay=true + OnlyShowIn=GNOME; + AutostartCondition=unless-exists gnome-initial-setup-done + X-GNOME-Autostart-Phase=EarlyInitialization + ''; + }; + +in + +{ + + ###### interface + + options = { + + services.gnome3.gnome-initial-setup = { + + enable = mkEnableOption "GNOME Initial Setup, a Simple, easy, and safe way to prepare a new system"; + + }; + + }; + + + ###### implementation + + config = mkIf config.services.gnome3.gnome-initial-setup.enable { + + environment.systemPackages = [ + pkgs.gnome3.gnome-initial-setup + ] + ++ optional (versionOlder config.system.stateVersion "20.03") createGisStampFilesAutostart + ; + + systemd.packages = [ + pkgs.gnome3.gnome-initial-setup + ]; + + systemd.user.targets."gnome-session".wants = [ + "gnome-initial-setup-copy-worker.service" + "gnome-initial-setup-first-login.service" + "gnome-welcome-tour.service" + ]; + + systemd.user.targets."gnome-session@gnome-initial-setup".wants = [ + "gnome-initial-setup.service" + ]; + + }; + +} diff --git a/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-settings-daemon.nix b/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-settings-daemon.nix index 7f7adcf26acf..2f83fd653bde 100644 --- a/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-settings-daemon.nix +++ b/nixpkgs/nixos/modules/services/desktops/gnome3/gnome-settings-daemon.nix @@ -12,6 +12,12 @@ in { + imports = [ + (mkRemovedOptionModule + ["services" "gnome3" "gnome-settings-daemon" "package"] + "") + ]; + ###### interface options = { @@ -20,13 +26,6 @@ in enable = mkEnableOption "GNOME Settings Daemon"; - # There are many forks of gnome-settings-daemon - package = mkOption { - type = types.package; - default = pkgs.gnome3.gnome-settings-daemon; - description = "Which gnome-settings-daemon package to use."; - }; - }; }; @@ -36,9 +35,39 @@ in config = mkIf cfg.enable { - environment.systemPackages = [ cfg.package ]; - - services.udev.packages = [ cfg.package ]; + environment.systemPackages = [ + pkgs.gnome3.gnome-settings-daemon + ]; + + services.udev.packages = [ + pkgs.gnome3.gnome-settings-daemon + ]; + + systemd.packages = [ + pkgs.gnome3.gnome-settings-daemon + ]; + + systemd.user.targets."gnome-session-initialized".wants = [ + "gsd-color.target" + "gsd-datetime.target" + "gsd-keyboard.target" + "gsd-media-keys.target" + "gsd-print-notifications.target" + "gsd-rfkill.target" + "gsd-screensaver-proxy.target" + "gsd-sharing.target" + "gsd-smartcard.target" + "gsd-sound.target" + "gsd-wacom.target" + "gsd-wwan.target" + "gsd-a11y-settings.target" + "gsd-housekeeping.target" + "gsd-power.target" + ]; + + systemd.user.targets."gnome-session-x11-services".wants = [ + "gsd-xsettings.target" + ]; }; diff --git a/nixpkgs/nixos/modules/services/desktops/neard.nix b/nixpkgs/nixos/modules/services/desktops/neard.nix new file mode 100644 index 000000000000..9b0f8d1b3a77 --- /dev/null +++ b/nixpkgs/nixos/modules/services/desktops/neard.nix @@ -0,0 +1,23 @@ +# neard service. +{ config, lib, pkgs, ... }: + +with lib; + +{ + ###### interface + options = { + services.neard = { + enable = mkEnableOption "neard, NFC daemon"; + }; + }; + + + ###### implementation + config = mkIf config.services.neard.enable { + environment.systemPackages = [ pkgs.neard ]; + + services.dbus.packages = [ pkgs.neard ]; + + systemd.packages = [ pkgs.neard ]; + }; +} diff --git a/nixpkgs/nixos/modules/services/desktops/pantheon/contractor.nix b/nixpkgs/nixos/modules/services/desktops/pantheon/contractor.nix index 2638a21df733..c76145191a70 100644 --- a/nixpkgs/nixos/modules/services/desktops/pantheon/contractor.nix +++ b/nixpkgs/nixos/modules/services/desktops/pantheon/contractor.nix @@ -6,35 +6,12 @@ with lib; { - meta.maintainers = pkgs.pantheon.maintainers; - - ###### interface - - options = { - - services.pantheon.contractor = { - - enable = mkEnableOption "contractor, a desktop-wide extension service used by pantheon"; - - }; - - }; - ###### implementation config = mkIf config.services.pantheon.contractor.enable { - environment.systemPackages = with pkgs.pantheon; [ - contractor - extra-elementary-contracts - ]; - - services.dbus.packages = [ pkgs.pantheon.contractor ]; - - environment.pathsToLink = [ - "/share/contractor" - ]; + }; diff --git a/nixpkgs/nixos/modules/services/desktops/pantheon/files.nix b/nixpkgs/nixos/modules/services/desktops/pantheon/files.nix index 577aad6c2987..8cee9f42b62f 100644 --- a/nixpkgs/nixos/modules/services/desktops/pantheon/files.nix +++ b/nixpkgs/nixos/modules/services/desktops/pantheon/files.nix @@ -6,33 +6,8 @@ with lib; { - meta.maintainers = pkgs.pantheon.maintainers; - - ###### interface - - options = { - - services.pantheon.files = { - - enable = mkEnableOption "pantheon files daemon"; - - }; - - }; - - - ###### implementation - - config = mkIf config.services.pantheon.files.enable { - - environment.systemPackages = [ - pkgs.pantheon.elementary-files - ]; - - services.dbus.packages = [ - pkgs.pantheon.elementary-files - ]; - - }; + imports = [ + (mkRemovedOptionModule [ "services" "pantheon" "files" "enable" ] "Use `environment.systemPackages [ pkgs.pantheon.elementary-files ];`") + ]; } diff --git a/nixpkgs/nixos/modules/services/desktops/system-config-printer.nix b/nixpkgs/nixos/modules/services/desktops/system-config-printer.nix index 8a80be266b20..09c68c587b43 100644 --- a/nixpkgs/nixos/modules/services/desktops/system-config-printer.nix +++ b/nixpkgs/nixos/modules/services/desktops/system-config-printer.nix @@ -33,6 +33,9 @@ with lib; pkgs.system-config-printer ]; + # for $out/bin/install-printer-driver + services.packagekit.enable = true; + }; } diff --git a/nixpkgs/nixos/modules/services/desktops/tumbler.nix b/nixpkgs/nixos/modules/services/desktops/tumbler.nix index d18088d4634b..a833e99ff8c6 100644 --- a/nixpkgs/nixos/modules/services/desktops/tumbler.nix +++ b/nixpkgs/nixos/modules/services/desktops/tumbler.nix @@ -7,12 +7,17 @@ with lib; let cfg = config.services.tumbler; - tumbler = cfg.package; in { + imports = [ + (mkRemovedOptionModule + [ "services" "tumbler" "package" ] + "") + ]; + ###### interface options = { @@ -21,13 +26,6 @@ in enable = mkEnableOption "Tumbler, A D-Bus thumbnailer service"; - package = mkOption { - type = types.package; - default = pkgs.xfce4-14.tumbler; - description = "Which tumbler package to use"; - example = pkgs.xfce4-12.tumbler; - }; - }; }; @@ -37,11 +35,11 @@ in config = mkIf cfg.enable { - environment.systemPackages = [ + environment.systemPackages = with pkgs.xfce; [ tumbler ]; - services.dbus.packages = [ + services.dbus.packages = with pkgs.xfce; [ tumbler ]; diff --git a/nixpkgs/nixos/modules/services/development/lorri.nix b/nixpkgs/nixos/modules/services/development/lorri.nix new file mode 100644 index 000000000000..c843aa56d133 --- /dev/null +++ b/nixpkgs/nixos/modules/services/development/lorri.nix @@ -0,0 +1,47 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.lorri; + socketPath = "lorri/daemon.socket"; +in { + options = { + services.lorri = { + enable = lib.mkOption { + default = false; + type = lib.types.bool; + description = '' + Enables the daemon for `lorri`, a nix-shell replacement for project + development. The socket-activated daemon starts on the first request + issued by the `lorri` command. + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.user.sockets.lorri = { + description = "Socket for Lorri Daemon"; + wantedBy = [ "sockets.target" ]; + socketConfig = { + ListenStream = "%t/${socketPath}"; + RuntimeDirectory = "lorri"; + }; + }; + + systemd.user.services.lorri = { + description = "Lorri Daemon"; + requires = [ "lorri.socket" ]; + after = [ "lorri.socket" ]; + path = with pkgs; [ config.nix.package git gnutar gzip ]; + serviceConfig = { + ExecStart = "${pkgs.lorri}/bin/lorri daemon"; + PrivateTmp = true; + ProtectSystem = "strict"; + ProtectHome = "read-only"; + Restart = "on-failure"; + }; + }; + + environment.systemPackages = [ pkgs.lorri ]; + }; +} diff --git a/nixpkgs/nixos/modules/services/editors/infinoted.nix b/nixpkgs/nixos/modules/services/editors/infinoted.nix index 9cc8d421270e..8b997ccbf66e 100644 --- a/nixpkgs/nixos/modules/services/editors/infinoted.nix +++ b/nixpkgs/nixos/modules/services/editors/infinoted.nix @@ -111,13 +111,15 @@ in { }; config = mkIf (cfg.enable) { - users.users = optional (cfg.user == "infinoted") - { name = "infinoted"; - description = "Infinoted user"; - group = cfg.group; + users.users = optionalAttrs (cfg.user == "infinoted") + { infinoted = { + description = "Infinoted user"; + group = cfg.group; + isSystemUser = true; + }; }; - users.groups = optional (cfg.group == "infinoted") - { name = "infinoted"; + users.groups = optionalAttrs (cfg.group == "infinoted") + { infinoted = { }; }; systemd.services.infinoted = diff --git a/nixpkgs/nixos/modules/services/games/openarena.nix b/nixpkgs/nixos/modules/services/games/openarena.nix new file mode 100644 index 000000000000..8c014d78809b --- /dev/null +++ b/nixpkgs/nixos/modules/services/games/openarena.nix @@ -0,0 +1,56 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.openarena; +in +{ + options = { + services.openarena = { + enable = mkEnableOption "OpenArena"; + + openPorts = mkOption { + type = types.bool; + default = false; + description = "Whether to open firewall ports for OpenArena"; + }; + + extraFlags = mkOption { + type = types.listOf types.str; + default = []; + description = ''Extra flags to pass to <command>oa_ded</command>''; + example = [ + "+set dedicated 2" + "+set sv_hostname 'My NixOS OpenArena Server'" + # Load a map. Mandatory for clients to be able to connect. + "+map oa_dm1" + ]; + }; + }; + }; + + config = mkIf cfg.enable { + networking.firewall = mkIf cfg.openPorts { + allowedUDPPorts = [ 27960 ]; + }; + + systemd.services.openarena = { + description = "OpenArena"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + DynamicUser = true; + StateDirectory = "openarena"; + ExecStart = "${pkgs.openarena}/bin/oa_ded +set fs_basepath ${pkgs.openarena}/openarena-0.8.8 +set fs_homepath /var/lib/openarena ${concatStringsSep " " cfg.extraFlags}"; + Restart = "on-failure"; + + # Hardening + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + PrivateDevices = true; + }; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/hardware/bluetooth.nix b/nixpkgs/nixos/modules/services/hardware/bluetooth.nix index c5f9d1f9b725..dfa39e7f6024 100644 --- a/nixpkgs/nixos/modules/services/hardware/bluetooth.nix +++ b/nixpkgs/nixos/modules/services/hardware/bluetooth.nix @@ -36,17 +36,25 @@ in { ''; }; + config = mkOption { + type = with types; attrsOf (attrsOf (oneOf [ bool int str ])); + example = { + General = { + ControllerMode = "bredr"; + }; + }; + description = "Set configuration for system-wide bluetooth (/etc/bluetooth/main.conf)."; + }; + extraConfig = mkOption { - type = types.lines; - default = ""; + type = with types; nullOr lines; + default = null; example = '' [General] ControllerMode = bredr ''; description = '' Set additional configuration for system-wide bluetooth (/etc/bluetooth/main.conf). - - NOTE: We already include [Policy], so any configuration under the Policy group should come first. ''; }; }; @@ -56,17 +64,19 @@ in { ###### implementation config = mkIf cfg.enable { + warnings = optional (cfg.extraConfig != null) "hardware.bluetooth.`extraConfig` is deprecated, please use hardware.bluetooth.`config`."; - environment.systemPackages = [ bluez-bluetooth pkgs.openobex pkgs.obexftp ]; + hardware.bluetooth.config = { + Policy = { + AutoEnable = mkDefault cfg.powerOnBoot; + }; + }; - environment.etc = singleton { - source = pkgs.writeText "main.conf" '' - [Policy] - AutoEnable=${lib.boolToString cfg.powerOnBoot} + environment.systemPackages = [ bluez-bluetooth ]; - ${cfg.extraConfig} - ''; - target = "bluetooth/main.conf"; + environment.etc."bluetooth/main.conf"= { + source = pkgs.writeText "main.conf" + (generators.toINI { } cfg.config + optionalString (cfg.extraConfig != null) cfg.extraConfig); }; services.udev.packages = [ bluez-bluetooth ]; diff --git a/nixpkgs/nixos/modules/services/hardware/fancontrol.nix b/nixpkgs/nixos/modules/services/hardware/fancontrol.nix new file mode 100644 index 000000000000..bb4541a784da --- /dev/null +++ b/nixpkgs/nixos/modules/services/hardware/fancontrol.nix @@ -0,0 +1,45 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.hardware.fancontrol; + configFile = pkgs.writeText "fancontrol.conf" cfg.config; + +in{ + options.hardware.fancontrol = { + enable = mkEnableOption "software fan control (requires fancontrol.config)"; + + config = mkOption { + default = null; + type = types.lines; + description = "Fancontrol configuration file content. See <citerefentry><refentrytitle>pwmconfig</refentrytitle><manvolnum>8</manvolnum></citerefentry> from the lm_sensors package."; + example = '' + # Configuration file generated by pwmconfig + INTERVAL=10 + DEVPATH=hwmon3=devices/virtual/thermal/thermal_zone2 hwmon4=devices/platform/f71882fg.656 + DEVNAME=hwmon3=soc_dts1 hwmon4=f71869a + FCTEMPS=hwmon4/device/pwm1=hwmon3/temp1_input + FCFANS= hwmon4/device/pwm1=hwmon4/device/fan1_input + MINTEMP=hwmon4/device/pwm1=35 + MAXTEMP=hwmon4/device/pwm1=65 + MINSTART=hwmon4/device/pwm1=150 + MINSTOP=hwmon4/device/pwm1=0 + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.fancontrol = { + unitConfig.Documentation = "man:fancontrol(8)"; + description = "software fan control"; + wantedBy = [ "multi-user.target" ]; + after = [ "lm_sensors.service" ]; + + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.lm_sensors}/sbin/fancontrol ${configFile}"; + }; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/hardware/fwupd.nix b/nixpkgs/nixos/modules/services/hardware/fwupd.nix index 6c341bcbf240..51877970a8bc 100644 --- a/nixpkgs/nixos/modules/services/hardware/fwupd.nix +++ b/nixpkgs/nixos/modules/services/hardware/fwupd.nix @@ -74,7 +74,7 @@ in { default = false; description = '' Whether to enable test remote. This is used by - <link xlink:href="https://github.com/hughsie/fwupd/blob/master/data/installed-tests/README.md">installed tests</link>. + <link xlink:href="https://github.com/fwupd/fwupd/blob/master/data/installed-tests/README.md">installed tests</link>. ''; }; @@ -115,10 +115,6 @@ in { services.udev.packages = [ cfg.package ]; systemd.packages = [ cfg.package ]; - - systemd.tmpfiles.rules = [ - "d /var/lib/fwupd 0755 root root -" - ]; }; meta = { diff --git a/nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix b/nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix index f6ed4e25e9cb..6f49a1ab6d40 100644 --- a/nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix +++ b/nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix @@ -67,11 +67,11 @@ in { options = { - hardware.sane.brscan4.enable = + hardware.sane.brscan4.enable = mkEnableOption "Brother's brscan4 scan backend" // { description = '' When enabled, will automatically register the "brscan4" sane - backend and bring configuration files to their expected location. + backend and bring configuration files to their expected location. ''; }; @@ -95,14 +95,11 @@ in pkgs.brscan4 ]; - environment.etc = singleton { - target = "opt/brother/scanner/brscan4"; - source = "${etcFiles}/etc/opt/brother/scanner/brscan4"; - }; + environment.etc."opt/brother/scanner/brscan4" = + { source = "${etcFiles}/etc/opt/brother/scanner/brscan4"; }; assertions = [ { assertion = all (x: !(null != x.ip && null != x.nodename)) netDeviceList; - message = '' When describing a network device as part of the attribute list `hardware.sane.brscan4.netDevices`, only one of its `ip` or `nodename` diff --git a/nixpkgs/nixos/modules/services/hardware/tcsd.nix b/nixpkgs/nixos/modules/services/hardware/tcsd.nix index 3876280ee6bc..68cb5d791aa3 100644 --- a/nixpkgs/nixos/modules/services/hardware/tcsd.nix +++ b/nixpkgs/nixos/modules/services/hardware/tcsd.nix @@ -137,15 +137,15 @@ in serviceConfig.ExecStart = "${pkgs.trousers}/sbin/tcsd -f -c ${tcsdConf}"; }; - users.users = optionalAttrs (cfg.user == "tss") (singleton - { name = "tss"; + users.users = optionalAttrs (cfg.user == "tss") { + tss = { group = "tss"; uid = config.ids.uids.tss; - }); + }; + }; - users.groups = optionalAttrs (cfg.group == "tss") (singleton - { name = "tss"; - gid = config.ids.gids.tss; - }); + users.groups = optionalAttrs (cfg.group == "tss") { + tss.gid = config.ids.gids.tss; + }; }; } diff --git a/nixpkgs/nixos/modules/services/hardware/tlp.nix b/nixpkgs/nixos/modules/services/hardware/tlp.nix index 4f8af7978286..955a60677997 100644 --- a/nixpkgs/nixos/modules/services/hardware/tlp.nix +++ b/nixpkgs/nixos/modules/services/hardware/tlp.nix @@ -37,7 +37,7 @@ in enable = mkOption { type = types.bool; default = false; - description = "Whether to enable the TLP daemon."; + description = "Whether to enable the TLP power management daemon."; }; extraConfig = mkOption { @@ -103,13 +103,14 @@ in services.udev.packages = [ tlp ]; - environment.etc = [{ source = confFile; - target = "default/tlp"; - } - ] ++ optional enableRDW { - source = "${tlp}/etc/NetworkManager/dispatcher.d/99tlp-rdw-nm"; - target = "NetworkManager/dispatcher.d/99tlp-rdw-nm"; - }; + environment.etc = + { + "default/tlp".source = confFile; + } // optionalAttrs enableRDW { + "NetworkManager/dispatcher.d/99tlp-rdw-nm" = { + source = "${tlp}/etc/NetworkManager/dispatcher.d/99tlp-rdw-nm"; + }; + }; environment.systemPackages = [ tlp ]; diff --git a/nixpkgs/nixos/modules/services/hardware/trezord.nix b/nixpkgs/nixos/modules/services/hardware/trezord.nix index 62824ed7350a..c517e9fbb2bd 100644 --- a/nixpkgs/nixos/modules/services/hardware/trezord.nix +++ b/nixpkgs/nixos/modules/services/hardware/trezord.nix @@ -44,20 +44,7 @@ in { ### implementation config = mkIf cfg.enable { - services.udev.packages = lib.singleton (pkgs.writeTextFile { - name = "trezord-udev-rules"; - destination = "/etc/udev/rules.d/51-trezor.rules"; - text = '' - # TREZOR v1 (One) - SUBSYSTEM=="usb", ATTR{idVendor}=="534c", ATTR{idProduct}=="0001", MODE="0660", GROUP="trezord", TAG+="uaccess", SYMLINK+="trezor%n" - KERNEL=="hidraw*", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", MODE="0660", GROUP="trezord", TAG+="uaccess" - - # TREZOR v2 (T) - SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c0", MODE="0660", GROUP="trezord", TAG+="uaccess", SYMLINK+="trezor%n" - SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c1", MODE="0660", GROUP="trezord", TAG+="uaccess", SYMLINK+="trezor%n" - KERNEL=="hidraw*", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="53c1", MODE="0660", GROUP="trezord", TAG+="uaccess" - ''; - }); + services.udev.packages = [ pkgs.trezor-udev-rules ]; systemd.services.trezord = { description = "TREZOR Bridge"; @@ -74,6 +61,7 @@ in { users.users.trezord = { group = "trezord"; description = "Trezor bridge daemon user"; + isSystemUser = true; }; users.groups.trezord = {}; diff --git a/nixpkgs/nixos/modules/services/hardware/udev.nix b/nixpkgs/nixos/modules/services/hardware/udev.nix index 83ab93bd7cfc..168056a475e5 100644 --- a/nixpkgs/nixos/modules/services/hardware/udev.nix +++ b/nixpkgs/nixos/modules/services/hardware/udev.nix @@ -221,8 +221,8 @@ in type = types.lines; description = '' Additional <command>hwdb</command> files. They'll be written - into file <filename>10-local.hwdb</filename>. Thus they are - read before all other files. + into file <filename>99-local.hwdb</filename>. Thus they are + read after all other files. ''; }; @@ -281,13 +281,10 @@ in boot.kernelParams = mkIf (!config.networking.usePredictableInterfaceNames) [ "net.ifnames=0" ]; environment.etc = - [ { source = udevRules; - target = "udev/rules.d"; - } - { source = hwdbBin; - target = "udev/hwdb.bin"; - } - ]; + { + "udev/rules.d".source = udevRules; + "udev/hwdb.bin".source = hwdbBin; + }; system.requiredKernelConfig = with config.lib.kernelConfig; [ (isEnabled "UNIX") diff --git a/nixpkgs/nixos/modules/services/hardware/udisks2.nix b/nixpkgs/nixos/modules/services/hardware/udisks2.nix index ed8703be921c..e898f3260585 100644 --- a/nixpkgs/nixos/modules/services/hardware/udisks2.nix +++ b/nixpkgs/nixos/modules/services/hardware/udisks2.nix @@ -34,10 +34,7 @@ with lib; services.dbus.packages = [ pkgs.udisks2 ]; - system.activationScripts.udisks2 = - '' - mkdir -m 0755 -p /var/lib/udisks2 - ''; + systemd.tmpfiles.rules = [ "d /var/lib/udisks2 0755 root root -" ]; services.udev.packages = [ pkgs.udisks2 ]; diff --git a/nixpkgs/nixos/modules/services/hardware/upower.nix b/nixpkgs/nixos/modules/services/hardware/upower.nix index 5e7ac7a6e659..449810b53150 100644 --- a/nixpkgs/nixos/modules/services/hardware/upower.nix +++ b/nixpkgs/nixos/modules/services/hardware/upower.nix @@ -37,6 +37,172 @@ in ''; }; + enableWattsUpPro = mkOption { + type = types.bool; + default = false; + description = '' + Enable the Watts Up Pro device. + + The Watts Up Pro contains a generic FTDI USB device without a specific + vendor and product ID. When we probe for WUP devices, we can cause + the user to get a perplexing "Device or resource busy" error when + attempting to use their non-WUP device. + + The generic FTDI device is known to also be used on: + + <itemizedlist> + <listitem><para>Sparkfun FT232 breakout board</para></listitem> + <listitem><para>Parallax Propeller</para></listitem> + </itemizedlist> + ''; + }; + + noPollBatteries = mkOption { + type = types.bool; + default = false; + description = '' + Don't poll the kernel for battery level changes. + + Some hardware will send us battery level changes through + events, rather than us having to poll for it. This option + allows disabling polling for hardware that sends out events. + ''; + }; + + ignoreLid = mkOption { + type = types.bool; + default = false; + description = '' + Do we ignore the lid state + + Some laptops are broken. The lid state is either inverted, or stuck + on or off. We can't do much to fix these problems, but this is a way + for users to make the laptop panel vanish, a state that might be used + by a couple of user-space daemons. On Linux systems, see also + logind.conf(5). + ''; + }; + + usePercentageForPolicy = mkOption { + type = types.bool; + default = true; + description = '' + Policy for warnings and action based on battery levels + + Whether battery percentage based policy should be used. The default + is to use the percentage, which + should work around broken firmwares. It is also more reliable than + the time left (frantically saving all your files is going to use more + battery than letting it rest for example). + ''; + }; + + percentageLow = mkOption { + type = types.ints.unsigned; + default = 10; + description = '' + When <literal>usePercentageForPolicy</literal> is + <literal>true</literal>, the levels at which UPower will consider the + battery low. + + This will also be used for batteries which don't have time information + such as that of peripherals. + + If any value (of <literal>percentageLow</literal>, + <literal>percentageCritical</literal> and + <literal>percentageAction</literal>) is invalid, or not in descending + order, the defaults will be used. + ''; + }; + + percentageCritical = mkOption { + type = types.ints.unsigned; + default = 3; + description = '' + When <literal>usePercentageForPolicy</literal> is + <literal>true</literal>, the levels at which UPower will consider the + battery critical. + + This will also be used for batteries which don't have time information + such as that of peripherals. + + If any value (of <literal>percentageLow</literal>, + <literal>percentageCritical</literal> and + <literal>percentageAction</literal>) is invalid, or not in descending + order, the defaults will be used. + ''; + }; + + percentageAction = mkOption { + type = types.ints.unsigned; + default = 2; + description = '' + When <literal>usePercentageForPolicy</literal> is + <literal>true</literal>, the levels at which UPower will take action + for the critical battery level. + + This will also be used for batteries which don't have time information + such as that of peripherals. + + If any value (of <literal>percentageLow</literal>, + <literal>percentageCritical</literal> and + <literal>percentageAction</literal>) is invalid, or not in descending + order, the defaults will be used. + ''; + }; + + timeLow = mkOption { + type = types.ints.unsigned; + default = 1200; + description = '' + When <literal>usePercentageForPolicy</literal> is + <literal>false</literal>, the time remaining at which UPower will + consider the battery low. + + If any value (of <literal>timeLow</literal>, + <literal>timeCritical</literal> and <literal>timeAction</literal>) is + invalid, or not in descending order, the defaults will be used. + ''; + }; + + timeCritical = mkOption { + type = types.ints.unsigned; + default = 300; + description = '' + When <literal>usePercentageForPolicy</literal> is + <literal>false</literal>, the time remaining at which UPower will + consider the battery critical. + + If any value (of <literal>timeLow</literal>, + <literal>timeCritical</literal> and <literal>timeAction</literal>) is + invalid, or not in descending order, the defaults will be used. + ''; + }; + + timeAction = mkOption { + type = types.ints.unsigned; + default = 120; + description = '' + When <literal>usePercentageForPolicy</literal> is + <literal>false</literal>, the time remaining at which UPower will + take action for the critical battery level. + + If any value (of <literal>timeLow</literal>, + <literal>timeCritical</literal> and <literal>timeAction</literal>) is + invalid, or not in descending order, the defaults will be used. + ''; + }; + + criticalPowerAction = mkOption { + type = types.enum [ "PowerOff" "Hibernate" "HybridSleep" ]; + default = "HybridSleep"; + description = '' + The action to take when <literal>timeAction</literal> or + <literal>percentageAction</literal> has been reached for the batteries + (UPS or laptop batteries) supplying the computer + ''; + }; + }; }; @@ -54,6 +220,21 @@ in systemd.packages = [ cfg.package ]; + environment.etc."UPower/UPower.conf".text = generators.toINI {} { + UPower = { + EnableWattsUpPro = cfg.enableWattsUpPro; + NoPollBatteries = cfg.noPollBatteries; + IgnoreLid = cfg.ignoreLid; + UsePercentageForPolicy = cfg.usePercentageForPolicy; + PercentageLow = cfg.percentageLow; + PercentageCritical = cfg.percentageCritical; + PercentageAction = cfg.percentageAction; + TimeLow = cfg.timeLow; + TimeCritical = cfg.timeCritical; + TimeAction = cfg.timeAction; + CriticalPowerAction = cfg.criticalPowerAction; + }; + }; }; } diff --git a/nixpkgs/nixos/modules/services/hardware/usbmuxd.nix b/nixpkgs/nixos/modules/services/hardware/usbmuxd.nix index 93ced0b9f04d..50b931dcb487 100644 --- a/nixpkgs/nixos/modules/services/hardware/usbmuxd.nix +++ b/nixpkgs/nixos/modules/services/hardware/usbmuxd.nix @@ -43,14 +43,16 @@ in config = mkIf cfg.enable { - users.users = optional (cfg.user == defaultUserGroup) { - name = cfg.user; - description = "usbmuxd user"; - group = cfg.group; + users.users = optionalAttrs (cfg.user == defaultUserGroup) { + ${cfg.user} = { + description = "usbmuxd user"; + group = cfg.group; + isSystemUser = true; + }; }; users.groups = optional (cfg.group == defaultUserGroup) { - name = cfg.group; + ${cfg.group} = { }; }; # Give usbmuxd permission for Apple devices diff --git a/nixpkgs/nixos/modules/services/hardware/vdr.nix b/nixpkgs/nixos/modules/services/hardware/vdr.nix index 6e246f70f515..8a6cde51b06f 100644 --- a/nixpkgs/nixos/modules/services/hardware/vdr.nix +++ b/nixpkgs/nixos/modules/services/hardware/vdr.nix @@ -66,6 +66,7 @@ in { users.users.vdr = { group = "vdr"; home = libDir; + isSystemUser = true; }; users.groups.vdr = {}; diff --git a/nixpkgs/nixos/modules/services/logging/awstats.nix b/nixpkgs/nixos/modules/services/logging/awstats.nix index a92ff3bee490..5939d7808f7f 100644 --- a/nixpkgs/nixos/modules/services/logging/awstats.nix +++ b/nixpkgs/nixos/modules/services/logging/awstats.nix @@ -4,31 +4,117 @@ with lib; let cfg = config.services.awstats; - httpd = config.services.httpd; package = pkgs.awstats; -in + configOpts = {name, config, ...}: { + options = { + type = mkOption{ + type = types.enum [ "mail" "web" ]; + default = "web"; + example = "mail"; + description = '' + The type of log being collected. + ''; + }; + domain = mkOption { + type = types.str; + default = name; + description = "The domain name to collect stats for."; + example = "example.com"; + }; + + logFile = mkOption { + type = types.str; + example = "/var/spool/nginx/logs/access.log"; + description = '' + The log file to be scanned. + For mail, set this to + <literal> + journalctl $OLD_CURSOR -u postfix.service | ''${pkgs.perl}/bin/perl ''${pkgs.awstats.out}/share/awstats/tools/maillogconvert.pl standard | + </literal> + ''; + }; + + logFormat = mkOption { + type = types.str; + default = "1"; + description = '' + The log format being used. + + For mail, set this to + <literal> + %time2 %email %email_r %host %host_r %method %url %code %bytesd + </literal> + ''; + }; + + hostAliases = mkOption { + type = types.listOf types.str; + default = []; + example = "[ \"www.example.org\" ]"; + description = '' + List of aliases the site has. + ''; + }; + + extraConfig = mkOption { + type = types.attrsOf types.str; + default = {}; + example = literalExample '' + { + "ValidHTTPCodes" = "404"; + } + ''; + description = "Extra configuration to be appendend to awstats.\${name}.conf."; + }; + + webService = { + enable = mkEnableOption "awstats web service"; + + hostname = mkOption { + type = types.str; + default = config.domain; + description = "The hostname the web service appears under."; + }; + + urlPrefix = mkOption { + type = types.str; + default = "/awstats"; + description = "The URL prefix under which the awstats pages appear."; + }; + }; + }; + }; + webServices = filterAttrs (name: value: value.webService.enable) cfg.configs; +in { + imports = [ + (mkRemovedOptionModule [ "services" "awstats" "service" "enable" ] "Please enable per domain with `services.awstats.configs.<name>.webService.enable`") + (mkRemovedOptionModule [ "services" "awstats" "service" "urlPrefix" ] "Please set per domain with `services.awstats.configs.<name>.webService.urlPrefix`") + (mkRenamedOptionModule [ "services" "awstats" "vardir" ] [ "services" "awstats" "dataDir" ]) + ]; + options.services.awstats = { - enable = mkOption { - type = types.bool; - default = cfg.service.enable; - description = '' - Enable the awstats program (but not service). - Currently only simple httpd (Apache) configs are supported, - and awstats plugins may not work correctly. - ''; - }; - vardir = mkOption { + enable = mkEnableOption "awstats"; + + dataDir = mkOption { type = types.path; default = "/var/lib/awstats"; - description = "The directory where variable awstats data will be stored."; + description = "The directory where awstats data will be stored."; }; - extraConfig = mkOption { - type = types.lines; - default = ""; - description = "Extra configuration to be appendend to awstats.conf."; + configs = mkOption { + type = types.attrsOf (types.submodule configOpts); + default = {}; + example = literalExample '' + { + "mysite" = { + domain = "example.com"; + logFile = "/var/spool/nginx/logs/access.log"; + }; + } + ''; + description = "Attribute set of domains to collect stats for."; }; updateAt = mkOption { @@ -42,75 +128,129 @@ in <manvolnum>7</manvolnum></citerefentry>) ''; }; - - service = { - enable = mkOption { - type = types.bool; - default = false; - description = ''Enable the awstats web service. This switches on httpd.''; - }; - urlPrefix = mkOption { - type = types.str; - default = "/awstats"; - description = "The URL prefix under which the awstats service appears."; - }; - }; }; config = mkIf cfg.enable { environment.systemPackages = [ package.bin ]; - /* TODO: - - heed config.services.httpd.logPerVirtualHost, etc. - - Can't AllowToUpdateStatsFromBrowser, as CGI scripts don't have permission - to read the logs, and our httpd config apparently doesn't an option for that. - */ - environment.etc."awstats/awstats.conf".source = pkgs.runCommand "awstats.conf" + + environment.etc = mapAttrs' (name: opts: + nameValuePair "awstats/awstats.${name}.conf" { + source = pkgs.runCommand "awstats.${name}.conf" { preferLocalBuild = true; } - ( let - logFormat = - if httpd.logFormat == "combined" then "1" else - if httpd.logFormat == "common" then "4" else - throw "awstats service doesn't support Apache log format `${httpd.logFormat}`"; - in - '' - sed \ - -e 's|^\(DirData\)=.*$|\1="${cfg.vardir}"|' \ - -e 's|^\(DirIcons\)=.*$|\1="icons"|' \ - -e 's|^\(CreateDirDataIfNotExists\)=.*$|\1=1|' \ - -e 's|^\(SiteDomain\)=.*$|\1="${httpd.hostName}"|' \ - -e 's|^\(LogFile\)=.*$|\1="${httpd.logDir}/access_log"|' \ - -e 's|^\(LogFormat\)=.*$|\1=${logFormat}|' \ - < '${package.out}/wwwroot/cgi-bin/awstats.model.conf' > "$out" - echo '${cfg.extraConfig}' >> "$out" - ''); - - systemd.tmpfiles.rules = optionals cfg.service.enable [ - "d '${cfg.vardir}' - ${httpd.user} ${httpd.group} - -" - "Z '${cfg.vardir}' - ${httpd.user} ${httpd.group} - -" - ]; - - # The httpd sub-service showing awstats. - services.httpd = optionalAttrs cfg.service.enable { - enable = true; - extraConfig = '' - Alias ${cfg.service.urlPrefix}/classes "${package.out}/wwwroot/classes/" - Alias ${cfg.service.urlPrefix}/css "${package.out}/wwwroot/css/" - Alias ${cfg.service.urlPrefix}/icons "${package.out}/wwwroot/icon/" - ScriptAlias ${cfg.service.urlPrefix}/ "${package.out}/wwwroot/cgi-bin/" - - <Directory "${package.out}/wwwroot"> - Options None - Require all granted - </Directory> - ''; - }; + ('' + sed \ + '' + # set up mail stats + + optionalString (opts.type == "mail") + '' + -e 's|^\(LogType\)=.*$|\1=M|' \ + -e 's|^\(LevelForBrowsersDetection\)=.*$|\1=0|' \ + -e 's|^\(LevelForOSDetection\)=.*$|\1=0|' \ + -e 's|^\(LevelForRefererAnalyze\)=.*$|\1=0|' \ + -e 's|^\(LevelForRobotsDetection\)=.*$|\1=0|' \ + -e 's|^\(LevelForSearchEnginesDetection\)=.*$|\1=0|' \ + -e 's|^\(LevelForFileTypesDetection\)=.*$|\1=0|' \ + -e 's|^\(LevelForWormsDetection\)=.*$|\1=0|' \ + -e 's|^\(ShowMenu\)=.*$|\1=1|' \ + -e 's|^\(ShowSummary\)=.*$|\1=HB|' \ + -e 's|^\(ShowMonthStats\)=.*$|\1=HB|' \ + -e 's|^\(ShowDaysOfMonthStats\)=.*$|\1=HB|' \ + -e 's|^\(ShowDaysOfWeekStats\)=.*$|\1=HB|' \ + -e 's|^\(ShowHoursStats\)=.*$|\1=HB|' \ + -e 's|^\(ShowDomainsStats\)=.*$|\1=0|' \ + -e 's|^\(ShowHostsStats\)=.*$|\1=HB|' \ + -e 's|^\(ShowAuthenticatedUsers\)=.*$|\1=0|' \ + -e 's|^\(ShowRobotsStats\)=.*$|\1=0|' \ + -e 's|^\(ShowEMailSenders\)=.*$|\1=HBML|' \ + -e 's|^\(ShowEMailReceivers\)=.*$|\1=HBML|' \ + -e 's|^\(ShowSessionsStats\)=.*$|\1=0|' \ + -e 's|^\(ShowPagesStats\)=.*$|\1=0|' \ + -e 's|^\(ShowFileTypesStats\)=.*$|\1=0|' \ + -e 's|^\(ShowFileSizesStats\)=.*$|\1=0|' \ + -e 's|^\(ShowBrowsersStats\)=.*$|\1=0|' \ + -e 's|^\(ShowOSStats\)=.*$|\1=0|' \ + -e 's|^\(ShowOriginStats\)=.*$|\1=0|' \ + -e 's|^\(ShowKeyphrasesStats\)=.*$|\1=0|' \ + -e 's|^\(ShowKeywordsStats\)=.*$|\1=0|' \ + -e 's|^\(ShowMiscStats\)=.*$|\1=0|' \ + -e 's|^\(ShowHTTPErrorsStats\)=.*$|\1=0|' \ + -e 's|^\(ShowSMTPErrorsStats\)=.*$|\1=1|' \ + '' + + + # common options + '' + -e 's|^\(DirData\)=.*$|\1="${cfg.dataDir}/${name}"|' \ + -e 's|^\(DirIcons\)=.*$|\1="icons"|' \ + -e 's|^\(CreateDirDataIfNotExists\)=.*$|\1=1|' \ + -e 's|^\(SiteDomain\)=.*$|\1="${name}"|' \ + -e 's|^\(LogFile\)=.*$|\1="${opts.logFile}"|' \ + -e 's|^\(LogFormat\)=.*$|\1="${opts.logFormat}"|' \ + '' + + + # extra config + concatStringsSep "\n" (mapAttrsToList (n: v: '' + -e 's|^\(${n}\)=.*$|\1="${v}"|' \ + '') opts.extraConfig) + + + '' + < '${package.out}/wwwroot/cgi-bin/awstats.model.conf' > "$out" + ''); + }) cfg.configs; - systemd.services.awstats-update = mkIf (cfg.updateAt != null) { - description = "awstats log collector"; - script = "exec '${package.bin}/bin/awstats' -update -config=awstats.conf"; - startAt = cfg.updateAt; - }; + # create data directory with the correct permissions + systemd.tmpfiles.rules = + [ "d '${cfg.dataDir}' 755 root root - -" ] ++ + mapAttrsToList (name: opts: "d '${cfg.dataDir}/${name}' 755 root root - -") cfg.configs ++ + [ "Z '${cfg.dataDir}' 755 root root - -" ]; + + # nginx options + services.nginx.virtualHosts = mapAttrs'(name: opts: { + name = opts.webService.hostname; + value = { + locations = { + "${opts.webService.urlPrefix}/css/" = { + alias = "${package.out}/wwwroot/css/"; + }; + "${opts.webService.urlPrefix}/icons/" = { + alias = "${package.out}/wwwroot/icon/"; + }; + "${opts.webService.urlPrefix}/" = { + alias = "${cfg.dataDir}/${name}/"; + extraConfig = '' + autoindex on; + ''; + }; + }; + }; + }) webServices; + + # update awstats + systemd.services = mkIf (cfg.updateAt != null) (mapAttrs' (name: opts: + nameValuePair "awstats-${name}-update" { + description = "update awstats for ${name}"; + script = optionalString (opts.type == "mail") + '' + if [[ -f "${cfg.dataDir}/${name}-cursor" ]]; then + CURSOR="$(cat "${cfg.dataDir}/${name}-cursor" | tr -d '\n')" + if [[ -n "$CURSOR" ]]; then + echo "Using cursor: $CURSOR" + export OLD_CURSOR="--cursor $CURSOR" + fi + fi + NEW_CURSOR="$(journalctl $OLD_CURSOR -u postfix.service --show-cursor | tail -n 1 | tr -d '\n' | sed -e 's#^-- cursor: \(.*\)#\1#')" + echo "New cursor: $NEW_CURSOR" + ${package.bin}/bin/awstats -update -config=${name} + if [ -n "$NEW_CURSOR" ]; then + echo -n "$NEW_CURSOR" > ${cfg.dataDir}/${name}-cursor + fi + '' + '' + ${package.out}/share/awstats/tools/awstats_buildstaticpages.pl \ + -config=${name} -update -dir=${cfg.dataDir}/${name} \ + -awstatsprog=${package.bin}/bin/awstats + ''; + startAt = cfg.updateAt; + }) cfg.configs); }; } diff --git a/nixpkgs/nixos/modules/services/logging/logcheck.nix b/nixpkgs/nixos/modules/services/logging/logcheck.nix index 6d8be5b926d5..4296b2270c29 100644 --- a/nixpkgs/nixos/modules/services/logging/logcheck.nix +++ b/nixpkgs/nixos/modules/services/logging/logcheck.nix @@ -213,13 +213,14 @@ in mapAttrsToList writeIgnoreRule cfg.ignore ++ mapAttrsToList writeIgnoreCronRule cfg.ignoreCron; - users.users = optionalAttrs (cfg.user == "logcheck") (singleton - { name = "logcheck"; + users.users = optionalAttrs (cfg.user == "logcheck") { + logcheck = { uid = config.ids.uids.logcheck; shell = "/bin/sh"; description = "Logcheck user account"; extraGroups = cfg.extraGroups; - }); + }; + }; system.activationScripts.logcheck = '' mkdir -m 700 -p /var/{lib,lock}/logcheck diff --git a/nixpkgs/nixos/modules/services/logging/logstash.nix b/nixpkgs/nixos/modules/services/logging/logstash.nix index 4943e8d7db3a..21a83803fd8c 100644 --- a/nixpkgs/nixos/modules/services/logging/logstash.nix +++ b/nixpkgs/nixos/modules/services/logging/logstash.nix @@ -37,6 +37,11 @@ let in { + imports = [ + (mkRenamedOptionModule [ "services" "logstash" "address" ] [ "services" "logstash" "listenAddress" ]) + (mkRemovedOptionModule [ "services" "logstash" "enableWeb" ] "The web interface was removed from logstash") + ]; + ###### interface options = { diff --git a/nixpkgs/nixos/modules/services/logging/syslog-ng.nix b/nixpkgs/nixos/modules/services/logging/syslog-ng.nix index 65e103ac2ba5..35055311680b 100644 --- a/nixpkgs/nixos/modules/services/logging/syslog-ng.nix +++ b/nixpkgs/nixos/modules/services/logging/syslog-ng.nix @@ -25,6 +25,10 @@ let ]; in { + imports = [ + (mkRemovedOptionModule [ "services" "syslog-ng" "serviceName" ] "") + (mkRemovedOptionModule [ "services" "syslog-ng" "listenToJournal" ] "") + ]; options = { diff --git a/nixpkgs/nixos/modules/services/mail/dovecot.nix b/nixpkgs/nixos/modules/services/mail/dovecot.nix index cdbb776454b6..b5ed2c594f77 100644 --- a/nixpkgs/nixos/modules/services/mail/dovecot.nix +++ b/nixpkgs/nixos/modules/services/mail/dovecot.nix @@ -86,7 +86,7 @@ let } plugin { - quota_rule = *:storage=${cfg.quotaGlobalPerUser} + quota_rule = *:storage=${cfg.quotaGlobalPerUser} quota = maildir:User quota # per virtual mail user quota # BUG/FIXME broken, we couldn't get this working quota_status_success = DUNNO quota_status_nouser = DUNNO @@ -133,6 +133,9 @@ let }; in { + imports = [ + (mkRemovedOptionModule [ "services" "dovecot2" "package" ] "") + ]; options.services.dovecot2 = { enable = mkEnableOption "Dovecot 2.x POP3/IMAP server"; @@ -181,7 +184,7 @@ in }; configFile = mkOption { - type = types.nullOr types.str; + type = types.nullOr types.path; default = null; description = "Config file used for the whole dovecot configuration."; apply = v: if v != null then v else pkgs.writeText "dovecot.conf" dovecotConf; @@ -307,36 +310,32 @@ in ++ optional cfg.enablePop3 "pop3" ++ optional cfg.enableLmtp "lmtp"; - users.users = [ - { name = "dovenull"; - uid = config.ids.uids.dovenull2; - description = "Dovecot user for untrusted logins"; - group = "dovenull"; - } - ] ++ optional (cfg.user == "dovecot2") - { name = "dovecot2"; - uid = config.ids.uids.dovecot2; + users.users = { + dovenull = + { uid = config.ids.uids.dovenull2; + description = "Dovecot user for untrusted logins"; + group = "dovenull"; + }; + } // optionalAttrs (cfg.user == "dovecot2") { + dovecot2 = + { uid = config.ids.uids.dovecot2; description = "Dovecot user"; group = cfg.group; - } - ++ optional (cfg.createMailUser && cfg.mailUser != null) - ({ name = cfg.mailUser; - description = "Virtual Mail User"; - } // optionalAttrs (cfg.mailGroup != null) { - group = cfg.mailGroup; - }); - - users.groups = optional (cfg.group == "dovecot2") - { name = "dovecot2"; - gid = config.ids.gids.dovecot2; - } - ++ optional (cfg.createMailUser && cfg.mailGroup != null) - { name = cfg.mailGroup; - } - ++ singleton - { name = "dovenull"; - gid = config.ids.gids.dovenull2; - }; + }; + } // optionalAttrs (cfg.createMailUser && cfg.mailUser != null) { + ${cfg.mailUser} = + { description = "Virtual Mail User"; } // + optionalAttrs (cfg.mailGroup != null) + { group = cfg.mailGroup; }; + }; + + users.groups = { + dovenull.gid = config.ids.gids.dovenull2; + } // optionalAttrs (cfg.group == "dovecot2") { + dovecot2.gid = config.ids.gids.dovecot2; + } // optionalAttrs (cfg.createMailUser && cfg.mailGroup != null) { + ${cfg.mailGroup} = { }; + }; environment.etc."dovecot/modules".source = modulesDir; environment.etc."dovecot/dovecot.conf".source = cfg.configFile; diff --git a/nixpkgs/nixos/modules/services/mail/dspam.nix b/nixpkgs/nixos/modules/services/mail/dspam.nix index 72b8c4c08b92..766ebc8095a0 100644 --- a/nixpkgs/nixos/modules/services/mail/dspam.nix +++ b/nixpkgs/nixos/modules/services/mail/dspam.nix @@ -86,16 +86,16 @@ in { config = mkIf cfg.enable (mkMerge [ { - users.users = optionalAttrs (cfg.user == "dspam") (singleton - { name = "dspam"; + users.users = optionalAttrs (cfg.user == "dspam") { + dspam = { group = cfg.group; uid = config.ids.uids.dspam; - }); + }; + }; - users.groups = optionalAttrs (cfg.group == "dspam") (singleton - { name = "dspam"; - gid = config.ids.gids.dspam; - }); + users.groups = optionalAttrs (cfg.group == "dspam") { + dspam.gid = config.ids.gids.dspam; + }; environment.systemPackages = [ dspam ]; diff --git a/nixpkgs/nixos/modules/services/mail/exim.nix b/nixpkgs/nixos/modules/services/mail/exim.nix index 47812dd1e40e..892fbd33214a 100644 --- a/nixpkgs/nixos/modules/services/mail/exim.nix +++ b/nixpkgs/nixos/modules/services/mail/exim.nix @@ -87,15 +87,13 @@ in systemPackages = [ cfg.package ]; }; - users.users = singleton { - name = cfg.user; + users.users.${cfg.user} = { description = "Exim mail transfer agent user"; uid = config.ids.uids.exim; group = cfg.group; }; - users.groups = singleton { - name = cfg.group; + users.groups.${cfg.group} = { gid = config.ids.gids.exim; }; diff --git a/nixpkgs/nixos/modules/services/mail/mailcatcher.nix b/nixpkgs/nixos/modules/services/mail/mailcatcher.nix index f5b4508b335c..84f06ed199dc 100644 --- a/nixpkgs/nixos/modules/services/mail/mailcatcher.nix +++ b/nixpkgs/nixos/modules/services/mail/mailcatcher.nix @@ -25,6 +25,13 @@ in description = "The port address of the http server."; }; + http.path = mkOption { + type = with types; nullOr str; + default = null; + description = "Prefix to all HTTP paths."; + example = "/mailcatcher"; + }; + smtp.ip = mkOption { type = types.str; default = "127.0.0.1"; @@ -53,7 +60,7 @@ in serviceConfig = { DynamicUser = true; Restart = "always"; - ExecStart = "${pkgs.mailcatcher}/bin/mailcatcher --foreground --no-quit --http-ip ${cfg.http.ip} --http-port ${toString cfg.http.port} --smtp-ip ${cfg.smtp.ip} --smtp-port ${toString cfg.smtp.port}"; + ExecStart = "${pkgs.mailcatcher}/bin/mailcatcher --foreground --no-quit --http-ip ${cfg.http.ip} --http-port ${toString cfg.http.port} --smtp-ip ${cfg.smtp.ip} --smtp-port ${toString cfg.smtp.port}" + optionalString (cfg.http.path != null) " --http-path ${cfg.http.path}"; AmbientCapabilities = optionalString (cfg.http.port < 1024 || cfg.smtp.port < 1024) "cap_net_bind_service"; }; }; diff --git a/nixpkgs/nixos/modules/services/mail/mailhog.nix b/nixpkgs/nixos/modules/services/mail/mailhog.nix index b78f4c8e0e66..0f998c6d0ea6 100644 --- a/nixpkgs/nixos/modules/services/mail/mailhog.nix +++ b/nixpkgs/nixos/modules/services/mail/mailhog.nix @@ -27,6 +27,7 @@ in { users.users.mailhog = { name = cfg.user; description = "MailHog service user"; + isSystemUser = true; }; systemd.services.mailhog = { diff --git a/nixpkgs/nixos/modules/services/mail/mlmmj.nix b/nixpkgs/nixos/modules/services/mail/mlmmj.nix index 7ae00f3e501e..d58d93c4214c 100644 --- a/nixpkgs/nixos/modules/services/mail/mlmmj.nix +++ b/nixpkgs/nixos/modules/services/mail/mlmmj.nix @@ -94,8 +94,7 @@ in config = mkIf cfg.enable { - users.users = singleton { - name = cfg.user; + users.users.${cfg.user} = { description = "mlmmj user"; home = stateDir; createHome = true; @@ -104,8 +103,7 @@ in useDefaultShell = true; }; - users.groups = singleton { - name = cfg.group; + users.groups.${cfg.group} = { gid = config.ids.gids.mlmmj; }; diff --git a/nixpkgs/nixos/modules/services/mail/nullmailer.nix b/nixpkgs/nixos/modules/services/mail/nullmailer.nix index 2c2910e0aa9b..fe3f8ef9b391 100644 --- a/nixpkgs/nixos/modules/services/mail/nullmailer.nix +++ b/nixpkgs/nixos/modules/services/mail/nullmailer.nix @@ -201,15 +201,12 @@ with lib; }; users = { - users = singleton { - name = cfg.user; + users.${cfg.user} = { description = "Nullmailer relay-only mta user"; group = cfg.group; }; - groups = singleton { - name = cfg.group; - }; + groups.${cfg.group} = { }; }; systemd.tmpfiles.rules = [ diff --git a/nixpkgs/nixos/modules/services/mail/opendkim.nix b/nixpkgs/nixos/modules/services/mail/opendkim.nix index 253823cbaf9c..eb6a426684d4 100644 --- a/nixpkgs/nixos/modules/services/mail/opendkim.nix +++ b/nixpkgs/nixos/modules/services/mail/opendkim.nix @@ -18,6 +18,9 @@ let ] ++ optionals (cfg.configFile != null) [ "-x" cfg.configFile ]; in { + imports = [ + (mkRenamedOptionModule [ "services" "opendkim" "keyFile" ] [ "services" "opendkim" "keyPath" ]) + ]; ###### interface @@ -88,16 +91,16 @@ in { config = mkIf cfg.enable { - users.users = optionalAttrs (cfg.user == "opendkim") (singleton - { name = "opendkim"; + users.users = optionalAttrs (cfg.user == "opendkim") { + opendkim = { group = cfg.group; uid = config.ids.uids.opendkim; - }); + }; + }; - users.groups = optionalAttrs (cfg.group == "opendkim") (singleton - { name = "opendkim"; - gid = config.ids.gids.opendkim; - }); + users.groups = optionalAttrs (cfg.group == "opendkim") { + opendkim.gid = config.ids.gids.opendkim; + }; environment.systemPackages = [ pkgs.opendkim ]; diff --git a/nixpkgs/nixos/modules/services/mail/opensmtpd.nix b/nixpkgs/nixos/modules/services/mail/opensmtpd.nix index a870550ba50b..1fabe2da45c5 100644 --- a/nixpkgs/nixos/modules/services/mail/opensmtpd.nix +++ b/nixpkgs/nixos/modules/services/mail/opensmtpd.nix @@ -101,6 +101,12 @@ in { }; }; + systemd.tmpfiles.rules = [ + "d /var/spool/smtpd 711 root - - -" + "d /var/spool/smtpd/offline 770 root smtpq - -" + "d /var/spool/smtpd/purge 700 smtpq root - -" + ]; + systemd.services.opensmtpd = let procEnv = pkgs.buildEnv { name = "opensmtpd-procs"; @@ -110,18 +116,6 @@ in { in { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - preStart = '' - mkdir -p /var/spool/smtpd - chmod 711 /var/spool/smtpd - - mkdir -p /var/spool/smtpd/offline - chown root.smtpq /var/spool/smtpd/offline - chmod 770 /var/spool/smtpd/offline - - mkdir -p /var/spool/smtpd/purge - chown smtpq.root /var/spool/smtpd/purge - chmod 700 /var/spool/smtpd/purge - ''; serviceConfig.ExecStart = "${cfg.package}/sbin/smtpd -d -f ${conf} ${args}"; environment.OPENSMTPD_PROC_PATH = "${procEnv}/libexec/opensmtpd"; }; diff --git a/nixpkgs/nixos/modules/services/mail/postfix.nix b/nixpkgs/nixos/modules/services/mail/postfix.nix index df438a0c69d1..d7378821440d 100644 --- a/nixpkgs/nixos/modules/services/mail/postfix.nix +++ b/nixpkgs/nixos/modules/services/mail/postfix.nix @@ -655,21 +655,20 @@ in setgid = true; }; - users.users = optional (user == "postfix") - { name = "postfix"; - description = "Postfix mail server user"; - uid = config.ids.uids.postfix; - group = group; + users.users = optionalAttrs (user == "postfix") + { postfix = { + description = "Postfix mail server user"; + uid = config.ids.uids.postfix; + group = group; + }; }; users.groups = - optional (group == "postfix") - { name = group; - gid = config.ids.gids.postfix; + optionalAttrs (group == "postfix") + { ${group}.gid = config.ids.gids.postfix; } - ++ optional (setgidGroup == "postdrop") - { name = setgidGroup; - gid = config.ids.gids.postdrop; + // optionalAttrs (setgidGroup == "postdrop") + { ${setgidGroup}.gid = config.ids.gids.postdrop; }; systemd.services.postfix = diff --git a/nixpkgs/nixos/modules/services/mail/postgrey.nix b/nixpkgs/nixos/modules/services/mail/postgrey.nix index 88fb7f0b4ad1..709f6b21aa0a 100644 --- a/nixpkgs/nixos/modules/services/mail/postgrey.nix +++ b/nixpkgs/nixos/modules/services/mail/postgrey.nix @@ -42,6 +42,17 @@ with lib; let }; in { + imports = [ + (mkMergedOptionModule [ [ "services" "postgrey" "inetAddr" ] [ "services" "postgrey" "inetPort" ] ] [ "services" "postgrey" "socket" ] (config: let + value = p: getAttrFromPath p config; + inetAddr = [ "services" "postgrey" "inetAddr" ]; + inetPort = [ "services" "postgrey" "inetPort" ]; + in + if value inetAddr == null + then { path = "/run/postgrey.sock"; } + else { addr = value inetAddr; port = value inetPort; } + )) + ]; options = { services.postgrey = with types; { diff --git a/nixpkgs/nixos/modules/services/mail/postsrsd.nix b/nixpkgs/nixos/modules/services/mail/postsrsd.nix index 8f12a16906c5..2ebc675ab10a 100644 --- a/nixpkgs/nixos/modules/services/mail/postsrsd.nix +++ b/nixpkgs/nixos/modules/services/mail/postsrsd.nix @@ -90,16 +90,16 @@ in { services.postsrsd.domain = mkDefault config.networking.hostName; - users.users = optionalAttrs (cfg.user == "postsrsd") (singleton - { name = "postsrsd"; + users.users = optionalAttrs (cfg.user == "postsrsd") { + postsrsd = { group = cfg.group; uid = config.ids.uids.postsrsd; - }); + }; + }; - users.groups = optionalAttrs (cfg.group == "postsrsd") (singleton - { name = "postsrsd"; - gid = config.ids.gids.postsrsd; - }); + users.groups = optionalAttrs (cfg.group == "postsrsd") { + postsrsd.gid = config.ids.gids.postsrsd; + }; systemd.services.postsrsd = { description = "PostSRSd SRS rewriting server"; diff --git a/nixpkgs/nixos/modules/services/mail/roundcube.nix b/nixpkgs/nixos/modules/services/mail/roundcube.nix index bdedfa1bb701..36dda619ad06 100644 --- a/nixpkgs/nixos/modules/services/mail/roundcube.nix +++ b/nixpkgs/nixos/modules/services/mail/roundcube.nix @@ -160,7 +160,7 @@ in ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql postgres -c "create role ${cfg.database.username} with login password '${cfg.database.password}'"; ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql postgres -c "create database ${cfg.database.dbname} with owner ${cfg.database.username}"; fi - PGPASSWORD=${cfg.database.password} ${pkgs.postgresql}/bin/psql -U ${cfg.database.username} \ + PGPASSWORD="${cfg.database.password}" ${pkgs.postgresql}/bin/psql -U ${cfg.database.username} \ -f ${cfg.package}/SQL/postgres.initial.sql \ -h ${cfg.database.host} ${cfg.database.dbname} touch /var/lib/roundcube/db-created diff --git a/nixpkgs/nixos/modules/services/mail/rspamd.nix b/nixpkgs/nixos/modules/services/mail/rspamd.nix index 4db35d9e89ab..aacdbe2aeed2 100644 --- a/nixpkgs/nixos/modules/services/mail/rspamd.nix +++ b/nixpkgs/nixos/modules/services/mail/rspamd.nix @@ -60,7 +60,7 @@ let }; type = mkOption { type = types.nullOr (types.enum [ - "normal" "controller" "fuzzy_storage" "rspamd_proxy" "lua" "proxy" + "normal" "controller" "fuzzy" "rspamd_proxy" "lua" "proxy" ]); description = '' The type of this worker. The type <literal>proxy</literal> is @@ -220,7 +220,6 @@ let in { - ###### interface options = { @@ -375,15 +374,13 @@ in # Allow users to run 'rspamc' and 'rspamadm'. environment.systemPackages = [ pkgs.rspamd ]; - users.users = singleton { - name = cfg.user; + users.users.${cfg.user} = { description = "rspamd daemon"; uid = config.ids.uids.rspamd; group = cfg.group; }; - users.groups = singleton { - name = cfg.group; + users.groups.${cfg.group} = { gid = config.ids.gids.rspamd; }; @@ -414,5 +411,6 @@ in "Socket activation never worked correctly and could at this time not be fixed and so was removed") (mkRenamedOptionModule [ "services" "rspamd" "bindSocket" ] [ "services" "rspamd" "workers" "normal" "bindSockets" ]) (mkRenamedOptionModule [ "services" "rspamd" "bindUISocket" ] [ "services" "rspamd" "workers" "controller" "bindSockets" ]) + (mkRemovedOptionModule [ "services" "rmilter" ] "Use services.rspamd.* instead to set up milter service") ]; } diff --git a/nixpkgs/nixos/modules/services/mail/spamassassin.nix b/nixpkgs/nixos/modules/services/mail/spamassassin.nix index cea525606481..851dbacfbf2e 100644 --- a/nixpkgs/nixos/modules/services/mail/spamassassin.nix +++ b/nixpkgs/nixos/modules/services/mail/spamassassin.nix @@ -117,15 +117,13 @@ in # Allow users to run 'spamc'. environment.systemPackages = [ pkgs.spamassassin ]; - users.users = singleton { - name = "spamd"; + users.users.spamd = { description = "Spam Assassin Daemon"; uid = config.ids.uids.spamd; group = "spamd"; }; - users.groups = singleton { - name = "spamd"; + users.groups.spamd = { gid = config.ids.gids.spamd; }; diff --git a/nixpkgs/nixos/modules/services/misc/airsonic.nix b/nixpkgs/nixos/modules/services/misc/airsonic.nix index 919d3b2f6e64..c296e048cea4 100644 --- a/nixpkgs/nixos/modules/services/misc/airsonic.nix +++ b/nixpkgs/nixos/modules/services/misc/airsonic.nix @@ -148,6 +148,7 @@ in { name = cfg.user; home = cfg.home; createHome = true; + isSystemUser = true; }; }; } diff --git a/nixpkgs/nixos/modules/services/misc/apache-kafka.nix b/nixpkgs/nixos/modules/services/misc/apache-kafka.nix index 798e902ccae4..f3a650a260f1 100644 --- a/nixpkgs/nixos/modules/services/misc/apache-kafka.nix +++ b/nixpkgs/nixos/modules/services/misc/apache-kafka.nix @@ -124,14 +124,13 @@ in { environment.systemPackages = [cfg.package]; - users.users = singleton { - name = "apache-kafka"; + users.users.apache-kafka = { uid = config.ids.uids.apache-kafka; description = "Apache Kafka daemon user"; home = head cfg.logDirs; }; - systemd.tmpfiles.rules = map (logDir: "d '${logDir} 0700 apache-kafka - - -") cfg.logDirs; + systemd.tmpfiles.rules = map (logDir: "d '${logDir}' 0700 apache-kafka - - -") cfg.logDirs; systemd.services.apache-kafka = { description = "Apache Kafka Daemon"; diff --git a/nixpkgs/nixos/modules/services/misc/beanstalkd.nix b/nixpkgs/nixos/modules/services/misc/beanstalkd.nix index 06e881406b52..bcd133c97411 100644 --- a/nixpkgs/nixos/modules/services/misc/beanstalkd.nix +++ b/nixpkgs/nixos/modules/services/misc/beanstalkd.nix @@ -44,7 +44,8 @@ in serviceConfig = { DynamicUser = true; Restart = "always"; - ExecStart = "${pkg}/bin/beanstalkd -l ${cfg.listen.address} -p ${toString cfg.listen.port}"; + ExecStart = "${pkg}/bin/beanstalkd -l ${cfg.listen.address} -p ${toString cfg.listen.port} -b $STATE_DIRECTORY"; + StateDirectory = "beanstalkd"; }; }; diff --git a/nixpkgs/nixos/modules/services/misc/bepasty.nix b/nixpkgs/nixos/modules/services/misc/bepasty.nix index 87d360681445..f69832e5b2bd 100644 --- a/nixpkgs/nixos/modules/services/misc/bepasty.nix +++ b/nixpkgs/nixos/modules/services/misc/bepasty.nix @@ -168,16 +168,12 @@ in }) ) cfg.servers; - users.users = [{ - uid = config.ids.uids.bepasty; - name = user; - group = group; - home = default_home; - }]; - - users.groups = [{ - name = group; - gid = config.ids.gids.bepasty; - }]; + users.users.${user} = + { uid = config.ids.uids.bepasty; + group = group; + home = default_home; + }; + + users.groups.${group}.gid = config.ids.gids.bepasty; }; } diff --git a/nixpkgs/nixos/modules/services/misc/cgminer.nix b/nixpkgs/nixos/modules/services/misc/cgminer.nix index b1cf5a7d1104..9fcae6452696 100644 --- a/nixpkgs/nixos/modules/services/misc/cgminer.nix +++ b/nixpkgs/nixos/modules/services/misc/cgminer.nix @@ -110,11 +110,12 @@ in config = mkIf config.services.cgminer.enable { - users.users = optionalAttrs (cfg.user == "cgminer") (singleton - { name = "cgminer"; + users.users = optionalAttrs (cfg.user == "cgminer") { + cgminer = { uid = config.ids.uids.cgminer; description = "Cgminer user"; - }); + }; + }; environment.systemPackages = [ cfg.package ]; diff --git a/nixpkgs/nixos/modules/services/misc/couchpotato.nix b/nixpkgs/nixos/modules/services/misc/couchpotato.nix index 528af486b414..f5163cf86cf5 100644 --- a/nixpkgs/nixos/modules/services/misc/couchpotato.nix +++ b/nixpkgs/nixos/modules/services/misc/couchpotato.nix @@ -29,17 +29,14 @@ in }; }; - users.users = singleton - { name = "couchpotato"; - group = "couchpotato"; + users.users.couchpotato = + { group = "couchpotato"; home = "/var/lib/couchpotato/"; description = "CouchPotato daemon user"; uid = config.ids.uids.couchpotato; }; - users.groups = singleton - { name = "couchpotato"; - gid = config.ids.gids.couchpotato; - }; + users.groups.couchpotato = + { gid = config.ids.gids.couchpotato; }; }; } diff --git a/nixpkgs/nixos/modules/services/misc/dictd.nix b/nixpkgs/nixos/modules/services/misc/dictd.nix index d7b0997a1fc5..ae477dc3b634 100644 --- a/nixpkgs/nixos/modules/services/misc/dictd.nix +++ b/nixpkgs/nixos/modules/services/misc/dictd.nix @@ -49,18 +49,14 @@ in server localhost ''; - users.users = singleton - { name = "dictd"; - group = "dictd"; + users.users.dictd = + { group = "dictd"; description = "DICT.org dictd server"; home = "${dictdb}/share/dictd"; uid = config.ids.uids.dictd; }; - users.groups = singleton - { name = "dictd"; - gid = config.ids.gids.dictd; - }; + users.groups.dictd.gid = config.ids.gids.dictd; systemd.services.dictd = { description = "DICT.org Dictionary Server"; diff --git a/nixpkgs/nixos/modules/services/misc/docker-registry.nix b/nixpkgs/nixos/modules/services/misc/docker-registry.nix index c87607d2666a..89bac4f47d73 100644 --- a/nixpkgs/nixos/modules/services/misc/docker-registry.nix +++ b/nixpkgs/nixos/modules/services/misc/docker-registry.nix @@ -145,11 +145,13 @@ in { }; users.users.docker-registry = - if cfg.storagePath != null + (if cfg.storagePath != null then { createHome = true; home = cfg.storagePath; } - else {}; + else {}) // { + isSystemUser = true; + }; }; } diff --git a/nixpkgs/nixos/modules/services/misc/errbot.nix b/nixpkgs/nixos/modules/services/misc/errbot.nix index 256adce2f02e..b447ba5d438d 100644 --- a/nixpkgs/nixos/modules/services/misc/errbot.nix +++ b/nixpkgs/nixos/modules/services/misc/errbot.nix @@ -76,7 +76,10 @@ in { }; config = mkIf (cfg.instances != {}) { - users.users.errbot.group = "errbot"; + users.users.errbot = { + group = "errbot"; + isSystemUser = true; + }; users.groups.errbot = {}; systemd.services = mapAttrs' (name: instanceCfg: nameValuePair "errbot-${name}" ( diff --git a/nixpkgs/nixos/modules/services/misc/etcd.nix b/nixpkgs/nixos/modules/services/misc/etcd.nix index e4d5322f9b5f..7322e1c080be 100644 --- a/nixpkgs/nixos/modules/services/misc/etcd.nix +++ b/nixpkgs/nixos/modules/services/misc/etcd.nix @@ -186,8 +186,7 @@ in { environment.systemPackages = [ pkgs.etcdctl ]; - users.users = singleton { - name = "etcd"; + users.users.etcd = { uid = config.ids.uids.etcd; description = "Etcd daemon user"; home = cfg.dataDir; diff --git a/nixpkgs/nixos/modules/services/misc/ethminer.nix b/nixpkgs/nixos/modules/services/misc/ethminer.nix index 2958cf214473..95afb0460fb8 100644 --- a/nixpkgs/nixos/modules/services/misc/ethminer.nix +++ b/nixpkgs/nixos/modules/services/misc/ethminer.nix @@ -71,7 +71,7 @@ in maxPower = mkOption { type = types.int; - default = 115; + default = 113; description = "Miner max watt usage."; }; @@ -92,7 +92,9 @@ in serviceConfig = { DynamicUser = true; + ExecStartPre = "${pkgs.ethminer}/bin/.ethminer-wrapped --list-devices"; ExecStartPost = optional (cfg.toolkit == "cuda") "+${getBin config.boot.kernelPackages.nvidia_x11}/bin/nvidia-smi -pl ${toString cfg.maxPower}"; + Restart = "always"; }; environment = { diff --git a/nixpkgs/nixos/modules/services/misc/exhibitor.nix b/nixpkgs/nixos/modules/services/misc/exhibitor.nix index 74f4f671f460..f8c79f892da3 100644 --- a/nixpkgs/nixos/modules/services/misc/exhibitor.nix +++ b/nixpkgs/nixos/modules/services/misc/exhibitor.nix @@ -410,8 +410,7 @@ in sed -i 's/'"$replace_what"'/'"$replace_with"'/g' ${cfg.baseDir}/zookeeper/bin/zk*.sh ''; }; - users.users = singleton { - name = "zookeeper"; + users.users.zookeeper = { uid = config.ids.uids.zookeeper; description = "Zookeeper daemon user"; home = cfg.baseDir; diff --git a/nixpkgs/nixos/modules/services/misc/felix.nix b/nixpkgs/nixos/modules/services/misc/felix.nix index 1c5ece868258..188e45abc58b 100644 --- a/nixpkgs/nixos/modules/services/misc/felix.nix +++ b/nixpkgs/nixos/modules/services/misc/felix.nix @@ -47,14 +47,10 @@ in ###### implementation config = mkIf cfg.enable { - users.groups = singleton - { name = "osgi"; - gid = config.ids.gids.osgi; - }; + users.groups.osgi.gid = config.ids.gids.osgi; - users.users = singleton - { name = "osgi"; - uid = config.ids.uids.osgi; + users.users.osgi = + { uid = config.ids.uids.osgi; description = "OSGi user"; home = "/homeless-shelter"; }; diff --git a/nixpkgs/nixos/modules/services/misc/folding-at-home.nix b/nixpkgs/nixos/modules/services/misc/folding-at-home.nix index 122c89ce0680..fd2ea3948f64 100644 --- a/nixpkgs/nixos/modules/services/misc/folding-at-home.nix +++ b/nixpkgs/nixos/modules/services/misc/folding-at-home.nix @@ -42,9 +42,8 @@ in { config = mkIf cfg.enable { - users.users = singleton - { name = fahUser; - uid = config.ids.uids.foldingathome; + users.users.${fahUser} = + { uid = config.ids.uids.foldingathome; description = "Folding@Home user"; home = stateDir; }; diff --git a/nixpkgs/nixos/modules/services/misc/gitea.nix b/nixpkgs/nixos/modules/services/misc/gitea.nix index 4992b13c9d4a..258476dd9feb 100644 --- a/nixpkgs/nixos/modules/services/misc/gitea.nix +++ b/nixpkgs/nixos/modules/services/misc/gitea.nix @@ -394,6 +394,26 @@ in WorkingDirectory = cfg.stateDir; ExecStart = "${gitea.bin}/bin/gitea web"; Restart = "always"; + + # Filesystem + ProtectHome = true; + PrivateDevices = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + ReadWritePaths = cfg.stateDir; + # Caps + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + # Misc. + LockPersonality = true; + RestrictRealtime = true; + PrivateMounts = true; + PrivateUsers = true; + MemoryDenyWriteExecute = true; + SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap"; + SystemCallArchitectures = "native"; + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; }; environment = { @@ -409,6 +429,7 @@ in home = cfg.stateDir; useDefaultShell = true; group = "gitea"; + isSystemUser = true; }; }; @@ -452,4 +473,5 @@ in timerConfig.OnCalendar = cfg.dump.interval; }; }; + meta.maintainers = with lib.maintainers; [ srhb ]; } diff --git a/nixpkgs/nixos/modules/services/misc/gitlab.nix b/nixpkgs/nixos/modules/services/misc/gitlab.nix index 4c1ffead00c8..aa9589853797 100644 --- a/nixpkgs/nixos/modules/services/misc/gitlab.nix +++ b/nixpkgs/nixos/modules/services/misc/gitlab.nix @@ -7,6 +7,11 @@ let ruby = cfg.packages.gitlab.ruby; + postgresqlPackage = if config.services.postgresql.enable then + config.services.postgresql.package + else + pkgs.postgresql; + gitlabSocket = "${cfg.statePath}/tmp/sockets/gitlab.socket"; gitalySocket = "${cfg.statePath}/tmp/sockets/gitaly.socket"; pathUrlQuote = url: replaceStrings ["/"] ["%2F"] url; @@ -22,6 +27,9 @@ let } // cfg.extraDatabaseConfig; }; + # We only want to create a database if we're actually going to connect to it. + databaseActuallyCreateLocally = cfg.databaseCreateLocally && cfg.databaseHost == ""; + gitalyToml = pkgs.writeText "gitaly.toml" '' socket_path = "${lib.escape ["\""] gitalySocket}" bin_dir = "${cfg.packages.gitaly}/bin" @@ -138,7 +146,7 @@ let mkdir -p $out/bin makeWrapper ${cfg.packages.gitlab.rubyEnv}/bin/rake $out/bin/gitlab-rake \ ${concatStrings (mapAttrsToList (name: value: "--set ${name} '${value}' ") gitlabEnv)} \ - --set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip pkgs.git pkgs.gnutar config.services.postgresql.package pkgs.coreutils pkgs.procps ]}:$PATH' \ + --set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip pkgs.git pkgs.gnutar postgresqlPackage pkgs.coreutils pkgs.procps ]}:$PATH' \ --set RAKEOPT '-f ${cfg.packages.gitlab}/share/gitlab/Rakefile' \ --run 'cd ${cfg.packages.gitlab}/share/gitlab' ''; @@ -153,7 +161,7 @@ let mkdir -p $out/bin makeWrapper ${cfg.packages.gitlab.rubyEnv}/bin/rails $out/bin/gitlab-rails \ ${concatStrings (mapAttrsToList (name: value: "--set ${name} '${value}' ") gitlabEnv)} \ - --set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip pkgs.git pkgs.gnutar config.services.postgresql.package pkgs.coreutils pkgs.procps ]}:$PATH' \ + --set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip pkgs.git pkgs.gnutar postgresqlPackage pkgs.coreutils pkgs.procps ]}:$PATH' \ --run 'cd ${cfg.packages.gitlab}/share/gitlab' ''; }; @@ -181,6 +189,11 @@ let in { + imports = [ + (mkRenamedOptionModule [ "services" "gitlab" "stateDir" ] [ "services" "gitlab" "statePath" ]) + (mkRemovedOptionModule [ "services" "gitlab" "satelliteDir" ] "") + ]; + options = { services.gitlab = { enable = mkOption { @@ -266,8 +279,8 @@ in { description = '' Whether a database should be automatically created on the local host. Set this to <literal>false</literal> if you plan - on provisioning a local database yourself or use an external - one. + on provisioning a local database yourself. This has no effect + if <option>services.gitlab.databaseHost</option> is customized. ''; }; @@ -557,8 +570,8 @@ in { assertions = [ { - assertion = cfg.databaseCreateLocally -> (cfg.user == cfg.databaseUsername); - message = "For local automatic database provisioning services.gitlab.user and services.gitlab.databaseUsername should be identical."; + assertion = databaseActuallyCreateLocally -> (cfg.user == cfg.databaseUsername); + message = ''For local automatic database provisioning (services.gitlab.databaseCreateLocally == true) with peer authentication (services.gitlab.databaseHost == "") to work services.gitlab.user and services.gitlab.databaseUsername must be identical.''; } { assertion = (cfg.databaseHost != "") -> (cfg.databasePasswordFile != null); @@ -592,14 +605,16 @@ in { services.redis.enable = mkDefault true; # We use postgres as the main data store. - services.postgresql = optionalAttrs cfg.databaseCreateLocally { + services.postgresql = optionalAttrs databaseActuallyCreateLocally { enable = true; ensureUsers = singleton { name = cfg.databaseUsername; }; }; # The postgresql module doesn't currently support concepts like # objects owners and extensions; for now we tack on what's needed # here. - systemd.services.postgresql.postStart = mkAfter (optionalString cfg.databaseCreateLocally '' + systemd.services.postgresql.postStart = mkAfter (optionalString databaseActuallyCreateLocally '' + set -eu + $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${cfg.databaseName}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${cfg.databaseName}" OWNER "${cfg.databaseUsername}"' current_owner=$($PSQL -tAc "SELECT pg_catalog.pg_get_userbyid(datdba) FROM pg_catalog.pg_database WHERE datname = '${cfg.databaseName}'") if [[ "$current_owner" != "${cfg.databaseUsername}" ]]; then @@ -618,20 +633,14 @@ in { # Use postfix to send out mails. services.postfix.enable = mkDefault true; - users.users = [ - { name = cfg.user; - group = cfg.group; + users.users.${cfg.user} = + { group = cfg.group; home = "${cfg.statePath}/home"; shell = "${pkgs.bash}/bin/bash"; uid = config.ids.uids.gitlab; - } - ]; + }; - users.groups = [ - { name = cfg.group; - gid = config.ids.gids.gitlab; - } - ]; + users.groups.${cfg.group}.gid = config.ids.gids.gitlab; systemd.tmpfiles.rules = [ "d /run/gitlab 0755 ${cfg.user} ${cfg.group} -" @@ -641,7 +650,7 @@ in { "d ${cfg.statePath} 0750 ${cfg.user} ${cfg.group} -" "d ${cfg.statePath}/builds 0750 ${cfg.user} ${cfg.group} -" "d ${cfg.statePath}/config 0750 ${cfg.user} ${cfg.group} -" - "D ${cfg.statePath}/config/initializers 0750 ${cfg.user} ${cfg.group} -" + "d ${cfg.statePath}/config/initializers 0750 ${cfg.user} ${cfg.group} -" "d ${cfg.statePath}/db 0750 ${cfg.user} ${cfg.group} -" "d ${cfg.statePath}/log 0750 ${cfg.user} ${cfg.group} -" "d ${cfg.statePath}/repositories 2770 ${cfg.user} ${cfg.group} -" @@ -658,7 +667,6 @@ in { "d ${gitlabConfig.production.shared.path}/artifacts 0750 ${cfg.user} ${cfg.group} -" "d ${gitlabConfig.production.shared.path}/lfs-objects 0750 ${cfg.user} ${cfg.group} -" "d ${gitlabConfig.production.shared.path}/pages 0750 ${cfg.user} ${cfg.group} -" - "L+ ${cfg.statePath}/lib - - - - ${cfg.packages.gitlab}/share/gitlab/lib" "L+ /run/gitlab/config - - - - ${cfg.statePath}/config" "L+ /run/gitlab/log - - - - ${cfg.statePath}/log" "L+ /run/gitlab/tmp - - - - ${cfg.statePath}/tmp" @@ -675,7 +683,7 @@ in { wantedBy = [ "multi-user.target" ]; environment = gitlabEnv; path = with pkgs; [ - config.services.postgresql.package + postgresqlPackage gitAndTools.git ruby openssh @@ -732,7 +740,6 @@ in { gitlab-workhorse ]; serviceConfig = { - PermissionsStartOnly = true; # preStart must be run as root Type = "simple"; User = cfg.user; Group = cfg.group; @@ -756,89 +763,109 @@ in { wantedBy = [ "multi-user.target" ]; environment = gitlabEnv; path = with pkgs; [ - config.services.postgresql.package + postgresqlPackage gitAndTools.git openssh nodejs procps gnupg ]; - preStart = '' - cp -f ${cfg.packages.gitlab}/share/gitlab/VERSION ${cfg.statePath}/VERSION - rm -rf ${cfg.statePath}/db/* - cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/config.dist/* ${cfg.statePath}/config - cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/db/* ${cfg.statePath}/db - - ${cfg.packages.gitlab-shell}/bin/install - ${optionalString cfg.smtp.enable '' - install -m u=rw ${smtpSettings} ${cfg.statePath}/config/initializers/smtp_settings.rb - ${optionalString (cfg.smtp.passwordFile != null) '' - smtp_password=$(<'${cfg.smtp.passwordFile}') - ${pkgs.replace}/bin/replace-literal -e '@smtpPassword@' "$smtp_password" '${cfg.statePath}/config/initializers/smtp_settings.rb' - ''} - ''} - - ( - umask u=rwx,g=,o= + serviceConfig = { + Type = "simple"; + User = cfg.user; + Group = cfg.group; + TimeoutSec = "infinity"; + Restart = "on-failure"; + WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab"; + ExecStartPre = let + preStartFullPrivileges = '' + shopt -s dotglob nullglob + set -eu - ${pkgs.openssl}/bin/openssl rand -hex 32 > ${cfg.statePath}/gitlab_shell_secret + chown --no-dereference '${cfg.user}':'${cfg.group}' '${cfg.statePath}'/* + chown --no-dereference '${cfg.user}':'${cfg.group}' '${cfg.statePath}'/config/* + ''; + preStart = '' + set -eu - ${if cfg.databasePasswordFile != null then '' - export db_password="$(<'${cfg.databasePasswordFile}')" + cp -f ${cfg.packages.gitlab}/share/gitlab/VERSION ${cfg.statePath}/VERSION + rm -rf ${cfg.statePath}/db/* + rm -rf ${cfg.statePath}/config/initializers/* + rm -f ${cfg.statePath}/lib + cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/config.dist/* ${cfg.statePath}/config + cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/db/* ${cfg.statePath}/db - if [[ -z "$db_password" ]]; then - >&2 echo "Database password was an empty string!" - exit 1 - fi + ${cfg.packages.gitlab-shell}/bin/install - ${pkgs.jq}/bin/jq <${pkgs.writeText "database.yml" (builtins.toJSON databaseConfig)} \ - '.production.password = $ENV.db_password' \ - >'${cfg.statePath}/config/database.yml' - '' - else '' - ${pkgs.jq}/bin/jq <${pkgs.writeText "database.yml" (builtins.toJSON databaseConfig)} \ - >'${cfg.statePath}/config/database.yml' - '' - } - - ${utils.genJqSecretsReplacementSnippet - gitlabConfig - "${cfg.statePath}/config/gitlab.yml" - } - - if [[ -h '${cfg.statePath}/config/secrets.yml' ]]; then - rm '${cfg.statePath}/config/secrets.yml' - fi + ${optionalString cfg.smtp.enable '' + install -m u=rw ${smtpSettings} ${cfg.statePath}/config/initializers/smtp_settings.rb + ${optionalString (cfg.smtp.passwordFile != null) '' + smtp_password=$(<'${cfg.smtp.passwordFile}') + ${pkgs.replace}/bin/replace-literal -e '@smtpPassword@' "$smtp_password" '${cfg.statePath}/config/initializers/smtp_settings.rb' + ''} + ''} - export secret="$(<'${cfg.secrets.secretFile}')" - export db="$(<'${cfg.secrets.dbFile}')" - export otp="$(<'${cfg.secrets.otpFile}')" - export jws="$(<'${cfg.secrets.jwsFile}')" - ${pkgs.jq}/bin/jq -n '{production: {secret_key_base: $ENV.secret, - otp_key_base: $ENV.otp, - db_key_base: $ENV.db, - openid_connect_signing_key: $ENV.jws}}' \ - > '${cfg.statePath}/config/secrets.yml' - ) + ( + umask u=rwx,g=,o= - initial_root_password="$(<'${cfg.initialRootPasswordFile}')" - ${gitlab-rake}/bin/gitlab-rake gitlab:db:configure GITLAB_ROOT_PASSWORD="$initial_root_password" \ - GITLAB_ROOT_EMAIL='${cfg.initialRootEmail}' + ${pkgs.openssl}/bin/openssl rand -hex 32 > ${cfg.statePath}/gitlab_shell_secret - # We remove potentially broken links to old gitlab-shell versions - rm -Rf ${cfg.statePath}/repositories/**/*.git/hooks + if [[ -h '${cfg.statePath}/config/database.yml' ]]; then + rm '${cfg.statePath}/config/database.yml' + fi - ${pkgs.git}/bin/git config --global core.autocrlf "input" - ''; + ${if cfg.databasePasswordFile != null then '' + export db_password="$(<'${cfg.databasePasswordFile}')" + + if [[ -z "$db_password" ]]; then + >&2 echo "Database password was an empty string!" + exit 1 + fi + + ${pkgs.jq}/bin/jq <${pkgs.writeText "database.yml" (builtins.toJSON databaseConfig)} \ + '.production.password = $ENV.db_password' \ + >'${cfg.statePath}/config/database.yml' + '' + else '' + ${pkgs.jq}/bin/jq <${pkgs.writeText "database.yml" (builtins.toJSON databaseConfig)} \ + >'${cfg.statePath}/config/database.yml' + '' + } + + ${utils.genJqSecretsReplacementSnippet + gitlabConfig + "${cfg.statePath}/config/gitlab.yml" + } + + if [[ -h '${cfg.statePath}/config/secrets.yml' ]]; then + rm '${cfg.statePath}/config/secrets.yml' + fi - serviceConfig = { - Type = "simple"; - User = cfg.user; - Group = cfg.group; - TimeoutSec = "infinity"; - Restart = "on-failure"; - WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab"; + export secret="$(<'${cfg.secrets.secretFile}')" + export db="$(<'${cfg.secrets.dbFile}')" + export otp="$(<'${cfg.secrets.otpFile}')" + export jws="$(<'${cfg.secrets.jwsFile}')" + ${pkgs.jq}/bin/jq -n '{production: {secret_key_base: $ENV.secret, + otp_key_base: $ENV.otp, + db_key_base: $ENV.db, + openid_connect_signing_key: $ENV.jws}}' \ + > '${cfg.statePath}/config/secrets.yml' + ) + + initial_root_password="$(<'${cfg.initialRootPasswordFile}')" + ${gitlab-rake}/bin/gitlab-rake gitlab:db:configure GITLAB_ROOT_PASSWORD="$initial_root_password" \ + GITLAB_ROOT_EMAIL='${cfg.initialRootEmail}' > /dev/null + + # We remove potentially broken links to old gitlab-shell versions + rm -Rf ${cfg.statePath}/repositories/**/*.git/hooks + + ${pkgs.git}/bin/git config --global core.autocrlf "input" + ''; + in [ + "+${pkgs.writeShellScript "gitlab-pre-start-full-privileges" preStartFullPrivileges}" + "${pkgs.writeShellScript "gitlab-pre-start" preStart}" + ]; ExecStart = "${cfg.packages.gitlab.rubyEnv}/bin/unicorn -c ${cfg.statePath}/config/unicorn.rb -E production"; }; diff --git a/nixpkgs/nixos/modules/services/misc/gollum.nix b/nixpkgs/nixos/modules/services/misc/gollum.nix index 7653b415bf09..f4a9c72b1545 100644 --- a/nixpkgs/nixos/modules/services/misc/gollum.nix +++ b/nixpkgs/nixos/modules/services/misc/gollum.nix @@ -71,6 +71,7 @@ in group = config.users.users.gollum.name; description = "Gollum user"; createHome = false; + isSystemUser = true; }; users.groups.gollum = { }; diff --git a/nixpkgs/nixos/modules/services/misc/gpsd.nix b/nixpkgs/nixos/modules/services/misc/gpsd.nix index 3bfcb636a3c6..f954249942a8 100644 --- a/nixpkgs/nixos/modules/services/misc/gpsd.nix +++ b/nixpkgs/nixos/modules/services/misc/gpsd.nix @@ -86,17 +86,13 @@ in config = mkIf cfg.enable { - users.users = singleton - { name = "gpsd"; - inherit uid; + users.users.gpsd = + { inherit uid; description = "gpsd daemon user"; home = "/var/empty"; }; - users.groups = singleton - { name = "gpsd"; - inherit gid; - }; + users.groups.gpsd = { inherit gid; }; systemd.services.gpsd = { description = "GPSD daemon"; diff --git a/nixpkgs/nixos/modules/services/misc/headphones.nix b/nixpkgs/nixos/modules/services/misc/headphones.nix index 4a77045be28e..3ee0a4458bd0 100644 --- a/nixpkgs/nixos/modules/services/misc/headphones.nix +++ b/nixpkgs/nixos/modules/services/misc/headphones.nix @@ -59,19 +59,19 @@ in config = mkIf cfg.enable { - users.users = optionalAttrs (cfg.user == name) (singleton { - name = name; - uid = config.ids.uids.headphones; - group = cfg.group; - description = "headphones user"; - home = cfg.dataDir; - createHome = true; - }); + users.users = optionalAttrs (cfg.user == name) { + ${name} = { + uid = config.ids.uids.headphones; + group = cfg.group; + description = "headphones user"; + home = cfg.dataDir; + createHome = true; + }; + }; - users.groups = optionalAttrs (cfg.group == name) (singleton { - name = name; - gid = config.ids.gids.headphones; - }); + users.groups = optionalAttrs (cfg.group == name) { + ${name}.gid = config.ids.gids.headphones; + }; systemd.services.headphones = { description = "Headphones Server"; diff --git a/nixpkgs/nixos/modules/services/misc/home-assistant.nix b/nixpkgs/nixos/modules/services/misc/home-assistant.nix index 74702c97f551..cc113ca2d0c1 100644 --- a/nixpkgs/nixos/modules/services/misc/home-assistant.nix +++ b/nixpkgs/nixos/modules/services/misc/home-assistant.nix @@ -11,6 +11,9 @@ let (recursiveUpdate defaultConfig cfg.config) else cfg.config)); configFile = pkgs.runCommand "configuration.yaml" { preferLocalBuild = true; } '' ${pkgs.remarshal}/bin/json2yaml -i ${configJSON} -o $out + # Hack to support secrets, that are encoded as custom yaml objects, + # https://www.home-assistant.io/docs/configuration/secrets/ + sed -i -e "s/'\!secret \(.*\)'/\!secret \1/" $out ''; lovelaceConfigJSON = pkgs.writeText "ui-lovelace.json" @@ -98,6 +101,10 @@ in { { homeassistant = { name = "Home"; + latitude = "!secret latitude"; + longitude = "!secret longitude"; + elevation = "!secret elevation"; + unit_system = "metric"; time_zone = "UTC"; }; frontend = { }; @@ -108,6 +115,8 @@ in { description = '' Your <filename>configuration.yaml</filename> as a Nix attribute set. Beware that setting this option will delete your previous <filename>configuration.yaml</filename>. + <link xlink:href="https://www.home-assistant.io/docs/configuration/secrets/">Secrets</link> + are encoded as strings as shown in the example. ''; }; diff --git a/nixpkgs/nixos/modules/services/misc/jellyfin.nix b/nixpkgs/nixos/modules/services/misc/jellyfin.nix index 55559206568d..6ecdfb57dc35 100644 --- a/nixpkgs/nixos/modules/services/misc/jellyfin.nix +++ b/nixpkgs/nixos/modules/services/misc/jellyfin.nix @@ -41,7 +41,10 @@ in }; users.users = mkIf (cfg.user == "jellyfin") { - jellyfin.group = cfg.group; + jellyfin = { + group = cfg.group; + isSystemUser = true; + }; }; users.groups = mkIf (cfg.group == "jellyfin") { diff --git a/nixpkgs/nixos/modules/services/misc/lidarr.nix b/nixpkgs/nixos/modules/services/misc/lidarr.nix index 40755c162171..8ff1adadcf23 100644 --- a/nixpkgs/nixos/modules/services/misc/lidarr.nix +++ b/nixpkgs/nixos/modules/services/misc/lidarr.nix @@ -10,6 +10,12 @@ in services.lidarr = { enable = mkEnableOption "Lidarr"; + dataDir = mkOption { + type = types.str; + default = "/var/lib/lidarr/.config/Lidarr"; + description = "The directory where Lidarr stores its data files."; + }; + package = mkOption { type = types.package; default = pkgs.lidarr; @@ -44,6 +50,10 @@ in }; config = mkIf cfg.enable { + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.lidarr = { description = "Lidarr"; after = [ "network.target" ]; @@ -53,11 +63,8 @@ in Type = "simple"; User = cfg.user; Group = cfg.group; - ExecStart = "${cfg.package}/bin/Lidarr"; + ExecStart = "${cfg.package}/bin/Lidarr -nobrowser -data='${cfg.dataDir}'"; Restart = "on-failure"; - - StateDirectory = "lidarr"; - StateDirectoryMode = "0770"; }; }; diff --git a/nixpkgs/nixos/modules/services/misc/mame.nix b/nixpkgs/nixos/modules/services/misc/mame.nix new file mode 100644 index 000000000000..c5d5e9e48371 --- /dev/null +++ b/nixpkgs/nixos/modules/services/misc/mame.nix @@ -0,0 +1,67 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.mame; + mame = "mame${lib.optionalString pkgs.stdenv.is64bit "64"}"; +in +{ + options = { + services.mame = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to setup TUN/TAP Ethernet interface for MAME emulator. + ''; + }; + user = mkOption { + type = types.str; + description = '' + User from which you run MAME binary. + ''; + }; + hostAddr = mkOption { + type = types.str; + description = '' + IP address of the host system. Usually an address of the main network + adapter or the adapter through which you get an internet connection. + ''; + example = "192.168.31.156"; + }; + emuAddr = mkOption { + type = types.str; + description = '' + IP address of the guest system. The same you set inside guest OS under + MAME. Should be on the same subnet as <option>services.mame.hostAddr</option>. + ''; + example = "192.168.31.155"; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.mame ]; + + security.wrappers."${mame}" = { + source = "${pkgs.mame}/bin/${mame}"; + capabilities = "cap_net_admin,cap_net_raw+eip"; + }; + + systemd.services.mame = { + description = "MAME TUN/TAP Ethernet interface"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.iproute ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = "${pkgs.mame}/bin/taputil.sh -c ${cfg.user} ${cfg.emuAddr} ${cfg.hostAddr} -"; + ExecStop = "${pkgs.mame}/bin/taputil.sh -d ${cfg.user}"; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ gnidorah ]; +} diff --git a/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix b/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix index 018fac386163..750f4a292fb4 100644 --- a/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix +++ b/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix @@ -79,7 +79,11 @@ turn_user_lifetime: "${cfg.turn_user_lifetime}" user_creation_max_duration: ${cfg.user_creation_max_duration} bcrypt_rounds: ${cfg.bcrypt_rounds} allow_guest_access: ${boolToString cfg.allow_guest_access} -trusted_third_party_id_servers: ${builtins.toJSON cfg.trusted_third_party_id_servers} + +account_threepid_delegates: + ${optionalString (cfg.account_threepid_delegates.email != null) "email: ${cfg.account_threepid_delegates.email}"} + ${optionalString (cfg.account_threepid_delegates.msisdn != null) "msisdn: ${cfg.account_threepid_delegates.msisdn}"} + room_invite_state_types: ${builtins.toJSON cfg.room_invite_state_types} ${optionalString (cfg.macaroon_secret_key != null) '' macaroon_secret_key: "${cfg.macaroon_secret_key}" @@ -102,6 +106,7 @@ perspectives: '') cfg.servers)} } } +redaction_retention_period: ${toString cfg.redaction_retention_period} app_service_config_files: ${builtins.toJSON cfg.app_service_config_files} ${cfg.extraConfig} @@ -402,6 +407,9 @@ in { "192.168.0.0/16" "100.64.0.0/10" "169.254.0.0/16" + "::1/128" + "fe80::/64" + "fc00::/7" ]; description = '' List of IP address CIDR ranges that the URL preview spider is denied @@ -552,14 +560,18 @@ in { accessible to anonymous users. ''; }; - trusted_third_party_id_servers = mkOption { - type = types.listOf types.str; - default = [ - "matrix.org" - "vector.im" - ]; + account_threepid_delegates.email = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Delegate email sending to https://example.org + ''; + }; + account_threepid_delegates.msisdn = mkOption { + type = types.nullOr types.str; + default = null; description = '' - The list of identity servers trusted to verify third party identifiers by this server. + Delegate SMS sending to this local process (https://localhost:8090) ''; }; room_invite_state_types = mkOption { @@ -600,6 +612,13 @@ in { A list of application service config file to use ''; }; + redaction_retention_period = mkOption { + type = types.int; + default = 7; + description = '' + How long to keep redacted events in unredacted form in the database. + ''; + }; extraConfig = mkOption { type = types.lines; default = ""; @@ -638,57 +657,42 @@ in { }; config = mkIf cfg.enable { - users.users = [ - { name = "matrix-synapse"; + users.users.matrix-synapse = { group = "matrix-synapse"; home = cfg.dataDir; createHome = true; shell = "${pkgs.bash}/bin/bash"; uid = config.ids.uids.matrix-synapse; - } ]; + }; - users.groups = [ - { name = "matrix-synapse"; - gid = config.ids.gids.matrix-synapse; - } ]; + users.groups.matrix-synapse = { + gid = config.ids.gids.matrix-synapse; + }; - services.postgresql.enable = mkIf usePostgresql (mkDefault true); + services.postgresql = mkIf (usePostgresql && cfg.create_local_database) { + enable = mkDefault true; + ensureDatabases = [ cfg.database_name ]; + ensureUsers = [{ + name = cfg.database_user; + ensurePermissions = { "DATABASE \"${cfg.database_name}\"" = "ALL PRIVILEGES"; }; + }]; + }; systemd.services.matrix-synapse = { description = "Synapse Matrix homeserver"; - after = [ "network.target" "postgresql.service" ]; + after = [ "network.target" ] ++ lib.optional config.services.postgresql.enable "postgresql.service" ; wantedBy = [ "multi-user.target" ]; preStart = '' ${cfg.package}/bin/homeserver \ --config-path ${configFile} \ --keys-directory ${cfg.dataDir} \ --generate-keys - '' + optionalString (usePostgresql && cfg.create_local_database) '' - if ! test -e "${cfg.dataDir}/db-created"; then - ${pkgs.sudo}/bin/sudo -u ${pg.superUser} \ - ${pg.package}/bin/createuser \ - --login \ - --no-createdb \ - --no-createrole \ - --encrypted \ - ${cfg.database_user} - ${pkgs.sudo}/bin/sudo -u ${pg.superUser} \ - ${pg.package}/bin/createdb \ - --owner=${cfg.database_user} \ - --encoding=UTF8 \ - --lc-collate=C \ - --lc-ctype=C \ - --template=template0 \ - ${cfg.database_name} - touch "${cfg.dataDir}/db-created" - fi ''; serviceConfig = { Type = "notify"; User = "matrix-synapse"; Group = "matrix-synapse"; WorkingDirectory = cfg.dataDir; - PermissionsStartOnly = true; ExecStart = '' ${cfg.package}/bin/homeserver \ ${ concatMapStringsSep "\n " (x: "--config-path ${x} \\") ([ configFile ] ++ cfg.extraConfigFiles) } @@ -699,4 +703,12 @@ in { }; }; }; + + imports = [ + (mkRemovedOptionModule [ "services" "matrix-synapse" "trusted_third_party_id_servers" ] '' + The `trusted_third_party_id_servers` option as been removed in `matrix-synapse` v1.4.0 + as the behavior is now obsolete. + '') + ]; + } diff --git a/nixpkgs/nixos/modules/services/misc/mediatomb.nix b/nixpkgs/nixos/modules/services/misc/mediatomb.nix index 107fb57fe1c4..529f584a201e 100644 --- a/nixpkgs/nixos/modules/services/misc/mediatomb.nix +++ b/nixpkgs/nixos/modules/services/misc/mediatomb.nix @@ -266,19 +266,19 @@ in { serviceConfig.User = "${cfg.user}"; }; - users.groups = optionalAttrs (cfg.group == "mediatomb") (singleton { - name = "mediatomb"; - gid = gid; - }); + users.groups = optionalAttrs (cfg.group == "mediatomb") { + mediatomb.gid = gid; + }; - users.users = optionalAttrs (cfg.user == "mediatomb") (singleton { - name = "mediatomb"; - isSystemUser = true; - group = cfg.group; - home = "${cfg.dataDir}"; - createHome = true; - description = "Mediatomb DLNA Server User"; - }); + users.users = optionalAttrs (cfg.user == "mediatomb") { + mediatomb = { + isSystemUser = true; + group = cfg.group; + home = "${cfg.dataDir}"; + createHome = true; + description = "Mediatomb DLNA Server User"; + }; + }; networking.firewall = { allowedUDPPorts = [ 1900 cfg.port ]; diff --git a/nixpkgs/nixos/modules/services/misc/nix-daemon.nix b/nixpkgs/nixos/modules/services/misc/nix-daemon.nix index 3826f728afd0..17c3582db0f6 100644 --- a/nixpkgs/nixos/modules/services/misc/nix-daemon.nix +++ b/nixpkgs/nixos/modules/services/misc/nix-daemon.nix @@ -10,10 +10,11 @@ let nixVersion = getVersion nix; - isNix20 = versionAtLeast nixVersion "2.0pre"; + isNix23 = versionAtLeast nixVersion "2.3pre"; - makeNixBuildUser = nr: - { name = "nixbld${toString nr}"; + makeNixBuildUser = nr: { + name = "nixbld${toString nr}"; + value = { description = "Nix build user ${toString nr}"; /* For consistency with the setgid(2), setuid(2), and setgroups(2) @@ -23,47 +24,35 @@ let group = "nixbld"; extraGroups = [ "nixbld" ]; }; + }; - nixbldUsers = map makeNixBuildUser (range 1 cfg.nrBuildUsers); + nixbldUsers = listToAttrs (map makeNixBuildUser (range 1 cfg.nrBuildUsers)); nixConf = - let - # In Nix < 2.0, If we're using sandbox for builds, then provide - # /bin/sh in the sandbox as a bind-mount to bash. This means we - # also need to include the entire closure of bash. Nix >= 2.0 - # provides a /bin/sh by default. - sh = pkgs.runtimeShell; - binshDeps = pkgs.writeReferencesToFile sh; - in - pkgs.runCommand "nix.conf" { preferLocalBuild = true; extraOptions = cfg.extraOptions; } ('' - ${optionalString (!isNix20) '' - extraPaths=$(for i in $(cat ${binshDeps}); do if test -d $i; then echo $i; fi; done) - ''} + assert versionAtLeast nixVersion "2.2"; + pkgs.runCommand "nix.conf" { preferLocalBuild = true; extraOptions = cfg.extraOptions; } ( + '' cat > $out <<END # WARNING: this file is generated from the nix.* options in # your NixOS configuration, typically # /etc/nixos/configuration.nix. Do not edit it! build-users-group = nixbld - ${if isNix20 then "max-jobs" else "build-max-jobs"} = ${toString (cfg.maxJobs)} - ${if isNix20 then "cores" else "build-cores"} = ${toString (cfg.buildCores)} - ${if isNix20 then "sandbox" else "build-use-sandbox"} = ${if (builtins.isBool cfg.useSandbox) then boolToString cfg.useSandbox else cfg.useSandbox} - ${if isNix20 then "extra-sandbox-paths" else "build-sandbox-paths"} = ${toString cfg.sandboxPaths} ${optionalString (!isNix20) "/bin/sh=${sh} $(echo $extraPaths)"} - ${if isNix20 then "substituters" else "binary-caches"} = ${toString cfg.binaryCaches} - ${if isNix20 then "trusted-substituters" else "trusted-binary-caches"} = ${toString cfg.trustedBinaryCaches} - ${if isNix20 then "trusted-public-keys" else "binary-cache-public-keys"} = ${toString cfg.binaryCachePublicKeys} + max-jobs = ${toString (cfg.maxJobs)} + cores = ${toString (cfg.buildCores)} + sandbox = ${if (builtins.isBool cfg.useSandbox) then boolToString cfg.useSandbox else cfg.useSandbox} + extra-sandbox-paths = ${toString cfg.sandboxPaths} + substituters = ${toString cfg.binaryCaches} + trusted-substituters = ${toString cfg.trustedBinaryCaches} + trusted-public-keys = ${toString cfg.binaryCachePublicKeys} auto-optimise-store = ${boolToString cfg.autoOptimiseStore} - ${if isNix20 then '' - require-sigs = ${if cfg.requireSignedBinaryCaches then "true" else "false"} - '' else '' - signed-binary-caches = ${if cfg.requireSignedBinaryCaches then "*" else ""} - ''} + require-sigs = ${if cfg.requireSignedBinaryCaches then "true" else "false"} trusted-users = ${toString cfg.trustedUsers} allowed-users = ${toString cfg.allowedUsers} - ${optionalString (isNix20 && !cfg.distributedBuilds) '' + ${optionalString (!cfg.distributedBuilds) '' builders = ''} system-features = ${toString cfg.systemFeatures} - ${optionalString (versionAtLeast nixVersion "2.3pre") '' + ${optionalString isNix23 '' sandbox-fallback = false ''} $extraOptions @@ -74,13 +63,17 @@ let '' else '' echo "Checking that Nix can read nix.conf..." ln -s $out ./nix.conf - NIX_CONF_DIR=$PWD ${cfg.package}/bin/nix show-config >/dev/null + NIX_CONF_DIR=$PWD ${cfg.package}/bin/nix show-config ${optionalString isNix23 "--no-net --option experimental-features nix-command"} >/dev/null '') ); in { + imports = [ + (mkRenamedOptionModule [ "nix" "useChroot" ] [ "nix" "useSandbox" ]) + (mkRenamedOptionModule [ "nix" "chrootDirs" ] [ "nix" "sandboxPaths" ]) + ]; ###### interface @@ -165,8 +158,8 @@ in type = types.lines; default = ""; example = '' - gc-keep-outputs = true - gc-keep-derivations = true + keep-outputs = true + keep-derivations = true ''; description = "Additional text appended to <filename>nix.conf</filename>."; }; @@ -421,8 +414,7 @@ in systemd.services.nix-daemon = { path = [ nix pkgs.utillinux config.programs.ssh.package ] - ++ optionals cfg.distributedBuilds [ pkgs.gzip ] - ++ optionals (!isNix20) [ pkgs.openssl.bin ]; + ++ optionals cfg.distributedBuilds [ pkgs.gzip ]; environment = cfg.envVars // { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; } @@ -439,34 +431,13 @@ in restartTriggers = [ nixConf ]; }; - nix.envVars = - optionalAttrs (!isNix20) { - NIX_CONF_DIR = "/etc/nix"; - - # Enable the copy-from-other-stores substituter, which allows - # builds to be sped up by copying build results from remote - # Nix stores. To do this, mount the remote file system on a - # subdirectory of /run/nix/remote-stores. - NIX_OTHER_STORES = "/run/nix/remote-stores/*/nix"; - } - - // optionalAttrs (cfg.distributedBuilds && !isNix20) { - NIX_BUILD_HOOK = "${nix}/libexec/nix/build-remote.pl"; - }; - # Set up the environment variables for running Nix. environment.sessionVariables = cfg.envVars // { NIX_PATH = cfg.nixPath; }; - environment.extraInit = optionalString (!isNix20) + environment.extraInit = '' - # Set up secure multi-user builds: non-root users build through the - # Nix daemon. - if [ "$USER" != root -o ! -w /nix/var/nix/db ]; then - export NIX_REMOTE=daemon - fi - '' + '' if [ -e "$HOME/.nix-defexpr/channels" ]; then export NIX_PATH="$HOME/.nix-defexpr/channels''${NIX_PATH:+:$NIX_PATH}" fi @@ -476,23 +447,17 @@ in users.users = nixbldUsers; - services.xserver.displayManager.hiddenUsers = map ({ name, ... }: name) nixbldUsers; + services.xserver.displayManager.hiddenUsers = attrNames nixbldUsers; - # FIXME: use systemd-tmpfiles to create Nix directories. system.activationScripts.nix = stringAfter [ "etc" "users" ] '' - # Nix initialisation. - install -m 0755 -d \ - /nix/var/nix/gcroots \ - /nix/var/nix/temproots \ - /nix/var/nix/userpool \ - /nix/var/nix/profiles \ - /nix/var/nix/db \ - /nix/var/log/nix/drvs - install -m 1777 -d \ - /nix/var/nix/gcroots/per-user \ - /nix/var/nix/profiles/per-user \ - /nix/var/nix/gcroots/tmp + # Create directories in /nix. + ${nix}/bin/nix ping-store --no-net + + # Subscribe the root user to the NixOS channel by default. + if [ ! -e "/root/.nix-channels" ]; then + echo "${config.system.defaultChannel} nixos" > "/root/.nix-channels" + fi ''; nix.systemFeatures = mkDefault ( diff --git a/nixpkgs/nixos/modules/services/misc/nix-optimise.nix b/nixpkgs/nixos/modules/services/misc/nix-optimise.nix index 416529f690e0..e02026d5f76c 100644 --- a/nixpkgs/nixos/modules/services/misc/nix-optimise.nix +++ b/nixpkgs/nixos/modules/services/misc/nix-optimise.nix @@ -40,8 +40,8 @@ in systemd.services.nix-optimise = { description = "Nix Store Optimiser"; - # No point running it inside a nixos-container. It should be on the host instead. - unitConfig.ConditionVirtualization = "!container"; + # No point this if the nix daemon (and thus the nix store) is outside + unitConfig.ConditionPathIsReadWrite = "/nix/var/nix/daemon-socket"; serviceConfig.ExecStart = "${config.nix.package}/bin/nix-store --optimise"; startAt = optionals cfg.automatic cfg.dates; }; diff --git a/nixpkgs/nixos/modules/services/misc/nixos-manual.nix b/nixpkgs/nixos/modules/services/misc/nixos-manual.nix index 20ba3d8ef0bc..ab73f49d4be5 100644 --- a/nixpkgs/nixos/modules/services/misc/nixos-manual.nix +++ b/nixpkgs/nixos/modules/services/misc/nixos-manual.nix @@ -52,7 +52,7 @@ in }; }) (mkIf (cfg.showManual && cfgd.enable && cfgd.nixos.enable) { - boot.extraTTYs = [ "tty${toString cfg.ttyNumber}" ]; + console.extraTTYs = [ "tty${toString cfg.ttyNumber}" ]; systemd.services.nixos-manual = { description = "NixOS Manual"; diff --git a/nixpkgs/nixos/modules/services/misc/nzbget.nix b/nixpkgs/nixos/modules/services/misc/nzbget.nix index eb7b4c05d82d..715ec891cd68 100644 --- a/nixpkgs/nixos/modules/services/misc/nzbget.nix +++ b/nixpkgs/nixos/modules/services/misc/nzbget.nix @@ -27,6 +27,12 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "misc" "nzbget" "configFile" ] "The configuration of nzbget is now managed by users through the web interface.") + (mkRemovedOptionModule [ "services" "misc" "nzbget" "dataDir" ] "The data directory for nzbget is now /var/lib/nzbget.") + (mkRemovedOptionModule [ "services" "misc" "nzbget" "openFirewall" ] "The port used by nzbget is managed through the web interface so you should adjust your firewall rules accordingly.") + ]; + # interface options = { diff --git a/nixpkgs/nixos/modules/services/misc/octoprint.nix b/nixpkgs/nixos/modules/services/misc/octoprint.nix index 8950010773cf..651ed3743884 100644 --- a/nixpkgs/nixos/modules/services/misc/octoprint.nix +++ b/nixpkgs/nixos/modules/services/misc/octoprint.nix @@ -86,16 +86,16 @@ in config = mkIf cfg.enable { - users.users = optionalAttrs (cfg.user == "octoprint") (singleton - { name = "octoprint"; + users.users = optionalAttrs (cfg.user == "octoprint") { + octoprint = { group = cfg.group; uid = config.ids.uids.octoprint; - }); + }; + }; - users.groups = optionalAttrs (cfg.group == "octoprint") (singleton - { name = "octoprint"; - gid = config.ids.gids.octoprint; - }); + users.groups = optionalAttrs (cfg.group == "octoprint") { + octoprint.gid = config.ids.gids.octoprint; + }; systemd.tmpfiles.rules = [ "d '${cfg.stateDir}' - ${cfg.user} ${cfg.group} - -" diff --git a/nixpkgs/nixos/modules/services/misc/osrm.nix b/nixpkgs/nixos/modules/services/misc/osrm.nix index f89f37ccd9df..79c347ab7e0e 100644 --- a/nixpkgs/nixos/modules/services/misc/osrm.nix +++ b/nixpkgs/nixos/modules/services/misc/osrm.nix @@ -59,6 +59,7 @@ in group = config.users.users.osrm.name; description = "OSRM user"; createHome = false; + isSystemUser = true; }; users.groups.osrm = { }; diff --git a/nixpkgs/nixos/modules/services/misc/parsoid.nix b/nixpkgs/nixos/modules/services/misc/parsoid.nix index c757093e5c1b..61626e78f8b3 100644 --- a/nixpkgs/nixos/modules/services/misc/parsoid.nix +++ b/nixpkgs/nixos/modules/services/misc/parsoid.nix @@ -26,6 +26,10 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "parsoid" "interwikis" ] "Use services.parsoid.wikis instead") + ]; + ##### interface options = { diff --git a/nixpkgs/nixos/modules/services/misc/pykms.nix b/nixpkgs/nixos/modules/services/misc/pykms.nix index e2d1254602b0..25aa27ae7673 100644 --- a/nixpkgs/nixos/modules/services/misc/pykms.nix +++ b/nixpkgs/nixos/modules/services/misc/pykms.nix @@ -9,6 +9,10 @@ let in { meta.maintainers = with lib.maintainers; [ peterhoeg ]; + imports = [ + (mkRemovedOptionModule [ "services" "pykms" "verbose" ] "Use services.pykms.logLevel instead") + ]; + options = { services.pykms = { enable = mkOption { diff --git a/nixpkgs/nixos/modules/services/misc/redmine.nix b/nixpkgs/nixos/modules/services/misc/redmine.nix index 24b9e27ac2da..3b8c14d196f8 100644 --- a/nixpkgs/nixos/modules/services/misc/redmine.nix +++ b/nixpkgs/nixos/modules/services/misc/redmine.nix @@ -62,20 +62,11 @@ in services.redmine = { enable = mkEnableOption "Redmine"; - # default to the 4.x series not forcing major version upgrade of those on the 3.x series package = mkOption { type = types.package; - default = if versionAtLeast config.system.stateVersion "19.03" - then pkgs.redmine_4 - else pkgs.redmine - ; - defaultText = "pkgs.redmine"; - description = '' - Which Redmine package to use. This defaults to version 3.x if - <literal>system.stateVersion < 19.03</literal> and version 4.x - otherwise. - ''; - example = "pkgs.redmine_4.override { ruby = pkgs.ruby_2_4; }"; + default = pkgs.redmine; + description = "Which Redmine package to use."; + example = "pkgs.redmine.override { ruby = pkgs.ruby_2_7; }"; }; user = mkOption { @@ -376,17 +367,17 @@ in }; - users.users = optionalAttrs (cfg.user == "redmine") (singleton - { name = "redmine"; + users.users = optionalAttrs (cfg.user == "redmine") { + redmine = { group = cfg.group; home = cfg.stateDir; uid = config.ids.uids.redmine; - }); + }; + }; - users.groups = optionalAttrs (cfg.group == "redmine") (singleton - { name = "redmine"; - gid = config.ids.gids.redmine; - }); + users.groups = optionalAttrs (cfg.group == "redmine") { + redmine.gid = config.ids.gids.redmine; + }; warnings = optional (cfg.database.password != "") ''config.services.redmine.database.password will be stored as plaintext diff --git a/nixpkgs/nixos/modules/services/misc/ripple-data-api.nix b/nixpkgs/nixos/modules/services/misc/ripple-data-api.nix index 042b496d35ee..9fab462f7e3b 100644 --- a/nixpkgs/nixos/modules/services/misc/ripple-data-api.nix +++ b/nixpkgs/nixos/modules/services/misc/ripple-data-api.nix @@ -185,9 +185,8 @@ in { ]; }; - users.users = singleton - { name = "ripple-data-api"; - description = "Ripple data api user"; + users.users.ripple-data-api = + { description = "Ripple data api user"; uid = config.ids.uids.ripple-data-api; }; }; diff --git a/nixpkgs/nixos/modules/services/misc/rippled.nix b/nixpkgs/nixos/modules/services/misc/rippled.nix index cdf61730de33..ef34e3a779f0 100644 --- a/nixpkgs/nixos/modules/services/misc/rippled.nix +++ b/nixpkgs/nixos/modules/services/misc/rippled.nix @@ -406,9 +406,8 @@ in config = mkIf cfg.enable { - users.users = singleton - { name = "rippled"; - description = "Ripple server user"; + users.users.rippled = + { description = "Ripple server user"; uid = config.ids.uids.rippled; home = cfg.databasePath; createHome = true; diff --git a/nixpkgs/nixos/modules/services/misc/rogue.nix b/nixpkgs/nixos/modules/services/misc/rogue.nix index aae02e384c97..d56d103b5f34 100644 --- a/nixpkgs/nixos/modules/services/misc/rogue.nix +++ b/nixpkgs/nixos/modules/services/misc/rogue.nix @@ -40,7 +40,7 @@ in config = mkIf cfg.enable { - boot.extraTTYs = [ cfg.tty ]; + console.extraTTYs = [ cfg.tty ]; systemd.services.rogue = { description = "Rogue dungeon crawling game"; diff --git a/nixpkgs/nixos/modules/services/misc/serviio.nix b/nixpkgs/nixos/modules/services/misc/serviio.nix index 9868192724b5..0ead6a816918 100644 --- a/nixpkgs/nixos/modules/services/misc/serviio.nix +++ b/nixpkgs/nixos/modules/services/misc/serviio.nix @@ -63,20 +63,15 @@ in { }; }; - users.users = [ - { - name = "serviio"; - group = "serviio"; + users.users.serviio = + { group = "serviio"; home = cfg.dataDir; description = "Serviio Media Server User"; createHome = true; isSystemUser = true; - } - ]; + }; - users.groups = [ - { name = "serviio";} - ]; + users.groups.serviio = { }; networking.firewall = { allowedTCPPorts = [ diff --git a/nixpkgs/nixos/modules/services/misc/sickbeard.nix b/nixpkgs/nixos/modules/services/misc/sickbeard.nix index 5cfbbe516ae1..a32dbfa3108f 100644 --- a/nixpkgs/nixos/modules/services/misc/sickbeard.nix +++ b/nixpkgs/nixos/modules/services/misc/sickbeard.nix @@ -63,19 +63,19 @@ in config = mkIf cfg.enable { - users.users = optionalAttrs (cfg.user == name) (singleton { - name = name; - uid = config.ids.uids.sickbeard; - group = cfg.group; - description = "sickbeard user"; - home = cfg.dataDir; - createHome = true; - }); + users.users = optionalAttrs (cfg.user == name) { + ${name} = { + uid = config.ids.uids.sickbeard; + group = cfg.group; + description = "sickbeard user"; + home = cfg.dataDir; + createHome = true; + }; + }; - users.groups = optionalAttrs (cfg.group == name) (singleton { - name = name; - gid = config.ids.gids.sickbeard; - }); + users.groups = optionalAttrs (cfg.group == name) { + ${name}.gid = config.ids.gids.sickbeard; + }; systemd.services.sickbeard = { description = "Sickbeard Server"; diff --git a/nixpkgs/nixos/modules/services/misc/siproxd.nix b/nixpkgs/nixos/modules/services/misc/siproxd.nix index dcaf73aca448..ae7b27de8e70 100644 --- a/nixpkgs/nixos/modules/services/misc/siproxd.nix +++ b/nixpkgs/nixos/modules/services/misc/siproxd.nix @@ -161,8 +161,7 @@ in config = mkIf cfg.enable { - users.users = singleton { - name = "siproxyd"; + users.users.siproxyd = { uid = config.ids.uids.siproxd; }; diff --git a/nixpkgs/nixos/modules/services/misc/taskserver/default.nix b/nixpkgs/nixos/modules/services/misc/taskserver/default.nix index 8a57277fafe7..a894caed1a34 100644 --- a/nixpkgs/nixos/modules/services/misc/taskserver/default.nix +++ b/nixpkgs/nixos/modules/services/misc/taskserver/default.nix @@ -368,16 +368,16 @@ in { (mkIf cfg.enable { environment.systemPackages = [ nixos-taskserver ]; - users.users = optional (cfg.user == "taskd") { - name = "taskd"; - uid = config.ids.uids.taskd; - description = "Taskserver user"; - group = cfg.group; + users.users = optionalAttrs (cfg.user == "taskd") { + taskd = { + uid = config.ids.uids.taskd; + description = "Taskserver user"; + group = cfg.group; + }; }; - users.groups = optional (cfg.group == "taskd") { - name = "taskd"; - gid = config.ids.gids.taskd; + users.groups = optionalAttrs (cfg.group == "taskd") { + taskd.gid = config.ids.gids.taskd; }; services.taskserver.config = { diff --git a/nixpkgs/nixos/modules/services/misc/tautulli.nix b/nixpkgs/nixos/modules/services/misc/tautulli.nix index 50e450366478..aded33629f1c 100644 --- a/nixpkgs/nixos/modules/services/misc/tautulli.nix +++ b/nixpkgs/nixos/modules/services/misc/tautulli.nix @@ -6,6 +6,10 @@ let cfg = config.services.tautulli; in { + imports = [ + (mkRenamedOptionModule [ "services" "plexpy" ] [ "services" "tautulli" ]) + ]; + options = { services.tautulli = { enable = mkEnableOption "Tautulli Plex Monitor"; diff --git a/nixpkgs/nixos/modules/services/misc/uhub.nix b/nixpkgs/nixos/modules/services/misc/uhub.nix index 753580c3e404..d1b388310280 100644 --- a/nixpkgs/nixos/modules/services/misc/uhub.nix +++ b/nixpkgs/nixos/modules/services/misc/uhub.nix @@ -41,31 +41,31 @@ in enable = mkOption { type = types.bool; default = false; - description = "Whether to enable the uhub ADC hub."; + description = "Whether to enable the uhub ADC hub."; }; port = mkOption { type = types.int; default = 1511; - description = "TCP port to bind the hub to."; + description = "TCP port to bind the hub to."; }; address = mkOption { type = types.str; default = "any"; - description = "Address to bind the hub to."; + description = "Address to bind the hub to."; }; enableTLS = mkOption { type = types.bool; default = false; - description = "Whether to enable TLS support."; + description = "Whether to enable TLS support."; }; hubConfig = mkOption { type = types.lines; default = ""; - description = "Contents of uhub configuration file."; + description = "Contents of uhub configuration file."; }; aclConfig = mkOption { @@ -77,11 +77,11 @@ in plugins = { authSqlite = { - enable = mkOption { + enable = mkOption { type = types.bool; default = false; description = "Whether to enable the Sqlite authentication database plugin"; - }; + }; file = mkOption { type = types.path; example = "/var/db/uhub-users"; @@ -161,14 +161,8 @@ in config = mkIf cfg.enable { users = { - users = singleton { - name = "uhub"; - uid = config.ids.uids.uhub; - }; - groups = singleton { - name = "uhub"; - gid = config.ids.gids.uhub; - }; + users.uhub.uid = config.ids.uids.uhub; + groups.uhub.gid = config.ids.gids.uhub; }; systemd.services.uhub = { diff --git a/nixpkgs/nixos/modules/services/misc/zoneminder.nix b/nixpkgs/nixos/modules/services/misc/zoneminder.nix index 3bff04e7127d..d7f7324580c0 100644 --- a/nixpkgs/nixos/modules/services/misc/zoneminder.nix +++ b/nixpkgs/nixos/modules/services/misc/zoneminder.nix @@ -265,7 +265,7 @@ in { } location /cache/ { - alias /var/cache/${dirName}; + alias /var/cache/${dirName}/; } location ~ \.php$ { diff --git a/nixpkgs/nixos/modules/services/misc/zookeeper.nix b/nixpkgs/nixos/modules/services/misc/zookeeper.nix index 5d91e44a199d..f6af7c75ebae 100644 --- a/nixpkgs/nixos/modules/services/misc/zookeeper.nix +++ b/nixpkgs/nixos/modules/services/misc/zookeeper.nix @@ -146,8 +146,7 @@ in { ''; }; - users.users = singleton { - name = "zookeeper"; + users.users.zookeeper = { uid = config.ids.uids.zookeeper; description = "Zookeeper daemon user"; home = cfg.dataDir; diff --git a/nixpkgs/nixos/modules/services/monitoring/collectd.nix b/nixpkgs/nixos/modules/services/monitoring/collectd.nix index 6a4c678eb21f..ef3663c62e04 100644 --- a/nixpkgs/nixos/modules/services/monitoring/collectd.nix +++ b/nixpkgs/nixos/modules/services/monitoring/collectd.nix @@ -16,13 +16,29 @@ let NotifyLevel "OKAY" </Plugin> + ${concatStrings (mapAttrsToList (plugin: pluginConfig: '' + LoadPlugin ${plugin} + <Plugin "${plugin}"> + ${pluginConfig} + </Plugin> + '') cfg.plugins)} + ${concatMapStrings (f: '' - Include "${f}" + Include "${f}" '') cfg.include} ${cfg.extraConfig} ''; + package = + if cfg.buildMinimalPackage + then minimalPackage + else cfg.package; + + minimalPackage = cfg.package.override { + enabledPlugins = [ "syslog" ] ++ builtins.attrNames cfg.plugins; + }; + in { options.services.collectd = with types; { enable = mkEnableOption "collectd agent"; @@ -33,7 +49,15 @@ in { description = '' Which collectd package to use. ''; - type = package; + type = types.package; + }; + + buildMinimalPackage = mkOption { + default = false; + description = '' + Build a minimal collectd package with only the configured `services.collectd.plugins` + ''; + type = types.bool; }; user = mkOption { @@ -68,6 +92,15 @@ in { type = listOf str; }; + plugins = mkOption { + default = {}; + example = { cpu = ""; memory = ""; network = "Server 192.168.1.1 25826"; }; + description = '' + Attribute set of plugin names to plugin config segments + ''; + type = types.attrsOf types.str; + }; + extraConfig = mkOption { default = ""; description = '' @@ -89,15 +122,17 @@ in { wantedBy = [ "multi-user.target" ]; serviceConfig = { - ExecStart = "${cfg.package}/sbin/collectd -C ${conf} -f"; + ExecStart = "${package}/sbin/collectd -C ${conf} -f"; User = cfg.user; Restart = "on-failure"; RestartSec = 3; }; }; - users.users = optional (cfg.user == "collectd") { - name = "collectd"; + users.users = optionalAttrs (cfg.user == "collectd") { + collectd = { + isSystemUser = true; + }; }; }; } diff --git a/nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix b/nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix index 02a9f316fc32..2c5fe47242e7 100644 --- a/nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix +++ b/nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix @@ -22,9 +22,9 @@ let # Generate Datadog configuration files for each configured checks. # This works because check configurations have predictable paths, # and because JSON is a valid subset of YAML. - makeCheckConfigs = entries: mapAttrsToList (name: conf: { - source = pkgs.writeText "${name}-check-conf.yaml" (builtins.toJSON conf); - target = "datadog-agent/conf.d/${name}.d/conf.yaml"; + makeCheckConfigs = entries: mapAttrs' (name: conf: { + name = "datadog-agent/conf.d/${name}.d/conf.yaml"; + value.source = pkgs.writeText "${name}-check-conf.yaml" (builtins.toJSON conf); }) entries; defaultChecks = { @@ -34,10 +34,11 @@ let # Assemble all check configurations and the top-level agent # configuration. - etcfiles = with pkgs; with builtins; [{ - source = writeText "datadog.yaml" (toJSON ddConf); - target = "datadog-agent/datadog.yaml"; - }] ++ makeCheckConfigs (cfg.checks // defaultChecks); + etcfiles = with pkgs; with builtins; + { "datadog-agent/datadog.yaml" = { + source = writeText "datadog.yaml" (toJSON ddConf); + }; + } // makeCheckConfigs (cfg.checks // defaultChecks); # Apply the configured extraIntegrations to the provided agent # package. See the documentation of `dd-agent/integrations-core.nix` @@ -204,7 +205,7 @@ in { config = mkIf cfg.enable { environment.systemPackages = [ datadogPkg pkgs.sysstat pkgs.procps pkgs.iproute ]; - users.extraUsers.datadog = { + users.users.datadog = { description = "Datadog Agent User"; uid = config.ids.uids.datadog; group = "datadog"; @@ -212,7 +213,7 @@ in { createHome = true; }; - users.extraGroups.datadog.gid = config.ids.gids.datadog; + users.groups.datadog.gid = config.ids.gids.datadog; systemd.services = let makeService = attrs: recursiveUpdate { @@ -224,7 +225,7 @@ in { Restart = "always"; RestartSec = 2; }; - restartTriggers = [ datadogPkg ] ++ map (etc: etc.source) etcfiles; + restartTriggers = [ datadogPkg ] ++ attrNames etcfiles; } attrs; in { datadog-agent = makeService { diff --git a/nixpkgs/nixos/modules/services/monitoring/dd-agent/dd-agent.nix b/nixpkgs/nixos/modules/services/monitoring/dd-agent/dd-agent.nix index 5ee6b092a6a4..e91717fb2054 100644 --- a/nixpkgs/nixos/modules/services/monitoring/dd-agent/dd-agent.nix +++ b/nixpkgs/nixos/modules/services/monitoring/dd-agent/dd-agent.nix @@ -78,37 +78,35 @@ let etcfiles = let defaultConfd = import ./dd-agent-defaults.nix; - in (map (f: { source = "${pkgs.dd-agent}/agent/conf.d-system/${f}"; - target = "dd-agent/conf.d/${f}"; - }) defaultConfd) ++ [ - { source = ddConf; - target = "dd-agent/datadog.conf"; - } - { source = diskConfig; - target = "dd-agent/conf.d/disk.yaml"; - } - { source = networkConfig; - target = "dd-agent/conf.d/network.yaml"; - } ] ++ - (optional (cfg.postgresqlConfig != null) - { source = postgresqlConfig; - target = "dd-agent/conf.d/postgres.yaml"; - }) ++ - (optional (cfg.nginxConfig != null) - { source = nginxConfig; - target = "dd-agent/conf.d/nginx.yaml"; - }) ++ - (optional (cfg.mongoConfig != null) - { source = mongoConfig; - target = "dd-agent/conf.d/mongo.yaml"; - }) ++ - (optional (cfg.processConfig != null) - { source = processConfig; - target = "dd-agent/conf.d/process.yaml"; - }) ++ - (optional (cfg.jmxConfig != null) - { source = jmxConfig; - target = "dd-agent/conf.d/jmx.yaml"; + in + listToAttrs (map (f: { + name = "dd-agent/conf.d/${f}"; + value.source = "${pkgs.dd-agent}/agent/conf.d-system/${f}"; + }) defaultConfd) // + { + "dd-agent/datadog.conf".source = ddConf; + "dd-agent/conf.d/disk.yaml".source = diskConfig; + "dd-agent/conf.d/network.yaml".source = networkConfig; + } // + (optionalAttrs (cfg.postgresqlConfig != null) + { + "dd-agent/conf.d/postgres.yaml".source = postgresqlConfig; + }) // + (optionalAttrs (cfg.nginxConfig != null) + { + "dd-agent/conf.d/nginx.yaml".source = nginxConfig; + }) // + (optionalAttrs (cfg.mongoConfig != null) + { + "dd-agent/conf.d/mongo.yaml".source = mongoConfig; + }) // + (optionalAttrs (cfg.processConfig != null) + { + "dd-agent/conf.d/process.yaml".source = processConfig; + }) // + (optionalAttrs (cfg.jmxConfig != null) + { + "dd-agent/conf.d/jmx.yaml".source = jmxConfig; }); in { diff --git a/nixpkgs/nixos/modules/services/monitoring/do-agent.nix b/nixpkgs/nixos/modules/services/monitoring/do-agent.nix new file mode 100644 index 000000000000..2d3fe2f79768 --- /dev/null +++ b/nixpkgs/nixos/modules/services/monitoring/do-agent.nix @@ -0,0 +1,34 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.do-agent; +in +{ + options.services.do-agent = { + enable = mkEnableOption "do-agent, the DigitalOcean droplet metrics agent"; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.do-agent ]; + + systemd.services.do-agent = { + description = "DigitalOcean Droplet Metrics Agent"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + serviceConfig = { + ExecStart = "${pkgs.do-agent}/bin/do-agent --syslog"; + Restart = "always"; + OOMScoreAdjust = -900; + SyslogIdentifier = "DigitalOceanAgent"; + PrivateTmp = "yes"; + ProtectSystem = "full"; + ProtectHome = "yes"; + NoNewPrivileges = "yes"; + DynamicUser = "yes"; + }; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/monitoring/fusion-inventory.nix b/nixpkgs/nixos/modules/services/monitoring/fusion-inventory.nix index b90579bb70c7..9b65c76ce02e 100644 --- a/nixpkgs/nixos/modules/services/monitoring/fusion-inventory.nix +++ b/nixpkgs/nixos/modules/services/monitoring/fusion-inventory.nix @@ -46,9 +46,9 @@ in { config = mkIf cfg.enable { - users.users = singleton { - name = "fusion-inventory"; + users.users.fusion-inventory = { description = "FusionInventory user"; + isSystemUser = true; }; systemd.services.fusion-inventory = { diff --git a/nixpkgs/nixos/modules/services/monitoring/grafana.nix b/nixpkgs/nixos/modules/services/monitoring/grafana.nix index bf1084eecc3a..0f8bc2471e33 100644 --- a/nixpkgs/nixos/modules/services/monitoring/grafana.nix +++ b/nixpkgs/nixos/modules/services/monitoring/grafana.nix @@ -43,7 +43,7 @@ let ANALYTICS_REPORTING_ENABLED = boolToString cfg.analytics.reporting.enable; - SMTP_ENABLE = boolToString cfg.smtp.enable; + SMTP_ENABLED = boolToString cfg.smtp.enable; SMTP_HOST = cfg.smtp.host; SMTP_USER = cfg.smtp.user; SMTP_PASSWORD = cfg.smtp.password; diff --git a/nixpkgs/nixos/modules/services/monitoring/graphite.nix b/nixpkgs/nixos/modules/services/monitoring/graphite.nix index f7874af3df29..dd147bb37930 100644 --- a/nixpkgs/nixos/modules/services/monitoring/graphite.nix +++ b/nixpkgs/nixos/modules/services/monitoring/graphite.nix @@ -632,8 +632,7 @@ in { cfg.web.enable || cfg.api.enable || cfg.seyren.enable || cfg.pager.enable || cfg.beacon.enable ) { - users.users = singleton { - name = "graphite"; + users.users.graphite = { uid = config.ids.uids.graphite; description = "Graphite daemon user"; home = dataDir; diff --git a/nixpkgs/nixos/modules/services/monitoring/heapster.nix b/nixpkgs/nixos/modules/services/monitoring/heapster.nix index 6da0831b4c5f..585632943fdc 100644 --- a/nixpkgs/nixos/modules/services/monitoring/heapster.nix +++ b/nixpkgs/nixos/modules/services/monitoring/heapster.nix @@ -49,8 +49,7 @@ in { }; }; - users.users = singleton { - name = "heapster"; + users.users.heapsterrs = { uid = config.ids.uids.heapster; description = "Heapster user"; }; diff --git a/nixpkgs/nixos/modules/services/monitoring/munin.nix b/nixpkgs/nixos/modules/services/monitoring/munin.nix index 8af0650c7380..1ebf7ee6a761 100644 --- a/nixpkgs/nixos/modules/services/monitoring/munin.nix +++ b/nixpkgs/nixos/modules/services/monitoring/munin.nix @@ -317,18 +317,16 @@ in environment.systemPackages = [ pkgs.munin ]; - users.users = [{ - name = "munin"; + users.users.munin = { description = "Munin monitoring user"; group = "munin"; uid = config.ids.uids.munin; home = "/var/lib/munin"; - }]; + }; - users.groups = [{ - name = "munin"; + users.groups.munin = { gid = config.ids.gids.munin; - }]; + }; }) (mkIf nodeCfg.enable { diff --git a/nixpkgs/nixos/modules/services/monitoring/nagios.nix b/nixpkgs/nixos/modules/services/monitoring/nagios.nix index 6a3b97769462..3ca79dddaf57 100644 --- a/nixpkgs/nixos/modules/services/monitoring/nagios.nix +++ b/nixpkgs/nixos/modules/services/monitoring/nagios.nix @@ -8,6 +8,7 @@ let nagiosState = "/var/lib/nagios"; nagiosLogDir = "/var/log/nagios"; + urlPath = "/nagios"; nagiosObjectDefs = cfg.objectDefs; @@ -16,32 +17,39 @@ let preferLocalBuild = true; } "mkdir -p $out; ln -s $nagiosObjectDefs $out/"; - nagiosCfgFile = pkgs.writeText "nagios.cfg" - '' - # Paths for state and logs. - log_file=${nagiosLogDir}/current - log_archive_path=${nagiosLogDir}/archive - status_file=${nagiosState}/status.dat - object_cache_file=${nagiosState}/objects.cache - temp_file=${nagiosState}/nagios.tmp - lock_file=/run/nagios.lock # Not used I think. - state_retention_file=${nagiosState}/retention.dat - query_socket=${nagiosState}/nagios.qh - check_result_path=${nagiosState} - command_file=${nagiosState}/nagios.cmd - - # Configuration files. - #resource_file=resource.cfg - cfg_dir=${nagiosObjectDefsDir} - - # Uid/gid that the daemon runs under. - nagios_user=nagios - nagios_group=nagios - - # Misc. options. - illegal_macro_output_chars=`~$&|'"<> - retain_state_information=1 - ''; # " + nagiosCfgFile = let + default = { + log_file="${nagiosLogDir}/current"; + log_archive_path="${nagiosLogDir}/archive"; + status_file="${nagiosState}/status.dat"; + object_cache_file="${nagiosState}/objects.cache"; + temp_file="${nagiosState}/nagios.tmp"; + lock_file="/run/nagios.lock"; + state_retention_file="${nagiosState}/retention.dat"; + query_socket="${nagiosState}/nagios.qh"; + check_result_path="${nagiosState}"; + command_file="${nagiosState}/nagios.cmd"; + cfg_dir="${nagiosObjectDefsDir}"; + nagios_user="nagios"; + nagios_group="nagios"; + illegal_macro_output_chars="`~$&|'\"<>"; + retain_state_information="1"; + }; + lines = mapAttrsToList (key: value: "${key}=${value}") (default // cfg.extraConfig); + content = concatStringsSep "\n" lines; + file = pkgs.writeText "nagios.cfg" content; + validated = pkgs.runCommand "nagios-checked.cfg" {preferLocalBuild=true;} '' + cp ${file} nagios.cfg + # nagios checks the existence of /var/lib/nagios, but + # it does not exists in the build sandbox, so we fake it + mkdir lib + lib=$(readlink -f lib) + sed -i s@=${nagiosState}@=$lib@ nagios.cfg + ${pkgs.nagios}/bin/nagios -v nagios.cfg && cp ${file} $out + ''; + defaultCfgFile = if cfg.validateConfig then validated else file; + in + if cfg.mainConfigFile == null then defaultCfgFile else cfg.mainConfigFile; # Plain configuration for the Nagios web-interface with no # authentication. @@ -49,12 +57,12 @@ let '' main_config_file=${cfg.mainConfigFile} use_authentication=0 - url_html_path=${cfg.urlPath} + url_html_path=${urlPath} ''; extraHttpdConfig = '' - ScriptAlias ${cfg.urlPath}/cgi-bin ${pkgs.nagios}/sbin + ScriptAlias ${urlPath}/cgi-bin ${pkgs.nagios}/sbin <Directory "${pkgs.nagios}/sbin"> Options ExecCGI @@ -62,7 +70,7 @@ let SetEnv NAGIOS_CGI_CONFIG ${cfg.cgiConfigFile} </Directory> - Alias ${cfg.urlPath} ${pkgs.nagios}/share + Alias ${urlPath} ${pkgs.nagios}/share <Directory "${pkgs.nagios}/share"> Options None @@ -72,16 +80,15 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "nagios" "urlPath" ] "The urlPath option has been removed as it is hard coded to /nagios in the nagios package.") + ]; + + meta.maintainers = with lib.maintainers; [ symphorien ]; + options = { services.nagios = { - enable = mkOption { - default = false; - description = " - Whether to use <link - xlink:href='http://www.nagios.org/'>Nagios</link> to monitor - your system or network. - "; - }; + enable = mkEnableOption "<link xlink:href='http://www.nagios.org/'>Nagios</link> to monitor your system or network."; objectDefs = mkOption { description = " @@ -89,12 +96,14 @@ in the hosts, host groups, services and contacts for the network that you want Nagios to monitor. "; + type = types.listOf types.path; + example = literalExample "[ ./objects.cfg ]"; }; plugins = mkOption { type = types.listOf types.package; - default = [pkgs.nagiosPluginsOfficial pkgs.ssmtp]; - defaultText = "[pkgs.nagiosPluginsOfficial pkgs.ssmtp]"; + default = with pkgs; [ nagiosPluginsOfficial ssmtp mailutils ]; + defaultText = "[pkgs.nagiosPluginsOfficial pkgs.ssmtp pkgs.mailutils]"; description = " Packages to be added to the Nagios <envar>PATH</envar>. Typically used to add plugins, but can be anything. @@ -102,14 +111,29 @@ in }; mainConfigFile = mkOption { - type = types.package; - default = nagiosCfgFile; - defaultText = "nagiosCfgFile"; + type = types.nullOr types.package; + default = null; description = " - Derivation for the main configuration file of Nagios. + If non-null, overrides the main configuration file of Nagios. "; }; + extraConfig = mkOption { + type = types.attrsOf types.str; + example = { + debug_level = "-1"; + debug_file = "/var/log/nagios/debug.log"; + }; + default = {}; + description = "Configuration to add to /etc/nagios.cfg"; + }; + + validateConfig = mkOption { + type = types.bool; + default = pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform; + description = "if true, the syntax of the nagios configuration file is checked at build time"; + }; + cgiConfigFile = mkOption { type = types.package; default = nagiosCGICfgFile; @@ -121,6 +145,7 @@ in }; enableWebInterface = mkOption { + type = types.bool; default = false; description = " Whether to enable the Nagios web interface. You should also @@ -128,13 +153,20 @@ in "; }; - urlPath = mkOption { - default = "/nagios"; - description = " - The URL path under which the Nagios web interface appears. - That is, you can access the Nagios web interface through - <literal>http://<replaceable>server</replaceable>/<replaceable>urlPath</replaceable></literal>. - "; + virtualHost = mkOption { + type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix); + example = literalExample '' + { hostName = "example.org"; + adminAddr = "webmaster@example.org"; + enableSSL = true; + sslServerCert = "/var/lib/acme/example.org/full.pem"; + sslServerKey = "/var/lib/acme/example.org/key.pem"; + } + ''; + description = '' + Apache configuration can be done by adapting <option>services.httpd.virtualHosts</option>. + See <xref linkend="opt-services.httpd.virtualHosts"/> for further information. + ''; }; }; }; @@ -152,16 +184,12 @@ in # This isn't needed, it's just so that the user can type "nagiostats # -c /etc/nagios.cfg". - environment.etc = [ - { source = cfg.mainConfigFile; - target = "nagios.cfg"; - } - ]; + environment.etc."nagios.cfg".source = nagiosCfgFile; environment.systemPackages = [ pkgs.nagios ]; systemd.services.nagios = { description = "Nagios monitoring daemon"; - path = [ pkgs.nagios ]; + path = [ pkgs.nagios ] ++ cfg.plugins; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; @@ -172,16 +200,13 @@ in RestartSec = 2; LogsDirectory = "nagios"; StateDirectory = "nagios"; + ExecStart = "${pkgs.nagios}/bin/nagios /etc/nagios.cfg"; + X-ReloadIfChanged = nagiosCfgFile; }; - - script = '' - for i in ${toString cfg.plugins}; do - export PATH=$i/bin:$i/sbin:$i/libexec:$PATH - done - exec ${pkgs.nagios}/bin/nagios ${cfg.mainConfigFile} - ''; }; - services.httpd.extraConfig = optionalString cfg.enableWebInterface extraHttpdConfig; + services.httpd.virtualHosts = optionalAttrs cfg.enableWebInterface { + ${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost { extraConfig = extraHttpdConfig; } ]; + }; }; } diff --git a/nixpkgs/nixos/modules/services/monitoring/netdata.nix b/nixpkgs/nixos/modules/services/monitoring/netdata.nix index 463b1b882acf..f8225af20428 100644 --- a/nixpkgs/nixos/modules/services/monitoring/netdata.nix +++ b/nixpkgs/nixos/modules/services/monitoring/netdata.nix @@ -138,7 +138,7 @@ in { description = "Real time performance monitoring"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - path = (with pkgs; [ gawk curl ]) ++ lib.optional cfg.python.enable + path = (with pkgs; [ curl gawk which ]) ++ lib.optional cfg.python.enable (pkgs.python3.withPackages cfg.python.extraPackages); serviceConfig = { Environment="PYTHONPATH=${pkgs.netdata}/libexec/netdata/python.d/python_modules"; @@ -179,12 +179,14 @@ in { { domain = "netdata"; type = "hard"; item = "nofile"; value = "30000"; } ]; - users.users = optional (cfg.user == defaultUser) { - name = defaultUser; + users.users = optionalAttrs (cfg.user == defaultUser) { + ${defaultUser} = { + isSystemUser = true; + }; }; - users.groups = optional (cfg.group == defaultUser) { - name = defaultUser; + users.groups = optionalAttrs (cfg.group == defaultUser) { + ${defaultUser} = { }; }; }; diff --git a/nixpkgs/nixos/modules/services/monitoring/osquery.nix b/nixpkgs/nixos/modules/services/monitoring/osquery.nix deleted file mode 100644 index c8c625577d39..000000000000 --- a/nixpkgs/nixos/modules/services/monitoring/osquery.nix +++ /dev/null @@ -1,91 +0,0 @@ -{ config, lib, pkgs, ... }: - -with builtins; -with lib; - -let - cfg = config.services.osquery; - -in - -{ - - options = { - - services.osquery = { - - enable = mkEnableOption "osquery"; - - loggerPath = mkOption { - type = types.path; - description = "Base directory used for logging."; - default = "/var/log/osquery"; - }; - - pidfile = mkOption { - type = types.path; - description = "Path used for pid file."; - default = "/var/osquery/osqueryd.pidfile"; - }; - - utc = mkOption { - type = types.bool; - description = "Attempt to convert all UNIX calendar times to UTC."; - default = true; - }; - - databasePath = mkOption { - type = types.path; - description = "Path used for database file."; - default = "/var/osquery/osquery.db"; - }; - - extraConfig = mkOption { - type = types.attrs // { - merge = loc: foldl' (res: def: recursiveUpdate res def.value) {}; - }; - description = "Extra config to be recursively merged into the JSON config file."; - default = { }; - }; - }; - - }; - - config = mkIf cfg.enable { - - environment.systemPackages = [ pkgs.osquery ]; - - environment.etc."osquery/osquery.conf".text = toJSON ( - recursiveUpdate { - options = { - config_plugin = "filesystem"; - logger_plugin = "filesystem"; - logger_path = cfg.loggerPath; - database_path = cfg.databasePath; - utc = cfg.utc; - }; - } cfg.extraConfig - ); - - systemd.services.osqueryd = { - description = "The osquery Daemon"; - after = [ "network.target" "syslog.service" ]; - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.osquery ]; - preStart = '' - mkdir -p ${escapeShellArg cfg.loggerPath} - mkdir -p "$(dirname ${escapeShellArg cfg.pidfile})" - mkdir -p "$(dirname ${escapeShellArg cfg.databasePath})" - ''; - serviceConfig = { - TimeoutStartSec = "infinity"; - ExecStart = "${pkgs.osquery}/bin/osqueryd --logger_path ${escapeShellArg cfg.loggerPath} --pidfile ${escapeShellArg cfg.pidfile} --database_path ${escapeShellArg cfg.databasePath}"; - KillMode = "process"; - KillSignal = "SIGTERM"; - Restart = "on-failure"; - }; - }; - - }; - -} diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix index 11d85e9c4fc3..9af6b1d94f37 100644 --- a/nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix @@ -27,6 +27,15 @@ let "--log.format ${cfg.logFormat}" ); in { + imports = [ + (mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "user" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a user setting.") + (mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "group" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a group setting.") + (mkRemovedOptionModule [ "services" "prometheus" "alertmanagerURL" ] '' + Due to incompatibility, the alertmanagerURL option has been removed, + please use 'services.prometheus2.alertmanagers' instead. + '') + ]; + options = { services.prometheus.alertmanager = { enable = mkEnableOption "Prometheus Alertmanager"; diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix index 191c0bff9c84..b67f697ca0de 100644 --- a/nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix @@ -464,6 +464,11 @@ let }; in { + + imports = [ + (mkRenamedOptionModule [ "services" "prometheus2" ] [ "services" "prometheus" ]) + ]; + options.services.prometheus = { enable = mkOption { diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix index 84486aa98a40..36ebffa44636 100644 --- a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -30,6 +30,7 @@ let "json" "mail" "minio" + "nextcloud" "nginx" "node" "postfix" @@ -159,6 +160,24 @@ let }; in { + + imports = (lib.forEach [ "blackboxExporter" "collectdExporter" "fritzboxExporter" + "jsonExporter" "minioExporter" "nginxExporter" "nodeExporter" + "snmpExporter" "unifiExporter" "varnishExporter" ] + (opt: lib.mkRemovedOptionModule [ "services" "prometheus" "${opt}" ] '' + The prometheus exporters are now configured using `services.prometheus.exporters'. + See the 18.03 release notes for more information. + '' )) + + ++ (lib.forEach [ "enable" "substitutions" "preset" ] + (opt: lib.mkRemovedOptionModule [ "fonts" "fontconfig" "ultimate" "${opt}" ] '' + The fonts.fontconfig.ultimate module and configuration is obsolete. + The repository has since been archived and activity has ceased. + https://github.com/bohoomil/fontconfig-ultimate/issues/171. + No action should be needed for font configuration, as the fonts.fontconfig + module is already used by default. + '' )); + options.services.prometheus.exporters = mkOption { type = types.submodule { options = (mkSubModules); @@ -196,6 +215,9 @@ in services.prometheus.exporters.minio.minioAccessSecret = mkDefault config.services.minio.secretKey; })] ++ [(mkIf config.services.rspamd.enable { services.prometheus.exporters.rspamd.url = mkDefault "http://localhost:11334/stat"; + })] ++ [(mkIf config.services.nginx.enable { + systemd.services.prometheus-nginx-exporter.after = [ "nginx.service" ]; + systemd.services.prometheus-nginx-exporter.requires = [ "nginx.service" ]; })] ++ (mapAttrsToList (name: conf: mkExporterConf { inherit name; diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix index ca4366121e12..8a90afa99842 100644 --- a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix @@ -3,16 +3,34 @@ with lib; let + logPrefix = "services.prometheus.exporter.blackbox"; cfg = config.services.prometheus.exporters.blackbox; - checkConfig = file: pkgs.runCommand "checked-blackbox-exporter.conf" { - preferLocalBuild = true; - buildInputs = [ pkgs.buildPackages.prometheus-blackbox-exporter ]; } '' - ln -s ${file} $out - blackbox_exporter --config.check --config.file $out - ''; -in -{ + # This ensures that we can deal with string paths, path types and + # store-path strings with context. + coerceConfigFile = file: + if (builtins.isPath file) || (lib.isStorePath file) then + file + else + (lib.warn '' + ${logPrefix}: configuration file "${file}" is being copied to the nix-store. + If you would like to avoid that, please set enableConfigCheck to false. + '' /. + file); + checkConfigLocation = file: + if lib.hasPrefix "/tmp/" file then + throw + "${logPrefix}: configuration file must not reside within /tmp - it won't be visible to the systemd service." + else + true; + checkConfig = file: + pkgs.runCommand "checked-blackbox-exporter.conf" { + preferLocalBuild = true; + buildInputs = [ pkgs.buildPackages.prometheus-blackbox-exporter ]; + } '' + ln -s ${coerceConfigFile file} $out + blackbox_exporter --config.check --config.file $out + ''; +in { port = 9115; extraOpts = { configFile = mkOption { @@ -21,14 +39,29 @@ in Path to configuration file. ''; }; + enableConfigCheck = mkOption { + type = types.bool; + default = true; + description = '' + Whether to run a correctness check for the configuration file. This depends + on the configuration file residing in the nix-store. Paths passed as string will + be copied to the store. + ''; + }; }; - serviceOpts = { + + serviceOpts = let + adjustedConfigFile = if cfg.enableConfigCheck then + checkConfig cfg.configFile + else + checkConfigLocation cfg.configFile; + in { serviceConfig = { AmbientCapabilities = [ "CAP_NET_RAW" ]; # for ping probes ExecStart = '' ${pkgs.prometheus-blackbox-exporter}/bin/blackbox_exporter \ --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ - --config.file ${checkConfig cfg.configFile} \ + --config.file ${adjustedConfigFile} \ ${concatStringsSep " \\\n " cfg.extraFlags} ''; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/nextcloud.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/nextcloud.nix new file mode 100644 index 000000000000..5f9a52053f79 --- /dev/null +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/nextcloud.nix @@ -0,0 +1,58 @@ +{ config, lib, pkgs, options }: + +with lib; + +let + cfg = config.services.prometheus.exporters.nextcloud; +in +{ + port = 9205; + extraOpts = { + url = mkOption { + type = types.str; + example = "https://domain.tld"; + description = '' + URL to the Nextcloud serverinfo page. + Adding the path to the serverinfo API is optional, it defaults + to <literal>/ocs/v2.php/apps/serverinfo/api/v1/info</literal>. + ''; + }; + username = mkOption { + type = types.str; + default = "nextcloud-exporter"; + description = '' + Username for connecting to Nextcloud. + Note that this account needs to have admin privileges in Nextcloud. + ''; + }; + passwordFile = mkOption { + type = types.path; + example = "/path/to/password-file"; + description = '' + File containing the password for connecting to Nextcloud. + Make sure that this file is readable by the exporter user. + ''; + }; + timeout = mkOption { + type = types.str; + default = "5s"; + description = '' + Timeout for getting server info document. + ''; + }; + }; + serviceOpts = { + serviceConfig = { + DynamicUser = false; + ExecStart = '' + ${pkgs.prometheus-nextcloud-exporter}/bin/nextcloud-exporter \ + -a ${cfg.listenAddress}:${toString cfg.port} \ + -u ${cfg.username} \ + -t ${cfg.timeout} \ + -l ${cfg.url} \ + -p @${cfg.passwordFile} \ + ${concatStringsSep " \\\n " cfg.extraFlags} + ''; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/nginx.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/nginx.nix index 554377df37ba..ba852fea4336 100644 --- a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/nginx.nix +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/nginx.nix @@ -49,6 +49,6 @@ in (mkRemovedOptionModule [ "insecure" ] '' This option was replaced by 'prometheus.exporters.nginx.sslVerify'. '') - ({ options.warnings = options.warnings; }) + ({ options.warnings = options.warnings; options.assertions = options.assertions; }) ]; } diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix index 8ae2c927b58c..374f83a2939d 100644 --- a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix @@ -6,6 +6,10 @@ let cfg = config.services.prometheus.exporters.wireguard; in { port = 9586; + imports = [ + (mkRenamedOptionModule [ "addr" ] [ "listenAddress" ]) + ({ options.warnings = options.warnings; options.assertions = options.assertions; }) + ]; extraOpts = { verbose = mkEnableOption "Verbose logging mode for prometheus-wireguard-exporter"; @@ -51,6 +55,7 @@ in { ExecStart = '' ${pkgs.prometheus-wireguard-exporter}/bin/prometheus_wireguard_exporter \ -p ${toString cfg.port} \ + -l ${cfg.listenAddress} \ ${optionalString cfg.verbose "-v"} \ ${optionalString cfg.singleSubnetPerField "-s"} \ ${optionalString cfg.withRemoteIp "-r"} \ diff --git a/nixpkgs/nixos/modules/services/monitoring/statsd.nix b/nixpkgs/nixos/modules/services/monitoring/statsd.nix index ea155821ecc9..17836e95a6f8 100644 --- a/nixpkgs/nixos/modules/services/monitoring/statsd.nix +++ b/nixpkgs/nixos/modules/services/monitoring/statsd.nix @@ -125,8 +125,7 @@ in message = "Only builtin backends (graphite, console, repeater) or backends enumerated in `pkgs.nodePackages` are allowed!"; }) cfg.backends; - users.users = singleton { - name = "statsd"; + users.use.statsdrs = { uid = config.ids.uids.statsd; description = "Statsd daemon user"; }; diff --git a/nixpkgs/nixos/modules/services/monitoring/sysstat.nix b/nixpkgs/nixos/modules/services/monitoring/sysstat.nix index d668faa53cc3..ca2cff827232 100644 --- a/nixpkgs/nixos/modules/services/monitoring/sysstat.nix +++ b/nixpkgs/nixos/modules/services/monitoring/sysstat.nix @@ -5,15 +5,10 @@ let in { options = { services.sysstat = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable sar system activity collection. - ''; - }; + enable = mkEnableOption "sar system activity collection"; collect-frequency = mkOption { + type = types.str; default = "*:00/10"; description = '' OnCalendar specification for sysstat-collect @@ -21,6 +16,7 @@ in { }; collect-args = mkOption { + type = types.str; default = "1 1"; description = '' Arguments to pass sa1 when collecting statistics @@ -33,13 +29,13 @@ in { systemd.services.sysstat = { description = "Resets System Activity Logs"; wantedBy = [ "multi-user.target" ]; - preStart = "test -d /var/log/sa || mkdir -p /var/log/sa"; serviceConfig = { User = "root"; RemainAfterExit = true; Type = "oneshot"; ExecStart = "${pkgs.sysstat}/lib/sa/sa1 --boot"; + LogsDirectory = "sa"; }; }; diff --git a/nixpkgs/nixos/modules/services/monitoring/telegraf.nix b/nixpkgs/nixos/modules/services/monitoring/telegraf.nix index d87867326682..5d131557e8be 100644 --- a/nixpkgs/nixos/modules/services/monitoring/telegraf.nix +++ b/nixpkgs/nixos/modules/services/monitoring/telegraf.nix @@ -63,10 +63,9 @@ in { }; }; - users.users = [{ - name = "telegraf"; + users.users.telegraf = { uid = config.ids.uids.telegraf; description = "telegraf daemon user"; - }]; + }; }; } diff --git a/nixpkgs/nixos/modules/services/monitoring/thanos.nix b/nixpkgs/nixos/modules/services/monitoring/thanos.nix index 215cd43fd864..52dab28cf72f 100644 --- a/nixpkgs/nixos/modules/services/monitoring/thanos.nix +++ b/nixpkgs/nixos/modules/services/monitoring/thanos.nix @@ -126,6 +126,8 @@ let ''; description = '' Path to YAML file that contains tracing configuration. + + See format details: <link xlink:href="https://thanos.io/tracing.md/#configuration"/> ''; }; }; @@ -141,6 +143,8 @@ let <option>tracing.config-file</option> will default to its path. If <option>tracing.config-file</option> is set this option has no effect. + + See format details: <link xlink:href="https://thanos.io/tracing.md/#configuration"/> ''; }; }; @@ -187,6 +191,8 @@ let ''; description = '' Path to YAML file that contains object store configuration. + + See format details: <link xlink:href="https://thanos.io/storage.md/#configuration"/> ''; }; }; @@ -202,6 +208,8 @@ let <option>objstore.config-file</option> will default to its path. If <option>objstore.config-file</option> is set this option has no effect. + + See format details: <link xlink:href="https://thanos.io/storage.md/#configuration"/> ''; }; }; @@ -276,6 +284,24 @@ let block-sync-concurrency = mkParamDef types.int 20 '' Number of goroutines to use when syncing blocks from object storage. ''; + + min-time = mkParamDef types.str "0000-01-01T00:00:00Z" '' + Start of time range limit to serve. + + Thanos Store serves only metrics, which happened later than this + value. Option can be a constant time in RFC3339 format or time duration + relative to current time, such as -1d or 2h45m. Valid duration units are + ms, s, m, h, d, w, y. + ''; + + max-time = mkParamDef types.str "9999-12-31T23:59:59Z" '' + End of time range limit to serve. + + Thanos Store serves only blocks, which happened eariler than this + value. Option can be a constant time in RFC3339 format or time duration + relative to current time, such as -1d or 2h45m. Valid duration units are + ms, s, m, h, d, w, y. + ''; }; query = params.common cfg.query // { @@ -560,6 +586,14 @@ let ''; }; + downsampling.disable = mkFlagParam '' + Disables downsampling. + + This is not recommended as querying long time ranges without + non-downsampled data is not efficient and useful e.g it is not possible + to render all samples for a human eye anyway + ''; + block-sync-concurrency = mkParamDef types.int 20 '' Number of goroutines to use when syncing block metadata from object storage. ''; diff --git a/nixpkgs/nixos/modules/services/monitoring/ups.nix b/nixpkgs/nixos/modules/services/monitoring/ups.nix index 1bdc4e4410f1..a45e806d4ad8 100644 --- a/nixpkgs/nixos/modules/services/monitoring/ups.nix +++ b/nixpkgs/nixos/modules/services/monitoring/ups.nix @@ -214,14 +214,12 @@ in environment.NUT_STATEPATH = "/var/lib/nut/"; }; - environment.etc = [ - { source = pkgs.writeText "nut.conf" + environment.etc = { + "nut/nut.conf".source = pkgs.writeText "nut.conf" '' MODE = ${cfg.mode} ''; - target = "nut/nut.conf"; - } - { source = pkgs.writeText "ups.conf" + "nut/ups.conf".source = pkgs.writeText "ups.conf" '' maxstartdelay = ${toString cfg.maxStartDelay} @@ -229,25 +227,15 @@ in "} ''; - target = "nut/ups.conf"; - } - { source = cfg.schedulerRules; - target = "nut/upssched.conf"; - } + "nut/upssched.conf".source = cfg.schedulerRules; # These file are containing private informations and thus should not # be stored inside the Nix store. /* - { source = ; - target = "nut/upsd.conf"; - } - { source = ; - target = "nut/upsd.users"; - } - { source = ; - target = "nut/upsmon.conf; - } + "nut/upsd.conf".source = ""; + "nut/upsd.users".source = ""; + "nut/upsmon.conf".source = ""; */ - ]; + }; power.ups.schedulerRules = mkDefault "${pkgs.nut}/etc/upssched.conf.sample"; @@ -259,21 +247,16 @@ in /* - users.users = [ - { name = "nut"; - uid = 84; + users.users.nut = + { uid = 84; home = "/var/lib/nut"; createHome = true; group = "nut"; description = "UPnP A/V Media Server user"; - } - ]; - - users.groups = [ - { name = "nut"; - gid = 84; - } - ]; + }; + + users.groups."nut" = + { gid = 84; }; */ }; diff --git a/nixpkgs/nixos/modules/services/monitoring/zabbix-agent.nix b/nixpkgs/nixos/modules/services/monitoring/zabbix-agent.nix index 856b9432892b..b3383ed628b2 100644 --- a/nixpkgs/nixos/modules/services/monitoring/zabbix-agent.nix +++ b/nixpkgs/nixos/modules/services/monitoring/zabbix-agent.nix @@ -131,6 +131,7 @@ in users.users.${user} = { description = "Zabbix Agent daemon user"; inherit group; + isSystemUser = true; }; users.groups.${group} = { }; diff --git a/nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix b/nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix index 4b4049ed360e..b4e4378ce1e7 100644 --- a/nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix +++ b/nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix @@ -30,6 +30,7 @@ let DBUser = ${cfg.database.user} ${optionalString (cfg.database.passwordFile != null) "Include ${passwordFile}"} ${optionalString (mysqlLocal && cfg.database.socket != null) "DBSocket = ${cfg.database.socket}"} + PidFile = ${runtimeDir}/zabbix_server.pid SocketDir = ${runtimeDir} FpingLocation = /run/wrappers/bin/fping ${optionalString (cfg.modules != {}) "LoadModulePath = ${moduleEnv}/lib"} @@ -43,6 +44,11 @@ let in { + imports = [ + (lib.mkRenamedOptionModule [ "services" "zabbixServer" "dbServer" ] [ "services" "zabbixServer" "database" "host" ]) + (lib.mkRemovedOptionModule [ "services" "zabbixServer" "dbPassword" ] "Use services.zabbixServer.database.passwordFile instead.") + ]; + # interface options = { diff --git a/nixpkgs/nixos/modules/services/network-filesystems/beegfs.nix b/nixpkgs/nixos/modules/services/network-filesystems/beegfs.nix deleted file mode 100644 index 2e03a422665a..000000000000 --- a/nixpkgs/nixos/modules/services/network-filesystems/beegfs.nix +++ /dev/null @@ -1,357 +0,0 @@ -{ config, lib, pkgs, ...} : - -with lib; - -let - cfg = config.services.beegfs; - - # functions for the generations of config files - - configMgmtd = name: cfg: pkgs.writeText "mgmt-${name}.conf" '' - storeMgmtdDirectory = ${cfg.mgmtd.storeDir} - storeAllowFirstRunInit = false - connAuthFile = ${cfg.connAuthFile} - connPortShift = ${toString cfg.connPortShift} - - ${cfg.mgmtd.extraConfig} - ''; - - configAdmon = name: cfg: pkgs.writeText "admon-${name}.conf" '' - sysMgmtdHost = ${cfg.mgmtdHost} - connAuthFile = ${cfg.connAuthFile} - connPortShift = ${toString cfg.connPortShift} - - ${cfg.admon.extraConfig} - ''; - - configMeta = name: cfg: pkgs.writeText "meta-${name}.conf" '' - storeMetaDirectory = ${cfg.meta.storeDir} - sysMgmtdHost = ${cfg.mgmtdHost} - connAuthFile = ${cfg.connAuthFile} - connPortShift = ${toString cfg.connPortShift} - storeAllowFirstRunInit = false - - ${cfg.meta.extraConfig} - ''; - - configStorage = name: cfg: pkgs.writeText "storage-${name}.conf" '' - storeStorageDirectory = ${cfg.storage.storeDir} - sysMgmtdHost = ${cfg.mgmtdHost} - connAuthFile = ${cfg.connAuthFile} - connPortShift = ${toString cfg.connPortShift} - storeAllowFirstRunInit = false - - ${cfg.storage.extraConfig} - ''; - - configHelperd = name: cfg: pkgs.writeText "helperd-${name}.conf" '' - connAuthFile = ${cfg.connAuthFile} - ${cfg.helperd.extraConfig} - ''; - - configClientFilename = name : "/etc/beegfs/client-${name}.conf"; - - configClient = name: cfg: '' - sysMgmtdHost = ${cfg.mgmtdHost} - connAuthFile = ${cfg.connAuthFile} - connPortShift = ${toString cfg.connPortShift} - - ${cfg.client.extraConfig} - ''; - - serviceList = [ - { service = "admon"; cfgFile = configAdmon; } - { service = "meta"; cfgFile = configMeta; } - { service = "mgmtd"; cfgFile = configMgmtd; } - { service = "storage"; cfgFile = configStorage; } - ]; - - # functions to generate systemd.service entries - - systemdEntry = service: cfgFile: (mapAttrs' ( name: cfg: - (nameValuePair "beegfs-${service}-${name}" (mkIf cfg.${service}.enable { - wantedBy = [ "multi-user.target" ]; - requires = [ "network-online.target" ]; - after = [ "network-online.target" ]; - serviceConfig = rec { - ExecStart = '' - ${pkgs.beegfs}/bin/beegfs-${service} \ - cfgFile=${cfgFile name cfg} \ - pidFile=${PIDFile} - ''; - PIDFile = "/run/beegfs-${service}-${name}.pid"; - TimeoutStopSec = "300"; - }; - }))) cfg); - - systemdHelperd = mapAttrs' ( name: cfg: - (nameValuePair "beegfs-helperd-${name}" (mkIf cfg.client.enable { - wantedBy = [ "multi-user.target" ]; - requires = [ "network-online.target" ]; - after = [ "network-online.target" ]; - serviceConfig = rec { - ExecStart = '' - ${pkgs.beegfs}/bin/beegfs-helperd \ - cfgFile=${configHelperd name cfg} \ - pidFile=${PIDFile} - ''; - PIDFile = "/run/beegfs-helperd-${name}.pid"; - TimeoutStopSec = "300"; - }; - }))) cfg; - - # wrappers to beegfs tools. Avoid typing path of config files - utilWrappers = mapAttrsToList ( name: cfg: - ( pkgs.runCommand "beegfs-utils-${name}" { - nativeBuildInputs = [ pkgs.makeWrapper ]; - preferLocalBuild = true; - } '' - mkdir -p $out/bin - - makeWrapper ${pkgs.beegfs}/bin/beegfs-check-servers \ - $out/bin/beegfs-check-servers-${name} \ - --add-flags "-c ${configClientFilename name}" \ - --prefix PATH : ${lib.makeBinPath [ pkgs.beegfs ]} - - makeWrapper ${pkgs.beegfs}/bin/beegfs-ctl \ - $out/bin/beegfs-ctl-${name} \ - --add-flags "--cfgFile=${configClientFilename name}" - - makeWrapper ${pkgs.beegfs}/bin/beegfs-ctl \ - $out/bin/beegfs-df-${name} \ - --add-flags "--cfgFile=${configClientFilename name}" \ - --add-flags --listtargets \ - --add-flags --hidenodeid \ - --add-flags --pools \ - --add-flags --spaceinfo - - makeWrapper ${pkgs.beegfs}/bin/beegfs-fsck \ - $out/bin/beegfs-fsck-${name} \ - --add-flags "--cfgFile=${configClientFilename name}" - '' - )) cfg; -in -{ - ###### interface - - options = { - services.beegfsEnable = mkEnableOption "BeeGFS"; - - services.beegfs = mkOption { - default = {}; - description = '' - BeeGFS configurations. Every mount point requires a separate configuration. - ''; - type = with types; attrsOf (submodule ({ ... } : { - options = { - mgmtdHost = mkOption { - type = types.str; - default = null; - example = "master"; - description = ''Hostname of managament host.''; - }; - - connAuthFile = mkOption { - type = types.str; - default = ""; - example = "/etc/my.key"; - description = "File containing shared secret authentication."; - }; - - connPortShift = mkOption { - type = types.int; - default = 0; - example = 5; - description = '' - For each additional beegfs configuration shift all - service TCP/UDP ports by at least 5. - ''; - }; - - client = { - enable = mkEnableOption "BeeGFS client"; - - mount = mkOption { - type = types.bool; - default = true; - description = "Create fstab entry automatically"; - }; - - mountPoint = mkOption { - type = types.str; - default = "/run/beegfs"; - description = '' - Mount point under which the beegfs filesytem should be mounted. - If mounted manually the mount option specifing the config file is needed: - cfgFile=/etc/beegfs/beegfs-client-<name>.conf - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Additional lines for beegfs-client.conf. - See documentation for further details. - ''; - }; - }; - - helperd = { - enable = mkOption { - type = types.bool; - default = true; - description = '' - Enable the BeeGFS helperd. - The helpered is need for logging purposes on the client. - Disabling <literal>helperd</literal> allows for runing the client - with <literal>allowUnfree = false</literal>. - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Additional lines for beegfs-helperd.conf. See documentation - for further details. - ''; - }; - }; - - mgmtd = { - enable = mkEnableOption "BeeGFS mgmtd daemon"; - - storeDir = mkOption { - type = types.path; - default = null; - example = "/data/beegfs-mgmtd"; - description = '' - Data directory for mgmtd. - Must not be shared with other beegfs daemons. - This directory must exist and it must be initialized - with beegfs-setup-mgmtd, e.g. "beegfs-setup-mgmtd -C -p <storeDir>" - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Additional lines for beegfs-mgmtd.conf. See documentation - for further details. - ''; - }; - }; - - admon = { - enable = mkEnableOption "BeeGFS admon daemon"; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Additional lines for beegfs-admon.conf. See documentation - for further details. - ''; - }; - }; - - meta = { - enable = mkEnableOption "BeeGFS meta data daemon"; - - storeDir = mkOption { - type = types.path; - default = null; - example = "/data/beegfs-meta"; - description = '' - Data directory for meta data service. - Must not be shared with other beegfs daemons. - The underlying filesystem must be mounted with xattr turned on. - This directory must exist and it must be initialized - with beegfs-setup-meta, e.g. - "beegfs-setup-meta -C -s <serviceID> -p <storeDir>" - ''; - }; - - extraConfig = mkOption { - type = types.str; - default = ""; - description = '' - Additional lines for beegfs-meta.conf. See documentation - for further details. - ''; - }; - }; - - storage = { - enable = mkEnableOption "BeeGFS storage daemon"; - - storeDir = mkOption { - type = types.path; - default = null; - example = "/data/beegfs-storage"; - description = '' - Data directories for storage service. - Must not be shared with other beegfs daemons. - The underlying filesystem must be mounted with xattr turned on. - This directory must exist and it must be initialized - with beegfs-setup-storage, e.g. - "beegfs-setup-storage -C -s <serviceID> -i <storageTargetID> -p <storeDir>" - ''; - }; - - extraConfig = mkOption { - type = types.str; - default = ""; - description = '' - Addional lines for beegfs-storage.conf. See documentation - for further details. - ''; - }; - }; - }; - })); - }; - }; - - ###### implementation - - config = - mkIf config.services.beegfsEnable { - - environment.systemPackages = utilWrappers; - - # Put the client.conf files in /etc since they are needed - # by the commandline tools - environment.etc = mapAttrs' ( name: cfg: - (nameValuePair "beegfs/client-${name}.conf" (mkIf (cfg.client.enable) - { - enable = true; - text = configClient name cfg; - }))) cfg; - - # Kernel module, we need it only once per host. - boot = mkIf ( - foldr (a: b: a || b) false - (map (x: x.client.enable) (collect (x: x ? client) cfg))) - { - kernelModules = [ "beegfs" ]; - extraModulePackages = [ pkgs.linuxPackages.beegfs-module ]; - }; - - # generate fstab entries - fileSystems = mapAttrs' (name: cfg: - (nameValuePair cfg.client.mountPoint (optionalAttrs cfg.client.mount (mkIf cfg.client.enable { - device = "beegfs_nodev"; - fsType = "beegfs"; - mountPoint = cfg.client.mountPoint; - options = [ "cfgFile=${configClientFilename name}" "_netdev" ]; - })))) cfg; - - # generate systemd services - systemd.services = systemdHelperd // - foldr (a: b: a // b) {} - (map (x: systemdEntry x.service x.cfgFile) serviceList); - }; -} diff --git a/nixpkgs/nixos/modules/services/network-filesystems/ceph.nix b/nixpkgs/nixos/modules/services/network-filesystems/ceph.nix index 656a2d21b868..d17959a6a305 100644 --- a/nixpkgs/nixos/modules/services/network-filesystems/ceph.nix +++ b/nixpkgs/nixos/modules/services/network-filesystems/ceph.nix @@ -9,12 +9,14 @@ let expandCamelCase = replaceStrings upperChars (map (s: " ${s}") lowerChars); expandCamelCaseAttrs = mapAttrs' (name: value: nameValuePair (expandCamelCase name) value); - makeServices = (daemonType: daemonIds: extraServiceConfig: + makeServices = (daemonType: daemonIds: mkMerge (map (daemonId: - { "ceph-${daemonType}-${daemonId}" = makeService daemonType daemonId cfg.global.clusterName pkgs.ceph extraServiceConfig; }) + { "ceph-${daemonType}-${daemonId}" = makeService daemonType daemonId cfg.global.clusterName pkgs.ceph; }) daemonIds)); - makeService = (daemonType: daemonId: clusterName: ceph: extraServiceConfig: { + makeService = (daemonType: daemonId: clusterName: ceph: + let + stateDirectory = "ceph/${if daemonType == "rgw" then "radosgw" else daemonType}/${clusterName}-${daemonId}"; in { enable = true; description = "Ceph ${builtins.replaceStrings lowerChars upperChars daemonType} daemon ${daemonId}"; after = [ "network-online.target" "time-sync.target" ] ++ optional (daemonType == "osd") "ceph-mon.target"; @@ -22,6 +24,11 @@ let partOf = [ "ceph-${daemonType}.target" ]; wantedBy = [ "ceph-${daemonType}.target" ]; + path = [ pkgs.getopt ]; + + # Don't start services that are not yet initialized + unitConfig.ConditionPathExists = "/var/lib/${stateDirectory}/keyring"; + serviceConfig = { LimitNOFILE = 1048576; LimitNPROC = 1048576; @@ -34,22 +41,22 @@ let Restart = "on-failure"; StartLimitBurst = "5"; StartLimitInterval = "30min"; + StateDirectory = stateDirectory; + User = "ceph"; + Group = if daemonType == "osd" then "disk" else "ceph"; ExecStart = ''${ceph.out}/bin/${if daemonType == "rgw" then "radosgw" else "ceph-${daemonType}"} \ - -f --cluster ${clusterName} --id ${daemonId} --setuser ceph \ - --setgroup ${if daemonType == "osd" then "disk" else "ceph"}''; - } // extraServiceConfig - // optionalAttrs (daemonType == "osd") { ExecStartPre = ''${ceph.lib}/libexec/ceph/ceph-osd-prestart.sh \ - --id ${daemonId} --cluster ${clusterName}''; }; - } // optionalAttrs (builtins.elem daemonType [ "mds" "mon" "rgw" "mgr" ]) { - preStart = '' - daemonPath="/var/lib/ceph/${if daemonType == "rgw" then "radosgw" else daemonType}/${clusterName}-${daemonId}" - if [ ! -d $daemonPath ]; then - mkdir -m 755 -p $daemonPath - chown -R ceph:ceph $daemonPath - fi - ''; - } // optionalAttrs (daemonType == "osd") { path = [ pkgs.getopt ]; } - ); + -f --cluster ${clusterName} --id ${daemonId}''; + } // optionalAttrs (daemonType == "osd") { + ExecStartPre = ''${ceph.lib}/libexec/ceph/ceph-osd-prestart.sh --id ${daemonId} --cluster ${clusterName}''; + StartLimitBurst = "30"; + RestartSec = "20s"; + PrivateDevices = "no"; # osd needs disk access + } // optionalAttrs ( daemonType == "mon") { + RestartSec = "10"; + } // optionalAttrs (lib.elem daemonType ["mgr" "mds"]) { + StartLimitBurst = "3"; + }; + }); makeTarget = (daemonType: { @@ -58,6 +65,7 @@ let partOf = [ "ceph.target" ]; wantedBy = [ "ceph.target" ]; before = [ "ceph.target" ]; + unitConfig.StopWhenUnneeded = true; }; } ); @@ -363,36 +371,35 @@ in in generators.toINI {} totalConfig; - users.users = singleton { - name = "ceph"; + users.users.ceph = { uid = config.ids.uids.ceph; description = "Ceph daemon user"; group = "ceph"; extraGroups = [ "disk" ]; }; - users.groups = singleton { - name = "ceph"; + + users.groups.ceph = { gid = config.ids.gids.ceph; }; systemd.services = let services = [] - ++ optional cfg.mon.enable (makeServices "mon" cfg.mon.daemons { RestartSec = "10"; }) - ++ optional cfg.mds.enable (makeServices "mds" cfg.mds.daemons { StartLimitBurst = "3"; }) - ++ optional cfg.osd.enable (makeServices "osd" cfg.osd.daemons { StartLimitBurst = "30"; - RestartSec = "20s"; - PrivateDevices = "no"; # osd needs disk access - }) - ++ optional cfg.rgw.enable (makeServices "rgw" cfg.rgw.daemons { }) - ++ optional cfg.mgr.enable (makeServices "mgr" cfg.mgr.daemons { StartLimitBurst = "3"; }); + ++ optional cfg.mon.enable (makeServices "mon" cfg.mon.daemons) + ++ optional cfg.mds.enable (makeServices "mds" cfg.mds.daemons) + ++ optional cfg.osd.enable (makeServices "osd" cfg.osd.daemons) + ++ optional cfg.rgw.enable (makeServices "rgw" cfg.rgw.daemons) + ++ optional cfg.mgr.enable (makeServices "mgr" cfg.mgr.daemons); in mkMerge services; systemd.targets = let targets = [ - { ceph = { description = "Ceph target allowing to start/stop all ceph service instances at once"; - wantedBy = [ "multi-user.target" ]; }; } - ] ++ optional cfg.mon.enable (makeTarget "mon") + { ceph = { + description = "Ceph target allowing to start/stop all ceph service instances at once"; + wantedBy = [ "multi-user.target" ]; + unitConfig.StopWhenUnneeded = true; + }; } ] + ++ optional cfg.mon.enable (makeTarget "mon") ++ optional cfg.mds.enable (makeTarget "mds") ++ optional cfg.osd.enable (makeTarget "osd") ++ optional cfg.rgw.enable (makeTarget "rgw") @@ -401,7 +408,11 @@ in mkMerge targets; systemd.tmpfiles.rules = [ + "d /etc/ceph - ceph ceph - -" "d /run/ceph 0770 ceph ceph -" - ]; + "d /var/lib/ceph - ceph ceph - -"] + ++ optionals cfg.mgr.enable [ "d /var/lib/ceph/mgr - ceph ceph - -"] + ++ optionals cfg.mon.enable [ "d /var/lib/ceph/mon - ceph ceph - -"] + ++ optionals cfg.osd.enable [ "d /var/lib/ceph/osd - ceph ceph - -"]; }; } diff --git a/nixpkgs/nixos/modules/services/network-filesystems/davfs2.nix b/nixpkgs/nixos/modules/services/network-filesystems/davfs2.nix index 100d458d536c..4b6f85e4a2c9 100644 --- a/nixpkgs/nixos/modules/services/network-filesystems/davfs2.nix +++ b/nixpkgs/nixos/modules/services/network-filesystems/davfs2.nix @@ -57,18 +57,19 @@ in environment.systemPackages = [ pkgs.davfs2 ]; environment.etc."davfs2/davfs2.conf".source = cfgFile; - users.groups = optionalAttrs (cfg.davGroup == "davfs2") (singleton { - name = "davfs2"; - gid = config.ids.gids.davfs2; - }); + users.groups = optionalAttrs (cfg.davGroup == "davfs2") { + davfs2.gid = config.ids.gids.davfs2; + }; + + users.users = optionalAttrs (cfg.davUser == "davfs2") { + davfs2 = { + createHome = false; + group = cfg.davGroup; + uid = config.ids.uids.davfs2; + description = "davfs2 user"; + }; + }; - users.users = optionalAttrs (cfg.davUser == "davfs2") (singleton { - name = "davfs2"; - createHome = false; - group = cfg.davGroup; - uid = config.ids.uids.davfs2; - description = "davfs2 user"; - }); }; } diff --git a/nixpkgs/nixos/modules/services/network-filesystems/drbd.nix b/nixpkgs/nixos/modules/services/network-filesystems/drbd.nix index 4ab74ed8e1c0..916e7eaaaa94 100644 --- a/nixpkgs/nixos/modules/services/network-filesystems/drbd.nix +++ b/nixpkgs/nixos/modules/services/network-filesystems/drbd.nix @@ -47,10 +47,8 @@ let cfg = config.services.drbd; in options drbd usermode_helper=/run/current-system/sw/bin/drbdadm ''; - environment.etc = singleton - { source = pkgs.writeText "drbd.conf" cfg.config; - target = "drbd.conf"; - }; + environment.etc.drbd.conf = + { source = pkgs.writeText "drbd.conf" cfg.config; }; systemd.services.drbd = { after = [ "systemd-udev.settle.service" "network.target" ]; diff --git a/nixpkgs/nixos/modules/services/network-filesystems/nfsd.nix b/nixpkgs/nixos/modules/services/network-filesystems/nfsd.nix index 1a78f9a76a33..1b62bfa82035 100644 --- a/nixpkgs/nixos/modules/services/network-filesystems/nfsd.nix +++ b/nixpkgs/nixos/modules/services/network-filesystems/nfsd.nix @@ -11,6 +11,10 @@ let in { + imports = [ + (mkRenamedOptionModule [ "services" "nfs" "lockdPort" ] [ "services" "nfs" "server" "lockdPort" ]) + (mkRenamedOptionModule [ "services" "nfs" "statdPort" ] [ "services" "nfs" "server" "statdPort" ]) + ]; ###### interface diff --git a/nixpkgs/nixos/modules/services/network-filesystems/orangefs/client.nix b/nixpkgs/nixos/modules/services/network-filesystems/orangefs/client.nix new file mode 100644 index 000000000000..b69d9e713c3d --- /dev/null +++ b/nixpkgs/nixos/modules/services/network-filesystems/orangefs/client.nix @@ -0,0 +1,97 @@ +{ config, lib, pkgs, ...} : + +with lib; + +let + cfg = config.services.orangefs.client; + +in { + ###### interface + + options = { + services.orangefs.client = { + enable = mkEnableOption "OrangeFS client daemon"; + + extraOptions = mkOption { + type = with types; listOf str; + default = []; + description = "Extra command line options for pvfs2-client."; + }; + + fileSystems = mkOption { + description = '' + The orangefs file systems to be mounted. + This option is prefered over using <option>fileSystems</option> directly since + the pvfs client service needs to be running for it to be mounted. + ''; + + example = [{ + mountPoint = "/orangefs"; + target = "tcp://server:3334/orangefs"; + }]; + + type = with types; listOf (submodule ({ ... } : { + options = { + + mountPoint = mkOption { + type = types.str; + default = "/orangefs"; + description = "Mount point."; + }; + + options = mkOption { + type = with types; listOf str; + default = []; + description = "Mount options"; + }; + + target = mkOption { + type = types.str; + default = null; + example = "tcp://server:3334/orangefs"; + description = "Target URL"; + }; + }; + })); + }; + }; + }; + + + ###### implementation + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.orangefs ]; + + boot.supportedFilesystems = [ "pvfs2" ]; + boot.kernelModules = [ "orangefs" ]; + + systemd.services.orangefs-client = { + requires = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + serviceConfig = { + Type = "simple"; + + ExecStart = '' + ${pkgs.orangefs}/bin/pvfs2-client-core \ + --logtype=syslog ${concatStringsSep " " cfg.extraOptions} + ''; + + TimeoutStopSec = "120"; + }; + }; + + systemd.mounts = map (fs: { + requires = [ "orangefs-client.service" ]; + after = [ "orangefs-client.service" ]; + bindsTo = [ "orangefs-client.service" ]; + wantedBy = [ "remote-fs.target" ]; + type = "pvfs2"; + options = concatStringsSep "," fs.options; + what = fs.target; + where = fs.mountPoint; + }) cfg.fileSystems; + }; +} + diff --git a/nixpkgs/nixos/modules/services/network-filesystems/orangefs/server.nix b/nixpkgs/nixos/modules/services/network-filesystems/orangefs/server.nix new file mode 100644 index 000000000000..74ebdc134024 --- /dev/null +++ b/nixpkgs/nixos/modules/services/network-filesystems/orangefs/server.nix @@ -0,0 +1,225 @@ +{ config, lib, pkgs, ...} : + +with lib; + +let + cfg = config.services.orangefs.server; + + aliases = mapAttrsToList (alias: url: alias) cfg.servers; + + # Maximum handle number is 2^63 + maxHandle = 9223372036854775806; + + # One range of handles for each meta/data instance + handleStep = maxHandle / (length aliases) / 2; + + fileSystems = mapAttrsToList (name: fs: '' + <FileSystem> + Name ${name} + ID ${toString fs.id} + RootHandle ${toString fs.rootHandle} + + ${fs.extraConfig} + + <MetaHandleRanges> + ${concatStringsSep "\n" ( + imap0 (i: alias: + let + begin = i * handleStep + 3; + end = begin + handleStep - 1; + in "Range ${alias} ${toString begin}-${toString end}") aliases + )} + </MetaHandleRanges> + + <DataHandleRanges> + ${concatStringsSep "\n" ( + imap0 (i: alias: + let + begin = i * handleStep + 3 + (length aliases) * handleStep; + end = begin + handleStep - 1; + in "Range ${alias} ${toString begin}-${toString end}") aliases + )} + </DataHandleRanges> + + <StorageHints> + TroveSyncMeta ${if fs.troveSyncMeta then "yes" else "no"} + TroveSyncData ${if fs.troveSyncData then "yes" else "no"} + ${fs.extraStorageHints} + </StorageHints> + + </FileSystem> + '') cfg.fileSystems; + + configFile = '' + <Defaults> + LogType ${cfg.logType} + DataStorageSpace ${cfg.dataStorageSpace} + MetaDataStorageSpace ${cfg.metadataStorageSpace} + + BMIModules ${concatStringsSep "," cfg.BMIModules} + ${cfg.extraDefaults} + </Defaults> + + ${cfg.extraConfig} + + <Aliases> + ${concatStringsSep "\n" (mapAttrsToList (alias: url: "Alias ${alias} ${url}") cfg.servers)} + </Aliases> + + ${concatStringsSep "\n" fileSystems} + ''; + +in { + ###### interface + + options = { + services.orangefs.server = { + enable = mkEnableOption "OrangeFS server"; + + logType = mkOption { + type = with types; enum [ "file" "syslog" ]; + default = "syslog"; + description = "Destination for log messages."; + }; + + dataStorageSpace = mkOption { + type = types.str; + default = null; + example = "/data/storage"; + description = "Directory for data storage."; + }; + + metadataStorageSpace = mkOption { + type = types.str; + default = null; + example = "/data/meta"; + description = "Directory for meta data storage."; + }; + + BMIModules = mkOption { + type = with types; listOf str; + default = [ "bmi_tcp" ]; + example = [ "bmi_tcp" "bmi_ib"]; + description = "List of BMI modules to load."; + }; + + extraDefaults = mkOption { + type = types.lines; + default = ""; + description = "Extra config for <literal><Defaults></literal> section."; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = "Extra config for the global section."; + }; + + servers = mkOption { + type = with types; attrsOf types.str; + default = {}; + example = '' + { + node1="tcp://node1:3334"; + node2="tcp://node2:3334"; + } + ''; + description = "URLs for storage server including port. The attribute names define the server alias."; + }; + + fileSystems = mkOption { + description = '' + These options will create the <literal><FileSystem></literal> sections of config file. + ''; + default = { orangefs = {}; }; + defaultText = literalExample "{ orangefs = {}; }"; + example = literalExample '' + { + fs1 = { + id = 101; + }; + + fs2 = { + id = 102; + }; + } + ''; + type = with types; attrsOf (submodule ({ ... } : { + options = { + id = mkOption { + type = types.int; + default = 1; + description = "File system ID (must be unique within configuration)."; + }; + + rootHandle = mkOption { + type = types.int; + default = 3; + description = "File system root ID."; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = "Extra config for <literal><FileSystem></literal> section."; + }; + + troveSyncMeta = mkOption { + type = types.bool; + default = true; + description = "Sync meta data."; + }; + + troveSyncData = mkOption { + type = types.bool; + default = false; + description = "Sync data."; + }; + + extraStorageHints = mkOption { + type = types.lines; + default = ""; + description = "Extra config for <literal><StorageHints></literal> section."; + }; + }; + })); + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.orangefs ]; + + # orangefs daemon will run as user + users.users.orangefs.isSystemUser = true; + users.groups.orangefs = {}; + + # To format the file system the config file is needed. + environment.etc."orangefs/server.conf" = { + text = configFile; + user = "orangefs"; + group = "orangefs"; + }; + + systemd.services.orangefs-server = { + wantedBy = [ "multi-user.target" ]; + requires = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + serviceConfig = { + # Run as "simple" in forground mode. + # This is more reliable + ExecStart = '' + ${pkgs.orangefs}/bin/pvfs2-server -d \ + /etc/orangefs/server.conf + ''; + TimeoutStopSec = "120"; + User = "orangefs"; + Group = "orangefs"; + }; + }; + }; + +} diff --git a/nixpkgs/nixos/modules/services/network-filesystems/samba.nix b/nixpkgs/nixos/modules/services/network-filesystems/samba.nix index 055508a32244..a3c22ce69484 100644 --- a/nixpkgs/nixos/modules/services/network-filesystems/samba.nix +++ b/nixpkgs/nixos/modules/services/network-filesystems/samba.nix @@ -12,11 +12,6 @@ let samba = cfg.package; - setupScript = - '' - mkdir -p /var/lock/samba /var/log/samba /var/cache/samba /var/lib/samba/private - ''; - shareConfig = name: let share = getAttr name cfg.shares; in "[${name}]\n " + (smbToString ( @@ -45,6 +40,7 @@ let daemonService = appName: args: { description = "Samba Service Daemon ${appName}"; + after = [ (mkIf (cfg.enableNmbd && "${appName}" == "smbd") "samba-nmbd.service") ]; requiredBy = [ "samba.target" ]; partOf = [ "samba.target" ]; @@ -61,6 +57,7 @@ let Type = "notify"; NotifyAccess = "all"; #may not do anything... }; + unitConfig.RequiresMountsFor = "/var/lib/samba"; restartTriggers = [ configFile ]; }; @@ -68,6 +65,9 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "samba" "defaultShare" ] "") + ]; ###### interface @@ -118,7 +118,7 @@ in type = types.package; default = pkgs.samba; defaultText = "pkgs.samba"; - example = literalExample "pkgs.samba3"; + example = literalExample "pkgs.samba4Full"; description = '' Defines which package should be used for the samba server. ''; @@ -227,8 +227,7 @@ in systemd = { targets.samba = { description = "Samba Server"; - requires = [ "samba-setup.service" ]; - after = [ "samba-setup.service" "network.target" ]; + after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; }; # Refer to https://github.com/samba-team/samba/tree/master/packaging/systemd @@ -237,12 +236,13 @@ in samba-smbd = daemonService "smbd" ""; samba-nmbd = mkIf cfg.enableNmbd (daemonService "nmbd" ""); samba-winbindd = mkIf cfg.enableWinbindd (daemonService "winbindd" ""); - samba-setup = { - description = "Samba Setup Task"; - script = setupScript; - unitConfig.RequiresMountsFor = "/var/lib/samba"; - }; }; + tmpfiles.rules = [ + "d /var/lock/samba - - - - -" + "d /var/log/samba - - - - -" + "d /var/cache/samba - - - - -" + "d /var/lib/samba/private - - - - -" + ]; }; security.pam.services.samba = {}; diff --git a/nixpkgs/nixos/modules/services/networking/3proxy.nix b/nixpkgs/nixos/modules/services/networking/3proxy.nix new file mode 100644 index 000000000000..26aa16679467 --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/3proxy.nix @@ -0,0 +1,424 @@ +{ config, lib, pkgs, ... }: +with lib; +let + pkg = pkgs._3proxy; + cfg = config.services._3proxy; + optionalList = list: if list == [ ] then "*" else concatMapStringsSep "," toString list; +in { + options.services._3proxy = { + enable = mkEnableOption "3proxy"; + confFile = mkOption { + type = types.path; + example = "/var/lib/3proxy/3proxy.conf"; + description = '' + Ignore all other 3proxy options and load configuration from this file. + ''; + }; + usersFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/var/lib/3proxy/3proxy.passwd"; + description = '' + Load users and passwords from this file. + + Example users file with plain-text passwords: + + <literal> + test1:CL:password1 + test2:CL:password2 + </literal> + + Example users file with md5-crypted passwords: + + <literal> + test1:CR:$1$tFkisVd2$1GA8JXkRmTXdLDytM/i3a1 + test2:CR:$1$rkpibm5J$Aq1.9VtYAn0JrqZ8M.1ME. + </literal> + + You can generate md5-crypted passwords via https://unix4lyfe.org/crypt/ + Note that htpasswd tool generates incompatible md5-crypted passwords. + Consult <link xlink:href="https://github.com/z3APA3A/3proxy/wiki/How-To-(incomplete)#USERS">documentation</link> for more information. + ''; + }; + services = mkOption { + type = types.listOf (types.submodule { + options = { + type = mkOption { + type = types.enum [ + "proxy" + "socks" + "pop3p" + "ftppr" + "admin" + "dnspr" + "tcppm" + "udppm" + ]; + example = "proxy"; + description = '' + Service type. The following values are valid: + + <itemizedlist> + <listitem><para> + <literal>"proxy"</literal>: HTTP/HTTPS proxy (default port 3128). + </para></listitem> + <listitem><para> + <literal>"socks"</literal>: SOCKS 4/4.5/5 proxy (default port 1080). + </para></listitem> + <listitem><para> + <literal>"pop3p"</literal>: POP3 proxy (default port 110). + </para></listitem> + <listitem><para> + <literal>"ftppr"</literal>: FTP proxy (default port 21). + </para></listitem> + <listitem><para> + <literal>"admin"</literal>: Web interface (default port 80). + </para></listitem> + <listitem><para> + <literal>"dnspr"</literal>: Caching DNS proxy (default port 53). + </para></listitem> + <listitem><para> + <literal>"tcppm"</literal>: TCP portmapper. + </para></listitem> + <listitem><para> + <literal>"udppm"</literal>: UDP portmapper. + </para></listitem> + </itemizedlist> + ''; + }; + bindAddress = mkOption { + type = types.str; + default = "[::]"; + example = "127.0.0.1"; + description = '' + Address used for service. + ''; + }; + bindPort = mkOption { + type = types.nullOr types.int; + default = null; + example = 3128; + description = '' + Override default port used for service. + ''; + }; + maxConnections = mkOption { + type = types.int; + default = 100; + example = 1000; + description = '' + Maximum number of simulationeous connections to this service. + ''; + }; + auth = mkOption { + type = types.listOf (types.enum [ "none" "iponly" "strong" ]); + example = [ "iponly" "strong" ]; + description = '' + Authentication type. The following values are valid: + + <itemizedlist> + <listitem><para> + <literal>"none"</literal>: disables both authentication and authorization. You can not use ACLs. + </para></listitem> + <listitem><para> + <literal>"iponly"</literal>: specifies no authentication. ACLs authorization is used. + </para></listitem> + <listitem><para> + <literal>"strong"</literal>: authentication by username/password. If user is not registered his access is denied regardless of ACLs. + </para></listitem> + </itemizedlist> + + Double authentication is possible, e.g. + + <literal> + { + auth = [ "iponly" "strong" ]; + acl = [ + { + rule = "allow"; + targets = [ "192.168.0.0/16" ]; + } + { + rule = "allow" + users = [ "user1" "user2" ]; + } + ]; + } + </literal> + In this example strong username authentication is not required to access 192.168.0.0/16. + ''; + }; + acl = mkOption { + type = types.listOf (types.submodule { + options = { + rule = mkOption { + type = types.enum [ "allow" "deny" ]; + example = "allow"; + description = '' + ACL rule. The following values are valid: + + <itemizedlist> + <listitem><para> + <literal>"allow"</literal>: connections allowed. + </para></listitem> + <listitem><para> + <literal>"deny"</literal>: connections not allowed. + </para></listitem> + </itemizedlist> + ''; + }; + users = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "user1" "user2" "user3" ]; + description = '' + List of users, use empty list for any. + ''; + }; + sources = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "127.0.0.1" "192.168.1.0/24" ]; + description = '' + List of source IP range, use empty list for any. + ''; + }; + targets = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "127.0.0.1" "192.168.1.0/24" ]; + description = '' + List of target IP ranges, use empty list for any. + May also contain host names instead of addresses. + It's possible to use wildmask in the begginning and in the the end of hostname, e.g. *badsite.com or *badcontent*. + Hostname is only checked if hostname presents in request. + ''; + }; + targetPorts = mkOption { + type = types.listOf types.int; + default = [ ]; + example = [ 80 443 ]; + description = '' + List of target ports, use empty list for any. + ''; + }; + }; + }); + default = [ ]; + example = literalExample '' + [ + { + rule = "allow"; + users = [ "user1" ]; + } + { + rule = "allow"; + sources = [ "192.168.1.0/24" ]; + } + { + rule = "deny"; + } + ] + ''; + description = '' + Use this option to limit user access to resources. + ''; + }; + extraArguments = mkOption { + type = types.nullOr types.str; + default = null; + example = "-46"; + description = '' + Extra arguments for service. + Consult "Options" section in <link xlink:href="https://github.com/z3APA3A/3proxy/wiki/3proxy.cfg">documentation</link> for available arguments. + ''; + }; + extraConfig = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + Extra configuration for service. Use this to configure things like bandwidth limiter or ACL-based redirection. + Consult <link xlink:href="https://github.com/z3APA3A/3proxy/wiki/3proxy.cfg">documentation</link> for available options. + ''; + }; + }; + }); + default = [ ]; + example = literalExample '' + [ + { + type = "proxy"; + bindAddress = "192.168.1.24"; + bindPort = 3128; + auth = [ "none" ]; + } + { + type = "proxy"; + bindAddress = "10.10.1.20"; + bindPort = 3128; + auth = [ "iponly" ]; + } + { + type = "socks"; + bindAddress = "172.17.0.1"; + bindPort = 1080; + auth = [ "strong" ]; + } + ] + ''; + description = '' + Use this option to define 3proxy services. + ''; + }; + denyPrivate = mkOption { + type = types.bool; + default = true; + description = '' + Whether to deny access to private IP ranges including loopback. + ''; + }; + privateRanges = mkOption { + type = types.listOf types.str; + default = [ + "0.0.0.0/8" + "127.0.0.0/8" + "10.0.0.0/8" + "100.64.0.0/10" + "172.16.0.0/12" + "192.168.0.0/16" + "::" + "::1" + "fc00::/7" + ]; + example = [ + "0.0.0.0/8" + "127.0.0.0/8" + "10.0.0.0/8" + "100.64.0.0/10" + "172.16.0.0/12" + "192.168.0.0/16" + "::" + "::1" + "fc00::/7" + ]; + description = '' + What IP ranges to deny access when denyPrivate is set tu true. + ''; + }; + resolution = mkOption { + type = types.submodule { + options = { + nserver = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "127.0.0.53" "192.168.1.3:5353/tcp" ]; + description = '' + List of nameservers to use. + + Up to 5 nservers may be specified. If no nserver is configured, + default system name resolution functions are used. + ''; + }; + nscache = mkOption { + type = types.int; + default = 65535; + example = 65535; + description = "Set name cache size for IPv4."; + }; + nscache6 = mkOption { + type = types.int; + default = 65535; + example = 65535; + description = "Set name cache size for IPv6."; + }; + nsrecord = mkOption { + type = types.attrsOf types.str; + default = { }; + example = { + "files.local" = "192.168.1.12"; + "site.local" = "192.168.1.43"; + }; + description = "Adds static nsrecords."; + }; + }; + }; + default = { }; + description = '' + Use this option to configure name resolution and DNS caching. + ''; + }; + extraConfig = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + Extra configuration, appended to the 3proxy configuration file. + Consult <link xlink:href="https://github.com/z3APA3A/3proxy/wiki/3proxy.cfg">documentation</link> for available options. + ''; + }; + }; + + config = mkIf cfg.enable { + services._3proxy.confFile = mkDefault (pkgs.writeText "3proxy.conf" '' + # log to stdout + log + + ${concatMapStringsSep "\n" (x: "nserver " + x) cfg.resolution.nserver} + + nscache ${toString cfg.resolution.nscache} + nscache6 ${toString cfg.resolution.nscache6} + + ${concatMapStringsSep "\n" (x: "nsrecord " + x) + (mapAttrsToList (name: value: "${name} ${value}") + cfg.resolution.nsrecord)} + + ${optionalString (cfg.usersFile != null) + ''users $"${cfg.usersFile}"'' + } + + ${concatMapStringsSep "\n" (service: '' + auth ${concatStringsSep " " service.auth} + + ${optionalString (cfg.denyPrivate) + "deny * * ${optionalList cfg.privateRanges}"} + + ${concatMapStringsSep "\n" (acl: + "${acl.rule} ${ + concatMapStringsSep " " optionalList [ + acl.users + acl.sources + acl.targets + acl.targetPorts + ] + }") service.acl} + + maxconn ${toString service.maxConnections} + + ${optionalString (service.extraConfig != null) service.extraConfig} + + ${service.type} -i${toString service.bindAddress} ${ + optionalString (service.bindPort != null) + "-p${toString service.bindPort}" + } ${ + optionalString (service.extraArguments != null) service.extraArguments + } + + flush + '') cfg.services} + ${optionalString (cfg.extraConfig != null) cfg.extraConfig} + ''); + systemd.services."3proxy" = { + description = "Tiny free proxy server"; + documentation = [ "https://github.com/z3APA3A/3proxy/wiki" ]; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + DynamicUser = true; + StateDirectory = "3proxy"; + ExecStart = "${pkg}/bin/3proxy ${cfg.confFile}"; + Restart = "on-failure"; + }; + }; + }; + + meta.maintainers = with maintainers; [ misuzu ]; +} diff --git a/nixpkgs/nixos/modules/services/networking/bind.nix b/nixpkgs/nixos/modules/services/networking/bind.nix index 06af4dbcca4e..e3b95afb3d86 100644 --- a/nixpkgs/nixos/modules/services/networking/bind.nix +++ b/nixpkgs/nixos/modules/services/networking/bind.nix @@ -78,7 +78,11 @@ in cacheNetworks = mkOption { default = ["127.0.0.0/24"]; description = " - What networks are allowed to use us as a resolver. + What networks are allowed to use us as a resolver. Note + that this is for recursive queries -- all networks are + allowed to query zones configured with the `zones` option. + It is recommended that you limit cacheNetworks to avoid your + server being used for DNS amplification attacks. "; }; @@ -174,9 +178,8 @@ in networking.resolvconf.useLocalResolver = mkDefault true; - users.users = singleton - { name = bindUser; - uid = config.ids.uids.bind; + users.users.${bindUser} = + { uid = config.ids.uids.bind; description = "BIND daemon user"; }; diff --git a/nixpkgs/nixos/modules/services/networking/bitcoind.nix b/nixpkgs/nixos/modules/services/networking/bitcoind.nix index 1439d739da9d..4e00a8865474 100644 --- a/nixpkgs/nixos/modules/services/networking/bitcoind.nix +++ b/nixpkgs/nixos/modules/services/networking/bitcoind.nix @@ -177,9 +177,6 @@ in { NoNewPrivileges = "true"; PrivateDevices = "true"; MemoryDenyWriteExecute = "true"; - - # Permission for preStart - PermissionsStartOnly = "true"; }; }; users.users.${cfg.user} = { @@ -187,6 +184,7 @@ in { group = cfg.group; description = "Bitcoin daemon user"; home = cfg.dataDir; + isSystemUser = true; }; users.groups.${cfg.group} = { name = cfg.group; diff --git a/nixpkgs/nixos/modules/services/networking/bitlbee.nix b/nixpkgs/nixos/modules/services/networking/bitlbee.nix index 274b36171608..54fe70f7ccc0 100644 --- a/nixpkgs/nixos/modules/services/networking/bitlbee.nix +++ b/nixpkgs/nixos/modules/services/networking/bitlbee.nix @@ -161,8 +161,7 @@ in config = mkMerge [ (mkIf config.services.bitlbee.enable { - users.users = singleton { - name = "bitlbee"; + users.users.bitlbee = { uid = bitlbeeUid; description = "BitlBee user"; home = "/var/lib/bitlbee"; diff --git a/nixpkgs/nixos/modules/services/networking/charybdis.nix b/nixpkgs/nixos/modules/services/networking/charybdis.nix index da26246e703e..43829d36e417 100644 --- a/nixpkgs/nixos/modules/services/networking/charybdis.nix +++ b/nixpkgs/nixos/modules/services/networking/charybdis.nix @@ -71,15 +71,13 @@ in config = mkIf cfg.enable (lib.mkMerge [ { - users.users = singleton { - name = cfg.user; + users.users.${cfg.user} = { description = "Charybdis IRC daemon user"; uid = config.ids.uids.ircd; group = cfg.group; }; - users.groups = singleton { - name = cfg.group; + users.groups.${cfg.group} = { gid = config.ids.gids.ircd; }; diff --git a/nixpkgs/nixos/modules/services/networking/connman.nix b/nixpkgs/nixos/modules/services/networking/connman.nix index 31127f790499..e8eadc4e187d 100644 --- a/nixpkgs/nixos/modules/services/networking/connman.nix +++ b/nixpkgs/nixos/modules/services/networking/connman.nix @@ -4,20 +4,25 @@ with pkgs; with lib; let - cfg = config.networking.connman; + cfg = config.services.connman; configFile = pkgs.writeText "connman.conf" '' [General] NetworkInterfaceBlacklist=${concatStringsSep "," cfg.networkInterfaceBlacklist} ${cfg.extraConfig} ''; + enableIwd = cfg.wifi.backend == "iwd"; in { + imports = [ + (mkRenamedOptionModule [ "networking" "connman" ] [ "services" "connman" ]) + ]; + ###### interface options = { - networking.connman = { + services.connman = { enable = mkOption { type = types.bool; @@ -52,6 +57,17 @@ in { ''; }; + wifi = { + backend = mkOption { + type = types.enum [ "wpa_supplicant" "iwd" ]; + default = "wpa_supplicant"; + description = '' + Specify the Wi-Fi backend used. + Currently supported are <option>wpa_supplicant</option> or <option>iwd</option>. + ''; + }; + }; + extraFlags = mkOption { type = with types; listOf str; default = [ ]; @@ -71,13 +87,10 @@ in { assertions = [{ assertion = !config.networking.useDHCP; - message = "You can not use services.networking.connman with services.networking.useDHCP"; - }{ - assertion = config.networking.wireless.enable; - message = "You must use services.networking.connman with services.networking.wireless"; + message = "You can not use services.connman with networking.useDHCP"; }{ assertion = !config.networking.networkmanager.enable; - message = "You can not use services.networking.connman with services.networking.networkmanager"; + message = "You can not use services.connman with networking.networkmanager"; }]; environment.systemPackages = [ connman ]; @@ -85,12 +98,18 @@ in { systemd.services.connman = { description = "Connection service"; wantedBy = [ "multi-user.target" ]; - after = [ "syslog.target" ]; + after = [ "syslog.target" ] ++ optional enableIwd "iwd.service"; + requires = optional enableIwd "iwd.service"; serviceConfig = { Type = "dbus"; BusName = "net.connman"; Restart = "on-failure"; - ExecStart = "${pkgs.connman}/sbin/connmand --config=${configFile} --nodaemon ${toString cfg.extraFlags}"; + ExecStart = toString ([ + "${pkgs.connman}/sbin/connmand" + "--config=${configFile}" + "--nodaemon" + ] ++ optional enableIwd "--wifi=iwd_agent" + ++ cfg.extraFlags); StandardOutput = "null"; }; }; @@ -121,7 +140,12 @@ in { networking = { useDHCP = false; - wireless.enable = true; + wireless = { + enable = mkIf (!enableIwd) true; + iwd = mkIf enableIwd { + enable = true; + }; + }; networkmanager.enable = false; }; }; diff --git a/nixpkgs/nixos/modules/services/networking/coturn.nix b/nixpkgs/nixos/modules/services/networking/coturn.nix index c430ce5af92a..1bfbc307c59d 100644 --- a/nixpkgs/nixos/modules/services/networking/coturn.nix +++ b/nixpkgs/nixos/modules/services/networking/coturn.nix @@ -294,16 +294,14 @@ in { }; config = mkIf cfg.enable { - users.users = [ - { name = "turnserver"; - uid = config.ids.uids.turnserver; + users.users.turnserver = + { uid = config.ids.uids.turnserver; description = "coturn TURN server user"; - } ]; - users.groups = [ - { name = "turnserver"; - gid = config.ids.gids.turnserver; + }; + users.groups.turnserver = + { gid = config.ids.gids.turnserver; members = [ "turnserver" ]; - } ]; + }; systemd.services.coturn = { description = "coturn TURN server"; diff --git a/nixpkgs/nixos/modules/services/networking/ddclient.nix b/nixpkgs/nixos/modules/services/networking/ddclient.nix index 04ce5ca3a874..053efe712709 100644 --- a/nixpkgs/nixos/modules/services/networking/ddclient.nix +++ b/nixpkgs/nixos/modules/services/networking/ddclient.nix @@ -30,6 +30,14 @@ with lib; { + imports = [ + (mkChangedOptionModule [ "services" "ddclient" "domain" ] [ "services" "ddclient" "domains" ] + (config: + let value = getAttrFromPath [ "services" "ddclient" "domain" ] config; + in if value != "" then [ value ] else [])) + (mkRemovedOptionModule [ "services" "ddclient" "homeDir" ] "") + ]; + ###### interface options = { diff --git a/nixpkgs/nixos/modules/services/networking/dhcpcd.nix b/nixpkgs/nixos/modules/services/networking/dhcpcd.nix index 7b2786034552..6fbc014db718 100644 --- a/nixpkgs/nixos/modules/services/networking/dhcpcd.nix +++ b/nixpkgs/nixos/modules/services/networking/dhcpcd.nix @@ -185,11 +185,7 @@ in environment.systemPackages = [ dhcpcd ]; - environment.etc = - [ { source = exitHook; - target = "dhcpcd.exit-hook"; - } - ]; + environment.etc."dhcpcd.exit-hook".source = exitHook; powerManagement.resumeCommands = mkIf config.systemd.services.dhcpcd.enable '' diff --git a/nixpkgs/nixos/modules/services/networking/dhcpd.nix b/nixpkgs/nixos/modules/services/networking/dhcpd.nix index 0b2063bc4246..67f7d8118870 100644 --- a/nixpkgs/nixos/modules/services/networking/dhcpd.nix +++ b/nixpkgs/nixos/modules/services/networking/dhcpd.nix @@ -182,6 +182,10 @@ in { + imports = [ + (mkRenamedOptionModule [ "services" "dhcpd" ] [ "services" "dhcpd4" ]) + ]; + ###### interface options = { diff --git a/nixpkgs/nixos/modules/services/networking/dnscache.nix b/nixpkgs/nixos/modules/services/networking/dnscache.nix index 5051fc916d96..d123bca93219 100644 --- a/nixpkgs/nixos/modules/services/networking/dnscache.nix +++ b/nixpkgs/nixos/modules/services/networking/dnscache.nix @@ -84,7 +84,7 @@ in { config = mkIf config.services.dnscache.enable { environment.systemPackages = [ pkgs.djbdns ]; - users.users.dnscache = {}; + users.users.dnscache.isSystemUser = true; systemd.services.dnscache = { description = "djbdns dnscache server"; diff --git a/nixpkgs/nixos/modules/services/networking/dnschain.nix b/nixpkgs/nixos/modules/services/networking/dnschain.nix index 5b58ea9b0c91..003609ea7054 100644 --- a/nixpkgs/nixos/modules/services/networking/dnschain.nix +++ b/nixpkgs/nixos/modules/services/networking/dnschain.nix @@ -137,7 +137,7 @@ in ]; services.pdns-recursor = mkIf cfgs.pdns-recursor.resolveDNSChainQueries { - forwardZones = + forwardZonesRecurse = { bit = "127.0.0.1:${toString cfg.dns.port}"; dns = "127.0.0.1:${toString cfg.dns.port}"; }; @@ -147,8 +147,7 @@ in ''; }; - users.users = singleton { - name = username; + users.users.${username} = { description = "DNSChain daemon user"; home = dataDir; createHome = true; @@ -180,4 +179,6 @@ in }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/networking/dnscrypt-wrapper.nix b/nixpkgs/nixos/modules/services/networking/dnscrypt-wrapper.nix index bf13d5c6f5fe..e53fb7a15782 100644 --- a/nixpkgs/nixos/modules/services/networking/dnscrypt-wrapper.nix +++ b/nixpkgs/nixos/modules/services/networking/dnscrypt-wrapper.nix @@ -142,6 +142,7 @@ in { description = "dnscrypt-wrapper daemon user"; home = "${dataDir}"; createHome = true; + isSystemUser = true; }; users.groups.dnscrypt-wrapper = { }; @@ -196,4 +197,7 @@ in { }; }; + + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/networking/dnsdist.nix b/nixpkgs/nixos/modules/services/networking/dnsdist.nix index 12eee136e639..8249da69bc1a 100644 --- a/nixpkgs/nixos/modules/services/networking/dnsdist.nix +++ b/nixpkgs/nixos/modules/services/networking/dnsdist.nix @@ -46,11 +46,10 @@ in { RestartSec="1"; DynamicUser = true; StartLimitInterval="0"; - PrivateTmp=true; PrivateDevices=true; - CapabilityBoundingSet="CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID"; + AmbientCapabilities="CAP_NET_BIND_SERVICE"; + CapabilityBoundingSet="CAP_NET_BIND_SERVICE"; ExecStart = "${pkgs.dnsdist}/bin/dnsdist --supervised --disable-syslog --config ${configFile}"; - ProtectSystem="full"; ProtectHome=true; RestrictAddressFamilies="AF_UNIX AF_INET AF_INET6"; LimitNOFILE="16384"; diff --git a/nixpkgs/nixos/modules/services/networking/dnsmasq.nix b/nixpkgs/nixos/modules/services/networking/dnsmasq.nix index 714a5903bff1..377d7bc57058 100644 --- a/nixpkgs/nixos/modules/services/networking/dnsmasq.nix +++ b/nixpkgs/nixos/modules/services/networking/dnsmasq.nix @@ -86,8 +86,7 @@ in services.dbus.packages = [ dnsmasq ]; - users.users = singleton { - name = "dnsmasq"; + users.users.dnsmasq = { uid = config.ids.uids.dnsmasq; description = "Dnsmasq daemon user"; }; diff --git a/nixpkgs/nixos/modules/services/networking/ejabberd.nix b/nixpkgs/nixos/modules/services/networking/ejabberd.nix index 6a38f85c48a2..a5af25b983b9 100644 --- a/nixpkgs/nixos/modules/services/networking/ejabberd.nix +++ b/nixpkgs/nixos/modules/services/networking/ejabberd.nix @@ -94,18 +94,18 @@ in { config = mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; - users.users = optionalAttrs (cfg.user == "ejabberd") (singleton - { name = "ejabberd"; + users.users = optionalAttrs (cfg.user == "ejabberd") { + ejabberd = { group = cfg.group; home = cfg.spoolDir; createHome = true; uid = config.ids.uids.ejabberd; - }); + }; + }; - users.groups = optionalAttrs (cfg.group == "ejabberd") (singleton - { name = "ejabberd"; - gid = config.ids.gids.ejabberd; - }); + users.groups = optionalAttrs (cfg.group == "ejabberd") { + ejabberd.gid = config.ids.gids.ejabberd; + }; systemd.services.ejabberd = { description = "ejabberd server"; diff --git a/nixpkgs/nixos/modules/services/networking/eternal-terminal.nix b/nixpkgs/nixos/modules/services/networking/eternal-terminal.nix index be7337ece7e4..a2e5b30dc0f0 100644 --- a/nixpkgs/nixos/modules/services/networking/eternal-terminal.nix +++ b/nixpkgs/nixos/modules/services/networking/eternal-terminal.nix @@ -23,6 +23,8 @@ in type = types.int; description = '' The port the server should listen on. Will use the server's default (2022) if not specified. + + Make sure to open this port in the firewall if necessary. ''; }; @@ -86,4 +88,8 @@ in }; }; }; + + meta = { + maintainers = with lib.maintainers; [ pingiun ]; + }; } diff --git a/nixpkgs/nixos/modules/services/networking/fakeroute.nix b/nixpkgs/nixos/modules/services/networking/fakeroute.nix index 82a9fb729d84..7916ad4098a7 100644 --- a/nixpkgs/nixos/modules/services/networking/fakeroute.nix +++ b/nixpkgs/nixos/modules/services/networking/fakeroute.nix @@ -60,4 +60,6 @@ in }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/networking/firewall.nix b/nixpkgs/nixos/modules/services/networking/firewall.nix index 5b3aa19af3bb..15aaf7410674 100644 --- a/nixpkgs/nixos/modules/services/networking/firewall.nix +++ b/nixpkgs/nixos/modules/services/networking/firewall.nix @@ -42,16 +42,7 @@ let kernelHasRPFilter = ((kernel.config.isEnabled or (x: false)) "IP_NF_MATCH_RPFILTER") || (kernel.features.netfilterRPFilter or false); - helpers = - '' - # Helper command to manipulate both the IPv4 and IPv6 tables. - ip46tables() { - iptables -w "$@" - ${optionalString config.networking.enableIPv6 '' - ip6tables -w "$@" - ''} - } - ''; + helpers = import ./helpers.nix { inherit config lib; }; writeShScript = name: text: let dir = pkgs.writeScriptBin name '' #! ${pkgs.runtimeShell} -e @@ -271,7 +262,7 @@ let apply = canonicalizePortList; example = [ 22 80 ]; description = - '' + '' List of TCP ports on which incoming connections are accepted. ''; @@ -282,7 +273,7 @@ let default = [ ]; example = [ { from = 8999; to = 9003; } ]; description = - '' + '' A range of TCP ports on which incoming connections are accepted. ''; @@ -331,6 +322,17 @@ in ''; }; + package = mkOption { + type = types.package; + default = pkgs.iptables; + defaultText = "pkgs.iptables"; + example = literalExample "pkgs.iptables-nftables-compat"; + description = + '' + The iptables package to use for running the firewall service." + ''; + }; + logRefusedConnections = mkOption { type = types.bool; default = true; @@ -536,7 +538,7 @@ in networking.firewall.trustedInterfaces = [ "lo" ]; - environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages; + environment.systemPackages = [ cfg.package ] ++ cfg.extraPackages; boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack") ++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules; @@ -555,7 +557,7 @@ in before = [ "network-pre.target" ]; after = [ "systemd-modules-load.service" ]; - path = [ pkgs.iptables ] ++ cfg.extraPackages; + path = [ cfg.package ] ++ cfg.extraPackages; # FIXME: this module may also try to load kernel modules, but # containers don't have CAP_SYS_MODULE. So the host system had diff --git a/nixpkgs/nixos/modules/services/networking/gale.nix b/nixpkgs/nixos/modules/services/networking/gale.nix index 7083d87c4073..cb954fd836bc 100644 --- a/nixpkgs/nixos/modules/services/networking/gale.nix +++ b/nixpkgs/nixos/modules/services/networking/gale.nix @@ -104,14 +104,13 @@ in systemPackages = [ pkgs.gale ]; }; - users.users = [{ - name = cfg.user; + users.users.${cfg.user} = { description = "Gale daemon"; uid = config.ids.uids.gale; group = cfg.group; home = home; createHome = true; - }]; + }; users.groups = [{ name = cfg.group; diff --git a/nixpkgs/nixos/modules/services/networking/git-daemon.nix b/nixpkgs/nixos/modules/services/networking/git-daemon.nix index a638a3083fba..6f2e149433f3 100644 --- a/nixpkgs/nixos/modules/services/networking/git-daemon.nix +++ b/nixpkgs/nixos/modules/services/networking/git-daemon.nix @@ -104,16 +104,16 @@ in config = mkIf cfg.enable { - users.users = if cfg.user != "git" then {} else singleton - { name = "git"; + users.users = optionalAttrs (cfg.user != "git") { + git = { uid = config.ids.uids.git; description = "Git daemon user"; }; + }; - users.groups = if cfg.group != "git" then {} else singleton - { name = "git"; - gid = config.ids.gids.git; - }; + users.groups = optionalAttrs (cfg.group != "git") { + git.gid = config.ids.gids.git; + }; systemd.services.git-daemon = { after = [ "network.target" ]; diff --git a/nixpkgs/nixos/modules/services/networking/gnunet.nix b/nixpkgs/nixos/modules/services/networking/gnunet.nix index 178a832c166e..69d4ed047756 100644 --- a/nixpkgs/nixos/modules/services/networking/gnunet.nix +++ b/nixpkgs/nixos/modules/services/networking/gnunet.nix @@ -42,6 +42,7 @@ in services.gnunet = { enable = mkOption { + type = types.bool; default = false; description = '' Whether to run the GNUnet daemon. GNUnet is GNU's anonymous @@ -51,6 +52,7 @@ in fileSharing = { quota = mkOption { + type = types.int; default = 1024; description = '' Maximum file system usage (in MiB) for file sharing. @@ -60,6 +62,7 @@ in udp = { port = mkOption { + type = types.port; default = 2086; # assigned by IANA description = '' The UDP port for use by GNUnet. @@ -69,6 +72,7 @@ in tcp = { port = mkOption { + type = types.port; default = 2086; # assigned by IANA description = '' The TCP port for use by GNUnet. @@ -78,6 +82,7 @@ in load = { maxNetDownBandwidth = mkOption { + type = types.int; default = 50000; description = '' Maximum bandwidth usage (in bits per second) for GNUnet @@ -86,6 +91,7 @@ in }; maxNetUpBandwidth = mkOption { + type = types.int; default = 50000; description = '' Maximum bandwidth usage (in bits per second) for GNUnet @@ -94,6 +100,7 @@ in }; hardNetUpBandwidth = mkOption { + type = types.int; default = 0; description = '' Hard bandwidth limit (in bits per second) when uploading @@ -111,6 +118,7 @@ in }; extraOptions = mkOption { + type = types.lines; default = ""; description = '' Additional options that will be copied verbatim in `gnunet.conf'. diff --git a/nixpkgs/nixos/modules/services/networking/go-shadowsocks2.nix b/nixpkgs/nixos/modules/services/networking/go-shadowsocks2.nix new file mode 100644 index 000000000000..afbd7ea27c65 --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/go-shadowsocks2.nix @@ -0,0 +1,30 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.go-shadowsocks2.server; +in { + options.services.go-shadowsocks2.server = { + enable = mkEnableOption "go-shadowsocks2 server"; + + listenAddress = mkOption { + type = types.str; + description = "Server listen address or URL"; + example = "ss://AEAD_CHACHA20_POLY1305:your-password@:8488"; + }; + }; + + config = mkIf cfg.enable { + systemd.services.go-shadowsocks2-server = { + description = "go-shadowsocks2 server"; + + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ExecStart = "${pkgs.go-shadowsocks2}/bin/go-shadowsocks2 -s '${cfg.listenAddress}'"; + DynamicUser = true; + }; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/networking/hans.nix b/nixpkgs/nixos/modules/services/networking/hans.nix index 20e57e4626ef..8334dc68d623 100644 --- a/nixpkgs/nixos/modules/services/networking/hans.nix +++ b/nixpkgs/nixos/modules/services/networking/hans.nix @@ -135,9 +135,9 @@ in }; }; - users.users = singleton { - name = hansUser; + users.users.${hansUser} = { description = "Hans daemon user"; + isSystemUser = true; }; }; diff --git a/nixpkgs/nixos/modules/services/networking/haproxy.nix b/nixpkgs/nixos/modules/services/networking/haproxy.nix index 0438d0bf8d86..aff71e5e97da 100644 --- a/nixpkgs/nixos/modules/services/networking/haproxy.nix +++ b/nixpkgs/nixos/modules/services/networking/haproxy.nix @@ -1,7 +1,16 @@ { config, lib, pkgs, ... }: + let cfg = config.services.haproxy; - haproxyCfg = pkgs.writeText "haproxy.conf" cfg.config; + + haproxyCfg = pkgs.writeText "haproxy.conf" '' + global + # needed for hot-reload to work without dropping packets in multi-worker mode + stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level user + + ${cfg.config} + ''; + in with lib; { @@ -25,9 +34,7 @@ with lib; <filename>haproxy.conf</filename>. ''; }; - }; - }; config = mkIf cfg.enable { @@ -42,21 +49,16 @@ with lib; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { - Type = "forking"; - PIDFile = "/run/haproxy.pid"; - ExecStartPre = "${pkgs.haproxy}/sbin/haproxy -c -q -f ${haproxyCfg}"; - ExecStart = "${pkgs.haproxy}/sbin/haproxy -D -f ${haproxyCfg} -p /run/haproxy.pid"; - ExecReload = "-${pkgs.bash}/bin/bash -c \"exec ${pkgs.haproxy}/sbin/haproxy -D -f ${haproxyCfg} -p /run/haproxy.pid -sf $MAINPID\""; + DynamicUser = true; + Type = "notify"; + # when running the config test, don't be quiet so we can see what goes wrong + ExecStartPre = "${pkgs.haproxy}/sbin/haproxy -c -f ${haproxyCfg}"; + ExecStart = "${pkgs.haproxy}/sbin/haproxy -Ws -f ${haproxyCfg}"; + Restart = "on-failure"; + RuntimeDirectory = "haproxy"; + # needed in case we bind to port < 1024 + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; }; }; - - environment.systemPackages = [ pkgs.haproxy ]; - - users.users.haproxy = { - group = "haproxy"; - uid = config.ids.uids.haproxy; - }; - - users.groups.haproxy.gid = config.ids.uids.haproxy; }; } diff --git a/nixpkgs/nixos/modules/services/networking/helpers.nix b/nixpkgs/nixos/modules/services/networking/helpers.nix new file mode 100644 index 000000000000..d7d42de0e3a8 --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/helpers.nix @@ -0,0 +1,11 @@ +{ config, lib, ... }: '' + # Helper command to manipulate both the IPv4 and IPv6 tables. + ip46tables() { + iptables -w "$@" + ${ + lib.optionalString config.networking.enableIPv6 '' + ip6tables -w "$@" + '' + } + } +'' diff --git a/nixpkgs/nixos/modules/services/networking/i2pd.nix b/nixpkgs/nixos/modules/services/networking/i2pd.nix index f2be417738ee..326d34f6ca92 100644 --- a/nixpkgs/nixos/modules/services/networking/i2pd.nix +++ b/nixpkgs/nixos/modules/services/networking/i2pd.nix @@ -158,10 +158,10 @@ let (sec "addressbook") (strOpt "defaulturl" cfg.addressbook.defaulturl) ] ++ (optionalEmptyList "subscriptions" cfg.addressbook.subscriptions) - ++ (flip map - (collect (proto: proto ? port && proto ? address && proto ? name) cfg.proto) + ++ (flip mapAttrs + (collect (name: proto: proto ? port && proto ? address && proto ? name) cfg.proto) (proto: let protoOpts = [ - (sec proto.name) + (sec name) (boolOpt "enabled" proto.enable) (strOpt "address" proto.address) (intOpt "port" proto.port) @@ -181,10 +181,10 @@ let tunnelConf = let opts = [ notice - (flip map - (collect (tun: tun ? port && tun ? destination) cfg.outTunnels) + (flip mapAttrs + (collect (name: tun: tun ? port && tun ? destination) cfg.outTunnels) (tun: let outTunOpts = [ - (sec tun.name) + (sec name) "type = client" (intOpt "port" tun.port) (strOpt "destination" tun.destination) @@ -204,10 +204,10 @@ let ++ (if tun ? crypto.tagsToSend then optionalNullInt "crypto.tagstosend" tun.crypto.tagsToSend else []); in concatStringsSep "\n" outTunOpts)) - (flip map - (collect (tun: tun ? port && tun ? address) cfg.inTunnels) + (flip mapAttrs + (collect (name: tun: tun ? port && tun ? address) cfg.inTunnels) (tun: let inTunOpts = [ - (sec tun.name) + (sec name) "type = server" (intOpt "port" tun.port) (strOpt "host" tun.address) @@ -235,6 +235,10 @@ in { + imports = [ + (mkRenamedOptionModule [ "services" "i2pd" "extIp" ] [ "services" "i2pd" "address" ]) + ]; + ###### interface options = { diff --git a/nixpkgs/nixos/modules/services/networking/iodine.nix b/nixpkgs/nixos/modules/services/networking/iodine.nix index 344f84374bbd..f9ca26c27960 100644 --- a/nixpkgs/nixos/modules/services/networking/iodine.nix +++ b/nixpkgs/nixos/modules/services/networking/iodine.nix @@ -11,6 +11,13 @@ let in { + imports = [ + (mkRenamedOptionModule [ "services" "iodined" "enable" ] [ "services" "iodine" "server" "enable" ]) + (mkRenamedOptionModule [ "services" "iodined" "domain" ] [ "services" "iodine" "server" "domain" ]) + (mkRenamedOptionModule [ "services" "iodined" "ip" ] [ "services" "iodine" "server" "ip" ]) + (mkRenamedOptionModule [ "services" "iodined" "extraConfig" ] [ "services" "iodine" "server" "extraConfig" ]) + (mkRemovedOptionModule [ "services" "iodined" "client" ] "") + ]; ### configuration @@ -140,8 +147,7 @@ in }; }; - users.users = singleton { - name = iodinedUser; + users.users.${iodinedUser} = { uid = config.ids.uids.iodined; description = "Iodine daemon user"; }; diff --git a/nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix b/nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix index f5abe61a1baf..b236552eb653 100644 --- a/nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix +++ b/nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix @@ -112,9 +112,8 @@ in config = mkIf config.services.ircdHybrid.enable { - users.users = singleton - { name = "ircd"; - description = "IRCD owner"; + users.users.ircd = + { description = "IRCD owner"; group = "ircd"; uid = config.ids.uids.ircd; }; diff --git a/nixpkgs/nixos/modules/services/networking/jormungandr.nix b/nixpkgs/nixos/modules/services/networking/jormungandr.nix deleted file mode 100644 index 152cceb4bf91..000000000000 --- a/nixpkgs/nixos/modules/services/networking/jormungandr.nix +++ /dev/null @@ -1,102 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - cfg = config.services.jormungandr; - - inherit (lib) mkEnableOption mkIf mkOption; - inherit (lib) optionalString types; - - dataDir = "/var/lib/jormungandr"; - - # Default settings so far, as the service matures we will - # move these out as separate settings - configSettings = { - storage = dataDir; - p2p = { - public_address = "/ip4/127.0.0.1/tcp/8299"; - topics_of_interest = { - messages = "high"; - blocks = "high"; - }; - }; - rest = { - listen = "127.0.0.1:8607"; - }; - }; - - configFile = if cfg.configFile == null then - pkgs.writeText "jormungandr.yaml" (builtins.toJSON configSettings) - else cfg.configFile; - -in { - - options = { - - services.jormungandr = { - enable = mkEnableOption "jormungandr service"; - - configFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/var/lib/jormungandr/node.yaml"; - description = '' - The path of the jormungandr blockchain configuration file in YAML format. - If no file is specified, a file is generated using the other options. - ''; - }; - - secretFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/etc/secret/jormungandr.yaml"; - description = '' - The path of the jormungandr blockchain secret node configuration file in - YAML format. Do not store this in nix store! - ''; - }; - - genesisBlockHash = mkOption { - type = types.nullOr types.str; - default = null; - example = "d70495af81ae8600aca3e642b2427327cb6001ec4d7a0037e96a00dabed163f9"; - description = '' - Set the genesis block hash (the hash of the block0) so we can retrieve - the genesis block (and the blockchain configuration) from the existing - storage or from the network. - ''; - }; - - genesisBlockFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/var/lib/jormungandr/block-0.bin"; - description = '' - The path of the genesis block file if we are hosting it locally. - ''; - }; - - }; - }; - - config = mkIf cfg.enable { - - systemd.services.jormungandr = { - description = "jormungandr server"; - wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target" ]; - environment = { - RUST_BACKTRACE = "full"; - }; - serviceConfig = { - DynamicUser = true; - StateDirectory = baseNameOf dataDir; - ExecStart = '' - ${pkgs.jormungandr}/bin/jormungandr --config ${configFile} \ - ${optionalString (cfg.secretFile != null) " --secret ${cfg.secretFile}"} \ - ${optionalString (cfg.genesisBlockHash != null) " --genesis-block-hash ${cfg.genesisBlockHash}"} \ - ${optionalString (cfg.genesisBlockFile != null) " --genesis-block ${cfg.genesisBlockFile}"} - ''; - }; - }; - }; -} diff --git a/nixpkgs/nixos/modules/services/networking/kippo.nix b/nixpkgs/nixos/modules/services/networking/kippo.nix index bdea6a1d1caa..553415a2f329 100644 --- a/nixpkgs/nixos/modules/services/networking/kippo.nix +++ b/nixpkgs/nixos/modules/services/networking/kippo.nix @@ -73,12 +73,11 @@ in ${cfg.extraConfig} ''; - users.users = singleton { - name = "kippo"; + users.users.kippo = { description = "kippo web server privilege separation user"; uid = 108; # why does config.ids.uids.kippo give an error? }; - users.groups = singleton { name = "kippo";gid=108; }; + users.groups.kippo.gid = 108; systemd.services.kippo = with pkgs; { description = "Kippo Web Server"; diff --git a/nixpkgs/nixos/modules/services/networking/kresd.nix b/nixpkgs/nixos/modules/services/networking/kresd.nix index fc516c01230a..5eb50a13ca9a 100644 --- a/nixpkgs/nixos/modules/services/networking/kresd.nix +++ b/nixpkgs/nixos/modules/services/networking/kresd.nix @@ -13,6 +13,17 @@ in { meta.maintainers = [ maintainers.vcunat /* upstream developer */ ]; + imports = [ + (mkChangedOptionModule [ "services" "kresd" "interfaces" ] [ "services" "kresd" "listenPlain" ] + (config: + let value = getAttrFromPath [ "services" "kresd" "interfaces" ] config; + in map + (iface: if elem ":" (stringToCharacters iface) then "[${iface}]:53" else "${iface}:53") # Syntax depends on being IPv6 or IPv4. + value + ) + ) + ]; + ###### interface options.services.kresd = { enable = mkOption { @@ -39,11 +50,12 @@ in Directory for caches. They are intended to survive reboots. ''; }; - interfaces = mkOption { + listenPlain = mkOption { type = with types; listOf str; - default = [ "::1" "127.0.0.1" ]; + default = [ "[::1]:53" "127.0.0.1:53" ]; description = '' - What addresses the server should listen on. (UDP+TCP 53) + What addresses and ports the server should listen on. + For detailed syntax see ListenStream in man systemd.socket. ''; }; listenTLS = mkOption { @@ -51,7 +63,7 @@ in default = []; example = [ "198.51.100.1:853" "[2001:db8::1]:853" "853" ]; description = '' - Addresses on which kresd should provide DNS over TLS (see RFC 7858). + Addresses and ports on which kresd should provide DNS over TLS (see RFC 7858). For detailed syntax see ListenStream in man systemd.socket. ''; }; @@ -62,24 +74,17 @@ in config = mkIf cfg.enable { environment.etc."kresd.conf".source = configFile; # not required - users.users = singleton - { name = "kresd"; - uid = config.ids.uids.kresd; + users.users.kresd = + { uid = config.ids.uids.kresd; group = "kresd"; description = "Knot-resolver daemon user"; }; - users.groups = singleton - { name = "kresd"; - gid = config.ids.gids.kresd; - }; + users.groups.kresd.gid = config.ids.gids.kresd; systemd.sockets.kresd = rec { wantedBy = [ "sockets.target" ]; before = wantedBy; - listenStreams = map - # Syntax depends on being IPv6 or IPv4. - (iface: if elem ":" (stringToCharacters iface) then "[${iface}]:53" else "${iface}:53") - cfg.interfaces; + listenStreams = cfg.listenPlain; socketConfig = { ListenDatagram = listenStreams; FreeBind = true; diff --git a/nixpkgs/nixos/modules/services/networking/matterbridge.nix b/nixpkgs/nixos/modules/services/networking/matterbridge.nix index 1fd63348c16c..bad35133459a 100644 --- a/nixpkgs/nixos/modules/services/networking/matterbridge.nix +++ b/nixpkgs/nixos/modules/services/networking/matterbridge.nix @@ -92,13 +92,15 @@ in warnings = optional options.services.matterbridge.configFile.isDefined "The option services.matterbridge.configFile is insecure and should be replaced with services.matterbridge.configPath"; - users.users = optional (cfg.user == "matterbridge") - { name = "matterbridge"; - group = "matterbridge"; + users.users = optionalAttrs (cfg.user == "matterbridge") + { matterbridge = { + group = "matterbridge"; + isSystemUser = true; + }; }; - users.groups = optional (cfg.group == "matterbridge") - { name = "matterbridge"; + users.groups = optionalAttrs (cfg.group == "matterbridge") + { matterbridge = { }; }; systemd.services.matterbridge = { diff --git a/nixpkgs/nixos/modules/services/networking/mjpg-streamer.nix b/nixpkgs/nixos/modules/services/networking/mjpg-streamer.nix index e0a6c112e3cb..dbc35e2e71c0 100644 --- a/nixpkgs/nixos/modules/services/networking/mjpg-streamer.nix +++ b/nixpkgs/nixos/modules/services/networking/mjpg-streamer.nix @@ -49,10 +49,11 @@ in { config = mkIf cfg.enable { - users.users = optional (cfg.user == "mjpg-streamer") { - name = "mjpg-streamer"; - uid = config.ids.uids.mjpg-streamer; - group = cfg.group; + users.users = optionalAttrs (cfg.user == "mjpg-streamer") { + mjpg-streamer = { + uid = config.ids.uids.mjpg-streamer; + group = cfg.group; + }; }; systemd.services.mjpg-streamer = { diff --git a/nixpkgs/nixos/modules/services/networking/monero.nix b/nixpkgs/nixos/modules/services/networking/monero.nix index 831e4d60d8da..b95364308682 100644 --- a/nixpkgs/nixos/modules/services/networking/monero.nix +++ b/nixpkgs/nixos/modules/services/networking/monero.nix @@ -197,17 +197,15 @@ in config = mkIf cfg.enable { - users.users = singleton { - name = "monero"; + users.users.monero = { uid = config.ids.uids.monero; description = "Monero daemon user"; home = dataDir; createHome = true; }; - users.groups = singleton { - name = "monero"; - gid = config.ids.gids.monero; + users.groups.monero = { + gid = config.ids.gids.monero; }; systemd.services.monero = { @@ -224,15 +222,17 @@ in }; }; - assertions = singleton { - assertion = cfg.mining.enable -> cfg.mining.address != ""; - message = '' + assertions = singleton { + assertion = cfg.mining.enable -> cfg.mining.address != ""; + message = '' You need a Monero address to receive mining rewards: specify one using option monero.mining.address. - ''; - }; + ''; + }; }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/networking/morty.nix b/nixpkgs/nixos/modules/services/networking/morty.nix index 1b3084fe9abb..e3a6444c1163 100644 --- a/nixpkgs/nixos/modules/services/networking/morty.nix +++ b/nixpkgs/nixos/modules/services/networking/morty.nix @@ -74,6 +74,7 @@ in { description = "Morty user"; createHome = true; home = "/var/lib/morty"; + isSystemUser = true; }; systemd.services.morty = diff --git a/nixpkgs/nixos/modules/services/networking/murmur.nix b/nixpkgs/nixos/modules/services/networking/murmur.nix index 082953d2f6ab..3054ae1b201f 100644 --- a/nixpkgs/nixos/modules/services/networking/murmur.nix +++ b/nixpkgs/nixos/modules/services/networking/murmur.nix @@ -46,6 +46,11 @@ let ''; in { + imports = [ + (mkRenamedOptionModule [ "services" "murmur" "welcome" ] [ "services" "murmur" "welcometext" ]) + (mkRemovedOptionModule [ "services" "murmur" "pidfile" ] "Hardcoded to /run/murmur/murmurd.pid now") + ]; + options = { services.murmur = { enable = mkOption { diff --git a/nixpkgs/nixos/modules/services/networking/mxisd.nix b/nixpkgs/nixos/modules/services/networking/mxisd.nix index 02e89f441b34..482d6ff456b1 100644 --- a/nixpkgs/nixos/modules/services/networking/mxisd.nix +++ b/nixpkgs/nixos/modules/services/networking/mxisd.nix @@ -3,6 +3,15 @@ with lib; let + + isMa1sd = + package: + lib.hasPrefix "ma1sd" package.name; + + isMxisd = + package: + lib.hasPrefix "mxisd" package.name; + cfg = config.services.mxisd; server = optionalAttrs (cfg.server.name != null) { inherit (cfg.server) name; } @@ -12,37 +21,41 @@ let matrix.domain = cfg.matrix.domain; key.path = "${cfg.dataDir}/signing.key"; storage = { - provider.sqlite.database = "${cfg.dataDir}/mxisd.db"; + provider.sqlite.database = if isMa1sd cfg.package + then "${cfg.dataDir}/ma1sd.db" + else "${cfg.dataDir}/mxisd.db"; }; } // optionalAttrs (server != {}) { inherit server; }; # merges baseConfig and extraConfig into a single file fullConfig = recursiveUpdate baseConfig cfg.extraConfig; - configFile = pkgs.writeText "mxisd-config.yaml" (builtins.toJSON fullConfig); + configFile = if isMa1sd cfg.package + then pkgs.writeText "ma1sd-config.yaml" (builtins.toJSON fullConfig) + else pkgs.writeText "mxisd-config.yaml" (builtins.toJSON fullConfig); in { options = { services.mxisd = { - enable = mkEnableOption "mxisd matrix federated identity server"; + enable = mkEnableOption "matrix federated identity server"; package = mkOption { type = types.package; default = pkgs.mxisd; defaultText = "pkgs.mxisd"; - description = "The mxisd package to use"; + description = "The mxisd/ma1sd package to use"; }; dataDir = mkOption { type = types.str; default = "/var/lib/mxisd"; - description = "Where data mxisd uses resides"; + description = "Where data mxisd/ma1sd uses resides"; }; extraConfig = mkOption { type = types.attrs; default = {}; - description = "Extra options merged into the mxisd configuration"; + description = "Extra options merged into the mxisd/ma1sd configuration"; }; matrix = { @@ -62,7 +75,7 @@ in { type = types.nullOr types.str; default = null; description = '' - Public hostname of mxisd, if different from the Matrix domain. + Public hostname of mxisd/ma1sd, if different from the Matrix domain. ''; }; @@ -80,34 +93,32 @@ in { }; config = mkIf cfg.enable { - users.users = [ + users.users.mxisd = { - name = "mxisd"; group = "mxisd"; home = cfg.dataDir; createHome = true; shell = "${pkgs.bash}/bin/bash"; uid = config.ids.uids.mxisd; - } - ]; + }; - users.groups = [ + users.groups.mxisd = { - name = "mxisd"; gid = config.ids.gids.mxisd; - } - ]; + }; systemd.services.mxisd = { description = "a federated identity server for the matrix ecosystem"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - serviceConfig = { + serviceConfig = let + executable = if isMa1sd cfg.package then "ma1sd" else "mxisd"; + in { Type = "simple"; User = "mxisd"; Group = "mxisd"; - ExecStart = "${cfg.package}/bin/mxisd -c ${configFile}"; + ExecStart = "${cfg.package}/bin/${executable} -c ${configFile}"; WorkingDirectory = cfg.dataDir; Restart = "on-failure"; }; diff --git a/nixpkgs/nixos/modules/services/networking/namecoind.nix b/nixpkgs/nixos/modules/services/networking/namecoind.nix index c8ee0a2f5647..ead7f0859434 100644 --- a/nixpkgs/nixos/modules/services/networking/namecoind.nix +++ b/nixpkgs/nixos/modules/services/networking/namecoind.nix @@ -154,16 +154,14 @@ in config = ${configFile} ''; - users.users = singleton { - name = "namecoin"; + users.users.namecoin = { uid = config.ids.uids.namecoin; description = "Namecoin daemon user"; home = dataDir; createHome = true; }; - users.groups = singleton { - name = "namecoin"; + users.groups.namecoin = { gid = config.ids.gids.namecoin; }; @@ -201,4 +199,6 @@ in }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/networking/nat.nix b/nixpkgs/nixos/modules/services/networking/nat.nix index 89d8590093dd..f1238bc6b168 100644 --- a/nixpkgs/nixos/modules/services/networking/nat.nix +++ b/nixpkgs/nixos/modules/services/networking/nat.nix @@ -7,29 +7,36 @@ with lib; let - cfg = config.networking.nat; dest = if cfg.externalIP == null then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}"; + helpers = import ./helpers.nix { inherit config lib; }; + flushNat = '' - iptables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true - iptables -w -t nat -F nixos-nat-pre 2>/dev/null || true - iptables -w -t nat -X nixos-nat-pre 2>/dev/null || true - iptables -w -t nat -D POSTROUTING -j nixos-nat-post 2>/dev/null || true - iptables -w -t nat -F nixos-nat-post 2>/dev/null || true - iptables -w -t nat -X nixos-nat-post 2>/dev/null || true + ${helpers} + ip46tables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true + ip46tables -w -t nat -F nixos-nat-pre 2>/dev/null || true + ip46tables -w -t nat -X nixos-nat-pre 2>/dev/null || true + ip46tables -w -t nat -D POSTROUTING -j nixos-nat-post 2>/dev/null || true + ip46tables -w -t nat -F nixos-nat-post 2>/dev/null || true + ip46tables -w -t nat -X nixos-nat-post 2>/dev/null || true + ip46tables -w -t nat -D OUTPUT -j nixos-nat-out 2>/dev/null || true + ip46tables -w -t nat -F nixos-nat-out 2>/dev/null || true + ip46tables -w -t nat -X nixos-nat-out 2>/dev/null || true ${cfg.extraStopCommands} ''; setupNat = '' + ${helpers} # Create subchain where we store rules - iptables -w -t nat -N nixos-nat-pre - iptables -w -t nat -N nixos-nat-post + ip46tables -w -t nat -N nixos-nat-pre + ip46tables -w -t nat -N nixos-nat-post + ip46tables -w -t nat -N nixos-nat-out # We can't match on incoming interface in POSTROUTING, so - # mark packets coming from the external interfaces. + # mark packets coming from the internal interfaces. ${concatMapStrings (iface: '' iptables -w -t nat -A nixos-nat-pre \ -i '${iface}' -j MARK --set-mark 1 @@ -88,8 +95,9 @@ let ${cfg.extraCommands} # Append our chains to the nat tables - iptables -w -t nat -A PREROUTING -j nixos-nat-pre - iptables -w -t nat -A POSTROUTING -j nixos-nat-post + ip46tables -w -t nat -A PREROUTING -j nixos-nat-pre + ip46tables -w -t nat -A POSTROUTING -j nixos-nat-post + ip46tables -w -t nat -A OUTPUT -j nixos-nat-out ''; in diff --git a/nixpkgs/nixos/modules/services/networking/networkmanager.nix b/nixpkgs/nixos/modules/services/networking/networkmanager.nix index 887c89ddf3ab..e817f295a445 100644 --- a/nixpkgs/nixos/modules/services/networking/networkmanager.nix +++ b/nixpkgs/nixos/modules/services/networking/networkmanager.nix @@ -5,13 +5,21 @@ with lib; let cfg = config.networking.networkmanager; - dynamicHostsEnabled = - cfg.dynamicHosts.enable && cfg.dynamicHosts.hostsDirs != {}; + basePackages = with pkgs; [ + crda + modemmanager + networkmanager + networkmanager-fortisslvpn + networkmanager-iodine + networkmanager-l2tp + networkmanager-openconnect + networkmanager-openvpn + networkmanager-vpnc + ] ++ optional (!delegateWireless && !enableIwd) wpa_supplicant; delegateWireless = config.networking.wireless.enable == true && cfg.unmanaged != []; - # /var/lib/misc is for dnsmasq.leases. - stateDirs = "/var/lib/NetworkManager /var/lib/dhclient /var/lib/misc"; + enableIwd = cfg.wifi.backend == "iwd"; configFile = pkgs.writeText "NetworkManager.conf" '' [main] @@ -38,6 +46,7 @@ let [device] wifi.scan-rand-mac-address=${if cfg.wifi.scanRandMacAddress then "yes" else "no"} + wifi.backend=${cfg.wifi.backend} ${cfg.extraConfig} ''; @@ -176,30 +185,18 @@ in { ''; }; - # Ugly hack for using the correct gnome3 packageSet - basePackages = mkOption { - type = types.attrsOf types.package; - default = { inherit (pkgs) - networkmanager modemmanager crda - networkmanager-openvpn networkmanager-vpnc - networkmanager-openconnect networkmanager-fortisslvpn - networkmanager-l2tp networkmanager-iodine; } - // optionalAttrs (!delegateWireless) { inherit (pkgs) wpa_supplicant; }; - internal = true; - }; - packages = mkOption { - type = types.listOf types.path; + type = types.listOf types.package; default = [ ]; description = '' Extra packages that provide NetworkManager plugins. ''; - apply = list: (attrValues cfg.basePackages) ++ list; + apply = list: basePackages ++ list; }; dhcp = mkOption { type = types.enum [ "dhclient" "dhcpcd" "internal" ]; - default = "dhclient"; + default = "internal"; description = '' Which program (or internal library) should be used for DHCP. ''; @@ -236,6 +233,15 @@ in { wifi = { macAddress = macAddressOpt; + backend = mkOption { + type = types.enum [ "wpa_supplicant" "iwd" ]; + default = "wpa_supplicant"; + description = '' + Specify the Wi-Fi backend used for the device. + Currently supported are <option>wpa_supplicant</option> or <option>iwd</option> (experimental). + ''; + }; + powersave = mkOption { type = types.nullOr types.bool; default = null; @@ -302,6 +308,7 @@ in { if [ "$2" != "up" ]; then logger "exit: event $2 != up" + exit fi # coreutils and iproute are in PATH too @@ -326,55 +333,21 @@ in { so you don't need to to that yourself. ''; }; - - dynamicHosts = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Enabling this option requires the - <option>networking.networkmanager.dns</option> option to be - set to <literal>dnsmasq</literal>. If enabled, the directories - defined by the - <option>networking.networkmanager.dynamicHosts.hostsDirs</option> - option will be set up when the service starts. The dnsmasq instance - managed by NetworkManager will then watch those directories for - hosts files (see the <literal>--hostsdir</literal> option of - dnsmasq). This way a non-privileged user can add or override DNS - entries on the local system (depending on what hosts directories - that are configured).. - ''; - }; - hostsDirs = mkOption { - type = with types; attrsOf (submodule { - options = { - user = mkOption { - type = types.str; - default = "root"; - description = '' - The user that will own the hosts directory. - ''; - }; - group = mkOption { - type = types.str; - default = "root"; - description = '' - The group that will own the hosts directory. - ''; - }; - }; - }); - default = {}; - description = '' - Defines a set of directories (relative to - <literal>/run/NetworkManager/hostdirs</literal>) that dnsmasq will - watch for hosts files. - ''; - }; - }; }; }; + imports = [ + (mkRenamedOptionModule [ "networking" "networkmanager" "useDnsmasq" ] [ "networking" "networkmanager" "dns" ]) + (mkRemovedOptionModule ["networking" "networkmanager" "dynamicHosts"] '' + This option was removed because allowing (multiple) regular users to + override host entries affecting the whole system opens up a huge attack + vector. There seem to be very rare cases where this might be useful. + Consider setting system-wide host entries using networking.hosts, provide + them via the DNS server in your network, or use environment.etc + to add a file into /etc/NetworkManager/dnsmasq.d reconfiguring hostsdir. + '') + ]; + ###### implementation @@ -387,108 +360,90 @@ in { Except if you mark some interfaces as <literal>unmanaged</literal> by NetworkManager. ''; } - { assertion = !dynamicHostsEnabled || (dynamicHostsEnabled && cfg.dns == "dnsmasq"); - message = '' - To use networking.networkmanager.dynamicHosts you also need to set - networking.networkmanager.dns = "dnsmasq" - ''; - } ]; - environment.etc = with cfg.basePackages; [ - { source = configFile; - target = "NetworkManager/NetworkManager.conf"; - } - { source = "${networkmanager-openvpn}/lib/NetworkManager/VPN/nm-openvpn-service.name"; - target = "NetworkManager/VPN/nm-openvpn-service.name"; - } - { source = "${networkmanager-vpnc}/lib/NetworkManager/VPN/nm-vpnc-service.name"; - target = "NetworkManager/VPN/nm-vpnc-service.name"; - } - { source = "${networkmanager-openconnect}/lib/NetworkManager/VPN/nm-openconnect-service.name"; - target = "NetworkManager/VPN/nm-openconnect-service.name"; - } - { source = "${networkmanager-fortisslvpn}/lib/NetworkManager/VPN/nm-fortisslvpn-service.name"; - target = "NetworkManager/VPN/nm-fortisslvpn-service.name"; - } - { source = "${networkmanager-l2tp}/lib/NetworkManager/VPN/nm-l2tp-service.name"; - target = "NetworkManager/VPN/nm-l2tp-service.name"; - } - { source = "${networkmanager-iodine}/lib/NetworkManager/VPN/nm-iodine-service.name"; - target = "NetworkManager/VPN/nm-iodine-service.name"; + environment.etc = with pkgs; { + "NetworkManager/NetworkManager.conf".source = configFile; + + "NetworkManager/VPN/nm-openvpn-service.name".source = + "${networkmanager-openvpn}/lib/NetworkManager/VPN/nm-openvpn-service.name"; + + "NetworkManager/VPN/nm-vpnc-service.name".source = + "${networkmanager-vpnc}/lib/NetworkManager/VPN/nm-vpnc-service.name"; + + "NetworkManager/VPN/nm-openconnect-service.name".source = + "${networkmanager-openconnect}/lib/NetworkManager/VPN/nm-openconnect-service.name"; + + "NetworkManager/VPN/nm-fortisslvpn-service.name".source = + "${networkmanager-fortisslvpn}/lib/NetworkManager/VPN/nm-fortisslvpn-service.name"; + + "NetworkManager/VPN/nm-l2tp-service.name".source = + "${networkmanager-l2tp}/lib/NetworkManager/VPN/nm-l2tp-service.name"; + + "NetworkManager/VPN/nm-iodine-service.name".source = + "${networkmanager-iodine}/lib/NetworkManager/VPN/nm-iodine-service.name"; } - ] ++ optional (cfg.appendNameservers != [] || cfg.insertNameservers != []) - { source = overrideNameserversScript; - target = "NetworkManager/dispatcher.d/02overridedns"; - } - ++ lib.imap1 (i: s: { - inherit (s) source; - target = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}"; - mode = "0544"; - }) cfg.dispatcherScripts - ++ optional dynamicHostsEnabled - { target = "NetworkManager/dnsmasq.d/dyndns.conf"; - text = concatMapStrings (n: '' - hostsdir=/run/NetworkManager/hostsdirs/${n} - '') (attrNames cfg.dynamicHosts.hostsDirs); - } - ++ optional cfg.enableStrongSwan - { source = "${pkgs.networkmanager_strongswan}/lib/NetworkManager/VPN/nm-strongswan-service.name"; - target = "NetworkManager/VPN/nm-strongswan-service.name"; - }; + // optionalAttrs (cfg.appendNameservers != [] || cfg.insertNameservers != []) + { + "NetworkManager/dispatcher.d/02overridedns".source = overrideNameserversScript; + } + // optionalAttrs cfg.enableStrongSwan + { + "NetworkManager/VPN/nm-strongswan-service.name".source = + "${pkgs.networkmanager_strongswan}/lib/NetworkManager/VPN/nm-strongswan-service.name"; + } + // listToAttrs (lib.imap1 (i: s: + { + name = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}"; + value = { mode = "0544"; inherit (s) source; }; + }) cfg.dispatcherScripts); environment.systemPackages = cfg.packages; - users.groups = [{ - name = "networkmanager"; - gid = config.ids.gids.networkmanager; - } - { - name = "nm-openvpn"; - gid = config.ids.gids.nm-openvpn; - }]; - users.users = [{ - name = "nm-openvpn"; - uid = config.ids.uids.nm-openvpn; - extraGroups = [ "networkmanager" ]; - } - { - name = "nm-iodine"; - isSystemUser = true; - group = "networkmanager"; - }]; + users.groups = { + networkmanager.gid = config.ids.gids.networkmanager; + nm-openvpn.gid = config.ids.gids.nm-openvpn; + }; + + users.users = { + nm-openvpn = { + uid = config.ids.uids.nm-openvpn; + extraGroups = [ "networkmanager" ]; + }; + nm-iodine = { + isSystemUser = true; + group = "networkmanager"; + }; + }; systemd.packages = cfg.packages; + systemd.tmpfiles.rules = [ + "d /etc/NetworkManager/system-connections 0700 root root -" + "d /etc/ipsec.d 0700 root root -" + "d /var/lib/NetworkManager-fortisslvpn 0700 root root -" + + "d /var/lib/dhclient 0755 root root -" + "d /var/lib/misc 0755 root root -" # for dnsmasq.leases + ]; + systemd.services.NetworkManager = { wantedBy = [ "network.target" ]; restartTriggers = [ configFile ]; - preStart = '' - mkdir -m 700 -p /etc/NetworkManager/system-connections - mkdir -m 700 -p /etc/ipsec.d - mkdir -m 755 -p ${stateDirs} - ''; + aliases = [ "dbus-org.freedesktop.NetworkManager.service" ]; + + serviceConfig = { + StateDirectory = "NetworkManager"; + StateDirectoryMode = 755; # not sure if this really needs to be 755 + }; }; systemd.services.NetworkManager-wait-online = { wantedBy = [ "network-online.target" ]; }; - systemd.services.nm-setup-hostsdirs = mkIf dynamicHostsEnabled { - wantedBy = [ "NetworkManager.service" ]; - before = [ "NetworkManager.service" ]; - partOf = [ "NetworkManager.service" ]; - script = concatStrings (mapAttrsToList (n: d: '' - mkdir -p "/run/NetworkManager/hostsdirs/${n}" - chown "${d.user}:${d.group}" "/run/NetworkManager/hostsdirs/${n}" - chmod 0775 "/run/NetworkManager/hostsdirs/${n}" - '') cfg.dynamicHosts.hostsDirs); - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - }; + systemd.services.ModemManager.aliases = [ "dbus-org.freedesktop.ModemManager1.service" ]; systemd.services.NetworkManager-dispatcher = { wantedBy = [ "network.target" ]; @@ -496,16 +451,23 @@ in { # useful binaries for user-specified hooks path = [ pkgs.iproute pkgs.utillinux pkgs.coreutils ]; + aliases = [ "dbus-org.freedesktop.nm-dispatcher.service" ]; }; # Turn off NixOS' network management when networking is managed entirely by NetworkManager - networking = (mkIf (!delegateWireless) { - useDHCP = false; - # Use mkDefault to trigger the assertion about the conflict above - wireless.enable = mkDefault false; - }) // (mkIf cfg.enableStrongSwan { - networkmanager.packages = [ pkgs.networkmanager_strongswan ]; - }); + networking = mkMerge [ + (mkIf (!delegateWireless) { + useDHCP = false; + }) + + (mkIf cfg.enableStrongSwan { + networkmanager.packages = [ pkgs.networkmanager_strongswan ]; + }) + + (mkIf enableIwd { + wireless.iwd.enable = true; + }) + ]; security.polkit.extraConfig = polkitConf; diff --git a/nixpkgs/nixos/modules/services/networking/nghttpx/default.nix b/nixpkgs/nixos/modules/services/networking/nghttpx/default.nix index d6e1906e3881..881a2670f5db 100644 --- a/nixpkgs/nixos/modules/services/networking/nghttpx/default.nix +++ b/nixpkgs/nixos/modules/services/networking/nghttpx/default.nix @@ -96,6 +96,7 @@ in users.groups.nghttpx = { }; users.users.nghttpx = { group = config.users.groups.nghttpx.name; + isSystemUser = true; }; diff --git a/nixpkgs/nixos/modules/services/networking/nntp-proxy.nix b/nixpkgs/nixos/modules/services/networking/nntp-proxy.nix index d24d6f77a491..cc061bf6e3b9 100644 --- a/nixpkgs/nixos/modules/services/networking/nntp-proxy.nix +++ b/nixpkgs/nixos/modules/services/networking/nntp-proxy.nix @@ -210,9 +210,8 @@ in config = mkIf cfg.enable { - users.users = singleton - { name = proxyUser; - uid = config.ids.uids.nntp-proxy; + users.users.${proxyUser} = + { uid = config.ids.uids.nntp-proxy; description = "NNTP-Proxy daemon user"; }; diff --git a/nixpkgs/nixos/modules/services/networking/nsd.nix b/nixpkgs/nixos/modules/services/networking/nsd.nix index bc0966e6b8e6..344396638a6c 100644 --- a/nixpkgs/nixos/modules/services/networking/nsd.nix +++ b/nixpkgs/nixos/modules/services/networking/nsd.nix @@ -899,13 +899,9 @@ in environment.systemPackages = [ nsdPkg ]; - users.groups = singleton { - name = username; - gid = config.ids.gids.nsd; - }; + users.groups.${username}.gid = config.ids.gids.nsd; - users.users = singleton { - name = username; + users.users.${username} = { description = "NSD service user"; home = stateDir; createHome = true; diff --git a/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix b/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix index c74476c7a155..da9d960cc142 100644 --- a/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix +++ b/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix @@ -79,14 +79,10 @@ in environment.systemPackages = [ pkgs.chrony ]; - users.groups = singleton - { name = "chrony"; - gid = config.ids.gids.chrony; - }; + users.groups.chrony.gid = config.ids.gids.chrony; - users.users = singleton - { name = "chrony"; - uid = config.ids.uids.chrony; + users.users.chrony = + { uid = config.ids.uids.chrony; group = "chrony"; description = "chrony daemon user"; home = stateDir; diff --git a/nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix b/nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix index 1197c84f0459..b5403cb747d0 100644 --- a/nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix +++ b/nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix @@ -104,9 +104,8 @@ in systemd.services.systemd-timedated.environment = { SYSTEMD_TIMEDATED_NTP_SERVICES = "ntpd.service"; }; - users.users = singleton - { name = ntpUser; - uid = config.ids.uids.ntp; + users.users.${ntpUser} = + { uid = config.ids.uids.ntp; description = "NTP daemon user"; home = stateDir; }; diff --git a/nixpkgs/nixos/modules/services/networking/ntp/openntpd.nix b/nixpkgs/nixos/modules/services/networking/ntp/openntpd.nix index 471d15b1687b..67a04d48d308 100644 --- a/nixpkgs/nixos/modules/services/networking/ntp/openntpd.nix +++ b/nixpkgs/nixos/modules/services/networking/ntp/openntpd.nix @@ -60,8 +60,7 @@ in environment.etc."ntpd.conf".text = configFile; - users.users = singleton { - name = "ntp"; + users.users.ntp = { uid = config.ids.uids.ntp; description = "OpenNTP daemon user"; home = "/var/empty"; diff --git a/nixpkgs/nixos/modules/services/networking/openvpn.nix b/nixpkgs/nixos/modules/services/networking/openvpn.nix index 05be97e66a3d..dcd7e9e5fa4c 100644 --- a/nixpkgs/nixos/modules/services/networking/openvpn.nix +++ b/nixpkgs/nixos/modules/services/networking/openvpn.nix @@ -73,6 +73,9 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "openvpn" "enable" ] "") + ]; ###### interface diff --git a/nixpkgs/nixos/modules/services/networking/owamp.nix b/nixpkgs/nixos/modules/services/networking/owamp.nix index 821a0258f4be..637ed618b893 100644 --- a/nixpkgs/nixos/modules/services/networking/owamp.nix +++ b/nixpkgs/nixos/modules/services/networking/owamp.nix @@ -17,15 +17,13 @@ in ###### implementation config = mkIf cfg.enable { - users.users = singleton { - name = "owamp"; + users.users.owamp = { group = "owamp"; description = "Owamp daemon"; + isSystemUser = true; }; - users.groups = singleton { - name = "owamp"; - }; + users.groups.owamp = { }; systemd.services.owamp = { description = "Owamp server"; diff --git a/nixpkgs/nixos/modules/services/networking/pdns-recursor.nix b/nixpkgs/nixos/modules/services/networking/pdns-recursor.nix index ebfdd9f35b72..6ff181377fcc 100644 --- a/nixpkgs/nixos/modules/services/networking/pdns-recursor.nix +++ b/nixpkgs/nixos/modules/services/networking/pdns-recursor.nix @@ -91,10 +91,18 @@ in { forwardZones = mkOption { type = types.attrs; + default = {}; + description = '' + DNS zones to be forwarded to other authoritative servers. + ''; + }; + + forwardZonesRecurse = mkOption { + type = types.attrs; example = { eth = "127.0.0.1:5353"; }; default = {}; description = '' - DNS zones to be forwarded to other servers. + DNS zones to be forwarded to other recursive servers. ''; }; @@ -158,7 +166,8 @@ in { webserver-port = cfg.api.port; webserver-allow-from = cfg.api.allowFrom; - forward-zones = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZones; + forward-zones = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZones; + forward-zones-recurse = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZonesRecurse; export-etc-hosts = cfg.exportHosts; dnssec = cfg.dnssecValidation; serve-rfc1918 = cfg.serveRFC1918; @@ -210,4 +219,6 @@ in { "To change extra Recursor settings use services.pdns-recursor.settings instead.") ]; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/networking/pdnsd.nix b/nixpkgs/nixos/modules/services/networking/pdnsd.nix index f5b174dd7b7b..24b5bbc5104e 100644 --- a/nixpkgs/nixos/modules/services/networking/pdnsd.nix +++ b/nixpkgs/nixos/modules/services/networking/pdnsd.nix @@ -62,15 +62,13 @@ in }; config = mkIf cfg.enable { - users.users = singleton { - name = pdnsdUser; + users.users.${pdnsdUser} = { uid = config.ids.uids.pdnsd; group = pdnsdGroup; description = "pdnsd user"; }; - users.groups = singleton { - name = pdnsdGroup; + users.groups.${pdnsdGroup} = { gid = config.ids.gids.pdnsd; }; diff --git a/nixpkgs/nixos/modules/services/networking/polipo.nix b/nixpkgs/nixos/modules/services/networking/polipo.nix index dbe3b7380970..1ff9388346b6 100644 --- a/nixpkgs/nixos/modules/services/networking/polipo.nix +++ b/nixpkgs/nixos/modules/services/networking/polipo.nix @@ -85,17 +85,15 @@ in config = mkIf cfg.enable { - users.users = singleton - { name = "polipo"; - uid = config.ids.uids.polipo; + users.users.polipo = + { uid = config.ids.uids.polipo; description = "Polipo caching proxy user"; home = "/var/cache/polipo"; createHome = true; }; - users.groups = singleton - { name = "polipo"; - gid = config.ids.gids.polipo; + users.groups.polipo = + { gid = config.ids.gids.polipo; members = [ "polipo" ]; }; diff --git a/nixpkgs/nixos/modules/services/networking/pppd.nix b/nixpkgs/nixos/modules/services/networking/pppd.nix new file mode 100644 index 000000000000..b31bfa642358 --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/pppd.nix @@ -0,0 +1,136 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.pppd; +in +{ + meta = { + maintainers = with maintainers; [ danderson ]; + }; + + options = { + services.pppd = { + enable = mkEnableOption "pppd"; + + package = mkOption { + default = pkgs.ppp; + defaultText = "pkgs.ppp"; + type = types.package; + description = "pppd package to use."; + }; + + peers = mkOption { + default = {}; + description = "pppd peers."; + type = types.attrsOf (types.submodule ( + { name, ... }: + { + options = { + name = mkOption { + type = types.str; + default = name; + example = "dialup"; + description = "Name of the PPP peer."; + }; + + enable = mkOption { + type = types.bool; + default = true; + example = false; + description = "Whether to enable this PPP peer."; + }; + + autostart = mkOption { + type = types.bool; + default = true; + example = false; + description = "Whether the PPP session is automatically started at boot time."; + }; + + config = mkOption { + type = types.lines; + default = ""; + description = "pppd configuration for this peer, see the pppd(8) man page."; + }; + }; + })); + }; + }; + }; + + config = let + enabledConfigs = filter (f: f.enable) (attrValues cfg.peers); + + mkEtc = peerCfg: { + name = "ppp/peers/${peerCfg.name}"; + value.text = peerCfg.config; + }; + + mkSystemd = peerCfg: { + name = "pppd-${peerCfg.name}"; + value = { + restartTriggers = [ config.environment.etc."ppp/peers/${peerCfg.name}".source ]; + before = [ "network.target" ]; + wants = [ "network.target" ]; + after = [ "network-pre.target" ]; + environment = { + # pppd likes to write directly into /var/run. This is rude + # on a modern system, so we use libredirect to transparently + # move those files into /run/pppd. + LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so"; + NIX_REDIRECTS = "/var/run=/run/pppd"; + }; + serviceConfig = { + ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog"; + Restart = "always"; + RestartSec = 5; + + AmbientCapabilities = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN"; + CapabilityBoundingSet = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN"; + KeyringMode = "private"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateMounts = true; + PrivateTmp = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelModules = true; + # pppd can be configured to tweak kernel settings. + ProtectKernelTunables = false; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = "AF_PACKET AF_UNIX AF_PPPOX AF_ATMPVC AF_ATMSVC AF_INET AF_INET6 AF_IPX"; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SecureBits = "no-setuid-fixup-locked noroot-locked"; + SystemCallFilter = "@system-service"; + SystemCallArchitectures = "native"; + + # All pppd instances on a system must share a runtime + # directory in order for PPP multilink to work correctly. So + # we give all instances the same /run/pppd directory to store + # things in. + # + # For the same reason, we can't set PrivateUsers=true, because + # all instances need to run as the same user to access the + # multilink database. + RuntimeDirectory = "pppd"; + RuntimeDirectoryPreserve = true; + }; + wantedBy = mkIf peerCfg.autostart [ "multi-user.target" ]; + }; + }; + + etcFiles = listToAttrs (map mkEtc enabledConfigs); + systemdConfigs = listToAttrs (map mkSystemd enabledConfigs); + + in mkIf cfg.enable { + environment.etc = mkMerge etcFiles; + systemd.services = mkMerge systemdConfigs; + }; +} diff --git a/nixpkgs/nixos/modules/services/networking/prayer.nix b/nixpkgs/nixos/modules/services/networking/prayer.nix index c936417e68cb..9c9eeba23da2 100644 --- a/nixpkgs/nixos/modules/services/networking/prayer.nix +++ b/nixpkgs/nixos/modules/services/networking/prayer.nix @@ -72,17 +72,14 @@ in config = mkIf config.services.prayer.enable { environment.systemPackages = [ prayer ]; - users.users = singleton - { name = prayerUser; - uid = config.ids.uids.prayer; + users.users.${prayerUser} = + { uid = config.ids.uids.prayer; description = "Prayer daemon user"; home = stateDir; }; - users.groups = singleton - { name = prayerGroup; - gid = config.ids.gids.prayer; - }; + users.groups.${prayerGroup} = + { gid = config.ids.gids.prayer; }; systemd.services.prayer = { wantedBy = [ "multi-user.target" ]; diff --git a/nixpkgs/nixos/modules/services/networking/privoxy.nix b/nixpkgs/nixos/modules/services/networking/privoxy.nix index 49ca839a2c37..1f41c720adf5 100644 --- a/nixpkgs/nixos/modules/services/networking/privoxy.nix +++ b/nixpkgs/nixos/modules/services/networking/privoxy.nix @@ -109,4 +109,6 @@ in }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/networking/quassel.nix b/nixpkgs/nixos/modules/services/networking/quassel.nix index b495b3948fb5..52ecd90b7c69 100644 --- a/nixpkgs/nixos/modules/services/networking/quassel.nix +++ b/nixpkgs/nixos/modules/services/networking/quassel.nix @@ -92,17 +92,21 @@ in message = "Quassel needs a certificate file in order to require SSL"; }]; - users.users = mkIf (cfg.user == null) [ - { name = "quassel"; + users.users = optionalAttrs (cfg.user == null) { + quassel = { + name = "quassel"; description = "Quassel IRC client daemon"; group = "quassel"; uid = config.ids.uids.quassel; - }]; + }; + }; - users.groups = mkIf (cfg.user == null) [ - { name = "quassel"; + users.groups = optionalAttrs (cfg.user == null) { + quassel = { + name = "quassel"; gid = config.ids.gids.quassel; - }]; + }; + }; systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' - ${user} - - -" diff --git a/nixpkgs/nixos/modules/services/networking/radicale.nix b/nixpkgs/nixos/modules/services/networking/radicale.nix index 1daced4a6c70..30bf22586f86 100644 --- a/nixpkgs/nixos/modules/services/networking/radicale.nix +++ b/nixpkgs/nixos/modules/services/networking/radicale.nix @@ -59,18 +59,15 @@ in config = mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; - users.users = singleton - { name = "radicale"; - uid = config.ids.uids.radicale; + users.users.radicale = + { uid = config.ids.uids.radicale; description = "radicale user"; home = "/var/lib/radicale"; createHome = true; }; - users.groups = singleton - { name = "radicale"; - gid = config.ids.gids.radicale; - }; + users.groups.radicale = + { gid = config.ids.gids.radicale; }; systemd.services.radicale = { description = "A Simple Calendar and Contact Server"; diff --git a/nixpkgs/nixos/modules/services/networking/searx.nix b/nixpkgs/nixos/modules/services/networking/searx.nix index 9412d0ef8a62..60fb3d5d6d44 100644 --- a/nixpkgs/nixos/modules/services/networking/searx.nix +++ b/nixpkgs/nixos/modules/services/networking/searx.nix @@ -75,4 +75,6 @@ in }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/networking/shairport-sync.nix b/nixpkgs/nixos/modules/services/networking/shairport-sync.nix index 68e005ab81da..2e988e0ca2e0 100644 --- a/nixpkgs/nixos/modules/services/networking/shairport-sync.nix +++ b/nixpkgs/nixos/modules/services/networking/shairport-sync.nix @@ -55,9 +55,8 @@ in services.avahi.publish.enable = true; services.avahi.publish.userServices = true; - users.users = singleton - { name = cfg.user; - description = "Shairport user"; + users.users.${cfg.user} = + { description = "Shairport user"; isSystemUser = true; createHome = true; home = "/var/lib/shairport-sync"; diff --git a/nixpkgs/nixos/modules/services/networking/shorewall.nix b/nixpkgs/nixos/modules/services/networking/shorewall.nix new file mode 100644 index 000000000000..0f94d414fcf7 --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/shorewall.nix @@ -0,0 +1,75 @@ +{ config, lib, pkgs, ... }: +let + types = lib.types; + cfg = config.services.shorewall; +in { + options = { + services.shorewall = { + enable = lib.mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable Shorewall IPv4 Firewall. + <warning> + <para> + Enabling this service WILL disable the existing NixOS + firewall! Default firewall rules provided by packages are not + considered at the moment. + </para> + </warning> + ''; + }; + package = lib.mkOption { + type = types.package; + default = pkgs.shorewall; + defaultText = "pkgs.shorewall"; + description = "The shorewall package to use."; + }; + configs = lib.mkOption { + type = types.attrsOf types.str; + default = {}; + description = '' + This option defines the Shorewall configs. + The attribute name defines the name of the config, + and the attribute value defines the content of the config. + ''; + apply = lib.mapAttrs (name: text: pkgs.writeText "${name}" text); + }; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.firewall.enable = false; + systemd.services.shorewall = { + description = "Shorewall IPv4 Firewall"; + after = [ "ipset.target" ]; + before = [ "network-pre.target" ]; + wants = [ "network-pre.target" ]; + wantedBy = [ "multi-user.target" ]; + reloadIfChanged = true; + restartTriggers = lib.attrValues cfg.configs; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + ExecStart = "${cfg.package}/bin/shorewall start"; + ExecReload = "${cfg.package}/bin/shorewall reload"; + ExecStop = "${cfg.package}/bin/shorewall stop"; + }; + preStart = '' + install -D -d -m 750 /var/lib/shorewall + install -D -d -m 755 /var/lock/subsys + touch /var/log/shorewall.log + chown 750 /var/log/shorewall.log + ''; + }; + environment = { + etc = lib.mapAttrsToList + (name: file: + { source = file; + target = "shorewall/${name}"; + }) + cfg.configs; + systemPackages = [ cfg.package ]; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/networking/shorewall6.nix b/nixpkgs/nixos/modules/services/networking/shorewall6.nix new file mode 100644 index 000000000000..9c22a037c0b4 --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/shorewall6.nix @@ -0,0 +1,75 @@ +{ config, lib, pkgs, ... }: +let + types = lib.types; + cfg = config.services.shorewall6; +in { + options = { + services.shorewall6 = { + enable = lib.mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable Shorewall IPv6 Firewall. + <warning> + <para> + Enabling this service WILL disable the existing NixOS + firewall! Default firewall rules provided by packages are not + considered at the moment. + </para> + </warning> + ''; + }; + package = lib.mkOption { + type = types.package; + default = pkgs.shorewall; + defaultText = "pkgs.shorewall"; + description = "The shorewall package to use."; + }; + configs = lib.mkOption { + type = types.attrsOf types.str; + default = {}; + description = '' + This option defines the Shorewall configs. + The attribute name defines the name of the config, + and the attribute value defines the content of the config. + ''; + apply = lib.mapAttrs (name: text: pkgs.writeText "${name}" text); + }; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.firewall.enable = false; + systemd.services.shorewall6 = { + description = "Shorewall IPv6 Firewall"; + after = [ "ipset.target" ]; + before = [ "network-pre.target" ]; + wants = [ "network-pre.target" ]; + wantedBy = [ "multi-user.target" ]; + reloadIfChanged = true; + restartTriggers = lib.attrValues cfg.configs; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + ExecStart = "${cfg.package}/bin/shorewall6 start"; + ExecReload = "${cfg.package}/bin/shorewall6 reload"; + ExecStop = "${cfg.package}/bin/shorewall6 stop"; + }; + preStart = '' + install -D -d -m 750 /var/lib/shorewall6 + install -D -d -m 755 /var/lock/subsys + touch /var/log/shorewall6.log + chown 750 /var/log/shorewall6.log + ''; + }; + environment = { + etc = lib.mapAttrsToList + (name: file: + { source = file; + target = "shorewall6/${name}"; + }) + cfg.configs; + systemPackages = [ cfg.package ]; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/networking/shout.nix b/nixpkgs/nixos/modules/services/networking/shout.nix index e548ec66962a..a808a7f39d05 100644 --- a/nixpkgs/nixos/modules/services/networking/shout.nix +++ b/nixpkgs/nixos/modules/services/networking/shout.nix @@ -82,8 +82,7 @@ in { }; config = mkIf cfg.enable { - users.users = singleton { - name = "shout"; + users.users.shout = { uid = config.ids.uids.shout; description = "Shout daemon user"; home = shoutHome; diff --git a/nixpkgs/nixos/modules/services/networking/smokeping.nix b/nixpkgs/nixos/modules/services/networking/smokeping.nix index d4d0594a9cdd..37ee2a803890 100644 --- a/nixpkgs/nixos/modules/services/networking/smokeping.nix +++ b/nixpkgs/nixos/modules/services/networking/smokeping.nix @@ -280,8 +280,7 @@ in fping6.source = "${pkgs.fping}/bin/fping6"; }; environment.systemPackages = [ pkgs.fping ]; - users.users = singleton { - name = cfg.user; + users.users.${cfg.user} = { isNormalUser = false; isSystemUser = true; uid = config.ids.uids.smokeping; @@ -299,7 +298,8 @@ in mkdir -m 0755 -p ${smokepingHome}/cache ${smokepingHome}/data rm -f ${smokepingHome}/cropper ln -s ${cfg.package}/htdocs/cropper ${smokepingHome}/cropper - cp ${cgiHome} ${smokepingHome}/smokeping.fcgi + rm -f ${smokepingHome}/smokeping.fcgi + ln -s ${cgiHome} ${smokepingHome}/smokeping.fcgi ${cfg.package}/bin/smokeping --check --config=${configPath} ${cfg.package}/bin/smokeping --static --config=${configPath} ''; @@ -314,5 +314,7 @@ in serviceConfig.Restart = "always"; }; }; + + meta.maintainers = with lib.maintainers; [ erictapen ]; } diff --git a/nixpkgs/nixos/modules/services/networking/spacecookie.nix b/nixpkgs/nixos/modules/services/networking/spacecookie.nix new file mode 100644 index 000000000000..c4d06df6ad4a --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/spacecookie.nix @@ -0,0 +1,83 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.spacecookie; + configFile = pkgs.writeText "spacecookie.json" (lib.generators.toJSON {} { + inherit (cfg) hostname port root; + }); +in { + + options = { + + services.spacecookie = { + + enable = mkEnableOption "spacecookie"; + + hostname = mkOption { + type = types.str; + default = "localhost"; + description = "The hostname the service is reachable via. Clients will use this hostname for further requests after loading the initial gopher menu."; + }; + + port = mkOption { + type = types.port; + default = 70; + description = "Port the gopher service should be exposed on."; + }; + + root = mkOption { + type = types.path; + default = "/srv/gopher"; + description = "The root directory spacecookie serves via gopher."; + }; + }; + }; + + config = mkIf cfg.enable { + + systemd.sockets.spacecookie = { + description = "Socket for the Spacecookie Gopher Server"; + wantedBy = [ "sockets.target" ]; + listenStreams = [ "[::]:${toString cfg.port}" ]; + socketConfig = { + BindIPv6Only = "both"; + }; + }; + + systemd.services.spacecookie = { + description = "Spacecookie Gopher Server"; + wantedBy = [ "multi-user.target" ]; + requires = [ "spacecookie.socket" ]; + + serviceConfig = { + Type = "notify"; + ExecStart = "${pkgs.haskellPackages.spacecookie}/bin/spacecookie ${configFile}"; + FileDescriptorStoreMax = 1; + + DynamicUser = true; + + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateUsers = true; + + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + LockPersonality = true; + RestrictRealtime = true; + + # AF_UNIX for communication with systemd + # AF_INET replaced by BindIPv6Only=both + RestrictAddressFamilies = "AF_UNIX AF_INET6"; + }; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix index df4fed46d34a..5d5302f76fb4 100644 --- a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix @@ -74,6 +74,10 @@ let in { + imports = [ + (mkAliasOptionModule [ "services" "sshd" "enable" ] [ "services" "openssh" "enable" ]) + (mkAliasOptionModule [ "services" "openssh" "knownHosts" ] [ "programs" "ssh" "knownHosts" ]) + ]; ###### interface diff --git a/nixpkgs/nixos/modules/services/networking/stunnel.nix b/nixpkgs/nixos/modules/services/networking/stunnel.nix index cbc899f2b4d7..ab51bba2f6ac 100644 --- a/nixpkgs/nixos/modules/services/networking/stunnel.nix +++ b/nixpkgs/nixos/modules/services/networking/stunnel.nix @@ -57,7 +57,13 @@ let }; CAPath = mkOption { - type = types.path; + type = types.nullOr types.path; + default = null; + description = "Path to a directory containing certificates to validate against."; + }; + + CAFile = mkOption { + type = types.nullOr types.path; default = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; description = "Path to a file containing certificates to validate against."; }; @@ -196,6 +202,7 @@ in verifyChain = ${yesNo v.verifyChain} verifyPeer = ${yesNo v.verifyPeer} ${optionalString (v.CAPath != null) "CApath = ${v.CAPath}"} + ${optionalString (v.CAFile != null) "CAFile = ${v.CAFile}"} ${optionalString (v.verifyHostname != null) "checkHost = ${v.verifyHostname}"} OCSPaia = yes @@ -216,6 +223,12 @@ in }; }; + meta.maintainers = with maintainers; [ + # Server side + lschuermann + # Client side + das_j + ]; }; } diff --git a/nixpkgs/nixos/modules/services/networking/supybot.nix b/nixpkgs/nixos/modules/services/networking/supybot.nix index 64eb11068329..92c84bd0e1e2 100644 --- a/nixpkgs/nixos/modules/services/networking/supybot.nix +++ b/nixpkgs/nixos/modules/services/networking/supybot.nix @@ -45,8 +45,7 @@ in environment.systemPackages = [ pkgs.pythonPackages.limnoria ]; - users.users = singleton { - name = "supybot"; + users.users.supybotrs = { uid = config.ids.uids.supybot; group = "supybot"; description = "Supybot IRC bot user"; @@ -55,7 +54,6 @@ in }; users.groups.supybot = { - name = "supybot"; gid = config.ids.gids.supybot; }; diff --git a/nixpkgs/nixos/modules/services/networking/syncthing.nix b/nixpkgs/nixos/modules/services/networking/syncthing.nix index 165fd5970cf8..47b10e408c02 100644 --- a/nixpkgs/nixos/modules/services/networking/syncthing.nix +++ b/nixpkgs/nixos/modules/services/networking/syncthing.nix @@ -18,6 +18,7 @@ let fsWatcherEnabled = folder.watch; fsWatcherDelayS = folder.watchDelay; ignorePerms = folder.ignorePerms; + versioning = folder.versioning; }) (filterAttrs ( _: folder: folder.enable @@ -111,12 +112,12 @@ in { addresses = [ "tcp://192.168.0.10:51820" ]; }; }; - type = types.attrsOf (types.submodule ({ config, ... }: { + type = types.attrsOf (types.submodule ({ name, ... }: { options = { name = mkOption { type = types.str; - default = config._module.args.name; + default = name; description = '' Name of the device ''; @@ -174,7 +175,7 @@ in { devices = [ "bigbox" ]; }; }; - type = types.attrsOf (types.submodule ({ config, ... }: { + type = types.attrsOf (types.submodule ({ name, ... }: { options = { enable = mkOption { @@ -189,7 +190,7 @@ in { path = mkOption { type = types.str; - default = config._module.args.name; + default = name; description = '' The path to the folder which should be shared. ''; @@ -197,7 +198,7 @@ in { id = mkOption { type = types.str; - default = config._module.args.name; + default = name; description = '' The id of the folder. Must be the same on all devices. ''; @@ -205,7 +206,7 @@ in { label = mkOption { type = types.str; - default = config._module.args.name; + default = name; description = '' The label of the folder. ''; @@ -220,6 +221,69 @@ in { ''; }; + versioning = mkOption { + default = null; + description = '' + How to keep changed/deleted files with syncthing. + There are 4 different types of versioning with different parameters. + See https://docs.syncthing.net/users/versioning.html + ''; + example = [ + { + versioning = { + type = "simple"; + params.keep = "10"; + }; + } + { + versioning = { + type = "trashcan"; + params.cleanoutDays = "1000"; + }; + } + { + versioning = { + type = "staggered"; + params = { + cleanInterval = "3600"; + maxAge = "31536000"; + versionsPath = "/syncthing/backup"; + }; + }; + } + { + versioning = { + type = "external"; + params.versionsPath = pkgs.writers.writeBash "backup" '' + folderpath="$1" + filepath="$2" + rm -rf "$folderpath/$filepath" + ''; + }; + } + ]; + type = with types; nullOr (submodule { + options = { + type = mkOption { + type = enum [ "external" "simple" "staggered" "trashcan" ]; + description = '' + Type of versioning. + See https://docs.syncthing.net/users/versioning.html + ''; + }; + params = mkOption { + type = attrsOf (either str path); + description = '' + Parameters for versioning. Structure depends on versioning.type. + See https://docs.syncthing.net/users/versioning.html + ''; + }; + }; + }); + }; + + + rescanInterval = mkOption { type = types.int; default = 3600; diff --git a/nixpkgs/nixos/modules/services/networking/tcpcrypt.nix b/nixpkgs/nixos/modules/services/networking/tcpcrypt.nix index a0ccb9950094..18f2e135124b 100644 --- a/nixpkgs/nixos/modules/services/networking/tcpcrypt.nix +++ b/nixpkgs/nixos/modules/services/networking/tcpcrypt.nix @@ -29,8 +29,7 @@ in config = mkIf cfg.enable { - users.users = singleton { - name = "tcpcryptd"; + users.users.tcpcryptd = { uid = config.ids.uids.tcpcryptd; description = "tcpcrypt daemon user"; }; diff --git a/nixpkgs/nixos/modules/services/networking/thelounge.nix b/nixpkgs/nixos/modules/services/networking/thelounge.nix index b1d23372955e..875d8f661697 100644 --- a/nixpkgs/nixos/modules/services/networking/thelounge.nix +++ b/nixpkgs/nixos/modules/services/networking/thelounge.nix @@ -56,6 +56,7 @@ in { users.users.thelounge = { description = "thelounge service user"; group = "thelounge"; + isSystemUser = true; }; users.groups.thelounge = {}; systemd.services.thelounge = { diff --git a/nixpkgs/nixos/modules/services/networking/tinydns.nix b/nixpkgs/nixos/modules/services/networking/tinydns.nix index 7d5db71601ef..79507b2ebcdd 100644 --- a/nixpkgs/nixos/modules/services/networking/tinydns.nix +++ b/nixpkgs/nixos/modules/services/networking/tinydns.nix @@ -32,11 +32,12 @@ with lib; config = mkIf config.services.tinydns.enable { environment.systemPackages = [ pkgs.djbdns ]; - users.users.tinydns = {}; + users.users.tinydns.isSystemUser = true; systemd.services.tinydns = { description = "djbdns tinydns server"; wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; path = with pkgs; [ daemontools djbdns ]; preStart = '' rm -rf /var/lib/tinydns diff --git a/nixpkgs/nixos/modules/services/networking/tox-bootstrapd.nix b/nixpkgs/nixos/modules/services/networking/tox-bootstrapd.nix index 1d3492151690..f88e34827d00 100644 --- a/nixpkgs/nixos/modules/services/networking/tox-bootstrapd.nix +++ b/nixpkgs/nixos/modules/services/networking/tox-bootstrapd.nix @@ -56,9 +56,8 @@ in config = mkIf config.services.toxBootstrapd.enable { - users.users = singleton - { name = "tox-bootstrapd"; - uid = config.ids.uids.tox-bootstrapd; + users.users.tox-bootstrapd = + { uid = config.ids.uids.tox-bootstrapd; description = "Tox bootstrap daemon user"; inherit home; createHome = true; diff --git a/nixpkgs/nixos/modules/services/networking/trickster.nix b/nixpkgs/nixos/modules/services/networking/trickster.nix new file mode 100644 index 000000000000..8760dd5a9382 --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/trickster.nix @@ -0,0 +1,112 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.trickster; +in +{ + + options = { + services.trickster = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable Trickster. + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.trickster; + defaultText = "pkgs.trickster"; + description = '' + Package that should be used for trickster. + ''; + }; + + configFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Path to configuration file. + ''; + }; + + instance-id = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + Instance ID for when running multiple processes (default null). + ''; + }; + + log-level = mkOption { + type = types.str; + default = "info"; + description = '' + Level of Logging to use (debug, info, warn, error) (default "info"). + ''; + }; + + metrics-port = mkOption { + type = types.port; + default = 8082; + description = '' + Port that the /metrics endpoint will listen on. + ''; + }; + + origin = mkOption { + type = types.str; + default = "http://prometheus:9090"; + description = '' + URL to the Prometheus Origin. Enter it like you would in grafana, e.g., http://prometheus:9090 (default http://prometheus:9090). + ''; + }; + + profiler-port = mkOption { + type = types.nullOr types.port; + default = null; + description = '' + Port that the /debug/pprof endpoint will listen on. + ''; + }; + + proxy-port = mkOption { + type = types.port; + default = 9090; + description = '' + Port that the Proxy server will listen on. + ''; + }; + + }; + }; + + config = mkIf cfg.enable { + systemd.services.trickster = { + description = "Dashboard Accelerator for Prometheus"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + DynamicUser = true; + ExecStart = '' + ${cfg.package}/bin/trickster \ + -log-level ${cfg.log-level} \ + -metrics-port ${toString cfg.metrics-port} \ + -origin ${cfg.origin} \ + -proxy-port ${toString cfg.proxy-port} \ + ${optionalString (cfg.configFile != null) "-config ${cfg.configFile}"} \ + ${optionalString (cfg.profiler-port != null) "-profiler-port ${cfg.profiler-port}"} \ + ${optionalString (cfg.instance-id != null) "-instance-id ${cfg.instance-id}"} + ''; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Restart = "always"; + }; + }; + + }; +} + diff --git a/nixpkgs/nixos/modules/services/networking/unbound.nix b/nixpkgs/nixos/modules/services/networking/unbound.nix index 3cf82e8839bb..baed83591e1e 100644 --- a/nixpkgs/nixos/modules/services/networking/unbound.nix +++ b/nixpkgs/nixos/modules/services/networking/unbound.nix @@ -53,6 +53,13 @@ in enable = mkEnableOption "Unbound domain name server"; + package = mkOption { + type = types.package; + default = pkgs.unbound; + defaultText = "pkgs.unbound"; + description = "The unbound package to use"; + }; + allowedAccess = mkOption { default = [ "127.0.0.0/24" ]; type = types.listOf types.str; @@ -94,7 +101,7 @@ in config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.unbound ]; + environment.systemPackages = [ cfg.package ]; users.users.unbound = { description = "unbound daemon user"; @@ -114,7 +121,7 @@ in mkdir -m 0755 -p ${stateDir}/dev/ cp ${confFile} ${stateDir}/unbound.conf ${optionalString cfg.enableRootTrustAnchor '' - ${pkgs.unbound}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "Root anchor updated!" + ${cfg.package}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "Root anchor updated!" chown unbound ${stateDir} ${rootTrustAnchorFile} ''} touch ${stateDir}/dev/random @@ -122,7 +129,7 @@ in ''; serviceConfig = { - ExecStart = "${pkgs.unbound}/bin/unbound -d -c ${stateDir}/unbound.conf"; + ExecStart = "${cfg.package}/bin/unbound -d -c ${stateDir}/unbound.conf"; ExecStopPost="${pkgs.utillinux}/bin/umount ${stateDir}/dev/random"; ProtectSystem = true; diff --git a/nixpkgs/nixos/modules/services/networking/v2ray.nix b/nixpkgs/nixos/modules/services/networking/v2ray.nix new file mode 100644 index 000000000000..a1774cdffbb9 --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/v2ray.nix @@ -0,0 +1,81 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + options = { + + services.v2ray = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to run v2ray server. + + Either <literal>configFile</literal> or <literal>config</literal> must be specified. + ''; + }; + + configFile = mkOption { + type = types.nullOr types.str; + default = null; + example = "/etc/v2ray/config.json"; + description = '' + The absolute path to the configuration file. + + Either <literal>configFile</literal> or <literal>config</literal> must be specified. + + See <link xlink:href="https://v2ray.com/en/configuration/overview.html"/>. + ''; + }; + + config = mkOption { + type = types.nullOr (types.attrsOf types.unspecified); + default = null; + example = { + inbounds = [{ + port = 1080; + listen = "127.0.0.1"; + protocol = "http"; + }]; + outbounds = [{ + protocol = "freedom"; + }]; + }; + description = '' + The configuration object. + + Either `configFile` or `config` must be specified. + + See <link xlink:href="https://v2ray.com/en/configuration/overview.html"/>. + ''; + }; + }; + + }; + + config = let + cfg = config.services.v2ray; + configFile = if cfg.configFile != null + then cfg.configFile + else (pkgs.writeText "v2ray.json" (builtins.toJSON cfg.config)); + + in mkIf cfg.enable { + assertions = [ + { + assertion = (cfg.configFile == null) != (cfg.config == null); + message = "Either but not both `configFile` and `config` should be specified for v2ray."; + } + ]; + + systemd.services.v2ray = { + description = "v2ray Daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.v2ray ]; + script = '' + exec v2ray -config ${configFile} + ''; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/networking/vsftpd.nix b/nixpkgs/nixos/modules/services/networking/vsftpd.nix index 67be60da5673..47990dbb3772 100644 --- a/nixpkgs/nixos/modules/services/networking/vsftpd.nix +++ b/nixpkgs/nixos/modules/services/networking/vsftpd.nix @@ -34,6 +34,15 @@ let }; optionDescription = [ + (yesNoOption "allowWriteableChroot" "allow_writeable_chroot" false '' + Allow the use of writeable root inside chroot(). + '') + (yesNoOption "virtualUseLocalPrivs" "virtual_use_local_privs" false '' + If enabled, virtual users will use the same privileges as local + users. By default, virtual users will use the same privileges as + anonymous users, which tends to be more restrictive (especially + in terms of write access). + '') (yesNoOption "anonymousUser" "anonymous_enable" false '' Whether to enable the anonymous FTP user. '') @@ -76,9 +85,21 @@ let outgoing data connections can only connect to the client. Only enable if you know what you are doing! '') - (yesNoOption "ssl_tlsv1" "ssl_tlsv1" true '' '') - (yesNoOption "ssl_sslv2" "ssl_sslv2" false '' '') - (yesNoOption "ssl_sslv3" "ssl_sslv3" false '' '') + (yesNoOption "ssl_tlsv1" "ssl_tlsv1" true '' + Only applies if <option>ssl_enable</option> is activated. If + enabled, this option will permit TLS v1 protocol connections. + TLS v1 connections are preferred. + '') + (yesNoOption "ssl_sslv2" "ssl_sslv2" false '' + Only applies if <option>ssl_enable</option> is activated. If + enabled, this option will permit SSL v2 protocol connections. + TLS v1 connections are preferred. + '') + (yesNoOption "ssl_sslv3" "ssl_sslv3" false '' + Only applies if <option>ssl_enable</option> is activated. If + enabled, this option will permit SSL v3 protocol connections. + TLS v1 connections are preferred. + '') ]; configFile = pkgs.writeText "vsftpd.conf" @@ -98,6 +119,9 @@ let listen=YES nopriv_user=vsftpd secure_chroot_dir=/var/empty + ${optionalString (cfg.localRoot != null) '' + local_root=${cfg.localRoot} + ''} syslog_enable=YES ${optionalString (pkgs.stdenv.hostPlatform.system == "x86_64-linux") '' seccomp_sandbox=NO @@ -106,6 +130,11 @@ let ${optionalString cfg.anonymousUser '' anon_root=${cfg.anonymousUserHome} ''} + ${optionalString cfg.enableVirtualUsers '' + guest_enable=YES + guest_username=vsftpd + pam_service_name=vsftpd + ''} ${cfg.extraConfig} ''; @@ -119,10 +148,7 @@ in services.vsftpd = { - enable = mkOption { - default = false; - description = "Whether to enable the vsftpd FTP server."; - }; + enable = mkEnableOption "vsftpd"; userlist = mkOption { default = []; @@ -143,6 +169,61 @@ in ''; }; + enableVirtualUsers = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the <literal>pam_userdb</literal>-based + virtual user system + ''; + }; + + userDbPath = mkOption { + type = types.nullOr types.str; + example = "/etc/vsftpd/userDb"; + default = null; + description = '' + Only applies if <option>enableVirtualUsers</option> is true. + Path pointing to the <literal>pam_userdb</literal> user + database used by vsftpd to authenticate the virtual users. + + This user list should be stored in the Berkeley DB database + format. + + To generate a new user database, create a text file, add + your users using the following format: + <programlisting> + user1 + password1 + user2 + password2 + </programlisting> + + You can then install <literal>pkgs.db</literal> to generate + the Berkeley DB using + <programlisting> + db_load -T -t hash -f logins.txt userDb.db + </programlisting> + + Caution: <literal>pam_userdb</literal> will automatically + append a <literal>.db</literal> suffix to the filename you + provide though this option. This option shouldn't include + this filetype suffix. + ''; + }; + + localRoot = mkOption { + type = types.nullOr types.str; + default = null; + example = "/var/www/$USER"; + description = '' + This option represents a directory which vsftpd will try to + change into after a local (i.e. non- anonymous) login. + + Failure is silently ignored. + ''; + }; + anonymousUserHome = mkOption { type = types.path; default = "/home/ftp/"; @@ -186,26 +267,34 @@ in config = mkIf cfg.enable { - assertions = singleton + assertions = [ { assertion = (cfg.forceLocalLoginsSSL -> cfg.rsaCertFile != null) && (cfg.forceLocalDataSSL -> cfg.rsaCertFile != null); message = "vsftpd: If forceLocalLoginsSSL or forceLocalDataSSL is true then a rsaCertFile must be provided!"; + } + { + assertion = (cfg.enableVirtualUsers -> cfg.userDbPath != null) + && (cfg.enableVirtualUsers -> cfg.localUsers != null); + message = "vsftpd: If enableVirtualUsers is true, you need to setup both the userDbPath and localUsers options."; + }]; + + users.users = { + "vsftpd" = { + uid = config.ids.uids.vsftpd; + description = "VSFTPD user"; + home = if cfg.localRoot != null + then cfg.localRoot # <= Necessary for virtual users. + else "/homeless-shelter"; }; - - users.users = - [ { name = "vsftpd"; - uid = config.ids.uids.vsftpd; - description = "VSFTPD user"; - home = "/homeless-shelter"; - } - ] ++ optional cfg.anonymousUser - { name = "ftp"; + } // optionalAttrs cfg.anonymousUser { + "ftp" = { name = "ftp"; uid = config.ids.uids.ftp; group = "ftp"; description = "Anonymous FTP user"; home = cfg.anonymousUserHome; }; + }; users.groups.ftp.gid = config.ids.gids.ftp; @@ -213,23 +302,24 @@ in # = false and whitelist root services.vsftpd.userlist = if cfg.userlistDeny then ["root"] else []; - systemd.services.vsftpd = - { description = "Vsftpd Server"; + systemd = { + tmpfiles.rules = optional cfg.anonymousUser + #Type Path Mode User Gr Age Arg + "d '${builtins.toString cfg.anonymousUserHome}' 0555 'ftp' 'ftp' - -"; + services.vsftpd = { + description = "Vsftpd Server"; wantedBy = [ "multi-user.target" ]; - preStart = - optionalString cfg.anonymousUser - '' - mkdir -p -m 555 ${cfg.anonymousUserHome} - chown -R ftp:ftp ${cfg.anonymousUserHome} - ''; - serviceConfig.ExecStart = "@${vsftpd}/sbin/vsftpd vsftpd ${configFile}"; serviceConfig.Restart = "always"; serviceConfig.Type = "forking"; }; + }; + security.pam.services.vsftpd.text = mkIf (cfg.enableVirtualUsers && cfg.userDbPath != null)'' + auth required pam_userdb.so db=${cfg.userDbPath} + account required pam_userdb.so db=${cfg.userDbPath} + ''; }; - } diff --git a/nixpkgs/nixos/modules/services/networking/wireguard.nix b/nixpkgs/nixos/modules/services/networking/wireguard.nix index 4176da2c8cb8..980961225c9e 100644 --- a/nixpkgs/nixos/modules/services/networking/wireguard.nix +++ b/nixpkgs/nixos/modules/services/networking/wireguard.nix @@ -112,6 +112,32 @@ let Determines whether to add allowed IPs as routes or not. ''; }; + + socketNamespace = mkOption { + default = null; + type = with types; nullOr str; + example = "container"; + description = ''The pre-existing network namespace in which the + WireGuard interface is created, and which retains the socket even if the + interface is moved via <option>interfaceNamespace</option>. When + <literal>null</literal>, the interface is created in the init namespace. + See <link + xlink:href="https://www.wireguard.com/netns/">documentation</link>. + ''; + }; + + interfaceNamespace = mkOption { + default = null; + type = with types; nullOr str; + example = "init"; + description = ''The pre-existing network namespace the WireGuard + interface is moved to. The special value <literal>init</literal> means + the init namespace. When <literal>null</literal>, the interface is not + moved. + See <link + xlink:href="https://www.wireguard.com/netns/">documentation</link>. + ''; + }; }; }; @@ -239,6 +265,10 @@ let if peer.presharedKey != null then pkgs.writeText "wg-psk" peer.presharedKey else peer.presharedKeyFile; + src = interfaceCfg.socketNamespace; + dst = interfaceCfg.interfaceNamespace; + ip = nsWrap "ip" src dst; + wg = nsWrap "wg" src dst; in nameValuePair "wireguard-${interfaceName}-peer-${unitName}" { description = "WireGuard Peer - ${interfaceName} - ${peer.publicKey}"; @@ -255,16 +285,16 @@ let }; script = let - wg_setup = "wg set ${interfaceName} peer ${peer.publicKey}" + + wg_setup = "${wg} set ${interfaceName} peer ${peer.publicKey}" + optionalString (psk != null) " preshared-key ${psk}" + optionalString (peer.endpoint != null) " endpoint ${peer.endpoint}" + optionalString (peer.persistentKeepalive != null) " persistent-keepalive ${toString peer.persistentKeepalive}" + optionalString (peer.allowedIPs != []) " allowed-ips ${concatStringsSep "," peer.allowedIPs}"; route_setup = - optionalString (interfaceCfg.allowedIPsAsRoutes != false) + optionalString interfaceCfg.allowedIPsAsRoutes (concatMapStringsSep "\n" (allowedIP: - "ip route replace ${allowedIP} dev ${interfaceName} table ${interfaceCfg.table}" + "${ip} route replace ${allowedIP} dev ${interfaceName} table ${interfaceCfg.table}" ) peer.allowedIPs); in '' ${wg_setup} @@ -272,13 +302,13 @@ let ''; postStop = let - route_destroy = optionalString (interfaceCfg.allowedIPsAsRoutes != false) + route_destroy = optionalString interfaceCfg.allowedIPsAsRoutes (concatMapStringsSep "\n" (allowedIP: - "ip route delete ${allowedIP} dev ${interfaceName} table ${interfaceCfg.table}" + "${ip} route delete ${allowedIP} dev ${interfaceName} table ${interfaceCfg.table}" ) peer.allowedIPs); in '' - wg set ${interfaceName} peer ${peer.publicKey} remove + ${wg} set ${interfaceName} peer ${peer.publicKey} remove ${route_destroy} ''; }; @@ -287,6 +317,13 @@ let # exactly one way to specify the private key must be set #assert (values.privateKey != null) != (values.privateKeyFile != null); let privKey = if values.privateKeyFile != null then values.privateKeyFile else pkgs.writeText "wg-key" values.privateKey; + src = values.socketNamespace; + dst = values.interfaceNamespace; + ipPreMove = nsWrap "ip" src null; + ipPostMove = nsWrap "ip" src dst; + wg = nsWrap "wg" src dst; + ns = if dst == "init" then "1" else dst; + in nameValuePair "wireguard-${name}" { @@ -307,26 +344,33 @@ let ${values.preSetup} - ip link add dev ${name} type wireguard + ${ipPreMove} link add dev ${name} type wireguard + ${optionalString (values.interfaceNamespace != null && values.interfaceNamespace != values.socketNamespace) "${ipPreMove} link set ${name} netns ${ns}"} ${concatMapStringsSep "\n" (ip: - "ip address add ${ip} dev ${name}" + "${ipPostMove} address add ${ip} dev ${name}" ) values.ips} - wg set ${name} private-key ${privKey} ${ + ${wg} set ${name} private-key ${privKey} ${ optionalString (values.listenPort != null) " listen-port ${toString values.listenPort}"} - ip link set up dev ${name} + ${ipPostMove} link set up dev ${name} ${values.postSetup} ''; postStop = '' - ip link del dev ${name} + ${ipPostMove} link del dev ${name} ${values.postShutdown} ''; }; + nsWrap = cmd: src: dst: + let + nsList = filter (ns: ns != null) [ src dst ]; + ns = last nsList; + in + if (length nsList > 0 && ns != "init") then "ip netns exec ${ns} ${cmd}" else cmd; in { diff --git a/nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix b/nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix index 63e59e7c8fac..8f05c3949fba 100644 --- a/nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix @@ -103,6 +103,13 @@ in { description = '' Set this to <literal>true</literal> if the SSID of the network is hidden. ''; + example = literalExample '' + { echelon = { + hidden = true; + psk = "abcdefgh"; + }; + } + ''; }; priority = mkOption { @@ -146,10 +153,13 @@ in { ''; default = {}; example = literalExample '' - { echelon = { + { echelon = { # SSID with no spaces or special characters psk = "abcdefgh"; }; - "free.wifi" = {}; + "echelon's AP" = { # SSID with spaces and/or special characters + psk = "ijklmnop"; + }; + "free.wifi" = {}; # Public wireless network } ''; }; @@ -226,9 +236,12 @@ in { ${if ifaces == [] then '' for i in $(cd /sys/class/net && echo *); do DEVTYPE= - source /sys/class/net/$i/uevent - if [ "$DEVTYPE" = "wlan" -o -e /sys/class/net/$i/wireless ]; then - ifaces="$ifaces''${ifaces:+ -N} -i$i" + UEVENT_PATH=/sys/class/net/$i/uevent + if [ -e "$UEVENT_PATH" ]; then + source "$UEVENT_PATH" + if [ "$DEVTYPE" = "wlan" -o -e /sys/class/net/$i/wireless ]; then + ifaces="$ifaces''${ifaces:+ -N} -i$i" + fi fi done '' else '' diff --git a/nixpkgs/nixos/modules/services/networking/yggdrasil.nix b/nixpkgs/nixos/modules/services/networking/yggdrasil.nix new file mode 100644 index 000000000000..9e675ecd6f4b --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/yggdrasil.nix @@ -0,0 +1,187 @@ +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.services.yggdrasil; + configProvided = (cfg.config != {}); + configAsFile = (if configProvided then + toString (pkgs.writeTextFile { + name = "yggdrasil-conf"; + text = builtins.toJSON cfg.config; + }) + else null); + configFileProvided = (cfg.configFile != null); + generateConfig = ( + if configProvided && configFileProvided then + "${pkgs.jq}/bin/jq -s add ${configAsFile} ${cfg.configFile}" + else if configProvided then + "cat ${configAsFile}" + else if configFileProvided then + "cat ${cfg.configFile}" + else + "${cfg.package}/bin/yggdrasil -genconf" + ); + +in { + options = with types; { + services.yggdrasil = { + enable = mkEnableOption "the yggdrasil system service"; + + configFile = mkOption { + type = nullOr str; + default = null; + example = "/run/keys/yggdrasil.conf"; + description = '' + A file which contains JSON configuration for yggdrasil. + + You do not have to supply a complete configuration, as + yggdrasil will use default values for anything which is + omitted. If the encryption and signing keys are omitted, + yggdrasil will generate new ones each time the service is + started, resulting in a random IPv6 address on the yggdrasil + network each time. + + If both this option and <option>config</option> are + supplied, they will be combined, with values from + <option>config</option> taking precedence. + + You can use the command <code>nix-shell -p yggdrasil --run + "yggdrasil -genconf -json"</code> to generate a default + JSON configuration. + ''; + }; + + config = mkOption { + type = attrs; + default = {}; + example = { + Peers = [ + "tcp://aa.bb.cc.dd:eeeee" + "tcp://[aaaa:bbbb:cccc:dddd::eeee]:fffff" + ]; + Listen = [ + "tcp://0.0.0.0:xxxxx" + ]; + }; + description = '' + Configuration for yggdrasil, as a Nix attribute set. + + Warning: this is stored in the WORLD-READABLE Nix store! + Therefore, it is not appropriate for private keys. If you + do not specify the keys, yggdrasil will generate a new set + each time the service is started, creating a random IPv6 + address on the yggdrasil network each time. + + If you wish to specify the keys, use + <option>configFile</option>. If both + <option>configFile</option> and <option>config</option> are + supplied, they will be combined, with values from + <option>config</option> taking precedence. + + You can use the command <code>nix-shell -p yggdrasil --run + "yggdrasil -genconf"</code> to generate default + configuration values with documentation. + ''; + }; + + openMulticastPort = mkOption { + type = bool; + default = false; + description = '' + Whether to open the UDP port used for multicast peer + discovery. The NixOS firewall blocks link-local + communication, so in order to make local peering work you + will also need to set <code>LinkLocalTCPPort</code> in your + yggdrasil configuration (<option>config</option> or + <option>configFile</option>) to a port number other than 0, + and then add that port to + <option>networking.firewall.allowedTCPPorts</option>. + ''; + }; + + denyDhcpcdInterfaces = mkOption { + type = listOf str; + default = []; + example = [ "tap*" ]; + description = '' + Disable the DHCP client for any interface whose name matches + any of the shell glob patterns in this list. Use this + option to prevent the DHCP client from broadcasting requests + on the yggdrasil network. It is only necessary to do so + when yggdrasil is running in TAP mode, because TUN + interfaces do not support broadcasting. + ''; + }; + + package = mkOption { + type = package; + default = pkgs.yggdrasil; + defaultText = "pkgs.yggdrasil"; + description = "Yggdrasil package to use."; + }; + }; + }; + + config = mkIf cfg.enable { + assertions = [ + { assertion = config.networking.enableIPv6; + message = "networking.enableIPv6 must be true for yggdrasil to work"; + } + ]; + + systemd.services.yggdrasil = { + description = "Yggdrasil Network Service"; + path = [ cfg.package ] ++ optional (configProvided && configFileProvided) pkgs.jq; + bindsTo = [ "network-online.target" ]; + after = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + + preStart = '' + ${generateConfig} | yggdrasil -normaliseconf -useconf > /run/yggdrasil/yggdrasil.conf + ''; + + serviceConfig = { + ExecStart = "${cfg.package}/bin/yggdrasil -useconffile /run/yggdrasil/yggdrasil.conf"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Restart = "always"; + + RuntimeDirectory = "yggdrasil"; + RuntimeDirectoryMode = "0700"; + BindReadOnlyPaths = mkIf configFileProvided + [ "${cfg.configFile}" ]; + + # TODO: as of yggdrasil 0.3.8 and systemd 243, yggdrasil fails + # to set up the network adapter when DynamicUser is set. See + # github.com/yggdrasil-network/yggdrasil-go/issues/557. The + # following options are implied by DynamicUser according to + # the systemd.exec documentation, and can be removed if the + # upstream issue is fixed and DynamicUser is set to true: + PrivateTmp = true; + RemoveIPC = true; + NoNewPrivileges = true; + ProtectSystem = "strict"; + RestrictSUIDSGID = true; + # End of list of options implied by DynamicUser. + + AmbientCapabilities = "CAP_NET_ADMIN"; + CapabilityBoundingSet = "CAP_NET_ADMIN"; + MemoryDenyWriteExecute = true; + ProtectControlGroups = true; + ProtectHome = "tmpfs"; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK"; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources"; + }; + }; + + networking.dhcpcd.denyInterfaces = cfg.denyDhcpcdInterfaces; + networking.firewall.allowedUDPPorts = mkIf cfg.openMulticastPort [ 9001 ]; + + # Make yggdrasilctl available on the command line. + environment.systemPackages = [ cfg.package ]; + }; + meta.maintainers = with lib.maintainers; [ gazally ]; +} diff --git a/nixpkgs/nixos/modules/services/networking/zeronet.nix b/nixpkgs/nixos/modules/services/networking/zeronet.nix index f4988a902685..f354a9d42c79 100644 --- a/nixpkgs/nixos/modules/services/networking/zeronet.nix +++ b/nixpkgs/nixos/modules/services/networking/zeronet.nix @@ -1,44 +1,39 @@ { config, lib, pkgs, ... }: let + inherit (lib) generators literalExample mkEnableOption mkIf mkOption recursiveUpdate types; cfg = config.services.zeronet; - - zConfFile = pkgs.writeTextFile { - name = "zeronet.conf"; - - text = '' - [global] - data_dir = ${cfg.dataDir} - log_dir = ${cfg.logDir} - '' + lib.optionalString (cfg.port != null) '' - ui_port = ${toString cfg.port} - '' + lib.optionalString (cfg.fileserverPort != null) '' - fileserver_port = ${toString cfg.fileserverPort} - '' + lib.optionalString (cfg.torAlways) '' - tor = always - '' + cfg.extraConfig; + dataDir = "/var/lib/zeronet"; + configFile = pkgs.writeText "zeronet.conf" (generators.toINI {} (recursiveUpdate defaultSettings cfg.settings)); + + defaultSettings = { + global = { + data_dir = dataDir; + log_dir = dataDir; + ui_port = cfg.port; + fileserver_port = cfg.fileserverPort; + tor = if !cfg.tor then "disable" else if cfg.torAlways then "always" else "enable"; + }; }; in with lib; { options.services.zeronet = { enable = mkEnableOption "zeronet"; - dataDir = mkOption { - type = types.path; - default = "/var/lib/zeronet"; - example = "/home/okina/zeronet"; - description = "Path to the zeronet data directory."; - }; + settings = mkOption { + type = with types; attrsOf (oneOf [ str int bool (listOf str) ]); + default = {}; + example = literalExample "global.tor = enable;"; - logDir = mkOption { - type = types.path; - default = "/var/log/zeronet"; - example = "/home/okina/zeronet/log"; - description = "Path to the zeronet log directory."; + description = '' + <filename>zeronet.conf</filename> configuration. Refer to + <link xlink:href="https://zeronet.readthedocs.io/en/latest/faq/#is-it-possible-to-use-a-configuration-file"/> + for details on supported values; + ''; }; port = mkOption { - type = types.nullOr types.int; - default = null; + type = types.int; + default = 43110; example = 43110; description = "Optional zeronet web UI port."; }; @@ -63,22 +58,13 @@ in with lib; { default = false; description = "Use TOR for all zeronet traffic."; }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - - description = '' - Extra configuration. Contents will be added verbatim to the - configuration file at the end. - ''; - }; }; config = mkIf cfg.enable { services.tor = mkIf cfg.tor { enable = true; controlPort = 9051; + extraConfig = '' CacheDirectoryGroupReadable 1 CookieAuthentication 1 @@ -86,37 +72,25 @@ in with lib; { ''; }; - systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' 750 zeronet zeronet - -" - "d '${cfg.logDir}' 750 zeronet zeronet - -" - ]; - systemd.services.zeronet = { description = "zeronet"; after = [ "network.target" (optionalString cfg.tor "tor.service") ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { - PrivateTmp = "yes"; User = "zeronet"; - Group = "zeronet"; - ExecStart = "${pkgs.zeronet}/bin/zeronet --config_file ${zConfFile}"; - }; - }; - - users = { - groups.zeronet.gid = config.ids.gids.zeronet; - - users.zeronet = { - description = "zeronet service user"; - home = cfg.dataDir; - createHome = true; - group = "zeronet"; - extraGroups = mkIf cfg.tor [ "tor" ]; - uid = config.ids.uids.zeronet; + DynamicUser = true; + StateDirectory = "zeronet"; + SupplementaryGroups = mkIf cfg.tor [ "tor" ]; + ExecStart = "${pkgs.zeronet}/bin/zeronet --config_file ${configFile}"; }; }; }; + imports = [ + (mkRemovedOptionModule [ "services" "zeronet" "dataDir" ] "Zeronet will store data by default in /var/lib/zeronet") + (mkRemovedOptionModule [ "services" "zeronet" "logDir" ] "Zeronet will log by default in /var/lib/zeronet") + ]; + meta.maintainers = with maintainers; [ chiiruno ]; } diff --git a/nixpkgs/nixos/modules/services/networking/znc/default.nix b/nixpkgs/nixos/modules/services/networking/znc/default.nix index 05f97bfa539f..a7315896c506 100644 --- a/nixpkgs/nixos/modules/services/networking/znc/default.nix +++ b/nixpkgs/nixos/modules/services/networking/znc/default.nix @@ -239,7 +239,7 @@ in services.znc = { configFile = mkDefault (pkgs.writeText "znc-generated.conf" semanticString); config = { - Version = (builtins.parseDrvName pkgs.znc.name).version; + Version = lib.getVersion pkgs.znc; Listener.l.Port = mkDefault 5000; Listener.l.SSL = mkDefault true; }; @@ -287,20 +287,22 @@ in ''; }; - users.users = optional (cfg.user == defaultUser) - { name = defaultUser; - description = "ZNC server daemon owner"; - group = defaultUser; - uid = config.ids.uids.znc; - home = cfg.dataDir; - createHome = true; + users.users = optionalAttrs (cfg.user == defaultUser) { + ${defaultUser} = + { description = "ZNC server daemon owner"; + group = defaultUser; + uid = config.ids.uids.znc; + home = cfg.dataDir; + createHome = true; + }; }; - users.groups = optional (cfg.user == defaultUser) - { name = defaultUser; - gid = config.ids.gids.znc; - members = [ defaultUser ]; - }; + users.groups = optionalAttrs (cfg.user == defaultUser) { + ${defaultUser} = + { gid = config.ids.gids.znc; + members = [ defaultUser ]; + }; + }; }; } diff --git a/nixpkgs/nixos/modules/services/printing/cupsd.nix b/nixpkgs/nixos/modules/services/printing/cupsd.nix index 3fcae611dc79..59306d625e6b 100644 --- a/nixpkgs/nixos/modules/services/printing/cupsd.nix +++ b/nixpkgs/nixos/modules/services/printing/cupsd.nix @@ -31,7 +31,7 @@ let # part of CUPS itself, e.g. the SMB backend is part of Samba. Since # we can't update ${cups.out}/lib/cups itself, we create a symlink tree # here and add the additional programs. The ServerBin directive in - # cupsd.conf tells cupsd to use this tree. + # cups-files.conf tells cupsd to use this tree. bindir = pkgs.buildEnv { name = "cups-progs"; paths = @@ -112,6 +112,15 @@ in { + imports = [ + (mkChangedOptionModule [ "services" "printing" "gutenprint" ] [ "services" "printing" "drivers" ] + (config: + let enabled = getAttrFromPath [ "services" "printing" "gutenprint" ] config; + in if enabled then [ pkgs.gutenprint ] else [ ])) + (mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ] "") + (mkRemovedOptionModule [ "services" "printing" "cupsdConf" ] "") + ]; + ###### interface options = { @@ -279,9 +288,8 @@ in config = mkIf config.services.printing.enable { - users.users = singleton - { name = "cups"; - uid = config.ids.uids.cups; + users.users.cups = + { uid = config.ids.uids.cups; group = "lp"; description = "CUPS printing services"; }; diff --git a/nixpkgs/nixos/modules/services/scheduling/atd.nix b/nixpkgs/nixos/modules/services/scheduling/atd.nix index a32907647a0d..93ed9231d3c5 100644 --- a/nixpkgs/nixos/modules/services/scheduling/atd.nix +++ b/nixpkgs/nixos/modules/services/scheduling/atd.nix @@ -57,17 +57,13 @@ in security.pam.services.atd = {}; - users.users = singleton - { name = "atd"; - uid = config.ids.uids.atd; + users.users.atd = + { uid = config.ids.uids.atd; description = "atd user"; home = "/var/empty"; }; - users.groups = singleton - { name = "atd"; - gid = config.ids.gids.atd; - }; + users.groups.atd.gid = config.ids.gids.atd; systemd.services.atd = { description = "Job Execution Daemon (atd)"; diff --git a/nixpkgs/nixos/modules/services/scheduling/fcron.nix b/nixpkgs/nixos/modules/services/scheduling/fcron.nix index e43ca014e148..42bed21bf25b 100644 --- a/nixpkgs/nixos/modules/services/scheduling/fcron.nix +++ b/nixpkgs/nixos/modules/services/scheduling/fcron.nix @@ -86,7 +86,8 @@ in services.fcron.systab = systemCronJobs; - environment.etc = + environment.etc = listToAttrs + (map (x: { name = x.target; value = x; }) [ (allowdeny "allow" (cfg.allow)) (allowdeny "deny" cfg.deny) # see man 5 fcron.conf @@ -112,7 +113,7 @@ in gid = config.ids.gids.fcron; mode = "0644"; } - ]; + ]); environment.systemPackages = [ pkgs.fcron ]; users.users.fcron = { diff --git a/nixpkgs/nixos/modules/services/scheduling/marathon.nix b/nixpkgs/nixos/modules/services/scheduling/marathon.nix index 0961a67770e1..2e0d20c64b23 100644 --- a/nixpkgs/nixos/modules/services/scheduling/marathon.nix +++ b/nixpkgs/nixos/modules/services/scheduling/marathon.nix @@ -93,6 +93,6 @@ in { }; }; - users.users.${cfg.user} = { }; + users.users.${cfg.user}.isSystemUser = true; }; } diff --git a/nixpkgs/nixos/modules/services/search/hound.nix b/nixpkgs/nixos/modules/services/search/hound.nix index 6740928db9a7..7a44489efe61 100644 --- a/nixpkgs/nixos/modules/services/search/hound.nix +++ b/nixpkgs/nixos/modules/services/search/hound.nix @@ -88,19 +88,19 @@ in { }; config = mkIf cfg.enable { - users.groups = optional (cfg.group == "hound") { - name = "hound"; - gid = config.ids.gids.hound; + users.groups = optionalAttrs (cfg.group == "hound") { + hound.gid = config.ids.gids.hound; }; - users.users = optional (cfg.user == "hound") { - name = "hound"; - description = "hound code search"; - createHome = true; - home = cfg.home; - group = cfg.group; - extraGroups = cfg.extraGroups; - uid = config.ids.uids.hound; + users.users = optionalAttrs (cfg.user == "hound") { + hound = { + description = "hound code search"; + createHome = true; + home = cfg.home; + group = cfg.group; + extraGroups = cfg.extraGroups; + uid = config.ids.uids.hound; + }; }; systemd.services.hound = { diff --git a/nixpkgs/nixos/modules/services/search/kibana.nix b/nixpkgs/nixos/modules/services/search/kibana.nix index 43a63aa8fdc2..2beb265ee5d1 100644 --- a/nixpkgs/nixos/modules/services/search/kibana.nix +++ b/nixpkgs/nixos/modules/services/search/kibana.nix @@ -198,8 +198,7 @@ in { environment.systemPackages = [ cfg.package ]; - users.users = singleton { - name = "kibana"; + users.users.kibana = { uid = config.ids.uids.kibana; description = "Kibana service user"; home = cfg.dataDir; diff --git a/nixpkgs/nixos/modules/services/search/solr.nix b/nixpkgs/nixos/modules/services/search/solr.nix index 5ef7d9893a49..b2176225493e 100644 --- a/nixpkgs/nixos/modules/services/search/solr.nix +++ b/nixpkgs/nixos/modules/services/search/solr.nix @@ -100,18 +100,18 @@ in }; }; - users.users = optionalAttrs (cfg.user == "solr") (singleton - { name = "solr"; + users.users = optionalAttrs (cfg.user == "solr") { + solr = { group = cfg.group; home = cfg.stateDir; createHome = true; uid = config.ids.uids.solr; - }); + }; + }; - users.groups = optionalAttrs (cfg.group == "solr") (singleton - { name = "solr"; - gid = config.ids.gids.solr; - }); + users.groups = optionalAttrs (cfg.group == "solr") { + solr.gid = config.ids.gids.solr; + }; }; diff --git a/nixpkgs/nixos/modules/services/security/bitwarden_rs/default.nix b/nixpkgs/nixos/modules/services/security/bitwarden_rs/default.nix index 80fd65891ff8..d1817db07555 100644 --- a/nixpkgs/nixos/modules/services/security/bitwarden_rs/default.nix +++ b/nixpkgs/nixos/modules/services/security/bitwarden_rs/default.nix @@ -74,7 +74,10 @@ in { webVaultEnabled = mkDefault true; }; - users.users.bitwarden_rs = { inherit group; }; + users.users.bitwarden_rs = { + inherit group; + isSystemUser = true; + }; users.groups.bitwarden_rs = { }; systemd.services.bitwarden_rs = { diff --git a/nixpkgs/nixos/modules/services/security/clamav.nix b/nixpkgs/nixos/modules/services/security/clamav.nix index 04b433f8f2bf..aaf6fb0479ba 100644 --- a/nixpkgs/nixos/modules/services/security/clamav.nix +++ b/nixpkgs/nixos/modules/services/security/clamav.nix @@ -30,6 +30,10 @@ let ''; in { + imports = [ + (mkRenamedOptionModule [ "services" "clamav" "updater" "config" ] [ "services" "clamav" "updater" "extraConfig" ]) + ]; + options = { services.clamav = { daemon = { @@ -79,18 +83,15 @@ in config = mkIf (cfg.updater.enable || cfg.daemon.enable) { environment.systemPackages = [ pkg ]; - users.users = singleton { - name = clamavUser; + users.users.${clamavUser} = { uid = config.ids.uids.clamav; group = clamavGroup; description = "ClamAV daemon user"; home = stateDir; }; - users.groups = singleton { - name = clamavGroup; - gid = config.ids.gids.clamav; - }; + users.groups.${clamavGroup} = + { gid = config.ids.gids.clamav; }; environment.etc."clamav/freshclam.conf".source = freshclamConfigFile; environment.etc."clamav/clamd.conf".source = clamdConfigFile; diff --git a/nixpkgs/nixos/modules/services/security/fprintd.nix b/nixpkgs/nixos/modules/services/security/fprintd.nix index 5662ebc61d20..8ece1ca19013 100644 --- a/nixpkgs/nixos/modules/services/security/fprintd.nix +++ b/nixpkgs/nixos/modules/services/security/fprintd.nix @@ -50,13 +50,6 @@ in systemd.packages = [ cfg.package ]; - - # The upstream unit does not use StateDirectory, and will - # fail if the directory it needs is not present. Should be - # fixed when https://gitlab.freedesktop.org/libfprint/fprintd/merge_requests/5 - # is merged. - systemd.services.fprintd.serviceConfig.StateDirectory = "fprint"; - }; } diff --git a/nixpkgs/nixos/modules/services/security/fprot.nix b/nixpkgs/nixos/modules/services/security/fprot.nix index 474490391463..f203f2abc033 100644 --- a/nixpkgs/nixos/modules/services/security/fprot.nix +++ b/nixpkgs/nixos/modules/services/security/fprot.nix @@ -48,22 +48,18 @@ in { services.fprot.updater.licenseKeyfile = mkDefault "${pkgs.fprot}/opt/f-prot/license.key"; environment.systemPackages = [ pkgs.fprot ]; - environment.etc = singleton { + environment.etc."f-prot.conf" = { source = "${pkgs.fprot}/opt/f-prot/f-prot.conf"; - target = "f-prot.conf"; }; - users.users = singleton - { name = fprotUser; - uid = config.ids.uids.fprot; + users.users.${fprotUser} = + { uid = config.ids.uids.fprot; description = "F-Prot daemon user"; home = stateDir; }; - users.groups = singleton - { name = fprotGroup; - gid = config.ids.gids.fprot; - }; + users.groups.${fprotGroup} = + { gid = config.ids.gids.fprot; }; services.cron.systemCronJobs = [ "*/${toString cfg.updater.frequency} * * * * root start fprot-updater" ]; diff --git a/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix b/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix index bb03f7fc9e43..2abb9ec32aca 100644 --- a/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix +++ b/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix @@ -546,6 +546,7 @@ in users.users.oauth2_proxy = { description = "OAuth2 Proxy"; + isSystemUser = true; }; systemd.services.oauth2_proxy = { diff --git a/nixpkgs/nixos/modules/services/security/tor.nix b/nixpkgs/nixos/modules/services/security/tor.nix index ed862387cce1..18c105b2f576 100644 --- a/nixpkgs/nixos/modules/services/security/tor.nix +++ b/nixpkgs/nixos/modules/services/security/tor.nix @@ -106,6 +106,12 @@ let in { + imports = [ + (mkRenamedOptionModule [ "services" "tor" "relay" "portSpec" ] [ "services" "tor" "relay" "port" ]) + (mkRemovedOptionModule [ "services" "tor" "relay" "isBridge" ] "Use services.tor.relay.role instead.") + (mkRemovedOptionModule [ "services" "tor" "relay" "isExit" ] "Use services.tor.relay.role instead.") + ]; + options = { services.tor = { enable = mkOption { diff --git a/nixpkgs/nixos/modules/services/security/torify.nix b/nixpkgs/nixos/modules/services/security/torify.nix index 08da726437ea..39551190dd33 100644 --- a/nixpkgs/nixos/modules/services/security/torify.nix +++ b/nixpkgs/nixos/modules/services/security/torify.nix @@ -25,6 +25,7 @@ in services.tor.tsocks = { enable = mkOption { + type = types.bool; default = false; description = '' Whether to build tsocks wrapper script to relay application traffic via Tor. @@ -40,6 +41,7 @@ in }; server = mkOption { + type = types.str; default = "localhost:9050"; example = "192.168.0.20"; description = '' @@ -48,6 +50,7 @@ in }; config = mkOption { + type = types.lines; default = ""; description = '' Extra configuration. Contents will be added verbatim to TSocks diff --git a/nixpkgs/nixos/modules/services/security/torsocks.nix b/nixpkgs/nixos/modules/services/security/torsocks.nix index c60c745443bc..47ac95c4626e 100644 --- a/nixpkgs/nixos/modules/services/security/torsocks.nix +++ b/nixpkgs/nixos/modules/services/security/torsocks.nix @@ -112,10 +112,9 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.torsocks (wrapTorsocks "torsocks-faster" cfg.fasterServer) ]; - environment.etc = - [ { source = pkgs.writeText "torsocks.conf" (configFile cfg.server); - target = "tor/torsocks.conf"; - } - ]; + environment.etc."tor/torsocks.conf" = + { + source = pkgs.writeText "torsocks.conf" (configFile cfg.server); + }; }; } diff --git a/nixpkgs/nixos/modules/services/security/vault.nix b/nixpkgs/nixos/modules/services/security/vault.nix index d5962ba9af90..b0ab8fadcbec 100644 --- a/nixpkgs/nixos/modules/services/security/vault.nix +++ b/nixpkgs/nixos/modules/services/security/vault.nix @@ -119,9 +119,8 @@ in }; users.groups.vault.gid = config.ids.gids.vault; - systemd.tmpfiles.rules = optional (cfg.storagePath != null) [ - "d '${cfg.storagePath}' 0700 vault vault - -" - ]; + systemd.tmpfiles.rules = optional (cfg.storagePath != null) + "d '${cfg.storagePath}' 0700 vault vault - -"; systemd.services.vault = { description = "Vault server daemon"; diff --git a/nixpkgs/nixos/modules/services/system/dbus.nix b/nixpkgs/nixos/modules/services/system/dbus.nix index 936646a5fd78..4a60fec1ca80 100644 --- a/nixpkgs/nixos/modules/services/system/dbus.nix +++ b/nixpkgs/nixos/modules/services/system/dbus.nix @@ -68,10 +68,7 @@ in environment.systemPackages = [ pkgs.dbus.daemon pkgs.dbus ]; - environment.etc = singleton - { source = configDir; - target = "dbus-1"; - }; + environment.etc."dbus-1".source = configDir; users.users.messagebus = { uid = config.ids.uids.messagebus; diff --git a/nixpkgs/nixos/modules/services/system/localtime.nix b/nixpkgs/nixos/modules/services/system/localtime.nix index c3c0b432b494..74925c5e2c47 100644 --- a/nixpkgs/nixos/modules/services/system/localtime.nix +++ b/nixpkgs/nixos/modules/services/system/localtime.nix @@ -35,6 +35,10 @@ in { # Install the systemd unit. systemd.packages = [ pkgs.localtime.out ]; + users.users.localtimed = { + description = "Taskserver user"; + }; + systemd.services.localtime = { wantedBy = [ "multi-user.target" ]; serviceConfig.Restart = "on-failure"; diff --git a/nixpkgs/nixos/modules/services/torrent/magnetico.nix b/nixpkgs/nixos/modules/services/torrent/magnetico.nix index 02fa2ac0750a..7465c10e002c 100644 --- a/nixpkgs/nixos/modules/services/torrent/magnetico.nix +++ b/nixpkgs/nixos/modules/services/torrent/magnetico.nix @@ -35,6 +35,7 @@ let (if (cfg.web.credentialsFile != null || cfg.web.credentials != { }) then "--credentials=${toString credFile}" else "--no-auth") + "--addr=${address}:${toString port}" ] ++ extraOptions); in { @@ -171,12 +172,13 @@ in { users.users.magnetico = { description = "Magnetico daemons user"; + isSystemUser = true; }; systemd.services.magneticod = { description = "Magnetico DHT crawler"; wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target" ]; + after = [ "network.target" ]; serviceConfig = { User = "magnetico"; @@ -188,7 +190,7 @@ in { systemd.services.magneticow = { description = "Magnetico web interface"; wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target" "magneticod.service"]; + after = [ "network.target" "magneticod.service"]; serviceConfig = { User = "magnetico"; @@ -201,7 +203,7 @@ in { assertions = [ { - assertion = cfg.web.credentialsFile != null || cfg.web.credentials != { }; + assertion = cfg.web.credentialsFile == null || cfg.web.credentials == { }; message = '' The options services.magnetico.web.credentialsFile and services.magnetico.web.credentials are mutually exclusives. @@ -211,4 +213,6 @@ in { }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/torrent/transmission.nix b/nixpkgs/nixos/modules/services/torrent/transmission.nix index 7409eb8cdcbe..aa1acdf7d20b 100644 --- a/nixpkgs/nixos/modules/services/torrent/transmission.nix +++ b/nixpkgs/nixos/modules/services/torrent/transmission.nix @@ -7,6 +7,7 @@ let apparmor = config.security.apparmor.enable; homeDir = cfg.home; + downloadDirPermissions = cfg.downloadDirPermissions; downloadDir = "${homeDir}/Downloads"; incompleteDir = "${homeDir}/.incomplete"; @@ -16,16 +17,14 @@ let # for users in group "transmission" to have access to torrents fullSettings = { umask = 2; download-dir = downloadDir; incomplete-dir = incompleteDir; } // cfg.settings; - # Directories transmission expects to exist and be ug+rwx. - directoriesToManage = [ homeDir settingsDir fullSettings.download-dir fullSettings.incomplete-dir ]; - preStart = pkgs.writeScript "transmission-pre-start" '' #!${pkgs.runtimeShell} set -ex - for DIR in ${escapeShellArgs directoriesToManage}; do + for DIR in "${homeDir}" "${settingsDir}" "${fullSettings.download-dir}" "${fullSettings.incomplete-dir}"; do mkdir -p "$DIR" - chmod 770 "$DIR" done + chmod 700 "${homeDir}" "${settingsDir}" + chmod ${downloadDirPermissions} "${fullSettings.download-dir}" "${fullSettings.incomplete-dir}" cp -f ${settingsFile} ${settingsDir}/settings.json ''; in @@ -71,6 +70,16 @@ in ''; }; + downloadDirPermissions = mkOption { + type = types.str; + default = "770"; + example = "775"; + description = '' + The permissions to set for download-dir and incomplete-dir. + They will be applied on every service start. + ''; + }; + port = mkOption { type = types.int; default = 9091; @@ -109,7 +118,7 @@ in # 1) Only the "transmission" user and group have access to torrents. # 2) Optionally update/force specific fields into the configuration file. serviceConfig.ExecStartPre = preStart; - serviceConfig.ExecStart = "${pkgs.transmission}/bin/transmission-daemon -f --port ${toString config.services.transmission.port}"; + serviceConfig.ExecStart = "${pkgs.transmission}/bin/transmission-daemon -f --port ${toString config.services.transmission.port} --config-dir ${settingsDir}"; serviceConfig.ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; serviceConfig.User = cfg.user; serviceConfig.Group = cfg.group; diff --git a/nixpkgs/nixos/modules/services/ttys/agetty.nix b/nixpkgs/nixos/modules/services/ttys/agetty.nix index 47eb3ab8206a..996925134524 100644 --- a/nixpkgs/nixos/modules/services/ttys/agetty.nix +++ b/nixpkgs/nixos/modules/services/ttys/agetty.nix @@ -124,7 +124,7 @@ in enable = mkDefault config.boot.isContainer; }; - environment.etc = singleton + environment.etc.issue = { # Friendly greeting on the virtual consoles. source = pkgs.writeText "issue" '' @@ -132,7 +132,6 @@ in ${config.services.mingetty.helpLine} ''; - target = "issue"; }; }; diff --git a/nixpkgs/nixos/modules/services/web-apps/codimd.nix b/nixpkgs/nixos/modules/services/web-apps/codimd.nix index 7ae7cd9c52d8..5f56f8ed5a09 100644 --- a/nixpkgs/nixos/modules/services/web-apps/codimd.nix +++ b/nixpkgs/nixos/modules/services/web-apps/codimd.nix @@ -893,6 +893,7 @@ in extraGroups = cfg.groups; home = cfg.workDir; createHome = true; + isSystemUser = true; }; systemd.services.codimd = { diff --git a/nixpkgs/nixos/modules/services/web-apps/documize.nix b/nixpkgs/nixos/modules/services/web-apps/documize.nix index 37359869cb64..1b90299aa23c 100644 --- a/nixpkgs/nixos/modules/services/web-apps/documize.nix +++ b/nixpkgs/nixos/modules/services/web-apps/documize.nix @@ -14,6 +14,15 @@ in { options.services.documize = { enable = mkEnableOption "Documize Wiki"; + stateDirectoryName = mkOption { + type = types.str; + default = "documize"; + description = '' + The name of the directory below <filename>/var/lib/private</filename> + where documize runs in and stores, for example, backups. + ''; + }; + package = mkOption { type = types.package; default = pkgs.documize-community; @@ -132,6 +141,8 @@ in { ]; Restart = "always"; DynamicUser = "yes"; + StateDirectory = cfg.stateDirectoryName; + WorkingDirectory = "/var/lib/${cfg.stateDirectoryName}"; }; }; }; diff --git a/nixpkgs/nixos/modules/services/web-apps/frab.nix b/nixpkgs/nixos/modules/services/web-apps/frab.nix index 7914e5cc0ee1..1b5890d6b0c7 100644 --- a/nixpkgs/nixos/modules/services/web-apps/frab.nix +++ b/nixpkgs/nixos/modules/services/web-apps/frab.nix @@ -173,14 +173,13 @@ in config = mkIf cfg.enable { environment.systemPackages = [ frab-rake ]; - users.users = [ - { name = cfg.user; - group = cfg.group; + users.users.${cfg.user} = + { group = cfg.group; home = "${cfg.statePath}"; - } - ]; + isSystemUser = true; + }; - users.groups = [ { name = cfg.group; } ]; + users.groups.${cfg.group} = { }; systemd.tmpfiles.rules = [ "d '${cfg.statePath}/system/attachments' - ${cfg.user} ${cfg.group} - -" diff --git a/nixpkgs/nixos/modules/services/web-apps/gotify-server.nix b/nixpkgs/nixos/modules/services/web-apps/gotify-server.nix new file mode 100644 index 000000000000..03e01f46a944 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-apps/gotify-server.nix @@ -0,0 +1,49 @@ +{ pkgs, lib, config, ... }: + +with lib; + +let + cfg = config.services.gotify; +in { + options = { + services.gotify = { + enable = mkEnableOption "Gotify webserver"; + + port = mkOption { + type = types.port; + description = '' + Port the server listens to. + ''; + }; + + stateDirectoryName = mkOption { + type = types.str; + default = "gotify-server"; + description = '' + The name of the directory below <filename>/var/lib</filename> where + gotify stores its runtime data. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.gotify-server = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + description = "Simple server for sending and receiving messages"; + + environment = { + GOTIFY_SERVER_PORT = toString cfg.port; + }; + + serviceConfig = { + WorkingDirectory = "/var/lib/${cfg.stateDirectoryName}"; + StateDirectory = cfg.stateDirectoryName; + Restart = "always"; + DynamicUser = "yes"; + ExecStart = "${pkgs.gotify-server}/bin/server"; + }; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-apps/ihatemoney/default.nix b/nixpkgs/nixos/modules/services/web-apps/ihatemoney/default.nix new file mode 100644 index 000000000000..68769ac8c031 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-apps/ihatemoney/default.nix @@ -0,0 +1,141 @@ +{ config, pkgs, lib, ... }: +with lib; +let + cfg = config.services.ihatemoney; + user = "ihatemoney"; + group = "ihatemoney"; + db = "ihatemoney"; + python3 = config.services.uwsgi.package.python3; + pkg = python3.pkgs.ihatemoney; + toBool = x: if x then "True" else "False"; + configFile = pkgs.writeText "ihatemoney.cfg" '' + from secrets import token_hex + # load a persistent secret key + SECRET_KEY_FILE = "/var/lib/ihatemoney/secret_key" + SECRET_KEY = "" + try: + with open(SECRET_KEY_FILE) as f: + SECRET_KEY = f.read() + except FileNotFoundError: + pass + if not SECRET_KEY: + print("ihatemoney: generating a new secret key") + SECRET_KEY = token_hex(50) + with open(SECRET_KEY_FILE, "w") as f: + f.write(SECRET_KEY) + del token_hex + del SECRET_KEY_FILE + + # "normal" configuration + DEBUG = False + SQLALCHEMY_DATABASE_URI = '${ + if cfg.backend == "sqlite" + then "sqlite:////var/lib/ihatemoney/ihatemoney.sqlite" + else "postgresql:///${db}"}' + SQLALCHEMY_TRACK_MODIFICATIONS = False + MAIL_DEFAULT_SENDER = ("${cfg.defaultSender.name}", "${cfg.defaultSender.email}") + ACTIVATE_DEMO_PROJECT = ${toBool cfg.enableDemoProject} + ADMIN_PASSWORD = "${toString cfg.adminHashedPassword /*toString null == ""*/}" + ALLOW_PUBLIC_PROJECT_CREATION = ${toBool cfg.enablePublicProjectCreation} + ACTIVATE_ADMIN_DASHBOARD = ${toBool cfg.enableAdminDashboard} + + ${cfg.extraConfig} + ''; +in + { + options.services.ihatemoney = { + enable = mkEnableOption "ihatemoney webapp. Note that this will set uwsgi to emperor mode running as root"; + backend = mkOption { + type = types.enum [ "sqlite" "postgresql" ]; + default = "sqlite"; + description = '' + The database engine to use for ihatemoney. + If <literal>postgresql</literal> is selected, then a database called + <literal>${db}</literal> will be created. If you disable this option, + it will however not be removed. + ''; + }; + adminHashedPassword = mkOption { + type = types.nullOr types.str; + default = null; + description = "The hashed password of the administrator. To obtain it, run <literal>ihatemoney generate_password_hash</literal>"; + }; + uwsgiConfig = mkOption { + type = types.attrs; + example = { + http = ":8000"; + }; + description = "Additionnal configuration of the UWSGI vassal running ihatemoney. It should notably specify on which interfaces and ports the vassal should listen."; + }; + defaultSender = { + name = mkOption { + type = types.str; + default = "Budget manager"; + description = "The display name of the sender of ihatemoney emails"; + }; + email = mkOption { + type = types.str; + default = "ihatemoney@${config.networking.hostName}"; + description = "The email of the sender of ihatemoney emails"; + }; + }; + enableDemoProject = mkEnableOption "access to the demo project in ihatemoney"; + enablePublicProjectCreation = mkEnableOption "permission to create projects in ihatemoney by anyone"; + enableAdminDashboard = mkEnableOption "ihatemoney admin dashboard"; + extraConfig = mkOption { + type = types.str; + default = ""; + description = "Extra configuration appended to ihatemoney's configuration file. It is a python file, so pay attention to indentation."; + }; + }; + config = mkIf cfg.enable { + services.postgresql = mkIf (cfg.backend == "postgresql") { + enable = true; + ensureDatabases = [ db ]; + ensureUsers = [ { + name = user; + ensurePermissions = { + "DATABASE ${db}" = "ALL PRIVILEGES"; + }; + } ]; + }; + systemd.services.postgresql = mkIf (cfg.backend == "postgresql") { + wantedBy = [ "uwsgi.service" ]; + before = [ "uwsgi.service" ]; + }; + systemd.tmpfiles.rules = [ + "d /var/lib/ihatemoney 770 ${user} ${group}" + ]; + users = { + users.${user} = { + isSystemUser = true; + inherit group; + }; + groups.${group} = {}; + }; + services.uwsgi = { + enable = true; + plugins = [ "python3" ]; + # the vassal needs to be able to setuid + user = "root"; + group = "root"; + instance = { + type = "emperor"; + vassals.ihatemoney = { + type = "normal"; + strict = true; + uid = user; + gid = group; + # apparently flask uses threads: https://github.com/spiral-project/ihatemoney/commit/c7815e48781b6d3a457eaff1808d179402558f8c + enable-threads = true; + module = "wsgi:application"; + chdir = "${pkg}/${pkg.pythonModule.sitePackages}/ihatemoney"; + env = [ "IHATEMONEY_SETTINGS_FILE_PATH=${configFile}" ]; + pythonPackages = self: [ self.ihatemoney ]; + } // cfg.uwsgiConfig; + }; + }; + }; + } + + diff --git a/nixpkgs/nixos/modules/services/web-apps/limesurvey.nix b/nixpkgs/nixos/modules/services/web-apps/limesurvey.nix index 68b57a9b90dd..e00a47191c6f 100644 --- a/nixpkgs/nixos/modules/services/web-apps/limesurvey.nix +++ b/nixpkgs/nixos/modules/services/web-apps/limesurvey.nix @@ -3,7 +3,7 @@ let inherit (lib) mkDefault mkEnableOption mkForce mkIf mkMerge mkOption; - inherit (lib) mapAttrs optional optionalString types; + inherit (lib) literalExample mapAttrs optional optionalString types; cfg = config.services.limesurvey; fpm = config.services.phpfpm.pools.limesurvey; @@ -100,19 +100,15 @@ in }; virtualHost = mkOption { - type = types.submodule ({ - options = import ../web-servers/apache-httpd/per-server-options.nix { - inherit lib; - forMainServer = false; - }; - }); - example = { - hostName = "survey.example.org"; - enableSSL = true; - adminAddr = "webmaster@example.org"; - sslServerCert = "/var/lib/acme/survey.example.org/full.pem"; - sslServerKey = "/var/lib/acme/survey.example.org/key.pem"; - }; + type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix); + example = literalExample '' + { + hostName = "survey.example.org"; + adminAddr = "webmaster@example.org"; + forceSSL = true; + enableACME = true; + } + ''; description = '' Apache configuration can be done by adapting <literal>services.httpd.virtualHosts.<name></literal>. See <xref linkend="opt-services.httpd.virtualHosts"/> for further information. @@ -184,7 +180,7 @@ in config = { tempdir = "${stateDir}/tmp"; uploaddir = "${stateDir}/upload"; - force_ssl = mkIf cfg.virtualHost.enableSSL "on"; + force_ssl = mkIf (cfg.virtualHost.addSSL || cfg.virtualHost.forceSSL || cfg.virtualHost.onlySSL) "on"; config.defaultlang = "en"; }; }; @@ -215,38 +211,36 @@ in enable = true; adminAddr = mkDefault cfg.virtualHost.adminAddr; extraModules = [ "proxy_fcgi" ]; - virtualHosts = [ (mkMerge [ - cfg.virtualHost { - documentRoot = mkForce "${pkg}/share/limesurvey"; - extraConfig = '' - Alias "/tmp" "${stateDir}/tmp" - <Directory "${stateDir}"> - AllowOverride all - Require all granted - Options -Indexes +FollowSymlinks - </Directory> - - Alias "/upload" "${stateDir}/upload" - <Directory "${stateDir}/upload"> - AllowOverride all - Require all granted - Options -Indexes - </Directory> - - <Directory "${pkg}/share/limesurvey"> - <FilesMatch "\.php$"> - <If "-f %{REQUEST_FILENAME}"> - SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" - </If> - </FilesMatch> - - AllowOverride all - Options -Indexes - DirectoryIndex index.php - </Directory> - ''; - } - ]) ]; + virtualHosts.${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost { + documentRoot = mkForce "${pkg}/share/limesurvey"; + extraConfig = '' + Alias "/tmp" "${stateDir}/tmp" + <Directory "${stateDir}"> + AllowOverride all + Require all granted + Options -Indexes +FollowSymlinks + </Directory> + + Alias "/upload" "${stateDir}/upload" + <Directory "${stateDir}/upload"> + AllowOverride all + Require all granted + Options -Indexes + </Directory> + + <Directory "${pkg}/share/limesurvey"> + <FilesMatch "\.php$"> + <If "-f %{REQUEST_FILENAME}"> + SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" + </If> + </FilesMatch> + + AllowOverride all + Options -Indexes + DirectoryIndex index.php + </Directory> + ''; + } ]; }; systemd.tmpfiles.rules = [ @@ -277,7 +271,10 @@ in systemd.services.httpd.after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service"; - users.users.${user}.group = group; + users.users.${user} = { + group = group; + isSystemUser = true; + }; }; } diff --git a/nixpkgs/nixos/modules/services/web-apps/matomo-doc.xml b/nixpkgs/nixos/modules/services/web-apps/matomo-doc.xml index 8485492c51c7..69d1170e4523 100644 --- a/nixpkgs/nixos/modules/services/web-apps/matomo-doc.xml +++ b/nixpkgs/nixos/modules/services/web-apps/matomo-doc.xml @@ -86,12 +86,6 @@ GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'localhost'; <itemizedlist> <listitem> <para> - Matomo's file integrity check will warn you. This is due to the patches - necessary for NixOS, you can safely ignore this. - </para> - </listitem> - <listitem> - <para> Matomo will warn you that the JavaScript tracker is not writable. This is because it's located in the read-only nix store. You can safely ignore this, unless you need a plugin that needs JavaScript tracker access. @@ -105,7 +99,7 @@ GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'localhost'; <para> You can use other web servers by forwarding calls for <filename>index.php</filename> and <filename>piwik.php</filename> to the - <literal>/run/phpfpm-matomo.sock</literal> fastcgi unix socket. You can use + <literal><link linkend="opt-services.phpfpm.pools._name_.socket">services.phpfpm.pools.<name>.socket</link></literal> fastcgi unix socket. You can use the nginx configuration in the module code as a reference to what else should be configured. </para> diff --git a/nixpkgs/nixos/modules/services/web-apps/matomo.nix b/nixpkgs/nixos/modules/services/web-apps/matomo.nix index 1e34aff8d171..75da474dc446 100644 --- a/nixpkgs/nixos/modules/services/web-apps/matomo.nix +++ b/nixpkgs/nixos/modules/services/web-apps/matomo.nix @@ -2,15 +2,13 @@ with lib; let cfg = config.services.matomo; + fpm = config.services.phpfpm.pools.${pool}; user = "matomo"; dataDir = "/var/lib/${user}"; deprecatedDataDir = "/var/lib/piwik"; pool = user; - # it's not possible to use /run/phpfpm/${pool}.sock because /run/phpfpm/ is root:root 0770, - # and therefore is not accessible by the web server. - phpSocket = "/run/phpfpm-${pool}.sock"; phpExecutionUnit = "phpfpm-${pool}"; databaseService = "mysql.service"; @@ -20,6 +18,14 @@ let in join config.networking.hostName config.networking.domain; in { + imports = [ + (mkRenamedOptionModule [ "services" "piwik" "enable" ] [ "services" "matomo" "enable" ]) + (mkRenamedOptionModule [ "services" "piwik" "webServerUser" ] [ "services" "matomo" "webServerUser" ]) + (mkRemovedOptionModule [ "services" "piwik" "phpfpmProcessManagerConfig" ] "Use services.phpfpm.pools.<name>.settings") + (mkRemovedOptionModule [ "services" "matomo" "phpfpmProcessManagerConfig" ] "Use services.phpfpm.pools.<name>.settings") + (mkRenamedOptionModule [ "services" "piwik" "nginx" ] [ "services" "matomo" "nginx" ]) + ]; + options = { services.matomo = { # NixOS PR for database setup: https://github.com/NixOS/nixpkgs/pull/6963 @@ -50,7 +56,7 @@ in { default = null; example = "lighttpd"; description = '' - Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for Matomo if the nginx + Name of the web server user that forwards requests to <option>services.phpfpm.pools.<name>.socket</option> the fastcgi socket for Matomo if the nginx option is not used. Either this option or the nginx option is mandatory. If you want to use another webserver than nginx, you need to set this to that server's user and pass fastcgi requests to `index.php`, `matomo.php` and `piwik.php` (legacy name) to this socket. @@ -71,25 +77,6 @@ in { ''; }; - phpfpmProcessManagerConfig = mkOption { - type = types.str; - default = '' - ; default phpfpm process manager settings - pm = dynamic - pm.max_children = 75 - pm.start_servers = 10 - pm.min_spare_servers = 5 - pm.max_spare_servers = 20 - pm.max_requests = 500 - - ; log worker's stdout, but this has a performance hit - catch_workers_output = yes - ''; - description = '' - Settings for phpfpm's process manager. You might need to change this depending on the load for Matomo. - ''; - }; - nginx = mkOption { type = types.nullOr (types.submodule ( recursiveUpdate @@ -233,15 +220,24 @@ in { else if (cfg.webServerUser != null) then cfg.webServerUser else ""; in { ${pool} = { - listen = phpSocket; - extraConfig = '' - listen.owner = ${socketOwner} - listen.group = root - listen.mode = 0600 - user = ${user} - env[PIWIK_USER_PATH] = ${dataDir} - ${cfg.phpfpmProcessManagerConfig} + inherit user; + phpOptions = '' + error_log = 'stderr' + log_errors = on ''; + settings = mapAttrs (name: mkDefault) { + "listen.owner" = socketOwner; + "listen.group" = "root"; + "listen.mode" = "0660"; + "pm" = "dynamic"; + "pm.max_children" = 75; + "pm.start_servers" = 10; + "pm.min_spare_servers" = 5; + "pm.max_spare_servers" = 20; + "pm.max_requests" = 500; + "catch_workers_output" = true; + }; + phpEnv.PIWIK_USER_PATH = dataDir; }; }; @@ -264,15 +260,15 @@ in { }; # allow index.php for webinterface locations."= /index.php".extraConfig = '' - fastcgi_pass unix:${phpSocket}; + fastcgi_pass unix:${fpm.socket}; ''; # allow matomo.php for tracking locations."= /matomo.php".extraConfig = '' - fastcgi_pass unix:${phpSocket}; + fastcgi_pass unix:${fpm.socket}; ''; # allow piwik.php for tracking (deprecated name) locations."= /piwik.php".extraConfig = '' - fastcgi_pass unix:${phpSocket}; + fastcgi_pass unix:${fpm.socket}; ''; # Any other attempt to access any php files is forbidden locations."~* ^.+\\.php$".extraConfig = '' diff --git a/nixpkgs/nixos/modules/services/web-apps/mattermost.nix b/nixpkgs/nixos/modules/services/web-apps/mattermost.nix index 8c7fc4056adc..41c52b9653bf 100644 --- a/nixpkgs/nixos/modules/services/web-apps/mattermost.nix +++ b/nixpkgs/nixos/modules/services/web-apps/mattermost.nix @@ -146,17 +146,17 @@ in config = mkMerge [ (mkIf cfg.enable { - users.users = optionalAttrs (cfg.user == "mattermost") (singleton { - name = "mattermost"; - group = cfg.group; - uid = config.ids.uids.mattermost; - home = cfg.statePath; - }); - - users.groups = optionalAttrs (cfg.group == "mattermost") (singleton { - name = "mattermost"; - gid = config.ids.gids.mattermost; - }); + users.users = optionalAttrs (cfg.user == "mattermost") { + mattermost = { + group = cfg.group; + uid = config.ids.uids.mattermost; + home = cfg.statePath; + }; + }; + + users.groups = optionalAttrs (cfg.group == "mattermost") { + mattermost.gid = config.ids.gids.mattermost; + }; services.postgresql.enable = cfg.localDatabaseCreate; diff --git a/nixpkgs/nixos/modules/services/web-apps/mediawiki.nix b/nixpkgs/nixos/modules/services/web-apps/mediawiki.nix index ec2568bf952d..8a109b39bb57 100644 --- a/nixpkgs/nixos/modules/services/web-apps/mediawiki.nix +++ b/nixpkgs/nixos/modules/services/web-apps/mediawiki.nix @@ -64,7 +64,7 @@ let $wgScriptPath = ""; ## The protocol and server name to use in fully-qualified URLs - $wgServer = "${if cfg.virtualHost.enableSSL then "https" else "http"}://${cfg.virtualHost.hostName}"; + $wgServer = "${if cfg.virtualHost.addSSL || cfg.virtualHost.forceSSL || cfg.virtualHost.onlySSL then "https" else "http"}://${cfg.virtualHost.hostName}"; ## The URL path to static resources (images, scripts, etc.) $wgResourceBasePath = $wgScriptPath; @@ -290,19 +290,13 @@ in }; virtualHost = mkOption { - type = types.submodule ({ - options = import ../web-servers/apache-httpd/per-server-options.nix { - inherit lib; - forMainServer = false; - }; - }); + type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix); example = literalExample '' { hostName = "mediawiki.example.org"; - enableSSL = true; adminAddr = "webmaster@example.org"; - sslServerCert = "/var/lib/acme/mediawiki.example.org/full.pem"; - sslServerKey = "/var/lib/acme/mediawiki.example.org/key.pem"; + forceSSL = true; + enableACME = true; } ''; description = '' @@ -389,31 +383,28 @@ in services.httpd = { enable = true; - adminAddr = mkDefault cfg.virtualHost.adminAddr; extraModules = [ "proxy_fcgi" ]; - virtualHosts = [ (mkMerge [ - cfg.virtualHost { - documentRoot = mkForce "${pkg}/share/mediawiki"; - extraConfig = '' - <Directory "${pkg}/share/mediawiki"> - <FilesMatch "\.php$"> - <If "-f %{REQUEST_FILENAME}"> - SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" - </If> - </FilesMatch> - - Require all granted - DirectoryIndex index.php - AllowOverride All - </Directory> - '' + optionalString (cfg.uploadsDir != null) '' - Alias "/images" "${cfg.uploadsDir}" - <Directory "${cfg.uploadsDir}"> - Require all granted - </Directory> - ''; - } - ]) ]; + virtualHosts.${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost { + documentRoot = mkForce "${pkg}/share/mediawiki"; + extraConfig = '' + <Directory "${pkg}/share/mediawiki"> + <FilesMatch "\.php$"> + <If "-f %{REQUEST_FILENAME}"> + SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" + </If> + </FilesMatch> + + Require all granted + DirectoryIndex index.php + AllowOverride All + </Directory> + '' + optionalString (cfg.uploadsDir != null) '' + Alias "/images" "${cfg.uploadsDir}" + <Directory "${cfg.uploadsDir}"> + Require all granted + </Directory> + ''; + } ]; }; systemd.tmpfiles.rules = [ @@ -461,7 +452,10 @@ in systemd.services.httpd.after = optional (cfg.database.createLocally && cfg.database.type == "mysql") "mysql.service"; - users.users.${user}.group = group; + users.users.${user} = { + group = group; + isSystemUser = true; + }; environment.systemPackages = [ mediawikiScripts ]; }; diff --git a/nixpkgs/nixos/modules/services/web-apps/moinmoin.nix b/nixpkgs/nixos/modules/services/web-apps/moinmoin.nix new file mode 100644 index 000000000000..0fee64be0bb2 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-apps/moinmoin.nix @@ -0,0 +1,303 @@ +{ config, lib, pkgs, ... }: +with lib; + +let + cfg = config.services.moinmoin; + python = pkgs.python27; + pkg = python.pkgs.moinmoin; + dataDir = "/var/lib/moin"; + usingGunicorn = cfg.webServer == "nginx-gunicorn" || cfg.webServer == "gunicorn"; + usingNginx = cfg.webServer == "nginx-gunicorn"; + user = "moin"; + group = "moin"; + + uLit = s: ''u"${s}"''; + indentLines = n: str: concatMapStrings (line: "${fixedWidthString n " " " "}${line}\n") (splitString "\n" str); + + moinCliWrapper = wikiIdent: pkgs.writeShellScriptBin "moin-${wikiIdent}" '' + ${pkgs.su}/bin/su -s ${pkgs.runtimeShell} -c "${pkg}/bin/moin --config-dir=/var/lib/moin/${wikiIdent}/config $*" ${user} + ''; + + wikiConfig = wikiIdent: w: '' + # -*- coding: utf-8 -*- + + from MoinMoin.config import multiconfig, url_prefix_static + + class Config(multiconfig.DefaultConfig): + ${optionalString (w.webLocation != "/") '' + url_prefix_static = '${w.webLocation}' + url_prefix_static + ''} + + sitename = u'${w.siteName}' + page_front_page = u'${w.frontPage}' + + data_dir = '${dataDir}/${wikiIdent}/data' + data_underlay_dir = '${dataDir}/${wikiIdent}/underlay' + + language_default = u'${w.languageDefault}' + ${optionalString (w.superUsers != []) '' + superuser = [${concatMapStringsSep ", " uLit w.superUsers}] + ''} + + ${indentLines 4 w.extraConfig} + ''; + wikiConfigFile = name: wiki: pkgs.writeText "${name}.py" (wikiConfig name wiki); + +in +{ + options.services.moinmoin = with types; { + enable = mkEnableOption "MoinMoin Wiki Engine"; + + webServer = mkOption { + type = enum [ "nginx-gunicorn" "gunicorn" "none" ]; + default = "nginx-gunicorn"; + example = "none"; + description = '' + Which web server to use to serve the wiki. + Use <literal>none</literal> if you want to configure this yourself. + ''; + }; + + gunicorn.workers = mkOption { + type = ints.positive; + default = 3; + example = 10; + description = '' + The number of worker processes for handling requests. + ''; + }; + + wikis = mkOption { + type = attrsOf (submodule ({ name, ... }: { + options = { + siteName = mkOption { + type = str; + default = "Untitled Wiki"; + example = "ExampleWiki"; + description = '' + Short description of your wiki site, displayed below the logo on each page, and + used in RSS documents as the channel title. + ''; + }; + + webHost = mkOption { + type = str; + description = "Host part of the wiki URL. If undefined, the name of the attribute set will be used."; + example = "wiki.example.org"; + }; + + webLocation = mkOption { + type = str; + default = "/"; + example = "/moin"; + description = "Location part of the wiki URL."; + }; + + frontPage = mkOption { + type = str; + default = "LanguageSetup"; + example = "FrontPage"; + description = '' + Front page name. Set this to something like <literal>FrontPage</literal> once languages are + configured. + ''; + }; + + superUsers = mkOption { + type = listOf str; + default = []; + example = [ "elvis" ]; + description = '' + List of trusted user names with wiki system administration super powers. + + Please note that accounts for these users need to be created using the <command>moin</command> command-line utility, e.g.: + <command>moin-<replaceable>WIKINAME</replaceable> account create --name=<replaceable>NAME</replaceable> --email=<replaceable>EMAIL</replaceable> --password=<replaceable>PASSWORD</replaceable></command>. + ''; + }; + + languageDefault = mkOption { + type = str; + default = "en"; + example = "de"; + description = "The ISO-639-1 name of the main wiki language. Languages that MoinMoin does not support are ignored."; + }; + + extraConfig = mkOption { + type = lines; + default = ""; + example = '' + show_hosts = True + search_results_per_page = 100 + acl_rights_default = u"Known:read,write,delete,revert All:read" + logo_string = u"<h2>\U0001f639</h2>" + theme_default = u"modernized" + + user_checkbox_defaults = {'show_page_trail': 0, 'edit_on_doubleclick': 0} + navi_bar = [u'SomePage'] + multiconfig.DefaultConfig.navi_bar + actions_excluded = multiconfig.DefaultConfig.actions_excluded + ['newaccount'] + + mail_smarthost = "mail.example.org" + mail_from = u"Example.Org Wiki <wiki@example.org>" + ''; + description = '' + Additional configuration to be appended verbatim to this wiki's config. + + See <link xlink:href='http://moinmo.in/HelpOnConfiguration' /> for documentation. + ''; + }; + + }; + config = { + webHost = mkDefault name; + }; + })); + example = literalExample '' + { + "mywiki" = { + siteName = "Example Wiki"; + webHost = "wiki.example.org"; + superUsers = [ "admin" ]; + frontPage = "Index"; + extraConfig = "page_category_regex = ur'(?P<all>(Category|Kategorie)(?P<key>(?!Template)\S+))'" + }; + } + ''; + description = '' + Configurations of the individual wikis. Attribute names must be valid Python + identifiers of the form <literal>[A-Za-z_][A-Za-z0-9_]*</literal>. + + For every attribute <replaceable>WIKINAME</replaceable>, a helper script + moin-<replaceable>WIKINAME</replaceable> is created which runs the + <command>moin</command> command under the <literal>moin</literal> user (to avoid + file ownership issues) and with the right configuration directory passed to it. + ''; + }; + }; + + config = mkIf cfg.enable { + assertions = forEach (attrNames cfg.wikis) (wname: + { assertion = builtins.match "[A-Za-z_][A-Za-z0-9_]*" wname != null; + message = "${wname} is not valid Python identifier"; + } + ); + + users.users = { + moin = { + description = "MoinMoin wiki"; + home = dataDir; + group = group; + isSystemUser = true; + }; + }; + + users.groups = { + moin = { + members = mkIf usingNginx [ config.services.nginx.user ]; + }; + }; + + environment.systemPackages = [ pkg ] ++ map moinCliWrapper (attrNames cfg.wikis); + + systemd.services = mkIf usingGunicorn + (flip mapAttrs' cfg.wikis (wikiIdent: wiki: + nameValuePair "moin-${wikiIdent}" + { + description = "MoinMoin wiki ${wikiIdent} - gunicorn process"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + restartIfChanged = true; + restartTriggers = [ (wikiConfigFile wikiIdent wiki) ]; + + environment = let + penv = python.buildEnv.override { + # setuptools: https://github.com/benoitc/gunicorn/issues/1716 + extraLibs = [ python.pkgs.gevent python.pkgs.setuptools pkg ]; + }; + in { + PYTHONPATH = "${dataDir}/${wikiIdent}/config:${penv}/${python.sitePackages}"; + }; + + preStart = '' + umask 0007 + rm -rf ${dataDir}/${wikiIdent}/underlay + cp -r ${pkg}/share/moin/underlay ${dataDir}/${wikiIdent}/ + chmod -R u+w ${dataDir}/${wikiIdent}/underlay + ''; + + serviceConfig = { + User = user; + Group = group; + WorkingDirectory = "${dataDir}/${wikiIdent}"; + ExecStart = ''${python.pkgs.gunicorn}/bin/gunicorn moin_wsgi \ + --name gunicorn-${wikiIdent} \ + --workers ${toString cfg.gunicorn.workers} \ + --worker-class gevent \ + --bind unix:/run/moin/${wikiIdent}/gunicorn.sock + ''; + + Restart = "on-failure"; + RestartSec = "2s"; + StartLimitIntervalSec = "30s"; + + StateDirectory = "moin/${wikiIdent}"; + StateDirectoryMode = "0750"; + RuntimeDirectory = "moin/${wikiIdent}"; + RuntimeDirectoryMode = "0750"; + + NoNewPrivileges = true; + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateNetwork = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + }; + } + )); + + services.nginx = mkIf usingNginx { + enable = true; + virtualHosts = flip mapAttrs' cfg.wikis (name: w: nameValuePair w.webHost { + forceSSL = mkDefault true; + enableACME = mkDefault true; + locations."${w.webLocation}" = { + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + + proxy_pass http://unix:/run/moin/${name}/gunicorn.sock; + ''; + }; + }); + }; + + systemd.tmpfiles.rules = [ + "d /run/moin 0750 ${user} ${group} - -" + "d ${dataDir} 0550 ${user} ${group} - -" + ] + ++ (concatLists (flip mapAttrsToList cfg.wikis (wikiIdent: wiki: [ + "d ${dataDir}/${wikiIdent} 0750 ${user} ${group} - -" + "d ${dataDir}/${wikiIdent}/config 0550 ${user} ${group} - -" + "L+ ${dataDir}/${wikiIdent}/config/wikiconfig.py - - - - ${wikiConfigFile wikiIdent wiki}" + # needed in order to pass module name to gunicorn + "L+ ${dataDir}/${wikiIdent}/config/moin_wsgi.py - - - - ${pkg}/share/moin/server/moin.wsgi" + # seed data files + "C ${dataDir}/${wikiIdent}/data 0770 ${user} ${group} - ${pkg}/share/moin/data" + # fix nix store permissions + "Z ${dataDir}/${wikiIdent}/data 0770 ${user} ${group} - -" + ]))); + }; + + meta.maintainers = with lib.maintainers; [ b42 ]; +} diff --git a/nixpkgs/nixos/modules/services/web-apps/moodle.nix b/nixpkgs/nixos/modules/services/web-apps/moodle.nix index 211bc17ee192..595d070d940a 100644 --- a/nixpkgs/nixos/modules/services/web-apps/moodle.nix +++ b/nixpkgs/nixos/modules/services/web-apps/moodle.nix @@ -32,7 +32,7 @@ let 'dbcollation' => 'utf8mb4_unicode_ci', ); - $CFG->wwwroot = '${if cfg.virtualHost.enableSSL then "https" else "http"}://${cfg.virtualHost.hostName}'; + $CFG->wwwroot = '${if cfg.virtualHost.addSSL || cfg.virtualHost.forceSSL || cfg.virtualHost.onlySSL then "https" else "http"}://${cfg.virtualHost.hostName}'; $CFG->dataroot = '${stateDir}'; $CFG->admin = 'admin'; @@ -140,19 +140,15 @@ in }; virtualHost = mkOption { - type = types.submodule ({ - options = import ../web-servers/apache-httpd/per-server-options.nix { - inherit lib; - forMainServer = false; - }; - }); - example = { - hostName = "moodle.example.org"; - enableSSL = true; - adminAddr = "webmaster@example.org"; - sslServerCert = "/var/lib/acme/moodle.example.org/full.pem"; - sslServerKey = "/var/lib/acme/moodle.example.org/key.pem"; - }; + type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix); + example = literalExample '' + { + hostName = "moodle.example.org"; + adminAddr = "webmaster@example.org"; + forceSSL = true; + enableACME = true; + } + ''; description = '' Apache configuration can be done by adapting <option>services.httpd.virtualHosts</option>. See <xref linkend="opt-services.httpd.virtualHosts"/> for further information. @@ -241,22 +237,20 @@ in enable = true; adminAddr = mkDefault cfg.virtualHost.adminAddr; extraModules = [ "proxy_fcgi" ]; - virtualHosts = [ (mkMerge [ - cfg.virtualHost { - documentRoot = mkForce "${cfg.package}/share/moodle"; - extraConfig = '' - <Directory "${cfg.package}/share/moodle"> - <FilesMatch "\.php$"> - <If "-f %{REQUEST_FILENAME}"> - SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" - </If> - </FilesMatch> - Options -Indexes - DirectoryIndex index.php - </Directory> - ''; - } - ]) ]; + virtualHosts.${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost { + documentRoot = mkForce "${cfg.package}/share/moodle"; + extraConfig = '' + <Directory "${cfg.package}/share/moodle"> + <FilesMatch "\.php$"> + <If "-f %{REQUEST_FILENAME}"> + SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" + </If> + </FilesMatch> + Options -Indexes + DirectoryIndex index.php + </Directory> + ''; + } ]; }; systemd.tmpfiles.rules = [ @@ -309,7 +303,9 @@ in systemd.services.httpd.after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service"; - users.users.${user}.group = group; - + users.users.${user} = { + group = group; + isSystemUser = true; + }; }; } diff --git a/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix b/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix index db5dc915c89f..f1dabadc119a 100644 --- a/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix @@ -31,8 +31,12 @@ let occ = pkgs.writeScriptBin "nextcloud-occ" '' #! ${pkgs.stdenv.shell} cd ${pkgs.nextcloud} - exec /run/wrappers/bin/sudo -u nextcloud \ - NEXTCLOUD_CONFIG_DIR="${cfg.home}/config" \ + sudo=exec + if [[ "$USER" != nextcloud ]]; then + sudo='exec /run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR' + fi + export NEXTCLOUD_CONFIG_DIR="${cfg.home}/config" + $sudo \ ${phpPackage}/bin/php \ -c ${pkgs.writeText "php.ini" phpOptionsStr}\ occ $* @@ -58,7 +62,7 @@ in { https = mkOption { type = types.bool; default = false; - description = "Enable if there is a TLS terminating proxy in front of nextcloud."; + description = "Use https for generated links."; }; maxUploadSize = mkOption { @@ -390,6 +394,7 @@ in { in { wantedBy = [ "multi-user.target" ]; before = [ "phpfpm-nextcloud.service" ]; + path = [ occ ]; script = '' chmod og+x ${cfg.home} ln -sf ${pkgs.nextcloud}/apps ${cfg.home}/ @@ -419,6 +424,7 @@ in { nextcloud-update-plugins = mkIf cfg.autoUpdateApps.enable { serviceConfig.Type = "oneshot"; serviceConfig.ExecStart = "${occ}/bin/nextcloud-occ app:update --all"; + serviceConfig.User = "nextcloud"; startAt = cfg.autoUpdateApps.startAt; }; }; @@ -467,7 +473,7 @@ in { }; "/" = { priority = 200; - extraConfig = "rewrite ^ /index.php$request_uri;"; + extraConfig = "rewrite ^ /index.php;"; }; "~ ^/store-apps" = { priority = 201; @@ -494,6 +500,7 @@ in { extraConfig = '' include ${config.services.nginx.package}/conf/fastcgi.conf; fastcgi_split_path_info ^(.+\.php)(\\/.*)$; + try_files $fastcgi_script_name =404; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param HTTPS ${if cfg.https then "on" else "off"}; fastcgi_param modHeadersAvailable true; @@ -531,6 +538,7 @@ in { add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; add_header Referrer-Policy no-referrer; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; error_page 403 /core/templates/403.php; error_page 404 /core/templates/404.php; client_max_body_size ${cfg.maxUploadSize}; diff --git a/nixpkgs/nixos/modules/services/web-apps/nexus.nix b/nixpkgs/nixos/modules/services/web-apps/nexus.nix index 3af97e146d0a..d4d507362c97 100644 --- a/nixpkgs/nixos/modules/services/web-apps/nexus.nix +++ b/nixpkgs/nixos/modules/services/web-apps/nexus.nix @@ -68,6 +68,7 @@ in -Dkaraf.data=${cfg.home}/nexus3 -Djava.io.tmpdir=${cfg.home}/nexus3/tmp -Dkaraf.startLocalConsole=false + -Djava.endorsed.dirs=${cfg.package}/lib/endorsed ''; description = '' diff --git a/nixpkgs/nixos/modules/services/web-apps/restya-board.nix b/nixpkgs/nixos/modules/services/web-apps/restya-board.nix index 2c2f36ac598a..9d0a3f65253e 100644 --- a/nixpkgs/nixos/modules/services/web-apps/restya-board.nix +++ b/nixpkgs/nixos/modules/services/web-apps/restya-board.nix @@ -116,7 +116,7 @@ in }; passwordFile = mkOption { - type = types.nullOr types.str; + type = types.nullOr types.path; default = null; description = '' The database user's password. 'null' if no password is set. @@ -285,7 +285,7 @@ in sed -i "s/^.*'R_DB_PASSWORD'.*$/define('R_DB_PASSWORD', 'restya');/g" "${runDir}/server/php/config.inc.php" '' else '' sed -i "s/^.*'R_DB_HOST'.*$/define('R_DB_HOST', '${cfg.database.host}');/g" "${runDir}/server/php/config.inc.php" - sed -i "s/^.*'R_DB_PASSWORD'.*$/define('R_DB_PASSWORD', '$(<${cfg.database.dbPassFile})');/g" "${runDir}/server/php/config.inc.php" + sed -i "s/^.*'R_DB_PASSWORD'.*$/define('R_DB_PASSWORD', ${if cfg.database.passwordFile == null then "''" else "'file_get_contents(${cfg.database.passwordFile})'"});/g" "${runDir}/server/php/config.inc.php ''} sed -i "s/^.*'R_DB_PORT'.*$/define('R_DB_PORT', '${toString cfg.database.port}');/g" "${runDir}/server/php/config.inc.php" sed -i "s/^.*'R_DB_NAME'.*$/define('R_DB_NAME', '${cfg.database.name}');/g" "${runDir}/server/php/config.inc.php" diff --git a/nixpkgs/nixos/modules/services/web-apps/shiori.nix b/nixpkgs/nixos/modules/services/web-apps/shiori.nix new file mode 100644 index 000000000000..1817a2039352 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-apps/shiori.nix @@ -0,0 +1,50 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.shiori; +in { + options = { + services.shiori = { + enable = mkEnableOption "Shiori simple bookmarks manager"; + + package = mkOption { + type = types.package; + default = pkgs.shiori; + defaultText = "pkgs.shiori"; + description = "The Shiori package to use."; + }; + + address = mkOption { + type = types.str; + default = ""; + description = '' + The IP address on which Shiori will listen. + If empty, listens on all interfaces. + ''; + }; + + port = mkOption { + type = types.port; + default = 8080; + description = "The port of the Shiori web application"; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.shiori = with cfg; { + description = "Shiori simple bookmarks manager"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ExecStart = "${package}/bin/shiori serve --address '${address}' --port '${toString port}'"; + DynamicUser = true; + Environment = "SHIORI_DIR=/var/lib/shiori"; + StateDirectory = "shiori"; + }; + }; + }; + + meta.maintainers = with maintainers; [ minijackson ]; +} diff --git a/nixpkgs/nixos/modules/services/web-apps/trac.nix b/nixpkgs/nixos/modules/services/web-apps/trac.nix new file mode 100644 index 000000000000..207fb857438a --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-apps/trac.nix @@ -0,0 +1,79 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.trac; + + inherit (lib) mkEnableOption mkIf mkOption types; + +in { + + options = { + + services.trac = { + enable = mkEnableOption "Trac service"; + + listen = { + ip = mkOption { + type = types.str; + default = "0.0.0.0"; + description = '' + IP address that Trac should listen on. + ''; + }; + + port = mkOption { + type = types.port; + default = 8000; + description = '' + Listen port for Trac. + ''; + }; + }; + + dataDir = mkOption { + default = "/var/lib/trac"; + type = types.path; + description = '' + The directory for storing the Trac data. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Open ports in the firewall for Trac. + ''; + }; + }; + + }; + + config = mkIf cfg.enable { + + systemd.services.trac = { + description = "Trac server"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + DynamicUser = true; + StateDirectory = baseNameOf cfg.dataDir; + ExecStart = '' + ${pkgs.trac}/bin/tracd -s \ + -b ${toString cfg.listen.ip} \ + -p ${toString cfg.listen.port} \ + ${cfg.dataDir} + ''; + }; + preStart = '' + if [ ! -e ${cfg.dataDir}/VERSION ]; then + ${pkgs.trac}/bin/trac-admin ${cfg.dataDir} initenv Trac "sqlite:db/trac.db" + fi + ''; + }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.listen.port ]; + }; + + }; +} diff --git a/nixpkgs/nixos/modules/services/web-apps/trilium.nix b/nixpkgs/nixos/modules/services/web-apps/trilium.nix new file mode 100644 index 000000000000..6f47193c62b9 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-apps/trilium.nix @@ -0,0 +1,137 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.trilium-server; + configIni = pkgs.writeText "trilium-config.ini" '' + [General] + # Instance name can be used to distinguish between different instances + instanceName=${cfg.instanceName} + + # Disable automatically generating desktop icon + noDesktopIcon=true + + [Network] + # host setting is relevant only for web deployments - set the host on which the server will listen + host=${cfg.host} + # port setting is relevant only for web deployments, desktop builds run on random free port + port=${toString cfg.port} + # true for TLS/SSL/HTTPS (secure), false for HTTP (unsecure). + https=false + ''; +in +{ + + options.services.trilium-server = with lib; { + enable = mkEnableOption "trilium-server"; + + dataDir = mkOption { + type = types.str; + default = "/var/lib/trilium"; + description = '' + The directory storing the nodes database and the configuration. + ''; + }; + + instanceName = mkOption { + type = types.str; + default = "Trilium"; + description = '' + Instance name used to distinguish between different instances + ''; + }; + + host = mkOption { + type = types.str; + default = "127.0.0.1"; + description = '' + The host address to bind to (defaults to localhost). + ''; + }; + + port = mkOption { + type = types.int; + default = 8080; + description = '' + The port number to bind to. + ''; + }; + + nginx = mkOption { + default = {}; + description = '' + Configuration for nginx reverse proxy. + ''; + + type = types.submodule { + options = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Configure the nginx reverse proxy settings. + ''; + }; + + hostName = mkOption { + type = types.str; + description = '' + The hostname use to setup the virtualhost configuration + ''; + }; + }; + }; + }; + }; + + config = lib.mkIf cfg.enable (lib.mkMerge [ + { + meta.maintainers = with lib.maintainers; [ kampka ]; + + users.groups.trilium = {}; + users.users.trilium = { + description = "Trilium User"; + group = "trilium"; + home = cfg.dataDir; + isSystemUser = true; + }; + + systemd.services.trilium-server = { + wantedBy = [ "multi-user.target" ]; + environment.TRILIUM_DATA_DIR = cfg.dataDir; + serviceConfig = { + ExecStart = "${pkgs.trilium-server}/bin/trilium-server"; + User = "trilium"; + Group = "trilium"; + PrivateTmp = "true"; + }; + }; + + systemd.tmpfiles.rules = [ + "d ${cfg.dataDir} 0750 trilium trilium - -" + "L+ ${cfg.dataDir}/config.ini - - - - ${configIni}" + ]; + + } + + (lib.mkIf cfg.nginx.enable { + services.nginx = { + enable = true; + virtualHosts."${cfg.nginx.hostName}" = { + locations."/" = { + proxyPass = "http://${cfg.host}:${toString cfg.port}/"; + extraConfig = '' + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_cache_bypass $http_upgrade; + ''; + }; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }) + ]); +} diff --git a/nixpkgs/nixos/modules/services/web-apps/virtlyst.nix b/nixpkgs/nixos/modules/services/web-apps/virtlyst.nix index e5c0bff2168a..37bdbb0e3b42 100644 --- a/nixpkgs/nixos/modules/services/web-apps/virtlyst.nix +++ b/nixpkgs/nixos/modules/services/web-apps/virtlyst.nix @@ -54,6 +54,7 @@ in home = stateDir; createHome = true; group = mkIf config.virtualisation.libvirtd.enable "libvirtd"; + isSystemUser = true; }; systemd.services.virtlyst = { diff --git a/nixpkgs/nixos/modules/services/web-apps/wordpress.nix b/nixpkgs/nixos/modules/services/web-apps/wordpress.nix index e311dd917dd0..ad4f39fbf52c 100644 --- a/nixpkgs/nixos/modules/services/web-apps/wordpress.nix +++ b/nixpkgs/nixos/modules/services/web-apps/wordpress.nix @@ -3,7 +3,7 @@ let inherit (lib) mkDefault mkEnableOption mkForce mkIf mkMerge mkOption types; inherit (lib) any attrValues concatMapStringsSep flatten literalExample; - inherit (lib) mapAttrs' mapAttrsToList nameValuePair optional optionalAttrs optionalString; + inherit (lib) mapAttrs mapAttrs' mapAttrsToList nameValuePair optional optionalAttrs optionalString; eachSite = config.services.wordpress; user = "wordpress"; @@ -127,7 +127,7 @@ let <note><para>These themes need to be packaged before use, see example.</para></note> ''; example = '' - # For shits and giggles, let's package the responsive theme + # Let's package the responsive theme responsiveTheme = pkgs.stdenv.mkDerivation { name = "responsive-theme"; # Download the theme from the wordpress site @@ -209,18 +209,12 @@ let }; virtualHost = mkOption { - type = types.submodule ({ - options = import ../web-servers/apache-httpd/per-server-options.nix { - inherit lib; - forMainServer = false; - }; - }); + type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix); example = literalExample '' { - enableSSL = true; adminAddr = "webmaster@example.org"; - sslServerCert = "/var/lib/acme/wordpress.example.org/full.pem"; - sslServerKey = "/var/lib/acme/wordpress.example.org/key.pem"; + forceSSL = true; + enableACME = true; } ''; description = '' @@ -304,41 +298,37 @@ in services.httpd = { enable = true; extraModules = [ "proxy_fcgi" ]; - virtualHosts = mapAttrsToList (hostName: cfg: - (mkMerge [ - cfg.virtualHost { - documentRoot = mkForce "${pkg hostName cfg}/share/wordpress"; - extraConfig = '' - <Directory "${pkg hostName cfg}/share/wordpress"> - <FilesMatch "\.php$"> - <If "-f %{REQUEST_FILENAME}"> - SetHandler "proxy:unix:${config.services.phpfpm.pools."wordpress-${hostName}".socket}|fcgi://localhost/" - </If> - </FilesMatch> - - # standard wordpress .htaccess contents - <IfModule mod_rewrite.c> - RewriteEngine On - RewriteBase / - RewriteRule ^index\.php$ - [L] - RewriteCond %{REQUEST_FILENAME} !-f - RewriteCond %{REQUEST_FILENAME} !-d - RewriteRule . /index.php [L] - </IfModule> - - DirectoryIndex index.php - Require all granted - Options +FollowSymLinks - </Directory> - - # https://wordpress.org/support/article/hardening-wordpress/#securing-wp-config-php - <Files wp-config.php> - Require all denied - </Files> - ''; - } - ]) - ) eachSite; + virtualHosts = mapAttrs (hostName: cfg: mkMerge [ cfg.virtualHost { + documentRoot = mkForce "${pkg hostName cfg}/share/wordpress"; + extraConfig = '' + <Directory "${pkg hostName cfg}/share/wordpress"> + <FilesMatch "\.php$"> + <If "-f %{REQUEST_FILENAME}"> + SetHandler "proxy:unix:${config.services.phpfpm.pools."wordpress-${hostName}".socket}|fcgi://localhost/" + </If> + </FilesMatch> + + # standard wordpress .htaccess contents + <IfModule mod_rewrite.c> + RewriteEngine On + RewriteBase / + RewriteRule ^index\.php$ - [L] + RewriteCond %{REQUEST_FILENAME} !-f + RewriteCond %{REQUEST_FILENAME} !-d + RewriteRule . /index.php [L] + </IfModule> + + DirectoryIndex index.php + Require all granted + Options +FollowSymLinks + </Directory> + + # https://wordpress.org/support/article/hardening-wordpress/#securing-wp-config-php + <Files wp-config.php> + Require all denied + </Files> + ''; + } ]) eachSite; }; systemd.tmpfiles.rules = flatten (mapAttrsToList (hostName: cfg: [ @@ -367,7 +357,10 @@ in }) ]; - users.users.${user}.group = group; + users.users.${user} = { + group = group; + isSystemUser = true; + }; }; } diff --git a/nixpkgs/nixos/modules/services/web-apps/zabbix.nix b/nixpkgs/nixos/modules/services/web-apps/zabbix.nix index 09538726b7cd..ee8447810c6d 100644 --- a/nixpkgs/nixos/modules/services/web-apps/zabbix.nix +++ b/nixpkgs/nixos/modules/services/web-apps/zabbix.nix @@ -113,19 +113,15 @@ in }; virtualHost = mkOption { - type = types.submodule ({ - options = import ../web-servers/apache-httpd/per-server-options.nix { - inherit lib; - forMainServer = false; - }; - }); - example = { - hostName = "zabbix.example.org"; - enableSSL = true; - adminAddr = "webmaster@example.org"; - sslServerCert = "/var/lib/acme/zabbix.example.org/full.pem"; - sslServerKey = "/var/lib/acme/zabbix.example.org/key.pem"; - }; + type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix); + example = literalExample '' + { + hostName = "zabbix.example.org"; + adminAddr = "webmaster@example.org"; + forceSSL = true; + enableACME = true; + } + ''; description = '' Apache configuration can be done by adapting <literal>services.httpd.virtualHosts.<name></literal>. See <xref linkend="opt-services.httpd.virtualHosts"/> for further information. @@ -190,23 +186,21 @@ in enable = true; adminAddr = mkDefault cfg.virtualHost.adminAddr; extraModules = [ "proxy_fcgi" ]; - virtualHosts = [ (mkMerge [ - cfg.virtualHost { - documentRoot = mkForce "${cfg.package}/share/zabbix"; - extraConfig = '' - <Directory "${cfg.package}/share/zabbix"> - <FilesMatch "\.php$"> - <If "-f %{REQUEST_FILENAME}"> - SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" - </If> - </FilesMatch> - AllowOverride all - Options -Indexes - DirectoryIndex index.php - </Directory> - ''; - } - ]) ]; + virtualHosts.${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost { + documentRoot = mkForce "${cfg.package}/share/zabbix"; + extraConfig = '' + <Directory "${cfg.package}/share/zabbix"> + <FilesMatch "\.php$"> + <If "-f %{REQUEST_FILENAME}"> + SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" + </If> + </FilesMatch> + AllowOverride all + Options -Indexes + DirectoryIndex index.php + </Directory> + ''; + } ]; }; users.users.${user} = mapAttrs (name: mkDefault) { diff --git a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix index 098160ee3692..4460f89ec5c1 100644 --- a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -6,124 +6,50 @@ let mainCfg = config.services.httpd; + runtimeDir = "/run/httpd"; + httpd = mainCfg.package.out; httpdConf = mainCfg.configFile; php = mainCfg.phpPackage.override { apacheHttpd = httpd.dev; /* otherwise it only gets .out */ }; - phpMajorVersion = head (splitString "." php.version); + phpMajorVersion = lib.versions.major (lib.getVersion php); mod_perl = pkgs.apacheHttpdPackages.mod_perl.override { apacheHttpd = httpd; }; - defaultListen = cfg: if cfg.enableSSL - then [{ip = "*"; port = 443;}] - else [{ip = "*"; port = 80;}]; - - getListen = cfg: - if cfg.listen == [] - then defaultListen cfg - else cfg.listen; - - listenToString = l: "${l.ip}:${toString l.port}"; - - extraModules = attrByPath ["extraModules"] [] mainCfg; - extraForeignModules = filter isAttrs extraModules; - extraApacheModules = filter isString extraModules; - - - makeServerInfo = cfg: { - # Canonical name must not include a trailing slash. - canonicalNames = - let defaultPort = (head (defaultListen cfg)).port; in - map (port: - (if cfg.enableSSL then "https" else "http") + "://" + - cfg.hostName + - (if port != defaultPort then ":${toString port}" else "") - ) (map (x: x.port) (getListen cfg)); - - # Admin address: inherit from the main server if not specified for - # a virtual host. - adminAddr = if cfg.adminAddr != null then cfg.adminAddr else mainCfg.adminAddr; - - vhostConfig = cfg; - serverConfig = mainCfg; - fullConfig = config; # machine config - }; - - - allHosts = [mainCfg] ++ mainCfg.virtualHosts; - - - callSubservices = serverInfo: defs: - let f = svc: - let - svcFunction = - if svc ? function then svc.function - # instead of using serviceType="mediawiki"; you can copy mediawiki.nix to any location outside nixpkgs, modify it at will, and use serviceExpression=./mediawiki.nix; - else if svc ? serviceExpression then import (toString svc.serviceExpression) - else import (toString "${toString ./.}/${if svc ? serviceType then svc.serviceType else svc.serviceName}.nix"); - config = (evalModules - { modules = [ { options = res.options; config = svc.config or svc; } ]; - check = false; - }).config; - defaults = { - extraConfig = ""; - extraModules = []; - extraModulesPre = []; - extraPath = []; - extraServerPath = []; - globalEnvVars = []; - robotsEntries = ""; - startupScript = ""; - enablePHP = false; - enablePerl = false; - phpOptions = ""; - options = {}; - documentRoot = null; - }; - res = defaults // svcFunction { inherit config lib pkgs serverInfo php; }; - in res; - in map f defs; + vhosts = attrValues mainCfg.virtualHosts; + mkListenInfo = hostOpts: + if hostOpts.listen != [] then hostOpts.listen + else ( + optional (hostOpts.onlySSL || hostOpts.addSSL || hostOpts.forceSSL) { ip = "*"; port = 443; ssl = true; } ++ + optional (!hostOpts.onlySSL) { ip = "*"; port = 80; ssl = false; } + ); - # !!! callSubservices is expensive - subservicesFor = cfg: callSubservices (makeServerInfo cfg) cfg.extraSubservices; + listenInfo = unique (concatMap mkListenInfo vhosts); - mainSubservices = subservicesFor mainCfg; + enableSSL = any (listen: listen.ssl) listenInfo; - allSubservices = mainSubservices ++ concatMap subservicesFor mainCfg.virtualHosts; + enableUserDir = any (vhost: vhost.enableUserDir) vhosts; - - enableSSL = any (vhost: vhost.enableSSL) allHosts; - - - # Names of modules from ${httpd}/modules that we want to load. - apacheModules = - [ # HTTP authentication mechanisms: basic and digest. - "auth_basic" "auth_digest" - - # Authentication: is the user who he claims to be? - "authn_file" "authn_dbm" "authn_anon" "authn_core" - - # Authorization: is the user allowed access? - "authz_user" "authz_groupfile" "authz_host" "authz_core" - - # Other modules. - "ext_filter" "include" "log_config" "env" "mime_magic" - "cern_meta" "expires" "headers" "usertrack" /* "unique_id" */ "setenvif" - "mime" "dav" "status" "autoindex" "asis" "info" "dav_fs" - "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling" - "userdir" "alias" "rewrite" "proxy" "proxy_http" - "unixd" "cache" "cache_disk" "slotmem_shm" "socache_shmcb" + # NOTE: generally speaking order of modules is very important + modules = + [ # required apache modules our httpd service cannot run without + "authn_core" "authz_core" + "log_config" + "mime" "autoindex" "negotiation" "dir" + "alias" "rewrite" + "unixd" "slotmem_shm" "socache_shmcb" "mpm_${mainCfg.multiProcessingModule}" - - # For compatibility with old configurations, the new module mod_access_compat is provided. - "access_compat" ] ++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ]) ++ optional enableSSL "ssl" - ++ extraApacheModules; + ++ optional enableUserDir "userdir" + ++ optional mainCfg.enableMellon { name = "auth_mellon"; path = "${pkgs.apacheHttpdPackages.mod_auth_mellon}/modules/mod_auth_mellon.so"; } + ++ optional mainCfg.enablePHP { name = "php${phpMajorVersion}"; path = "${php}/modules/libphp${phpMajorVersion}.so"; } + ++ optional mainCfg.enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; } + ++ mainCfg.extraModules; allDenied = "Require all denied"; @@ -147,20 +73,22 @@ let browserHacks = '' - BrowserMatch "Mozilla/2" nokeepalive - BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 - BrowserMatch "RealPlayer 4\.0" force-response-1.0 - BrowserMatch "Java/1\.0" force-response-1.0 - BrowserMatch "JDK/1\.0" force-response-1.0 - BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully - BrowserMatch "^WebDrive" redirect-carefully - BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully - BrowserMatch "^gnome-vfs" redirect-carefully + <IfModule mod_setenvif.c> + BrowserMatch "Mozilla/2" nokeepalive + BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 + BrowserMatch "RealPlayer 4\.0" force-response-1.0 + BrowserMatch "Java/1\.0" force-response-1.0 + BrowserMatch "JDK/1\.0" force-response-1.0 + BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully + BrowserMatch "^WebDrive" redirect-carefully + BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully + BrowserMatch "^gnome-vfs" redirect-carefully + </IfModule> ''; sslConf = '' - SSLSessionCache shmcb:${mainCfg.stateDir}/ssl_scache(512000) + SSLSessionCache shmcb:${runtimeDir}/ssl_scache(512000) Mutex posixsem @@ -185,130 +113,144 @@ let </IfModule> ''; - - perServerConf = isMainServer: cfg: let - - serverInfo = makeServerInfo cfg; - - subservices = callSubservices serverInfo cfg.extraSubservices; - - maybeDocumentRoot = fold (svc: acc: - if acc == null then svc.documentRoot else assert svc.documentRoot == null; acc - ) null ([ cfg ] ++ subservices); - - documentRoot = if maybeDocumentRoot != null then maybeDocumentRoot else - pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out"; - - documentRootConf = '' - DocumentRoot "${documentRoot}" - - <Directory "${documentRoot}"> - Options Indexes FollowSymLinks - AllowOverride None - ${allGranted} - </Directory> - ''; - - robotsTxt = - concatStringsSep "\n" (filter (x: x != "") ( - # If this is a vhost, the include the entries for the main server as well. - (if isMainServer then [] else [mainCfg.robotsEntries] ++ map (svc: svc.robotsEntries) mainSubservices) - ++ [cfg.robotsEntries] - ++ (map (svc: svc.robotsEntries) subservices))); - - in '' - ${concatStringsSep "\n" (map (n: "ServerName ${n}") serverInfo.canonicalNames)} - - ${concatMapStrings (alias: "ServerAlias ${alias}\n") cfg.serverAliases} - - ${if cfg.sslServerCert != null then '' - SSLCertificateFile ${cfg.sslServerCert} - SSLCertificateKeyFile ${cfg.sslServerKey} - ${if cfg.sslServerChain != null then '' - SSLCertificateChainFile ${cfg.sslServerChain} - '' else ""} - '' else ""} - - ${if cfg.enableSSL then '' - SSLEngine on - '' else if enableSSL then /* i.e., SSL is enabled for some host, but not this one */ - '' - SSLEngine off - '' else ""} - - ${if isMainServer || cfg.adminAddr != null then '' - ServerAdmin ${cfg.adminAddr} - '' else ""} - - ${if !isMainServer && mainCfg.logPerVirtualHost then '' - ErrorLog ${mainCfg.logDir}/error-${cfg.hostName}.log - CustomLog ${mainCfg.logDir}/access-${cfg.hostName}.log ${cfg.logFormat} - '' else ""} - - ${optionalString (robotsTxt != "") '' - Alias /robots.txt ${pkgs.writeText "robots.txt" robotsTxt} - ''} - - ${if isMainServer || maybeDocumentRoot != null then documentRootConf else ""} - - ${if cfg.enableUserDir then '' - - UserDir public_html - UserDir disabled root - - <Directory "/home/*/public_html"> - AllowOverride FileInfo AuthConfig Limit Indexes - Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec - <Limit GET POST OPTIONS> - ${allGranted} - </Limit> - <LimitExcept GET POST OPTIONS> - ${allDenied} - </LimitExcept> - </Directory> - - '' else ""} - - ${if cfg.globalRedirect != null && cfg.globalRedirect != "" then '' - RedirectPermanent / ${cfg.globalRedirect} - '' else ""} - - ${ - let makeFileConf = elem: '' - Alias ${elem.urlPath} ${elem.file} - ''; - in concatMapStrings makeFileConf cfg.servedFiles - } - - ${ - let makeDirConf = elem: '' - Alias ${elem.urlPath} ${elem.dir}/ - <Directory ${elem.dir}> - Options +Indexes - ${allGranted} - AllowOverride All - </Directory> - ''; - in concatMapStrings makeDirConf cfg.servedDirs - } - - ${concatMapStrings (svc: svc.extraConfig) subservices} - - ${cfg.extraConfig} - ''; + mkVHostConf = hostOpts: + let + adminAddr = if hostOpts.adminAddr != null then hostOpts.adminAddr else mainCfg.adminAddr; + listen = filter (listen: !listen.ssl) (mkListenInfo hostOpts); + listenSSL = filter (listen: listen.ssl) (mkListenInfo hostOpts); + + useACME = hostOpts.enableACME || hostOpts.useACMEHost != null; + sslCertDir = + if hostOpts.enableACME then config.security.acme.certs.${hostOpts.hostName}.directory + else if hostOpts.useACMEHost != null then config.security.acme.certs.${hostOpts.useACMEHost}.directory + else abort "This case should never happen."; + + sslServerCert = if useACME then "${sslCertDir}/full.pem" else hostOpts.sslServerCert; + sslServerKey = if useACME then "${sslCertDir}/key.pem" else hostOpts.sslServerKey; + sslServerChain = if useACME then "${sslCertDir}/fullchain.pem" else hostOpts.sslServerChain; + + acmeChallenge = optionalString useACME '' + Alias /.well-known/acme-challenge/ "${hostOpts.acmeRoot}/.well-known/acme-challenge/" + <Directory "${hostOpts.acmeRoot}"> + AllowOverride None + Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec + Require method GET POST OPTIONS + Require all granted + </Directory> + ''; + in + optionalString (listen != []) '' + <VirtualHost ${concatMapStringsSep " " (listen: "${listen.ip}:${toString listen.port}") listen}> + ServerName ${hostOpts.hostName} + ${concatMapStrings (alias: "ServerAlias ${alias}\n") hostOpts.serverAliases} + ServerAdmin ${adminAddr} + <IfModule mod_ssl.c> + SSLEngine off + </IfModule> + ${acmeChallenge} + ${if hostOpts.forceSSL then '' + <IfModule mod_rewrite.c> + RewriteEngine on + RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC] + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} + </IfModule> + '' else mkVHostCommonConf hostOpts} + </VirtualHost> + '' + + optionalString (listenSSL != []) '' + <VirtualHost ${concatMapStringsSep " " (listen: "${listen.ip}:${toString listen.port}") listenSSL}> + ServerName ${hostOpts.hostName} + ${concatMapStrings (alias: "ServerAlias ${alias}\n") hostOpts.serverAliases} + ServerAdmin ${adminAddr} + SSLEngine on + SSLCertificateFile ${sslServerCert} + SSLCertificateKeyFile ${sslServerKey} + ${optionalString (sslServerChain != null) "SSLCertificateChainFile ${sslServerChain}"} + ${acmeChallenge} + ${mkVHostCommonConf hostOpts} + </VirtualHost> + '' + ; + + mkVHostCommonConf = hostOpts: + let + documentRoot = if hostOpts.documentRoot != null + then hostOpts.documentRoot + else pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out" + ; + in + '' + ${optionalString mainCfg.logPerVirtualHost '' + ErrorLog ${mainCfg.logDir}/error-${hostOpts.hostName}.log + CustomLog ${mainCfg.logDir}/access-${hostOpts.hostName}.log ${hostOpts.logFormat} + ''} + + ${optionalString (hostOpts.robotsEntries != "") '' + Alias /robots.txt ${pkgs.writeText "robots.txt" hostOpts.robotsEntries} + ''} + + DocumentRoot "${documentRoot}" + + <Directory "${documentRoot}"> + Options Indexes FollowSymLinks + AllowOverride None + ${allGranted} + </Directory> + + ${optionalString hostOpts.enableUserDir '' + UserDir public_html + UserDir disabled root + <Directory "/home/*/public_html"> + AllowOverride FileInfo AuthConfig Limit Indexes + Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec + <Limit GET POST OPTIONS> + Require all granted + </Limit> + <LimitExcept GET POST OPTIONS> + Require all denied + </LimitExcept> + </Directory> + ''} + + ${optionalString (hostOpts.globalRedirect != null && hostOpts.globalRedirect != "") '' + RedirectPermanent / ${hostOpts.globalRedirect} + ''} + + ${ + let makeFileConf = elem: '' + Alias ${elem.urlPath} ${elem.file} + ''; + in concatMapStrings makeFileConf hostOpts.servedFiles + } + ${ + let makeDirConf = elem: '' + Alias ${elem.urlPath} ${elem.dir}/ + <Directory ${elem.dir}> + Options +Indexes + ${allGranted} + AllowOverride All + </Directory> + ''; + in concatMapStrings makeDirConf hostOpts.servedDirs + } + + ${hostOpts.extraConfig} + '' + ; confFile = pkgs.writeText "httpd.conf" '' ServerRoot ${httpd} + ServerName ${config.networking.hostName} + DefaultRuntimeDir ${runtimeDir}/runtime - DefaultRuntimeDir ${mainCfg.stateDir}/runtime - - PidFile ${mainCfg.stateDir}/httpd.pid + PidFile ${runtimeDir}/httpd.pid ${optionalString (mainCfg.multiProcessingModule != "prefork") '' # mod_cgid requires this. - ScriptSock ${mainCfg.stateDir}/cgisock + ScriptSock ${runtimeDir}/cgisock ''} <IfModule prefork.c> @@ -317,26 +259,21 @@ let </IfModule> ${let - listen = concatMap getListen allHosts; - toStr = listen: "Listen ${listenToString listen}\n"; - uniqueListen = uniqList {inputList = map toStr listen;}; - in concatStrings uniqueListen + toStr = listen: "Listen ${listen.ip}:${toString listen.port} ${if listen.ssl then "https" else "http"}"; + uniqueListen = uniqList {inputList = map toStr listenInfo;}; + in concatStringsSep "\n" uniqueListen } User ${mainCfg.user} Group ${mainCfg.group} ${let - load = {name, path}: "LoadModule ${name}_module ${path}\n"; - allModules = - concatMap (svc: svc.extraModulesPre) allSubservices - ++ map (name: {inherit name; path = "${httpd}/modules/mod_${name}.so";}) apacheModules - ++ optional mainCfg.enableMellon { name = "auth_mellon"; path = "${pkgs.apacheHttpdPackages.mod_auth_mellon}/modules/mod_auth_mellon.so"; } - ++ optional enablePHP { name = "php${phpMajorVersion}"; path = "${php}/modules/libphp${phpMajorVersion}.so"; } - ++ optional enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; } - ++ concatMap (svc: svc.extraModules) allSubservices - ++ extraForeignModules; - in concatMapStrings load (unique allModules) + mkModule = module: + if isString module then { name = module; path = "${httpd}/modules/mod_${module}.so"; } + else if isAttrs module then { inherit (module) name path; } + else throw "Expecting either a string or attribute set including a name and path."; + in + concatMapStringsSep "\n" (module: "LoadModule ${module.name}_module ${module.path}") (unique (map mkModule modules)) } AddHandler type-map var @@ -372,30 +309,15 @@ let ${allGranted} </Directory> - # Generate directives for the main server. - ${perServerConf true mainCfg} + ${mainCfg.extraConfig} - ${let - makeVirtualHost = vhost: '' - <VirtualHost ${concatStringsSep " " (map listenToString (getListen vhost))}> - ${perServerConf false vhost} - </VirtualHost> - ''; - in concatMapStrings makeVirtualHost mainCfg.virtualHosts - } + ${concatMapStringsSep "\n" mkVHostConf vhosts} ''; - - enablePHP = mainCfg.enablePHP || any (svc: svc.enablePHP) allSubservices; - - enablePerl = mainCfg.enablePerl || any (svc: svc.enablePerl) allSubservices; - - # Generate the PHP configuration file. Should probably be factored # out into a separate module. phpIni = pkgs.runCommand "php.ini" - { options = concatStringsSep "\n" - ([ mainCfg.phpOptions ] ++ (map (svc: svc.phpOptions) allSubservices)); + { options = mainCfg.phpOptions; preferLocalBuild = true; } '' @@ -408,6 +330,26 @@ in { + imports = [ + (mkRemovedOptionModule [ "services" "httpd" "extraSubservices" ] "Most existing subservices have been ported to the NixOS module system. Please update your configuration accordingly.") + (mkRemovedOptionModule [ "services" "httpd" "stateDir" ] "The httpd module now uses /run/httpd as a runtime directory.") + + # virtualHosts options + (mkRemovedOptionModule [ "services" "httpd" "documentRoot" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "enableSSL" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "enableUserDir" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "globalRedirect" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "hostName" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "listen" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "robotsEntries" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "servedDirs" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "servedFiles" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "serverAliases" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "sslServerCert" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "sslServerChain" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "sslServerKey" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + ]; + ###### interface options = { @@ -444,7 +386,7 @@ in type = types.lines; default = ""; description = '' - Cnfiguration lines appended to the generated Apache + Configuration lines appended to the generated Apache configuration file. Note that this mechanism may not work when <option>configFile</option> is overridden. ''; @@ -453,7 +395,12 @@ in extraModules = mkOption { type = types.listOf types.unspecified; default = []; - example = literalExample ''[ "proxy_connect" { name = "php5"; path = "''${pkgs.php}/modules/libphp5.so"; } ]''; + example = literalExample '' + [ + "proxy_connect" + { name = "jk"; path = "''${pkgs.tomcat_connectors}/modules/mod_jk.so"; } + ] + ''; description = '' Additional Apache modules to be used. These can be specified as a string in the case of modules distributed @@ -463,9 +410,25 @@ in ''; }; + adminAddr = mkOption { + type = types.str; + example = "admin@example.org"; + description = "E-mail address of the server administrator."; + }; + + logFormat = mkOption { + type = types.str; + default = "common"; + example = "combined"; + description = '' + Log format for log files. Possible values are: combined, common, referer, agent. + See <link xlink:href="https://httpd.apache.org/docs/2.4/logs.html"/> for more details. + ''; + }; + logPerVirtualHost = mkOption { type = types.bool; - default = false; + default = true; description = '' If enabled, each virtual host gets its own <filename>access.log</filename> and @@ -500,37 +463,29 @@ in ''; }; - stateDir = mkOption { - type = types.path; - default = "/run/httpd"; - description = '' - Directory for Apache's transient runtime state (such as PID - files). It is created automatically. Note that the default, - <filename>/run/httpd</filename>, is deleted at boot time. - ''; - }; - virtualHosts = mkOption { - type = types.listOf (types.submodule ( - { options = import ./per-server-options.nix { - inherit lib; - forMainServer = false; + type = with types; attrsOf (submodule (import ./per-server-options.nix)); + default = { + localhost = { + documentRoot = "${httpd}/htdocs"; + }; + }; + example = literalExample '' + { + "foo.example.com" = { + forceSSL = true; + documentRoot = "/var/www/foo.example.com" + }; + "bar.example.com" = { + addSSL = true; + documentRoot = "/var/www/bar.example.com"; }; - })); - default = []; - example = [ - { hostName = "foo"; - documentRoot = "/data/webroot-foo"; - } - { hostName = "bar"; - documentRoot = "/data/webroot-bar"; } - ]; + ''; description = '' - Specification of the virtual hosts served by Apache. Each + Specification of the virtual hosts served by Apache. Each element should be an attribute set specifying the - configuration of the virtual host. The available options - are the non-global options permissible for the main host. + configuration of the virtual host. ''; }; @@ -612,17 +567,11 @@ in sslProtocols = mkOption { type = types.str; - default = "All -SSLv2 -SSLv3 -TLSv1"; + default = "All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"; example = "All -SSLv2 -SSLv3"; description = "Allowed SSL/TLS protocol versions."; }; - } - - # Include the options shared between the main server and virtual hosts. - // (import ./per-server-options.nix { - inherit lib; - forMainServer = true; - }); + }; }; @@ -631,27 +580,54 @@ in config = mkIf config.services.httpd.enable { - assertions = [ { assertion = mainCfg.enableSSL == true - -> mainCfg.sslServerCert != null - && mainCfg.sslServerKey != null; - message = "SSL is enabled for httpd, but sslServerCert and/or sslServerKey haven't been specified."; } - ]; - - warnings = map (cfg: "apache-httpd's extraSubservices option is deprecated. Most existing subservices have been ported to the NixOS module system. Please update your configuration accordingly.") (lib.filter (cfg: cfg.extraSubservices != []) allHosts); + assertions = [ + { + assertion = all (hostOpts: !hostOpts.enableSSL) vhosts; + message = '' + The option `services.httpd.virtualHosts.<name>.enableSSL` no longer has any effect; please remove it. + Select one of `services.httpd.virtualHosts.<name>.addSSL`, `services.httpd.virtualHosts.<name>.forceSSL`, + or `services.httpd.virtualHosts.<name>.onlySSL`. + ''; + } + { + assertion = all (hostOpts: with hostOpts; !(addSSL && onlySSL) && !(forceSSL && onlySSL) && !(addSSL && forceSSL)) vhosts; + message = '' + Options `services.httpd.virtualHosts.<name>.addSSL`, + `services.httpd.virtualHosts.<name>.onlySSL` and `services.httpd.virtualHosts.<name>.forceSSL` + are mutually exclusive. + ''; + } + { + assertion = all (hostOpts: !(hostOpts.enableACME && hostOpts.useACMEHost != null)) vhosts; + message = '' + Options `services.httpd.virtualHosts.<name>.enableACME` and + `services.httpd.virtualHosts.<name>.useACMEHost` are mutually exclusive. + ''; + } + ]; - users.users = optionalAttrs (mainCfg.user == "wwwrun") (singleton - { name = "wwwrun"; + users.users = optionalAttrs (mainCfg.user == "wwwrun") { + wwwrun = { group = mainCfg.group; description = "Apache httpd user"; uid = config.ids.uids.wwwrun; - }); + }; + }; - users.groups = optionalAttrs (mainCfg.group == "wwwrun") (singleton - { name = "wwwrun"; - gid = config.ids.gids.wwwrun; - }); + users.groups = optionalAttrs (mainCfg.group == "wwwrun") { + wwwrun.gid = config.ids.gids.wwwrun; + }; - environment.systemPackages = [httpd] ++ concatMap (svc: svc.extraPath) allSubservices; + security.acme.certs = mapAttrs (name: hostOpts: { + user = mainCfg.user; + group = mkDefault mainCfg.group; + email = if hostOpts.adminAddr != null then hostOpts.adminAddr else mainCfg.adminAddr; + webroot = hostOpts.acmeRoot; + extraDomains = genAttrs hostOpts.serverAliases (alias: null); + postRun = "systemctl reload httpd.service"; + }) (filterAttrs (name: hostOpts: hostOpts.enableACME) mainCfg.virtualHosts); + + environment.systemPackages = [httpd]; services.httpd.phpOptions = '' @@ -666,30 +642,48 @@ in date.timezone = "${config.time.timeZone}" ''; + services.httpd.extraModules = mkBefore [ + # HTTP authentication mechanisms: basic and digest. + "auth_basic" "auth_digest" + + # Authentication: is the user who he claims to be? + "authn_file" "authn_dbm" "authn_anon" + + # Authorization: is the user allowed access? + "authz_user" "authz_groupfile" "authz_host" + + # Other modules. + "ext_filter" "include" "env" "mime_magic" + "cern_meta" "expires" "headers" "usertrack" "setenvif" + "dav" "status" "asis" "info" "dav_fs" + "vhost_alias" "imagemap" "actions" "speling" + "proxy" "proxy_http" + "cache" "cache_disk" + + # For compatibility with old configurations, the new module mod_access_compat is provided. + "access_compat" + ]; + systemd.services.httpd = + let + vhostsACME = filter (hostOpts: hostOpts.enableACME) vhosts; + in { description = "Apache HTTPD"; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "fs.target" ]; + wants = concatLists (map (hostOpts: [ "acme-${hostOpts.hostName}.service" "acme-selfsigned-${hostOpts.hostName}.service" ]) vhostsACME); + after = [ "network.target" "fs.target" ] ++ map (hostOpts: "acme-selfsigned-${hostOpts.hostName}.service") vhostsACME; path = [ httpd pkgs.coreutils pkgs.gnugrep ] - ++ optional enablePHP pkgs.system-sendmail # Needed for PHP's mail() function. - ++ concatMap (svc: svc.extraServerPath) allSubservices; + ++ optional mainCfg.enablePHP pkgs.system-sendmail; # Needed for PHP's mail() function. environment = - optionalAttrs enablePHP { PHPRC = phpIni; } - // optionalAttrs mainCfg.enableMellon { LD_LIBRARY_PATH = "${pkgs.xmlsec}/lib"; } - // (listToAttrs (concatMap (svc: svc.globalEnvVars) allSubservices)); + optionalAttrs mainCfg.enablePHP { PHPRC = phpIni; } + // optionalAttrs mainCfg.enableMellon { LD_LIBRARY_PATH = "${pkgs.xmlsec}/lib"; }; preStart = '' - mkdir -m 0750 -p ${mainCfg.stateDir} - [ $(id -u) != 0 ] || chown root.${mainCfg.group} ${mainCfg.stateDir} - - mkdir -m 0750 -p "${mainCfg.stateDir}/runtime" - [ $(id -u) != 0 ] || chown root.${mainCfg.group} "${mainCfg.stateDir}/runtime" - mkdir -m 0700 -p ${mainCfg.logDir} # Get rid of old semaphores. These tend to accumulate across @@ -698,21 +692,18 @@ in for i in $(${pkgs.utillinux}/bin/ipcs -s | grep ' ${mainCfg.user} ' | cut -f2 -d ' '); do ${pkgs.utillinux}/bin/ipcrm -s $i done - - # Run the startup hooks for the subservices. - for i in ${toString (map (svn: svn.startupScript) allSubservices)}; do - echo Running Apache startup hook $i... - $i - done ''; serviceConfig.ExecStart = "@${httpd}/bin/httpd httpd -f ${httpdConf}"; serviceConfig.ExecStop = "${httpd}/bin/httpd -f ${httpdConf} -k graceful-stop"; serviceConfig.ExecReload = "${httpd}/bin/httpd -f ${httpdConf} -k graceful"; + serviceConfig.Group = mainCfg.group; serviceConfig.Type = "forking"; - serviceConfig.PIDFile = "${mainCfg.stateDir}/httpd.pid"; + serviceConfig.PIDFile = "${runtimeDir}/httpd.pid"; serviceConfig.Restart = "always"; serviceConfig.RestartSec = "5s"; + serviceConfig.RuntimeDirectory = "httpd httpd/runtime"; + serviceConfig.RuntimeDirectoryMode = "0750"; }; }; diff --git a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix index 9d747549c274..f2e92cda05f6 100644 --- a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix +++ b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix @@ -1,180 +1,235 @@ -# This file defines the options that can be used both for the Apache -# main server configuration, and for the virtual hosts. (The latter -# has additional options that affect the web server as a whole, like -# the user/group to run under.) - -{ forMainServer, lib }: - -with lib; - +{ config, lib, name, ... }: +let + inherit (lib) mkOption types; +in { + options = { + + hostName = mkOption { + type = types.str; + default = name; + description = "Canonical hostname for the server."; + }; + + serverAliases = mkOption { + type = types.listOf types.str; + default = []; + example = ["www.example.org" "www.example.org:8080" "example.org"]; + description = '' + Additional names of virtual hosts served by this virtual host configuration. + ''; + }; + + listen = mkOption { + type = with types; listOf (submodule ({ + options = { + port = mkOption { + type = types.port; + description = "Port to listen on"; + }; + ip = mkOption { + type = types.str; + default = "*"; + description = "IP to listen on. 0.0.0.0 for IPv4 only, * for all."; + }; + ssl = mkOption { + type = types.bool; + default = false; + description = "Whether to enable SSL (https) support."; + }; + }; + })); + default = []; + example = [ + { ip = "195.154.1.1"; port = 443; ssl = true;} + { ip = "192.154.1.1"; port = 80; } + { ip = "*"; port = 8080; } + ]; + description = '' + Listen addresses and ports for this virtual host. + <note><para> + This option overrides <literal>addSSL</literal>, <literal>forceSSL</literal> and <literal>onlySSL</literal>. + </para></note> + ''; + }; + + enableSSL = mkOption { + type = types.bool; + visible = false; + default = false; + }; + + addSSL = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable HTTPS in addition to plain HTTP. This will set defaults for + <literal>listen</literal> to listen on all interfaces on the respective default + ports (80, 443). + ''; + }; + + onlySSL = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable HTTPS and reject plain HTTP connections. This will set + defaults for <literal>listen</literal> to listen on all interfaces on port 443. + ''; + }; + + forceSSL = mkOption { + type = types.bool; + default = false; + description = '' + Whether to add a separate nginx server block that permanently redirects (301) + all plain HTTP traffic to HTTPS. This will set defaults for + <literal>listen</literal> to listen on all interfaces on the respective default + ports (80, 443), where the non-SSL listens are used for the redirect vhosts. + ''; + }; + + enableACME = mkOption { + type = types.bool; + default = false; + description = '' + Whether to ask Let's Encrypt to sign a certificate for this vhost. + Alternately, you can use an existing certificate through <option>useACMEHost</option>. + ''; + }; + + useACMEHost = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + A host of an existing Let's Encrypt certificate to use. + This is useful if you have many subdomains and want to avoid hitting the + <link xlink:href="https://letsencrypt.org/docs/rate-limits/">rate limit</link>. + Alternately, you can generate a certificate through <option>enableACME</option>. + <emphasis>Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using <xref linkend="opt-security.acme.certs"/>.</emphasis> + ''; + }; + + acmeRoot = mkOption { + type = types.str; + default = "/var/lib/acme/acme-challenges"; + description = "Directory for the acme challenge which is PUBLIC, don't put certs or keys in here"; + }; + + sslServerCert = mkOption { + type = types.path; + example = "/var/host.cert"; + description = "Path to server SSL certificate."; + }; + + sslServerKey = mkOption { + type = types.path; + example = "/var/host.key"; + description = "Path to server SSL certificate key."; + }; + + sslServerChain = mkOption { + type = types.nullOr types.path; + default = null; + example = "/var/ca.pem"; + description = "Path to server SSL chain file."; + }; + + adminAddr = mkOption { + type = types.nullOr types.str; + default = null; + example = "admin@example.org"; + description = "E-mail address of the server administrator."; + }; + + documentRoot = mkOption { + type = types.nullOr types.path; + default = null; + example = "/data/webserver/docs"; + description = '' + The path of Apache's document root directory. If left undefined, + an empty directory in the Nix store will be used as root. + ''; + }; + + servedDirs = mkOption { + type = types.listOf types.attrs; + default = []; + example = [ + { urlPath = "/nix"; + dir = "/home/eelco/Dev/nix-homepage"; + } + ]; + description = '' + This option provides a simple way to serve static directories. + ''; + }; + + servedFiles = mkOption { + type = types.listOf types.attrs; + default = []; + example = [ + { urlPath = "/foo/bar.png"; + file = "/home/eelco/some-file.png"; + } + ]; + description = '' + This option provides a simple way to serve individual, static files. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + example = '' + <Directory /home> + Options FollowSymlinks + AllowOverride All + </Directory> + ''; + description = '' + These lines go to httpd.conf verbatim. They will go after + directories and directory aliases defined by default. + ''; + }; + + enableUserDir = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable serving <filename>~/public_html</filename> as + <literal>/~<replaceable>username</replaceable></literal>. + ''; + }; + + globalRedirect = mkOption { + type = types.nullOr types.str; + default = null; + example = http://newserver.example.org/; + description = '' + If set, all requests for this host are redirected permanently to + the given URL. + ''; + }; + + logFormat = mkOption { + type = types.str; + default = "common"; + example = "combined"; + description = '' + Log format for Apache's log files. Possible values are: combined, common, referer, agent. + ''; + }; + + robotsEntries = mkOption { + type = types.lines; + default = ""; + example = "Disallow: /foo/"; + description = '' + Specification of pages to be ignored by web crawlers. See <link + xlink:href='http://www.robotstxt.org/'/> for details. + ''; + }; - hostName = mkOption { - type = types.str; - default = "localhost"; - description = "Canonical hostname for the server."; - }; - - serverAliases = mkOption { - type = types.listOf types.str; - default = []; - example = ["www.example.org" "www.example.org:8080" "example.org"]; - description = '' - Additional names of virtual hosts served by this virtual host configuration. - ''; - }; - - listen = mkOption { - type = types.listOf (types.submodule ( - { - options = { - port = mkOption { - type = types.int; - description = "port to listen on"; - }; - ip = mkOption { - type = types.str; - default = "*"; - description = "Ip to listen on. 0.0.0.0 for ipv4 only, * for all."; - }; - }; - } )); - description = '' - List of { /* ip: "*"; */ port = 80;} to listen on - ''; - - default = []; - }; - - enableSSL = mkOption { - type = types.bool; - default = false; - description = "Whether to enable SSL (https) support."; - }; - - # Note: sslServerCert and sslServerKey can be left empty, but this - # only makes sense for virtual hosts (they will inherit from the - # main server). - - sslServerCert = mkOption { - type = types.nullOr types.path; - default = null; - example = "/var/host.cert"; - description = "Path to server SSL certificate."; - }; - - sslServerKey = mkOption { - type = types.path; - example = "/var/host.key"; - description = "Path to server SSL certificate key."; - }; - - sslServerChain = mkOption { - type = types.nullOr types.path; - default = null; - example = "/var/ca.pem"; - description = "Path to server SSL chain file."; - }; - - adminAddr = mkOption ({ - type = types.nullOr types.str; - example = "admin@example.org"; - description = "E-mail address of the server administrator."; - } // (if forMainServer then {} else {default = null;})); - - documentRoot = mkOption { - type = types.nullOr types.path; - default = null; - example = "/data/webserver/docs"; - description = '' - The path of Apache's document root directory. If left undefined, - an empty directory in the Nix store will be used as root. - ''; }; - - servedDirs = mkOption { - type = types.listOf types.attrs; - default = []; - example = [ - { urlPath = "/nix"; - dir = "/home/eelco/Dev/nix-homepage"; - } - ]; - description = '' - This option provides a simple way to serve static directories. - ''; - }; - - servedFiles = mkOption { - type = types.listOf types.attrs; - default = []; - example = [ - { urlPath = "/foo/bar.png"; - file = "/home/eelco/some-file.png"; - } - ]; - description = '' - This option provides a simple way to serve individual, static files. - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - example = '' - <Directory /home> - Options FollowSymlinks - AllowOverride All - </Directory> - ''; - description = '' - These lines go to httpd.conf verbatim. They will go after - directories and directory aliases defined by default. - ''; - }; - - extraSubservices = mkOption { - type = types.listOf types.unspecified; - default = []; - description = "Extra subservices to enable in the webserver."; - }; - - enableUserDir = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable serving <filename>~/public_html</filename> as - <literal>/~<replaceable>username</replaceable></literal>. - ''; - }; - - globalRedirect = mkOption { - type = types.nullOr types.str; - default = null; - example = http://newserver.example.org/; - description = '' - If set, all requests for this host are redirected permanently to - the given URL. - ''; - }; - - logFormat = mkOption { - type = types.str; - default = "common"; - example = "combined"; - description = '' - Log format for Apache's log files. Possible values are: combined, common, referer, agent. - ''; - }; - - robotsEntries = mkOption { - type = types.lines; - default = ""; - example = "Disallow: /foo/"; - description = '' - Specification of pages to be ignored by web crawlers. See <link - xlink:href='http://www.robotstxt.org/'/> for details. - ''; - }; - } diff --git a/nixpkgs/nixos/modules/services/web-servers/hitch/default.nix b/nixpkgs/nixos/modules/services/web-servers/hitch/default.nix index a6c4cbea1225..1812f225b74d 100644 --- a/nixpkgs/nixos/modules/services/web-servers/hitch/default.nix +++ b/nixpkgs/nixos/modules/services/web-servers/hitch/default.nix @@ -102,7 +102,10 @@ with lib; environment.systemPackages = [ pkgs.hitch ]; - users.users.hitch.group = "hitch"; + users.users.hitch = { + group = "hitch"; + isSystemUser = true; + }; users.groups.hitch = {}; }; } diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix index e597f34700ae..c8602e5975b3 100644 --- a/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix @@ -47,7 +47,7 @@ let '')); configFile = pkgs.writers.writeNginxConfig "nginx.conf" '' - user ${cfg.user} ${cfg.group}; + pid /run/nginx/nginx.pid; error_log ${cfg.logError}; daemon off; @@ -61,7 +61,10 @@ let ${optionalString (cfg.httpConfig == "" && cfg.config == "") '' http { - include ${cfg.package}/conf/mime.types; + # The mime type definitions included with nginx are very incomplete, so + # we use a list of mime types from the mailcap package, which is also + # used by most other Linux distributions by default. + include ${pkgs.mailcap}/etc/nginx/mime.types; include ${cfg.package}/conf/fastcgi.conf; include ${cfg.package}/conf/uwsgi_params; @@ -119,6 +122,14 @@ let include ${recommendedProxyConfig}; ''} + ${optionalString (cfg.mapHashBucketSize != null) '' + map_hash_bucket_size ${toString cfg.mapHashBucketSize}; + ''} + + ${optionalString (cfg.mapHashMaxSize != null) '' + map_hash_max_size ${toString cfg.mapHashMaxSize}; + ''} + # $connection_upgrade is used for websocket proxying map $http_upgrade $connection_upgrade { default upgrade; @@ -167,6 +178,8 @@ let then "/etc/nginx/nginx.conf" else configFile; + execCommand = "${cfg.package}/bin/nginx -c '${configPath}' -p '${cfg.stateDir}'"; + vhosts = concatStringsSep "\n" (mapAttrsToList (vhostName: vhost: let onlySSL = vhost.onlySSL || vhost.enableSSL; @@ -355,12 +368,7 @@ in preStart = mkOption { type = types.lines; - default = '' - test -d ${cfg.stateDir}/logs || mkdir -m 750 -p ${cfg.stateDir}/logs - test `stat -c %a ${cfg.stateDir}` = "750" || chmod 750 ${cfg.stateDir} - test `stat -c %a ${cfg.stateDir}/logs` = "750" || chmod 750 ${cfg.stateDir}/logs - chown -R ${cfg.user}:${cfg.group} ${cfg.stateDir} - ''; + default = ""; description = " Shell commands executed before the service's nginx is started. "; @@ -507,6 +515,23 @@ in ''; }; + mapHashBucketSize = mkOption { + type = types.nullOr (types.enum [ 32 64 128 ]); + default = null; + description = '' + Sets the bucket size for the map variables hash tables. Default + value depends on the processor’s cache line size. + ''; + }; + + mapHashMaxSize = mkOption { + type = types.nullOr types.ints.positive; + default = null; + description = '' + Sets the maximum size of the map variables hash tables. + ''; + }; + resolver = mkOption { type = types.submodule { options = { @@ -645,23 +670,36 @@ in } ]; + systemd.tmpfiles.rules = [ + "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" + "d '${cfg.stateDir}/logs' 0750 ${cfg.user} ${cfg.group} - -" + "Z '${cfg.stateDir}' - ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.nginx = { description = "Nginx Web Server"; wantedBy = [ "multi-user.target" ]; wants = concatLists (map (vhostConfig: ["acme-${vhostConfig.serverName}.service" "acme-selfsigned-${vhostConfig.serverName}.service"]) acmeEnabledVhosts); after = [ "network.target" ] ++ map (vhostConfig: "acme-selfsigned-${vhostConfig.serverName}.service") acmeEnabledVhosts; stopIfChanged = false; - preStart = - '' + preStart = '' ${cfg.preStart} - ${cfg.package}/bin/nginx -c ${configPath} -p ${cfg.stateDir} -t - ''; + ${execCommand} -t + ''; serviceConfig = { - ExecStart = "${cfg.package}/bin/nginx -c ${configPath} -p ${cfg.stateDir}"; + ExecStart = execCommand; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; Restart = "always"; RestartSec = "10s"; StartLimitInterval = "1min"; + # User and group + User = cfg.user; + Group = cfg.group; + # Runtime directory and mode + RuntimeDirectory = "nginx"; + RuntimeDirectoryMode = "0750"; + # Capabilities + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; }; }; @@ -670,11 +708,18 @@ in }; systemd.services.nginx-config-reload = mkIf cfg.enableReload { - wantedBy = [ "nginx.service" ]; + wants = [ "nginx.service" ]; + wantedBy = [ "multi-user.target" ]; restartTriggers = [ configFile ]; + # commented, because can cause extra delays during activate for this config: + # services.nginx.virtualHosts."_".locations."/".proxyPass = "http://blabla:3000"; + # stopIfChanged = false; + serviceConfig.Type = "oneshot"; + serviceConfig.TimeoutSec = 60; script = '' if ${pkgs.systemd}/bin/systemctl -q is-active nginx.service ; then - ${pkgs.systemd}/bin/systemctl reload nginx.service + ${execCommand} -t && \ + ${pkgs.systemd}/bin/systemctl reload nginx.service fi ''; serviceConfig.RemainAfterExit = true; @@ -695,15 +740,16 @@ in listToAttrs acmePairs ); - users.users = optionalAttrs (cfg.user == "nginx") (singleton - { name = "nginx"; + users.users = optionalAttrs (cfg.user == "nginx") { + nginx = { group = cfg.group; uid = config.ids.uids.nginx; - }); + }; + }; + + users.groups = optionalAttrs (cfg.group == "nginx") { + nginx.gid = config.ids.gids.nginx; + }; - users.groups = optionalAttrs (cfg.group == "nginx") (singleton - { name = "nginx"; - gid = config.ids.gids.nginx; - }); }; } diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/location-options.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/location-options.nix index aeb9b1dd79ef..3d9e391ecf20 100644 --- a/nixpkgs/nixos/modules/services/web-servers/nginx/location-options.nix +++ b/nixpkgs/nixos/modules/services/web-servers/nginx/location-options.nix @@ -1,4 +1,4 @@ -# This file defines the options that can be used both for the Apache +# This file defines the options that can be used both for the Nginx # main server configuration, and for the virtual hosts. (The latter # has additional options that affect the web server as a whole, like # the user/group to run under.) @@ -67,7 +67,7 @@ with lib; return = mkOption { type = types.nullOr types.str; default = null; - example = "301 http://example.com$request_uri;"; + example = "301 http://example.com$request_uri"; description = '' Adds a return directive, for e.g. redirections. ''; @@ -92,4 +92,3 @@ with lib; }; }; } - diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix index 15b933c984a6..455854e2a965 100644 --- a/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix +++ b/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix @@ -1,4 +1,4 @@ -# This file defines the options that can be used both for the Apache +# This file defines the options that can be used both for the Nginx # main server configuration, and for the virtual hosts. (The latter # has additional options that affect the web server as a whole, like # the user/group to run under.) @@ -207,6 +207,7 @@ with lib; default = null; description = '' Basic Auth password file for a vhost. + Can be created via: <command>htpasswd -c <filename> <username></command> ''; }; diff --git a/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix b/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix index 4ab7e3f0c0a9..2c73da103946 100644 --- a/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix +++ b/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix @@ -31,7 +31,7 @@ let ''; passAsFile = [ "nixDefaults" "phpOptions" ]; } '' - cat $phpPackage/etc/php.ini $nixDefaultsPath $phpOptionsPath > $out + cat ${poolOpts.phpPackage}/etc/php.ini $nixDefaultsPath $phpOptionsPath > $out ''; poolOpts = { name, ... }: @@ -69,8 +69,6 @@ let phpOptions = mkOption { type = types.lines; - default = cfg.phpOptions; - defaultText = "config.services.phpfpm.phpOptions"; description = '' "Options appended to the PHP configuration file <filename>php.ini</filename> used for this PHP-FPM pool." ''; @@ -137,6 +135,7 @@ let config = { socket = if poolOpts.listen == "" then "${runtimeDir}/${name}.sock" else poolOpts.listen; group = mkDefault poolOpts.user; + phpOptions = mkBefore cfg.phpOptions; settings = mapAttrs (name: mkDefault){ listen = poolOpts.socket; @@ -147,6 +146,10 @@ let }; in { + imports = [ + (mkRemovedOptionModule [ "services" "phpfpm" "poolConfigs" ] "Use services.phpfpm.pools instead.") + (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "") + ]; options = { services.phpfpm = { @@ -263,6 +266,7 @@ in { in { Slice = "phpfpm.slice"; PrivateDevices = true; + PrivateTmp = true; ProtectSystem = "full"; ProtectHome = true; # XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work diff --git a/nixpkgs/nixos/modules/services/web-servers/tomcat.nix b/nixpkgs/nixos/modules/services/web-servers/tomcat.nix index 68261c50324d..6d12925829f7 100644 --- a/nixpkgs/nixos/modules/services/web-servers/tomcat.nix +++ b/nixpkgs/nixos/modules/services/web-servers/tomcat.nix @@ -194,14 +194,10 @@ in config = mkIf config.services.tomcat.enable { - users.groups = singleton - { name = "tomcat"; - gid = config.ids.gids.tomcat; - }; + users.groups.tomcat.gid = config.ids.gids.tomcat; - users.users = singleton - { name = "tomcat"; - uid = config.ids.uids.tomcat; + users.users.tomcat = + { uid = config.ids.uids.tomcat; description = "Tomcat user"; home = "/homeless-shelter"; extraGroups = cfg.extraGroups; diff --git a/nixpkgs/nixos/modules/services/web-servers/traefik.nix b/nixpkgs/nixos/modules/services/web-servers/traefik.nix index 8de7df0d446c..5b0fc467ea46 100644 --- a/nixpkgs/nixos/modules/services/web-servers/traefik.nix +++ b/nixpkgs/nixos/modules/services/web-servers/traefik.nix @@ -117,6 +117,7 @@ in { group = "traefik"; home = cfg.dataDir; createHome = true; + isSystemUser = true; }; users.groups.traefik = {}; diff --git a/nixpkgs/nixos/modules/services/web-servers/ttyd.nix b/nixpkgs/nixos/modules/services/web-servers/ttyd.nix new file mode 100644 index 000000000000..01a01d97a234 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/ttyd.nix @@ -0,0 +1,196 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.ttyd; + + # Command line arguments for the ttyd daemon + args = [ "--port" (toString cfg.port) ] + ++ optionals (cfg.socket != null) [ "--interface" cfg.socket ] + ++ optionals (cfg.interface != null) [ "--interface" cfg.interface ] + ++ [ "--signal" (toString cfg.signal) ] + ++ (concatLists (mapAttrsToList (_k: _v: [ "--client-option" "${_k}=${_v}" ]) cfg.clientOptions)) + ++ [ "--terminal-type" cfg.terminalType ] + ++ optionals cfg.checkOrigin [ "--check-origin" ] + ++ [ "--max-clients" (toString cfg.maxClients) ] + ++ optionals (cfg.indexFile != null) [ "--index" cfg.indexFile ] + ++ optionals cfg.enableIPv6 [ "--ipv6" ] + ++ optionals cfg.enableSSL [ "--ssl-cert" cfg.certFile + "--ssl-key" cfg.keyFile + "--ssl-ca" cfg.caFile ] + ++ [ "--debug" (toString cfg.logLevel) ]; + +in + +{ + + ###### interface + + options = { + services.ttyd = { + enable = mkEnableOption "ttyd daemon"; + + port = mkOption { + type = types.int; + default = 7681; + description = "Port to listen on (use 0 for random port)"; + }; + + socket = mkOption { + type = types.nullOr types.path; + default = null; + example = "/var/run/ttyd.sock"; + description = "UNIX domain socket path to bind."; + }; + + interface = mkOption { + type = types.nullOr types.str; + default = null; + example = "eth0"; + description = "Network interface to bind."; + }; + + username = mkOption { + type = types.nullOr types.str; + default = null; + description = "Username for basic authentication."; + }; + + passwordFile = mkOption { + type = types.nullOr types.path; + default = null; + apply = value: if value == null then null else toString value; + description = '' + File containing the password to use for basic authentication. + For insecurely putting the password in the globally readable store use + <literal>pkgs.writeText "ttydpw" "MyPassword"</literal>. + ''; + }; + + signal = mkOption { + type = types.ints.u8; + default = 1; + description = "Signal to send to the command on session close."; + }; + + clientOptions = mkOption { + type = types.attrsOf types.str; + default = {}; + example = literalExample ''{ + fontSize = "16"; + fontFamily = "Fira Code"; + + }''; + description = '' + Attribute set of client options for xtermjs. + <link xlink:href="https://xtermjs.org/docs/api/terminal/interfaces/iterminaloptions/"/> + ''; + }; + + terminalType = mkOption { + type = types.str; + default = "xterm-256color"; + description = "Terminal type to report."; + }; + + checkOrigin = mkOption { + type = types.bool; + default = false; + description = "Whether to allow a websocket connection from a different origin."; + }; + + maxClients = mkOption { + type = types.int; + default = 0; + description = "Maximum clients to support (0, no limit)"; + }; + + indexFile = mkOption { + type = types.nullOr types.path; + default = null; + description = "Custom index.html path"; + }; + + enableIPv6 = mkOption { + type = types.bool; + default = false; + description = "Whether or not to enable IPv6 support."; + }; + + enableSSL = mkOption { + type = types.bool; + default = false; + description = "Whether or not to enable SSL (https) support."; + }; + + certFile = mkOption { + type = types.nullOr types.path; + default = null; + description = "SSL certificate file path."; + }; + + keyFile = mkOption { + type = types.nullOr types.path; + default = null; + apply = value: if value == null then null else toString value; + description = '' + SSL key file path. + For insecurely putting the keyFile in the globally readable store use + <literal>pkgs.writeText "ttydKeyFile" "SSLKEY"</literal>. + ''; + }; + + caFile = mkOption { + type = types.nullOr types.path; + default = null; + description = "SSL CA file path for client certificate verification."; + }; + + logLevel = mkOption { + type = types.int; + default = 7; + description = "Set log level."; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + + assertions = + [ { assertion = cfg.enableSSL + -> cfg.certFile != null && cfg.keyFile != null && cfg.caFile != null; + message = "SSL is enabled for ttyd, but no certFile, keyFile or caFile has been specefied."; } + { assertion = ! (cfg.interface != null && cfg.socket != null); + message = "Cannot set both interface and socket for ttyd."; } + { assertion = (cfg.username != null) == (cfg.passwordFile != null); + message = "Need to set both username and passwordFile for ttyd"; } + ]; + + systemd.services.ttyd = { + description = "ttyd Web Server Daemon"; + + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + # Runs login which needs to be run as root + # login: Cannot possibly work without effective root + User = "root"; + }; + + script = if cfg.passwordFile != null then '' + PASSWORD=$(cat ${escapeShellArg cfg.passwordFile}) + ${pkgs.ttyd}/bin/ttyd ${lib.escapeShellArgs args} \ + --credential ${escapeShellArg cfg.username}:"$PASSWORD" \ + ${pkgs.shadow}/bin/login + '' + else '' + ${pkgs.ttyd}/bin/ttyd ${lib.escapeShellArgs args} \ + ${pkgs.shadow}/bin/login + ''; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/unit/default.nix b/nixpkgs/nixos/modules/services/web-servers/unit/default.nix index a4a9d370d644..2303dfa95404 100644 --- a/nixpkgs/nixos/modules/services/web-servers/unit/default.nix +++ b/nixpkgs/nixos/modules/services/web-servers/unit/default.nix @@ -85,7 +85,7 @@ in { systemd.tmpfiles.rules = [ "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" "d '${cfg.logDir}' 0750 ${cfg.user} ${cfg.group} - -" - ]; + ]; systemd.services.unit = { description = "Unit App Server"; @@ -93,33 +93,50 @@ in { wantedBy = [ "multi-user.target" ]; path = with pkgs; [ curl ]; preStart = '' - test -f '/run/unit/control.unit.sock' || rm -f '/run/unit/control.unit.sock' + test -f '${cfg.stateDir}/conf.json' || rm -f '${cfg.stateDir}/conf.json' ''; postStart = '' curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config' ''; serviceConfig = { - User = cfg.user; - Group = cfg.group; - AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID"; - CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID"; ExecStart = '' ${cfg.package}/bin/unitd --control 'unix:/run/unit/control.unit.sock' --pid '/run/unit/unit.pid' \ --log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' --no-daemon \ --user ${cfg.user} --group ${cfg.group} ''; + # User and group + User = cfg.user; + Group = cfg.group; + # Capabilities + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ]; + # Security + NoNewPrivileges = true; + # Sanboxing + ProtectSystem = "full"; + ProtectHome = true; RuntimeDirectory = "unit"; RuntimeDirectoryMode = "0750"; + PrivateTmp = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + PrivateMounts = true; }; }; - users.users = optionalAttrs (cfg.user == "unit") (singleton { - name = "unit"; - group = cfg.group; - }); + users.users = optionalAttrs (cfg.user == "unit") { + unit.group = cfg.group; + isSystemUser = true; + }; + + users.groups = optionalAttrs (cfg.group == "unit") { + unit = { }; + }; - users.groups = optionalAttrs (cfg.group == "unit") (singleton { - name = "unit"; - }); }; } diff --git a/nixpkgs/nixos/modules/services/web-servers/uwsgi.nix b/nixpkgs/nixos/modules/services/web-servers/uwsgi.nix index 0131ad30333e..a80e1f11f67c 100644 --- a/nixpkgs/nixos/modules/services/web-servers/uwsgi.nix +++ b/nixpkgs/nixos/modules/services/web-servers/uwsgi.nix @@ -5,10 +5,6 @@ with lib; let cfg = config.services.uwsgi; - uwsgi = pkgs.uwsgi.override { - plugins = cfg.plugins; - }; - buildCfg = name: c: let plugins = @@ -23,8 +19,8 @@ let python = if hasPython2 && hasPython3 then throw "`plugins` attribute in UWSGI configuration shouldn't contain both python2 and python3" - else if hasPython2 then uwsgi.python2 - else if hasPython3 then uwsgi.python3 + else if hasPython2 then cfg.package.python2 + else if hasPython3 then cfg.package.python3 else null; pythonEnv = python.withPackages (c.pythonPackages or (self: [])); @@ -77,6 +73,11 @@ in { description = "Where uWSGI communication sockets can live"; }; + package = mkOption { + type = types.package; + internal = true; + }; + instance = mkOption { type = types.attrs; default = { @@ -138,7 +139,7 @@ in { ''; serviceConfig = { Type = "notify"; - ExecStart = "${uwsgi}/bin/uwsgi --uid ${cfg.user} --gid ${cfg.group} --json ${buildCfg "server" cfg.instance}/server.json"; + ExecStart = "${cfg.package}/bin/uwsgi --uid ${cfg.user} --gid ${cfg.group} --json ${buildCfg "server" cfg.instance}/server.json"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID"; NotifyAccess = "main"; @@ -146,15 +147,19 @@ in { }; }; - users.users = optionalAttrs (cfg.user == "uwsgi") (singleton - { name = "uwsgi"; + users.users = optionalAttrs (cfg.user == "uwsgi") { + uwsgi = { group = cfg.group; uid = config.ids.uids.uwsgi; - }); + }; + }; + + users.groups = optionalAttrs (cfg.group == "uwsgi") { + uwsgi.gid = config.ids.gids.uwsgi; + }; - users.groups = optionalAttrs (cfg.group == "uwsgi") (singleton - { name = "uwsgi"; - gid = config.ids.gids.uwsgi; - }); + services.uwsgi.package = pkgs.uwsgi.override { + inherit (cfg) plugins; + }; }; } diff --git a/nixpkgs/nixos/modules/services/web-servers/varnish/default.nix b/nixpkgs/nixos/modules/services/web-servers/varnish/default.nix index 63f967185c2d..01fe3d12917a 100644 --- a/nixpkgs/nixos/modules/services/web-servers/varnish/default.nix +++ b/nixpkgs/nixos/modules/services/web-servers/varnish/default.nix @@ -15,8 +15,8 @@ in package = mkOption { type = types.package; - default = pkgs.varnish5; - defaultText = "pkgs.varnish5"; + default = pkgs.varnish; + defaultText = "pkgs.varnish"; description = '' The package to use ''; @@ -48,7 +48,7 @@ in extraModules = mkOption { type = types.listOf types.package; default = []; - example = literalExample "[ pkgs.varnish5Packages.geoip ]"; + example = literalExample "[ pkgs.varnishPackages.geoip ]"; description = " Varnish modules (except 'std'). "; diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/cde.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/cde.nix new file mode 100644 index 000000000000..c1b6d3bf064a --- /dev/null +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/cde.nix @@ -0,0 +1,55 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + xcfg = config.services.xserver; + cfg = xcfg.desktopManager.cde; +in { + options.services.xserver.desktopManager.cde = { + enable = mkEnableOption "Common Desktop Environment"; + }; + + config = mkIf (xcfg.enable && cfg.enable) { + services.rpcbind.enable = true; + + services.xinetd.enable = true; + services.xinetd.services = [ + { + name = "cmsd"; + protocol = "udp"; + user = "root"; + server = "${pkgs.cdesktopenv}/opt/dt/bin/rpc.cmsd"; + extraConfig = '' + type = RPC UNLISTED + rpc_number = 100068 + rpc_version = 2-5 + only_from = 127.0.0.1/0 + ''; + } + ]; + + users.groups.mail = {}; + security.wrappers = { + dtmail = { + source = "${pkgs.cdesktopenv}/bin/dtmail"; + group = "mail"; + setgid = true; + }; + }; + + system.activationScripts.setup-cde = '' + mkdir -p /var/dt/{tmp,appconfig/appmanager} + chmod a+w+t /var/dt/{tmp,appconfig/appmanager} + ''; + + services.xserver.desktopManager.session = [ + { name = "CDE"; + start = '' + exec ${pkgs.cdesktopenv}/opt/dt/bin/Xsession + ''; + }]; + }; + + meta.maintainers = [ maintainers.gnidorah ]; +} diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/default.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/default.nix index dfb84113e130..970fa620c6b6 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/default.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/default.nix @@ -18,9 +18,9 @@ in # determines the default: later modules (if enabled) are preferred. # E.g., if Plasma 5 is enabled, it supersedes xterm. imports = [ - ./none.nix ./xterm.nix ./xfce.nix ./xfce4-14.nix ./plasma5.nix ./lumina.nix + ./none.nix ./xterm.nix ./xfce.nix ./plasma5.nix ./lumina.nix ./lxqt.nix ./enlightenment.nix ./gnome3.nix ./kodi.nix ./maxx.nix - ./mate.nix ./pantheon.nix ./surf-display.nix + ./mate.nix ./pantheon.nix ./surf-display.nix ./cde.nix ]; options = { @@ -86,23 +86,14 @@ in }; default = mkOption { - type = types.str; - default = ""; + type = types.nullOr types.str; + default = null; example = "none"; - description = "Default desktop manager loaded if none have been chosen."; - apply = defaultDM: - if defaultDM == "" && cfg.session.list != [] then - (head cfg.session.list).name - else if any (w: w.name == defaultDM) cfg.session.list then - defaultDM - else - builtins.trace '' - Default desktop manager (${defaultDM}) not found at evaluation time. - These are the known valid session names: - ${concatMapStringsSep "\n " (w: "services.xserver.desktopManager.default = \"${w.name}\";") cfg.session.list} - It's also possible the default can be found in one of these packages: - ${concatMapStringsSep "\n " (p: p.name) config.services.xserver.displayManager.extraSessionFilePackages} - '' defaultDM; + description = '' + <emphasis role="strong">Deprecated</emphasis>, please use <xref linkend="opt-services.xserver.displayManager.defaultSession"/> instead. + + Default desktop manager loaded if none have been chosen. + ''; }; }; diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix index 3745069f6eaf..26b662a2a643 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -16,6 +16,10 @@ let in { + imports = [ + (mkRenamedOptionModule [ "services" "xserver" "desktopManager" "e19" "enable" ] [ "services" "xserver" "desktopManager" "enlightenment" "enable" ]) + ]; + options = { services.xserver.desktopManager.enlightenment.enable = mkOption { @@ -64,10 +68,7 @@ in security.wrappers = (import "${e.enlightenment}/e-wrappers.nix").security.wrappers; - environment.etc = singleton - { source = xcfg.xkbDir; - target = "X11/xkb"; - }; + environment.etc."X11/xkb".source = xcfg.xkbDir; fonts.fonts = [ pkgs.dejavu_fonts pkgs.ubuntu_font_family ]; diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix index 30c5250221c1..6d9bd284bc72 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix @@ -28,6 +28,12 @@ let (pkg: "cp -rf ${pkg}/share/gsettings-schemas/*/glib-2.0/schemas/*.xml $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas\n") (defaultPackages ++ cfg.extraGSettingsOverridePackages)} + cp -f ${pkgs.gnome3.gnome-shell}/share/gsettings-schemas/*/glib-2.0/schemas/*.gschema.override $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas + + ${optionalString flashbackEnabled '' + cp -f ${pkgs.gnome3.gnome-flashback}/share/gsettings-schemas/*/glib-2.0/schemas/*.gschema.override $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas + ''} + chmod -R a+w $out/share/gsettings-schemas/nixos-gsettings-overrides cat - > $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas/nixos-defaults.gschema.override <<- EOF [org.gnome.desktop.background] @@ -138,7 +144,7 @@ in services.gnome3.core-shell.enable = true; services.gnome3.core-utilities.enable = mkDefault true; - services.xserver.displayManager.extraSessionFilePackages = [ pkgs.gnome3.gnome-session ]; + services.xserver.displayManager.sessionPackages = [ pkgs.gnome3.gnome-session ]; environment.extraInit = '' ${concatMapStrings (p: '' @@ -155,17 +161,17 @@ in environment.systemPackages = cfg.sessionPath; - environment.variables.GNOME_SESSION_DEBUG = mkIf cfg.debug "1"; + environment.sessionVariables.GNOME_SESSION_DEBUG = mkIf cfg.debug "1"; # Override GSettings schemas - environment.variables.NIX_GSETTINGS_OVERRIDES_DIR = "${nixos-gsettings-desktop-schemas}/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas"; + environment.sessionVariables.NIX_GSETTINGS_OVERRIDES_DIR = "${nixos-gsettings-desktop-schemas}/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas"; # If gnome3 is installed, build vim for gtk3 too. nixpkgs.config.vim.gui = "gtk3"; }) (mkIf flashbackEnabled { - services.xserver.displayManager.extraSessionFilePackages = map + services.xserver.displayManager.sessionPackages = map (wm: pkgs.gnome3.gnome-flashback.mkSessionForWm { inherit (wm) wmName wmLabel wmCommand; }) (optional cfg.flashback.enableMetacity { @@ -178,6 +184,13 @@ in enableGnomeKeyring = true; }; + systemd.packages = with pkgs.gnome3; [ + gnome-flashback + ] ++ (map + (wm: gnome-flashback.mkSystemdTargetForWm { + inherit (wm) wmName; + }) cfg.flashback.customSessions); + services.dbus.packages = [ pkgs.gnome3.gnome-screensaver ]; @@ -209,16 +222,14 @@ in networking.networkmanager.enable = mkDefault true; - # Use the correct gnome3 packageSet - networking.networkmanager.basePackages = { - inherit (pkgs) networkmanager modemmanager wpa_supplicant crda; - inherit (pkgs.gnome3) networkmanager-openvpn networkmanager-vpnc - networkmanager-openconnect networkmanager-fortisslvpn - networkmanager-iodine networkmanager-l2tp; - }; - services.xserver.updateDbusEnvironment = true; + # gnome has a custom alert theme but it still + # inherits from the freedesktop theme. + environment.systemPackages = with pkgs; [ + sound-theme-freedesktop + ]; + # Needed for themes and backgrounds environment.pathsToLink = [ "/share" # TODO: https://github.com/NixOS/nixpkgs/issues/47173 @@ -229,6 +240,7 @@ in services.colord.enable = mkDefault true; services.gnome3.chrome-gnome-shell.enable = mkDefault true; services.gnome3.glib-networking.enable = true; + services.gnome3.gnome-initial-setup.enable = mkDefault true; services.gnome3.gnome-remote-desktop.enable = mkDefault true; services.gnome3.gnome-settings-daemon.enable = true; services.gnome3.gnome-user-share.enable = mkDefault true; @@ -236,7 +248,8 @@ in services.gvfs.enable = true; services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); services.telepathy.enable = mkDefault true; - systemd.packages = [ pkgs.gnome3.vino ]; + + systemd.packages = with pkgs.gnome3; [ vino gnome-session ]; services.avahi.enable = mkDefault true; @@ -265,6 +278,26 @@ in source-sans-pro ]; + ## Enable soft realtime scheduling, only supported on wayland ## + + security.wrappers.".gnome-shell-wrapped" = { + source = "${pkgs.gnome3.gnome-shell}/bin/.gnome-shell-wrapped"; + capabilities = "cap_sys_nice=ep"; + }; + + systemd.user.services.gnome-shell-wayland = let + gnomeShellRT = with pkgs.gnome3; pkgs.runCommand "gnome-shell-rt" {} '' + mkdir -p $out/bin/ + cp ${gnome-shell}/bin/gnome-shell $out/bin + sed -i "s@${gnome-shell}/bin/@${config.security.wrapperDir}/@" $out/bin/gnome-shell + ''; + in { + # Note we need to clear ExecStart before overriding it + serviceConfig.ExecStart = ["" "${gnomeShellRT}/bin/gnome-shell"]; + # Do not use the default environment, it provides a broken PATH + environment = mkForce {}; + }; + # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-32/elements/core/meta-gnome-core-shell.bst environment.systemPackages = with pkgs.gnome3; [ adwaita-icon-theme @@ -276,7 +309,7 @@ in gnome-shell gnome-shell-extensions gnome-themes-extra - gnome-user-docs + pkgs.gnome-user-docs pkgs.orca pkgs.glib # for gsettings pkgs.gnome-menus @@ -329,10 +362,10 @@ in # Let nautilus find extensions # TODO: Create nautilus-with-extensions package - environment.variables.NAUTILUS_EXTENSION_DIR = "${config.system.path}/lib/nautilus/extensions-3.0"; + environment.sessionVariables.NAUTILUS_EXTENSION_DIR = "${config.system.path}/lib/nautilus/extensions-3.0"; # Override default mimeapps for nautilus - environment.variables.XDG_DATA_DIRS = [ "${mimeAppsList}/share" ]; + environment.sessionVariables.XDG_DATA_DIRS = [ "${mimeAppsList}/share" ]; environment.pathsToLink = [ "/share/nautilus-python/extensions" diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix index 4563583e0704..4a6f2ca727d9 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix @@ -85,6 +85,7 @@ in pkgs.gtk3.out pkgs.shared-mime-info pkgs.xdg-user-dirs # Update user dirs as described in https://freedesktop.org/wiki/Software/xdg-user-dirs/ + pkgs.mate.mate-settings-daemon ]; programs.dconf.enable = true; @@ -97,8 +98,7 @@ in services.gnome3.at-spi2-core.enable = true; services.gnome3.gnome-keyring.enable = true; - services.gnome3.gnome-settings-daemon.enable = true; - services.gnome3.gnome-settings-daemon.package = pkgs.mate.mate-settings-daemon; + services.udev.packages = [ pkgs.mate.mate-settings-daemon ]; services.gvfs.enable = true; services.upower.enable = config.powerManagement.enable; diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix index d80ea9a53e80..b46a2d189ef9 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix @@ -5,6 +5,7 @@ with lib; let cfg = config.services.xserver.desktopManager.pantheon; + serviceCfg = config.services.pantheon; nixos-gsettings-desktop-schemas = pkgs.pantheon.elementary-gsettings-schemas.override { extraGSettingsOverridePackages = cfg.extraGSettingsOverridePackages; @@ -19,6 +20,16 @@ in options = { + services.pantheon = { + + contractor = { + enable = mkEnableOption "contractor, a desktop-wide extension service used by Pantheon"; + }; + + apps.enable = mkEnableOption "Pantheon default applications"; + + }; + services.xserver.desktopManager.pantheon = { enable = mkOption { type = types.bool; @@ -41,6 +52,18 @@ in ]; }; + extraWingpanelIndicators = mkOption { + default = null; + type = with types; nullOr (listOf package); + description = "Indicators to add to Wingpanel."; + }; + + extraSwitchboardPlugs = mkOption { + default = null; + type = with types; nullOr (listOf package); + description = "Plugs to add to Switchboard."; + }; + extraGSettingsOverrides = mkOption { default = ""; type = types.lines; @@ -67,128 +90,88 @@ in }; - config = mkIf cfg.enable { + config = mkMerge [ + (mkIf cfg.enable { - services.xserver.displayManager.extraSessionFilePackages = [ pkgs.pantheon.elementary-session-settings ]; + services.xserver.displayManager.sessionPackages = [ pkgs.pantheon.elementary-session-settings ]; - # Ensure lightdm is used when Pantheon is enabled - # Without it screen locking will be nonfunctional because of the use of lightlocker + # Ensure lightdm is used when Pantheon is enabled + # Without it screen locking will be nonfunctional because of the use of lightlocker + warnings = optional (config.services.xserver.displayManager.lightdm.enable != true) + '' + Using Pantheon without LightDM as a displayManager will break screenlocking from the UI. + ''; - warnings = optional (config.services.xserver.displayManager.lightdm.enable != true) - '' - Using Pantheon without LightDM as a displayManager will break screenlocking from the UI. + services.xserver.displayManager.lightdm.greeters.pantheon.enable = mkDefault true; + + # Without this, elementary LightDM greeter will pre-select non-existent `default` session + # https://github.com/elementary/greeter/issues/368 + services.xserver.displayManager.defaultSession = "pantheon"; + + services.xserver.displayManager.sessionCommands = '' + if test "$XDG_CURRENT_DESKTOP" = "Pantheon"; then + ${concatMapStrings (p: '' + if [ -d "${p}/share/gsettings-schemas/${p.name}" ]; then + export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${p}/share/gsettings-schemas/${p.name} + fi + + if [ -d "${p}/lib/girepository-1.0" ]; then + export GI_TYPELIB_PATH=$GI_TYPELIB_PATH''${GI_TYPELIB_PATH:+:}${p}/lib/girepository-1.0 + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}${p}/lib + fi + '') cfg.sessionPath} + fi ''; - services.xserver.displayManager.lightdm.greeters.pantheon.enable = mkDefault true; - - # If not set manually Pantheon session cannot be started - # Known issue of https://github.com/NixOS/nixpkgs/pull/43992 - services.xserver.desktopManager.default = mkForce "pantheon"; - - services.xserver.displayManager.sessionCommands = '' - if test "$XDG_CURRENT_DESKTOP" = "Pantheon"; then - ${concatMapStrings (p: '' - if [ -d "${p}/share/gsettings-schemas/${p.name}" ]; then - export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${p}/share/gsettings-schemas/${p.name} - fi - - if [ -d "${p}/lib/girepository-1.0" ]; then - export GI_TYPELIB_PATH=$GI_TYPELIB_PATH''${GI_TYPELIB_PATH:+:}${p}/lib/girepository-1.0 - export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}${p}/lib - fi - '') cfg.sessionPath} - fi - ''; - - hardware.bluetooth.enable = mkDefault true; - hardware.pulseaudio.enable = mkDefault true; - security.polkit.enable = true; - services.accounts-daemon.enable = true; - services.bamf.enable = true; - services.colord.enable = mkDefault true; - services.pantheon.files.enable = mkDefault true; - services.tumbler.enable = mkDefault true; - services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); - services.dbus.packages = [ - pkgs.pantheon.switchboard-plug-power - ]; - services.pantheon.contractor.enable = mkDefault true; - services.gnome3.at-spi2-core.enable = true; - services.gnome3.evolution-data-server.enable = true; - services.gnome3.glib-networking.enable = true; - # TODO: gnome-keyring's xdg autostarts will still be in the environment (from elementary-session-settings) if disabled forcefully - services.gnome3.gnome-keyring.enable = true; - services.gnome3.gnome-settings-daemon.enable = true; - services.gnome3.gnome-settings-daemon.package = pkgs.pantheon.elementary-settings-daemon; - services.gvfs.enable = true; - services.gnome3.rygel.enable = mkDefault true; - services.gsignond.enable = mkDefault true; - services.gsignond.plugins = with pkgs.gsignondPlugins; [ lastfm mail oauth ]; - services.udisks2.enable = true; - services.upower.enable = config.powerManagement.enable; - services.xserver.libinput.enable = mkDefault true; - services.xserver.updateDbusEnvironment = true; - services.zeitgeist.enable = mkDefault true; - services.geoclue2.enable = mkDefault true; - # pantheon has pantheon-agent-geoclue2 - services.geoclue2.enableDemoAgent = false; - services.geoclue2.appConfig."io.elementary.desktop.agent-geoclue2" = { - isAllowed = true; - isSystem = true; - }; - - programs.dconf.enable = true; - programs.evince.enable = mkDefault true; - programs.file-roller.enable = mkDefault true; - # Otherwise you can't store NetworkManager Secrets with - # "Store the password only for this user" - programs.nm-applet.enable = true; - - # Shell integration for VTE terminals - programs.bash.vteIntegration = mkDefault true; - programs.zsh.vteIntegration = mkDefault true; - - # Harmonize Qt5 applications under Pantheon - qt5.enable = true; - qt5.platformTheme = "gnome"; - qt5.style = "adwaita"; - - networking.networkmanager.enable = mkDefault true; - networking.networkmanager.basePackages = - { inherit (pkgs) networkmanager modemmanager wpa_supplicant crda; - inherit (pkgs.gnome3) networkmanager-openvpn networkmanager-vpnc - networkmanager-openconnect networkmanager-fortisslvpn - networkmanager-iodine networkmanager-l2tp; }; - - # Override GSettings schemas - environment.sessionVariables.NIX_GSETTINGS_OVERRIDES_DIR = "${nixos-gsettings-desktop-schemas}/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas"; - - environment.sessionVariables.GNOME_SESSION_DEBUG = optionalString cfg.debug "1"; - - # Settings from elementary-default-settings - environment.sessionVariables.GTK_CSD = "1"; - environment.sessionVariables.GTK_MODULES = "pantheon-filechooser-module"; - environment.etc."gtk-3.0/settings.ini".source = "${pkgs.pantheon.elementary-default-settings}/etc/gtk-3.0/settings.ini"; - - environment.pathsToLink = [ - # FIXME: modules should link subdirs of `/share` rather than relying on this - "/share" - ]; - - environment.systemPackages = - pkgs.pantheon.artwork ++ pkgs.pantheon.desktop ++ pkgs.pantheon.services ++ cfg.sessionPath - ++ (with pkgs; gnome3.removePackagesByName - ([ - gnome3.geary - gnome3.epiphany - gnome3.gnome-font-viewer - ] ++ pantheon.apps) config.environment.pantheon.excludePackages) - ++ (with pkgs; - [ - adwaita-qt + # Default services + hardware.bluetooth.enable = mkDefault true; + hardware.pulseaudio.enable = mkDefault true; + security.polkit.enable = true; + services.accounts-daemon.enable = true; + services.bamf.enable = true; + services.colord.enable = mkDefault true; + services.tumbler.enable = mkDefault true; + services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); + services.dbus.packages = with pkgs.pantheon; [ + switchboard-plug-power + elementary-default-settings # accountsservice extensions + ]; + services.pantheon.apps.enable = mkDefault true; + services.pantheon.contractor.enable = mkDefault true; + services.gnome3.at-spi2-core.enable = true; + services.gnome3.evolution-data-server.enable = true; + services.gnome3.glib-networking.enable = true; + services.gnome3.gnome-keyring.enable = true; + services.gvfs.enable = true; + services.gnome3.rygel.enable = mkDefault true; + services.gsignond.enable = mkDefault true; + services.gsignond.plugins = with pkgs.gsignondPlugins; [ lastfm mail oauth ]; + services.udisks2.enable = true; + services.upower.enable = config.powerManagement.enable; + services.xserver.libinput.enable = mkDefault true; + services.xserver.updateDbusEnvironment = true; + services.zeitgeist.enable = mkDefault true; + services.geoclue2.enable = mkDefault true; + # pantheon has pantheon-agent-geoclue2 + services.geoclue2.enableDemoAgent = false; + services.geoclue2.appConfig."io.elementary.desktop.agent-geoclue2" = { + isAllowed = true; + isSystem = true; + }; + # Use gnome-settings-daemon fork + services.udev.packages = [ + pkgs.pantheon.elementary-settings-daemon + ]; + systemd.packages = [ + pkgs.pantheon.elementary-settings-daemon + ]; + programs.dconf.enable = true; + networking.networkmanager.enable = mkDefault true; + + # Global environment + environment.systemPackages = with pkgs; [ desktop-file-utils glib - glib-networking gnome-menus gnome3.adwaita-icon-theme gtk3.out @@ -200,19 +183,111 @@ in shared-mime-info sound-theme-freedesktop xdg-user-dirs - ]); + ] ++ (with pkgs.pantheon; [ + # Artwork + elementary-gtk-theme + elementary-icon-theme + elementary-sound-theme + elementary-wallpapers + + # Desktop + elementary-default-settings + elementary-session-settings + elementary-shortcut-overlay + gala + (switchboard-with-plugs.override { + plugs = cfg.extraSwitchboardPlugs; + }) + (wingpanel-with-indicators.override { + indicators = cfg.extraWingpanelIndicators; + }) + + # Services + cerbere + elementary-capnet-assist + elementary-dpms-helper + elementary-settings-daemon + pantheon-agent-geoclue2 + pantheon-agent-polkit + ]) ++ (gnome3.removePackagesByName [ + gnome3.geary + gnome3.epiphany + gnome3.gnome-font-viewer + ] config.environment.pantheon.excludePackages); - fonts.fonts = with pkgs; [ - open-sans - roboto-mono - pantheon.elementary-redacted-script # needed by screenshot-tool - ]; + programs.evince.enable = mkDefault true; + programs.file-roller.enable = mkDefault true; - fonts.fontconfig.defaultFonts = { - monospace = [ "Roboto Mono" ]; - sansSerif = [ "Open Sans" ]; - }; + # Settings from elementary-default-settings + environment.sessionVariables.GTK_CSD = "1"; + environment.sessionVariables.GTK3_MODULES = [ "pantheon-filechooser-module" ]; + environment.etc."gtk-3.0/settings.ini".source = "${pkgs.pantheon.elementary-default-settings}/etc/gtk-3.0/settings.ini"; - }; + # Override GSettings schemas + environment.sessionVariables.NIX_GSETTINGS_OVERRIDES_DIR = "${nixos-gsettings-desktop-schemas}/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas"; + environment.sessionVariables.GNOME_SESSION_DEBUG = mkIf cfg.debug "1"; + + environment.pathsToLink = [ + # FIXME: modules should link subdirs of `/share` rather than relying on this + "/share" + ]; + + # Otherwise you can't store NetworkManager Secrets with + # "Store the password only for this user" + programs.nm-applet.enable = true; + + # Shell integration for VTE terminals + programs.bash.vteIntegration = mkDefault true; + programs.zsh.vteIntegration = mkDefault true; + + # Harmonize Qt5 applications under Pantheon + qt5.enable = true; + qt5.platformTheme = "gnome"; + qt5.style = "adwaita"; + + # Default Fonts + fonts.fonts = with pkgs; [ + open-sans + roboto-mono + ]; + + fonts.fontconfig.defaultFonts = { + monospace = [ "Roboto Mono" ]; + sansSerif = [ "Open Sans" ]; + }; + }) + + (mkIf serviceCfg.apps.enable { + environment.systemPackages = (with pkgs.pantheon; pkgs.gnome3.removePackagesByName [ + elementary-calculator + elementary-calendar + elementary-camera + elementary-code + elementary-files + elementary-music + elementary-photos + elementary-screenshot-tool + elementary-terminal + elementary-videos + ] config.environment.pantheon.excludePackages); + + # needed by screenshot-tool + fonts.fonts = [ + pkgs.pantheon.elementary-redacted-script + ]; + }) + + (mkIf serviceCfg.contractor.enable { + environment.systemPackages = with pkgs.pantheon; [ + contractor + extra-elementary-contracts + ]; + + environment.pathsToLink = [ + "/share/contractor" + ]; + }) + + ]; } diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix index b10755df4dc2..2538858ac0f7 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -27,20 +27,14 @@ in example = "vlc"; description = "Phonon audio backend to install."; }; - - enableQt4Support = mkOption { - type = types.bool; - default = true; - description = '' - Enable support for Qt 4-based applications. Particularly, install a - default backend for Phonon. - ''; - }; - }; }; + imports = [ + (mkRemovedOptionModule [ "services" "xserver" "desktopManager" "plasma5" "enableQt4Support" ] "Phonon no longer supports Qt 4.") + (mkRenamedOptionModule [ "services" "xserver" "desktopManager" "kde5" ] [ "services" "xserver" "desktopManager" "plasma5" ]) + ]; config = mkMerge [ (mkIf cfg.enable { @@ -173,27 +167,23 @@ in # Phonon audio backend ++ lib.optional (cfg.phononBackend == "gstreamer") libsForQt5.phonon-backend-gstreamer - ++ lib.optional (cfg.phononBackend == "gstreamer" && cfg.enableQt4Support) pkgs.phonon-backend-gstreamer ++ lib.optional (cfg.phononBackend == "vlc") libsForQt5.phonon-backend-vlc - ++ lib.optional (cfg.phononBackend == "vlc" && cfg.enableQt4Support) pkgs.phonon-backend-vlc # Optional hardware support features - ++ lib.optionals config.hardware.bluetooth.enable [ bluedevil bluez-qt ] + ++ lib.optionals config.hardware.bluetooth.enable [ bluedevil bluez-qt openobex obexftp ] ++ lib.optional config.networking.networkmanager.enable plasma-nm ++ lib.optional config.hardware.pulseaudio.enable plasma-pa ++ lib.optional config.powerManagement.enable powerdevil ++ lib.optional config.services.colord.enable colord-kde - ++ lib.optionals config.services.samba.enable [ kdenetwork-filesharing pkgs.samba ]; + ++ lib.optionals config.services.samba.enable [ kdenetwork-filesharing pkgs.samba ] + ++ lib.optional config.services.xserver.wacom.enable wacomtablet; environment.pathsToLink = [ # FIXME: modules should link subdirs of `/share` rather than relying on this "/share" ]; - environment.etc = singleton { - source = xcfg.xkbDir; - target = "X11/xkb"; - }; + environment.etc."X11/xkb".source = xcfg.xkbDir; # Enable GTK applications to load SVG icons services.xserver.gdk-pixbuf.modulePackages = [ pkgs.librsvg ]; @@ -231,7 +221,6 @@ in security.pam.services.kdm.enableKwallet = true; security.pam.services.lightdm.enableKwallet = true; security.pam.services.sddm.enableKwallet = true; - security.pam.services.slim.enableKwallet = true; xdg.portal.enable = true; xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-kde ]; diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/surf-display.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/surf-display.nix index 140dde828daa..9aeb0bbd2a88 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/surf-display.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/surf-display.nix @@ -118,7 +118,7 @@ in { }; config = mkIf cfg.enable { - services.xserver.displayManager.extraSessionFilePackages = [ + services.xserver.displayManager.sessionPackages = [ pkgs.surf-display ]; diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix index 6965c6d26467..a08b1947f65b 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix @@ -7,6 +7,33 @@ let in { + + imports = [ + # added 2019-08-18 + # needed to preserve some semblance of UI familarity + # with original XFCE module + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "xfce4-14" "extraSessionCommands" ] + [ "services" "xserver" "displayManager" "sessionCommands" ]) + + # added 2019-11-04 + # xfce4-14 module removed and promoted to xfce. + # Needed for configs that used xfce4-14 module to migrate to this one. + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "xfce4-14" "enable" ] + [ "services" "xserver" "desktopManager" "xfce" "enable" ]) + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "xfce4-14" "noDesktop" ] + [ "services" "xserver" "desktopManager" "xfce" "noDesktop" ]) + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "xfce4-14" "enableXfwm" ] + [ "services" "xserver" "desktopManager" "xfce" "enableXfwm" ]) + (mkRenamedOptionModule + [ "services" "xserver" "desktopManager" "xfce" "extraSessionCommands" ] + [ "services" "xserver" "displayManager" "sessionCommands" ]) + (mkRemovedOptionModule [ "services" "xserver" "desktopManager" "xfce" "screenLock" ] "") + ]; + options = { services.xserver.desktopManager.xfce = { enable = mkOption { @@ -30,14 +57,6 @@ in description = "Don't install XFCE desktop components (xfdesktop, panel and notification daemon)."; }; - extraSessionCommands = mkOption { - default = ""; - type = types.lines; - description = '' - Shell commands executed just before XFCE is started. - ''; - }; - enableXfwm = mkOption { type = types.bool; default = true; @@ -48,76 +67,101 @@ in config = mkIf cfg.enable { environment.systemPackages = with pkgs.xfce // pkgs; [ - # Get GTK themes and gtk-update-icon-cache - gtk2.out + glib # for gsettings + gtk3.out # gtk-update-icon-cache - # Supplies some abstract icons such as: - # utilities-terminal, accessories-text-editor + gnome3.gnome-themes-extra gnome3.adwaita-icon-theme - hicolor-icon-theme tango-icon-theme xfce4-icon-theme + desktop-file-utils + shared-mime-info # for update-mime-database + + # For a polkit authentication agent + polkit_gnome + # Needed by Xfce's xinitrc script - # TODO: replace with command -v - which + xdg-user-dirs # Update user dirs as described in https://freedesktop.org/wiki/Software/xdg-user-dirs/ exo garcon - gtk-xfce-engine libxfce4ui - tumbler xfconf mousepad + parole ristretto xfce4-appfinder xfce4-screenshooter xfce4-session xfce4-settings + xfce4-taskmanager xfce4-terminal (thunar.override { thunarPlugins = cfg.thunarPlugins; }) - thunar-volman # TODO: drop - ] ++ (if config.hardware.pulseaudio.enable - then [ xfce4-mixer-pulse xfce4-volumed-pulse ] - else [ xfce4-mixer xfce4-volumed ]) - # TODO: NetworkManager doesn't belong here - ++ optionals config.networking.networkmanager.enable [ networkmanagerapplet ] - ++ optionals config.powerManagement.enable [ xfce4-power-manager ] - ++ optionals cfg.enableXfwm [ xfwm4 ] - ++ optionals (!cfg.noDesktop) [ - xfce4-panel + ] # TODO: NetworkManager doesn't belong here + ++ optional config.networking.networkmanager.enable networkmanagerapplet + ++ optional config.powerManagement.enable xfce4-power-manager + ++ optionals config.hardware.pulseaudio.enable [ + pavucontrol + # volume up/down keys support: + # xfce4-pulseaudio-plugin includes all the functionalities of xfce4-volumed-pulse + # but can only be used with xfce4-panel, so for no-desktop usage we still include + # xfce4-volumed-pulse + (if cfg.noDesktop then xfce4-volumed-pulse else xfce4-pulseaudio-plugin) + ] ++ optionals cfg.enableXfwm [ + xfwm4 + xfwm4-themes + ] ++ optionals (!cfg.noDesktop) [ xfce4-notifyd + xfce4-panel xfdesktop ]; environment.pathsToLink = [ "/share/xfce4" - "/share/themes" - "/share/gtksourceview-2.0" + "/lib/xfce4" + "/share/gtksourceview-3.0" + "/share/gtksourceview-4.0" ]; - services.xserver.gdk-pixbuf.modulePackages = [ pkgs.librsvg ]; - services.xserver.desktopManager.session = [{ name = "xfce"; bgSupport = true; start = '' - ${cfg.extraSessionCommands} - - ${pkgs.runtimeShell} ${pkgs.xfce.xinitrc} & + ${pkgs.runtimeShell} ${pkgs.xfce.xfce4-session.xinitrc} & waitPID=$! ''; }]; services.xserver.updateDbusEnvironment = true; + services.xserver.gdk-pixbuf.modulePackages = [ pkgs.librsvg ]; # Enable helpful DBus services. services.udisks2.enable = true; + security.polkit.enable = true; + services.accounts-daemon.enable = true; services.upower.enable = config.powerManagement.enable; + services.gnome3.glib-networking.enable = true; services.gvfs.enable = true; services.gvfs.package = pkgs.xfce.gvfs; + services.tumbler.enable = true; + services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); + services.xserver.libinput.enable = mkDefault true; # used in xfce4-settings-manager + + # Enable default programs + programs.dconf.enable = true; + + # Shell integration for VTE terminals + programs.bash.vteIntegration = mkDefault true; + programs.zsh.vteIntegration = mkDefault true; + + # Systemd services + systemd.packages = with pkgs.xfce; [ + (thunar.override { thunarPlugins = cfg.thunarPlugins; }) + ] ++ optional (!cfg.noDesktop) xfce4-notifyd; + }; } diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce4-14.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce4-14.nix deleted file mode 100644 index 130e865a1fb4..000000000000 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce4-14.nix +++ /dev/null @@ -1,156 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.xserver.desktopManager.xfce4-14; -in - -{ - # added 2019-08-18 - # needed to preserve some semblance of UI familarity - # with original XFCE module - imports = [ - (mkRenamedOptionModule - [ "services" "xserver" "desktopManager" "xfce4-14" "extraSessionCommands" ] - [ "services" "xserver" "displayManager" "sessionCommands" ]) - ]; - - options = { - services.xserver.desktopManager.xfce4-14 = { - enable = mkOption { - type = types.bool; - default = false; - description = "Enable the Xfce desktop environment."; - }; - - # TODO: support thunar plugins - # thunarPlugins = mkOption { - # default = []; - # type = types.listOf types.package; - # example = literalExample "[ pkgs.xfce4-14.thunar-archive-plugin ]"; - # description = '' - # A list of plugin that should be installed with Thunar. - # ''; - # }; - - noDesktop = mkOption { - type = types.bool; - default = false; - description = "Don't install XFCE desktop components (xfdesktop, panel and notification daemon)."; - }; - - enableXfwm = mkOption { - type = types.bool; - default = true; - description = "Enable the XFWM (default) window manager."; - }; - }; - }; - - config = mkIf cfg.enable { - environment.systemPackages = with pkgs.xfce4-14 // pkgs; [ - glib # for gsettings - gtk3.out # gtk-update-icon-cache - - gnome3.gnome-themes-extra - gnome3.adwaita-icon-theme - hicolor-icon-theme - tango-icon-theme - xfce4-icon-theme - - desktop-file-utils - shared-mime-info # for update-mime-database - - # For a polkit authentication agent - polkit_gnome - - # Needed by Xfce's xinitrc script - xdg-user-dirs # Update user dirs as described in https://freedesktop.org/wiki/Software/xdg-user-dirs/ - - exo - garcon - libxfce4ui - xfconf - - mousepad - parole - ristretto - xfce4-appfinder - xfce4-screenshooter - xfce4-session - xfce4-settings - xfce4-taskmanager - xfce4-terminal - - # TODO: resync patch for plugins - #(thunar.override { thunarPlugins = cfg.thunarPlugins; }) - thunar - ] # TODO: NetworkManager doesn't belong here - ++ optional config.networking.networkmanager.enable networkmanagerapplet - ++ optional config.powerManagement.enable xfce4-power-manager - ++ optionals config.hardware.pulseaudio.enable [ - pavucontrol - xfce4-pulseaudio-plugin - ] ++ optionals cfg.enableXfwm [ - xfwm4 - xfwm4-themes - ] ++ optionals (!cfg.noDesktop) [ - xfce4-notifyd - xfce4-panel - xfdesktop - ]; - - environment.pathsToLink = [ - "/share/xfce4" - "/lib/xfce4" - "/share/gtksourceview-3.0" - "/share/gtksourceview-4.0" - ]; - - # Use the correct gnome3 packageSet - networking.networkmanager.basePackages = mkIf config.networking.networkmanager.enable { - inherit (pkgs) networkmanager modemmanager wpa_supplicant crda; - inherit (pkgs.gnome3) networkmanager-openvpn networkmanager-vpnc - networkmanager-openconnect networkmanager-fortisslvpn - networkmanager-iodine networkmanager-l2tp; - }; - - services.xserver.desktopManager.session = [{ - name = "xfce4-14"; - bgSupport = true; - start = '' - ${pkgs.runtimeShell} ${pkgs.xfce4-14.xinitrc} & - waitPID=$! - ''; - }]; - - services.xserver.updateDbusEnvironment = true; - services.xserver.gdk-pixbuf.modulePackages = [ pkgs.librsvg ]; - - # Enable helpful DBus services. - services.udisks2.enable = true; - security.polkit.enable = true; - services.accounts-daemon.enable = true; - services.upower.enable = config.powerManagement.enable; - services.gnome3.glib-networking.enable = true; - services.gvfs.enable = true; - services.gvfs.package = pkgs.xfce.gvfs; - services.tumbler.enable = true; - services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); - services.xserver.libinput.enable = mkDefault true; # used in xfce4-settings-manager - - # Enable default programs - programs.dconf.enable = true; - - # Shell integration for VTE terminals - programs.bash.vteIntegration = mkDefault true; - programs.zsh.vteIntegration = mkDefault true; - - # Systemd services - systemd.packages = with pkgs.xfce4-14; [ - thunar - ] ++ optional (!cfg.noDesktop) xfce4-notifyd; - - }; -} diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/account-service-util.nix b/nixpkgs/nixos/modules/services/x11/display-managers/account-service-util.nix new file mode 100644 index 000000000000..1dbe703b5662 --- /dev/null +++ b/nixpkgs/nixos/modules/services/x11/display-managers/account-service-util.nix @@ -0,0 +1,39 @@ +{ accountsservice +, glib +, gobject-introspection +, python3 +, wrapGAppsHook +}: + +python3.pkgs.buildPythonApplication { + name = "set-session"; + + format = "other"; + + src = ./set-session.py; + + dontUnpack = true; + + strictDeps = false; + + nativeBuildInputs = [ + wrapGAppsHook + gobject-introspection + ]; + + buildInputs = [ + accountsservice + glib + ]; + + propagatedBuildInputs = with python3.pkgs; [ + pygobject3 + ordered-set + ]; + + installPhase = '' + mkdir -p $out/bin + cp $src $out/bin/set-session + chmod +x $out/bin/set-session + ''; +} diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/default.nix b/nixpkgs/nixos/modules/services/x11/display-managers/default.nix index bf6b048654b3..1efd07393765 100644 --- a/nixpkgs/nixos/modules/services/x11/display-managers/default.nix +++ b/nixpkgs/nixos/modules/services/x11/display-managers/default.nix @@ -1,9 +1,9 @@ # This module declares the options to define a *display manager*, the -# program responsible for handling X logins (such as xdm, gdb, or -# SLiM). The display manager allows the user to select a *session -# type*. When the user logs in, the display manager starts the +# program responsible for handling X logins (such as LightDM, GDM, or SDDM). +# The display manager allows the user to select a *session +# type*. When the user logs in, the display manager starts the # *session script* ("xsession" below) to launch the selected session -# type. The session type defines two things: the *desktop manager* +# type. The session type defines two things: the *desktop manager* # (e.g., KDE, Gnome or a plain xterm), and optionally the *window # manager* (e.g. kwin or twm). @@ -27,16 +27,7 @@ let Xft.hintstyle: hintslight ''; - mkCases = session: - concatStrings ( - mapAttrsToList (name: starts: '' - (${name}) - ${concatMapStringsSep "\n " (n: n.start) starts} - ;; - '') (lib.groupBy (n: n.name) session) - ); - - # file provided by services.xserver.displayManager.session.wrapper + # file provided by services.xserver.displayManager.sessionData.wrapper xsessionWrapper = pkgs.writeScript "xsession-wrapper" '' #! ${pkgs.bash}/bin/bash @@ -116,99 +107,47 @@ let # Run the supplied session command. Remove any double quotes with eval. eval exec "$@" else - # Fall back to the default window/desktopManager - exec ${cfg.displayManager.session.script} + # TODO: Do we need this? Should not the session always exist? + echo "error: unknown session $1" 1>&2 + exit 1 fi ''; - # file provided by services.xserver.displayManager.session.script - xsession = wm: dm: pkgs.writeScript "xsession" - '' - #! ${pkgs.bash}/bin/bash - - # Legacy session script used to construct .desktop files from - # `services.xserver.displayManager.session` entries. Called from - # `sessionWrapper`. - - # Expected parameters: - # $1 = <desktop-manager>+<window-manager> - - # The first argument of this script is the session type. - sessionType="$1" - if [ "$sessionType" = default ]; then sessionType=""; fi - - # The session type is "<desktop-manager>+<window-manager>", so - # extract those (see: - # http://wiki.bash-hackers.org/syntax/pe#substring_removal). - windowManager="''${sessionType##*+}" - : ''${windowManager:=${cfg.windowManager.default}} - desktopManager="''${sessionType%%+*}" - : ''${desktopManager:=${cfg.desktopManager.default}} - - # Start the window manager. - case "$windowManager" in - ${mkCases wm} - (*) echo "$0: Window manager '$windowManager' not found.";; - esac - - # Start the desktop manager. - case "$desktopManager" in - ${mkCases dm} - (*) echo "$0: Desktop manager '$desktopManager' not found.";; - esac - - ${optionalString cfg.updateDbusEnvironment '' - ${lib.getBin pkgs.dbus}/bin/dbus-update-activation-environment --systemd --all - ''} - - test -n "$waitPID" && wait "$waitPID" - - ${config.systemd.package}/bin/systemctl --user stop graphical-session.target - - exit 0 - ''; - - # Desktop Entry Specification: - # - https://standards.freedesktop.org/desktop-entry-spec/latest/ - # - https://standards.freedesktop.org/desktop-entry-spec/latest/ar01s06.html - mkDesktops = names: pkgs.runCommand "desktops" + installedSessions = pkgs.runCommand "desktops" { # trivial derivation preferLocalBuild = true; allowSubstitutes = false; } '' - mkdir -p "$out/share/xsessions" - ${concatMapStrings (n: '' - cat - > "$out/share/xsessions/${n}.desktop" << EODESKTOP - [Desktop Entry] - Version=1.0 - Type=XSession - TryExec=${cfg.displayManager.session.script} - Exec=${cfg.displayManager.session.script} "${n}" - Name=${n} - Comment= - EODESKTOP - '') names} + mkdir -p "$out/share/"{xsessions,wayland-sessions} ${concatMapStrings (pkg: '' + for n in ${concatStringsSep " " pkg.providedSessions}; do + if ! test -f ${pkg}/share/wayland-sessions/$n.desktop -o \ + -f ${pkg}/share/xsessions/$n.desktop; then + echo "Couldn't find provided session name, $n.desktop, in session package ${pkg.name}:" + echo " ${pkg}" + return 1 + fi + done + if test -d ${pkg}/share/xsessions; then ${xorg.lndir}/bin/lndir ${pkg}/share/xsessions $out/share/xsessions fi - '') cfg.displayManager.extraSessionFilePackages} - - - ${concatMapStrings (pkg: '' if test -d ${pkg}/share/wayland-sessions; then - mkdir -p "$out/share/wayland-sessions" ${xorg.lndir}/bin/lndir ${pkg}/share/wayland-sessions $out/share/wayland-sessions fi - '') cfg.displayManager.extraSessionFilePackages} + '') cfg.displayManager.sessionPackages} ''; + dmDefault = cfg.desktopManager.default; + wmDefault = cfg.windowManager.default; + + defaultSessionFromLegacyOptions = concatStringsSep "+" (filter (s: s != null) ([ dmDefault ] ++ optional (wmDefault != "none") wmDefault)); + in { - options = { services.xserver.displayManager = { @@ -263,11 +202,24 @@ in ''; }; - extraSessionFilePackages = mkOption { - type = types.listOf types.package; + sessionPackages = mkOption { + type = with types; listOf (package // { + description = "package with provided sessions"; + check = p: assertMsg + (package.check p && p ? providedSessions + && p.providedSessions != [] && all isString p.providedSessions) + '' + Package, '${p.name}', did not specify any session names, as strings, in + 'passthru.providedSessions'. This is required when used as a session package. + + The session names can be looked up in: + ${p}/share/xsessions + ${p}/share/wayland-sessions + ''; + }); default = []; description = '' - A list of packages containing xsession files to be passed to the display manager. + A list of packages containing x11 or wayland session files to be passed to the display manager. ''; }; @@ -298,18 +250,50 @@ in inside the display manager with the desktop manager name followed by the window manager name. ''; - apply = list: rec { - wm = filter (s: s.manage == "window") list; - dm = filter (s: s.manage == "desktop") list; - names = flip concatMap dm - (d: map (w: d.name + optionalString (w.name != "none") ("+" + w.name)) - (filter (w: d.name != "none" || w.name != "none") wm)); - desktops = mkDesktops names; - script = xsession wm dm; + }; + + sessionData = mkOption { + description = "Data exported for display managers’ convenience"; + internal = true; + default = {}; + apply = val: { wrapper = xsessionWrapper; + desktops = installedSessions; + sessionNames = concatMap (p: p.providedSessions) cfg.displayManager.sessionPackages; + # We do not want to force users to set defaultSession when they have only single DE. + autologinSession = + if cfg.displayManager.defaultSession != null then + cfg.displayManager.defaultSession + else if cfg.displayManager.sessionData.sessionNames != [] then + head cfg.displayManager.sessionData.sessionNames + else + null; }; }; + defaultSession = mkOption { + type = with types; nullOr str // { + description = "session name"; + check = d: + assertMsg (d != null -> (str.check d && elem d cfg.displayManager.sessionData.sessionNames)) '' + Default graphical session, '${d}', not found. + Valid names for 'services.xserver.displayManager.defaultSession' are: + ${concatStringsSep "\n " cfg.displayManager.sessionData.sessionNames} + ''; + }; + default = + if dmDefault != null || wmDefault != null then + defaultSessionFromLegacyOptions + else + null; + example = "gnome"; + description = '' + Graphical session to pre-select in the session chooser (only effective for GDM and LightDM). + + On GDM, LightDM and SDDM, it will also be used as a session for auto-login. + ''; + }; + job = { preStart = mkOption { @@ -322,7 +306,7 @@ in execCmd = mkOption { type = types.str; example = literalExample '' - "''${pkgs.slim}/bin/slim" + "''${pkgs.lightdm}/bin/lightdm" ''; description = "Command to start the display manager."; }; @@ -330,7 +314,6 @@ in environment = mkOption { type = types.attrsOf types.unspecified; default = {}; - example = { SLIM_CFGFILE = "/etc/slim.conf"; }; description = "Additional environment variables needed by the display manager."; }; @@ -359,6 +342,27 @@ in }; config = { + assertions = [ + { + assertion = cfg.desktopManager.default != null || cfg.windowManager.default != null -> cfg.displayManager.defaultSession == defaultSessionFromLegacyOptions; + message = "You cannot use both services.xserver.displayManager.defaultSession option and legacy options (services.xserver.desktopManager.default and services.xserver.windowManager.default)."; + } + ]; + + warnings = + mkIf (dmDefault != null || wmDefault != null) [ + '' + The following options are deprecated: + ${concatStringsSep "\n " (map ({c, t}: t) (filter ({c, t}: c != null) [ + { c = dmDefault; t = "- services.xserver.desktopManager.default"; } + { c = wmDefault; t = "- services.xserver.windowManager.default"; } + ]))} + Please use + services.xserver.displayManager.defaultSession = "${concatStringsSep "+" (filter (s: s != null) [ dmDefault wmDefault ])}"; + instead. + '' + ]; + services.xserver.displayManager.xserverBin = "${xorg.xorgserver.out}/bin/X"; systemd.user.targets.graphical-session = { @@ -367,11 +371,75 @@ in StopWhenUnneeded = false; }; }; + + # Create desktop files and scripts for starting sessions for WMs/DMs + # that do not have upstream session files (those defined using services.{display,desktop,window}Manager.session options). + services.xserver.displayManager.sessionPackages = + let + dms = filter (s: s.manage == "desktop") cfg.displayManager.session; + wms = filter (s: s.manage == "window") cfg.displayManager.session; + + # Script responsible for starting the window manager and the desktop manager. + xsession = dm: wm: pkgs.writeScript "xsession" '' + #! ${pkgs.bash}/bin/bash + + # Legacy session script used to construct .desktop files from + # `services.xserver.displayManager.session` entries. Called from + # `sessionWrapper`. + + # Start the window manager. + ${wm.start} + + # Start the desktop manager. + ${dm.start} + + ${optionalString cfg.updateDbusEnvironment '' + ${lib.getBin pkgs.dbus}/bin/dbus-update-activation-environment --systemd --all + ''} + + test -n "$waitPID" && wait "$waitPID" + + ${config.systemd.package}/bin/systemctl --user stop graphical-session.target + + exit 0 + ''; + in + # We will generate every possible pair of WM and DM. + concatLists ( + crossLists + (dm: wm: let + sessionName = "${dm.name}${optionalString (wm.name != "none") ("+" + wm.name)}"; + script = xsession dm wm; + in + optional (dm.name != "none" || wm.name != "none") + (pkgs.writeTextFile { + name = "${sessionName}-xsession"; + destination = "/share/xsessions/${sessionName}.desktop"; + # Desktop Entry Specification: + # - https://standards.freedesktop.org/desktop-entry-spec/latest/ + # - https://standards.freedesktop.org/desktop-entry-spec/latest/ar01s06.html + text = '' + [Desktop Entry] + Version=1.0 + Type=XSession + TryExec=${script} + Exec=${script} + Name=${sessionName} + ''; + } // { + providedSessions = [ sessionName ]; + }) + ) + [dms wms] + ); }; imports = [ - (mkRemovedOptionModule [ "services" "xserver" "displayManager" "desktopManagerHandlesLidAndPower" ] + (mkRemovedOptionModule [ "services" "xserver" "displayManager" "desktopManagerHandlesLidAndPower" ] "The option is no longer necessary because all display managers have already delegated lid management to systemd.") + (mkRenamedOptionModule [ "services" "xserver" "displayManager" "job" "logsXsession" ] [ "services" "xserver" "displayManager" "job" "logToFile" ]) + (mkRenamedOptionModule [ "services" "xserver" "displayManager" "logToJournal" ] [ "services" "xserver" "displayManager" "job" "logToJournal" ]) + (mkRenamedOptionModule [ "services" "xserver" "displayManager" "extraSessionFilesPackages" ] [ "services" "xserver" "displayManager" "sessionPackages" ]) ]; } diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix b/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix index 0a5d52e319ec..2f8c8cc90137 100644 --- a/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix +++ b/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix @@ -31,6 +31,9 @@ let load-module module-position-event-sounds ''; + defaultSessionName = config.services.xserver.displayManager.defaultSession; + + setSessionScript = pkgs.callPackage ./account-service-util.nix { }; in { @@ -42,10 +45,7 @@ in services.xserver.displayManager.gdm = { enable = mkEnableOption '' - GDM as the display manager. - <emphasis>GDM in NixOS is not well-tested with desktops other - than GNOME, so use with caution, as it could render the - system unusable.</emphasis> + GDM, the GNOME Display Manager ''; debug = mkEnableOption '' @@ -91,11 +91,21 @@ in wayland = mkOption { default = true; description = '' - Allow GDM run on Wayland instead of Xserver + Allow GDM to run on Wayland instead of Xserver. + Note to enable Wayland with Nvidia you need to + enable the <option>nvidiaWayland</option>. ''; type = types.bool; }; + nvidiaWayland = mkOption { + default = false; + description = '' + Whether to allow wayland to be used with the proprietary + NVidia graphics driver. + ''; + }; + autoSuspend = mkOption { default = true; description = '' @@ -141,7 +151,7 @@ in environment = { GDM_X_SERVER_EXTRA_ARGS = toString (filter (arg: arg != "-terminate") cfg.xserverArgs); - XDG_DATA_DIRS = "${cfg.session.desktops}/share/"; + XDG_DATA_DIRS = "${cfg.sessionData.desktops}/share/"; } // optionalAttrs (xSessionWrapper != null) { # Make GDM use this wrapper before running the session, which runs the # configured setupCommands. This relies on a patched GDM which supports @@ -149,19 +159,43 @@ in GDM_X_SESSION_WRAPPER = "${xSessionWrapper}"; }; execCmd = "exec ${gdm}/bin/gdm"; - preStart = optionalString config.hardware.pulseaudio.enable '' - mkdir -p /run/gdm/.config/pulse - ln -sf ${pulseConfig} /run/gdm/.config/pulse/default.pa - chown -R gdm:gdm /run/gdm/.config + preStart = optionalString (defaultSessionName != null) '' + # Set default session in session chooser to a specified values – basically ignore session history. + ${setSessionScript}/bin/set-session ${cfg.sessionData.autologinSession} ''; }; - # Because sd_login_monitor_new requires /run/systemd/machines - systemd.services.display-manager.wants = [ "systemd-machined.service" ]; + systemd.tmpfiles.rules = [ + "d /run/gdm/.config 0711 gdm gdm -" + ] ++ optionals config.hardware.pulseaudio.enable [ + "L+ /run/gdm/.config/pulse - - - - ${pulseConfig}" + ] ++ optionals config.services.gnome3.gnome-initial-setup.enable [ + # Create stamp file for gnome-initial-setup to prevent it starting in GDM. + "f /run/gdm/.config/gnome-initial-setup-done 0711 gdm gdm - yes" + ]; + + systemd.services.display-manager.wants = [ + # Because sd_login_monitor_new requires /run/systemd/machines + "systemd-machined.service" + # setSessionScript wants AccountsService + "accounts-daemon.service" + ]; + systemd.services.display-manager.after = [ "rc-local.service" "systemd-machined.service" "systemd-user-sessions.service" + "getty@tty${gdm.initialVT}.service" + "plymouth-quit.service" + "plymouth-start.service" + ]; + systemd.services.display-manager.conflicts = [ + "getty@tty${gdm.initialVT}.service" + # TODO: Add "plymouth-quit.service" so GDM can control when plymouth quits. + # Currently this breaks switching configurations while using plymouth. + ]; + systemd.services.display-manager.onFailure = [ + "plymouth-quit.service" ]; systemd.services.display-manager.serviceConfig = { @@ -171,6 +205,9 @@ in BusName = "org.gnome.DisplayManager"; StandardOutput = "syslog"; StandardError = "inherit"; + ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID"; + KeyringMode = "shared"; + EnvironmentFile = "-/etc/locale.conf"; }; systemd.services.display-manager.path = [ pkgs.gnome3.gnome-session ]; @@ -180,6 +217,19 @@ in services.dbus.packages = [ gdm ]; + # We duplicate upstream's udev rules manually to make wayland with nvidia configurable + services.udev.extraRules = '' + # disable Wayland on Cirrus chipsets + ATTR{vendor}=="0x1013", ATTR{device}=="0x00b8", ATTR{subsystem_vendor}=="0x1af4", ATTR{subsystem_device}=="0x1100", RUN+="${gdm}/libexec/gdm-disable-wayland" + # disable Wayland on Hi1710 chipsets + ATTR{vendor}=="0x19e5", ATTR{device}=="0x1711", RUN+="${gdm}/libexec/gdm-disable-wayland" + ${optionalString (!cfg.gdm.nvidiaWayland) '' + DRIVER=="nvidia", RUN+="${gdm}/libexec/gdm-disable-wayland" + ''} + # disable Wayland when modesetting is disabled + IMPORT{cmdline}="nomodeset", RUN+="${gdm}/libexec/gdm-disable-wayland" + ''; + systemd.user.services.dbus.wantedBy = [ "default.target" ]; programs.dconf.profiles.gdm = @@ -201,7 +251,7 @@ in customDconfDb = pkgs.stdenv.mkDerivation { name = "gdm-dconf-db"; buildCommand = '' - ${pkgs.gnome3.dconf}/bin/dconf compile $out ${customDconf}/dconf + ${pkgs.dconf}/bin/dconf compile $out ${customDconf}/dconf ''; }; in pkgs.stdenv.mkDerivation { @@ -246,7 +296,7 @@ in ${optionalString cfg.gdm.debug "Enable=true"} ''; - environment.etc."gdm/Xsession".source = config.services.xserver.displayManager.session.wrapper; + environment.etc."gdm/Xsession".source = config.services.xserver.displayManager.sessionData.wrapper; # GDM LFS PAM modules, adapted somehow to NixOS security.pam.services = { diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix b/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix index fa9445af32e7..0025f9b36037 100644 --- a/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix +++ b/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix @@ -53,9 +53,8 @@ in Whether to enable lightdm-mini-greeter as the lightdm greeter. Note that this greeter starts only the default X session. - You can configure the default X session by - <option>services.xserver.desktopManager.default</option> and - <option>services.xserver.windowManager.default</option>. + You can configure the default X session using + <xref linkend="opt-services.xserver.displayManager.defaultSession"/>. ''; }; diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix b/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix index 29cb6ccbc06b..77c94114e6d9 100644 --- a/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix +++ b/nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix @@ -35,6 +35,9 @@ in name = "io.elementary.greeter"; }; + # Show manual login card. + services.xserver.displayManager.lightdm.extraSeatDefaults = "greeter-show-manual-login=true"; + environment.etc."lightdm/io.elementary.greeter.conf".source = "${pkgs.pantheon.elementary-greeter}/etc/lightdm/io.elementary.greeter.conf"; environment.etc."wingpanel.d/io.elementary.greeter.whitelist".source = "${pkgs.pantheon.elementary-default-settings}/etc/wingpanel.d/io.elementary.greeter.whitelist"; diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix b/nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix index f105cb496e68..f7face0adb7e 100644 --- a/nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix +++ b/nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix @@ -8,10 +8,9 @@ let dmcfg = xcfg.displayManager; xEnv = config.systemd.services.display-manager.environment; cfg = dmcfg.lightdm; + sessionData = dmcfg.sessionData; - dmDefault = xcfg.desktopManager.default; - wmDefault = xcfg.windowManager.default; - hasDefaultUserSession = dmDefault != "none" || wmDefault != "none"; + setSessionScript = pkgs.callPackage ./account-service-util.nix { }; inherit (pkgs) lightdm writeScript writeText; @@ -45,22 +44,19 @@ let greeter-user = ${config.users.users.lightdm.name} greeters-directory = ${cfg.greeter.package} ''} - sessions-directory = ${dmcfg.session.desktops}/share/xsessions + sessions-directory = ${dmcfg.sessionData.desktops}/share/xsessions:${dmcfg.sessionData.desktops}/share/wayland-sessions ${cfg.extraConfig} [Seat:*] xserver-command = ${xserverWrapper} - session-wrapper = ${dmcfg.session.wrapper} + session-wrapper = ${dmcfg.sessionData.wrapper} ${optionalString cfg.greeter.enable '' greeter-session = ${cfg.greeter.name} ''} ${optionalString cfg.autoLogin.enable '' autologin-user = ${cfg.autoLogin.user} autologin-user-timeout = ${toString cfg.autoLogin.timeout} - autologin-session = ${defaultSessionName} - ''} - ${optionalString hasDefaultUserSession '' - user-session=${defaultSessionName} + autologin-session = ${sessionData.autologinSession} ''} ${optionalString (dmcfg.setupCommands != "") '' display-setup-script=${pkgs.writeScript "lightdm-display-setup" '' @@ -71,7 +67,6 @@ let ${cfg.extraSeatDefaults} ''; - defaultSessionName = dmDefault + optionalString (wmDefault != "none") ("+" + wmDefault); in { # Note: the order in which lightdm greeter modules are imported @@ -199,11 +194,9 @@ in LightDM auto-login requires services.xserver.displayManager.lightdm.autoLogin.user to be set ''; } - { assertion = cfg.autoLogin.enable -> dmDefault != "none" || wmDefault != "none"; + { assertion = cfg.autoLogin.enable -> sessionData.autologinSession != null; message = '' - LightDM auto-login requires that services.xserver.desktopManager.default and - services.xserver.windowManager.default are set to valid values. The current - default session: ${defaultSessionName} is not valid. + LightDM auto-login requires that services.xserver.displayManager.defaultSession is set. ''; } { assertion = !cfg.greeter.enable -> (cfg.autoLogin.enable && cfg.autoLogin.timeout == 0); @@ -214,12 +207,63 @@ in } ]; + # Set default session in session chooser to a specified values – basically ignore session history. + # Auto-login is already covered by a config value. + services.xserver.displayManager.job.preStart = optionalString (!cfg.autoLogin.enable && dmcfg.defaultSession != null) '' + ${setSessionScript}/bin/set-session ${dmcfg.defaultSession} + ''; + + # setSessionScript needs session-files in XDG_DATA_DIRS + services.xserver.displayManager.job.environment.XDG_DATA_DIRS = "${dmcfg.sessionData.desktops}/share/"; + + # setSessionScript wants AccountsService + systemd.services.display-manager.wants = [ + "accounts-daemon.service" + ]; + # lightdm relaunches itself via just `lightdm`, so needs to be on the PATH services.xserver.displayManager.job.execCmd = '' export PATH=${lightdm}/sbin:$PATH exec ${lightdm}/sbin/lightdm ''; + # Replaces getty + systemd.services.display-manager.conflicts = [ + "getty@tty7.service" + # TODO: Add "plymouth-quit.service" so LightDM can control when plymouth + # quits. Currently this breaks switching to configurations with plymouth. + ]; + + # Pull in dependencies of services we replace. + systemd.services.display-manager.after = [ + "rc-local.service" + "systemd-machined.service" + "systemd-user-sessions.service" + "getty@tty7.service" + "user.slice" + ]; + + # user.slice needs to be present + systemd.services.display-manager.requires = [ + "user.slice" + ]; + + # lightdm stops plymouth so when it fails make sure plymouth stops. + systemd.services.display-manager.onFailure = [ + "plymouth-quit.service" + ]; + + systemd.services.display-manager.serviceConfig = { + BusName = "org.freedesktop.DisplayManager"; + IgnoreSIGPIPE = "no"; + # This allows lightdm to pass the LUKS password through to PAM. + # login keyring is unlocked automatic when autologin is used. + KeyringMode = "shared"; + KillMode = "mixed"; + StandardError = "inherit"; + StandardOutput = "syslog"; + }; + environment.etc."lightdm/lightdm.conf".source = lightdmConf; environment.etc."lightdm/users.conf".source = usersConf; diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/sddm.nix b/nixpkgs/nixos/modules/services/x11/display-managers/sddm.nix index 8847acb0c604..4224c557ed63 100644 --- a/nixpkgs/nixos/modules/services/x11/display-managers/sddm.nix +++ b/nixpkgs/nixos/modules/services/x11/display-managers/sddm.nix @@ -14,7 +14,7 @@ let xserverWrapper = pkgs.writeScript "xserver-wrapper" '' #!/bin/sh ${concatMapStrings (n: "export ${n}=\"${getAttr n xEnv}\"\n") (attrNames xEnv)} - exec systemd-cat ${dmcfg.xserverBin} ${toString dmcfg.xserverArgs} "$@" + exec systemd-cat -t xserver-wrapper ${dmcfg.xserverBin} ${toString dmcfg.xserverArgs} "$@" ''; Xsetup = pkgs.writeScript "Xsetup" '' @@ -50,8 +50,8 @@ let MinimumVT=${toString (if xcfg.tty != null then xcfg.tty else 7)} ServerPath=${xserverWrapper} XephyrPath=${pkgs.xorg.xorgserver.out}/bin/Xephyr - SessionCommand=${dmcfg.session.wrapper} - SessionDir=${dmcfg.session.desktops}/share/xsessions + SessionCommand=${dmcfg.sessionData.wrapper} + SessionDir=${dmcfg.sessionData.desktops}/share/xsessions XauthPath=${pkgs.xorg.xauth}/bin/xauth DisplayCommand=${Xsetup} DisplayStopCommand=${Xstop} @@ -59,26 +59,27 @@ let [Wayland] EnableHidpi=${if cfg.enableHidpi then "true" else "false"} - SessionDir=${dmcfg.session.desktops}/share/wayland-sessions + SessionDir=${dmcfg.sessionData.desktops}/share/wayland-sessions ${optionalString cfg.autoLogin.enable '' [Autologin] User=${cfg.autoLogin.user} - Session=${defaultSessionName}.desktop + Session=${autoLoginSessionName}.desktop Relogin=${boolToString cfg.autoLogin.relogin} ''} ${cfg.extraConfig} ''; - defaultSessionName = - let - dm = xcfg.desktopManager.default; - wm = xcfg.windowManager.default; - in dm + optionalString (wm != "none") ("+" + wm); + autoLoginSessionName = dmcfg.sessionData.autologinSession; in { + imports = [ + (mkRemovedOptionModule [ "services" "xserver" "displayManager" "sddm" "themes" ] + "Set the option `services.xserver.displayManager.sddm.package' instead.") + ]; + options = { services.xserver.displayManager.sddm = { @@ -205,11 +206,9 @@ in SDDM auto-login requires services.xserver.displayManager.sddm.autoLogin.user to be set ''; } - { assertion = cfg.autoLogin.enable -> elem defaultSessionName dmcfg.session.names; + { assertion = cfg.autoLogin.enable -> autoLoginSessionName != null; message = '' - SDDM auto-login requires that services.xserver.desktopManager.default and - services.xserver.windowManager.default are set to valid values. The current - default session: ${defaultSessionName} is not valid. + SDDM auto-login requires that services.xserver.displayManager.defaultSession is set. ''; } ]; diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/set-session.py b/nixpkgs/nixos/modules/services/x11/display-managers/set-session.py new file mode 100755 index 000000000000..0cca80af44e8 --- /dev/null +++ b/nixpkgs/nixos/modules/services/x11/display-managers/set-session.py @@ -0,0 +1,86 @@ +#!/usr/bin/env python + +import gi, argparse, os, logging, sys + +gi.require_version("AccountsService", "1.0") +from gi.repository import AccountsService, GLib +from ordered_set import OrderedSet + + +def get_session_file(session): + system_data_dirs = GLib.get_system_data_dirs() + + session_dirs = OrderedSet( + os.path.join(data_dir, session) + for data_dir in system_data_dirs + for session in {"wayland-sessions", "xsessions"} + ) + + session_files = OrderedSet( + os.path.join(dir, session + ".desktop") + for dir in session_dirs + if os.path.exists(os.path.join(dir, session + ".desktop")) + ) + + # Deal with duplicate wayland-sessions and xsessions. + # Needed for the situation in gnome-session, where there's + # a xsession named the same as a wayland session. + if any(map(is_session_wayland, session_files)): + session_files = OrderedSet( + session for session in session_files if is_session_wayland(session) + ) + else: + session_files = OrderedSet( + session for session in session_files if is_session_xsession(session) + ) + + if len(session_files) == 0: + logging.warning("No session files are found.") + sys.exit(0) + else: + return session_files[0] + + +def is_session_xsession(session_file): + return "/xsessions/" in session_file + + +def is_session_wayland(session_file): + return "/wayland-sessions/" in session_file + + +def main(): + parser = argparse.ArgumentParser( + description="Set session type for all normal users." + ) + parser.add_argument("session", help="Name of session to set.") + + args = parser.parse_args() + + session = getattr(args, "session") + session_file = get_session_file(session) + + user_manager = AccountsService.UserManager.get_default() + users = user_manager.list_users() + + for user in users: + if user.is_system_account(): + continue + else: + if is_session_wayland(session_file): + logging.debug( + f"Setting session name: {session}, as we found the existing wayland-session: {session_file}" + ) + user.set_session(session) + elif is_session_xsession(session_file): + logging.debug( + f"Setting session name: {session}, as we found the existing xsession: {session_file}" + ) + user.set_x_session(session) + else: + logging.error(f"Couldn't figure out session type for {session_file}") + sys.exit(1) + + +if __name__ == "__main__": + main() diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/slim.nix b/nixpkgs/nixos/modules/services/x11/display-managers/slim.nix index 124660a43f07..4b0948a5b7a5 100644 --- a/nixpkgs/nixos/modules/services/x11/display-managers/slim.nix +++ b/nixpkgs/nixos/modules/services/x11/display-managers/slim.nix @@ -2,155 +2,15 @@ with lib; -let - - dmcfg = config.services.xserver.displayManager; - - cfg = dmcfg.slim; - - slimConfig = pkgs.writeText "slim.cfg" - '' - xauth_path ${dmcfg.xauthBin} - default_xserver ${dmcfg.xserverBin} - xserver_arguments ${toString dmcfg.xserverArgs} - sessiondir ${dmcfg.session.desktops}/share/xsessions - login_cmd exec ${pkgs.runtimeShell} ${dmcfg.session.wrapper} "%session" - halt_cmd ${config.systemd.package}/sbin/shutdown -h now - reboot_cmd ${config.systemd.package}/sbin/shutdown -r now - logfile /dev/stderr - ${optionalString (cfg.defaultUser != null) ("default_user " + cfg.defaultUser)} - ${optionalString (cfg.defaultUser != null) ("focus_password yes")} - ${optionalString cfg.autoLogin "auto_login yes"} - ${optionalString (cfg.consoleCmd != null) "console_cmd ${cfg.consoleCmd}"} - ${cfg.extraConfig} - ''; - - # Unpack the SLiM theme, or use the default. - slimThemesDir = - let - unpackedTheme = pkgs.runCommand "slim-theme" { preferLocalBuild = true; } - '' - mkdir -p $out - cd $out - unpackFile ${cfg.theme} - ln -s * default - ''; - in if cfg.theme == null then "${pkgs.slim}/share/slim/themes" else unpackedTheme; - -in - { - - ###### interface - - options = { - - services.xserver.displayManager.slim = { - - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable SLiM as the display manager. - ''; - }; - - theme = mkOption { - type = types.nullOr types.path; - default = pkgs.fetchurl { - url = "https://github.com/jagajaga/nixos-slim-theme/archive/2.0.tar.gz"; - sha256 = "0lldizhigx7bjhxkipii87y432hlf5wdvamnfxrryf9z7zkfypc8"; - }; - defaultText = ''pkgs.fetchurl { - url = "https://github.com/jagajaga/nixos-slim-theme/archive/2.0.tar.gz"; - sha256 = "0lldizhigx7bjhxkipii87y432hlf5wdvamnfxrryf9z7zkfypc8"; - }''; - example = literalExample '' - pkgs.fetchurl { - url = "mirror://sourceforge/slim.berlios/slim-wave.tar.gz"; - sha256 = "0ndr419i5myzcylvxb89m9grl2xyq6fbnyc3lkd711mzlmnnfxdy"; - } - ''; - description = '' - The theme for the SLiM login manager. If not specified, SLiM's - default theme is used. See <link - xlink:href='http://slim.berlios.de/themes01.php'/> for a - collection of themes. TODO: berlios shut down. - ''; - }; - - defaultUser = mkOption { - type = types.nullOr types.str; - default = null; - example = "login"; - description = '' - The default user to load. If you put a username here you - get it automatically loaded into the username field, and - the focus is placed on the password. - ''; - }; - - autoLogin = mkOption { - type = types.bool; - default = false; - description = '' - Automatically log in as the default user. - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Extra configuration options for SLiM login manager. Do not - add options that can be configured directly. - ''; - }; - - consoleCmd = mkOption { - type = types.nullOr types.str; - default = '' - ${pkgs.xterm}/bin/xterm -C -fg white -bg black +sb -T "Console login" -e ${pkgs.shadow}/bin/login - ''; - defaultText = '' - ''${pkgs.xterm}/bin/xterm -C -fg white -bg black +sb -T "Console login" -e ''${pkgs.shadow}/bin/login - ''; - description = '' - The command to run when "console" is given as the username. - ''; - }; - }; - - }; - - - ###### implementation - - config = mkIf cfg.enable { - - services.xserver.displayManager.job = - { environment = - { SLIM_CFGFILE = slimConfig; - SLIM_THEMESDIR = slimThemesDir; - }; - execCmd = "exec ${pkgs.slim}/bin/slim"; - }; - - services.xserver.displayManager.sessionCommands = - '' - # Export the config/themes for slimlock. - export SLIM_THEMESDIR=${slimThemesDir} - ''; - - # Allow null passwords so that the user can login as root on the - # installation CD. - security.pam.services.slim = { allowNullPassword = true; startSession = true; }; - - # Allow slimlock to work. - security.pam.services.slimlock = {}; - - environment.systemPackages = [ pkgs.slim ]; - - }; - + # added 2019-11-11 + imports = [ + (mkRemovedOptionModule [ "services" "xserver" "displayManager" "slim" ] '' + The SLIM project is abandoned and their last release was in 2013. + Because of this it poses a security risk to your system. + Other issues include it not fully supporting systemd and logind sessions. + Please use a different display manager such as LightDM, SDDM, or GDM. + You can also use the startx module which uses Xinitrc. + '') + ]; } diff --git a/nixpkgs/nixos/modules/services/x11/extra-layouts.nix b/nixpkgs/nixos/modules/services/x11/extra-layouts.nix index 1af98a1318bb..f48216ff446f 100644 --- a/nixpkgs/nixos/modules/services/x11/extra-layouts.nix +++ b/nixpkgs/nixos/modules/services/x11/extra-layouts.nix @@ -141,7 +141,7 @@ in }); xkbcomp = super.xorg.xkbcomp.overrideAttrs (old: { - configureFlags = "--with-xkb-config-root=${self.xkb_patched}/share/X11/xkb"; + configureFlags = [ "--with-xkb-config-root=${self.xkb_patched}/share/X11/xkb" ]; }); }; @@ -158,6 +158,12 @@ in }); + environment.sessionVariables = { + # runtime override supported by multiple libraries e. g. libxkbcommon + # https://xkbcommon.org/doc/current/group__include-path.html + XKB_CONFIG_ROOT = "${pkgs.xkb_patched}/etc/X11/xkb"; + }; + services.xserver = { xkbDir = "${pkgs.xkb_patched}/etc/X11/xkb"; exportConfiguration = config.services.xserver.displayManager.startx.enable; diff --git a/nixpkgs/nixos/modules/services/x11/hardware/cmt.nix b/nixpkgs/nixos/modules/services/x11/hardware/cmt.nix index 95353e92098e..5ac824c5e419 100644 --- a/nixpkgs/nixos/modules/services/x11/hardware/cmt.nix +++ b/nixpkgs/nixos/modules/services/x11/hardware/cmt.nix @@ -47,7 +47,12 @@ in { assertions = [ { assertion = !config.services.xserver.libinput.enable; - message = "cmt and libinput are incompatible, you cannot enable both (in services.xserver)."; + message = '' + cmt and libinput are incompatible, meaning you cannot enable them both. + To use cmt you need to disable libinput with `services.xserver.libinput.enable = false` + If you haven't enabled it in configuration.nix, it's enabled by default on a + different xserver module. + ''; } ]; }; diff --git a/nixpkgs/nixos/modules/services/x11/hardware/digimend.nix b/nixpkgs/nixos/modules/services/x11/hardware/digimend.nix new file mode 100644 index 000000000000..a9f5640905aa --- /dev/null +++ b/nixpkgs/nixos/modules/services/x11/hardware/digimend.nix @@ -0,0 +1,43 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.xserver.digimend; + + pkg = config.boot.kernelPackages.digimend; + +in + +{ + + options = { + + services.xserver.digimend = { + + enable = mkOption { + default = false; + description = '' + Whether to enable the digimend drivers for Huion/XP-Pen/etc. tablets. + ''; + }; + + }; + + }; + + + config = mkIf cfg.enable { + + # digimend drivers use xsetwacom and wacom X11 drivers + services.xserver.wacom.enable = true; + + boot.extraModulePackages = [ pkg ]; + + environment.etc."X11/xorg.conf.d/50-digimend.conf".source = + "${pkg}/usr/share/X11/xorg.conf.d/50-digimend.conf"; + + }; + +} diff --git a/nixpkgs/nixos/modules/services/x11/hardware/libinput.nix b/nixpkgs/nixos/modules/services/x11/hardware/libinput.nix index bd289976532b..f6b0e7c09f51 100644 --- a/nixpkgs/nixos/modules/services/x11/hardware/libinput.nix +++ b/nixpkgs/nixos/modules/services/x11/hardware/libinput.nix @@ -122,7 +122,7 @@ in { description = '' Specify the scrolling method: <literal>twofinger</literal>, <literal>edge</literal>, - or <literal>none</literal> + <literal>button</literal>, or <literal>none</literal> ''; }; @@ -198,23 +198,24 @@ in { environment.systemPackages = [ pkgs.xorg.xf86inputlibinput ]; - environment.etc = [ - (let cfgPath = "X11/xorg.conf.d/40-libinput.conf"; in { - source = pkgs.xorg.xf86inputlibinput.out + "/share/" + cfgPath; - target = cfgPath; - }) - ]; + environment.etc = + let cfgPath = "X11/xorg.conf.d/40-libinput.conf"; + in { + ${cfgPath} = { + source = pkgs.xorg.xf86inputlibinput.out + "/share/" + cfgPath; + }; + }; services.udev.packages = [ pkgs.libinput.out ]; services.xserver.config = '' - # Automatically enable the libinput driver for all touchpads. + # General libinput configuration. + # See CONFIGURATION DETAILS section of man:libinput(4). Section "InputClass" Identifier "libinputConfiguration" - MatchIsTouchpad "on" + MatchDriver "libinput" ${optionalString (cfg.dev != null) ''MatchDevicePath "${cfg.dev}"''} - Driver "libinput" Option "AccelProfile" "${cfg.accelProfile}" ${optionalString (cfg.accelSpeed != null) ''Option "AccelSpeed" "${cfg.accelSpeed}"''} ${optionalString (cfg.buttonMapping != null) ''Option "ButtonMapping" "${cfg.buttonMapping}"''} diff --git a/nixpkgs/nixos/modules/services/x11/imwheel.nix b/nixpkgs/nixos/modules/services/x11/imwheel.nix new file mode 100644 index 000000000000..3923df498e79 --- /dev/null +++ b/nixpkgs/nixos/modules/services/x11/imwheel.nix @@ -0,0 +1,68 @@ +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.services.xserver.imwheel; +in + { + options = { + services.xserver.imwheel = { + enable = mkEnableOption "IMWheel service"; + + extraOptions = mkOption { + type = types.listOf types.str; + default = [ "--buttons=45" ]; + example = [ "--debug" ]; + description = '' + Additional command-line arguments to pass to + <command>imwheel</command>. + ''; + }; + + rules = mkOption { + type = types.attrsOf types.str; + default = {}; + example = literalExample '' + ".*" = ''' + None, Up, Button4, 8 + None, Down, Button5, 8 + Shift_L, Up, Shift_L|Button4, 4 + Shift_L, Down, Shift_L|Button5, 4 + Control_L, Up, Control_L|Button4 + Control_L, Down, Control_L|Button5 + '''; + ''; + description = '' + Window class translation rules. + /etc/X11/imwheelrc is generated based on this config + which means this config is global for all users. + See <link xlink:href="http://imwheel.sourceforge.net/imwheel.1.html">offical man pages</link> + for more informations. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.imwheel ]; + + environment.etc."X11/imwheel/imwheelrc".source = + pkgs.writeText "imwheelrc" (concatStringsSep "\n\n" + (mapAttrsToList + (rule: conf: "\"${rule}\"\n${conf}") cfg.rules + )); + + systemd.user.services.imwheel = { + description = "imwheel service"; + wantedBy = [ "graphical-session.target" ]; + partOf = [ "graphical-session.target" ]; + serviceConfig = { + ExecStart = "${pkgs.imwheel}/bin/imwheel " + escapeShellArgs ([ + "--detach" + "--kill" + ] ++ cfg.extraOptions); + ExecStop = "${pkgs.procps}/bin/pkill imwheel"; + Restart = "on-failure"; + }; + }; + }; + } diff --git a/nixpkgs/nixos/modules/services/x11/compton.nix b/nixpkgs/nixos/modules/services/x11/picom.nix index a94a76ff0c0f..e3bd21be73e4 100644 --- a/nixpkgs/nixos/modules/services/x11/compton.nix +++ b/nixpkgs/nixos/modules/services/x11/picom.nix @@ -5,7 +5,7 @@ with builtins; let - cfg = config.services.compton; + cfg = config.services.picom; pairOf = x: with types; addCheck (listOf x) (y: length y == 2); @@ -31,20 +31,24 @@ let (key: value: "${toString key}=${mkValueString value};") v) + " }" - else abort "compton.mkValueString: unexpected type (v = ${v})"; + else abort "picom.mkValueString: unexpected type (v = ${v})"; in "${escape [ sep ] k}${sep}${mkValueString v};") attrs); - configFile = pkgs.writeText "compton.conf" (toConf cfg.settings); + configFile = pkgs.writeText "picom.conf" (toConf cfg.settings); in { - options.services.compton = { + imports = [ + (mkAliasOptionModule [ "services" "compton" ] [ "services" "picom" ]) + ]; + + options.services.picom = { enable = mkOption { type = types.bool; default = false; description = '' - Whether of not to enable Compton as the X.org composite manager. + Whether of not to enable Picom as the X.org composite manager. ''; }; @@ -85,7 +89,7 @@ in { ]; description = '' List of conditions of windows that should not be faded. - See <literal>compton(1)</literal> man page for more examples. + See <literal>picom(1)</literal> man page for more examples. ''; }; @@ -125,7 +129,7 @@ in { ]; description = '' List of conditions of windows that should have no shadow. - See <literal>compton(1)</literal> man page for more examples. + See <literal>picom(1)</literal> man page for more examples. ''; }; @@ -192,7 +196,7 @@ in { apply = x: let res = x != "none"; - msg = "The type of services.compton.vSync has changed to bool:" + msg = "The type of services.picom.vSync has changed to bool:" + " interpreting ${x} as ${boolToString res}"; in if isBool x then x @@ -222,13 +226,13 @@ in { type = loaOf (types.either configTypes (loaOf (types.either configTypes (loaOf configTypes)))); default = {}; description = '' - Additional Compton configuration. + Additional Picom configuration. ''; }; }; config = mkIf cfg.enable { - services.compton.settings = let + services.picom.settings = let # Hard conversion to float, literally lib.toInt but toFloat toFloat = str: let may_be_float = builtins.fromJSON str; @@ -264,8 +268,8 @@ in { refresh-rate = mkDefault cfg.refreshRate; }; - systemd.user.services.compton = { - description = "Compton composite manager"; + systemd.user.services.picom = { + description = "Picom composite manager"; wantedBy = [ "graphical-session.target" ]; partOf = [ "graphical-session.target" ]; @@ -275,13 +279,15 @@ in { }; serviceConfig = { - ExecStart = "${pkgs.compton}/bin/compton --config ${configFile}"; + ExecStart = "${pkgs.picom}/bin/picom --config ${configFile}"; RestartSec = 3; Restart = "always"; }; }; - environment.systemPackages = [ pkgs.compton ]; + environment.systemPackages = [ pkgs.picom ]; }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/x11/unclutter.nix b/nixpkgs/nixos/modules/services/x11/unclutter.nix index 5f16a680050d..2478aaabb799 100644 --- a/nixpkgs/nixos/modules/services/x11/unclutter.nix +++ b/nixpkgs/nixos/modules/services/x11/unclutter.nix @@ -71,4 +71,7 @@ in { serviceConfig.Restart = "always"; }; }; + + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/x11/urxvtd.nix b/nixpkgs/nixos/modules/services/x11/urxvtd.nix index d916fa5bb393..9bfcfa9b065d 100644 --- a/nixpkgs/nixos/modules/services/x11/urxvtd.nix +++ b/nixpkgs/nixos/modules/services/x11/urxvtd.nix @@ -45,4 +45,6 @@ in { environment.variables.RXVT_SOCKET = "/run/user/$(id -u)/urxvtd-socket"; }; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + } diff --git a/nixpkgs/nixos/modules/services/x11/window-managers/cwm.nix b/nixpkgs/nixos/modules/services/x11/window-managers/cwm.nix new file mode 100644 index 000000000000..03375a226bb6 --- /dev/null +++ b/nixpkgs/nixos/modules/services/x11/window-managers/cwm.nix @@ -0,0 +1,23 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.xserver.windowManager.cwm; +in +{ + options = { + services.xserver.windowManager.cwm.enable = mkEnableOption "cwm"; + }; + config = mkIf cfg.enable { + services.xserver.windowManager.session = singleton + { name = "cwm"; + start = + '' + cwm & + waitPID=$! + ''; + }; + environment.systemPackages = [ pkgs.cwm ]; + }; +} diff --git a/nixpkgs/nixos/modules/services/x11/window-managers/default.nix b/nixpkgs/nixos/modules/services/x11/window-managers/default.nix index 2a1f22fa9a4c..04a9fc46628c 100644 --- a/nixpkgs/nixos/modules/services/x11/window-managers/default.nix +++ b/nixpkgs/nixos/modules/services/x11/window-managers/default.nix @@ -11,6 +11,7 @@ in ./2bwm.nix ./afterstep.nix ./bspwm.nix + ./cwm.nix ./dwm.nix ./evilwm.nix ./exwm.nix @@ -58,15 +59,14 @@ in }; default = mkOption { - type = types.str; - default = "none"; + type = types.nullOr types.str; + default = null; example = "wmii"; - description = "Default window manager loaded if none have been chosen."; - apply = defaultWM: - if any (w: w.name == defaultWM) cfg.session then - defaultWM - else - throw "Default window manager (${defaultWM}) not found."; + description = '' + <emphasis role="strong">Deprecated</emphasis>, please use <xref linkend="opt-services.xserver.displayManager.defaultSession"/> instead. + + Default window manager loaded if none have been chosen. + ''; }; }; diff --git a/nixpkgs/nixos/modules/services/x11/window-managers/xmonad.nix b/nixpkgs/nixos/modules/services/x11/window-managers/xmonad.nix index 0e1314122767..30c59b88f82f 100644 --- a/nixpkgs/nixos/modules/services/x11/window-managers/xmonad.nix +++ b/nixpkgs/nixos/modules/services/x11/window-managers/xmonad.nix @@ -86,7 +86,7 @@ in ${xmonadBin} waitPID=$! '' else '' - ${xmonad}/bin/xmonad & + systemd-cat -t xmonad ${xmonad}/bin/xmonad & waitPID=$! ''; }]; diff --git a/nixpkgs/nixos/modules/services/x11/xserver.nix b/nixpkgs/nixos/modules/services/x11/xserver.nix index a8406544a72f..7029919170aa 100644 --- a/nixpkgs/nixos/modules/services/x11/xserver.nix +++ b/nixpkgs/nixos/modules/services/x11/xserver.nix @@ -149,6 +149,8 @@ in [ ./display-managers/default.nix ./window-managers/default.nix ./desktop-managers/default.nix + (mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ] + "See the 16.09 release notes for more information.") ]; @@ -329,9 +331,9 @@ in }; xkbOptions = mkOption { - type = types.str; + type = types.commas; default = "terminate:ctrl_alt_bksp"; - example = "grp:caps_toggle, grp_led:scroll"; + example = "grp:caps_toggle,grp_led:scroll"; description = '' X keyboard options; layout switching goes here. ''; @@ -557,7 +559,6 @@ in default = !( dmconf.auto.enable || dmconf.gdm.enable || dmconf.sddm.enable - || dmconf.slim.enable || dmconf.xpra.enable ); in mkIf (default) true; @@ -589,19 +590,15 @@ in ]; environment.etc = - (optionals cfg.exportConfiguration - [ { source = "${configFile}"; - target = "X11/xorg.conf"; - } + (optionalAttrs cfg.exportConfiguration + { + "X11/xorg.conf".source = "${configFile}"; # -xkbdir command line option does not seems to be passed to xkbcomp. - { source = "${cfg.xkbDir}"; - target = "X11/xkb"; - } - ]) + "X11/xkb".source = "${cfg.xkbDir}"; + }) # localectl looks into 00-keyboard.conf - ++ [ - { - text = '' + //{ + "X11/xorg.conf.d/00-keyboard.conf".text = '' Section "InputClass" Identifier "Keyboard catchall" MatchIsKeyboard "on" @@ -611,16 +608,12 @@ in Option "XkbVariant" "${cfg.xkbVariant}" EndSection ''; - target = "X11/xorg.conf.d/00-keyboard.conf"; } - ] # Needed since 1.18; see https://bugs.freedesktop.org/show_bug.cgi?id=89023#c5 - ++ (let cfgPath = "/X11/xorg.conf.d/10-evdev.conf"; in - [{ - source = xorg.xf86inputevdev.out + "/share" + cfgPath; - target = cfgPath; - }] - ); + // (let cfgPath = "/X11/xorg.conf.d/10-evdev.conf"; in + { + ${cfgPath}.source = xorg.xf86inputevdev.out + "/share" + cfgPath; + }); environment.systemPackages = [ xorg.xorgserver.out diff --git a/nixpkgs/nixos/modules/system/boot/binfmt.nix b/nixpkgs/nixos/modules/system/boot/binfmt.nix index a32c9dc1f2b4..a677ab4cb71a 100644 --- a/nixpkgs/nixos/modules/system/boot/binfmt.nix +++ b/nixpkgs/nixos/modules/system/boot/binfmt.nix @@ -134,6 +134,10 @@ let }; in { + imports = [ + (lib.mkRenamedOptionModule [ "boot" "binfmtMiscRegistrations" ] [ "boot" "binfmt" "registrations" ]) + ]; + options = { boot.binfmt = { registrations = mkOption { diff --git a/nixpkgs/nixos/modules/system/boot/grow-partition.nix b/nixpkgs/nixos/modules/system/boot/grow-partition.nix index 8c9b1502558a..71a86c74772e 100644 --- a/nixpkgs/nixos/modules/system/boot/grow-partition.nix +++ b/nixpkgs/nixos/modules/system/boot/grow-partition.nix @@ -7,6 +7,9 @@ with lib; { + imports = [ + (mkRenamedOptionModule [ "virtualisation" "growPartition" ] [ "boot" "growPartition" ]) + ]; options = { boot.growPartition = mkEnableOption "grow the root partition on boot"; diff --git a/nixpkgs/nixos/modules/system/boot/kernel.nix b/nixpkgs/nixos/modules/system/boot/kernel.nix index 8a309f3bc5fe..6edb9082e75a 100644 --- a/nixpkgs/nixos/modules/system/boot/kernel.nix +++ b/nixpkgs/nixos/modules/system/boot/kernel.nix @@ -256,9 +256,8 @@ in # Create /etc/modules-load.d/nixos.conf, which is read by # systemd-modules-load.service to load required kernel modules. - environment.etc = singleton - { target = "modules-load.d/nixos.conf"; - source = kernelModulesConf; + environment.etc = + { "modules-load.d/nixos.conf".source = kernelModulesConf; }; systemd.services.systemd-modules-load = diff --git a/nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix b/nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix index e13f0421d38f..9a4db84f7b73 100644 --- a/nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix @@ -47,8 +47,8 @@ let grub = f grub; grubTarget = f (grub.grubTarget or ""); shell = "${pkgs.runtimeShell}"; - fullName = (builtins.parseDrvName realGrub.name).name; - fullVersion = (builtins.parseDrvName realGrub.name).version; + fullName = lib.getName realGrub; + fullVersion = lib.getVersion realGrub; grubEfi = f grubEfi; grubTargetEfi = if cfg.efiSupport && (cfg.version == 2) then f (grubEfi.grubTarget or "") else ""; bootPath = args.path; diff --git a/nixpkgs/nixos/modules/system/boot/loader/loader.nix b/nixpkgs/nixos/modules/system/boot/loader/loader.nix index 7fbda9ef0f57..01475f79b9c2 100644 --- a/nixpkgs/nixos/modules/system/boot/loader/loader.nix +++ b/nixpkgs/nixos/modules/system/boot/loader/loader.nix @@ -3,6 +3,11 @@ with lib; { + imports = [ + (mkRenamedOptionModule [ "boot" "loader" "grub" "timeout" ] [ "boot" "loader" "timeout" ]) + (mkRenamedOptionModule [ "boot" "loader" "gummiboot" "timeout" ] [ "boot" "loader" "timeout" ]) + ]; + options = { boot.loader.timeout = mkOption { default = 5; @@ -12,4 +17,4 @@ with lib; ''; }; }; -} \ No newline at end of file +} diff --git a/nixpkgs/nixos/modules/system/boot/loader/raspberrypi/raspberrypi-builder.sh b/nixpkgs/nixos/modules/system/boot/loader/raspberrypi/raspberrypi-builder.sh index 0fb07de10c04..c8b5bf2e61af 100644 --- a/nixpkgs/nixos/modules/system/boot/loader/raspberrypi/raspberrypi-builder.sh +++ b/nixpkgs/nixos/modules/system/boot/loader/raspberrypi/raspberrypi-builder.sh @@ -71,7 +71,7 @@ addEntry() { local kernel=$(readlink -f $path/kernel) local initrd=$(readlink -f $path/initrd) - local dtb_path=$(readlink -f $path/kernel-modules/dtbs) + local dtb_path=$(readlink -f $path/dtbs) if test -n "@copyKernels@"; then copyToKernelsDir $kernel; kernel=$result @@ -113,10 +113,18 @@ done fwdir=@firmware@/share/raspberrypi/boot/ copyForced $fwdir/bootcode.bin $target/bootcode.bin copyForced $fwdir/fixup.dat $target/fixup.dat +copyForced $fwdir/fixup4.dat $target/fixup4.dat +copyForced $fwdir/fixup4cd.dat $target/fixup4cd.dat +copyForced $fwdir/fixup4db.dat $target/fixup4db.dat +copyForced $fwdir/fixup4x.dat $target/fixup4x.dat copyForced $fwdir/fixup_cd.dat $target/fixup_cd.dat copyForced $fwdir/fixup_db.dat $target/fixup_db.dat copyForced $fwdir/fixup_x.dat $target/fixup_x.dat copyForced $fwdir/start.elf $target/start.elf +copyForced $fwdir/start4.elf $target/start4.elf +copyForced $fwdir/start4cd.elf $target/start4cd.elf +copyForced $fwdir/start4db.elf $target/start4db.elf +copyForced $fwdir/start4x.elf $target/start4x.elf copyForced $fwdir/start_cd.elf $target/start_cd.elf copyForced $fwdir/start_db.elf $target/start_db.elf copyForced $fwdir/start_x.elf $target/start_x.elf diff --git a/nixpkgs/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix b/nixpkgs/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix index 1c8354e52696..337afe9ef628 100644 --- a/nixpkgs/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix +++ b/nixpkgs/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix @@ -59,7 +59,7 @@ in version = mkOption { default = 2; - type = types.enum [ 0 1 2 3 ]; + type = types.enum [ 0 1 2 3 4 ]; description = '' ''; }; @@ -97,8 +97,8 @@ in config = mkIf cfg.enable { assertions = singleton { - assertion = !pkgs.stdenv.hostPlatform.isAarch64 || cfg.version == 3; - message = "Only Raspberry Pi 3 supports aarch64."; + assertion = !pkgs.stdenv.hostPlatform.isAarch64 || cfg.version >= 3; + message = "Only Raspberry Pi >= 3 supports aarch64."; }; system.build.installBootLoader = builder; diff --git a/nixpkgs/nixos/modules/system/boot/loader/raspberrypi/uboot-builder.nix b/nixpkgs/nixos/modules/system/boot/loader/raspberrypi/uboot-builder.nix index 9d4f8a93d282..1dc397e521b4 100644 --- a/nixpkgs/nixos/modules/system/boot/loader/raspberrypi/uboot-builder.nix +++ b/nixpkgs/nixos/modules/system/boot/loader/raspberrypi/uboot-builder.nix @@ -10,11 +10,13 @@ let pkgs.ubootRaspberryPi else if version == 2 then pkgs.ubootRaspberryPi2 - else + else if version == 3 then if isAarch64 then pkgs.ubootRaspberryPi3_64bit else - pkgs.ubootRaspberryPi3_32bit; + pkgs.ubootRaspberryPi3_32bit + else + throw "U-Boot is not yet supported on the raspberry pi 4."; extlinuxConfBuilder = import ../generic-extlinux-compatible/extlinux-conf-builder.nix { diff --git a/nixpkgs/nixos/modules/system/boot/luksroot.nix b/nixpkgs/nixos/modules/system/boot/luksroot.nix index a4029d766b05..0bb8396a44fc 100644 --- a/nixpkgs/nixos/modules/system/boot/luksroot.nix +++ b/nixpkgs/nixos/modules/system/boot/luksroot.nix @@ -126,7 +126,7 @@ let gpg-agent --daemon --scdaemon-program $out/bin/scdaemon > /dev/null 2> /dev/null ''} - + # Disable all input echo for the whole stage. We could use read -s # instead but that would ocasionally leak characters between read # invocations. @@ -417,6 +417,9 @@ let in { + imports = [ + (mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ] "") + ]; options = { diff --git a/nixpkgs/nixos/modules/system/boot/networkd.nix b/nixpkgs/nixos/modules/system/boot/networkd.nix index f2060e21509c..3e289a63139f 100644 --- a/nixpkgs/nixos/modules/system/boot/networkd.nix +++ b/nixpkgs/nixos/modules/system/boot/networkd.nix @@ -10,8 +10,8 @@ let checkLink = checkUnitConfig "Link" [ (assertOnlyFields [ - "Description" "Alias" "MACAddressPolicy" "MACAddress" "NamePolicy" "OriginalName" - "MTUBytes" "BitsPerSecond" "Duplex" "AutoNegotiation" "WakeOnLan" "Port" + "Description" "Alias" "MACAddressPolicy" "MACAddress" "NamePolicy" "Name" "OriginalName" + "MTUBytes" "BitsPerSecond" "Duplex" "AutoNegotiation" "WakeOnLan" "Port" "Advertise" "TCPSegmentationOffload" "TCP6SegmentationOffload" "GenericSegmentationOffload" "GenericReceiveOffload" "LargeReceiveOffload" "RxChannels" "TxChannels" "OtherChannels" "CombinedChannels" @@ -187,7 +187,7 @@ let # Note: For DHCP the values both, none, v4, v6 are deprecated (assertValueOneOf "DHCP" ["yes" "no" "ipv4" "ipv6" "both" "none" "v4" "v6"]) (assertValueOneOf "DHCPServer" boolValues) - (assertValueOneOf "LinkLocalAddressing" ["yes" "no" "ipv4" "ipv6"]) + (assertValueOneOf "LinkLocalAddressing" ["yes" "no" "ipv4" "ipv6" "ipv4-fallback" "fallback"]) (assertValueOneOf "IPv4LLRoute" boolValues) (assertValueOneOf "LLMNR" ["yes" "resolve" "no"]) (assertValueOneOf "MulticastDNS" ["yes" "resolve" "no"]) @@ -201,7 +201,7 @@ let (assertValueOneOf "IPv6AcceptRA" boolValues) (assertValueOneOf "IPv4ProxyARP" boolValues) (assertValueOneOf "IPv6ProxyNDP" boolValues) - (assertValueOneOf "IPv6PrefixDelegation" boolValues) + (assertValueOneOf "IPv6PrefixDelegation" (boolValues ++ [ "dhcpv6" "static" ])) (assertValueOneOf "ActiveSlave" boolValues) (assertValueOneOf "PrimarySlave" boolValues) (assertValueOneOf "ConfigureWithoutCarrier" boolValues) @@ -276,7 +276,7 @@ let (assertValueOneOf "ARP" boolValues) (assertValueOneOf "Multicast" boolValues) (assertValueOneOf "Unmanaged" boolValues) - (assertValueOneOf "RequiredForOnline" boolValues) + (assertValueOneOf "RequiredForOnline" (boolValues ++ ["off" "no-carrier" "dormant" "degraded-carrier" "carrier" "degraded" "enslaved" "routable"])) ]; @@ -872,10 +872,10 @@ let ''; }; - unitFiles = map (name: { - target = "systemd/network/${name}"; - source = "${cfg.units.${name}.unit}/${name}"; - }) (attrNames cfg.units); + unitFiles = listToAttrs (map (name: { + name = "systemd/network/${name}"; + value.source = "${cfg.units.${name}.unit}/${name}"; + }) (attrNames cfg.units)); in { @@ -924,6 +924,8 @@ in config = mkIf config.systemd.network.enable { + users.users.systemd-network.group = "systemd-network"; + systemd.additionalUpstreamSystemUnits = [ "systemd-networkd.service" "systemd-networkd-wait-online.service" ]; @@ -936,7 +938,7 @@ in systemd.services.systemd-networkd = { wantedBy = [ "multi-user.target" ]; - restartTriggers = map (f: f.source) (unitFiles); + restartTriggers = attrNames unitFiles; # prevent race condition with interface renaming (#39069) requires = [ "systemd-udev-settle.service" ]; after = [ "systemd-udev-settle.service" ]; diff --git a/nixpkgs/nixos/modules/system/boot/plymouth.nix b/nixpkgs/nixos/modules/system/boot/plymouth.nix index e4223bae7d32..23fce22366d8 100644 --- a/nixpkgs/nixos/modules/system/boot/plymouth.nix +++ b/nixpkgs/nixos/modules/system/boot/plymouth.nix @@ -5,23 +5,27 @@ with lib; let inherit (pkgs) plymouth; + inherit (pkgs) nixos-icons; cfg = config.boot.plymouth; - breezePlymouth = pkgs.breeze-plymouth.override { - nixosBranding = true; - nixosVersion = config.system.nixos.release; + nixosBreezePlymouth = pkgs.breeze-plymouth.override { + logoFile = cfg.logo; + logoName = "nixos"; + osName = "NixOS"; + osVersion = config.system.nixos.release; }; themesEnv = pkgs.buildEnv { name = "plymouth-themes"; - paths = [ plymouth breezePlymouth ] ++ cfg.themePackages; + paths = [ plymouth ] ++ cfg.themePackages; }; configFile = pkgs.writeText "plymouthd.conf" '' [Daemon] ShowDelay=0 Theme=${cfg.theme} + ${cfg.extraConfig} ''; in @@ -35,7 +39,7 @@ in enable = mkEnableOption "Plymouth boot splash screen"; themePackages = mkOption { - default = []; + default = [ nixosBreezePlymouth ]; type = types.listOf types.package; description = '' Extra theme packages for plymouth. @@ -52,10 +56,7 @@ in logo = mkOption { type = types.path; - default = pkgs.fetchurl { - url = "https://nixos.org/logo/nixos-hires.png"; - sha256 = "1ivzgd7iz0i06y36p8m5w48fd8pjqwxhdaavc0pxs7w1g7mcy5si"; - }; + default = "${nixos-icons}/share/icons/hicolor/128x128/apps/nix-snowflake.png"; defaultText = ''pkgs.fetchurl { url = "https://nixos.org/logo/nixos-hires.png"; sha256 = "1ivzgd7iz0i06y36p8m5w48fd8pjqwxhdaavc0pxs7w1g7mcy5si"; @@ -65,6 +66,15 @@ in ''; }; + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Literal string to append to <literal>configFile</literal> + and the config file generated by the plymouth module. + ''; + }; + }; }; @@ -88,10 +98,7 @@ in systemd.services.plymouth-kexec.wantedBy = [ "kexec.target" ]; systemd.services.plymouth-halt.wantedBy = [ "halt.target" ]; systemd.services.plymouth-quit-wait.wantedBy = [ "multi-user.target" ]; - systemd.services.plymouth-quit = { - wantedBy = [ "multi-user.target" ]; - after = [ "display-manager.service" ]; - }; + systemd.services.plymouth-quit.wantedBy = [ "multi-user.target" ]; systemd.services.plymouth-poweroff.wantedBy = [ "poweroff.target" ]; systemd.services.plymouth-reboot.wantedBy = [ "reboot.target" ]; systemd.services.plymouth-read-write.wantedBy = [ "sysinit.target" ]; diff --git a/nixpkgs/nixos/modules/system/boot/resolved.nix b/nixpkgs/nixos/modules/system/boot/resolved.nix index 3ea96f8e4645..da61c64faf8b 100644 --- a/nixpkgs/nixos/modules/system/boot/resolved.nix +++ b/nixpkgs/nixos/modules/system/boot/resolved.nix @@ -136,6 +136,8 @@ in } ]; + users.users.resolved.group = "systemd-resolve"; + systemd.additionalUpstreamSystemUnits = [ "systemd-resolved.service" ]; diff --git a/nixpkgs/nixos/modules/system/boot/stage-1-init.sh b/nixpkgs/nixos/modules/system/boot/stage-1-init.sh index b817a45deba3..f520bf54ad1b 100644 --- a/nixpkgs/nixos/modules/system/boot/stage-1-init.sh +++ b/nixpkgs/nixos/modules/system/boot/stage-1-init.sh @@ -183,6 +183,12 @@ for o in $(cat /proc/cmdline); do copytoram) copytoram=1 ;; + findiso=*) + # if an iso name is supplied, try to find the device where + # the iso resides on + set -- $(IFS==; echo $o) + isoPath=$2 + ;; esac done @@ -442,6 +448,27 @@ if test -e /sys/power/resume -a -e /sys/power/disk; then fi fi +# If we have a path to an iso file, find the iso and link it to /dev/root +if [ -n "$isoPath" ]; then + mkdir -p /findiso + + for delay in 5 10; do + blkid | while read -r line; do + device=$(echo "$line" | sed 's/:.*//') + type=$(echo "$line" | sed 's/.*TYPE="\([^"]*\)".*/\1/') + + mount -t "$type" "$device" /findiso + if [ -e "/findiso$isoPath" ]; then + ln -sf "/findiso$isoPath" /dev/root + break 2 + else + umount /findiso + fi + done + + sleep "$delay" + done +fi # Try to find and mount the root device. mkdir -p $targetRoot diff --git a/nixpkgs/nixos/modules/system/boot/stage-2-init.sh b/nixpkgs/nixos/modules/system/boot/stage-2-init.sh index 03daafa1ce4f..d1de7920df98 100644 --- a/nixpkgs/nixos/modules/system/boot/stage-2-init.sh +++ b/nixpkgs/nixos/modules/system/boot/stage-2-init.sh @@ -142,7 +142,7 @@ fi # Record the boot configuration. ln -sfn "$systemConfig" /run/booted-system -# Prevent the booted system form being garbage-collected If it weren't +# Prevent the booted system from being garbage-collected. If it weren't # a gcroot, if we were running a different kernel, switched system, # and garbage collected all, we could not load kernel modules anymore. ln -sfn /run/booted-system /nix/var/nix/gcroots/booted-system diff --git a/nixpkgs/nixos/modules/system/boot/systemd-nspawn.nix b/nixpkgs/nixos/modules/system/boot/systemd-nspawn.nix index db6e06b41072..1e2435e36f0c 100644 --- a/nixpkgs/nixos/modules/system/boot/systemd-nspawn.nix +++ b/nixpkgs/nixos/modules/system/boot/systemd-nspawn.nix @@ -113,11 +113,21 @@ in { config = let units = mapAttrs' (n: v: let nspawnFile = "${n}.nspawn"; in nameValuePair nspawnFile (instanceToUnit nspawnFile v)) cfg; - in mkIf (cfg != {}) { - - environment.etc."systemd/nspawn".source = generateUnits "nspawn" units [] []; - - systemd.targets.multi-user.wants = [ "machines.target" ]; - }; - + in + mkMerge [ + (mkIf (cfg != {}) { + environment.etc."systemd/nspawn".source = mkIf (cfg != {}) (generateUnits "nspawn" units [] []); + }) + { + systemd.targets.multi-user.wants = [ "machines.target" ]; + + # Workaround for https://github.com/NixOS/nixpkgs/pull/67232#issuecomment-531315437 and https://github.com/systemd/systemd/issues/13622 + # Once systemd fixes this upstream, we can re-enable -U + systemd.services."systemd-nspawn@".serviceConfig.ExecStart = [ + "" # deliberately empty. signals systemd to override the ExecStart + # Only difference between upstream is that we do not pass the -U flag + "${config.systemd.package}/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth --settings=override --machine=%i" + ]; + } + ]; } diff --git a/nixpkgs/nixos/modules/system/boot/systemd-unit-options.nix b/nixpkgs/nixos/modules/system/boot/systemd-unit-options.nix index c1f2c98afcd8..bee21f1a8f36 100644 --- a/nixpkgs/nixos/modules/system/boot/systemd-unit-options.nix +++ b/nixpkgs/nixos/modules/system/boot/systemd-unit-options.nix @@ -24,7 +24,7 @@ in rec { in if isList (head defs'') then concatLists defs'' - else mergeOneOption loc defs'; + else mergeEqualOption loc defs'; }; sharedOptions = { diff --git a/nixpkgs/nixos/modules/system/boot/systemd.nix b/nixpkgs/nixos/modules/system/boot/systemd.nix index 5cf437bfbcbe..c438bb216e70 100644 --- a/nixpkgs/nixos/modules/system/boot/systemd.nix +++ b/nixpkgs/nixos/modules/system/boot/systemd.nix @@ -63,6 +63,7 @@ let "systemd-logind.service" "autovt@.service" "systemd-user-sessions.service" + "dbus-org.freedesktop.import1.service" "dbus-org.freedesktop.machine1.service" "user@.service" "user-runtime-dir@.service" @@ -145,6 +146,7 @@ let "user.slice" "machine.slice" "machines.target" + "systemd-importd.service" "systemd-machined.service" "systemd-nspawn@.service" @@ -238,7 +240,7 @@ let serviceConfig = { name, config, ... }: { config = mkMerge [ { # Default path for systemd services. Should be quite minimal. - path = + path = mkAfter [ pkgs.coreutils pkgs.findutils pkgs.gnugrep @@ -406,7 +408,6 @@ let in { - ###### interface options = { @@ -546,6 +547,16 @@ in ''; }; + systemd.coredump.enable = mkOption { + default = true; + type = types.bool; + description = '' + Whether core dumps should be processed by + <command>systemd-coredump</command>. If disabled, core dumps + appear in the current directory of the crashing process. + ''; + }; + systemd.coredump.extraConfig = mkOption { default = ""; type = types.lines; @@ -861,8 +872,8 @@ in "tmpfiles.d/journal-nocow.conf".source = "${systemd}/example/tmpfiles.d/journal-nocow.conf"; "tmpfiles.d/static-nodes-permissions.conf".source = "${systemd}/example/tmpfiles.d/static-nodes-permissions.conf"; "tmpfiles.d/systemd.conf".source = "${systemd}/example/tmpfiles.d/systemd.conf"; - "tmpfiles.d/systemd-nspawn.conf".source = "${systemd}/example/tmpfiles.d/system-nspawn.conf"; - "tmpfiles.d/systemd-tmp.conf".source = "${systemd}/example/tmpfiles.d/system-tmp.conf"; + "tmpfiles.d/systemd-nspawn.conf".source = "${systemd}/example/tmpfiles.d/systemd-nspawn.conf"; + "tmpfiles.d/systemd-tmp.conf".source = "${systemd}/example/tmpfiles.d/systemd-tmp.conf"; "tmpfiles.d/var.conf".source = "${systemd}/example/tmpfiles.d/var.conf"; "tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf"; @@ -983,6 +994,10 @@ in # Don't bother with certain units in containers. systemd.services.systemd-remount-fs.unitConfig.ConditionVirtualization = "!container"; systemd.services.systemd-random-seed.unitConfig.ConditionVirtualization = "!container"; + + boot.kernel.sysctl = mkIf (!cfg.coredump.enable) { + "kernel.core_pattern" = "core"; + }; }; # FIXME: Remove these eventually. @@ -990,5 +1005,7 @@ in [ (mkRenamedOptionModule [ "boot" "systemd" "sockets" ] [ "systemd" "sockets" ]) (mkRenamedOptionModule [ "boot" "systemd" "targets" ] [ "systemd" "targets" ]) (mkRenamedOptionModule [ "boot" "systemd" "services" ] [ "systemd" "services" ]) + (mkRenamedOptionModule [ "jobs" ] [ "systemd" "services" ]) + (mkRemovedOptionModule [ "systemd" "generator-packages" ] "Use systemd.packages instead.") ]; } diff --git a/nixpkgs/nixos/modules/system/boot/timesyncd.nix b/nixpkgs/nixos/modules/system/boot/timesyncd.nix index 8282cdd6f3aa..9e2f36ca01f8 100644 --- a/nixpkgs/nixos/modules/system/boot/timesyncd.nix +++ b/nixpkgs/nixos/modules/system/boot/timesyncd.nix @@ -20,6 +20,18 @@ with lib; The set of NTP servers from which to synchronise. ''; }; + extraConfig = mkOption { + default = ""; + type = types.lines; + example = '' + PollIntervalMaxSec=180 + ''; + description = '' + Extra config options for systemd-timesyncd. See + <link xlink:href="https://www.freedesktop.org/software/systemd/man/timesyncd.conf.html"> + timesyncd.conf(5)</link> for available options. + ''; + }; }; }; @@ -35,9 +47,13 @@ with lib; environment.etc."systemd/timesyncd.conf".text = '' [Time] NTP=${concatStringsSep " " config.services.timesyncd.servers} + ${config.services.timesyncd.extraConfig} ''; - users.users.systemd-timesync.uid = config.ids.uids.systemd-timesync; + users.users.systemd-timesync = { + uid = config.ids.uids.systemd-timesync; + group = "systemd-timesync"; + }; users.groups.systemd-timesync.gid = config.ids.gids.systemd-timesync; system.activationScripts.systemd-timesyncd-migration = mkIf (versionOlder config.system.stateVersion "19.09") '' diff --git a/nixpkgs/nixos/modules/tasks/filesystems/nfs.nix b/nixpkgs/nixos/modules/tasks/filesystems/nfs.nix index e0e8bb1f03de..ddcc0ed8f5a4 100644 --- a/nixpkgs/nixos/modules/tasks/filesystems/nfs.nix +++ b/nixpkgs/nixos/modules/tasks/filesystems/nfs.nix @@ -25,6 +25,9 @@ let ''; nfsConfFile = pkgs.writeText "nfs.conf" cfg.extraConfig; + requestKeyConfFile = pkgs.writeText "request-key.conf" '' + create id_resolver * * ${pkgs.nfs-utils}/bin/nfsidmap -t 600 %k %d + ''; cfg = config.services.nfs; @@ -57,9 +60,12 @@ in systemd.packages = [ pkgs.nfs-utils ]; + environment.systemPackages = [ pkgs.keyutils ]; + environment.etc = { "idmapd.conf".source = idmapdConfFile; "nfs.conf".source = nfsConfFile; + "request-key.conf".source = requestKeyConfFile; }; systemd.services.nfs-blkmap = diff --git a/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix b/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix index 2ed8c5aa2927..d14ba98ec48b 100644 --- a/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix @@ -12,13 +12,12 @@ let cfgSnapFlags = cfgSnapshots.flags; cfgScrub = config.services.zfs.autoScrub; cfgTrim = config.services.zfs.trim; + cfgZED = config.services.zfs.zed; inInitrd = any (fs: fs == "zfs") config.boot.initrd.supportedFilesystems; inSystem = any (fs: fs == "zfs") config.boot.supportedFilesystems; - enableAutoSnapshots = cfgSnapshots.enable; - enableAutoScrub = cfgScrub.enable; - enableZfs = inInitrd || inSystem || enableAutoSnapshots || enableAutoScrub; + enableZfs = inInitrd || inSystem; kernel = config.boot.kernelPackages; @@ -89,10 +88,25 @@ let } ''; + zedConf = generators.toKeyValue { + mkKeyValue = generators.mkKeyValueDefault { + mkValueString = v: + if isInt v then toString v + else if isString v then "\"${v}\"" + else if true == v then "1" + else if false == v then "0" + else if isList v then "\"" + (concatStringsSep " " v) + "\"" + else err "this value is" (toString v); + } "="; + } cfgZED.settings; in { + imports = [ + (mkRemovedOptionModule [ "boot" "zfs" "enableLegacyCrypto" ] "The corresponding package was removed from nixpkgs.") + ]; + ###### interface options = { @@ -268,7 +282,12 @@ in }; services.zfs.trim = { - enable = mkEnableOption "Enables periodic TRIM on all ZFS pools."; + enable = mkOption { + description = "Whether to enable periodic TRIM on all ZFS pools."; + default = true; + example = false; + type = types.bool; + }; interval = mkOption { default = "weekly"; @@ -309,6 +328,32 @@ in ''; }; }; + + services.zfs.zed.settings = mkOption { + type = with types; attrsOf (oneOf [ str int bool (listOf str) ]); + example = literalExample '' + { + ZED_DEBUG_LOG = "/tmp/zed.debug.log"; + + ZED_EMAIL_ADDR = [ "root" ]; + ZED_EMAIL_PROG = "mail"; + ZED_EMAIL_OPTS = "-s '@SUBJECT@' @ADDRESS@"; + + ZED_NOTIFY_INTERVAL_SECS = 3600; + ZED_NOTIFY_VERBOSE = false; + + ZED_USE_ENCLOSURE_LEDS = true; + ZED_SCRUB_AFTER_RESILVER = false; + } + ''; + description = '' + ZFS Event Daemon /etc/zfs/zed.d/zed.rc content + + See + <citerefentry><refentrytitle>zed</refentrytitle><manvolnum>8</manvolnum></citerefentry> + for details on ZED and the scripts in /etc/zfs/zed.d to find the possible variables + ''; + }; }; ###### implementation @@ -386,11 +431,36 @@ in zfsSupport = true; }; - environment.etc."zfs/zed.d".source = "${packages.zfsUser}/etc/zfs/zed.d/"; + services.zfs.zed.settings = { + ZED_EMAIL_PROG = mkDefault "${pkgs.mailutils}/bin/mail"; + }; + + environment.etc = genAttrs + (map + (file: "zfs/zed.d/${file}") + [ + "all-syslog.sh" + "pool_import-led.sh" + "resilver_finish-start-scrub.sh" + "statechange-led.sh" + "vdev_attach-led.sh" + "zed-functions.sh" + "data-notify.sh" + "resilver_finish-notify.sh" + "scrub_finish-notify.sh" + "statechange-notify.sh" + "vdev_clear-led.sh" + ] + ) + (file: { source = "${packages.zfsUser}/etc/${file}"; }) + // { + "zfs/zed.d/zed.rc".text = zedConf; + "zfs/zpool.d".source = "${packages.zfsUser}/etc/zfs/zpool.d/"; + }; system.fsPackages = [ packages.zfsUser ]; # XXX: needed? zfs doesn't have (need) a fsck environment.systemPackages = [ packages.zfsUser ] - ++ optional enableAutoSnapshots autosnapPkg; # so the user can run the command to see flags + ++ optional cfgSnapshots.enable autosnapPkg; # so the user can run the command to see flags services.udev.packages = [ packages.zfsUser ]; # to hook zvol naming, etc. systemd.packages = [ packages.zfsUser ]; @@ -482,7 +552,7 @@ in systemd.targets.zfs.wantedBy = [ "multi-user.target" ]; }) - (mkIf enableAutoSnapshots { + (mkIf (enableZfs && cfgSnapshots.enable) { systemd.services = let descr = name: if name == "frequent" then "15 mins" else if name == "hourly" then "hour" @@ -520,7 +590,7 @@ in }) snapshotNames); }) - (mkIf enableAutoScrub { + (mkIf (enableZfs && cfgScrub.enable) { systemd.services.zfs-scrub = { description = "ZFS pools scrubbing"; after = [ "zfs-import.target" ]; @@ -547,15 +617,13 @@ in }; }) - (mkIf cfgTrim.enable { + (mkIf (enableZfs && cfgTrim.enable) { systemd.services.zpool-trim = { description = "ZFS pools trim"; after = [ "zfs-import.target" ]; path = [ packages.zfsUser ]; startAt = cfgTrim.interval; - script = '' - zpool list -H -o name | xargs -n1 zpool trim - ''; + serviceConfig.ExecStart = "${pkgs.runtimeShell} -c 'zpool list -H -o name | xargs --no-run-if-empty -n1 zpool trim'"; }; }) ]; diff --git a/nixpkgs/nixos/modules/tasks/kbd.nix b/nixpkgs/nixos/modules/tasks/kbd.nix deleted file mode 100644 index c6ba998b19e6..000000000000 --- a/nixpkgs/nixos/modules/tasks/kbd.nix +++ /dev/null @@ -1,127 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - makeColor = n: value: "COLOR_${toString n}=${value}"; - makeColorCS = - let positions = [ "0" "1" "2" "3" "4" "5" "6" "7" "8" "9" "A" "B" "C" "D" "E" "F" ]; - in n: value: "\\033]P${elemAt positions (n - 1)}${value}"; - colors = concatImapStringsSep "\n" makeColor config.i18n.consoleColors; - - isUnicode = hasSuffix "UTF-8" (toUpper config.i18n.defaultLocale); - - optimizedKeymap = pkgs.runCommand "keymap" { - nativeBuildInputs = [ pkgs.buildPackages.kbd ]; - LOADKEYS_KEYMAP_PATH = "${kbdEnv}/share/keymaps/**"; - preferLocalBuild = true; - } '' - loadkeys -b ${optionalString isUnicode "-u"} "${config.i18n.consoleKeyMap}" > $out - ''; - - # Sadly, systemd-vconsole-setup doesn't support binary keymaps. - vconsoleConf = pkgs.writeText "vconsole.conf" '' - KEYMAP=${config.i18n.consoleKeyMap} - FONT=${config.i18n.consoleFont} - ${colors} - ''; - - kbdEnv = pkgs.buildEnv { - name = "kbd-env"; - paths = [ pkgs.kbd ] ++ config.i18n.consolePackages; - pathsToLink = [ "/share/consolefonts" "/share/consoletrans" "/share/keymaps" "/share/unimaps" ]; - }; - - setVconsole = !config.boot.isContainer; -in - -{ - ###### interface - - options = { - - # most options are defined in i18n.nix - - # FIXME: still needed? - boot.extraTTYs = mkOption { - default = []; - type = types.listOf types.str; - example = ["tty8" "tty9"]; - description = '' - Tty (virtual console) devices, in addition to the consoles on - which mingetty and syslogd run, that must be initialised. - Only useful if you have some program that you want to run on - some fixed console. For example, the NixOS installation CD - opens the manual in a web browser on console 7, so it sets - <option>boot.extraTTYs</option> to <literal>["tty7"]</literal>. - ''; - }; - - boot.earlyVconsoleSetup = mkOption { - default = false; - type = types.bool; - description = '' - Enable setting font as early as possible (in initrd). - ''; - }; - - }; - - - ###### implementation - - config = mkMerge [ - (mkIf (!setVconsole) { - systemd.services.systemd-vconsole-setup.enable = false; - }) - - (mkIf setVconsole (mkMerge [ - { environment.systemPackages = [ pkgs.kbd ]; - - # Let systemd-vconsole-setup.service do the work of setting up the - # virtual consoles. - environment.etc."vconsole.conf".source = vconsoleConf; - # Provide kbd with additional packages. - environment.etc.kbd.source = "${kbdEnv}/share"; - - boot.initrd.preLVMCommands = mkBefore '' - kbd_mode ${if isUnicode then "-u" else "-a"} -C /dev/console - printf "\033%%${if isUnicode then "G" else "@"}" >> /dev/console - loadkmap < ${optimizedKeymap} - - ${optionalString config.boot.earlyVconsoleSetup '' - setfont -C /dev/console $extraUtils/share/consolefonts/font.psf - ''} - - ${concatImapStringsSep "\n" (n: color: '' - printf "${makeColorCS n color}" >> /dev/console - '') config.i18n.consoleColors} - ''; - - systemd.services.systemd-vconsole-setup = - { before = [ "display-manager.service" ]; - after = [ "systemd-udev-settle.service" ]; - restartTriggers = [ vconsoleConf kbdEnv ]; - }; - } - - (mkIf config.boot.earlyVconsoleSetup { - boot.initrd.extraUtilsCommands = '' - mkdir -p $out/share/consolefonts - ${if substring 0 1 config.i18n.consoleFont == "/" then '' - font="${config.i18n.consoleFont}" - '' else '' - font="$(echo ${kbdEnv}/share/consolefonts/${config.i18n.consoleFont}.*)" - ''} - if [[ $font == *.gz ]]; then - gzip -cd $font > $out/share/consolefonts/font.psf - else - cp -L $font $out/share/consolefonts/font.psf - fi - ''; - }) - ])) - ]; - -} diff --git a/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix b/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix index 7c6604922cf7..e25dc0c0b39a 100644 --- a/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix @@ -31,13 +31,19 @@ in message = "networking.defaultGatewayWindowSize is not supported by networkd."; } { assertion = cfg.vswitches == {}; - message = "networking.vswichtes are not supported by networkd."; + message = "networking.vswitches are not supported by networkd."; } { assertion = cfg.defaultGateway == null || cfg.defaultGateway.interface == null; message = "networking.defaultGateway.interface is not supported by networkd."; } { assertion = cfg.defaultGateway6 == null || cfg.defaultGateway6.interface == null; message = "networking.defaultGateway6.interface is not supported by networkd."; + } { + assertion = cfg.useDHCP == false; + message = '' + networking.useDHCP is not supported by networkd. + Please use per interface configuration and set the global option to false. + ''; } ] ++ flip mapAttrsToList cfg.bridges (n: { rstp, ... }: { assertion = !rstp; message = "networking.bridges.${n}.rstp is not supported by networkd."; @@ -54,11 +60,9 @@ in let domains = cfg.search ++ (optional (cfg.domain != null) cfg.domain); genericNetwork = override: - let gateway = optional (cfg.defaultGateway != null) cfg.defaultGateway.address - ++ optional (cfg.defaultGateway6 != null) cfg.defaultGateway6.address; - in { - DHCP = override (dhcpStr cfg.useDHCP); - } // optionalAttrs (gateway != [ ]) { + let gateway = optional (cfg.defaultGateway != null && (cfg.defaultGateway.address or "") != "") cfg.defaultGateway.address + ++ optional (cfg.defaultGateway6 != null && (cfg.defaultGateway6.address or "") != "") cfg.defaultGateway6.address; + in optionalAttrs (gateway != [ ]) { routes = override [ { routeConfig = { @@ -72,15 +76,6 @@ in }; in mkMerge [ { enable = true; - networks."99-main" = (genericNetwork mkDefault) // { - # We keep the "broken" behaviour of applying this to all interfaces. - # In general we want to get rid of this workaround but there hasn't - # been any work on that. - # See the following issues for details: - # - https://github.com/NixOS/nixpkgs/issues/18962 - # - https://github.com/NixOS/nixpkgs/issues/61629 - matchConfig = mkDefault { Name = "*"; }; - }; } (mkMerge (forEach interfaces (i: { netdevs = mkIf i.virtual ({ @@ -97,7 +92,7 @@ in networks."40-${i.name}" = mkMerge [ (genericNetwork mkDefault) { name = mkDefault i.name; DHCP = mkForce (dhcpStr - (if i.useDHCP != null then i.useDHCP else cfg.useDHCP && interfaceIps i == [ ])); + (if i.useDHCP != null then i.useDHCP else false)); address = forEach (interfaceIps i) (ip: "${ip.address}/${toString ip.prefixLength}"); networkConfig.IPv6PrivacyExtensions = "kernel"; diff --git a/nixpkgs/nixos/modules/tasks/network-interfaces.nix b/nixpkgs/nixos/modules/tasks/network-interfaces.nix index 5bf7b0d227f0..31e2ed1cd1ea 100644 --- a/nixpkgs/nixos/modules/tasks/network-interfaces.nix +++ b/nixpkgs/nixos/modules/tasks/network-interfaces.nix @@ -305,7 +305,7 @@ let optional (defined ipv6Address && defined ipv6PrefixLength) { address = ipv6Address; prefixLength = ipv6PrefixLength; })) - ({ options.warnings = options.warnings; }) + ({ options.warnings = options.warnings; options.assertions = options.assertions; }) ]; }; @@ -903,6 +903,11 @@ in Whether to use DHCP to obtain an IP address and other configuration for all network interfaces that are not manually configured. + + Using this option is highly discouraged and also incompatible with + <option>networking.useNetworkd</option>. Please use + <option>networking.interfaces.<name>.useDHCP</option> instead + and set this to false. ''; }; @@ -967,9 +972,9 @@ in "net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6); "net.ipv6.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces); } // listToAttrs (flip concatMap (filter (i: i.proxyARP) interfaces) - (i: forEach [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true))) + (i: forEach [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${replaceChars ["."] ["/"] i.name}.proxy_arp" true))) // listToAttrs (forEach (filter (i: i.preferTempAddress) interfaces) - (i: nameValuePair "net.ipv6.conf.${i.name}.use_tempaddr" 2)); + (i: nameValuePair "net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.use_tempaddr" 2)); # Capabilities won't work unless we have at-least a 4.3 Linux # kernel because we need the ambient capability @@ -1092,7 +1097,7 @@ in destination = "/etc/udev/rules.d/98-${name}"; text = '' # enable and prefer IPv6 privacy addresses by default - ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.procps}/bin/sysctl net.ipv6.conf.%k.use_tempaddr=2" + ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.bash}/bin/sh -c 'echo 2 > /proc/sys/net/ipv6/conf/%k/use_tempaddr'" ''; }) (pkgs.writeTextFile rec { @@ -1100,7 +1105,7 @@ in destination = "/etc/udev/rules.d/99-${name}"; text = concatMapStrings (i: '' # enable IPv6 privacy addresses but prefer EUI-64 addresses for ${i.name} - ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.procps}/bin/sysctl net.ipv6.conf.${i.name}.use_tempaddr=1" + ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.procps}/bin/sysctl net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.use_tempaddr=1" '') (filter (i: !i.preferTempAddress) interfaces); }) ] ++ lib.optional (cfg.wlanInterfaces != {}) diff --git a/nixpkgs/nixos/modules/testing/test-instrumentation.nix b/nixpkgs/nixos/modules/testing/test-instrumentation.nix index 1a11d9ce7c26..1baeab53b0c2 100644 --- a/nixpkgs/nixos/modules/testing/test-instrumentation.nix +++ b/nixpkgs/nixos/modules/testing/test-instrumentation.nix @@ -15,7 +15,7 @@ with import ../../lib/qemu-flags.nix { inherit pkgs; }; # # One particular example are the boot tests where we want instrumentation # within the images but not other stuff like setting up 9p filesystems. - options.virtualisation.qemu.program = mkOption { type = types.path; }; + options.virtualisation.qemu = { }; config = { diff --git a/nixpkgs/nixos/modules/virtualisation/amazon-image.nix b/nixpkgs/nixos/modules/virtualisation/amazon-image.nix index aadfc5add350..20d48add7129 100644 --- a/nixpkgs/nixos/modules/virtualisation/amazon-image.nix +++ b/nixpkgs/nixos/modules/virtualisation/amazon-image.nix @@ -135,6 +135,9 @@ in services.openssh.enable = true; services.openssh.permitRootLogin = "prohibit-password"; + # Creates symlinks for block device names. + services.udev.packages = [ pkgs.ec2-utils ]; + # Force getting the hostname from EC2. networking.hostName = mkDefault ""; diff --git a/nixpkgs/nixos/modules/virtualisation/container-config.nix b/nixpkgs/nixos/modules/virtualisation/container-config.nix index 604fb8a75932..6ff6bdd30c20 100644 --- a/nixpkgs/nixos/modules/virtualisation/container-config.nix +++ b/nixpkgs/nixos/modules/virtualisation/container-config.nix @@ -7,8 +7,10 @@ with lib; config = mkIf config.boot.isContainer { # Disable some features that are not useful in a container. + nix.optimise.automatic = mkDefault false; # the store is host managed services.udisks2.enable = mkDefault false; powerManagement.enable = mkDefault false; + documentation.nixos.enable = mkDefault false; networking.useHostResolvConf = mkDefault true; diff --git a/nixpkgs/nixos/modules/virtualisation/containers.nix b/nixpkgs/nixos/modules/virtualisation/containers.nix index 9c9f8fc0c215..02de5801da25 100644 --- a/nixpkgs/nixos/modules/virtualisation/containers.nix +++ b/nixpkgs/nixos/modules/virtualisation/containers.nix @@ -149,7 +149,7 @@ let --setenv PATH="$PATH" \ ${optionalString cfg.ephemeral "--ephemeral"} \ ${if cfg.additionalCapabilities != null && cfg.additionalCapabilities != [] then - ''--capability="${concatStringsSep " " cfg.additionalCapabilities}"'' else "" + ''--capability="${concatStringsSep "," cfg.additionalCapabilities}"'' else "" } \ ${if cfg.tmpfs != null && cfg.tmpfs != [] then ''--tmpfs=${concatStringsSep " --tmpfs=" cfg.tmpfs}'' else "" @@ -225,12 +225,6 @@ let fi ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg.extraVeths)} fi - - # Get the leader PID so that we can signal it in - # preStop. We can't use machinectl there because D-Bus - # might be shutting down. FIXME: in systemd 219 we can - # just signal systemd-nspawn to do a clean shutdown. - machinectl show "$INSTANCE" | sed 's/Leader=\(.*\)/\1/;t;d' > "/run/containers/$INSTANCE.pid" '' ); @@ -715,14 +709,7 @@ in postStart = postStartScript dummyConfig; - preStop = - '' - pid="$(cat /run/containers/$INSTANCE.pid)" - if [ -n "$pid" ]; then - kill -RTMIN+4 "$pid" - fi - rm -f "/run/containers/$INSTANCE.pid" - ''; + preStop = "machinectl poweroff $INSTANCE"; restartIfChanged = false; @@ -824,5 +811,12 @@ in ''; environment.systemPackages = [ pkgs.nixos-container ]; + + boot.kernelModules = [ + "bridge" + "macvlan" + "tap" + "tun" + ]; }); } diff --git a/nixpkgs/nixos/modules/virtualisation/digital-ocean-config.nix b/nixpkgs/nixos/modules/virtualisation/digital-ocean-config.nix new file mode 100644 index 000000000000..88cb0cd450e8 --- /dev/null +++ b/nixpkgs/nixos/modules/virtualisation/digital-ocean-config.nix @@ -0,0 +1,197 @@ +{ config, pkgs, lib, modulesPath, ... }: +with lib; +{ + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + (modulesPath + "/virtualisation/digital-ocean-init.nix") + ]; + options.virtualisation.digitalOcean = with types; { + setRootPassword = mkOption { + type = bool; + default = false; + example = true; + description = "Whether to set the root password from the Digital Ocean metadata"; + }; + setSshKeys = mkOption { + type = bool; + default = true; + example = true; + description = "Whether to fetch ssh keys from Digital Ocean"; + }; + seedEntropy = mkOption { + type = bool; + default = true; + example = true; + description = "Whether to run the kernel RNG entropy seeding script from the Digital Ocean vendor data"; + }; + }; + config = + let + cfg = config.virtualisation.digitalOcean; + hostName = config.networking.hostName; + doMetadataFile = "/run/do-metadata/v1.json"; + in mkMerge [{ + fileSystems."/" = { + device = "/dev/disk/by-label/nixos"; + autoResize = true; + fsType = "ext4"; + }; + boot = { + growPartition = true; + kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ]; + initrd.kernelModules = [ "virtio_scsi" ]; + kernelModules = [ "virtio_pci" "virtio_net" ]; + loader = { + grub.device = "/dev/vda"; + timeout = 0; + grub.configurationLimit = 0; + }; + }; + services.openssh = { + enable = mkDefault true; + passwordAuthentication = mkDefault false; + }; + services.do-agent.enable = mkDefault true; + networking = { + hostName = mkDefault ""; # use Digital Ocean metadata server + }; + + /* Check for and wait for the metadata server to become reachable. + * This serves as a dependency for all the other metadata services. */ + systemd.services.digitalocean-metadata = { + path = [ pkgs.curl ]; + description = "Get host metadata provided by Digitalocean"; + script = '' + set -eu + DO_DELAY_ATTEMPTS=0 + while ! curl -fsSL -o $RUNTIME_DIRECTORY/v1.json http://169.254.169.254/metadata/v1.json; do + DO_DELAY_ATTEMPTS=$((DO_DELAY_ATTEMPTS + 1)) + if (( $DO_DELAY_ATTEMPTS >= $DO_DELAY_ATTEMPTS_MAX )); then + echo "giving up" + exit 1 + fi + + echo "metadata unavailable, trying again in 1s..." + sleep 1 + done + chmod 600 $RUNTIME_DIRECTORY/v1.json + ''; + environment = { + DO_DELAY_ATTEMPTS_MAX = "10"; + }; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + RuntimeDirectory = "do-metadata"; + RuntimeDirectoryPreserve = "yes"; + }; + unitConfig = { + ConditionPathExists = "!${doMetadataFile}"; + After = [ "network-pre.target" ] ++ + optional config.networking.dhcpcd.enable "dhcpcd.service" ++ + optional config.systemd.network.enable "systemd-networkd.service"; + }; + }; + + /* Fetch the root password from the digital ocean metadata. + * There is no specific route for this, so we use jq to get + * it from the One Big JSON metadata blob */ + systemd.services.digitalocean-set-root-password = mkIf cfg.setRootPassword { + path = [ pkgs.shadow pkgs.jq ]; + description = "Set root password provided by Digitalocean"; + wantedBy = [ "multi-user.target" ]; + script = '' + set -eo pipefail + ROOT_PASSWORD=$(jq -er '.auth_key' ${doMetadataFile}) + echo "root:$ROOT_PASSWORD" | chpasswd + mkdir -p /etc/do-metadata/set-root-password + ''; + unitConfig = { + ConditionPathExists = "!/etc/do-metadata/set-root-password"; + Before = optional config.services.openssh.enable "sshd.service"; + After = [ "digitalocean-metadata.service" ]; + Requires = [ "digitalocean-metadata.service" ]; + }; + serviceConfig = { + Type = "oneshot"; + }; + }; + + /* Set the hostname from Digital Ocean, unless the user configured it in + * the NixOS configuration. The cached metadata file isn't used here + * because the hostname is a mutable part of the droplet. */ + systemd.services.digitalocean-set-hostname = mkIf (hostName == "") { + path = [ pkgs.curl pkgs.nettools ]; + description = "Set hostname provided by Digitalocean"; + wantedBy = [ "network.target" ]; + script = '' + set -e + DIGITALOCEAN_HOSTNAME=$(curl -fsSL http://169.254.169.254/metadata/v1/hostname) + hostname "$DIGITALOCEAN_HOSTNAME" + if [[ ! -e /etc/hostname || -w /etc/hostname ]]; then + printf "%s\n" "$DIGITALOCEAN_HOSTNAME" > /etc/hostname + fi + ''; + unitConfig = { + Before = [ "network.target" ]; + After = [ "digitalocean-metadata.service" ]; + Wants = [ "digitalocean-metadata.service" ]; + }; + serviceConfig = { + Type = "oneshot"; + }; + }; + + /* Fetch the ssh keys for root from Digital Ocean */ + systemd.services.digitalocean-ssh-keys = mkIf cfg.setSshKeys { + description = "Set root ssh keys provided by Digital Ocean"; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.jq ]; + script = '' + set -e + mkdir -m 0700 -p /root/.ssh + jq -er '.public_keys[]' ${doMetadataFile} > /root/.ssh/authorized_keys + chmod 600 /root/.ssh/authorized_keys + ''; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + unitConfig = { + ConditionPathExists = "!/root/.ssh/authorized_keys"; + Before = optional config.services.openssh.enable "sshd.service"; + After = [ "digitalocean-metadata.service" ]; + Requires = [ "digitalocean-metadata.service" ]; + }; + }; + + /* Initialize the RNG by running the entropy-seed script from the + * Digital Ocean metadata + */ + systemd.services.digitalocean-entropy-seed = mkIf cfg.seedEntropy { + description = "Run the kernel RNG entropy seeding script from the Digital Ocean vendor data"; + wantedBy = [ "network.target" ]; + path = [ pkgs.jq pkgs.mpack ]; + script = '' + set -eo pipefail + TEMPDIR=$(mktemp -d) + jq -er '.vendor_data' ${doMetadataFile} | munpack -tC $TEMPDIR + ENTROPY_SEED=$(grep -rl "DigitalOcean Entropy Seed script" $TEMPDIR) + ${pkgs.runtimeShell} $ENTROPY_SEED + rm -rf $TEMPDIR + ''; + unitConfig = { + Before = [ "network.target" ]; + After = [ "digitalocean-metadata.service" ]; + Requires = [ "digitalocean-metadata.service" ]; + }; + serviceConfig = { + Type = "oneshot"; + }; + }; + + } + ]; + meta.maintainers = with maintainers; [ arianvp eamsden ]; +} + diff --git a/nixpkgs/nixos/modules/virtualisation/digital-ocean-image.nix b/nixpkgs/nixos/modules/virtualisation/digital-ocean-image.nix new file mode 100644 index 000000000000..b582e235d435 --- /dev/null +++ b/nixpkgs/nixos/modules/virtualisation/digital-ocean-image.nix @@ -0,0 +1,69 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.virtualisation.digitalOceanImage; +in +{ + + imports = [ ./digital-ocean-config.nix ]; + + options = { + virtualisation.digitalOceanImage.diskSize = mkOption { + type = with types; int; + default = 4096; + description = '' + Size of disk image. Unit is MB. + ''; + }; + + virtualisation.digitalOceanImage.configFile = mkOption { + type = with types; nullOr path; + default = null; + description = '' + A path to a configuration file which will be placed at + <literal>/etc/nixos/configuration.nix</literal> and be used when switching + to a new configuration. If set to <literal>null</literal>, a default + configuration is used that imports + <literal>(modulesPath + "/virtualisation/digital-ocean-config.nix")</literal>. + ''; + }; + + virtualisation.digitalOceanImage.compressionMethod = mkOption { + type = types.enum [ "gzip" "bzip2" ]; + default = "gzip"; + example = "bzip2"; + description = '' + Disk image compression method. Choose bzip2 to generate smaller images that + take longer to generate but will consume less metered storage space on your + Digital Ocean account. + ''; + }; + }; + + #### implementation + config = { + + system.build.digitalOceanImage = import ../../lib/make-disk-image.nix { + name = "digital-ocean-image"; + format = "qcow2"; + postVM = let + compress = { + "gzip" = "${pkgs.gzip}/bin/gzip"; + "bzip2" = "${pkgs.bzip2}/bin/bzip2"; + }.${cfg.compressionMethod}; + in '' + ${compress} $diskImage + ''; + configFile = if cfg.configFile == null + then config.virtualisation.digitalOcean.defaultConfigFile + else cfg.configFile; + inherit (cfg) diskSize; + inherit config lib pkgs; + }; + + }; + + meta.maintainers = with maintainers; [ arianvp eamsden ]; + +} diff --git a/nixpkgs/nixos/modules/virtualisation/digital-ocean-init.nix b/nixpkgs/nixos/modules/virtualisation/digital-ocean-init.nix new file mode 100644 index 000000000000..02f4de009fa8 --- /dev/null +++ b/nixpkgs/nixos/modules/virtualisation/digital-ocean-init.nix @@ -0,0 +1,95 @@ +{ config, pkgs, lib, ... }: +with lib; +let + cfg = config.virtualisation.digitalOcean; + defaultConfigFile = pkgs.writeText "digitalocean-configuration.nix" '' + { modulesPath, lib, ... }: + { + imports = lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix ++ [ + (modulesPath + "/virtualisation/digital-ocean-config.nix") + ]; + } + ''; +in { + options.virtualisation.digitalOcean.rebuildFromUserData = mkOption { + type = types.bool; + default = true; + example = true; + description = "Whether to reconfigure the system from Digital Ocean user data"; + }; + options.virtualisation.digitalOcean.defaultConfigFile = mkOption { + type = types.path; + default = defaultConfigFile; + defaultText = '' + The default configuration imports user-data if applicable and + <literal>(modulesPath + "/virtualisation/digital-ocean-config.nix")</literal>. + ''; + description = '' + A path to a configuration file which will be placed at + <literal>/etc/nixos/configuration.nix</literal> and be used when switching to + a new configuration. + ''; + }; + + config = { + systemd.services.digitalocean-init = mkIf cfg.rebuildFromUserData { + description = "Reconfigure the system from Digital Ocean userdata on startup"; + wantedBy = [ "network-online.target" ]; + unitConfig = { + ConditionPathExists = "!/etc/nixos/do-userdata.nix"; + After = [ "digitalocean-metadata.service" "network-online.target" ]; + Requires = [ "digitalocean-metadata.service" ]; + X-StopOnRemoval = false; + }; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + restartIfChanged = false; + path = [ pkgs.jq pkgs.gnused pkgs.gnugrep pkgs.systemd config.nix.package config.system.build.nixos-rebuild ]; + environment = { + HOME = "/root"; + NIX_PATH = concatStringsSep ":" [ + "/nix/var/nix/profiles/per-user/root/channels/nixos" + "nixos-config=/etc/nixos/configuration.nix" + "/nix/var/nix/profiles/per-user/root/channels" + ]; + }; + script = '' + set -e + echo "attempting to fetch configuration from Digital Ocean user data..." + userData=$(mktemp) + if jq -er '.user_data' /run/do-metadata/v1.json > $userData; then + # If the user-data looks like it could be a nix expression, + # copy it over. Also, look for a magic three-hash comment and set + # that as the channel. + if nix-instantiate --parse $userData > /dev/null; then + channels="$(grep '^###' "$userData" | sed 's|###\s*||')" + printf "%s" "$channels" | while read channel; do + echo "writing channel: $channel" + done + + if [[ -n "$channels" ]]; then + printf "%s" "$channels" > /root/.nix-channels + nix-channel --update + fi + + echo "setting configuration from Digital Ocean user data" + cp "$userData" /etc/nixos/do-userdata.nix + if [[ ! -e /etc/nixos/configuration.nix ]]; then + install -m0644 ${cfg.defaultConfigFile} /etc/nixos/configuration.nix + fi + else + echo "user data does not appear to be a Nix expression; ignoring" + exit + fi + + nixos-rebuild switch + else + echo "no user data is available" + fi + ''; + }; + }; + meta.maintainers = with maintainers; [ arianvp eamsden ]; +} diff --git a/nixpkgs/nixos/modules/virtualisation/docker-containers.nix b/nixpkgs/nixos/modules/virtualisation/docker-containers.nix index 59b0943f591f..760cb9122a2f 100644 --- a/nixpkgs/nixos/modules/virtualisation/docker-containers.nix +++ b/nixpkgs/nixos/modules/virtualisation/docker-containers.nix @@ -186,7 +186,7 @@ let ++ map escapeShellArg container.cmd ); ExecStartPre = "-${pkgs.docker}/bin/docker rm -f %n"; - ExecStop = "${pkgs.docker}/bin/docker stop %n"; + ExecStop = ''${pkgs.bash}/bin/sh -c "[ $SERVICE_RESULT = success ] || ${pkgs.docker}/bin/docker stop %n"''; ExecStopPost = "-${pkgs.docker}/bin/docker rm -f %n"; ### There is no generalized way of supporting `reload` for docker diff --git a/nixpkgs/nixos/modules/virtualisation/ec2-amis.nix b/nixpkgs/nixos/modules/virtualisation/ec2-amis.nix index f640bb21b133..3b4e55d39d7b 100644 --- a/nixpkgs/nixos/modules/virtualisation/ec2-amis.nix +++ b/nixpkgs/nixos/modules/virtualisation/ec2-amis.nix @@ -291,5 +291,21 @@ let self = { "19.03".sa-east-1.hvm-ebs = "ami-0c6a43c6e0ad1f4e2"; "19.03".ap-south-1.hvm-ebs = "ami-0303deb1b5890f878"; - latest = self."19.03"; + # 19.09.981.205691b7cbe + "19.09".eu-west-1.hvm-ebs = "ami-0ebd3156e21e9642f"; + "19.09".eu-west-2.hvm-ebs = "ami-02a2b5480a79084b7"; + "19.09".eu-west-3.hvm-ebs = "ami-09aa175c7588734f7"; + "19.09".eu-central-1.hvm-ebs = "ami-00a7fafd7e237a330"; + "19.09".us-east-1.hvm-ebs = "ami-00a8eeaf232a74f84"; + "19.09".us-east-2.hvm-ebs = "ami-093efd3a57a1e03a8"; + "19.09".us-west-1.hvm-ebs = "ami-0913e9a2b677fac30"; + "19.09".us-west-2.hvm-ebs = "ami-02d9a19f77b47882a"; + "19.09".ca-central-1.hvm-ebs = "ami-0627dd3f7b3627a29"; + "19.09".ap-southeast-1.hvm-ebs = "ami-083614e4d08f2164d"; + "19.09".ap-southeast-2.hvm-ebs = "ami-0048c704185ded6dc"; + "19.09".ap-northeast-1.hvm-ebs = "ami-0329e7fc2d7f60bd0"; + "19.09".ap-northeast-2.hvm-ebs = "ami-03d4ae7d0b5fc364f"; + "19.09".ap-south-1.hvm-ebs = "ami-0b599690b35aeef23"; + + latest = self."19.09"; }; in self diff --git a/nixpkgs/nixos/modules/virtualisation/ec2-data.nix b/nixpkgs/nixos/modules/virtualisation/ec2-data.nix index 82451787e8a1..629125350182 100644 --- a/nixpkgs/nixos/modules/virtualisation/ec2-data.nix +++ b/nixpkgs/nixos/modules/virtualisation/ec2-data.nix @@ -7,6 +7,10 @@ with lib; { + imports = [ + (mkRemovedOptionModule [ "ec2" "metadata" ] "") + ]; + config = { systemd.services.apply-ec2-data = diff --git a/nixpkgs/nixos/modules/virtualisation/libvirtd.nix b/nixpkgs/nixos/modules/virtualisation/libvirtd.nix index 16b79d869193..52d852894ce5 100644 --- a/nixpkgs/nixos/modules/virtualisation/libvirtd.nix +++ b/nixpkgs/nixos/modules/virtualisation/libvirtd.nix @@ -28,6 +28,11 @@ let in { + imports = [ + (mkRemovedOptionModule [ "virtualisation" "libvirtd" "enableKVM" ] + "Set the option `virtualisation.libvirtd.qemuPackage' instead.") + ]; + ###### interface options.virtualisation.libvirtd = { @@ -146,7 +151,8 @@ in { # this file is expected in /etc/qemu and not sysconfdir (/var/lib) etc."qemu/bridge.conf".text = lib.concatMapStringsSep "\n" (e: "allow ${e}") cfg.allowedBridges; - systemPackages = with pkgs; [ libvirt libressl.nc cfg.qemuPackage ]; + systemPackages = with pkgs; [ libvirt libressl.nc iptables cfg.qemuPackage ]; + etc.ethertypes.source = "${pkgs.iptables}/etc/ethertypes"; }; boot.kernelModules = [ "tun" ]; diff --git a/nixpkgs/nixos/modules/virtualisation/lxc.nix b/nixpkgs/nixos/modules/virtualisation/lxc.nix index 9b5adaf08249..f484d5ee59a8 100644 --- a/nixpkgs/nixos/modules/virtualisation/lxc.nix +++ b/nixpkgs/nixos/modules/virtualisation/lxc.nix @@ -58,7 +58,7 @@ in '' This is the config file for managing unprivileged user network administration access in LXC. See <citerefentry> - <refentrytitle>lxc-user-net</refentrytitle><manvolnum>5</manvolnum> + <refentrytitle>lxc-usernet</refentrytitle><manvolnum>5</manvolnum> </citerefentry>. ''; }; diff --git a/nixpkgs/nixos/modules/virtualisation/lxd.nix b/nixpkgs/nixos/modules/virtualisation/lxd.nix index 505c11abd208..b4934a86cf56 100644 --- a/nixpkgs/nixos/modules/virtualisation/lxd.nix +++ b/nixpkgs/nixos/modules/virtualisation/lxd.nix @@ -35,6 +35,18 @@ in with nixos. ''; }; + recommendedSysctlSettings = mkOption { + type = types.bool; + default = false; + description = '' + enables various settings to avoid common pitfalls when + running containers requiring many file operations. + Fixes errors like "Too many open files" or + "neighbour: ndisc_cache: neighbor table overflow!". + See https://lxd.readthedocs.io/en/latest/production-setup/ + for details. + ''; + }; }; }; @@ -69,8 +81,11 @@ in ExecStart = "@${pkgs.lxd.bin}/bin/lxd lxd --group lxd"; Type = "simple"; KillMode = "process"; # when stopping, leave the containers alone + LimitMEMLOCK = "infinity"; + LimitNOFILE = "1048576"; + LimitNPROC = "infinity"; + TasksMax = "infinity"; }; - }; users.groups.lxd.gid = config.ids.gids.lxd; @@ -79,5 +94,16 @@ in subUidRanges = [ { startUid = 1000000; count = 65536; } ]; subGidRanges = [ { startGid = 1000000; count = 65536; } ]; }; + + boot.kernel.sysctl = mkIf cfg.recommendedSysctlSettings { + "fs.inotify.max_queued_events" = 1048576; + "fs.inotify.max_user_instances" = 1048576; + "fs.inotify.max_user_watches" = 1048576; + "vm.max_map_count" = 262144; + "kernel.dmesg_restrict" = 1; + "net.ipv4.neigh.default.gc_thresh3" = 8192; + "net.ipv6.neigh.default.gc_thresh3" = 8192; + "kernel.keys.maxkeys" = 2000; + }; }; } diff --git a/nixpkgs/nixos/modules/virtualisation/openvswitch.nix b/nixpkgs/nixos/modules/virtualisation/openvswitch.nix index edec37402308..6b8ad83661fe 100644 --- a/nixpkgs/nixos/modules/virtualisation/openvswitch.nix +++ b/nixpkgs/nixos/modules/virtualisation/openvswitch.nix @@ -42,6 +42,9 @@ in { default = false; description = '' Whether to start racoon service for openvswitch. + Supported only if openvswitch version is less than 2.6.0. + Use <literal>virtualisation.vswitch.package = pkgs.openvswitch-lts</literal> + for a version that supports ipsec over GRE. ''; }; }; @@ -89,6 +92,13 @@ in { "${cfg.package}/share/openvswitch/vswitch.ovsschema" fi chmod -R +w /var/db/openvswitch + if ${cfg.package}/bin/ovsdb-tool needs-conversion /var/db/openvswitch/conf.db | grep -q "yes" + then + echo "Performing database upgrade" + ${cfg.package}/bin/ovsdb-tool convert /var/db/openvswitch/conf.db + else + echo "Database already up to date" + fi ''; serviceConfig = { ExecStart = @@ -133,7 +143,7 @@ in { }; } - (mkIf cfg.ipsec { + (mkIf (cfg.ipsec && (versionOlder cfg.package.version "2.6.0")) { services.racoon.enable = true; services.racoon.configPath = "${runDir}/ipsec/etc/racoon/racoon.conf"; @@ -172,5 +182,4 @@ in { ''; }; })])); - } diff --git a/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix b/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix index ed3431554be4..31d332e9f07a 100644 --- a/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix @@ -23,24 +23,56 @@ let cfg = config.virtualisation; - qemuGraphics = lib.optionalString (!cfg.graphics) "-nographic"; - consoles = lib.concatMapStringsSep " " (c: "console=${c}") cfg.qemu.consoles; - # XXX: This is very ugly and in the future we really should use attribute - # sets to build ALL of the QEMU flags instead of this mixed mess of Nix - # expressions and shell script stuff. - mkDiskIfaceDriveFlag = idx: driveArgs: let - inherit (cfg.qemu) diskInterface; - # The drive identifier created by incrementing the index by one using the - # shell. - drvId = "drive$((${idx} + 1))"; - # NOTE: DO NOT shell escape, because this may contain shell variables. - commonArgs = "index=${idx},id=${drvId},${driveArgs}"; - isSCSI = diskInterface == "scsi"; - devArgs = "${diskInterface}-hd,drive=${drvId}"; - args = "-drive ${commonArgs},if=none -device lsi53c895a -device ${devArgs}"; - in if isSCSI then args else "-drive ${commonArgs},if=${diskInterface}"; + driveOpts = { ... }: { + + options = { + + file = mkOption { + type = types.str; + description = "The file image used for this drive."; + }; + + driveExtraOpts = mkOption { + type = types.attrsOf types.str; + default = {}; + description = "Extra options passed to drive flag."; + }; + + deviceExtraOpts = mkOption { + type = types.attrsOf types.str; + default = {}; + description = "Extra options passed to device flag."; + }; + + }; + + }; + + driveCmdline = idx: { file, driveExtraOpts, deviceExtraOpts, ... }: + let + drvId = "drive${toString idx}"; + mkKeyValue = generators.mkKeyValueDefault {} "="; + mkOpts = opts: concatStringsSep "," (mapAttrsToList mkKeyValue opts); + driveOpts = mkOpts (driveExtraOpts // { + index = idx; + id = drvId; + "if" = "none"; + inherit file; + }); + deviceOpts = mkOpts (deviceExtraOpts // { + drive = drvId; + }); + device = + if cfg.qemu.diskInterface == "scsi" then + "-device lsi53c895a -device scsi-hd,${deviceOpts}" + else + "-device virtio-blk-pci,${deviceOpts}"; + in + "-drive ${driveOpts} ${device}"; + + drivesCmdLine = drives: concatStringsSep " " (imap1 driveCmdline drives); # Shell script to start the VM. startVM = @@ -77,13 +109,11 @@ let ''} cd $TMPDIR - idx=2 - extraDisks="" + idx=0 ${flip concatMapStrings cfg.emptyDiskImages (size: '' if ! test -e "empty$idx.qcow2"; then ${qemu}/bin/qemu-img create -f qcow2 "empty$idx.qcow2" "${toString size}M" fi - extraDisks="$extraDisks ${mkDiskIfaceDriveFlag "$idx" "file=$(pwd)/empty$idx.qcow2,werror=report"}" idx=$((idx + 1)) '')} @@ -97,21 +127,7 @@ let -virtfs local,path=/nix/store,security_model=none,mount_tag=store \ -virtfs local,path=$TMPDIR/xchg,security_model=none,mount_tag=xchg \ -virtfs local,path=''${SHARED_DIR:-$TMPDIR/xchg},security_model=none,mount_tag=shared \ - ${if cfg.useBootLoader then '' - ${mkDiskIfaceDriveFlag "0" "file=$NIX_DISK_IMAGE,cache=writeback,werror=report"} \ - ${mkDiskIfaceDriveFlag "1" "file=$TMPDIR/disk.img,media=disk"} \ - ${if cfg.useEFIBoot then '' - -pflash $TMPDIR/bios.bin \ - '' else '' - ''} - '' else '' - ${mkDiskIfaceDriveFlag "0" "file=$NIX_DISK_IMAGE,cache=writeback,werror=report"} \ - -kernel ${config.system.build.toplevel}/kernel \ - -initrd ${config.system.build.toplevel}/initrd \ - -append "$(cat ${config.system.build.toplevel}/kernel-params) init=${config.system.build.toplevel}/init regInfo=${regInfo}/registration ${consoles} $QEMU_KERNEL_PARAMS" \ - ''} \ - $extraDisks \ - ${qemuGraphics} \ + ${drivesCmdLine config.virtualisation.qemu.drives} \ ${toString config.virtualisation.qemu.options} \ $QEMU_OPTS \ "$@" @@ -367,6 +383,12 @@ in ''; }; + drives = + mkOption { + type = types.listOf (types.submodule driveOpts); + description = "Drives passed to qemu."; + }; + diskInterface = mkOption { default = "virtio"; @@ -476,8 +498,49 @@ in # FIXME: Consolidate this one day. virtualisation.qemu.options = mkMerge [ - (mkIf (pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64) [ "-vga std" "-usb" "-device usb-tablet,bus=usb-bus.0" ]) - (mkIf (pkgs.stdenv.isAarch32 || pkgs.stdenv.isAarch64) [ "-device virtio-gpu-pci" "-device usb-ehci,id=usb0" "-device usb-kbd" "-device usb-tablet" ]) + (mkIf (pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64) [ + "-vga std" "-usb" "-device usb-tablet,bus=usb-bus.0" + ]) + (mkIf (pkgs.stdenv.isAarch32 || pkgs.stdenv.isAarch64) [ + "-device virtio-gpu-pci" "-device usb-ehci,id=usb0" "-device usb-kbd" "-device usb-tablet" + ]) + (mkIf (!cfg.useBootLoader) [ + "-kernel ${config.system.build.toplevel}/kernel" + "-initrd ${config.system.build.toplevel}/initrd" + ''-append "$(cat ${config.system.build.toplevel}/kernel-params) init=${config.system.build.toplevel}/init regInfo=${regInfo}/registration ${consoles} $QEMU_KERNEL_PARAMS"'' + ]) + (mkIf cfg.useEFIBoot [ + "-pflash $TMPDIR/bios.bin" + ]) + (mkIf (!cfg.graphics) [ + "-nographic" + ]) + ]; + + virtualisation.qemu.drives = mkMerge [ + (mkIf cfg.useBootLoader [ + { + file = "$NIX_DISK_IMAGE"; + driveExtraOpts.cache = "writeback"; + driveExtraOpts.werror = "report"; + } + { + file = "$TMPDIR/disk.img"; + driveExtraOpts.media = "disk"; + deviceExtraOpts.bootindex = "1"; + } + ]) + (mkIf (!cfg.useBootLoader) [ + { + file = "$NIX_DISK_IMAGE"; + driveExtraOpts.cache = "writeback"; + driveExtraOpts.werror = "report"; + } + ]) + (imap0 (idx: _: { + file = "$(pwd)/empty${toString idx}.qcow2"; + driveExtraOpts.werror = "report"; + }) cfg.emptyDiskImages) ]; # Mount the host filesystem via 9P, and bind-mount the Nix store @@ -557,7 +620,7 @@ in # Wireless won't work in the VM. networking.wireless.enable = mkVMOverride false; - networking.connman.enable = mkVMOverride false; + services.connman.enable = mkVMOverride false; # Speed up booting by not waiting for ARP. networking.dhcpcd.extraConfig = "noarp"; diff --git a/nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix b/nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix index 6081d4153a6c..ddb0a7bda4f3 100644 --- a/nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix +++ b/nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix @@ -149,5 +149,12 @@ in # Make sure NetworkManager won't assume this interface being up # means we have internet access. networking.networkmanager.unmanaged = ["vboxnet0"]; - })]); + }) (mkIf config.networking.useNetworkd { + systemd.network.networks."40-vboxnet0".extraConfig = '' + [Link] + RequiredForOnline=no + ''; + }) + +]); } diff --git a/nixpkgs/nixos/modules/virtualisation/vmware-guest.nix b/nixpkgs/nixos/modules/virtualisation/vmware-guest.nix index f418f849759f..962a9059ea47 100644 --- a/nixpkgs/nixos/modules/virtualisation/vmware-guest.nix +++ b/nixpkgs/nixos/modules/virtualisation/vmware-guest.nix @@ -8,6 +8,10 @@ let xf86inputvmmouse = pkgs.xorg.xf86inputvmmouse; in { + imports = [ + (mkRenamedOptionModule [ "services" "vmwareGuest" ] [ "virtualisation" "vmware" "guest" ]) + ]; + options.virtualisation.vmware.guest = { enable = mkEnableOption "VMWare Guest Support"; headless = mkOption { diff --git a/nixpkgs/nixos/modules/virtualisation/xen-dom0.nix b/nixpkgs/nixos/modules/virtualisation/xen-dom0.nix index 06d5c63476f9..7f0af9901b9b 100644 --- a/nixpkgs/nixos/modules/virtualisation/xen-dom0.nix +++ b/nixpkgs/nixos/modules/virtualisation/xen-dom0.nix @@ -9,6 +9,11 @@ let in { + imports = [ + (mkRemovedOptionModule [ "virtualisation" "xen" "qemu" ] "You don't need this option anymore, it will work without it.") + (mkRenamedOptionModule [ "virtualisation" "xen" "qemu-package" ] [ "virtualisation" "xen" "package-qemu" ]) + ]; + ###### interface options = { @@ -228,26 +233,19 @@ in environment.etc = - [ { source = "${cfg.package}/etc/xen/xl.conf"; - target = "xen/xl.conf"; - } - { source = "${cfg.package}/etc/xen/scripts"; - target = "xen/scripts"; - } - { text = '' - source ${cfg.package}/etc/default/xendomains - - ${cfg.domains.extraConfig} - ''; - target = "default/xendomains"; - } - ] - ++ lib.optionals (builtins.compareVersions cfg.package.version "4.10" >= 0) [ + { + "xen/xl.conf".source = "${cfg.package}/etc/xen/xl.conf"; + "xen/scripts".source = "${cfg.package}/etc/xen/scripts"; + "default/xendomains".text = '' + source ${cfg.package}/etc/default/xendomains + + ${cfg.domains.extraConfig} + ''; + } + // optionalAttrs (builtins.compareVersions cfg.package.version "4.10" >= 0) { # in V 4.10 oxenstored requires /etc/xen/oxenstored.conf to start - { source = "${cfg.package}/etc/xen/oxenstored.conf"; - target = "xen/oxenstored.conf"; - } - ]; + "xen/oxenstored.conf".source = "${cfg.package}/etc/xen/oxenstored.conf"; + }; # Xen provides udev rules. services.udev.packages = [ cfg.package ]; diff --git a/nixpkgs/nixos/release-combined.nix b/nixpkgs/nixos/release-combined.nix index 9e2109d88b5f..ca9c6f9a7f91 100644 --- a/nixpkgs/nixos/release-combined.nix +++ b/nixpkgs/nixos/release-combined.nix @@ -63,8 +63,7 @@ in rec { #(all nixos.tests.containers) (all nixos.tests.containers-imperative) - (all nixos.tests.containers-ipv4) - (all nixos.tests.containers-ipv6) + (all nixos.tests.containers-ip) nixos.tests.chromium.x86_64-linux or [] (all nixos.tests.firefox) (all nixos.tests.firewall) @@ -121,8 +120,8 @@ in rec { (all nixos.tests.networking.scripted.macvlan) (all nixos.tests.networking.scripted.sit) (all nixos.tests.networking.scripted.vlan) - (all nixos.tests.nfs3) - (all nixos.tests.nfs4) + (all nixos.tests.nfs3.simple) + (all nixos.tests.nfs4.simple) (all nixos.tests.openssh) (all nixos.tests.php-pcre) (all nixos.tests.predictable-interface-names.predictable) @@ -133,11 +132,9 @@ in rec { (all nixos.tests.proxy) (all nixos.tests.sddm.default) (all nixos.tests.simple) - (all nixos.tests.slim) (all nixos.tests.switchTest) (all nixos.tests.udisks2) (all nixos.tests.xfce) - (all nixos.tests.xfce4-14) nixpkgs.tarball (all allSupportedNixpkgs.emacs) diff --git a/nixpkgs/nixos/release-small.nix b/nixpkgs/nixos/release-small.nix index 84af457801a1..74c16e990f35 100644 --- a/nixpkgs/nixos/release-small.nix +++ b/nixpkgs/nixos/release-small.nix @@ -32,8 +32,7 @@ in rec { tests = { inherit (nixos'.tests) containers-imperative - containers-ipv4 - containers-ipv6 + containers-ip firewall ipv6 login diff --git a/nixpkgs/nixos/release.nix b/nixpkgs/nixos/release.nix index a4b6b6bb91a8..f40b5fa9bd7f 100644 --- a/nixpkgs/nixos/release.nix +++ b/nixpkgs/nixos/release.nix @@ -180,6 +180,11 @@ in rec { inherit system; }); + sd_image_raspberrypi4 = forMatchingSystems [ "aarch64-linux" ] (system: makeSdImage { + module = ./modules/installer/cd-dvd/sd-image-raspberrypi4.nix; + inherit system; + }); + # A bootable VirtualBox virtual appliance as an OVA file (i.e. packaged OVF). ova = forMatchingSystems [ "x86_64-linux" ] (system: diff --git a/nixpkgs/nixos/tests/3proxy.nix b/nixpkgs/nixos/tests/3proxy.nix new file mode 100644 index 000000000000..3e2061d7e42f --- /dev/null +++ b/nixpkgs/nixos/tests/3proxy.nix @@ -0,0 +1,185 @@ +import ./make-test-python.nix ({ pkgs, ...} : { + name = "3proxy"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ misuzu ]; + }; + + nodes = { + peer0 = { lib, ... }: { + networking.useDHCP = false; + networking.interfaces.eth1 = { + ipv4.addresses = [ + { + address = "192.168.0.1"; + prefixLength = 24; + } + { + address = "216.58.211.111"; + prefixLength = 24; + } + ]; + }; + }; + + peer1 = { lib, ... }: { + networking.useDHCP = false; + networking.interfaces.eth1 = { + ipv4.addresses = [ + { + address = "192.168.0.2"; + prefixLength = 24; + } + { + address = "216.58.211.112"; + prefixLength = 24; + } + ]; + }; + # test that binding to [::] is working when ipv6 is disabled + networking.enableIPv6 = false; + services._3proxy = { + enable = true; + services = [ + { + type = "admin"; + bindPort = 9999; + auth = [ "none" ]; + } + { + type = "proxy"; + bindPort = 3128; + auth = [ "none" ]; + } + ]; + }; + networking.firewall.allowedTCPPorts = [ 3128 9999 ]; + }; + + peer2 = { lib, ... }: { + networking.useDHCP = false; + networking.interfaces.eth1 = { + ipv4.addresses = [ + { + address = "192.168.0.3"; + prefixLength = 24; + } + { + address = "216.58.211.113"; + prefixLength = 24; + } + ]; + }; + services._3proxy = { + enable = true; + services = [ + { + type = "admin"; + bindPort = 9999; + auth = [ "none" ]; + } + { + type = "proxy"; + bindPort = 3128; + auth = [ "iponly" ]; + acl = [ + { + rule = "allow"; + } + ]; + } + ]; + }; + networking.firewall.allowedTCPPorts = [ 3128 9999 ]; + }; + + peer3 = { lib, ... }: { + networking.useDHCP = false; + networking.interfaces.eth1 = { + ipv4.addresses = [ + { + address = "192.168.0.4"; + prefixLength = 24; + } + { + address = "216.58.211.114"; + prefixLength = 24; + } + ]; + }; + services._3proxy = { + enable = true; + usersFile = pkgs.writeText "3proxy.passwd" '' + admin:CR:$1$.GUV4Wvk$WnEVQtaqutD9.beO5ar1W/ + ''; + services = [ + { + type = "admin"; + bindPort = 9999; + auth = [ "none" ]; + } + { + type = "proxy"; + bindPort = 3128; + auth = [ "strong" ]; + acl = [ + { + rule = "allow"; + } + ]; + } + ]; + }; + networking.firewall.allowedTCPPorts = [ 3128 9999 ]; + }; + }; + + testScript = '' + peer1.wait_for_unit("3proxy.service") + peer1.wait_for_open_port("9999") + + # test none auth + peer0.succeed( + "${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.2:3128 -S -O /dev/null http://216.58.211.112:9999" + ) + peer0.succeed( + "${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.2:3128 -S -O /dev/null http://192.168.0.2:9999" + ) + peer0.succeed( + "${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.2:3128 -S -O /dev/null http://127.0.0.1:9999" + ) + + peer2.wait_for_unit("3proxy.service") + peer2.wait_for_open_port("9999") + + # test iponly auth + peer0.succeed( + "${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.3:3128 -S -O /dev/null http://216.58.211.113:9999" + ) + peer0.fail( + "${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.3:3128 -S -O /dev/null http://192.168.0.3:9999" + ) + peer0.fail( + "${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.3:3128 -S -O /dev/null http://127.0.0.1:9999" + ) + + peer3.wait_for_unit("3proxy.service") + peer3.wait_for_open_port("9999") + + # test strong auth + peer0.succeed( + "${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://admin:bigsecret\@192.168.0.4:3128 -S -O /dev/null http://216.58.211.114:9999" + ) + peer0.fail( + "${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://admin:bigsecret\@192.168.0.4:3128 -S -O /dev/null http://192.168.0.4:9999" + ) + peer0.fail( + "${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.4:3128 -S -O /dev/null http://216.58.211.114:9999" + ) + peer0.fail( + "${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.4:3128 -S -O /dev/null http://192.168.0.4:9999" + ) + peer0.fail( + "${pkgs.wget}/bin/wget -e use_proxy=yes -e http_proxy=http://192.168.0.4:3128 -S -O /dev/null http://127.0.0.1:9999" + ) + ''; +}) diff --git a/nixpkgs/nixos/tests/acme.nix b/nixpkgs/nixos/tests/acme.nix index 8cfdea4a16ef..6bd315ff1eaa 100644 --- a/nixpkgs/nixos/tests/acme.nix +++ b/nixpkgs/nixos/tests/acme.nix @@ -1,6 +1,6 @@ let commonConfig = ./common/letsencrypt/common.nix; -in import ./make-test.nix { +in import ./make-test-python.nix { name = "acme"; nodes = rec { @@ -12,8 +12,11 @@ in import ./make-test.nix { networking.extraHosts = '' ${config.networking.primaryIPAddress} standalone.com ''; - security.acme.certs."standalone.com" = { - webroot = "/var/lib/acme/acme-challenges"; + security.acme = { + server = "https://acme-v02.api.letsencrypt.org/dir"; + certs."standalone.com" = { + webroot = "/var/lib/acme/acme-challenges"; + }; }; systemd.targets."acme-finished-standalone.com" = {}; systemd.services."acme-standalone.com" = { @@ -54,6 +57,8 @@ in import ./make-test.nix { ''; }; + security.acme.server = "https://acme-v02.api.letsencrypt.org/dir"; + nesting.clone = [ ({pkgs, ...}: { @@ -80,36 +85,49 @@ in import ./make-test.nix { client = commonConfig; }; - testScript = {nodes, ...}: + testScript = {nodes, ...}: let newServerSystem = nodes.webserver2.config.system.build.toplevel; switchToNewServer = "${newServerSystem}/bin/switch-to-configuration test"; in - # Note, waitForUnit does not work for oneshot services that do not have RemainAfterExit=true, + # Note, wait_for_unit does not work for oneshot services that do not have RemainAfterExit=true, # this is because a oneshot goes from inactive => activating => inactive, and never # reaches the active state. To work around this, we create some mock target units which # get pulled in by the oneshot units. The target units linger after activation, and hence we # can use them to probe that a oneshot fired. It is a bit ugly, but it is the best we can do '' - $client->waitForUnit("default.target"); - $letsencrypt->waitForUnit("default.target"); - $letsencrypt->waitForUnit("boulder.service"); - - subtest "can request certificate with HTTPS-01 challenge", sub { - $acmeStandalone->waitForUnit("default.target"); - $acmeStandalone->succeed("systemctl start acme-standalone.com.service"); - $acmeStandalone->waitForUnit("acme-finished-standalone.com.target"); - }; + client.start() + letsencrypt.start() + acmeStandalone.start() - subtest "Can request certificate for nginx service", sub { - $webserver->waitForUnit("acme-finished-a.example.com.target"); - $client->succeed('curl https://a.example.com/ | grep -qF "hello world"'); - }; + letsencrypt.wait_for_unit("default.target") + letsencrypt.wait_for_unit("pebble.service") - subtest "Can add another certificate for nginx service", sub { - $webserver->succeed("/run/current-system/fine-tune/child-1/bin/switch-to-configuration test"); - $webserver->waitForUnit("acme-finished-b.example.com.target"); - $client->succeed('curl https://b.example.com/ | grep -qF "hello world"'); - }; + with subtest("can request certificate with HTTPS-01 challenge"): + acmeStandalone.wait_for_unit("default.target") + acmeStandalone.succeed("systemctl start acme-standalone.com.service") + acmeStandalone.wait_for_unit("acme-finished-standalone.com.target") + + client.wait_for_unit("default.target") + + client.succeed("curl https://acme-v02.api.letsencrypt.org:15000/roots/0 > /tmp/ca.crt") + client.succeed( + "curl https://acme-v02.api.letsencrypt.org:15000/intermediate-keys/0 >> /tmp/ca.crt" + ) + + with subtest("Can request certificate for nginx service"): + webserver.wait_for_unit("acme-finished-a.example.com.target") + client.succeed( + "curl --cacert /tmp/ca.crt https://a.example.com/ | grep -qF 'hello world'" + ) + + with subtest("Can add another certificate for nginx service"): + webserver.succeed( + "/run/current-system/fine-tune/child-1/bin/switch-to-configuration test" + ) + webserver.wait_for_unit("acme-finished-b.example.com.target") + client.succeed( + "curl --cacert /tmp/ca.crt https://b.example.com/ | grep -qF 'hello world'" + ) ''; } diff --git a/nixpkgs/nixos/tests/all-tests.nix b/nixpkgs/nixos/tests/all-tests.nix index 5643da99e557..fe9c4df1416f 100644 --- a/nixpkgs/nixos/tests/all-tests.nix +++ b/nixpkgs/nixos/tests/all-tests.nix @@ -21,13 +21,15 @@ let else {}; in { + _3proxy = handleTest ./3proxy.nix {}; acme = handleTestOn ["x86_64-linux"] ./acme.nix {}; atd = handleTest ./atd.nix {}; automysqlbackup = handleTest ./automysqlbackup.nix {}; avahi = handleTest ./avahi.nix {}; + babeld = handleTest ./babeld.nix {}; bcachefs = handleTestOn ["x86_64-linux"] ./bcachefs.nix {}; # linux-4.18.2018.10.12 is unsupported on aarch64 beanstalkd = handleTest ./beanstalkd.nix {}; - beegfs = handleTestOn ["x86_64-linux"] ./beegfs.nix {}; # beegfs is unsupported on aarch64 + bees = handleTest ./bees.nix {}; bind = handleTest ./bind.nix {}; bittorrent = handleTest ./bittorrent.nix {}; #blivet = handleTest ./blivet.nix {}; # broken since 2017-07024 @@ -35,9 +37,11 @@ in boot-stage1 = handleTest ./boot-stage1.nix {}; borgbackup = handleTest ./borgbackup.nix {}; buildbot = handleTest ./buildbot.nix {}; + caddy = handleTest ./caddy.nix {}; cadvisor = handleTestOn ["x86_64-linux"] ./cadvisor.nix {}; cassandra = handleTest ./cassandra.nix {}; - ceph = handleTestOn ["x86_64-linux"] ./ceph.nix {}; + ceph-single-node = handleTestOn ["x86_64-linux"] ./ceph-single-node.nix {}; + ceph-multi-node = handleTestOn ["x86_64-linux"] ./ceph-multi-node.nix {}; certmgr = handleTest ./certmgr.nix {}; cfssl = handleTestOn ["x86_64-linux"] ./cfssl.nix {}; chromium = (handleTestOn ["x86_64-linux"] ./chromium.nix {}).stable or {}; @@ -45,16 +49,16 @@ in clickhouse = handleTest ./clickhouse.nix {}; cloud-init = handleTest ./cloud-init.nix {}; codimd = handleTest ./codimd.nix {}; - colord = handleTest ./colord.nix {}; + consul = handleTest ./consul.nix {}; containers-bridge = handleTest ./containers-bridge.nix {}; containers-ephemeral = handleTest ./containers-ephemeral.nix {}; containers-extra_veth = handleTest ./containers-extra_veth.nix {}; containers-hosts = handleTest ./containers-hosts.nix {}; containers-imperative = handleTest ./containers-imperative.nix {}; - containers-ipv4 = handleTest ./containers-ipv4.nix {}; - containers-ipv6 = handleTest ./containers-ipv6.nix {}; + containers-ip = handleTest ./containers-ip.nix {}; containers-macvlans = handleTest ./containers-macvlans.nix {}; containers-physical_interfaces = handleTest ./containers-physical_interfaces.nix {}; + containers-portforward = handleTest ./containers-portforward.nix {}; containers-restart_networking = handleTest ./containers-restart_networking.nix {}; containers-tmpfs = handleTest ./containers-tmpfs.nix {}; couchdb = handleTest ./couchdb.nix {}; @@ -79,34 +83,31 @@ in env = handleTest ./env.nix {}; etcd = handleTestOn ["x86_64-linux"] ./etcd.nix {}; etcd-cluster = handleTestOn ["x86_64-linux"] ./etcd-cluster.nix {}; + fancontrol = handleTest ./fancontrol.nix {}; ferm = handleTest ./ferm.nix {}; firefox = handleTest ./firefox.nix {}; firewall = handleTest ./firewall.nix {}; fish = handleTest ./fish.nix {}; flannel = handleTestOn ["x86_64-linux"] ./flannel.nix {}; - flatpak = handleTest ./flatpak.nix {}; - flatpak-builder = handleTest ./flatpak-builder.nix {}; fluentd = handleTest ./fluentd.nix {}; fontconfig-default-fonts = handleTest ./fontconfig-default-fonts.nix {}; fsck = handleTest ./fsck.nix {}; - fwupd = handleTestOn ["x86_64-linux"] ./fwupd.nix {}; # libsmbios is unsupported on aarch64 - gdk-pixbuf = handleTest ./gdk-pixbuf.nix {}; + gotify-server = handleTest ./gotify-server.nix {}; gitea = handleTest ./gitea.nix {}; gitlab = handleTest ./gitlab.nix {}; gitolite = handleTest ./gitolite.nix {}; - gjs = handleTest ./gjs.nix {}; - glib-networking = handleTest ./glib-networking.nix {}; + gitolite-fcgiwrap = handleTest ./gitolite-fcgiwrap.nix {}; glusterfs = handleTest ./glusterfs.nix {}; gnome3-xorg = handleTest ./gnome3-xorg.nix {}; gnome3 = handleTest ./gnome3.nix {}; - gnome-photos = handleTest ./gnome-photos.nix {}; + installed-tests = pkgs.recurseIntoAttrs (handleTest ./installed-tests {}); gocd-agent = handleTest ./gocd-agent.nix {}; gocd-server = handleTest ./gocd-server.nix {}; google-oslogin = handleTest ./google-oslogin {}; - graphene = handleTest ./graphene.nix {}; grafana = handleTest ./grafana.nix {}; graphite = handleTest ./graphite.nix {}; graylog = handleTest ./graylog.nix {}; + gvisor = handleTest ./gvisor.nix {}; hadoop.hdfs = handleTestOn [ "x86_64-linux" ] ./hadoop/hdfs.nix {}; hadoop.yarn = handleTestOn [ "x86_64-linux" ] ./hadoop/yarn.nix {}; handbrake = handleTestOn ["x86_64-linux"] ./handbrake.nix {}; @@ -121,6 +122,7 @@ in i3wm = handleTest ./i3wm.nix {}; icingaweb2 = handleTest ./icingaweb2.nix {}; iftop = handleTest ./iftop.nix {}; + ihatemoney = handleTest ./ihatemoney.nix {}; incron = handleTest ./incron.nix {}; influxdb = handleTest ./influxdb.nix {}; initrd-network-ssh = handleTest ./initrd-network-ssh {}; @@ -130,8 +132,8 @@ in jackett = handleTest ./jackett.nix {}; jellyfin = handleTest ./jellyfin.nix {}; jenkins = handleTest ./jenkins.nix {}; - jormungandr = handleTest ./jormungandr.nix {}; kafka = handleTest ./kafka.nix {}; + keepalived = handleTest ./keepalived.nix {}; kerberos = handleTest ./kerberos/default.nix {}; kernel-latest = handleTest ./kernel-latest.nix {}; kernel-lts = handleTest ./kernel-lts.nix {}; @@ -145,16 +147,17 @@ in latestKernel.login = handleTest ./login.nix { latestKernel = true; }; ldap = handleTest ./ldap.nix {}; leaps = handleTest ./leaps.nix {}; - libgdata = handleTest ./libgdata.nix {}; - libxmlb = handleTest ./libxmlb.nix {}; lidarr = handleTest ./lidarr.nix {}; lightdm = handleTest ./lightdm.nix {}; limesurvey = handleTest ./limesurvey.nix {}; login = handleTest ./login.nix {}; loki = handleTest ./loki.nix {}; #logstash = handleTest ./logstash.nix {}; + lorri = handleTest ./lorri/default.nix {}; + magnetico = handleTest ./magnetico.nix {}; mailcatcher = handleTest ./mailcatcher.nix {}; mathics = handleTest ./mathics.nix {}; + matomo = handleTest ./matomo.nix {}; matrix-synapse = handleTest ./matrix-synapse.nix {}; mediawiki = handleTest ./mediawiki.nix {}; memcached = handleTest ./memcached.nix {}; @@ -164,6 +167,7 @@ in minio = handleTest ./minio.nix {}; minidlna = handleTest ./minidlna.nix {}; misc = handleTest ./misc.nix {}; + moinmoin = handleTest ./moinmoin.nix {}; mongodb = handleTest ./mongodb.nix {}; moodle = handleTest ./moodle.nix {}; morty = handleTest ./morty.nix {}; @@ -176,6 +180,7 @@ in mysql = handleTest ./mysql.nix {}; mysqlBackup = handleTest ./mysql-backup.nix {}; mysqlReplication = handleTest ./mysql-replication.nix {}; + nagios = handleTest ./nagios.nix {}; nat.firewall = handleTest ./nat.nix { withFirewall = true; }; nat.firewall-conntrack = handleTest ./nat.nix { withFirewall = true; withConntrackHelpers = true; }; nat.standalone = handleTest ./nat.nix { withFirewall = false; }; @@ -189,26 +194,28 @@ in networkingProxy = handleTest ./networking-proxy.nix {}; nextcloud = handleTest ./nextcloud {}; nexus = handleTest ./nexus.nix {}; - nfs3 = handleTest ./nfs.nix { version = 3; }; - nfs4 = handleTest ./nfs.nix { version = 4; }; + # TODO: Test nfsv3 + Kerberos + nfs3 = handleTest ./nfs { version = 3; }; + nfs4 = handleTest ./nfs { version = 4; }; nghttpx = handleTest ./nghttpx.nix {}; nginx = handleTest ./nginx.nix {}; + nginx-etag = handleTest ./nginx-etag.nix {}; nginx-sso = handleTest ./nginx-sso.nix {}; nix-ssh-serve = handleTest ./nix-ssh-serve.nix {}; nixos-generate-config = handleTest ./nixos-generate-config.nix {}; novacomd = handleTestOn ["x86_64-linux"] ./novacomd.nix {}; nsd = handleTest ./nsd.nix {}; nzbget = handleTest ./nzbget.nix {}; + openarena = handleTest ./openarena.nix {}; openldap = handleTest ./openldap.nix {}; opensmtpd = handleTest ./opensmtpd.nix {}; openssh = handleTest ./openssh.nix {}; # openstack-image-userdata doesn't work in a sandbox as the simulated openstack instance needs network access #openstack-image-userdata = (handleTestOn ["x86_64-linux"] ./openstack-image.nix {}).userdata or {}; openstack-image-metadata = (handleTestOn ["x86_64-linux"] ./openstack-image.nix {}).metadata or {}; + orangefs = handleTest ./orangefs.nix {}; os-prober = handleTestOn ["x86_64-linux"] ./os-prober.nix {}; - osquery = handleTest ./osquery.nix {}; osrm-backend = handleTest ./osrm-backend.nix {}; - ostree = handleTest ./ostree.nix {}; overlayfs = handleTest ./overlayfs.nix {}; packagekit = handleTest ./packagekit.nix {}; pam-oath-login = handleTest ./pam-oath-login.nix {}; @@ -225,6 +232,7 @@ in postgresql = handleTest ./postgresql.nix {}; postgresql-wal-receiver = handleTest ./postgresql-wal-receiver.nix {}; powerdns = handleTest ./powerdns.nix {}; + pppd = handleTest ./pppd.nix {}; predictable-interface-names = handleTest ./predictable-interface-names.nix {}; printing = handleTest ./printing.nix {}; prometheus = handleTest ./prometheus.nix {}; @@ -233,7 +241,6 @@ in prosodyMysql = handleTest ./xmpp/prosody-mysql.nix {}; proxy = handleTest ./proxy.nix {}; quagga = handleTest ./quagga.nix {}; - quake3 = handleTest ./quake3.nix {}; rabbitmq = handleTest ./rabbitmq.nix {}; radarr = handleTest ./radarr.nix {}; radicale = handleTest ./radicale.nix {}; @@ -247,13 +254,14 @@ in rxe = handleTest ./rxe.nix {}; samba = handleTest ./samba.nix {}; sddm = handleTest ./sddm.nix {}; + shiori = handleTest ./shiori.nix {}; signal-desktop = handleTest ./signal-desktop.nix {}; simple = handleTest ./simple.nix {}; - slim = handleTest ./slim.nix {}; slurm = handleTest ./slurm.nix {}; smokeping = handleTest ./smokeping.nix {}; snapper = handleTest ./snapper.nix {}; solr = handleTest ./solr.nix {}; + spacecookie = handleTest ./spacecookie.nix {}; sonarr = handleTest ./sonarr.nix {}; strongswan-swanctl = handleTest ./strongswan-swanctl.nix {}; sudo = handleTest ./sudo.nix {}; @@ -261,17 +269,23 @@ in syncthing-init = handleTest ./syncthing-init.nix {}; syncthing-relay = handleTest ./syncthing-relay.nix {}; systemd = handleTest ./systemd.nix {}; + systemd-analyze = handleTest ./systemd-analyze.nix {}; systemd-confinement = handleTest ./systemd-confinement.nix {}; systemd-timesyncd = handleTest ./systemd-timesyncd.nix {}; systemd-networkd-wireguard = handleTest ./systemd-networkd-wireguard.nix {}; + systemd-nspawn = handleTest ./systemd-nspawn.nix {}; pdns-recursor = handleTest ./pdns-recursor.nix {}; taskserver = handleTest ./taskserver.nix {}; telegraf = handleTest ./telegraf.nix {}; tiddlywiki = handleTest ./tiddlywiki.nix {}; + timezone = handleTest ./timezone.nix {}; tinydns = handleTest ./tinydns.nix {}; tor = handleTest ./tor.nix {}; transmission = handleTest ./transmission.nix {}; + trac = handleTest ./trac.nix {}; + trilium-server = handleTestOn ["x86_64-linux"] ./trilium-server.nix {}; trezord = handleTest ./trezord.nix {}; + trickster = handleTest ./trickster.nix {}; udisks2 = handleTest ./udisks2.nix {}; upnp = handleTest ./upnp.nix {}; uwsgi = handleTest ./uwsgi.nix {}; @@ -279,14 +293,15 @@ in virtualbox = handleTestOn ["x86_64-linux"] ./virtualbox.nix {}; wireguard = handleTest ./wireguard {}; wireguard-generated = handleTest ./wireguard/generated.nix {}; + wireguard-namespaces = handleTest ./wireguard/namespaces.nix {}; wordpress = handleTest ./wordpress.nix {}; xautolock = handleTest ./xautolock.nix {}; - xdg-desktop-portal = handleTest ./xdg-desktop-portal.nix {}; xfce = handleTest ./xfce.nix {}; - xfce4-14 = handleTest ./xfce4-14.nix {}; xmonad = handleTest ./xmonad.nix {}; xrdp = handleTest ./xrdp.nix {}; xss-lock = handleTest ./xss-lock.nix {}; yabar = handleTest ./yabar.nix {}; + yggdrasil = handleTest ./yggdrasil.nix {}; + zsh-history = handleTest ./zsh-history.nix {}; zookeeper = handleTest ./zookeeper.nix {}; } diff --git a/nixpkgs/nixos/tests/ammonite.nix b/nixpkgs/nixos/tests/ammonite.nix index fedfde233e8d..1955e42be5f0 100644 --- a/nixpkgs/nixos/tests/ammonite.nix +++ b/nixpkgs/nixos/tests/ammonite.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "ammonite"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ nequissimus ]; @@ -13,8 +13,8 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; + start_all() - $amm->succeed("amm -c 'val foo = 21; println(foo * 2)' | grep 42") + amm.succeed("amm -c 'val foo = 21; println(foo * 2)' | grep 42") ''; }) diff --git a/nixpkgs/nixos/tests/atd.nix b/nixpkgs/nixos/tests/atd.nix index 25db72799241..c3abe5c253df 100644 --- a/nixpkgs/nixos/tests/atd.nix +++ b/nixpkgs/nixos/tests/atd.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, ... }: { name = "atd"; @@ -14,18 +14,18 @@ import ./make-test.nix ({ pkgs, ... }: # "at" has a resolution of 1 minute testScript = '' - startAll; + start_all() - $machine->waitForUnit('atd.service'); # wait for atd to start - $machine->fail("test -f ~root/at-1"); - $machine->fail("test -f ~alice/at-1"); + machine.wait_for_unit("atd.service") # wait for atd to start + machine.fail("test -f ~root/at-1") + machine.fail("test -f ~alice/at-1") - $machine->succeed("echo 'touch ~root/at-1' | at now+1min"); - $machine->succeed("su - alice -c \"echo 'touch at-1' | at now+1min\""); + machine.succeed("echo 'touch ~root/at-1' | at now+1min") + machine.succeed("su - alice -c \"echo 'touch at-1' | at now+1min\"") - $machine->succeed("sleep 1.5m"); + machine.succeed("sleep 1.5m") - $machine->succeed("test -f ~root/at-1"); - $machine->succeed("test -f ~alice/at-1"); + machine.succeed("test -f ~root/at-1") + machine.succeed("test -f ~alice/at-1") ''; }) diff --git a/nixpkgs/nixos/tests/automysqlbackup.nix b/nixpkgs/nixos/tests/automysqlbackup.nix index ada104a34de3..224b93862fbd 100644 --- a/nixpkgs/nixos/tests/automysqlbackup.nix +++ b/nixpkgs/nixos/tests/automysqlbackup.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, lib, ... }: +import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "automysqlbackup"; @@ -15,20 +15,24 @@ import ./make-test.nix ({ pkgs, lib, ... }: }; testScript = '' - startAll; + start_all() # Need to have mysql started so that it can be populated with data. - $machine->waitForUnit("mysql.service"); - - # Wait for testdb to be fully populated (5 rows). - $machine->waitUntilSucceeds("mysql -u root -D testdb -N -B -e 'select count(id) from tests' | grep -q 5"); - - # Do a backup and wait for it to start - $machine->startJob("automysqlbackup.service"); - $machine->waitForJob("automysqlbackup.service"); - - # wait for backup file and check that data appears in backup - $machine->waitForFile("/var/backup/mysql/daily/testdb"); - $machine->succeed("${pkgs.gzip}/bin/zcat /var/backup/mysql/daily/testdb/daily_testdb_*.sql.gz | grep hello"); + machine.wait_for_unit("mysql.service") + + with subtest("Wait for testdb to be fully populated (5 rows)."): + machine.wait_until_succeeds( + "mysql -u root -D testdb -N -B -e 'select count(id) from tests' | grep -q 5" + ) + + with subtest("Do a backup and wait for it to start"): + machine.start_job("automysqlbackup.service") + machine.wait_for_job("automysqlbackup.service") + + with subtest("wait for backup file and check that data appears in backup"): + machine.wait_for_file("/var/backup/mysql/daily/testdb") + machine.succeed( + "${pkgs.gzip}/bin/zcat /var/backup/mysql/daily/testdb/daily_testdb_*.sql.gz | grep hello" + ) ''; }) diff --git a/nixpkgs/nixos/tests/avahi.nix b/nixpkgs/nixos/tests/avahi.nix index ae4f54d5266a..fe027c14d5a8 100644 --- a/nixpkgs/nixos/tests/avahi.nix +++ b/nixpkgs/nixos/tests/avahi.nix @@ -1,5 +1,5 @@ # Test whether `avahi-daemon' and `libnss-mdns' work as expected. -import ./make-test.nix ({ pkgs, ... } : { +import ./make-test-python.nix ({ pkgs, ... } : { name = "avahi"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ eelco ]; @@ -23,45 +23,45 @@ import ./make-test.nix ({ pkgs, ... } : { two = cfg; }; - testScript = - '' startAll; + testScript = '' + start_all() - # mDNS. - $one->waitForUnit("network.target"); - $two->waitForUnit("network.target"); + # mDNS. + one.wait_for_unit("network.target") + two.wait_for_unit("network.target") - $one->succeed("avahi-resolve-host-name one.local | tee out >&2"); - $one->succeed("test \"`cut -f1 < out`\" = one.local"); - $one->succeed("avahi-resolve-host-name two.local | tee out >&2"); - $one->succeed("test \"`cut -f1 < out`\" = two.local"); + one.succeed("avahi-resolve-host-name one.local | tee out >&2") + one.succeed('test "`cut -f1 < out`" = one.local') + one.succeed("avahi-resolve-host-name two.local | tee out >&2") + one.succeed('test "`cut -f1 < out`" = two.local') - $two->succeed("avahi-resolve-host-name one.local | tee out >&2"); - $two->succeed("test \"`cut -f1 < out`\" = one.local"); - $two->succeed("avahi-resolve-host-name two.local | tee out >&2"); - $two->succeed("test \"`cut -f1 < out`\" = two.local"); + two.succeed("avahi-resolve-host-name one.local | tee out >&2") + two.succeed('test "`cut -f1 < out`" = one.local') + two.succeed("avahi-resolve-host-name two.local | tee out >&2") + two.succeed('test "`cut -f1 < out`" = two.local') - # Basic DNS-SD. - $one->succeed("avahi-browse -r -t _workstation._tcp | tee out >&2"); - $one->succeed("test `wc -l < out` -gt 0"); - $two->succeed("avahi-browse -r -t _workstation._tcp | tee out >&2"); - $two->succeed("test `wc -l < out` -gt 0"); + # Basic DNS-SD. + one.succeed("avahi-browse -r -t _workstation._tcp | tee out >&2") + one.succeed("test `wc -l < out` -gt 0") + two.succeed("avahi-browse -r -t _workstation._tcp | tee out >&2") + two.succeed("test `wc -l < out` -gt 0") - # More DNS-SD. - $one->execute("avahi-publish -s \"This is a test\" _test._tcp 123 one=1 &"); - $one->sleep(5); - $two->succeed("avahi-browse -r -t _test._tcp | tee out >&2"); - $two->succeed("test `wc -l < out` -gt 0"); + # More DNS-SD. + one.execute('avahi-publish -s "This is a test" _test._tcp 123 one=1 &') + one.sleep(5) + two.succeed("avahi-browse -r -t _test._tcp | tee out >&2") + two.succeed("test `wc -l < out` -gt 0") - # NSS-mDNS. - $one->succeed("getent hosts one.local >&2"); - $one->succeed("getent hosts two.local >&2"); - $two->succeed("getent hosts one.local >&2"); - $two->succeed("getent hosts two.local >&2"); + # NSS-mDNS. + one.succeed("getent hosts one.local >&2") + one.succeed("getent hosts two.local >&2") + two.succeed("getent hosts one.local >&2") + two.succeed("getent hosts two.local >&2") - # extra service definitions - $one->succeed("avahi-browse -r -t _ssh._tcp | tee out >&2"); - $one->succeed("test `wc -l < out` -gt 0"); - $two->succeed("avahi-browse -r -t _ssh._tcp | tee out >&2"); - $two->succeed("test `wc -l < out` -gt 0"); - ''; + # extra service definitions + one.succeed("avahi-browse -r -t _ssh._tcp | tee out >&2") + one.succeed("test `wc -l < out` -gt 0") + two.succeed("avahi-browse -r -t _ssh._tcp | tee out >&2") + two.succeed("test `wc -l < out` -gt 0") + ''; }) diff --git a/nixpkgs/nixos/tests/babeld.nix b/nixpkgs/nixos/tests/babeld.nix new file mode 100644 index 000000000000..fafa788ba57b --- /dev/null +++ b/nixpkgs/nixos/tests/babeld.nix @@ -0,0 +1,148 @@ + +import ./make-test-python.nix ({ pkgs, lib, ...} : { + name = "babeld"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ hexa ]; + }; + + nodes = + { client = { pkgs, lib, ... }: + { + virtualisation.vlans = [ 10 ]; + + networking = { + useDHCP = false; + interfaces."eth1" = { + ipv4.addresses = lib.mkForce [ { address = "192.168.10.2"; prefixLength = 24; } ]; + ipv4.routes = lib.mkForce [ { address = "0.0.0.0"; prefixLength = 0; via = "192.168.10.1"; } ]; + ipv6.addresses = lib.mkForce [ { address = "2001:db8:10::2"; prefixLength = 64; } ]; + ipv6.routes = lib.mkForce [ { address = "::"; prefixLength = 0; via = "2001:db8:10::1"; } ]; + }; + }; + }; + + local_router = { pkgs, lib, ... }: + { + virtualisation.vlans = [ 10 20 ]; + + boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = 1; + boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; + + networking = { + useDHCP = false; + firewall.enable = false; + + interfaces."eth1" = { + ipv4.addresses = lib.mkForce [ { address = "192.168.10.1"; prefixLength = 24; } ]; + ipv6.addresses = lib.mkForce [ { address = "2001:db8:10::1"; prefixLength = 64; } ]; + }; + + interfaces."eth2" = { + ipv4.addresses = lib.mkForce [ { address = "192.168.20.1"; prefixLength = 24; } ]; + ipv6.addresses = lib.mkForce [ { address = "2001:db8:20::1"; prefixLength = 64; } ]; + }; + }; + + services.babeld = { + enable = true; + interfaces.eth2 = { + hello-interval = 1; + type = "wired"; + }; + extraConfig = '' + local-port-readwrite 33123 + + import-table 254 # main + export-table 254 # main + + in ip 192.168.10.0/24 deny + in ip 192.168.20.0/24 deny + in ip 2001:db8:10::/64 deny + in ip 2001:db8:20::/64 deny + + in ip 192.168.30.0/24 allow + in ip 2001:db8:30::/64 allow + + in deny + + redistribute local proto 2 + redistribute local deny + ''; + }; + }; + remote_router = { pkgs, lib, ... }: + { + virtualisation.vlans = [ 20 30 ]; + + boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = 1; + boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; + + networking = { + useDHCP = false; + firewall.enable = false; + + interfaces."eth1" = { + ipv4.addresses = lib.mkForce [ { address = "192.168.20.2"; prefixLength = 24; } ]; + ipv6.addresses = lib.mkForce [ { address = "2001:db8:20::2"; prefixLength = 64; } ]; + }; + + interfaces."eth2" = { + ipv4.addresses = lib.mkForce [ { address = "192.168.30.1"; prefixLength = 24; } ]; + ipv6.addresses = lib.mkForce [ { address = "2001:db8:30::1"; prefixLength = 64; } ]; + }; + }; + + services.babeld = { + enable = true; + interfaces.eth1 = { + hello-interval = 1; + type = "wired"; + }; + extraConfig = '' + local-port-readwrite 33123 + + import-table 254 # main + export-table 254 # main + + in ip 192.168.20.0/24 deny + in ip 192.168.30.0/24 deny + in ip 2001:db8:20::/64 deny + in ip 2001:db8:30::/64 deny + + in ip 192.168.10.0/24 allow + in ip 2001:db8:10::/64 allow + + in deny + + redistribute local proto 2 + redistribute local deny + ''; + }; + + }; + }; + + testScript = + '' + start_all() + + client.wait_for_unit("network-online.target") + local_router.wait_for_unit("network-online.target") + remote_router.wait_for_unit("network-online.target") + + local_router.wait_for_unit("babeld.service") + remote_router.wait_for_unit("babeld.service") + + local_router.wait_until_succeeds("ip route get 192.168.30.1") + local_router.wait_until_succeeds("ip route get 2001:db8:30::1") + + remote_router.wait_until_succeeds("ip route get 192.168.10.1") + remote_router.wait_until_succeeds("ip route get 2001:db8:10::1") + + client.succeed("ping -c1 192.168.30.1") + client.succeed("ping -c1 2001:db8:30::1") + + remote_router.succeed("ping -c1 192.168.10.2") + remote_router.succeed("ping -c1 2001:db8:10::2") + ''; +}) diff --git a/nixpkgs/nixos/tests/bcachefs.nix b/nixpkgs/nixos/tests/bcachefs.nix index 658676ef0ab9..0541e5803225 100644 --- a/nixpkgs/nixos/tests/bcachefs.nix +++ b/nixpkgs/nixos/tests/bcachefs.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: { +import ./make-test-python.nix ({ pkgs, ... }: { name = "bcachefs"; meta.maintainers = with pkgs.stdenv.lib.maintainers; [ chiiruno ]; @@ -10,29 +10,25 @@ import ./make-test.nix ({ pkgs, ... }: { }; testScript = '' - $machine->succeed("modprobe bcachefs"); - $machine->succeed("bcachefs version"); - $machine->succeed("ls /dev"); + machine.succeed("modprobe bcachefs") + machine.succeed("bcachefs version") + machine.succeed("ls /dev") - $machine->succeed( - "mkdir /tmp/mnt", - - "udevadm settle", - "parted --script /dev/vdb mklabel msdos", - "parted --script /dev/vdb -- mkpart primary 1024M -1s", - "udevadm settle", - - # Due to #32279, we cannot use encryption for this test yet - # "echo password | bcachefs format --encrypted /dev/vdb1", - # "echo password | bcachefs unlock /dev/vdb1", - "bcachefs format /dev/vdb1", - "mount -t bcachefs /dev/vdb1 /tmp/mnt", - "udevadm settle", - - "bcachefs fs usage /tmp/mnt", - - "umount /tmp/mnt", - "udevadm settle" - ); + machine.succeed( + "mkdir /tmp/mnt", + "udevadm settle", + "parted --script /dev/vdb mklabel msdos", + "parted --script /dev/vdb -- mkpart primary 1024M -1s", + "udevadm settle", + # Due to #32279, we cannot use encryption for this test yet + # "echo password | bcachefs format --encrypted /dev/vdb1", + # "echo password | bcachefs unlock /dev/vdb1", + "bcachefs format /dev/vdb1", + "mount -t bcachefs /dev/vdb1 /tmp/mnt", + "udevadm settle", + "bcachefs fs usage /tmp/mnt", + "umount /tmp/mnt", + "udevadm settle", + ) ''; }) diff --git a/nixpkgs/nixos/tests/beanstalkd.nix b/nixpkgs/nixos/tests/beanstalkd.nix index fa2fbc2c92ab..4f4a454fb47f 100644 --- a/nixpkgs/nixos/tests/beanstalkd.nix +++ b/nixpkgs/nixos/tests/beanstalkd.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, lib, ... }: +import ./make-test-python.nix ({ pkgs, lib, ... }: let pythonEnv = pkgs.python3.withPackages (p: [p.beanstalkc]); @@ -34,12 +34,16 @@ in }; testScript = '' - startAll; + start_all() - $machine->waitForUnit('beanstalkd.service'); + machine.wait_for_unit("beanstalkd.service") - $machine->succeed("${produce}"); - $machine->succeed("${consume}") eq "this is a job\n" or die; - $machine->succeed("${consume}") eq "this is another job\n" or die; + machine.succeed("${produce}") + assert "this is a job\n" == machine.succeed( + "${consume}" + ) + assert "this is another job\n" == machine.succeed( + "${consume}" + ) ''; }) diff --git a/nixpkgs/nixos/tests/beegfs.nix b/nixpkgs/nixos/tests/beegfs.nix deleted file mode 100644 index 3465272f5599..000000000000 --- a/nixpkgs/nixos/tests/beegfs.nix +++ /dev/null @@ -1,115 +0,0 @@ -import ./make-test.nix ({ ... } : - -let - connAuthFile="beegfs/auth-def.key"; - - client = { pkgs, ... } : { - networking.firewall.enable = false; - services.beegfsEnable = true; - services.beegfs.default = { - mgmtdHost = "mgmt"; - connAuthFile = "/etc/${connAuthFile}"; - client = { - mount = false; - enable = true; - }; - }; - - fileSystems = pkgs.lib.mkVMOverride # FIXME: this should be creatd by the module - [ { mountPoint = "/beegfs"; - device = "default"; - fsType = "beegfs"; - options = [ "cfgFile=/etc/beegfs/client-default.conf" "_netdev" ]; - } - ]; - - environment.etc.${connAuthFile} = { - enable = true; - text = "ThisIsALousySecret"; - mode = "0600"; - }; - }; - - - server = service : { pkgs, ... } : { - networking.firewall.enable = false; - boot.initrd.postDeviceCommands = '' - ${pkgs.e2fsprogs}/bin/mkfs.ext4 -L data /dev/vdb - ''; - - virtualisation.emptyDiskImages = [ 4096 ]; - - fileSystems = pkgs.lib.mkVMOverride - [ { mountPoint = "/data"; - device = "/dev/disk/by-label/data"; - fsType = "ext4"; - } - ]; - - environment.systemPackages = with pkgs; [ beegfs ]; - environment.etc.${connAuthFile} = { - enable = true; - text = "ThisIsALousySecret"; - mode = "0600"; - }; - - services.beegfsEnable = true; - services.beegfs.default = { - mgmtdHost = "mgmt"; - connAuthFile = "/etc/${connAuthFile}"; - ${service} = { - enable = true; - storeDir = "/data"; - }; - }; - }; - -in -{ - name = "beegfs"; - - nodes = { - meta = server "meta"; - mgmt = server "mgmtd"; - storage1 = server "storage"; - storage2 = server "storage"; - client1 = client; - client2 = client; - }; - - testScript = '' - # Initalize the data directories - $mgmt->waitForUnit("default.target"); - $mgmt->succeed("beegfs-setup-mgmtd -C -f -p /data"); - $mgmt->succeed("systemctl start beegfs-mgmtd-default"); - - $meta->waitForUnit("default.target"); - $meta->succeed("beegfs-setup-meta -C -f -s 1 -p /data"); - $meta->succeed("systemctl start beegfs-meta-default"); - - $storage1->waitForUnit("default.target"); - $storage1->succeed("beegfs-setup-storage -C -f -s 1 -i 1 -p /data"); - $storage1->succeed("systemctl start beegfs-storage-default"); - - $storage2->waitForUnit("default.target"); - $storage2->succeed("beegfs-setup-storage -C -f -s 2 -i 2 -p /data"); - $storage2->succeed("systemctl start beegfs-storage-default"); - - # - - # Basic test - $client1->waitForUnit("beegfs.mount"); - $client1->succeed("beegfs-check-servers-default"); - $client1->succeed("echo test > /beegfs/test"); - $client2->waitForUnit("beegfs.mount"); - $client2->succeed("test -e /beegfs/test"); - $client2->succeed("cat /beegfs/test | grep test"); - - # test raid0/stripping - $client1->succeed("dd if=/dev/urandom bs=1M count=10 of=/beegfs/striped"); - $client2->succeed("cat /beegfs/striped > /dev/null"); - - # check if fs is still healthy - $client1->succeed("beegfs-fsck-default --checkfs"); - ''; -}) diff --git a/nixpkgs/nixos/tests/bees.nix b/nixpkgs/nixos/tests/bees.nix index 6f68c2f834f1..6e6a9c3446b0 100644 --- a/nixpkgs/nixos/tests/bees.nix +++ b/nixpkgs/nixos/tests/bees.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ lib, ... }: +import ./make-test-python.nix ({ lib, pkgs, ... }: { name = "bees"; @@ -29,27 +29,34 @@ import ./make-test.nix ({ lib, ... }: testScript = let - withRetry = content: maxTests: sleepTime: '' - max_tests=${lib.escapeShellArg maxTests}; sleep_time=${lib.escapeShellArg sleepTime}; for ((i=0; i<max_tests; i++)); do ${content} && exit 0; sleep "$sleep_time"; done; exit 1; + someContentIsShared = loc: pkgs.writeShellScript "some-content-is-shared" '' + [[ $(btrfs fi du -s --raw ${lib.escapeShellArg loc}/dedup-me-{1,2} | awk 'BEGIN { count=0; } NR>1 && $3 == 0 { count++ } END { print count }') -eq 0 ]] ''; - someContentIsShared = loc: ''[[ $(btrfs fi du -s --raw ${lib.escapeShellArg loc}/dedup-me-{1,2} | awk 'BEGIN { count=0; } NR>1 && $3 == 0 { count++ } END { print count }') -eq 0 ]]''; in '' # shut down the instance started by systemd at boot, so we can test our test procedure - $machine->succeed("systemctl stop beesd\@aux1.service"); + machine.succeed("systemctl stop beesd@aux1.service") - $machine->succeed("dd if=/dev/urandom of=/aux1/dedup-me-1 bs=1M count=8"); - $machine->succeed("cp --reflink=never /aux1/dedup-me-1 /aux1/dedup-me-2"); - $machine->succeed("cp --reflink=never /aux1/* /aux2/"); - $machine->succeed("sync"); - $machine->fail(q(${someContentIsShared "/aux1"})); - $machine->fail(q(${someContentIsShared "/aux2"})); - $machine->succeed("systemctl start beesd\@aux1.service"); + machine.succeed( + "dd if=/dev/urandom of=/aux1/dedup-me-1 bs=1M count=8", + "cp --reflink=never /aux1/dedup-me-1 /aux1/dedup-me-2", + "cp --reflink=never /aux1/* /aux2/", + "sync", + ) + machine.fail( + "${someContentIsShared "/aux1"}", + "${someContentIsShared "/aux2"}", + ) + machine.succeed("systemctl start beesd@aux1.service") # assert that "Set Shared" column is nonzero - $machine->succeed(q(${withRetry (someContentIsShared "/aux1") 20 2})); - $machine->fail(q(${someContentIsShared "/aux2"})); + machine.wait_until_succeeds( + "${someContentIsShared "/aux1"}", + ) + machine.fail("${someContentIsShared "/aux2"}") # assert that 16MB hash table size requested was honored - $machine->succeed(q([[ $(stat -c %s /aux1/.beeshome/beeshash.dat) = $(( 16 * 1024 * 1024)) ]])) + machine.succeed( + "[[ $(stat -c %s /aux1/.beeshome/beeshash.dat) = $(( 16 * 1024 * 1024)) ]]" + ) ''; }) diff --git a/nixpkgs/nixos/tests/bind.nix b/nixpkgs/nixos/tests/bind.nix index 1f8c1dc7be40..09917b15a8e0 100644 --- a/nixpkgs/nixos/tests/bind.nix +++ b/nixpkgs/nixos/tests/bind.nix @@ -1,4 +1,4 @@ -import ./make-test.nix { +import ./make-test-python.nix { name = "bind"; machine = { pkgs, lib, ... }: { @@ -20,8 +20,8 @@ import ./make-test.nix { }; testScript = '' - $machine->waitForUnit('bind.service'); - $machine->waitForOpenPort(53); - $machine->succeed('host 192.168.0.1 127.0.0.1 | grep -qF ns.example.org'); + machine.wait_for_unit("bind.service") + machine.wait_for_open_port(53) + machine.succeed("host 192.168.0.1 127.0.0.1 | grep -qF ns.example.org") ''; } diff --git a/nixpkgs/nixos/tests/bittorrent.nix b/nixpkgs/nixos/tests/bittorrent.nix index 3b1169a1b7f2..e5be652c7112 100644 --- a/nixpkgs/nixos/tests/bittorrent.nix +++ b/nixpkgs/nixos/tests/bittorrent.nix @@ -6,7 +6,7 @@ # which only works if the first client successfully uses the UPnP-IGD # protocol to poke a hole in the NAT. -import ./make-test.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, ... }: let @@ -108,42 +108,56 @@ in testScript = { nodes, ... }: '' - startAll; + start_all() # Wait for network and miniupnpd. - $router->waitForUnit("network-online.target"); - $router->waitForUnit("miniupnpd"); + router.wait_for_unit("network-online.target") + router.wait_for_unit("miniupnpd") # Create the torrent. - $tracker->succeed("mkdir /tmp/data"); - $tracker->succeed("cp ${file} /tmp/data/test.tar.bz2"); - $tracker->succeed("transmission-create /tmp/data/test.tar.bz2 --private --tracker http://${externalTrackerAddress}:6969/announce --outfile /tmp/test.torrent"); - $tracker->succeed("chmod 644 /tmp/test.torrent"); + tracker.succeed("mkdir /tmp/data") + tracker.succeed( + "cp ${file} /tmp/data/test.tar.bz2" + ) + tracker.succeed( + "transmission-create /tmp/data/test.tar.bz2 --private --tracker http://${externalTrackerAddress}:6969/announce --outfile /tmp/test.torrent" + ) + tracker.succeed("chmod 644 /tmp/test.torrent") # Start the tracker. !!! use a less crappy tracker - $tracker->waitForUnit("network-online.target"); - $tracker->waitForUnit("opentracker.service"); - $tracker->waitForOpenPort(6969); + tracker.wait_for_unit("network-online.target") + tracker.wait_for_unit("opentracker.service") + tracker.wait_for_open_port(6969) # Start the initial seeder. - $tracker->succeed("transmission-remote --add /tmp/test.torrent --no-portmap --no-dht --download-dir /tmp/data"); + tracker.succeed( + "transmission-remote --add /tmp/test.torrent --no-portmap --no-dht --download-dir /tmp/data" + ) # Now we should be able to download from the client behind the NAT. - $tracker->waitForUnit("httpd"); - $client1->waitForUnit("network-online.target"); - $client1->succeed("transmission-remote --add http://${externalTrackerAddress}/test.torrent --download-dir /tmp >&2 &"); - $client1->waitForFile("/tmp/test.tar.bz2"); - $client1->succeed("cmp /tmp/test.tar.bz2 ${file}"); + tracker.wait_for_unit("httpd") + client1.wait_for_unit("network-online.target") + client1.succeed( + "transmission-remote --add http://${externalTrackerAddress}/test.torrent --download-dir /tmp >&2 &" + ) + client1.wait_for_file("/tmp/test.tar.bz2") + client1.succeed( + "cmp /tmp/test.tar.bz2 ${file}" + ) # Bring down the initial seeder. - # $tracker->stopJob("transmission"); + # tracker.stop_job("transmission") # Now download from the second client. This can only succeed if # the first client created a NAT hole in the router. - $client2->waitForUnit("network-online.target"); - $client2->succeed("transmission-remote --add http://${externalTrackerAddress}/test.torrent --no-portmap --no-dht --download-dir /tmp >&2 &"); - $client2->waitForFile("/tmp/test.tar.bz2"); - $client2->succeed("cmp /tmp/test.tar.bz2 ${file}"); + client2.wait_for_unit("network-online.target") + client2.succeed( + "transmission-remote --add http://${externalTrackerAddress}/test.torrent --no-portmap --no-dht --download-dir /tmp >&2 &" + ) + client2.wait_for_file("/tmp/test.tar.bz2") + client2.succeed( + "cmp /tmp/test.tar.bz2 ${file}" + ) ''; }) diff --git a/nixpkgs/nixos/tests/boot-stage1.nix b/nixpkgs/nixos/tests/boot-stage1.nix index b2e74bff6fcd..cfb2ccb82856 100644 --- a/nixpkgs/nixos/tests/boot-stage1.nix +++ b/nixpkgs/nixos/tests/boot-stage1.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: { +import ./make-test-python.nix ({ pkgs, ... }: { name = "boot-stage1"; machine = { config, pkgs, lib, ... }: { @@ -150,12 +150,12 @@ import ./make-test.nix ({ pkgs, ... }: { }; testScript = '' - $machine->waitForUnit("multi-user.target"); - $machine->succeed('test -s /run/canary2.pid'); - $machine->fail('pgrep -a canary1'); - $machine->fail('kill -0 $(< /run/canary2.pid)'); - $machine->succeed('pgrep -a -f \'^@canary3$\'''); - $machine->succeed('pgrep -a -f \'^kcanary$\'''); + machine.wait_for_unit("multi-user.target") + machine.succeed("test -s /run/canary2.pid") + machine.fail("pgrep -a canary1") + machine.fail("kill -0 $(< /run/canary2.pid)") + machine.succeed('pgrep -a -f "^@canary3$"') + machine.succeed('pgrep -a -f "^kcanary$"') ''; meta.maintainers = with pkgs.stdenv.lib.maintainers; [ aszlig ]; diff --git a/nixpkgs/nixos/tests/boot.nix b/nixpkgs/nixos/tests/boot.nix index 57d8006d7ac3..c5040f3b31fb 100644 --- a/nixpkgs/nixos/tests/boot.nix +++ b/nixpkgs/nixos/tests/boot.nix @@ -3,7 +3,7 @@ pkgs ? import ../.. { inherit system config; } }: -with import ../lib/testing.nix { inherit system pkgs; }; +with import ../lib/testing-python.nix { inherit system pkgs; }; with pkgs.lib; let @@ -17,11 +17,11 @@ let ]; }).config.system.build.isoImage; - perlAttrs = params: "{ ${concatStringsSep ", " (mapAttrsToList (name: param: "${name} => ${builtins.toJSON param}") params)} }"; + pythonDict = params: "\n {\n ${concatStringsSep ",\n " (mapAttrsToList (name: param: "\"${name}\": \"${param}\"") params)},\n }\n"; makeBootTest = name: extraConfig: let - machineConfig = perlAttrs ({ qemuFlags = "-m 768"; } // extraConfig); + machineConfig = pythonDict ({ qemuFlags = "-m 768"; } // extraConfig); in makeTest { inherit iso; @@ -29,16 +29,16 @@ let nodes = { }; testScript = '' - my $machine = createMachine(${machineConfig}); - $machine->start; - $machine->waitForUnit("multi-user.target"); - $machine->succeed("nix verify -r --no-trust /run/current-system"); + machine = create_machine(${machineConfig}) + machine.start() + machine.wait_for_unit("multi-user.target") + machine.succeed("nix verify -r --no-trust /run/current-system") - # Test whether the channel got installed correctly. - $machine->succeed("nix-instantiate --dry-run '<nixpkgs>' -A hello"); - $machine->succeed("nix-env --dry-run -iA nixos.procps"); + with subtest("Check whether the channel got installed correctly"): + machine.succeed("nix-instantiate --dry-run '<nixpkgs>' -A hello") + machine.succeed("nix-env --dry-run -iA nixos.procps") - $machine->shutdown; + machine.shutdown() ''; }; @@ -60,7 +60,7 @@ let config.system.build.netbootIpxeScript ]; }; - machineConfig = perlAttrs ({ + machineConfig = pythonDict ({ qemuFlags = "-boot order=n -m 2000"; netBackendArgs = "tftp=${ipxeBootDir},bootfile=netboot.ipxe"; } // extraConfig); @@ -68,12 +68,11 @@ let makeTest { name = "boot-netboot-" + name; nodes = { }; - testScript = - '' - my $machine = createMachine(${machineConfig}); - $machine->start; - $machine->waitForUnit("multi-user.target"); - $machine->shutdown; + testScript = '' + machine = create_machine(${machineConfig}) + machine.start() + machine.wait_for_unit("multi-user.target") + machine.shutdown() ''; }; in { diff --git a/nixpkgs/nixos/tests/borgbackup.nix b/nixpkgs/nixos/tests/borgbackup.nix index 165f64b0d6dc..d97471e293e8 100644 --- a/nixpkgs/nixos/tests/borgbackup.nix +++ b/nixpkgs/nixos/tests/borgbackup.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, ... }: let passphrase = "supersecret"; @@ -106,60 +106,70 @@ in { }; testScript = '' - startAll; - - $client->fail('test -d "${remoteRepo}"'); - - $client->succeed("cp ${privateKey} /root/id_ed25519"); - $client->succeed("chmod 0600 /root/id_ed25519"); - $client->succeed("cp ${privateKeyAppendOnly} /root/id_ed25519.appendOnly"); - $client->succeed("chmod 0600 /root/id_ed25519.appendOnly"); - - $client->succeed("mkdir -p ${dataDir}"); - $client->succeed("touch ${dataDir}/${excludeFile}"); - $client->succeed("echo '${keepFileData}' > ${dataDir}/${keepFile}"); - - subtest "local", sub { - my $borg = "BORG_PASSPHRASE='${passphrase}' borg"; - $client->systemctl("start --wait borgbackup-job-local"); - $client->fail("systemctl is-failed borgbackup-job-local"); - # Make sure exactly one archive has been created - $client->succeed("c=\$($borg list '${localRepo}' | wc -l) && [[ \$c == '1' ]]"); - # Make sure excludeFile has been excluded - $client->fail("$borg list '${localRepo}::${archiveName}' | grep -qF '${excludeFile}'"); - # Make sure keepFile has the correct content - $client->succeed("$borg extract '${localRepo}::${archiveName}'"); - $client->succeed('c=$(cat ${dataDir}/${keepFile}) && [[ "$c" == "${keepFileData}" ]]'); - # Make sure the same is true when using `borg mount` - $client->succeed("mkdir -p /mnt/borg && $borg mount '${localRepo}::${archiveName}' /mnt/borg"); - $client->succeed('c=$(cat /mnt/borg/${dataDir}/${keepFile}) && [[ "$c" == "${keepFileData}" ]]'); - }; - - subtest "remote", sub { - my $borg = "BORG_RSH='ssh -oStrictHostKeyChecking=no -i /root/id_ed25519' borg"; - $server->waitForUnit("sshd.service"); - $client->waitForUnit("network.target"); - $client->systemctl("start --wait borgbackup-job-remote"); - $client->fail("systemctl is-failed borgbackup-job-remote"); - - # Make sure we can't access repos other than the specified one - $client->fail("$borg list borg\@server:wrong"); - - #TODO: Make sure that data is actually deleted - }; - - subtest "remoteAppendOnly", sub { - my $borg = "BORG_RSH='ssh -oStrictHostKeyChecking=no -i /root/id_ed25519.appendOnly' borg"; - $server->waitForUnit("sshd.service"); - $client->waitForUnit("network.target"); - $client->systemctl("start --wait borgbackup-job-remoteAppendOnly"); - $client->fail("systemctl is-failed borgbackup-job-remoteAppendOnly"); - - # Make sure we can't access repos other than the specified one - $client->fail("$borg list borg\@server:wrong"); - - #TODO: Make sure that data is not actually deleted - }; - + start_all() + + client.fail('test -d "${remoteRepo}"') + + client.succeed( + "cp ${privateKey} /root/id_ed25519" + ) + client.succeed("chmod 0600 /root/id_ed25519") + client.succeed( + "cp ${privateKeyAppendOnly} /root/id_ed25519.appendOnly" + ) + client.succeed("chmod 0600 /root/id_ed25519.appendOnly") + + client.succeed("mkdir -p ${dataDir}") + client.succeed("touch ${dataDir}/${excludeFile}") + client.succeed("echo '${keepFileData}' > ${dataDir}/${keepFile}") + + with subtest("local"): + borg = "BORG_PASSPHRASE='${passphrase}' borg" + client.systemctl("start --wait borgbackup-job-local") + client.fail("systemctl is-failed borgbackup-job-local") + # Make sure exactly one archive has been created + assert int(client.succeed("{} list '${localRepo}' | wc -l".format(borg))) > 0 + # Make sure excludeFile has been excluded + client.fail( + "{} list '${localRepo}::${archiveName}' | grep -qF '${excludeFile}'".format(borg) + ) + # Make sure keepFile has the correct content + client.succeed("{} extract '${localRepo}::${archiveName}'".format(borg)) + assert "${keepFileData}" in client.succeed("cat ${dataDir}/${keepFile}") + # Make sure the same is true when using `borg mount` + client.succeed( + "mkdir -p /mnt/borg && {} mount '${localRepo}::${archiveName}' /mnt/borg".format( + borg + ) + ) + assert "${keepFileData}" in client.succeed( + "cat /mnt/borg/${dataDir}/${keepFile}" + ) + + with subtest("remote"): + borg = "BORG_RSH='ssh -oStrictHostKeyChecking=no -i /root/id_ed25519' borg" + server.wait_for_unit("sshd.service") + client.wait_for_unit("network.target") + client.systemctl("start --wait borgbackup-job-remote") + client.fail("systemctl is-failed borgbackup-job-remote") + + # Make sure we can't access repos other than the specified one + client.fail("{} list borg\@server:wrong".format(borg)) + + # TODO: Make sure that data is actually deleted + + with subtest("remoteAppendOnly"): + borg = ( + "BORG_RSH='ssh -oStrictHostKeyChecking=no -i /root/id_ed25519.appendOnly' borg" + ) + server.wait_for_unit("sshd.service") + client.wait_for_unit("network.target") + client.systemctl("start --wait borgbackup-job-remoteAppendOnly") + client.fail("systemctl is-failed borgbackup-job-remoteAppendOnly") + + # Make sure we can't access repos other than the specified one + client.fail("{} list borg\@server:wrong".format(borg)) + + # TODO: Make sure that data is not actually deleted ''; }) diff --git a/nixpkgs/nixos/tests/caddy.nix b/nixpkgs/nixos/tests/caddy.nix new file mode 100644 index 000000000000..fc10df0c79b5 --- /dev/null +++ b/nixpkgs/nixos/tests/caddy.nix @@ -0,0 +1,87 @@ +import ./make-test-python.nix ({ pkgs, ... }: { + name = "caddy"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ xfix ]; + }; + + nodes = { + webserver = { pkgs, lib, ... }: { + services.caddy.enable = true; + services.caddy.config = '' + http://localhost { + gzip + + root ${ + pkgs.runCommand "testdir" {} '' + mkdir "$out" + echo hello world > "$out/example.html" + '' + } + } + ''; + + nesting.clone = [ + { + services.caddy.config = lib.mkForce '' + http://localhost { + gzip + + root ${ + pkgs.runCommand "testdir2" {} '' + mkdir "$out" + echo changed > "$out/example.html" + '' + } + } + ''; + } + + { + services.caddy.config = '' + http://localhost:8080 { + } + ''; + } + ]; + }; + }; + + testScript = { nodes, ... }: let + etagSystem = "${nodes.webserver.config.system.build.toplevel}/fine-tune/child-1"; + justReloadSystem = "${nodes.webserver.config.system.build.toplevel}/fine-tune/child-2"; + in '' + url = "http://localhost/example.html" + webserver.wait_for_unit("caddy") + webserver.wait_for_open_port("80") + + + def check_etag(url): + etag = webserver.succeed( + "curl -v '{}' 2>&1 | sed -n -e \"s/^< [Ee][Tt][Aa][Gg]: *//p\"".format(url) + ) + etag = etag.replace("\r\n", " ") + http_code = webserver.succeed( + "curl -w \"%{{http_code}}\" -X HEAD -H 'If-None-Match: {}' {}".format(etag, url) + ) + assert int(http_code) == 304, "HTTP code is not 304" + return etag + + + with subtest("check ETag if serving Nix store paths"): + old_etag = check_etag(url) + webserver.succeed( + "${etagSystem}/bin/switch-to-configuration test >&2" + ) + webserver.sleep(1) + new_etag = check_etag(url) + assert old_etag != new_etag, "Old ETag {} is the same as {}".format( + old_etag, new_etag + ) + + with subtest("config is reloaded on nixos-rebuild switch"): + webserver.succeed( + "${justReloadSystem}/bin/switch-to-configuration test >&2" + ) + webserver.wait_for_open_port("8080") + ''; +}) diff --git a/nixpkgs/nixos/tests/cadvisor.nix b/nixpkgs/nixos/tests/cadvisor.nix index e60bae4b7003..60c04f147800 100644 --- a/nixpkgs/nixos/tests/cadvisor.nix +++ b/nixpkgs/nixos/tests/cadvisor.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... } : { +import ./make-test-python.nix ({ pkgs, ... } : { name = "cadvisor"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ offline ]; @@ -16,20 +16,19 @@ import ./make-test.nix ({ pkgs, ... } : { }; }; - testScript = - '' - startAll; - $machine->waitForUnit("cadvisor.service"); - $machine->succeed("curl http://localhost:8080/containers/"); + testScript = '' + start_all() + machine.wait_for_unit("cadvisor.service") + machine.succeed("curl http://localhost:8080/containers/") - $influxdb->waitForUnit("influxdb.service"); + influxdb.wait_for_unit("influxdb.service") # create influxdb database - $influxdb->succeed(q~ - curl -XPOST http://localhost:8086/query --data-urlencode "q=CREATE DATABASE root" - ~); + influxdb.succeed( + 'curl -XPOST http://localhost:8086/query --data-urlencode "q=CREATE DATABASE root"' + ) - $influxdb->waitForUnit("cadvisor.service"); - $influxdb->succeed("curl http://localhost:8080/containers/"); + influxdb.wait_for_unit("cadvisor.service") + influxdb.succeed("curl http://localhost:8080/containers/") ''; }) diff --git a/nixpkgs/nixos/tests/cassandra.nix b/nixpkgs/nixos/tests/cassandra.nix index c55733c9be7b..05607956a9d6 100644 --- a/nixpkgs/nixos/tests/cassandra.nix +++ b/nixpkgs/nixos/tests/cassandra.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, lib, ... }: +import ./make-test-python.nix ({ pkgs, lib, ... }: let # Change this to test a different version of Cassandra: testPackage = pkgs.cassandra; @@ -9,13 +9,16 @@ let jmxRolesFile = ./cassandra-jmx-roles; jmxAuthArgs = "-u ${(builtins.elemAt jmxRoles 0).username} -pw ${(builtins.elemAt jmxRoles 0).password}"; jmxPort = 7200; # Non-standard port so it doesn't accidentally work + jmxPortStr = toString jmxPort; - # Would usually be assigned to 512M + # Would usually be assigned to 512M. + # Set it to a different value, so that we can check whether our config + # actually changes it. numMaxHeapSize = "400"; getHeapLimitCommand = '' - nodetool info -p ${toString jmxPort} | grep "^Heap Memory" | awk \'{print $NF}\' + nodetool info -p ${jmxPortStr} | grep "^Heap Memory" | awk '{print $NF}' ''; - checkHeapLimitCommand = '' + checkHeapLimitCommand = pkgs.writeShellScript "check-heap-limit.sh" '' [ 1 -eq "$(echo "$(${getHeapLimitCommand}) < ${numMaxHeapSize}" | ${pkgs.bc}/bin/bc)" ] ''; @@ -44,7 +47,10 @@ let }; in { - name = "cassandra-ci"; + name = "cassandra"; + meta = { + maintainers = with lib.maintainers; [ johnazoidberg ]; + }; nodes = { cass0 = nodeCfg "192.168.1.1" {}; @@ -52,66 +58,74 @@ in cass2 = nodeCfg "192.168.1.3" { jvmOpts = [ "-Dcassandra.replace_address=cass1" ]; }; }; - testScript = let - jmxPortS = toString jmxPort; - in '' + testScript = '' # Check configuration - subtest "Timers exist", sub { - $cass0->succeed("systemctl list-timers | grep cassandra-full-repair.timer"); - $cass0->succeed("systemctl list-timers | grep cassandra-incremental-repair.timer"); - }; - subtest "Can connect via cqlsh", sub { - $cass0->waitForUnit("cassandra.service"); - $cass0->waitUntilSucceeds("nc -z cass0 9042"); - $cass0->succeed("echo 'show version;' | cqlsh cass0"); - }; - subtest "Nodetool is operational", sub { - $cass0->waitForUnit("cassandra.service"); - $cass0->waitUntilSucceeds("nc -z localhost ${jmxPortS}"); - $cass0->succeed("nodetool status -p ${jmxPortS} --resolve-ip | egrep '^UN[[:space:]]+cass0'"); - }; - subtest "Cluster name was set", sub { - $cass0->waitForUnit("cassandra.service"); - $cass0->waitUntilSucceeds("nc -z localhost ${jmxPortS}"); - $cass0->waitUntilSucceeds("nodetool describecluster -p ${jmxPortS} | grep 'Name: ${clusterName}'"); - }; - subtest "Heap limit set correctly", sub { - # Nodetool takes a while until it can display info - $cass0->waitUntilSucceeds('nodetool info -p ${jmxPortS}'); - $cass0->succeed('${checkHeapLimitCommand}'); - }; + with subtest("Timers exist"): + cass0.succeed("systemctl list-timers | grep cassandra-full-repair.timer") + cass0.succeed("systemctl list-timers | grep cassandra-incremental-repair.timer") + + with subtest("Can connect via cqlsh"): + cass0.wait_for_unit("cassandra.service") + cass0.wait_until_succeeds("nc -z cass0 9042") + cass0.succeed("echo 'show version;' | cqlsh cass0") + + with subtest("Nodetool is operational"): + cass0.wait_for_unit("cassandra.service") + cass0.wait_until_succeeds("nc -z localhost ${jmxPortStr}") + cass0.succeed("nodetool status -p ${jmxPortStr} --resolve-ip | egrep '^UN[[:space:]]+cass0'") + + with subtest("Cluster name was set"): + cass0.wait_for_unit("cassandra.service") + cass0.wait_until_succeeds("nc -z localhost ${jmxPortStr}") + cass0.wait_until_succeeds( + "nodetool describecluster -p ${jmxPortStr} | grep 'Name: ${clusterName}'" + ) + + with subtest("Heap limit set correctly"): + # Nodetool takes a while until it can display info + cass0.wait_until_succeeds("nodetool info -p ${jmxPortStr}") + cass0.succeed("${checkHeapLimitCommand}") # Check cluster interaction - subtest "Bring up cluster", sub { - $cass1->waitForUnit("cassandra.service"); - $cass1->waitUntilSucceeds("nodetool -p ${jmxPortS} ${jmxAuthArgs} status | egrep -c '^UN' | grep 2"); - $cass0->succeed("nodetool status -p ${jmxPortS} --resolve-ip | egrep '^UN[[:space:]]+cass1'"); - }; + with subtest("Bring up cluster"): + cass1.wait_for_unit("cassandra.service") + cass1.wait_until_succeeds( + "nodetool -p ${jmxPortStr} ${jmxAuthArgs} status | egrep -c '^UN' | grep 2" + ) + cass0.succeed("nodetool status -p ${jmxPortStr} --resolve-ip | egrep '^UN[[:space:]]+cass1'") '' + lib.optionalString testRemoteAuth '' - subtest "Remote authenticated jmx", sub { - # Doesn't work if not enabled - $cass0->waitUntilSucceeds("nc -z localhost ${jmxPortS}"); - $cass1->fail("nc -z 192.168.1.1 ${toString jmxPort}"); - $cass1->fail("nodetool -p ${jmxPortS} -h 192.168.1.1 status"); + with subtest("Remote authenticated jmx"): + # Doesn't work if not enabled + cass0.wait_until_succeeds("nc -z localhost ${jmxPortStr}") + cass1.fail("nc -z 192.168.1.1 ${jmxPortStr}") + cass1.fail("nodetool -p ${jmxPortStr} -h 192.168.1.1 status") - # Works if enabled - $cass1->waitUntilSucceeds("nc -z localhost ${toString jmxPort}"); - $cass0->succeed("nodetool -p ${jmxPortS} -h 192.168.1.2 ${jmxAuthArgs} status"); - }; + # Works if enabled + cass1.wait_until_succeeds("nc -z localhost ${jmxPortStr}") + cass0.succeed("nodetool -p ${jmxPortStr} -h 192.168.1.2 ${jmxAuthArgs} status") '' + '' - subtest "Break and fix node", sub { - $cass1->block; - $cass0->waitUntilSucceeds("nodetool status -p ${jmxPortS} --resolve-ip | egrep -c '^DN[[:space:]]+cass1'"); - $cass0->succeed("nodetool status -p ${jmxPortS} | egrep -c '^UN' | grep 1"); - $cass1->unblock; - $cass1->waitUntilSucceeds("nodetool -p ${jmxPortS} ${jmxAuthArgs} status | egrep -c '^UN' | grep 2"); - $cass0->succeed("nodetool status -p ${jmxPortS} | egrep -c '^UN' | grep 2"); - }; - subtest "Replace crashed node", sub { - $cass1->crash; - $cass2->waitForUnit("cassandra.service"); - $cass0->waitUntilFails("nodetool status -p ${jmxPortS} --resolve-ip | egrep '^UN[[:space:]]+cass1'"); - $cass0->waitUntilSucceeds("nodetool status -p ${jmxPortS} --resolve-ip | egrep '^UN[[:space:]]+cass2'"); - }; + with subtest("Break and fix node"): + cass1.block() + cass0.wait_until_succeeds( + "nodetool status -p ${jmxPortStr} --resolve-ip | egrep -c '^DN[[:space:]]+cass1'" + ) + cass0.succeed("nodetool status -p ${jmxPortStr} | egrep -c '^UN' | grep 1") + cass1.unblock() + cass1.wait_until_succeeds( + "nodetool -p ${jmxPortStr} ${jmxAuthArgs} status | egrep -c '^UN' | grep 2" + ) + cass0.succeed("nodetool status -p ${jmxPortStr} | egrep -c '^UN' | grep 2") + + with subtest("Replace crashed node"): + cass1.block() # .crash() waits until it's fully shutdown + cass2.start() + cass0.wait_until_fails( + "nodetool status -p ${jmxPortStr} --resolve-ip | egrep '^UN[[:space:]]+cass1'" + ) + + cass2.wait_for_unit("cassandra.service") + cass0.wait_until_succeeds( + "nodetool status -p ${jmxPortStr} --resolve-ip | egrep '^UN[[:space:]]+cass2'" + ) ''; }) diff --git a/nixpkgs/nixos/tests/ceph-multi-node.nix b/nixpkgs/nixos/tests/ceph-multi-node.nix new file mode 100644 index 000000000000..90dd747525de --- /dev/null +++ b/nixpkgs/nixos/tests/ceph-multi-node.nix @@ -0,0 +1,233 @@ +import ./make-test-python.nix ({pkgs, lib, ...}: + +let + cfg = { + clusterId = "066ae264-2a5d-4729-8001-6ad265f50b03"; + monA = { + name = "a"; + ip = "192.168.1.1"; + }; + osd0 = { + name = "0"; + ip = "192.168.1.2"; + key = "AQBCEJNa3s8nHRAANvdsr93KqzBznuIWm2gOGg=="; + uuid = "55ba2294-3e24-478f-bee0-9dca4c231dd9"; + }; + osd1 = { + name = "1"; + ip = "192.168.1.3"; + key = "AQBEEJNac00kExAAXEgy943BGyOpVH1LLlHafQ=="; + uuid = "5e97a838-85b6-43b0-8950-cb56d554d1e5"; + }; + osd2 = { + name = "2"; + ip = "192.168.1.4"; + key = "AQAdyhZeIaUlARAAGRoidDAmS6Vkp546UFEf5w=="; + uuid = "ea999274-13d0-4dd5-9af9-ad25a324f72f"; + }; + }; + generateCephConfig = { daemonConfig }: { + enable = true; + global = { + fsid = cfg.clusterId; + monHost = cfg.monA.ip; + monInitialMembers = cfg.monA.name; + }; + } // daemonConfig; + + generateHost = { pkgs, cephConfig, networkConfig, ... }: { + virtualisation = { + memorySize = 512; + emptyDiskImages = [ 20480 ]; + vlans = [ 1 ]; + }; + + networking = networkConfig; + + environment.systemPackages = with pkgs; [ + bash + sudo + ceph + xfsprogs + netcat-openbsd + ]; + + boot.kernelModules = [ "xfs" ]; + + services.ceph = cephConfig; + }; + + networkMonA = { + dhcpcd.enable = false; + interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [ + { address = cfg.monA.ip; prefixLength = 24; } + ]; + firewall = { + allowedTCPPorts = [ 6789 3300 ]; + allowedTCPPortRanges = [ { from = 6800; to = 7300; } ]; + }; + }; + cephConfigMonA = generateCephConfig { daemonConfig = { + mon = { + enable = true; + daemons = [ cfg.monA.name ]; + }; + mgr = { + enable = true; + daemons = [ cfg.monA.name ]; + }; + }; }; + + networkOsd = osd: { + dhcpcd.enable = false; + interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [ + { address = osd.ip; prefixLength = 24; } + ]; + firewall = { + allowedTCPPortRanges = [ { from = 6800; to = 7300; } ]; + }; + }; + + cephConfigOsd = osd: generateCephConfig { daemonConfig = { + osd = { + enable = true; + daemons = [ osd.name ]; + }; + }; }; + + # Following deployment is based on the manual deployment described here: + # https://docs.ceph.com/docs/master/install/manual-deployment/ + # For other ways to deploy a ceph cluster, look at the documentation at + # https://docs.ceph.com/docs/master/ + testscript = { ... }: '' + start_all() + + monA.wait_for_unit("network.target") + osd0.wait_for_unit("network.target") + osd1.wait_for_unit("network.target") + osd2.wait_for_unit("network.target") + + # Bootstrap ceph-mon daemon + monA.succeed( + "sudo -u ceph ceph-authtool --create-keyring /tmp/ceph.mon.keyring --gen-key -n mon. --cap mon 'allow *'", + "sudo -u ceph ceph-authtool --create-keyring /etc/ceph/ceph.client.admin.keyring --gen-key -n client.admin --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow *' --cap mgr 'allow *'", + "sudo -u ceph ceph-authtool /tmp/ceph.mon.keyring --import-keyring /etc/ceph/ceph.client.admin.keyring", + "monmaptool --create --add ${cfg.monA.name} ${cfg.monA.ip} --fsid ${cfg.clusterId} /tmp/monmap", + "sudo -u ceph ceph-mon --mkfs -i ${cfg.monA.name} --monmap /tmp/monmap --keyring /tmp/ceph.mon.keyring", + "sudo -u ceph mkdir -p /var/lib/ceph/mgr/ceph-${cfg.monA.name}/", + "sudo -u ceph touch /var/lib/ceph/mon/ceph-${cfg.monA.name}/done", + "systemctl start ceph-mon-${cfg.monA.name}", + ) + monA.wait_for_unit("ceph-mon-${cfg.monA.name}") + monA.succeed("ceph mon enable-msgr2") + + # Can't check ceph status until a mon is up + monA.succeed("ceph -s | grep 'mon: 1 daemons'") + + # Start the ceph-mgr daemon, it has no deps and hardly any setup + monA.succeed( + "ceph auth get-or-create mgr.${cfg.monA.name} mon 'allow profile mgr' osd 'allow *' mds 'allow *' > /var/lib/ceph/mgr/ceph-${cfg.monA.name}/keyring", + "systemctl start ceph-mgr-${cfg.monA.name}", + ) + monA.wait_for_unit("ceph-mgr-a") + monA.wait_until_succeeds("ceph -s | grep 'quorum ${cfg.monA.name}'") + monA.wait_until_succeeds("ceph -s | grep 'mgr: ${cfg.monA.name}(active,'") + + # Send the admin keyring to the OSD machines + monA.succeed("cp /etc/ceph/ceph.client.admin.keyring /tmp/shared") + osd0.succeed("cp /tmp/shared/ceph.client.admin.keyring /etc/ceph") + osd1.succeed("cp /tmp/shared/ceph.client.admin.keyring /etc/ceph") + osd2.succeed("cp /tmp/shared/ceph.client.admin.keyring /etc/ceph") + + # Bootstrap OSDs + osd0.succeed( + "mkfs.xfs /dev/vdb", + "mkdir -p /var/lib/ceph/osd/ceph-${cfg.osd0.name}", + "mount /dev/vdb /var/lib/ceph/osd/ceph-${cfg.osd0.name}", + "ceph-authtool --create-keyring /var/lib/ceph/osd/ceph-${cfg.osd0.name}/keyring --name osd.${cfg.osd0.name} --add-key ${cfg.osd0.key}", + 'echo \'{"cephx_secret": "${cfg.osd0.key}"}\' | ceph osd new ${cfg.osd0.uuid} -i -', + ) + osd1.succeed( + "mkfs.xfs /dev/vdb", + "mkdir -p /var/lib/ceph/osd/ceph-${cfg.osd1.name}", + "mount /dev/vdb /var/lib/ceph/osd/ceph-${cfg.osd1.name}", + "ceph-authtool --create-keyring /var/lib/ceph/osd/ceph-${cfg.osd1.name}/keyring --name osd.${cfg.osd1.name} --add-key ${cfg.osd1.key}", + 'echo \'{"cephx_secret": "${cfg.osd1.key}"}\' | ceph osd new ${cfg.osd1.uuid} -i -', + ) + osd2.succeed( + "mkfs.xfs /dev/vdb", + "mkdir -p /var/lib/ceph/osd/ceph-${cfg.osd2.name}", + "mount /dev/vdb /var/lib/ceph/osd/ceph-${cfg.osd2.name}", + "ceph-authtool --create-keyring /var/lib/ceph/osd/ceph-${cfg.osd2.name}/keyring --name osd.${cfg.osd2.name} --add-key ${cfg.osd2.key}", + 'echo \'{"cephx_secret": "${cfg.osd2.key}"}\' | ceph osd new ${cfg.osd2.uuid} -i -', + ) + + # Initialize the OSDs with regular filestore + osd0.succeed( + "ceph-osd -i ${cfg.osd0.name} --mkfs --osd-uuid ${cfg.osd0.uuid}", + "chown -R ceph:ceph /var/lib/ceph/osd", + "systemctl start ceph-osd-${cfg.osd0.name}", + ) + osd1.succeed( + "ceph-osd -i ${cfg.osd1.name} --mkfs --osd-uuid ${cfg.osd1.uuid}", + "chown -R ceph:ceph /var/lib/ceph/osd", + "systemctl start ceph-osd-${cfg.osd1.name}", + ) + osd2.succeed( + "ceph-osd -i ${cfg.osd2.name} --mkfs --osd-uuid ${cfg.osd2.uuid}", + "chown -R ceph:ceph /var/lib/ceph/osd", + "systemctl start ceph-osd-${cfg.osd2.name}", + ) + monA.wait_until_succeeds("ceph osd stat | grep -e '3 osds: 3 up[^,]*, 3 in'") + monA.wait_until_succeeds("ceph -s | grep 'mgr: ${cfg.monA.name}(active,'") + monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'") + + monA.succeed( + "ceph osd pool create multi-node-test 100 100", + "ceph osd pool ls | grep 'multi-node-test'", + "ceph osd pool rename multi-node-test multi-node-other-test", + "ceph osd pool ls | grep 'multi-node-other-test'", + ) + monA.wait_until_succeeds("ceph -s | grep '1 pools, 100 pgs'") + monA.succeed("ceph osd pool set multi-node-other-test size 2") + monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'") + monA.wait_until_succeeds("ceph -s | grep '100 active+clean'") + monA.fail( + "ceph osd pool ls | grep 'multi-node-test'", + "ceph osd pool delete multi-node-other-test multi-node-other-test --yes-i-really-really-mean-it", + ) + + # Shut down ceph on all machines in a very unpolite way + monA.crash() + osd0.crash() + osd1.crash() + osd2.crash() + + # Start it up + osd0.start() + osd1.start() + osd2.start() + monA.start() + + # Ensure the cluster comes back up again + monA.succeed("ceph -s | grep 'mon: 1 daemons'") + monA.wait_until_succeeds("ceph -s | grep 'quorum ${cfg.monA.name}'") + monA.wait_until_succeeds("ceph osd stat | grep -e '3 osds: 3 up[^,]*, 3 in'") + monA.wait_until_succeeds("ceph -s | grep 'mgr: ${cfg.monA.name}(active,'") + monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'") + ''; +in { + name = "basic-multi-node-ceph-cluster"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ lejonet ]; + }; + + nodes = { + monA = generateHost { pkgs = pkgs; cephConfig = cephConfigMonA; networkConfig = networkMonA; }; + osd0 = generateHost { pkgs = pkgs; cephConfig = cephConfigOsd cfg.osd0; networkConfig = networkOsd cfg.osd0; }; + osd1 = generateHost { pkgs = pkgs; cephConfig = cephConfigOsd cfg.osd1; networkConfig = networkOsd cfg.osd1; }; + osd2 = generateHost { pkgs = pkgs; cephConfig = cephConfigOsd cfg.osd2; networkConfig = networkOsd cfg.osd2; }; + }; + + testScript = testscript; +}) diff --git a/nixpkgs/nixos/tests/ceph-single-node.nix b/nixpkgs/nixos/tests/ceph-single-node.nix new file mode 100644 index 000000000000..1a027e178367 --- /dev/null +++ b/nixpkgs/nixos/tests/ceph-single-node.nix @@ -0,0 +1,196 @@ +import ./make-test-python.nix ({pkgs, lib, ...}: + +let + cfg = { + clusterId = "066ae264-2a5d-4729-8001-6ad265f50b03"; + monA = { + name = "a"; + ip = "192.168.1.1"; + }; + osd0 = { + name = "0"; + key = "AQBCEJNa3s8nHRAANvdsr93KqzBznuIWm2gOGg=="; + uuid = "55ba2294-3e24-478f-bee0-9dca4c231dd9"; + }; + osd1 = { + name = "1"; + key = "AQBEEJNac00kExAAXEgy943BGyOpVH1LLlHafQ=="; + uuid = "5e97a838-85b6-43b0-8950-cb56d554d1e5"; + }; + osd2 = { + name = "2"; + key = "AQAdyhZeIaUlARAAGRoidDAmS6Vkp546UFEf5w=="; + uuid = "ea999274-13d0-4dd5-9af9-ad25a324f72f"; + }; + }; + generateCephConfig = { daemonConfig }: { + enable = true; + global = { + fsid = cfg.clusterId; + monHost = cfg.monA.ip; + monInitialMembers = cfg.monA.name; + }; + } // daemonConfig; + + generateHost = { pkgs, cephConfig, networkConfig, ... }: { + virtualisation = { + memorySize = 512; + emptyDiskImages = [ 20480 20480 20480 ]; + vlans = [ 1 ]; + }; + + networking = networkConfig; + + environment.systemPackages = with pkgs; [ + bash + sudo + ceph + xfsprogs + ]; + + boot.kernelModules = [ "xfs" ]; + + services.ceph = cephConfig; + }; + + networkMonA = { + dhcpcd.enable = false; + interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [ + { address = cfg.monA.ip; prefixLength = 24; } + ]; + }; + cephConfigMonA = generateCephConfig { daemonConfig = { + mon = { + enable = true; + daemons = [ cfg.monA.name ]; + }; + mgr = { + enable = true; + daemons = [ cfg.monA.name ]; + }; + osd = { + enable = true; + daemons = [ cfg.osd0.name cfg.osd1.name cfg.osd2.name ]; + }; + }; }; + + # Following deployment is based on the manual deployment described here: + # https://docs.ceph.com/docs/master/install/manual-deployment/ + # For other ways to deploy a ceph cluster, look at the documentation at + # https://docs.ceph.com/docs/master/ + testscript = { ... }: '' + start_all() + + monA.wait_for_unit("network.target") + + # Bootstrap ceph-mon daemon + monA.succeed( + "sudo -u ceph ceph-authtool --create-keyring /tmp/ceph.mon.keyring --gen-key -n mon. --cap mon 'allow *'", + "sudo -u ceph ceph-authtool --create-keyring /etc/ceph/ceph.client.admin.keyring --gen-key -n client.admin --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow *' --cap mgr 'allow *'", + "sudo -u ceph ceph-authtool /tmp/ceph.mon.keyring --import-keyring /etc/ceph/ceph.client.admin.keyring", + "monmaptool --create --add ${cfg.monA.name} ${cfg.monA.ip} --fsid ${cfg.clusterId} /tmp/monmap", + "sudo -u ceph ceph-mon --mkfs -i ${cfg.monA.name} --monmap /tmp/monmap --keyring /tmp/ceph.mon.keyring", + "sudo -u ceph touch /var/lib/ceph/mon/ceph-${cfg.monA.name}/done", + "systemctl start ceph-mon-${cfg.monA.name}", + ) + monA.wait_for_unit("ceph-mon-${cfg.monA.name}") + monA.succeed("ceph mon enable-msgr2") + + # Can't check ceph status until a mon is up + monA.succeed("ceph -s | grep 'mon: 1 daemons'") + + # Start the ceph-mgr daemon, after copying in the keyring + monA.succeed( + "sudo -u ceph mkdir -p /var/lib/ceph/mgr/ceph-${cfg.monA.name}/", + "ceph auth get-or-create mgr.${cfg.monA.name} mon 'allow profile mgr' osd 'allow *' mds 'allow *' > /var/lib/ceph/mgr/ceph-${cfg.monA.name}/keyring", + "systemctl start ceph-mgr-${cfg.monA.name}", + ) + monA.wait_for_unit("ceph-mgr-a") + monA.wait_until_succeeds("ceph -s | grep 'quorum ${cfg.monA.name}'") + monA.wait_until_succeeds("ceph -s | grep 'mgr: ${cfg.monA.name}(active,'") + + # Bootstrap OSDs + monA.succeed( + "mkfs.xfs /dev/vdb", + "mkfs.xfs /dev/vdc", + "mkfs.xfs /dev/vdd", + "mkdir -p /var/lib/ceph/osd/ceph-${cfg.osd0.name}", + "mount /dev/vdb /var/lib/ceph/osd/ceph-${cfg.osd0.name}", + "mkdir -p /var/lib/ceph/osd/ceph-${cfg.osd1.name}", + "mount /dev/vdc /var/lib/ceph/osd/ceph-${cfg.osd1.name}", + "mkdir -p /var/lib/ceph/osd/ceph-${cfg.osd2.name}", + "mount /dev/vdd /var/lib/ceph/osd/ceph-${cfg.osd2.name}", + "ceph-authtool --create-keyring /var/lib/ceph/osd/ceph-${cfg.osd0.name}/keyring --name osd.${cfg.osd0.name} --add-key ${cfg.osd0.key}", + "ceph-authtool --create-keyring /var/lib/ceph/osd/ceph-${cfg.osd1.name}/keyring --name osd.${cfg.osd1.name} --add-key ${cfg.osd1.key}", + "ceph-authtool --create-keyring /var/lib/ceph/osd/ceph-${cfg.osd2.name}/keyring --name osd.${cfg.osd2.name} --add-key ${cfg.osd2.key}", + 'echo \'{"cephx_secret": "${cfg.osd0.key}"}\' | ceph osd new ${cfg.osd0.uuid} -i -', + 'echo \'{"cephx_secret": "${cfg.osd1.key}"}\' | ceph osd new ${cfg.osd1.uuid} -i -', + 'echo \'{"cephx_secret": "${cfg.osd2.key}"}\' | ceph osd new ${cfg.osd2.uuid} -i -', + ) + + # Initialize the OSDs with regular filestore + monA.succeed( + "ceph-osd -i ${cfg.osd0.name} --mkfs --osd-uuid ${cfg.osd0.uuid}", + "ceph-osd -i ${cfg.osd1.name} --mkfs --osd-uuid ${cfg.osd1.uuid}", + "ceph-osd -i ${cfg.osd2.name} --mkfs --osd-uuid ${cfg.osd2.uuid}", + "chown -R ceph:ceph /var/lib/ceph/osd", + "systemctl start ceph-osd-${cfg.osd0.name}", + "systemctl start ceph-osd-${cfg.osd1.name}", + "systemctl start ceph-osd-${cfg.osd2.name}", + ) + monA.wait_until_succeeds("ceph osd stat | grep -e '3 osds: 3 up[^,]*, 3 in'") + monA.wait_until_succeeds("ceph -s | grep 'mgr: ${cfg.monA.name}(active,'") + monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'") + + monA.succeed( + "ceph osd pool create single-node-test 100 100", + "ceph osd pool ls | grep 'single-node-test'", + "ceph osd pool rename single-node-test single-node-other-test", + "ceph osd pool ls | grep 'single-node-other-test'", + ) + monA.wait_until_succeeds("ceph -s | grep '1 pools, 100 pgs'") + monA.succeed( + "ceph osd getcrushmap -o crush", + "crushtool -d crush -o decrushed", + "sed 's/step chooseleaf firstn 0 type host/step chooseleaf firstn 0 type osd/' decrushed > modcrush", + "crushtool -c modcrush -o recrushed", + "ceph osd setcrushmap -i recrushed", + "ceph osd pool set single-node-other-test size 2", + ) + monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'") + monA.wait_until_succeeds("ceph -s | grep '100 active+clean'") + monA.fail( + "ceph osd pool ls | grep 'multi-node-test'", + "ceph osd pool delete single-node-other-test single-node-other-test --yes-i-really-really-mean-it", + ) + + # Shut down ceph by stopping ceph.target. + monA.succeed("systemctl stop ceph.target") + + # Start it up + monA.succeed("systemctl start ceph.target") + monA.wait_for_unit("ceph-mon-${cfg.monA.name}") + monA.wait_for_unit("ceph-mgr-${cfg.monA.name}") + monA.wait_for_unit("ceph-osd-${cfg.osd0.name}") + monA.wait_for_unit("ceph-osd-${cfg.osd1.name}") + monA.wait_for_unit("ceph-osd-${cfg.osd2.name}") + + # Ensure the cluster comes back up again + monA.succeed("ceph -s | grep 'mon: 1 daemons'") + monA.wait_until_succeeds("ceph -s | grep 'quorum ${cfg.monA.name}'") + monA.wait_until_succeeds("ceph osd stat | grep -e '3 osds: 3 up[^,]*, 3 in'") + monA.wait_until_succeeds("ceph -s | grep 'mgr: ${cfg.monA.name}(active,'") + monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'") + ''; +in { + name = "basic-single-node-ceph-cluster"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ lejonet johanot ]; + }; + + nodes = { + monA = generateHost { pkgs = pkgs; cephConfig = cephConfigMonA; networkConfig = networkMonA; }; + }; + + testScript = testscript; +}) diff --git a/nixpkgs/nixos/tests/ceph.nix b/nixpkgs/nixos/tests/ceph.nix deleted file mode 100644 index 57120ff978f7..000000000000 --- a/nixpkgs/nixos/tests/ceph.nix +++ /dev/null @@ -1,161 +0,0 @@ -import ./make-test.nix ({pkgs, lib, ...}: { - name = "All-in-one-basic-ceph-cluster"; - meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ johanot lejonet ]; - }; - - nodes = { - aio = { pkgs, ... }: { - virtualisation = { - memorySize = 1536; - emptyDiskImages = [ 20480 20480 ]; - vlans = [ 1 ]; - }; - - networking = { - useDHCP = false; - interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [ - { address = "192.168.1.1"; prefixLength = 24; } - ]; - }; - - environment.systemPackages = with pkgs; [ - bash - sudo - ceph - xfsprogs - ]; - - boot.kernelModules = [ "xfs" ]; - - services.ceph.enable = true; - services.ceph.global = { - fsid = "066ae264-2a5d-4729-8001-6ad265f50b03"; - monInitialMembers = "aio"; - monHost = "192.168.1.1"; - }; - - services.ceph.mon = { - enable = true; - daemons = [ "aio" ]; - }; - - services.ceph.mgr = { - enable = true; - daemons = [ "aio" ]; - }; - - services.ceph.osd = { - enable = true; - daemons = [ "0" "1" ]; - }; - - # So that we don't have to battle systemd when bootstraping - systemd.targets.ceph.wantedBy = lib.mkForce []; - }; - }; - - testScript = { ... }: '' - startAll; - - $aio->waitForUnit("network.target"); - - # Create the ceph-related directories - $aio->mustSucceed( - "mkdir -p /var/lib/ceph/mgr/ceph-aio", - "mkdir -p /var/lib/ceph/mon/ceph-aio", - "mkdir -p /var/lib/ceph/osd/ceph-{0,1}", - "chown ceph:ceph -R /var/lib/ceph/", - "mkdir -p /etc/ceph", - "chown ceph:ceph -R /etc/ceph" - ); - - # Bootstrap ceph-mon daemon - $aio->mustSucceed( - "sudo -u ceph ceph-authtool --create-keyring /tmp/ceph.mon.keyring --gen-key -n mon. --cap mon 'allow *'", - "sudo -u ceph ceph-authtool --create-keyring /etc/ceph/ceph.client.admin.keyring --gen-key -n client.admin --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow *' --cap mgr 'allow *'", - "sudo -u ceph ceph-authtool /tmp/ceph.mon.keyring --import-keyring /etc/ceph/ceph.client.admin.keyring", - "monmaptool --create --add aio 192.168.1.1 --fsid 066ae264-2a5d-4729-8001-6ad265f50b03 /tmp/monmap", - "sudo -u ceph ceph-mon --mkfs -i aio --monmap /tmp/monmap --keyring /tmp/ceph.mon.keyring", - "sudo -u ceph touch /var/lib/ceph/mon/ceph-aio/done", - "systemctl start ceph-mon-aio" - ); - $aio->waitForUnit("ceph-mon-aio"); - $aio->mustSucceed("ceph mon enable-msgr2"); - - # Can't check ceph status until a mon is up - $aio->succeed("ceph -s | grep 'mon: 1 daemons'"); - - # Start the ceph-mgr daemon, it has no deps and hardly any setup - $aio->mustSucceed( - "ceph auth get-or-create mgr.aio mon 'allow profile mgr' osd 'allow *' mds 'allow *' > /var/lib/ceph/mgr/ceph-aio/keyring", - "systemctl start ceph-mgr-aio" - ); - $aio->waitForUnit("ceph-mgr-aio"); - $aio->waitUntilSucceeds("ceph -s | grep 'quorum aio'"); - $aio->waitUntilSucceeds("ceph -s | grep 'mgr: aio(active,'"); - - # Bootstrap both OSDs - $aio->mustSucceed( - "mkfs.xfs /dev/vdb", - "mkfs.xfs /dev/vdc", - "mount /dev/vdb /var/lib/ceph/osd/ceph-0", - "mount /dev/vdc /var/lib/ceph/osd/ceph-1", - "ceph-authtool --create-keyring /var/lib/ceph/osd/ceph-0/keyring --name osd.0 --add-key AQBCEJNa3s8nHRAANvdsr93KqzBznuIWm2gOGg==", - "ceph-authtool --create-keyring /var/lib/ceph/osd/ceph-1/keyring --name osd.1 --add-key AQBEEJNac00kExAAXEgy943BGyOpVH1LLlHafQ==", - "echo '{\"cephx_secret\": \"AQBCEJNa3s8nHRAANvdsr93KqzBznuIWm2gOGg==\"}' | ceph osd new 55ba2294-3e24-478f-bee0-9dca4c231dd9 -i -", - "echo '{\"cephx_secret\": \"AQBEEJNac00kExAAXEgy943BGyOpVH1LLlHafQ==\"}' | ceph osd new 5e97a838-85b6-43b0-8950-cb56d554d1e5 -i -" - ); - - # Initialize the OSDs with regular filestore - $aio->mustSucceed( - "ceph-osd -i 0 --mkfs --osd-uuid 55ba2294-3e24-478f-bee0-9dca4c231dd9", - "ceph-osd -i 1 --mkfs --osd-uuid 5e97a838-85b6-43b0-8950-cb56d554d1e5", - "chown -R ceph:ceph /var/lib/ceph/osd", - "systemctl start ceph-osd-0", - "systemctl start ceph-osd-1" - ); - - $aio->waitUntilSucceeds("ceph osd stat | grep -e '2 osds: 2 up[^,]*, 2 in'"); - $aio->waitUntilSucceeds("ceph -s | grep 'mgr: aio(active,'"); - $aio->waitUntilSucceeds("ceph -s | grep 'HEALTH_OK'"); - - $aio->mustSucceed( - "ceph osd pool create aio-test 100 100", - "ceph osd pool ls | grep 'aio-test'", - "ceph osd pool rename aio-test aio-other-test", - "ceph osd pool ls | grep 'aio-other-test'", - "ceph -s | grep '1 pools, 100 pgs'", - "ceph osd getcrushmap -o crush", - "crushtool -d crush -o decrushed", - "sed 's/step chooseleaf firstn 0 type host/step chooseleaf firstn 0 type osd/' decrushed > modcrush", - "crushtool -c modcrush -o recrushed", - "ceph osd setcrushmap -i recrushed", - "ceph osd pool set aio-other-test size 2" - ); - $aio->waitUntilSucceeds("ceph -s | grep 'HEALTH_OK'"); - $aio->waitUntilSucceeds("ceph -s | grep '100 active+clean'"); - $aio->mustFail( - "ceph osd pool ls | grep 'aio-test'", - "ceph osd pool delete aio-other-test aio-other-test --yes-i-really-really-mean-it" - ); - - # As we disable the target in the config, we still want to test that it works as intended - $aio->mustSucceed( - "systemctl stop ceph-osd-0", - "systemctl stop ceph-osd-1", - "systemctl stop ceph-mgr-aio", - "systemctl stop ceph-mon-aio" - ); - $aio->succeed("systemctl start ceph.target"); - $aio->waitForUnit("ceph-mon-aio"); - $aio->waitForUnit("ceph-mgr-aio"); - $aio->waitForUnit("ceph-osd-0"); - $aio->waitForUnit("ceph-osd-1"); - $aio->succeed("ceph -s | grep 'mon: 1 daemons'"); - $aio->waitUntilSucceeds("ceph -s | grep 'quorum aio'"); - $aio->waitUntilSucceeds("ceph osd stat | grep -e '2 osds: 2 up[^,]*, 2 in'"); - $aio->waitUntilSucceeds("ceph -s | grep 'mgr: aio(active,'"); - $aio->waitUntilSucceeds("ceph -s | grep 'HEALTH_OK'"); - ''; -}) diff --git a/nixpkgs/nixos/tests/certmgr.nix b/nixpkgs/nixos/tests/certmgr.nix index fe67833808ce..cb69f35e862f 100644 --- a/nixpkgs/nixos/tests/certmgr.nix +++ b/nixpkgs/nixos/tests/certmgr.nix @@ -3,7 +3,7 @@ pkgs ? import ../.. { inherit system config; } }: -with import ../lib/testing.nix { inherit system pkgs; }; +with import ../lib/testing-python.nix { inherit system pkgs; }; let mkSpec = { host, service ? null, action }: { inherit action; @@ -123,17 +123,17 @@ in ))); }; testScript = '' - $machine->waitForUnit('cfssl.service'); - $machine->waitUntilSucceeds('ls /tmp/decl.example.org-ca.pem'); - $machine->waitUntilSucceeds('ls /tmp/decl.example.org-key.pem'); - $machine->waitUntilSucceeds('ls /tmp/decl.example.org-cert.pem'); - $machine->waitUntilSucceeds('ls /tmp/imp.example.org-ca.pem'); - $machine->waitUntilSucceeds('ls /tmp/imp.example.org-key.pem'); - $machine->waitUntilSucceeds('ls /tmp/imp.example.org-cert.pem'); - $machine->waitForUnit('nginx.service'); - $machine->succeed('[ "1" -lt "$(journalctl -u nginx | grep "Starting Nginx" | wc -l)" ]'); - $machine->succeed('curl --cacert /tmp/imp.example.org-ca.pem https://imp.example.org'); - $machine->succeed('curl --cacert /tmp/decl.example.org-ca.pem https://decl.example.org'); + machine.wait_for_unit("cfssl.service") + machine.wait_until_succeeds("ls /tmp/decl.example.org-ca.pem") + machine.wait_until_succeeds("ls /tmp/decl.example.org-key.pem") + machine.wait_until_succeeds("ls /tmp/decl.example.org-cert.pem") + machine.wait_until_succeeds("ls /tmp/imp.example.org-ca.pem") + machine.wait_until_succeeds("ls /tmp/imp.example.org-key.pem") + machine.wait_until_succeeds("ls /tmp/imp.example.org-cert.pem") + machine.wait_for_unit("nginx.service") + assert 1 < int(machine.succeed('journalctl -u nginx | grep "Starting Nginx" | wc -l')) + machine.succeed("curl --cacert /tmp/imp.example.org-ca.pem https://imp.example.org") + machine.succeed("curl --cacert /tmp/decl.example.org-ca.pem https://decl.example.org") ''; }; @@ -143,8 +143,8 @@ in test = mkSpec { host = "command.example.org"; action = "touch /tmp/command.executed"; }; }; testScript = '' - $machine->waitForUnit('cfssl.service'); - $machine->waitUntilSucceeds('stat /tmp/command.executed'); + machine.wait_for_unit("cfssl.service") + machine.wait_until_succeeds("stat /tmp/command.executed") ''; }; diff --git a/nixpkgs/nixos/tests/cfssl.nix b/nixpkgs/nixos/tests/cfssl.nix index 513ed8c45741..e291fc285fba 100644 --- a/nixpkgs/nixos/tests/cfssl.nix +++ b/nixpkgs/nixos/tests/cfssl.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "cfssl"; machine = { config, lib, pkgs, ... }: @@ -60,8 +60,8 @@ import ./make-test.nix ({ pkgs, ...} : { }); in '' - $machine->waitForUnit('cfssl.service'); - $machine->waitUntilSucceeds('${cfsslrequest}'); - $machine->succeed('ls /tmp/certificate-key.pem'); + machine.wait_for_unit("cfssl.service") + machine.wait_until_succeeds("${cfsslrequest}") + machine.succeed("ls /tmp/certificate-key.pem") ''; }) diff --git a/nixpkgs/nixos/tests/chromium.nix b/nixpkgs/nixos/tests/chromium.nix index af5db2a3dbe1..a5531d112e3c 100644 --- a/nixpkgs/nixos/tests/chromium.nix +++ b/nixpkgs/nixos/tests/chromium.nix @@ -36,7 +36,7 @@ mapAttrs (channel: chromiumPkg: makeTest rec { <body onload="javascript:document.title='startup done'"> <img src="file://${pkgs.fetchurl { url = "http://nixos.org/logo/nixos-hex.svg"; - sha256 = "0wxpp65npdw2cg8m0cxc9qff1sb3b478cxpg1741d8951g948rg8"; + sha256 = "07ymq6nw8kc22m7kzxjxldhiq8gzmc7f45kq2bvhbdm0w5s112s4"; }}" /> </body> </html> diff --git a/nixpkgs/nixos/tests/cjdns.nix b/nixpkgs/nixos/tests/cjdns.nix index 6660eecf05b9..d72236d415d4 100644 --- a/nixpkgs/nixos/tests/cjdns.nix +++ b/nixpkgs/nixos/tests/cjdns.nix @@ -17,7 +17,7 @@ let in -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "cjdns"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ ehmry ]; @@ -83,36 +83,39 @@ import ./make-test.nix ({ pkgs, ...} : { testScript = '' - startAll; + import re - $alice->waitForUnit("cjdns.service"); - $bob->waitForUnit("cjdns.service"); - $carol->waitForUnit("cjdns.service"); + start_all() - sub cjdnsIp { - my ($machine) = @_; - my $ip = (split /[ \/]+/, $machine->succeed("ip -o -6 addr show dev tun0"))[3]; - $machine->log("has ip $ip"); - return $ip; - } + alice.wait_for_unit("cjdns.service") + bob.wait_for_unit("cjdns.service") + carol.wait_for_unit("cjdns.service") - my $aliceIp6 = cjdnsIp $alice; - my $bobIp6 = cjdnsIp $bob; - my $carolIp6 = cjdnsIp $carol; + + def cjdns_ip(machine): + res = machine.succeed("ip -o -6 addr show dev tun0") + ip = re.split("\s+|/", res)[3] + machine.log("has ip {}".format(ip)) + return ip + + + alice_ip6 = cjdns_ip(alice) + bob_ip6 = cjdns_ip(bob) + carol_ip6 = cjdns_ip(carol) # ping a few times each to let the routing table establish itself - $alice->succeed("ping -c 4 $carolIp6"); - $bob->succeed("ping -c 4 $carolIp6"); + alice.succeed("ping -c 4 {}".format(carol_ip6)) + bob.succeed("ping -c 4 {}".format(carol_ip6)) - $carol->succeed("ping -c 4 $aliceIp6"); - $carol->succeed("ping -c 4 $bobIp6"); + carol.succeed("ping -c 4 {}".format(alice_ip6)) + carol.succeed("ping -c 4 {}".format(bob_ip6)) - $alice->succeed("ping -c 4 $bobIp6"); - $bob->succeed("ping -c 4 $aliceIp6"); + alice.succeed("ping -c 4 {}".format(bob_ip6)) + bob.succeed("ping -c 4 {}".format(alice_ip6)) - $alice->waitForUnit("httpd.service"); + alice.wait_for_unit("httpd.service") - $bob->succeed("curl --fail -g http://[$aliceIp6]"); + bob.succeed("curl --fail -g http://[{}]".format(alice_ip6)) ''; }) diff --git a/nixpkgs/nixos/tests/clickhouse.nix b/nixpkgs/nixos/tests/clickhouse.nix index 7d835069ec4d..2d8a7cf7aa9f 100644 --- a/nixpkgs/nixos/tests/clickhouse.nix +++ b/nixpkgs/nixos/tests/clickhouse.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: { +import ./make-test-python.nix ({ pkgs, ... }: { name = "clickhouse"; meta.maintainers = with pkgs.stdenv.lib.maintainers; [ ma27 ]; @@ -14,12 +14,18 @@ import ./make-test.nix ({ pkgs, ... }: { selectQuery = pkgs.writeText "select.sql" "SELECT * from `demo`"; in '' - $machine->start(); - $machine->waitForUnit("clickhouse.service"); - $machine->waitForOpenPort(9000); + machine.start() + machine.wait_for_unit("clickhouse.service") + machine.wait_for_open_port(9000) - $machine->succeed("cat ${tableDDL} | clickhouse-client"); - $machine->succeed("cat ${insertQuery} | clickhouse-client"); - $machine->succeed("cat ${selectQuery} | clickhouse-client | grep foo"); + machine.succeed( + "cat ${tableDDL} | clickhouse-client" + ) + machine.succeed( + "cat ${insertQuery} | clickhouse-client" + ) + machine.succeed( + "cat ${selectQuery} | clickhouse-client | grep foo" + ) ''; }) diff --git a/nixpkgs/nixos/tests/cloud-init.nix b/nixpkgs/nixos/tests/cloud-init.nix index 516d29c9036b..aafa6e24e84a 100644 --- a/nixpkgs/nixos/tests/cloud-init.nix +++ b/nixpkgs/nixos/tests/cloud-init.nix @@ -3,7 +3,7 @@ pkgs ? import ../.. { inherit system config; } }: -with import ../lib/testing.nix { inherit system pkgs; }; +with import ../lib/testing-python.nix { inherit system pkgs; }; with pkgs.lib; let @@ -30,6 +30,7 @@ let ''; }; in makeTest { + name = "cloud-init"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ lewo ]; }; @@ -40,10 +41,12 @@ in makeTest { services.cloud-init.enable = true; }; testScript = '' - $machine->start; - $machine->waitForUnit("cloud-init.service"); - $machine->succeed("cat /tmp/cloudinit-write-file | grep -q 'cloudinit'"); + machine.start() + machine.wait_for_unit("cloud-init.service") + machine.succeed("cat /tmp/cloudinit-write-file | grep -q 'cloudinit'") - $machine->waitUntilSucceeds("cat /root/.ssh/authorized_keys | grep -q 'should be a key!'"); + machine.wait_until_succeeds( + "cat /root/.ssh/authorized_keys | grep -q 'should be a key!'" + ) ''; } diff --git a/nixpkgs/nixos/tests/codimd.nix b/nixpkgs/nixos/tests/codimd.nix index 562f6f24f999..b1acbf4a8322 100644 --- a/nixpkgs/nixos/tests/codimd.nix +++ b/nixpkgs/nixos/tests/codimd.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, lib, ... }: +import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "codimd"; @@ -35,20 +35,18 @@ import ./make-test.nix ({ pkgs, lib, ... }: }; testScript = '' - startAll(); + start_all() - subtest "CodiMD sqlite", sub { - $codimdSqlite->waitForUnit("codimd.service"); - $codimdSqlite->waitForOpenPort(3000); - $codimdSqlite->waitUntilSucceeds("curl -sSf http://localhost:3000/new"); - }; + with subtest("CodiMD sqlite"): + codimdSqlite.wait_for_unit("codimd.service") + codimdSqlite.wait_for_open_port(3000) + codimdSqlite.wait_until_succeeds("curl -sSf http://localhost:3000/new") - subtest "CodiMD postgres", sub { - $codimdPostgres->waitForUnit("postgresql.service"); - $codimdPostgres->waitForUnit("codimd.service"); - $codimdPostgres->waitForOpenPort(5432); - $codimdPostgres->waitForOpenPort(3000); - $codimdPostgres->waitUntilSucceeds("curl -sSf http://localhost:3000/new"); - }; + with subtest("CodiMD postgres"): + codimdPostgres.wait_for_unit("postgresql.service") + codimdPostgres.wait_for_unit("codimd.service") + codimdPostgres.wait_for_open_port(5432) + codimdPostgres.wait_for_open_port(3000) + codimdPostgres.wait_until_succeeds("curl -sSf http://localhost:3000/new") ''; }) diff --git a/nixpkgs/nixos/tests/colord.nix b/nixpkgs/nixos/tests/colord.nix deleted file mode 100644 index ce38aaca4bf2..000000000000 --- a/nixpkgs/nixos/tests/colord.nix +++ /dev/null @@ -1,18 +0,0 @@ -# run installed tests -import ./make-test.nix ({ pkgs, ... }: - -{ - name = "colord"; - - meta = { - maintainers = pkgs.colord.meta.maintainers; - }; - - machine = { pkgs, ... }: { - environment.systemPackages = with pkgs; [ gnome-desktop-testing ]; - }; - - testScript = '' - $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.colord.installedTests}/share'"); - ''; -}) diff --git a/nixpkgs/nixos/tests/common/letsencrypt/common.nix b/nixpkgs/nixos/tests/common/letsencrypt/common.nix index 798a749f7f9b..c530de817bf2 100644 --- a/nixpkgs/nixos/tests/common/letsencrypt/common.nix +++ b/nixpkgs/nixos/tests/common/letsencrypt/common.nix @@ -1,27 +1,9 @@ -{ lib, nodes, ... }: { +{ lib, nodes, pkgs, ... }: let + letsencrypt-ca = nodes.letsencrypt.config.test-support.letsencrypt.caCert; +in { networking.nameservers = [ nodes.letsencrypt.config.networking.primaryIPAddress ]; - nixpkgs.overlays = lib.singleton (self: super: { - cacert = super.cacert.overrideDerivation (drv: { - installPhase = (drv.installPhase or "") + '' - cat "${nodes.letsencrypt.config.test-support.letsencrypt.caCert}" \ - >> "$out/etc/ssl/certs/ca-bundle.crt" - ''; - }); - - # Override certifi so that it accepts fake certificate for Let's Encrypt - # Need to override the attribute used by simp_le, which is python3Packages - python3Packages = (super.python3.override { - packageOverrides = lib.const (pysuper: { - certifi = pysuper.certifi.overridePythonAttrs (attrs: { - postPatch = (attrs.postPatch or "") + '' - cat "${self.cacert}/etc/ssl/certs/ca-bundle.crt" \ - > certifi/cacert.pem - ''; - }); - }); - }).pkgs; - }); + security.pki.certificateFiles = [ letsencrypt-ca ]; } diff --git a/nixpkgs/nixos/tests/common/letsencrypt/default.nix b/nixpkgs/nixos/tests/common/letsencrypt/default.nix index 58d87c64e344..110a2520971d 100644 --- a/nixpkgs/nixos/tests/common/letsencrypt/default.nix +++ b/nixpkgs/nixos/tests/common/letsencrypt/default.nix @@ -1,6 +1,3 @@ -# Fully pluggable module to have Letsencrypt's Boulder ACME service running in -# a test environment. -# # The certificate for the ACME service is exported as: # # config.test-support.letsencrypt.caCert @@ -54,277 +51,35 @@ # that it has to be started _before_ the ACME service. { config, pkgs, lib, ... }: -let - softhsm = pkgs.stdenv.mkDerivation rec { - pname = "softhsm"; - version = "1.3.8"; - - src = pkgs.fetchurl { - url = "https://dist.opendnssec.org/source/${pname}-${version}.tar.gz"; - sha256 = "0flmnpkgp65ym7w3qyg78d3fbmvq3aznmi66rgd420n33shf7aif"; - }; - - configureFlags = [ "--with-botan=${pkgs.botan}" ]; - buildInputs = [ pkgs.sqlite ]; - }; - - pkcs11-proxy = pkgs.stdenv.mkDerivation { - name = "pkcs11-proxy"; - - src = pkgs.fetchFromGitHub { - owner = "SUNET"; - repo = "pkcs11-proxy"; - rev = "944684f78bca0c8da6cabe3fa273fed3db44a890"; - sha256 = "1nxgd29y9wmifm11pjcdpd2y293p0dgi0x5ycis55miy97n0f5zy"; - }; - - postPatch = "patchShebangs mksyscalls.sh"; - - nativeBuildInputs = [ pkgs.cmake ]; - buildInputs = [ pkgs.openssl pkgs.libseccomp ]; - }; - - mkGoDep = { goPackagePath, url ? "https://${goPackagePath}", rev, sha256 }: { - inherit goPackagePath; - src = pkgs.fetchgit { inherit url rev sha256; }; - }; - - goose = let - owner = "liamstask"; - repo = "goose"; - rev = "8488cc47d90c8a502b1c41a462a6d9cc8ee0a895"; - version = "20150116"; - - in pkgs.buildGoPackage rec { - name = "${repo}-${version}"; - - src = pkgs.fetchFromBitbucket { - name = "${name}-src"; - inherit rev owner repo; - sha256 = "1jy0pscxjnxjdg3hj111w21g8079rq9ah2ix5ycxxhbbi3f0wdhs"; - }; - - goPackagePath = "bitbucket.org/${owner}/${repo}"; - subPackages = [ "cmd/goose" ]; - extraSrcs = map mkGoDep [ - { goPackagePath = "github.com/go-sql-driver/mysql"; - rev = "2e00b5cd70399450106cec6431c2e2ce3cae5034"; - sha256 = "085g48jq9hzmlcxg122n0c4pi41sc1nn2qpx1vrl2jfa8crsppa5"; - } - { goPackagePath = "github.com/kylelemons/go-gypsy"; - rev = "08cad365cd28a7fba23bb1e57aa43c5e18ad8bb8"; - sha256 = "1djv7nii3hy451n5jlslk0dblqzb1hia1cbqpdwhnps1g8hqjy8q"; - } - { goPackagePath = "github.com/lib/pq"; - rev = "ba5d4f7a35561e22fbdf7a39aa0070f4d460cfc0"; - sha256 = "1mfbqw9g00bk24bfmf53wri5c2wqmgl0qh4sh1qv2da13a7cwwg3"; - } - { goPackagePath = "github.com/mattn/go-sqlite3"; - rev = "2acfafad5870400156f6fceb12852c281cbba4d5"; - sha256 = "1rpgil3w4hh1cibidskv1js898hwz83ps06gh0hm3mym7ki8d5h7"; - } - { goPackagePath = "github.com/ziutek/mymysql"; - rev = "0582bcf675f52c0c2045c027fd135bd726048f45"; - sha256 = "0bkc9x8sgqbzgdimsmsnhb0qrzlzfv33fgajmmjxl4hcb21qz3rf"; - } - { goPackagePath = "golang.org/x/net"; - url = "https://go.googlesource.com/net"; - rev = "10c134ea0df15f7e34d789338c7a2d76cc7a3ab9"; - sha256 = "14cbr2shl08gyg85n5gj7nbjhrhhgrd52h073qd14j97qcxsakcz"; - } - ]; - }; - - boulder = let - owner = "letsencrypt"; - repo = "boulder"; - rev = "9c6a1f2adc4c26d925588f5ae366cfd4efb7813a"; - version = "20180129"; - - in pkgs.buildGoPackage rec { - name = "${repo}-${version}"; - - src = pkgs.fetchFromGitHub { - name = "${name}-src"; - inherit rev owner repo; - sha256 = "09kszswrifm9rc6idfaq0p1mz5w21as2qbc8gd5pphrq9cf9pn55"; - }; - - postPatch = '' - # compat for go < 1.8 - sed -i -e 's/time\.Until(\([^)]\+\))/\1.Sub(time.Now())/' \ - test/ocsp/helper/helper.go - - find test -type f -exec sed -i -e '/libpkcs11-proxy.so/ { - s,/usr/local,${pkcs11-proxy}, - }' {} + - - sed -i -r \ - -e '/^def +install/a \ return True' \ - -e 's,exec \./bin/,,' \ - test/startservers.py - - cat ${lib.escapeShellArg snakeOilCerts.ca.key} > test/test-ca.key - cat ${lib.escapeShellArg snakeOilCerts.ca.cert} > test/test-ca.pem - ''; - - # Until vendored pkcs11 is go 1.9 compatible - preBuild = '' - rm -r go/src/github.com/letsencrypt/boulder/vendor/github.com/miekg/pkcs11 - ''; - - # XXX: Temporarily brought back putting the source code in the output, - # since e95f17e2720e67e2eabd59d7754c814d3e27a0b2 was removing that from - # buildGoPackage. - preInstall = '' - mkdir -p $out - pushd "$NIX_BUILD_TOP/go" - while read f; do - echo "$f" | grep -q '^./\(src\|pkg/[^/]*\)/${goPackagePath}' \ - || continue - mkdir -p "$(dirname "$out/share/go/$f")" - cp "$NIX_BUILD_TOP/go/$f" "$out/share/go/$f" - done < <(find . -type f) - popd - ''; - - extraSrcs = map mkGoDep [ - { goPackagePath = "github.com/miekg/pkcs11"; - rev = "6dbd569b952ec150d1425722dbbe80f2c6193f83"; - sha256 = "1m8g6fx7df6hf6q6zsbyw1icjmm52dmsx28rgb0h930wagvngfwb"; - } - ]; - - goPackagePath = "github.com/${owner}/${repo}"; - buildInputs = [ pkgs.libtool ]; - }; - - boulderSource = "${boulder.out}/share/go/src/${boulder.goPackagePath}"; - - softHsmConf = pkgs.writeText "softhsm.conf" '' - 0:/var/lib/softhsm/slot0.db - 1:/var/lib/softhsm/slot1.db - ''; +let snakeOilCerts = import ./snakeoil-certs.nix; - wfeDomain = "acme-v01.api.letsencrypt.org"; + wfeDomain = "acme-v02.api.letsencrypt.org"; wfeCertFile = snakeOilCerts.${wfeDomain}.cert; wfeKeyFile = snakeOilCerts.${wfeDomain}.key; siteDomain = "letsencrypt.org"; siteCertFile = snakeOilCerts.${siteDomain}.cert; siteKeyFile = snakeOilCerts.${siteDomain}.key; - - # Retrieved via: - # curl -s -I https://acme-v01.api.letsencrypt.org/terms \ - # | sed -ne 's/^[Ll]ocation: *//p' - tosUrl = "https://letsencrypt.org/documents/2017.11.15-LE-SA-v1.2.pdf"; - tosPath = builtins.head (builtins.match "https?://[^/]+(.*)" tosUrl); - - tosFile = pkgs.fetchurl { - url = tosUrl; - sha256 = "0yvyckqzj0b1xi61sypcha82nanizzlm8yqy828h2jbza7cxi26c"; - }; - + pebble = pkgs.pebble; resolver = let message = "You need to define a resolver for the letsencrypt test module."; firstNS = lib.head config.networking.nameservers; in if config.networking.nameservers == [] then throw message else firstNS; - cfgDir = pkgs.stdenv.mkDerivation { - name = "boulder-config"; - src = "${boulderSource}/test/config"; - nativeBuildInputs = [ pkgs.jq ]; - phases = [ "unpackPhase" "patchPhase" "installPhase" ]; - postPatch = '' - sed -i -e 's/5002/80/' -e 's/5002/443/' va.json - sed -i -e '/listenAddress/s/:4000/:80/' wfe.json - sed -i -r \ - -e ${lib.escapeShellArg "s,http://boulder:4000/terms/v1,${tosUrl},g"} \ - -e 's,http://(boulder|127\.0\.0\.1):4000,https://${wfeDomain},g' \ - -e '/dnsResolver/s/127\.0\.0\.1:8053/${resolver}:53/' \ - *.json - if grep 4000 *.json; then exit 1; fi - - # Change all ports from 1909X to 909X, because the 1909X range of ports is - # allocated by startservers.py in order to intercept gRPC communication. - sed -i -e 's/\<1\(909[0-9]\)\>/\1/' *.json - - # Patch out all additional issuer certs - jq '. + {ca: (.ca + {Issuers: - [.ca.Issuers[] | select(.CertFile == "test/test-ca.pem")] - })}' ca.json > tmp - mv tmp ca.json - ''; - installPhase = "cp -r . \"$out\""; - }; - - components = { - gsb-test-srv.args = "-apikey my-voice-is-my-passport"; - gsb-test-srv.waitForPort = 6000; - gsb-test-srv.first = true; - boulder-sa.args = "--config ${cfgDir}/sa.json"; - boulder-wfe.args = "--config ${cfgDir}/wfe.json"; - boulder-ra.args = "--config ${cfgDir}/ra.json"; - boulder-ca.args = "--config ${cfgDir}/ca.json"; - boulder-va.args = "--config ${cfgDir}/va.json"; - boulder-publisher.args = "--config ${cfgDir}/publisher.json"; - boulder-publisher.waitForPort = 9091; - ocsp-updater.args = "--config ${cfgDir}/ocsp-updater.json"; - ocsp-updater.after = [ "boulder-publisher" ]; - ocsp-responder.args = "--config ${cfgDir}/ocsp-responder.json"; - ct-test-srv = {}; - mail-test-srv.args = let - key = "${boulderSource}/test/mail-test-srv/minica-key.pem"; - crt = "${boulderSource}/test/mail-test-srv/minica.pem"; - in - "--closeFirst 5 --cert ${crt} --key ${key}"; + pebbleConf.pebble = { + listenAddress = "0.0.0.0:443"; + managementListenAddress = "0.0.0.0:15000"; + certificate = snakeOilCerts.${wfeDomain}.cert; + privateKey = snakeOilCerts.${wfeDomain}.key; + httpPort = 80; + tlsPort = 443; + ocspResponderURL = "http://0.0.0.0:4002"; }; - commonPath = [ softhsm pkgs.mariadb goose boulder ]; - - mkServices = a: b: with lib; listToAttrs (concatLists (mapAttrsToList a b)); - - componentServices = mkServices (name: attrs: let - mkSrvName = n: "boulder-${n}.service"; - firsts = lib.filterAttrs (lib.const (c: c.first or false)) components; - firstServices = map mkSrvName (lib.attrNames firsts); - firstServicesNoSelf = lib.remove "boulder-${name}.service" firstServices; - additionalAfter = firstServicesNoSelf ++ map mkSrvName (attrs.after or []); - needsPort = attrs ? waitForPort; - inits = map (n: "boulder-init-${n}.service") [ "mysql" "softhsm" ]; - portWaiter = { - name = "boulder-${name}"; - value = { - description = "Wait For Port ${toString attrs.waitForPort} (${name})"; - after = [ "boulder-real-${name}.service" "bind.service" ]; - requires = [ "boulder-real-${name}.service" ]; - requiredBy = [ "boulder.service" ]; - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; - script = let - netcat = "${pkgs.libressl.nc}/bin/nc"; - portCheck = "${netcat} -z 127.0.0.1 ${toString attrs.waitForPort}"; - in "while ! ${portCheck}; do :; done"; - }; - }; - in lib.optional needsPort portWaiter ++ lib.singleton { - name = if needsPort then "boulder-real-${name}" else "boulder-${name}"; - value = { - description = "Boulder ACME Component (${name})"; - after = inits ++ additionalAfter; - requires = inits; - requiredBy = [ "boulder.service" ]; - path = commonPath; - environment.GORACE = "halt_on_error=1"; - environment.SOFTHSM_CONF = softHsmConf; - environment.PKCS11_PROXY_SOCKET = "tcp://127.0.0.1:5657"; - serviceConfig.WorkingDirectory = boulderSource; - serviceConfig.ExecStart = "${boulder}/bin/${name} ${attrs.args or ""}"; - serviceConfig.Restart = "on-failure"; - }; - }) components; + pebbleConfFile = pkgs.writeText "pebble.conf" (builtins.toJSON pebbleConf); + pebbleDataDir = "/root/pebble"; in { imports = [ ../resolver.nix ]; @@ -352,94 +107,29 @@ in { networking.firewall.enable = false; networking.extraHosts = '' - 127.0.0.1 ${toString [ - "sa.boulder" "ra.boulder" "wfe.boulder" "ca.boulder" "va.boulder" - "publisher.boulder" "ocsp-updater.boulder" "admin-revoker.boulder" - "boulder" "boulder-mysql" wfeDomain - ]} + 127.0.0.1 ${wfeDomain} ${config.networking.primaryIPAddress} ${wfeDomain} ${siteDomain} ''; - services.mysql.enable = true; - services.mysql.package = pkgs.mariadb; - - services.nginx.enable = true; - services.nginx.recommendedProxySettings = true; - # This fixes the test on i686 - services.nginx.commonHttpConfig = '' - server_names_hash_bucket_size 64; - ''; - services.nginx.virtualHosts.${wfeDomain} = { - onlySSL = true; - enableACME = false; - sslCertificate = wfeCertFile; - sslCertificateKey = wfeKeyFile; - locations."/".proxyPass = "http://127.0.0.1:80"; - }; - services.nginx.virtualHosts.${siteDomain} = { - onlySSL = true; - enableACME = false; - sslCertificate = siteCertFile; - sslCertificateKey = siteKeyFile; - locations."= ${tosPath}".alias = tosFile; - }; - systemd.services = { - pkcs11-daemon = { - description = "PKCS11 Daemon"; - after = [ "boulder-init-softhsm.service" ]; - before = map (n: "${n}.service") (lib.attrNames componentServices); - wantedBy = [ "multi-user.target" ]; - environment.SOFTHSM_CONF = softHsmConf; - environment.PKCS11_DAEMON_SOCKET = "tcp://127.0.0.1:5657"; - serviceConfig.ExecStart = let - softhsmLib = "${softhsm}/lib/softhsm/libsofthsm.so"; - in "${pkcs11-proxy}/bin/pkcs11-daemon ${softhsmLib}"; - }; - - boulder-init-mysql = { - description = "Boulder ACME Init (MySQL)"; - after = [ "mysql.service" ]; - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; - serviceConfig.WorkingDirectory = boulderSource; - path = commonPath; - script = "${pkgs.bash}/bin/sh test/create_db.sh"; - }; - - boulder-init-softhsm = { - description = "Boulder ACME Init (SoftHSM)"; - environment.SOFTHSM_CONF = softHsmConf; - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; - serviceConfig.WorkingDirectory = boulderSource; - preStart = "mkdir -p /var/lib/softhsm"; - path = commonPath; + pebble = { + enable = true; + description = "Pebble ACME server"; + requires = [ ]; + wantedBy = [ "network.target" ]; + preStart = '' + mkdir ${pebbleDataDir} + ''; script = '' - softhsm --slot 0 --init-token \ - --label intermediate --pin 5678 --so-pin 1234 - softhsm --slot 0 --import test/test-ca.key \ - --label intermediate_key --pin 5678 --id FB - softhsm --slot 1 --init-token \ - --label root --pin 5678 --so-pin 1234 - softhsm --slot 1 --import test/test-root.key \ - --label root_key --pin 5678 --id FA + cd ${pebbleDataDir} + ${pebble}/bin/pebble -config ${pebbleConfFile} ''; + serviceConfig = { + # Required to bind on privileged ports. + User = "root"; + Group = "root"; + }; }; - - boulder = { - description = "Boulder ACME Server"; - after = map (n: "${n}.service") (lib.attrNames componentServices); - wantedBy = [ "multi-user.target" ]; - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; - script = let - ports = lib.range 8000 8005 ++ lib.singleton 80; - netcat = "${pkgs.libressl.nc}/bin/nc"; - mkPortCheck = port: "${netcat} -z 127.0.0.1 ${toString port}"; - checks = "(${lib.concatMapStringsSep " && " mkPortCheck ports})"; - in "while ! ${checks}; do :; done"; - }; - } // componentServices; + }; }; } diff --git a/nixpkgs/nixos/tests/common/letsencrypt/mkcerts.nix b/nixpkgs/nixos/tests/common/letsencrypt/mkcerts.nix index 3b4a589e4142..e7ac2bae46bd 100644 --- a/nixpkgs/nixos/tests/common/letsencrypt/mkcerts.nix +++ b/nixpkgs/nixos/tests/common/letsencrypt/mkcerts.nix @@ -1,7 +1,7 @@ { pkgs ? import <nixpkgs> {} , lib ? pkgs.lib -, domains ? [ "acme-v01.api.letsencrypt.org" "letsencrypt.org" ] +, domains ? [ "acme-v02.api.letsencrypt.org" "letsencrypt.org" ] }: pkgs.runCommand "letsencrypt-snakeoil-ca" { diff --git a/nixpkgs/nixos/tests/common/letsencrypt/snakeoil-certs.nix b/nixpkgs/nixos/tests/common/letsencrypt/snakeoil-certs.nix index c3d29ab8f163..ca4f71ae688a 100644 --- a/nixpkgs/nixos/tests/common/letsencrypt/snakeoil-certs.nix +++ b/nixpkgs/nixos/tests/common/letsencrypt/snakeoil-certs.nix @@ -2,252 +2,253 @@ { ca.key = builtins.toFile "ca.key" '' -----BEGIN PRIVATE KEY----- - MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDfdVxC/4HwhuzD - 9or9CDDu3TBQE5lirJI5KYmfMZtfgdzEjgOzmR9AVSkn2rQeCqzM5m+YCzPO+2y7 - 0Fdk7vDORi1OdhYfUQIW6/TZ27xEjx4t82j9i705yUqTJZKjMbD830geXImJ6VGj - Nv/WisTHmwBspWKefYQPN68ZvYNCn0d5rYJg9uROZPJHSI0MYj9iERWIPN+xhZoS - xN74ILJ0rEOQfx2GHDhTr99vZYAFqbAIfh35fYulRWarUSekI+rDxa83FD8q9cMg - OP84KkLep2dRXXTbUWErGUOpHP55M9M7ws0RVNdl9PUSbDgChl7yYlHCde3261q/ - zGp5dMV/t/jXXNUgRurvXc4gUKKjS4Sffvg0XVnPs3sMlZ4JNmycK9klgISVmbTK - VcjRRJv8Bva2NQVsJ9TIryV0QEk94DucgsC3LbhQfQdmnWVcEdzwrZHNpk9az5mn - w42RuvZW9L19T7xpIrdLSHaOis4VEquZjkWIhfIz0DVMeXtYEQmwqFG23Ww0utcp - mCW4FPvpyYs5GAPmGWfrlMxsLD/7eteot3AheC+56ZBoVBnI8FFvIX2qci+gfVDu - CjvDmbyS/0NvxLGqvSC1GUPmWP3TR5Fb1H8Rp+39zJHRmH+qYWlhcv6p7FlY2/6d - 9Rkw8WKRTSCB7yeUdNNPiPopk6N4NwIDAQABAoICAQCzV0ei5dntpvwjEp3eElLj - glYiDnjOPt5kTjgLsg6XCmyau7ewzrXMNgz/1YE1ky+4i0EI8AS2nAdafQ2HDlXp - 11zJWfDLVYKtztYGe1qQU6TPEEo1I4/M7waRLliP7XO0n6cL5wzjyIQi0CNolprz - 8CzZBasutGHmrLQ1nmnYcGk2+NBo7f2yBUaFe27of3mLRVbYrrKBkU5kveiNkABp - r0/SipKxbbivQbm7d+TVpqiHSGDaOa54CEksOcfs7n6efOvw8qj326KtG9GJzDE6 - 7XP4U19UHe40XuR0t7Zso/FmRyO6QzNUutJt5LjXHezZ75razTcdMyr0QCU8MUHH - jXZxQCsbt+9AmdxUMBm1SMNVBdHYM8oiNHynlgsEj9eM6jxDEss/Uc3FeKoHl+XL - L6m28guIB8NivqjVzZcwhxvdiQCzYxjyqMC+/eX7aaK4NIlX2QRMoDL6mJ58Bz/8 - V2Qxp2UNVwKJFWAmpgXC+sq6XV/TP3HkOvd0OK82Nid2QxEvfE/EmOhU63qAjgUR - QnteLEcJ3MkGGurs05pYBDE7ejKVz6uu2tHahFMOv+yanGP2gfivnT9a323/nTqH - oR5ffMEI1u/ufpWU7sWXZfL/mH1L47x87k+9wwXHCPeSigcy+hFI7t1+rYsdCmz9 - V6QtmxZHMLanwzh5R0ipcQKCAQEA8kuZIz9JyYP6L+5qmIUxiWESihVlRCSKIqLB - fJ5sQ06aDBV2sqS4XnoWsHuJWUd39rulks8cg8WIQu8oJwVkFI9EpARt/+a1fRP0 - Ncc9qiBdP6VctQGgKfe5KyOfMzIBUl3zj2cAmU6q+CW1OgdhnEl4QhgBe5XQGquZ - Alrd2P2jhJbMO3sNFgzTy7xPEr3KqUy+L4gtRnGOegKIh8EllmsyMRO4eIrZV2z3 - XI+S2ZLyUn3WHYkaJqvUFrbfekgBBmbk5Ead6ImlsLsBla6MolKrVYV1kN6KT+Y+ - plcxNpWY8bnWfw5058OWPLPa9LPfReu9rxAeGT2ZLmAhSkjGxQKCAQEA7BkBzT3m - SIzop9RKl5VzYbVysCYDjFU9KYMW5kBIw5ghSMnRmU7kXIZUkc6C1L/v9cTNFFLw - ZSF4vCHLdYLmDysW2d4DU8fS4qdlDlco5A00g8T1FS7nD9CzdkVN/oix6ujw7RuI - 7pE1K3JELUYFBc8AZ7mIGGbddeCwnM+NdPIlhWzk5s4x4/r31cdk0gzor0kE4e+d - 5m0s1T4O/Iak6rc0MGDeTejZQg04p1eAJFYQ6OY23tJhH/kO8CMYnQ4fidfCkf8v - 85v4EC1MCorFR7J65uSj8MiaL7LTXPvLAkgFls1c3ijQ2tJ8qXvqmfo0by33T1OF - ZGyaOP9/1WQSywKCAQB47m6CfyYO5EZNAgxGD8SHsuGT9dXTSwF/BAjacB/NAEA2 - 48eYpko3LWyBrUcCPn+LsGCVg7XRtxepgMBjqXcoI9G4o1VbsgTHZtwus0D91qV0 - DM7WsPcFu1S6SU8+OCkcuTPFUT2lRvRiYj+vtNttK+ZP5rdmvYFermLyH/Q2R3ID - zVgmH+aKKODVASneSsgJ8/nAs5EVZbwc/YKzbx2Zk+s7P4KE95g+4G4dzrMW0RcN - QS1LFJDu2DhFFgU4fRO15Ek9/lj2JS2DpfLGiJY8tlI5nyDsq4YRFvQSBdbUTZpG - m+CJDegffSlRJtuT4ur/dQf5hmvfYTVBRk2XS/eZAoIBAB143a22PWnvFRfmO02C - 3X1j/iYZCLZa6aCl+ZTSj4LDGdyRPPXrUDxwlFwDMHfIYfcHEyanV9T4Aa9SdKh9 - p6RbF6YovbeWqS+b/9RzcupM77JHQuTbDwL9ZXmtGxhcDgGqBHFEz6ogPEfpIrOY - GwZnmcBY+7E4HgsZ+lII4rqng6GNP2HEeZvg91Eba+2AqQdAkTh3Bfn+xOr1rT8+ - u5WFOyGS5g1JtN0280yIcrmWeNPp8Q2Nq4wnNgMqDmeEnNFDOsmo1l6NqMC0NtrW - CdxyXj82aXSkRgMQSqw/zk7BmNkDV8VvyOqX/fHWQynnfuYmEco4Pd2UZQgadOW5 - cVMCggEBANGz1fC+QQaangUzsVNOJwg2+CsUFYlAKYA3pRKZPIyMob2CBXk3Oln/ - YqOq6j373kG2AX74EZT07JFn28F27JF3r+zpyS/TYrfZyO1lz/5ZejPtDTmqBiVd - qa2coaPKwCOz64s77A9KSPyvpvyuTfRVa8UoArHcrQsPXMHgEhnFRsbxgmdP582A - kfYfoJBSse6dQtS9ZnREJtyWJlBNIBvsuKwzicuIgtE3oCBcIUZpEa6rBSN7Om2d - ex8ejCcS7qpHeULYspXbm5ZcwE4glKlQbJDTKaJ9mjiMdvuNFUZnv1BdMQ3Tb8zf - Gvfq54FbDuB10XP8JdLrsy9Z6GEsmoE= + MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDQ0b23I1srJZwR + 2MMdvSJK5pcwLfrXU+4gEZEnWNyT8yeVweya+8vmNNOlvK3zxf+ZiY/7aQ0RZJMO + h2+VdlgHmr2QKhQTf1HwfZA/06FolD3/DcS+DMJMSTVr179/XLndeVVZUqU7tjvB + AWKSIS8H2hSF1UOPi9gBDR8MwCP6Qgj8WYhbkt9q47/lO96qAmm6U1F+Q7RYM9ZQ + IWI81N0Ms5wJocg7n6S19iV66ePh7APapZFYup61gFGWfahmA217ELIZd56n8yjO + F0epb9sC0XpYCDRrYKBWLqPiv+6wvdZtZvALItyIv08ZwXlBkFg3LbAAhPnf0Vxz + pYysQmyyyzkgy252n+Sie0kx+B4qm6fOkpfgYlPSVTb2dXx/be/SE08u0a9FO0fZ + pkByWEZJUUwngsJgLUa7MorQf3avxozfC25XqvzbieZfSXlA7mOUclZbC/WUFpyj + MlyJU2eCQ8wSwsPXl91oxcYlOkuVLgd41gr9pGXQSuKIkrgbfkftjg2tDC+7g7O8 + qrdF42FjbZjIx/74AasmsGh4GTQtiSkvEnTstioC6aCV44DlJWbBIMvkyawubjUl + Ppij0H66Y9Q4tEc/ktc7oGQfqqluyLb43TeobTPHALsNeAYb39rMtBo5DDCUc81s + fuDMhMr/oYXKrFstUsg5AY6mJaRG0QIDAQABAoICAF5ZVfmoPOoKzTB3GvmV2iez + dj4rmDmwT1gn98iqasdiRtFwVGJWQHNcDQDGdmY9YNZThD2Y4nGoWpVm9jC2zuFo + thusF3QTw8cARKvCCBzDVhumce1YwHVNYpi+W2TFValOyBRathN7rBXxdUMHQUOv + 8jPh/uudyNP4xL2zFs5dBchW/7g4bT/TdYGyglGYU4L/YEPHfXWYvk1oOAW6O8Ig + aPElKt5drEMW2yplATSzua4RvtEzSMBDIRn43pxxEgdXrNC67nF9+ULc2+Efi/oD + Ad9CncSiXO9zlVK/W655p6e4qd6uOqyCm8/MTegkuub7eplRe8D3zGjoNN4kCQ4S + rckVvIDDb6vZk7PKx9F7GWIqaG/YvFFFKO1MrAZg7SguFA6PtGOYAFocT03P6KXT + l2SnZQWKyxUAlh4tOBGlRFgGCx/krRIKbgNYn/qk/ezcRl8c7GpOPh+b7Icoq7u3 + l4tIVBBHqS8uGgtyi+YwuJeht2MV1aEcSkykKLh2ipp8tb6spORJUkhjawDjvxeQ + GztN30Xh2riTXYZ0HExVTtJa8jyvFyp/97ptPIJXaVt2A2KIS3sBFHKnpY+/OrQg + uUauYgi13WFHsKOxZL9GYGk7Ujd8bw4CEcJFxKY7bhpGVI6Du7NRkUDWN0+0yusI + 2szCJ7+ZqJkrc1+GrI/RAoIBAQDseAEggOLYZkpU2Pht15ZbxjM9ayT2ANq1+RTu + LjJx4gv2/o/XJCfMZCL0b9TJqtYeH+N6G9oDRJ99VIhUPedhWSYdj9Qj+rPd++TS + bp+MoSjmfUfxLTDrmFHL7ppquAE65aDy3B5c+OCb0I4X6CILUf0LynBzgl4kdrzN + U6BG3Mt0RiGPojlPV82B9ZUF/09YAz7BIz9X3KMhze1Gps5OeGuUnc9O2IAJYkrj + ur9H2YlNS4w+IjRLAXSXUqC8bqPZp6WTo1G/rlyAkIRXCGN90uk5JQvXoj9immFO + WaylbdcNG3YcGutreYeZL/UIWF6zCdc6pYG0cCBJS6S/RN7FAoIBAQDiERrLuUbV + 3fx/a8uMeZop6hXtQpF7jlFxqUmza7QSvBuwks4QVJF+qMSiSvKDkCKqZD4qVf4N + TMxEj5vNR0PbnmDshyKJNGVjEauKJSb65CFDUcL1eR/A/oJvxiIdN1Z4cPrpnRux + /zIfPuYfYHpdz52buxxmlD7bfwYmVKVpnzjB9z0I1CasZ5uqB0Z8H0OLyUu8S4ju + RfkKBDMgVl2q96i8ZvX4C1b7XuimIUqv4WHq5+ejcYirgrYtUbBIaDU3/LORcJdy + /K76L1/up70RTDUYYm/HKaRy+vMTpUsZJ7Qbh0hrvQkUvNQ1HXjprW2AePIYi33N + h3mb1ulqw4idAoIBAQCsn0YjVjNDShkFK4bfmLv4rw2Ezoyi0SjYIsb2wN6uaBfX + 7SlQIuKywH8L9f9eYMoCH8FNyLs0G4paUbVb2fzpAc1jUzXINiHL8TCvtXXfkV5s + NBSqqRTHR+CegMZVFZJATpVZ9PptYHmHBY5VQW5o2SdizhudFxRmhg95zIx6boBP + l0q0sfYoR66MKpzpTeG8HFJZZ8O7/iNQcCXAp9B/VEUkrrdBlaaSMyD8cb1lVBZ5 + SKdOTGXkQ2G7feQ86n/OSiYDSvxIc56vc9BIQKVwmuEKiFLGzXh8ILrcGXaBJVgS + B3QHPFeTk5o7Z9j2iJxJEuv9sginkhrfpsrTnhEJAoIBACkrUkTtjd/e2F/gIqaH + crLVZX7a06G7rktTuA9LuvR6e1Rxt8Mzk3eMhprDqVyaQCXlsYiGNoj3hm+p84az + xsDVG/OXPIveFeSv0ByNXYbtSr12w1lu4ICGGP0ACTBm5oFymc83hFarEdas3r2y + FTbGW36D2c04jCXvARCz85fDnlN8kgnskMpu5+NUBdsO2n83fmphGyPBbHQNhb4K + 3G4JQhplab/tWL7YbufqQi67jdh4uS+Duo75c/HW4ZKeH6r9gzomVf5j0/3N6NuO + gpkG1tiE/LQ5ejBSUTgvrvh6yYsF3QN53pB/PuoZXu63Xay62ePsa1GlrVjbD5EY + 4OUCggEAJFr7F7AQLMJTAxHFLCsZZ0ZZ+tXYclBC4eHPkZ6sD5jvL3KIpW3Q7jXk + oIoD/XEX4B+Qe5M3jQJ/Y5ZJETHcgfcHZbDpCKN2WHQgldQbAJiFd4GY1OegdVsr + 7TC8jh3Q2eYjzL8u4z7LSNI6aQSv1eWE7S1Q5j/sX/YYDR4W3CBMeIUpqoDWpn87 + czbIRyA/4L0Y/HLpg/ZCbvtJZbsQwYXhyqfbjlm4BRQ6JiC5uEBKvuDRUXToBJta + JU8XMm+Ae5Ogrw7P6hg68dWpagfjb7UZ7Zxv+VDsbrU6KsDcyGCAwrrRZou/6KUG + Eq4OVTSu/s8gmY94tgbjeOaLUPEPmg== -----END PRIVATE KEY----- ''; ca.cert = builtins.toFile "ca.cert" '' -----BEGIN CERTIFICATE----- - MIIFATCCAumgAwIBAgIJANydi4uFZr0LMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV - BAMMC1NuYWtlb2lsIENBMCAXDTE4MDcxMjAwMjIxNloYDzIxMTgwNjE4MDAyMjE2 - WjAWMRQwEgYDVQQDDAtTbmFrZW9pbCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIP - ADCCAgoCggIBAN91XEL/gfCG7MP2iv0IMO7dMFATmWKskjkpiZ8xm1+B3MSOA7OZ - H0BVKSfatB4KrMzmb5gLM877bLvQV2Tu8M5GLU52Fh9RAhbr9NnbvESPHi3zaP2L - vTnJSpMlkqMxsPzfSB5ciYnpUaM2/9aKxMebAGylYp59hA83rxm9g0KfR3mtgmD2 - 5E5k8kdIjQxiP2IRFYg837GFmhLE3vggsnSsQ5B/HYYcOFOv329lgAWpsAh+Hfl9 - i6VFZqtRJ6Qj6sPFrzcUPyr1wyA4/zgqQt6nZ1FddNtRYSsZQ6kc/nkz0zvCzRFU - 12X09RJsOAKGXvJiUcJ17fbrWr/Manl0xX+3+Ndc1SBG6u9dziBQoqNLhJ9++DRd - Wc+zewyVngk2bJwr2SWAhJWZtMpVyNFEm/wG9rY1BWwn1MivJXRAST3gO5yCwLct - uFB9B2adZVwR3PCtkc2mT1rPmafDjZG69lb0vX1PvGkit0tIdo6KzhUSq5mORYiF - 8jPQNUx5e1gRCbCoUbbdbDS61ymYJbgU++nJizkYA+YZZ+uUzGwsP/t616i3cCF4 - L7npkGhUGcjwUW8hfapyL6B9UO4KO8OZvJL/Q2/Esaq9ILUZQ+ZY/dNHkVvUfxGn - 7f3MkdGYf6phaWFy/qnsWVjb/p31GTDxYpFNIIHvJ5R000+I+imTo3g3AgMBAAGj - UDBOMB0GA1UdDgQWBBQ3vPWzjLmu5krbSpfhBAht9KL3czAfBgNVHSMEGDAWgBQ3 - vPWzjLmu5krbSpfhBAht9KL3czAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUA - A4ICAQDF9HyC1ZFN3Ob+JA9Dj5+Rcobi7JIA5F8uW3Q92LfPoVaUGEkBrwJSiTFX - 47zvP/ySBJIpZ9rzHMbJ+1L+eJgczF1uQ91inthCKo1THTPo5TgBrpJj0YAIunsj - 9eH1tBnfWFYdVIDZoTSiwPtgIvglpyuK/eJXEe+FRzubhtdc9w1Hlzox1sd0TQuy - Pl9KFHg7BlFZfCPig1mkB8pfwjBDgVhv5DKJ9cJXh3R5zSoiyuS2b+qYSvw8YTHq - 0WNKWUthb7BVAYE3OmcbOHgUAUjtJ6EIGIB9z/SoLe90CofXLXFR5dppuVLKCMBA - kgL4luBIu7t8mcnN2yzobvcGHy8RVY6F5abCCy6gackLzjOzvH1SYOxP8yN74aKB - ANgcqdWspb8JYoU8lEbA8dhBVrsgBf7XeJlrZvMdcUENlJ2PI0JWr9WvlRAM9rYY - EY1alJqBCp6530Ggd6/f0V64cEqptejUdmN9L0zboxKjQf4LjpUNraGvg8tw/xkY - 4dT1U2HlVnhOyBVkx/tE6zIK/RU16oMqwpjCdfbK/TuWCNc/emJz5PMlp81zm83+ - dExpWwuV4rt6OQbZ/GSatNLJXOw+pkLjaEhnHgrsgI+HqAUXg3ByKol+1e76wN51 - k1ZKpB6mk4kejySGPYBHiJwED0IyXu9gUfalSczXFO4ySAvhCg== + MIIFDzCCAvegAwIBAgIUU9rbCLTuvaI6gjSsFsJJjfLWIX8wDQYJKoZIhvcNAQEL + BQAwFjEUMBIGA1UEAwwLU25ha2VvaWwgQ0EwIBcNMTkxMDE4MDc1NDEyWhgPMjEx + OTA5MjQwNzU0MTJaMBYxFDASBgNVBAMMC1NuYWtlb2lsIENBMIICIjANBgkqhkiG + 9w0BAQEFAAOCAg8AMIICCgKCAgEA0NG9tyNbKyWcEdjDHb0iSuaXMC3611PuIBGR + J1jck/MnlcHsmvvL5jTTpbyt88X/mYmP+2kNEWSTDodvlXZYB5q9kCoUE39R8H2Q + P9OhaJQ9/w3EvgzCTEk1a9e/f1y53XlVWVKlO7Y7wQFikiEvB9oUhdVDj4vYAQ0f + DMAj+kII/FmIW5LfauO/5TveqgJpulNRfkO0WDPWUCFiPNTdDLOcCaHIO5+ktfYl + eunj4ewD2qWRWLqetYBRln2oZgNtexCyGXeep/MozhdHqW/bAtF6WAg0a2CgVi6j + 4r/usL3WbWbwCyLciL9PGcF5QZBYNy2wAIT539Fcc6WMrEJssss5IMtudp/kontJ + MfgeKpunzpKX4GJT0lU29nV8f23v0hNPLtGvRTtH2aZAclhGSVFMJ4LCYC1GuzKK + 0H92r8aM3wtuV6r824nmX0l5QO5jlHJWWwv1lBacozJciVNngkPMEsLD15fdaMXG + JTpLlS4HeNYK/aRl0EriiJK4G35H7Y4NrQwvu4OzvKq3ReNhY22YyMf++AGrJrBo + eBk0LYkpLxJ07LYqAumgleOA5SVmwSDL5MmsLm41JT6Yo9B+umPUOLRHP5LXO6Bk + H6qpbsi2+N03qG0zxwC7DXgGG9/azLQaOQwwlHPNbH7gzITK/6GFyqxbLVLIOQGO + piWkRtECAwEAAaNTMFEwHQYDVR0OBBYEFAZcEiVphGxBT4OWXbM6lKu96dvbMB8G + A1UdIwQYMBaAFAZcEiVphGxBT4OWXbM6lKu96dvbMA8GA1UdEwEB/wQFMAMBAf8w + DQYJKoZIhvcNAQELBQADggIBAGJ5Jnxq1IQ++IRYxCE7r7BqzzF+HTx0EWKkSOmt + eSPqeOdhC26hJlclgGZXAF/Xosmn8vkSQMHhj/jr4HI0VF9IyvDUJm8AKsnOgu/7 + DUey3lEUdOtJpTG9NyTOcrzxToMJ+hWlFLZKxx2dk4FLIvTLjmo1VHM97Bat7XYW + IrL9RRIZ25V+eCYtlR7XYjceGFQ0rCdp8SFIQwC6C/AH2tV3b1AJFsND9PcoLu7c + //fH+WUQCcD/N0grdC/QCX7AFWzd4rKQ8gjfND4TSYFTSDwW10Mud4kAVhY2P1sY + Y3ZpnxWrCHbIZMbszlbMyD+cjsCBnNvOtYGm7pDut/371rllVcB/uOWYWMCtKPoj + 0elPrwNMrK+P+wceNBCRQO+9gwzB589F2morFTtsob/qtpAygW8Sfl8M+iLWXeYS + c3LBLnj0TpgXKRWg7wgIWKSZx9v6pgy70U0qvkjNS1XseUCPf7hfAbxT3xF+37Dw + zZRwF4WAWqdnJoOey21mgc+a2DQzqtykA6KfHgCqNFfDbQXPXvNy25DDThbk+paX + G2M2EWtr+Nv9s/zm7Xv/pOXlgMFavaj+ikqZ4wfJf6c/sMOdZJtMA4TsYtAJgbc8 + ts+0eymTq4v5S8/fW51Lbjw6hc1Kcm8k7NbHSi9sEjBfxFLTZNQ5eb4NGr9Od3sU + kgwJ -----END CERTIFICATE----- ''; - "acme-v01.api.letsencrypt.org".key = builtins.toFile "acme-v01.api.letsencrypt.org.key" '' + "acme-v02.api.letsencrypt.org".key = builtins.toFile "acme-v02.api.letsencrypt.org.key" '' -----BEGIN RSA PRIVATE KEY----- - MIIJKQIBAAKCAgEAvG+sL4q0VkgSClBTn4NkPiUrtXx5oLyZ+CCM1jrQx/xotUt5 - X2S4/7vMnAK/yRLsR7R2PhXO8CZPqJ7B6OfAgaDTgvipJkZYPZQSMP3KOinM3WJL - ssqKh7/HOxZIf0iyUXewrnX5eTAo/CLsUnhBjBD7E99nmQz/leLWSl82sSYDkO3n - Uk3/1qJZA8iddb4uH0IEQWcNKev3WoQQzwiVrXBiftlRQOJy5JJXm5m8229MCpMA - 1AUWmpdu6sl3/gFFdsDhUFq/a7LFrVyaUCMRIHg9szAB7ZFkixr9umQs8jKwuo98 - 3JHB11h2SirwgfIzHHmyhaWhCt22ucTwEXGhq63LtrzZvLsfP8Ql5S+AuqGTH0v8 - meuc784leAjulBZjkpuIFwDnVv9+YeUEbqJeo1hSHrILddora3nkH4E2dJWmLpqp - iPr++GRi+BNgYKW/BQLTJ7C6v+vUs+kdPgYJH5z7oP6f0YZkT0Wkubp/UEz7UV2d - fjz57d77DYx5rFWGYzJriWR/xltgL1zDpjwjwG1FDpRqwlyYbBFpjQhxI+X0aT98 - m6fCzBDQHDb/+JgvsjTHh6OZatahFAwzFIEfrceDv1BG8sBWIaZGhLzYiWQxafl8 - oXbWv1T6I1jpsTlCdCSkWzaJb4ZjxI9Ga1ynVu8F16+GR2a71wKWu7UbZQsCAwEA - AQKCAgBYvrs4FLoD3KNqahRIDqhaQEVKjtn1Yn2dBy9tAXwsg2qI34fE7nnWLwsY - +o56U0gmKQ57BOhV36Uqg8JNP0BBjI2wpA19simCrsa2fgAMznzmUpHWHV+KuT5K - TJ9OGt2oUpdKQtOASLc0r/neiTZNkf29iTyQLzf7zj4f/qGSYpXRXsnP0F5KJmGH - z6agujWckQnSB4eCk9gFsCb+akubyE8K8Kw8w6lajrVl2czBB7SnUj5UnCTeH62k - M8goP08Is6QppON8BFDm6bLfRPSe9yIPzu9JhGz2unp+mwkz872Zz1P9yUOieM4U - 9g4ZFQkPQx1ZpfynUm3pJZ/uhzadBabnIvMe/1qwDAEDifh/WzEM76/2kBpQkHtS - qcjwjAElfWnP8aBr1Pj42/cVJy3dbDqb0OawFHx/8xSO2CkY4Gq2h3OYv1XpPv3g - S9qqKhvuaT+aD0YjKhP4FYc2vvQSJwdZL8vqOyma8JGmc+r7jakIPCyOx3oPVqnS - L2P7DuJ1FcGIZyYOU3UUSzKndDU9fVC8YoLWvHDlwm4RK9UPtdsBY8mEu6BlaAwL - zEQG+fbcFnEkHPiJeAohYUCHiqCihLt0pqGwZi+QrudPQE6C47YijGZWJu4VVLjB - B2L9iDQKsN4FnBJ9egJIwWBLX3XXQfjC43UGm1A5sBvD+ScsCQKCAQEA7GxU7/SW - 4YJ+wBXrp7Z3vzlc5mTT5U4L2muWZLhIjT/jmpHpZ4c9a5DY/K9OYcu8XJ+7kx2B - N40cU3ZkT2ZbB5/BUCEmi3Wzy3R/KZshHDzvvSZHcXJqVBtv+HGJgR5ssFqAw8c6 - gJtDls+JE9Sz+nhLk0ZZ4658vbTQfG1lmtzrbC3Kz2xK8RPTdOU5Or7fayeaEKEW - ECBJPE41ME2UTdB/E85vyYoee0MBijjAs19QKqvoNbyrsZ5bihcIDYsrvjCmkdW1 - 20IUrSF3ZYJ9bb+CxHeRyNqwvRxPYSkzdMjZHx+xEAvJgw51QqmIi2QQf/qB+ych - cSbE/0Jhx4QbDQKCAQEAzAoenEOgmZvUegFUu8C6gWeibMjl3Y9SikQ4CoQO/zWr - aoCr5BpbzbtOffwnPfgk9wCGvXf6smOdrLUP1K2QAhBr/vJh7ih2MonvpYr5HPP7 - maVARR66IgtxXP2ER2I9+9p2OQdecGRP2fUn2KCDQIASHSSY/VjBb8LLJgryC/DS - r2b0+m1e2qXfNWt/BYTQZhD/8B/jl/2pl/jI2ne3rkeiwEm7lqZaDt3Q8gC+qoP5 - /IdG1Gob7UTMCbICWy1aGuzRYUmbpg0Vq4DAV1RtgBySB5oNq5PMBHYpOxedM2nM - NxHvf0u6wsxVULwQ4IfWUqUTspjxDmIgogSzmOGadwKCAQEA558if4tynjBImUtg - egirvG4oc5doeQhDWJN63eYlPizPgUleD41RQSbBTp04/1qoiV38WJ7ZT2Ex1Rry - H0+58vgyXZx8tLh1kufpBQv0HkQc44SzDZP4U7olspMZEaSK+yNPb36p9AEo8IEW - XJVQVhywffK4cfUqRHj2oFBU8KlrA6rBPQFtUk4IJkfED6ecHtDHgW8vvFDFLw23 - 0kDPAIU5WmAu6JYmUsBMq+v57kF8urF8Z9kVpIfuSpVR0GL+UfA74DgtWEefFhbp - cEutMm4jYPN7ofmOmVc49Yl13f4/qNxVjdDedUUe4FZTbax09cyotzOY8c/3w9R3 - Ew57qQKCAQAa5jqi30eM+L5KV2KUXhQ4ezEupk2np/15vQSmXkKb4rd2kwAWUmNH - /Cmc8mE6CjzVU3xv/iFO41MmMbikkT0rCH80XUAL5cmvX//4ExpEduX0m5SdiC+B - zYBkggeuYYVKbsKnQhFxP8hHM8rNBFxJZJj+vpRs0gaudT/TBB5k9JrSBQDHAyQ+ - Lx/+Ku3UDG5tBlC3l3ypzQdOwb25D49nqooKT64rbkLxMs0ZGoAIet26LRtpZZPI - 9AjyPkWRP6lhY1c3PD0I5zC0K4Uv/jFxclLOLcEfnZyH+gv1fmd7H7eMixDH93Pn - uoiE3EZdU4st2hV+tisRel5S/cuvnA6BAoIBAQDJISK8H0hwYp+J4/WUv/WLtrm4 - Mhmn8ItdEPAyCljycU6oLHJy4fgmmfRHeoO1i3jb87ks2GghegFBbJNzugfoGxIM - dLWIV+uFXWs24fMJ/J6lqN1JtAj7HjvqkXp061X+MdIJ0DsACygzFfJOjv+Ij77Q - Q1OBTSPfb0EWFNOuIJr9i2TwdN9eW/2ZMo1bPuwe4ttPEIBssfIC02dn2KD1RTqM - 1l+L97vVFk7CoSJZf5rLeysLVyUeGdDcoEcRA6fKhfB/55h+iqrZNvySX1HrR6on - PQcxDRPJD7f9rMsTzVl3DOxzvXAU3lIcZtPZps97IwXceAAh2e1kZNNv/cxj + MIIJKQIBAAKCAgEApny0WhfDwEXe6WDTCw8qBuMAPDr88pj6kbhQWfzAW2c0TggJ + Etjs9dktENeTpSl14nnLVMiSYIJPYY3KbOIFQH1qDaOuQ7NaOhj9CdMTm5r9bl+C + YAyqLIMQ9AAZDhUcQjOy3moiL7ClFHlkFYuEzZBO9DF7hJpfUFIs0Idg50mNoZh/ + K/fb4P2skNjfCjjomTRUmZHxT6G00ImSTtSaYbN/WHut1xXwJvOoT1nlEA/PghKm + JJ9ZuRMSddUJmjL+sT09L8LVkK8CKeHi4r58DHM0D0u8owIFV9qsXd5UvZHaNgvQ + 4OAWGukMX+TxRuqkUZkaj84vnNL+ttEMl4jedw0ImzNtCOYehDyTPRkfng5PLWMS + vWbwyP8jDd2578mSbx5BF7ypYX366+vknjIFyZ5WezcC1pscIHxLoEwuhuf+knN+ + kFkLOHeYbqQrU6mxSnu9q0hnNvGUkTP0a/1aLOGRfQ5C/pxpE/Rebi8qfM/OJFd4 + mSxGL93JUTXWAItiIeBnQpIne65/Ska9dWynOEfIb0okdet3kfmNHz3zc17dZ5g4 + AdOSCgHAlQgFt/Qd8W6xXUe4C5Mfv2ctxRrfQhDwtB6rMByPwzImnciC2h3vCwD3 + vS/vjUyWICyhZyi2LZDUQz+sCKBXCYYcYh8ThFO40j5x1OnYMq7XQvyl8QkCAwEA + AQKCAgBSAfdssWwRF9m3p6QNPIj9H3AMOxpB/azffqTFzsSJwYp4LWkayZPfffy+ + 4RGvN38D8e6ActP3ifjEGu3tOGBR5fUJhujeHEiDea+a2Ug9S9kuNwmnelWQ23bM + Wgf9cdSbn4+qEymHyEFolmsAWdsuzri1fHJVXR06GWBNz4GiLA8B3HY4GD1M1Gfe + aZVkGagpXyeVBdiR2xuP5VQWVI8/NQWzdiipW/sRlNABVkyI3uDeN4VzYLL3gTeE + p021kQz4DSxIjHZacHpmWwhBnIbKMy0fo7TlrqcnIWXqTwv63Q9Zs/RN8NOyqb0Y + t1NKFWafcwUsdOnrG9uv/cVwF1FNE8puydaOi8rL1zAeK89JH8NRQ02wohR9w8qy + b2tB6DyGMtuqBt8Il6GA16ZoEuaXeayvlsvDEmG1cS9ZwBvfgrVPAmlm2AYdIf5B + RHIJu4BJC6Nn2ehVLqxx1QDhog3SOnAsCmcfg5g/fCwxcVMLIhODFoiKYGeMitDG + Q4e5JKcOg+RR8PT/n4eY4rUDBGtsR+Nw8S2DWgXmSufyfDtKCjZB4IuLWPS29tNh + zF6iYfoiTWzrSs/yqPSKIFpv+PWZwkKSvjdxia6lSBYYEON4W2QICEtiEs+SvcG4 + 0eIqWM+rRmPnJyMfGqX6GCs3rHDQB2VNJPBCYPQalJ/KwZumAQKCAQEA0ezM6qPJ + 1JM/fddgeQ50h0T9TRXVUTCISxXza+l4NuFt1NdqUOdHsGtbL1JR4GaQUG8qD1/P + R39YgnQEQimxpmYLCZkobkwPxTZm9oiMXpcJrlN4PB5evaWShRSv3mgigpt3Wzml + Td+2R9RoA/hvF/wEyIvaWznYOyugBC7GXs20dNnZDULhUapeQu7r6JvgmxBOby7S + 0FbhGplBiSDETzZURqzH/GMJKaJtNgyyVf3Hbg4mZAQDWoBRr+8HxsNbDkxP6e91 + QrPHy2VZFiaTmJfoxRhyMTn7/JZaLJaUHDOniOsdMj/V7vMCgpfBqh5vR8bKzuPy + ZINggpcFPp1IYQKCAQEAywc7AQoktMBCru/3vzBqUveXbR3RKzNyZCTH5CMm3UNH + zmblFgqF2nxzNil21GqAXzSwZk5FyHbkeD3yvEZm+bXzsZTDNokAwoiTgyrr2tf8 + GLMlCHHl5euIh1xHuyg/oKajVGOoXUXK8piqiDpQKd3Zwc6u2oyQlh+gYTPKh+7i + ilipkYawoE6teb6JUGpvU+d27INgNhB2oDEXY3pG2PbV+wv229ykSZxh1sJUdDwT + a8eTg+3pCGXtOZiJoQTFwKUlD2WYTGqS4Gx6dIJco5k+ZikGNST1JGE64Jl4MZdI + rtyvpcYblh5Q14sJGvp4kWYS9tjEM8pA+4Z9th3JqQKCAQEAkidH0+UM1A9gmQCm + jiHeR39ky5Jz3f7oJT63J15479yrVxBTWNhtNQrJhXzOvGkr+JQsuF+ANMsYmFql + zFqy8KMC9D/JwmD6adeif+o5sHF/r/s1LsYGOAtao4TvnOzrefs7ciwERt+GTSQ4 + 9uq0jgJMYkPcVr9DKI8K7V6ThdW52dECKRVzQiRXVEp7vIsqKUuFECuNYrfaKWai + FhLWGkA9FKee5L0e1/naB1N3ph72Bk2btO6GVzAXr2HADEZe0umWiczJ2xLH+3go + Oh/JiufYi8ClYFh6dDVJutlrbOcZsV3gCegfzikqijmWABcIavSgpsJVNF2zh7gV + Uq62gQKCAQAdO2FHeQpn6/at8WceY/4rC/MFhvGC4tlpidIuCtGhsfo4wZ/iWImF + N73u4nF1jBAHpTJwyHxLrLKgjWrRqOFSutvniZ/BzmAJolh63kcvL0Hg3IpMePm8 + 7PivZJ3/WIAwxU1m7SJkq5PY8ho7mwnHvWWI/hU26l42/z68QBS9FawQd0uS5G2x + 5yIbEU/8ABcfYYhB7XiA0EYEMo1HiWeB/ag5iTN13ILbBmUf4sL+KVgygH3A1RRk + XSiWzluij2lZn22ClgIjnoSfQ38uH0bvVzUgyG9YX4XcQxOTGwWvPjT82FGB8NAw + ARVqs14QQFfzt1qrp/I38rsAfBDFk+xhAoIBAQCEKNk/oJcy9t/jMIbLcn6z3aCc + Fn8GBPSXtFj0t6weN5lHof+cggw4owMFWQQyAXxo/K6NnKNydMPZ5qjtLsHNpbpQ + aT1Or0/1YR1bJ8Lo82B4QM++7F761GWQPvE/tyrfPkfkWl92ITIpmnlw4wycRlkq + 9anI2fnj1nIZwixzE2peb6PcsZU2HOs9uZ5RRd9wia696I7IpNibs4O4J2WTm4va + +NeYif3V2g9qwgT0Va0c9/Jlg3b58R0vA8j/VCU5I0TyXpkB3Xapx+pvEdZ3viUL + mXZaVotmWjgBXGDtd2VQg2ZiAMXHn3RzXSgV4Z+A/XacRs75h9bNw0ZJYrz1 -----END RSA PRIVATE KEY----- ''; - "acme-v01.api.letsencrypt.org".cert = builtins.toFile "acme-v01.api.letsencrypt.org.cert" '' + "acme-v02.api.letsencrypt.org".cert = builtins.toFile "acme-v02.api.letsencrypt.org.cert" '' -----BEGIN CERTIFICATE----- MIIEtDCCApwCAgKaMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNVBAMMC1NuYWtlb2ls - IENBMCAXDTE4MDcxMjAwMjIxN1oYDzIxMTgwNjE4MDAyMjE3WjAnMSUwIwYDVQQD - DBxhY21lLXYwMS5hcGkubGV0c2VuY3J5cHQub3JnMIICIjANBgkqhkiG9w0BAQEF - AAOCAg8AMIICCgKCAgEAvG+sL4q0VkgSClBTn4NkPiUrtXx5oLyZ+CCM1jrQx/xo - tUt5X2S4/7vMnAK/yRLsR7R2PhXO8CZPqJ7B6OfAgaDTgvipJkZYPZQSMP3KOinM - 3WJLssqKh7/HOxZIf0iyUXewrnX5eTAo/CLsUnhBjBD7E99nmQz/leLWSl82sSYD - kO3nUk3/1qJZA8iddb4uH0IEQWcNKev3WoQQzwiVrXBiftlRQOJy5JJXm5m8229M - CpMA1AUWmpdu6sl3/gFFdsDhUFq/a7LFrVyaUCMRIHg9szAB7ZFkixr9umQs8jKw - uo983JHB11h2SirwgfIzHHmyhaWhCt22ucTwEXGhq63LtrzZvLsfP8Ql5S+AuqGT - H0v8meuc784leAjulBZjkpuIFwDnVv9+YeUEbqJeo1hSHrILddora3nkH4E2dJWm - LpqpiPr++GRi+BNgYKW/BQLTJ7C6v+vUs+kdPgYJH5z7oP6f0YZkT0Wkubp/UEz7 - UV2dfjz57d77DYx5rFWGYzJriWR/xltgL1zDpjwjwG1FDpRqwlyYbBFpjQhxI+X0 - aT98m6fCzBDQHDb/+JgvsjTHh6OZatahFAwzFIEfrceDv1BG8sBWIaZGhLzYiWQx - afl8oXbWv1T6I1jpsTlCdCSkWzaJb4ZjxI9Ga1ynVu8F16+GR2a71wKWu7UbZQsC - AwEAATANBgkqhkiG9w0BAQsFAAOCAgEAzeGlFMz1Bo+bbpZDQ60HLdw7qDp3SPJi - x5LYG860yzbh9ghvyc59MIm5E6vB140LRJAs+Xo6VdVSTC4jUA2kI9k1BQsbZKds - XT0RqA7HkqcLS3t3JWFkkKbCshMGZTSZ//hpbaUG1qEAfUfmZw1lAxqSa0kqavbP - awf7k8qHbqcj7WORCdH7fjKAjntEQwIpl1GEkAdCSghOJz2/o9aWmiGZt27OM/sG - MLSrcmL3QBElCjOxg14P8rnsmZ+VEp6MO93otoJ4dJL7fN7vTIh5ThbS384at/4l - 4KK/y7XctUzAtWzhnodjk/NSgrrGX2kseOGOWEM1sZc9xtinHH2tpOMqtLVOkgHD - Lul+TArqgqeoOdEM/9OL64kgOrO/JzxBq+egLUi4wgAul2wmtecKZK1dkwYZHeqW - 74i55yeBp+TTomnPr0ZBns6xKFYldJVzC34OB+2YVDxe8y9XtWtuQOxFw0LQHhNb - zy5aBverWzZFwiIIjJoVHTQq848uKBJec0YILfMinS1Wjif4xqW/IMfi+GFS0oka - sKCGNE/8ur9u/Jm6cbto3f2dtV8/vkhiITQgwzM2jalyuVJ9jyPxG7EvbTvZORgw - pRvBRTd4/eE7I1L+UDe6x8EjR/MrqfF9FWVGOZo4vPTyNbrSWYBh6s9kYy56ds1l - IRxst1BXEfI= + IENBMCAXDTE5MTAxODA3NTQxM1oYDzIxMTkwOTI0MDc1NDEzWjAnMSUwIwYDVQQD + DBxhY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnMIICIjANBgkqhkiG9w0BAQEF + AAOCAg8AMIICCgKCAgEApny0WhfDwEXe6WDTCw8qBuMAPDr88pj6kbhQWfzAW2c0 + TggJEtjs9dktENeTpSl14nnLVMiSYIJPYY3KbOIFQH1qDaOuQ7NaOhj9CdMTm5r9 + bl+CYAyqLIMQ9AAZDhUcQjOy3moiL7ClFHlkFYuEzZBO9DF7hJpfUFIs0Idg50mN + oZh/K/fb4P2skNjfCjjomTRUmZHxT6G00ImSTtSaYbN/WHut1xXwJvOoT1nlEA/P + ghKmJJ9ZuRMSddUJmjL+sT09L8LVkK8CKeHi4r58DHM0D0u8owIFV9qsXd5UvZHa + NgvQ4OAWGukMX+TxRuqkUZkaj84vnNL+ttEMl4jedw0ImzNtCOYehDyTPRkfng5P + LWMSvWbwyP8jDd2578mSbx5BF7ypYX366+vknjIFyZ5WezcC1pscIHxLoEwuhuf+ + knN+kFkLOHeYbqQrU6mxSnu9q0hnNvGUkTP0a/1aLOGRfQ5C/pxpE/Rebi8qfM/O + JFd4mSxGL93JUTXWAItiIeBnQpIne65/Ska9dWynOEfIb0okdet3kfmNHz3zc17d + Z5g4AdOSCgHAlQgFt/Qd8W6xXUe4C5Mfv2ctxRrfQhDwtB6rMByPwzImnciC2h3v + CwD3vS/vjUyWICyhZyi2LZDUQz+sCKBXCYYcYh8ThFO40j5x1OnYMq7XQvyl8QkC + AwEAATANBgkqhkiG9w0BAQsFAAOCAgEAkx0GLPuCvKSLTHxVLh5tP4jxSGG/zN37 + PeZLu3QJTdRdRc8bgeOGXAVEVFbqOLTNTsuY1mvpiv2V6wxR6nns+PIHeLY/UOdc + mOreKPtMU2dWPp3ybec2Jwii6PhAXZJ26AKintmug1psMw7662crR3SCnn85/CvW + 192vhr5gM1PqLBIlbsX0tAqxAwBe1YkxBb9vCq8NVghJlKme49xnwGULMTGs15MW + hIPx6sW93zwrGiTsDImH49ILGF+NcX1AgAq90nG0j/l5zhDgXGJglX+K1xP99X1R + de3I4uoufPa5q+Pjmhy7muL+o4Qt0D0Vm86RqqjTkNPsr7gAJtt66A7TJrYiIoKn + GTIBsgM6egeFLLYQsT0ap/59HJismO2Pjx4Jk/jHOkC8TJsXQNRq1Km76VMBnuc0 + 2CMoD9pb38GjUUH94D4hJK4Ls/gJMF3ftKUyR8Sr/LjE6qU6Yj+ZpeEQP4kW9ANq + Lv9KSNDQQpRTL4LwGLTGomksLTQEekge7/q4J2TQRZNYJ/mxnrBKRcv9EAMgBMXq + Q+7GHtKDv9tJVlMfG/MRD3CMuuSRiT3OVbvMMkFzsPkqxYAP1CqE/JGvh67TzKI+ + MUfXKehA6TKuxrTVqCtoFIfGaqA9IWyoRTtugYq/xssB9ESeEYGeaM1A9Yueqz+h + KkBZO00jHSE= -----END CERTIFICATE----- ''; "letsencrypt.org".key = builtins.toFile "letsencrypt.org.key" '' -----BEGIN RSA PRIVATE KEY----- - MIIJKAIBAAKCAgEAwPvhlwemgPi6919sSD7Pz6l6CRfU1G/fDc0AvsMN/nTmiGND - pqn9ef1CA+RtLtOuPc1LLyEovcfu75/V+6KSgO4k19E2CrFCFwjEOWDGF4DgclT3 - 751WGmFJgzPEfZfhbOrmQfQau86KxAtNZVp9FxcKbuLyQ/sNNxfNMB+7IHbVhwvz - VcndHpYZEP6kdnwvNLP22bouX5q3avxWStln01uZ0BfUm4XwxaUNIU7t0Dv56FK9 - C9hW9AZae0do0BJBWRF7xSwLeDJqn9uZz+sX0X/tIaaSQSBuZySj0He5ZKzdUO0t - px2xTS2Brl3Y2BOJaOE98HubWvdKoslLt4X2rVrMxGa86SmFzcyDL1RSowcP/ruy - y555l7pepL5s4cmMgRBBXj5tXhqUTVOn5WO+JClLk+rtvtAT4rogJmMqEKmMw2t7 - LNy1W9ri/378QG/i3AGaLIL/7GsPbuRO51Sdti4QMVe2zNFze72mzNmj1SXokWy7 - +ZvjUMp55oEjRRsTPUZdNOEHJWy6Os2znuqL7ZpIHCxBG8FKnkCViXRJqAA8bzcE - hR+pLamLIOHlv4kdzJ6phHkSvK68qvbRReUmOjJgSupVBI9jhK+fHay/UWR4zfJQ - ed99H8ZOoiXlrLCVs+VPDynUUKrzF1nYyolNzi/NS4e4AbnfWgyC5JKRpjUCAwEA - AQKCAgB0fNYL+zM3MGxy+2d6KGf6GnuuV3NBlBGY3ACyJT0iNmAdPYXNaVi2tPeP - L+fz1xSa+3uBhEt6Wt/QRrO8g8JZDuawWvl69MpG6yS+2bpY35MbkExkl50sqULd - bncRtIb+3r+EWht099RtR8E9B6TwNhk3G8hO3pB4i+ZwQQcMLo7vSHhmdUYCu2mA - B6UwW/+GmYbMoARz8wj6DDzuS1LPksBCis/r3KqcMue9Dk6gXkOYR7ETIFBEVj1x - ooYS6qIFaHdEajS2JgCUY9LxXR/wdn6lzE0GANSDb+tt34bJzUp+Gdxvvo2SX4Ci - xsUokIpmA2gG7CW3gAPORSFuMu/VYZtvt+owNYlODXRPuGi/eLDknFRB/S4Nx0J0 - WZZq5uTgJdQainyKYtDZALia5X4cc5I2hNetCorG9jNZIsSunbIAG+htx2FI3eqK - jwOUiHE8SCZ6YdXoDQjg2w+g8jeB23eqkPyzunpZphYiKay7VFeLwQEMC2a791ln - +MbHhhpRAc1uAoU2reB2fxKyaPlOfAWVMgUOGlgpVOuEVeMoc1CwjajaFztGG7fI - 8EHNoyAftCdXnTaLZk2KZnnIDHHzFXR62TE1GJFD1fdI1pHAloCbgA4h+Dtwm1Uu - iAEEfvVU/E5wbtAzv6pY32+OKX5kyHAbM5/e918B8ZxmHG1J9QKCAQEA6FwxsRG3 - 526NnZak540yboht5kV12BNBChjmARv/XgZ7o1VsfwjaosErMvasUBcHDEYOC/oE - ZgPAyrMVsYm0xe/5FSIFLJVeYXTr0rmCNhVtBCHx3IS94BCXreNnz0qoEWnb5E09 - Z1O42D0yGcLXklg6QaJfb7EdHh03F3dSVMHyDR3JlAQHRINeuP6LlQpbvRD3adH5 - QWr2M3k+Stuq2OJdG7eUS1dreCxRShLuDjDhiZekdl/TB3LM0prOaWrKBrryN2g6 - mjiasH6I5zRD3LQP5zg57Thb8afHqA4Fb85Frt6ltfFlPTIoxXZ5drVhmRWfXXnQ - POnj8T+w4zVjvwKCAQEA1J4ivyFkCL0JTSY3/PtwAQvBBj3GazzU6P+urWeH74Vh - WK17Ae40iOUHGyy80Db/fVY4VLQTpxvAeG91Gj5Nd/AucXJgOrisabcEz6N/xUs5 - sjJNgXuNKTAgjYBu0bqLXxgZj43zT8JhA6KW7RuYU0PtHMRragz4RbK9NWDaVvJb - xSR5QoVLS00PerUa0SfupEYKCrlSTP6FOM5YNkCuSMt7X6/m9cR0WwVINKvUQBiT - ObrN+KeBmF9awpQQnQOq/GbCl3kf6VyPQqYFhdrWSg52w33c2tBVYrtHJpeXGcin - akw4KKcj4rdU2qxMuuRiD5paagshbLdGsYMTbSzjCwKCAQEAh89DGAyUIcfDLAWd - st0bSfGh0oJsw3NVg3JUFPfpRWqiny/Rr1pcd95RwoLc6h7bdrgHg8aJBZtR9ue/ - WTp0l3CQdGKjBZD0TiAJqevViIjzZAP3Gn3XgPwRu4f75/Pp0eu+o2zl49vSYUk7 - XEU+vIGm4y/leiHaM/y9c5DBZVrKgBIV/NZx7QCfv56/tMgOIK6m/YnFlw/OgP1v - hE9qR0PfSdD98x9QaDf290WjMFYvrL0eWjXd4S+fOcVTude55z8jTXE1N2i4OUpr - +D7bH0d7OBjr+pQDYXZAQyCW2ueEYRYvYu2Jz7/ehrOdgN25AsHZmMgXB1NpcFta - pyJQfwKCAQByoPMwworRH0GVg4Zp8RFYrwKZH9MK29gZ6kc9m/Sw0OND0PvhdZCD - QZ8MKpl9VDl4VHS4TgHOdWrWQ5kJ1g8kG6yeY0C4R/pEYHTKkWaAcucfSHl61qar - TxQt1dFpZz5evXqCZ9CG7tApCo5+NQNx2MxMVyVmHqn3wb66uYXdnHqXlet+Tqji - ZyByUpOrsfC6RjyBvZo+gnZGwxDR5xtPiczxML+/PvRQYk+kfgNHrzgoxqrnZT+8 - a6ReBT/TtzeHLsu4qIfo44slLqcJnIstkBC9ouzgV7PBMCDTEKVZNFH2QDOCz2HM - iHTKFFyl4h1wNhKK24dguor1hyqBENMzAoIBAAQvQHwRWIVlfCMRI170Ls8AXB9Z - MMdZJ37bh6kmJpkV3+HB1ZkKwofHKR9h/3xLt5iYXzqT+/zA4EAsFFs1A93+tkzh - yPrN5iTSJicophZSlA4ObX1hMkgshvl7ZB1fRM5WyiszBOfm8W7eAxaK8nY2oAoP - tI7rioo6CFBNMCGbOl4gEX6YJ4OsVSm+efCRSDDw+3HW8H2YgqufBzAULk1Jcj5t - ZvraXpC5qZ92VtsH0cGA1ovNDAmoOV4AAvtZVpLQsXwaphad/Fbn/ItGrrluvvFC - HuldRzYtl/AQtoirK86LTY3aAmcwVFuiYvDQMzjzkJvVMmRCFZBcUIaz2oI= + MIIJKgIBAAKCAgEA9dpdPEyzD3/BBds7tA/51s+WmLFyWuFrq4yMd2R+vi5gvK7n + lLNVKhYgiTmK2Um+UEpGucJqZHcTSZA1Bz4S/8ND/AI9I6EmwvBinY5/PubxEALk + 9YiDA+IzH8ZGFM8wXg7fMbbJAsyv+SHAtr2jmCsggrpuD5fgzs2p+F2q0+oVoeFw + MAOUdAf2jNtNLEj2Q6MiR5Xq+wFOcRtXlNlXWIX3NrmubO/xOpDNpsyjyYC5Ld+W + 06MS5bTHSdv56AkUg2PugMChj15TOddEJIK8zPXFTlMYye9SKwjhNUZovfe4xXCa + Tj2nmzrcuMKLz+S3sKQeTWjiRcY3w4zTlAbhtGXDjXjhMObrHoWM8e3cTL4NJMvt + tNStXficxbeTbIiYu+7dtF0q+iWaZqexc6PdAaIpFZ0XSw+i5iLdQZmBwzY7NLlH + pQupfh6ze0qDUVZAMDubo4JKUTBzH6QTuhHx+uUm7Lc8YdNArn7o/vMZDQym1Eia + xKxZuCGaqFvq8ZK4nBVsHfcXbhF/XD2HMid3t7ImbREVu9qnc+En+acU/SJaaL3r + jMW6HLVMr6+vQrCzYkvLzKYpoUm9D1Kcn6d8Ofxl2iCaY9CkMr5/6J1p1wcTdcN7 + IVQ/DFBeTDauyWbyZkO/lPoZoakWyXOx9S9tgClzhFmNgRkZv9wN+QguNDcCAwEA + AQKCAgEA0ndlacGfaJ1NeN39dmBW2XZMzdrassJXkjx34528gsLhPaXdyobbWXQn + 1lHUc7+VlNaBRXUR73+gm1FAlDqnuRxIjuy7ukyzCh8PzSG3/PlnVPWlXCzJPAHh + EkqCpD3agirpF34LBsKDwxsKB2bBLft9kWxX3DGA2olmAKDvJQs4CaUcjX4DEHHg + tyTmJAsyByUYq3/D8a1koZ9ukpadF8NXpxm+ILQoJqLf6vM1I8N2w7atP/BStSLV + mH0gq2tajEB4ZPCDXmC5jsKiKz9gsXWUu0CX8AdYqE6pvRnRgQ8Ytq1265QMb+8s + FV82oXqDZkyZRFuNmX3fLyDX39kkTcVS37S56Gzk4EzDWE/u2RXCAPeWla2zUFYI + hg8X4ZAwbZRODtK2cZTuCZEILM/iKmtSgHC+aQhp18EUAefa7WGrRD4AvbTxH4VF + ek60bwISBk5Mhf39MwqIiQxGOFmfLsQReZvzH4jI5zfDXf/0yZ/1SdGeu6+Walt0 + V81Ua/DB6zshHpeSP74HMuJHZ4DOQfcV/ndyzvoP84pAjenSx6O034OwQTkpoMI/ + f/2rK8kdzYSL4f//kFMuRLqmAwOmAFYB2oMo0/YaIoQ4vgTHDKTSxj5mbno56GdT + huMAVMKskaCSVbyMB/xyQG7senLItVv+HafVk6ChMUbkIjv9zgECggEBAP+ux1RG + cETGjK2U3CRoHGxR7FwaX6hkSokG+aFdVLer+WUrZmR8Ccvh2ALpm8K1G6TTk/5X + ZeVX4+1VFYDeTHMN8g20usS5mw3v2GF3fGxGLe4q56l4/4kKMZOrSBuWH4niiIKD + 0QogdzWkpQJ93nMbZxZ5lk+lRZVf3qSm6nzyP468ndrfI57Ov5OUIWZ7KhTUH9IK + 8/urUk+lEvyzQmNTlt5ZZXRz7cR01K8chx1zevVAyynzSuGjTysaBN7LTT0v3yVu + 96yKNsxJvuIz2+4qSjhbnN4jH+feN0VsdF3+Qkru0lBmLVgJl4X67XFaAKMDU9yv + 3alS53Pkol+Dy1cCggEBAPYodofHC1ydoOmCvUAq4oJNtyI4iIOY/ch3sxVhkNyi + KBscQqbay/DiXFiNl+NsemzB1PrHzvCaqKcBKw537XzeKqUgYuVLkFGubf9bDhXi + wSRcYbU/oNTgiTgXPW8wH60uIoLaiNi1/YjO2zh4GEY/kFqSuD54Y91iFmcC75bv + OjCNugnRdpRjOFhaeNx75tdverR37w3APVZuBSv3bJlMPCtaf+fEAKxJxeqCs3Oq + rtsw2TQ4TqfE8/w9qPCVv3bQbMbO48SwjxAz47qH2h3qGu3Ov8badeARe+Ou7nuI + U13gPuPOhPXIQP/MYOyamPJdFyng1b8vyNsfjOcWMiECggEAEkMgl6NkV3U7DRbp + 1mvdQ9tiH33+wR9Qt5LY966b43aUHKbJ7Hlzla1u6V5YMsMO02oNUwhZDdWGQShn + ncnC+iDP3iy/flenfIpaETQgnfcxRqan31H2Joqk2eBNCTNi001r5K6XmrqQ6TL2 + WkQ1RFF7vn42vz+VxcKQO4B0lTIUWhSczcpMWAZ6ZocZD6HScqRoFW+U16/39Bpd + TdFb944742vNNFEndXXGzy8hc3gRGz1ihX+MJKuuduyn1mX9AVbPAHR5mkhQ+6x0 + xuFfXxaEMJxSiwdFOyGDHyFM+n2zrHh8ayOxL22X9gjjNspv6zTMo6GoGnUCdSOq + eVoHhwKCAQEAot5O3rOB/vuEljwcv7IgQJrvCsNg/8FgWR1p7kGpuXHJG3btWrz1 + pyH+e9DjqGQD9KWjJ3LAp02NPUJ2nJIZHj9Y8/yjspb2nDTPLt+uSCjKJibBt0ys + O219HRGzYjfzHYCi8PVrCggQAk7rmUdMuF4iQutE4ICDgtz9eZbls3YBiFKdvxVK + Yg/sHflucmPAbtah13prPyvs6ZzN6zNANYXNYdn1OwHieBwvyWRFG8jY/MorTHPd + BwA3drPNbbGHBzQMZNZKub8gSVYr3SU52gUlYCclmIq+50xqLlF2FWIz1q8irVPd + gUnIR/eQQbxgaivRwbGze1ZAjUsozVVQQQKCAQEA9uAKU3O06bEUGj+L0G+7R7r/ + bi2DNi2kLJ7jyq+n0OqcHEQ1zFK4LAPaXY0yMYXieUzhivMGLSNDiubGO2/KxkFF + REXUFgYWZYMwrKsUuscybB64cQDwzD0oXrhvEa2PHecdG6AZ63iLcHaaDzyCPID/ + wtljekLO2jbJ5esXZd016lykFfUd/K4KP1DGyI2Dkq6q0gTc/Y36gDAcPhIWtzna + UujYCe3a8DWCElH4geKXaB5ABbV1eJ8Lch599lXJ9Hszem6QNosFsPaHDCcqLS9H + yy2WA6CY2LVU7kONN+O0kxs2fVbxIkI+d/LZyX/yIGlkXcAzL07llIlrTAYebQ== -----END RSA PRIVATE KEY----- ''; "letsencrypt.org".cert = builtins.toFile "letsencrypt.org.cert" '' -----BEGIN CERTIFICATE----- MIIEpzCCAo8CAgKaMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNVBAMMC1NuYWtlb2ls - IENBMCAXDTE4MDcxMjAwMjIxOVoYDzIxMTgwNjE4MDAyMjE5WjAaMRgwFgYDVQQD + IENBMCAXDTE5MTAxODA3NTQxNVoYDzIxMTkwOTI0MDc1NDE1WjAaMRgwFgYDVQQD DA9sZXRzZW5jcnlwdC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC - AQDA++GXB6aA+Lr3X2xIPs/PqXoJF9TUb98NzQC+ww3+dOaIY0Omqf15/UID5G0u - 0649zUsvISi9x+7vn9X7opKA7iTX0TYKsUIXCMQ5YMYXgOByVPfvnVYaYUmDM8R9 - l+Fs6uZB9Bq7zorEC01lWn0XFwpu4vJD+w03F80wH7sgdtWHC/NVyd0elhkQ/qR2 - fC80s/bZui5fmrdq/FZK2WfTW5nQF9SbhfDFpQ0hTu3QO/noUr0L2Fb0Blp7R2jQ - EkFZEXvFLAt4Mmqf25nP6xfRf+0hppJBIG5nJKPQd7lkrN1Q7S2nHbFNLYGuXdjY - E4lo4T3we5ta90qiyUu3hfatWszEZrzpKYXNzIMvVFKjBw/+u7LLnnmXul6kvmzh - yYyBEEFePm1eGpRNU6flY74kKUuT6u2+0BPiuiAmYyoQqYzDa3ss3LVb2uL/fvxA - b+LcAZosgv/saw9u5E7nVJ22LhAxV7bM0XN7vabM2aPVJeiRbLv5m+NQynnmgSNF - GxM9Rl004QclbLo6zbOe6ovtmkgcLEEbwUqeQJWJdEmoADxvNwSFH6ktqYsg4eW/ - iR3MnqmEeRK8rryq9tFF5SY6MmBK6lUEj2OEr58drL9RZHjN8lB5330fxk6iJeWs - sJWz5U8PKdRQqvMXWdjKiU3OL81Lh7gBud9aDILkkpGmNQIDAQABMA0GCSqGSIb3 - DQEBCwUAA4ICAQAkx3jcryukAuYP7PQxMy3LElOl65ZFVqxDtTDlr7DvAkWJzVCb - g08L6Tu+K0rKh2RbG/PqS0+8/jBgc4IwSOPfDDAX+sinfj0kwXG34WMzB0G3fQzU - 2BMplJDOaBcNqHG8pLP1BG+9HAtR/RHe9p2Jw8LG2qmZs6uemPT/nCTNoyIL4oxh - UncjETV4ayCHDKD1XA7/icgddYsnfLQHWuIMuCrmQCHo0uQAd7qVHfUWZ+gcsZx0 - jTNCcaI8OTS2S65Bjaq2HaM7GMcUYNUD2vSyNQeQbha4ZeyZ9bPyFzznPMmrPXQe - MJdkbJ009RQIG9As79En4m+l+/6zrdx4DNdROqaL6YNiSebWMnuFHpMW/rCnhrT/ - HYadijHOiJJGj9tWSdC4XJs7fvZW3crMPUYxpOvl01xW2ZlgaekILi1FAjSMQVoV - NhWstdGCKJdthJqLL5MtNdfgihKcmgkJqKFXTkPv7sgAQCopu6X+S+srCgn856Lv - 21haRWZa8Ml+E0L/ticT8Fd8Luysc6K9TJ4mT8ENC5ywvgDlEkwBD3yvINXm5lg1 - xOIxv/Ye5gFk1knuM7OzpUFBrXUHdVVxflCUqNAhFPbcXwjgEQ+A+S5B0vI6Ohue - ZnR/wuiou6Y+Yzh8XfqL/3H18mGDdjyMXI1B6l4Judk000UVyr46cnI7mw== + AQD12l08TLMPf8EF2zu0D/nWz5aYsXJa4WurjIx3ZH6+LmC8rueUs1UqFiCJOYrZ + Sb5QSka5wmpkdxNJkDUHPhL/w0P8Aj0joSbC8GKdjn8+5vEQAuT1iIMD4jMfxkYU + zzBeDt8xtskCzK/5IcC2vaOYKyCCum4Pl+DOzan4XarT6hWh4XAwA5R0B/aM200s + SPZDoyJHler7AU5xG1eU2VdYhfc2ua5s7/E6kM2mzKPJgLkt35bToxLltMdJ2/no + CRSDY+6AwKGPXlM510QkgrzM9cVOUxjJ71IrCOE1Rmi997jFcJpOPaebOty4wovP + 5LewpB5NaOJFxjfDjNOUBuG0ZcONeOEw5usehYzx7dxMvg0ky+201K1d+JzFt5Ns + iJi77t20XSr6JZpmp7Fzo90BoikVnRdLD6LmIt1BmYHDNjs0uUelC6l+HrN7SoNR + VkAwO5ujgkpRMHMfpBO6EfH65Sbstzxh00Cufuj+8xkNDKbUSJrErFm4IZqoW+rx + kricFWwd9xduEX9cPYcyJ3e3siZtERW72qdz4Sf5pxT9IlpoveuMxboctUyvr69C + sLNiS8vMpimhSb0PUpyfp3w5/GXaIJpj0KQyvn/onWnXBxN1w3shVD8MUF5MNq7J + ZvJmQ7+U+hmhqRbJc7H1L22AKXOEWY2BGRm/3A35CC40NwIDAQABMA0GCSqGSIb3 + DQEBCwUAA4ICAQBbJwE+qc0j6JGHWe0TGjv1viJU3WuyJkMRi+ejx0p/k7Ntp5An + 2wLC7b/lVP/Nh+PKY/iXWn/BErv2MUo4POc1g8svgxsmMMh5KGGieIfGs7xT+JMH + dzZZM+pUpIB5fEO5JfjiOEOKDdAvRSs0mTAVYZEokGkXSNWyylvEaA16mHtMgPjo + Lm75d0O66RfJDdd/hTl8umGpF7kEGW1qYk2QmuPr7AqOa8na7olL5fMPh6Q7yRqx + GIS9JKQ0fWl8Ngk09WfwUN/kEMcp9Jl5iunNRkbpUJIM/lHFkSA7yOFFL+dVWzd4 + 2r+ddJXTFzW8Rwt65l8SV2MEhijEamKva3mqKLIRWxDsfFVT1T04LWFtnzMW4Z29 + UHF9Pi7XSyKz0Y/Lz31mNTkjJYbOvbnwok8lc3wFWHc+lummZk8IkCq8xfqzwmwX + Ow6EV+Q6VaQpOHumQZ12pBBLtL8DyDhWaRUgVy2vYpwYsMYa5BFMcKCynjlSewo9 + G2hNoW45cQZP1qHltRR9Xad7SaP7iTETDCiR7AWOqSpDipSh9eMfVW97ZbSfz+vl + xl8PZEZMTRIIRVXsPP+E8gtDUhUQp2+Vcz8r6q71qslXM09xl/501uaNjCc3hH2R + iw2N77Lho1F3FrBbHdML3RYHZI55eC9iQw6R4S+R4b+iWLJoHzHrW61itg== -----END CERTIFICATE----- ''; } diff --git a/nixpkgs/nixos/tests/common/user-account.nix b/nixpkgs/nixos/tests/common/user-account.nix index 9cd531a1f96c..a57ee2d59ae3 100644 --- a/nixpkgs/nixos/tests/common/user-account.nix +++ b/nixpkgs/nixos/tests/common/user-account.nix @@ -4,6 +4,7 @@ { isNormalUser = true; description = "Alice Foobar"; password = "foobar"; + uid = 1000; }; users.users.bob = diff --git a/nixpkgs/nixos/tests/common/x11.nix b/nixpkgs/nixos/tests/common/x11.nix index c5a7c165d126..5ad0ac20fac8 100644 --- a/nixpkgs/nixos/tests/common/x11.nix +++ b/nixpkgs/nixos/tests/common/x11.nix @@ -1,12 +1,12 @@ +{ lib, ... }: + { services.xserver.enable = true; # Automatically log in. services.xserver.displayManager.auto.enable = true; # Use IceWM as the window manager. - services.xserver.windowManager.default = "icewm"; - services.xserver.windowManager.icewm.enable = true; - # Don't use a desktop manager. - services.xserver.desktopManager.default = "none"; + services.xserver.displayManager.defaultSession = lib.mkDefault "none+icewm"; + services.xserver.windowManager.icewm.enable = true; } diff --git a/nixpkgs/nixos/tests/consul.nix b/nixpkgs/nixos/tests/consul.nix new file mode 100644 index 000000000000..6600dae4770b --- /dev/null +++ b/nixpkgs/nixos/tests/consul.nix @@ -0,0 +1,143 @@ +import ./make-test-python.nix ({pkgs, lib, ...}: + +let + # Settings for both servers and agents + webUi = true; + retry_interval = "1s"; + raft_multiplier = 1; + + defaultExtraConfig = { + inherit retry_interval; + performance = { + inherit raft_multiplier; + }; + }; + + allConsensusServerHosts = [ + "192.168.1.1" + "192.168.1.2" + "192.168.1.3" + ]; + + allConsensusClientHosts = [ + "192.168.2.1" + "192.168.2.2" + ]; + + firewallSettings = { + # See https://www.consul.io/docs/install/ports.html + allowedTCPPorts = [ 8301 8302 8600 8500 8300 ]; + allowedUDPPorts = [ 8301 8302 8600 ]; + }; + + client = index: { pkgs, ... }: + let + ip = builtins.elemAt allConsensusClientHosts index; + in + { + environment.systemPackages = [ pkgs.consul ]; + + networking.interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [ + { address = ip; prefixLength = 16; } + ]; + networking.firewall = firewallSettings; + + services.consul = { + enable = true; + inherit webUi; + extraConfig = defaultExtraConfig // { + server = false; + retry_join = allConsensusServerHosts; + bind_addr = ip; + }; + }; + }; + + server = index: { pkgs, ... }: + let + ip = builtins.elemAt allConsensusServerHosts index; + in + { + networking.interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [ + { address = builtins.elemAt allConsensusServerHosts index; prefixLength = 16; } + ]; + networking.firewall = firewallSettings; + + services.consul = + let + thisConsensusServerHost = builtins.elemAt allConsensusServerHosts index; + in + assert builtins.elem thisConsensusServerHost allConsensusServerHosts; + { + enable = true; + inherit webUi; + extraConfig = defaultExtraConfig // { + server = true; + bootstrap_expect = builtins.length allConsensusServerHosts; + retry_join = + # If there's only 1 node in the network, we allow self-join; + # otherwise, the node must not try to join itself, and join only the other servers. + # See https://github.com/hashicorp/consul/issues/2868 + if builtins.length allConsensusServerHosts == 1 + then allConsensusServerHosts + else builtins.filter (h: h != thisConsensusServerHost) allConsensusServerHosts; + bind_addr = ip; + }; + }; + }; +in { + name = "consul"; + + nodes = { + server1 = server 0; + server2 = server 1; + server3 = server 2; + + client1 = client 0; + client2 = client 1; + }; + + testScript = '' + servers = [server1, server2, server3] + machines = [server1, server2, server3, client1, client2] + + for m in machines: + m.wait_for_unit("consul.service") + + for m in machines: + m.wait_until_succeeds("[ $(consul members | grep -o alive | wc -l) == 5 ]") + + client1.succeed("consul kv put testkey 42") + client2.succeed("[ $(consul kv get testkey) == 42 ]") + + # Test that the cluster can tolearate failures of any single server: + for server in servers: + server.crash() + + # For each client, wait until they have connection again + # using `kv get -recurse` before issuing commands. + client1.wait_until_succeeds("consul kv get -recurse") + client2.wait_until_succeeds("consul kv get -recurse") + + # Do some consul actions while one server is down. + client1.succeed("consul kv put testkey 43") + client2.succeed("[ $(consul kv get testkey) == 43 ]") + client2.succeed("consul kv delete testkey") + + # Restart crashed machine. + server.start() + + # Wait for recovery. + for m in machines: + m.wait_until_succeeds("[ $(consul members | grep -o alive | wc -l) == 5 ]") + + # Wait for client connections. + client1.wait_until_succeeds("consul kv get -recurse") + client2.wait_until_succeeds("consul kv get -recurse") + + # Do some consul actions with server back up. + client1.succeed("consul kv put testkey 44") + client2.succeed("[ $(consul kv get testkey) == 44 ]") + client2.succeed("consul kv delete testkey") + ''; +}) diff --git a/nixpkgs/nixos/tests/containers-bridge.nix b/nixpkgs/nixos/tests/containers-bridge.nix index 38db64eb7931..2c8e8fa5370f 100644 --- a/nixpkgs/nixos/tests/containers-bridge.nix +++ b/nixpkgs/nixos/tests/containers-bridge.nix @@ -7,7 +7,7 @@ let containerIp6 = "fc00::2/7"; in -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "containers-bridge"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ aristid aszlig eelco kampfschlaefer ]; @@ -61,43 +61,42 @@ import ./make-test.nix ({ pkgs, ...} : { virtualisation.pathsInNixDB = [ pkgs.stdenv ]; }; - testScript = - '' - $machine->waitForUnit("default.target"); - $machine->succeed("nixos-container list") =~ /webserver/ or die; - - # Start the webserver container. - $machine->succeed("nixos-container status webserver") =~ /up/ or die; - - # Check if bridges exist inside containers - $machine->succeed("nixos-container run webserver -- ip link show eth0"); - $machine->succeed("nixos-container run web-noip -- ip link show eth0"); - - "${containerIp}" =~ /([^\/]+)\/([0-9+])/; - my $ip = $1; - chomp $ip; - $machine->succeed("ping -n -c 1 $ip"); - $machine->succeed("curl --fail http://$ip/ > /dev/null"); - - "${containerIp6}" =~ /([^\/]+)\/([0-9+])/; - my $ip6 = $1; - chomp $ip6; - $machine->succeed("ping -n -c 1 $ip6"); - $machine->succeed("curl --fail http://[$ip6]/ > /dev/null"); - - # Check that nixos-container show-ip works in case of an ipv4 address with - # subnetmask in CIDR notation. - my $result = $machine->succeed("nixos-container show-ip webserver"); - chomp $result; - $result eq $ip or die; - - # Stop the container. - $machine->succeed("nixos-container stop webserver"); - $machine->fail("curl --fail --connect-timeout 2 http://$ip/ > /dev/null"); - $machine->fail("curl --fail --connect-timeout 2 http://[$ip6]/ > /dev/null"); - - # Destroying a declarative container should fail. - $machine->fail("nixos-container destroy webserver"); - ''; - + testScript = '' + machine.wait_for_unit("default.target") + assert "webserver" in machine.succeed("nixos-container list") + + with subtest("Start the webserver container"): + assert "up" in machine.succeed("nixos-container status webserver") + + with subtest("Bridges exist inside containers"): + machine.succeed( + "nixos-container run webserver -- ip link show eth0", + "nixos-container run web-noip -- ip link show eth0", + ) + + ip = "${containerIp}".split("/")[0] + machine.succeed(f"ping -n -c 1 {ip}") + machine.succeed(f"curl --fail http://{ip}/ > /dev/null") + + ip6 = "${containerIp6}".split("/")[0] + machine.succeed(f"ping -n -c 1 {ip6}") + machine.succeed(f"curl --fail http://[{ip6}]/ > /dev/null") + + with subtest( + "nixos-container show-ip works in case of an ipv4 address " + + "with subnetmask in CIDR notation." + ): + result = machine.succeed("nixos-container show-ip webserver").rstrip() + assert result == ip + + with subtest("Stop the container"): + machine.succeed("nixos-container stop webserver") + machine.fail( + f"curl --fail --connect-timeout 2 http://{ip}/ > /dev/null", + f"curl --fail --connect-timeout 2 http://[{ip6}]/ > /dev/null", + ) + + # Destroying a declarative container should fail. + machine.fail("nixos-container destroy webserver") + ''; }) diff --git a/nixpkgs/nixos/tests/containers-ephemeral.nix b/nixpkgs/nixos/tests/containers-ephemeral.nix index 1ef8717d9a0e..692554ac0ba2 100644 --- a/nixpkgs/nixos/tests/containers-ephemeral.nix +++ b/nixpkgs/nixos/tests/containers-ephemeral.nix @@ -1,6 +1,6 @@ # Test for NixOS' container support. -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "containers-ephemeral"; machine = { pkgs, ... }: { @@ -16,10 +16,10 @@ import ./make-test.nix ({ pkgs, ...} : { services.nginx = { enable = true; virtualHosts.localhost = { - root = (pkgs.runCommand "localhost" {} '' + root = pkgs.runCommand "localhost" {} '' mkdir "$out" echo hello world > "$out/index.html" - ''); + ''; }; }; networking.firewall.allowedTCPPorts = [ 80 ]; @@ -28,29 +28,27 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - $machine->succeed("nixos-container list") =~ /webserver/ or die; + assert "webserver" in machine.succeed("nixos-container list") - # Start the webserver container. - $machine->succeed("nixos-container start webserver"); + machine.succeed("nixos-container start webserver") - # Check that container got its own root folder - $machine->succeed("ls /run/containers/webserver"); + with subtest("Container got its own root folder"): + machine.succeed("ls /run/containers/webserver") - # Check that container persistent directory is not created - $machine->fail("ls /var/lib/containers/webserver"); + with subtest("Container persistent directory is not created"): + machine.fail("ls /var/lib/containers/webserver") # Since "start" returns after the container has reached # multi-user.target, we should now be able to access it. - my $ip = $machine->succeed("nixos-container show-ip webserver"); - chomp $ip; - $machine->succeed("ping -n -c1 $ip"); - $machine->succeed("curl --fail http://$ip/ > /dev/null"); + ip = machine.succeed("nixos-container show-ip webserver").rstrip() + machine.succeed(f"ping -n -c1 {ip}") + machine.succeed(f"curl --fail http://{ip}/ > /dev/null") - # Stop the container. - $machine->succeed("nixos-container stop webserver"); - $machine->fail("curl --fail --connect-timeout 2 http://$ip/ > /dev/null"); + with subtest("Stop the container"): + machine.succeed("nixos-container stop webserver") + machine.fail(f"curl --fail --connect-timeout 2 http://{ip}/ > /dev/null") - # Check that container's root folder was removed - $machine->fail("ls /run/containers/webserver"); + with subtest("Container's root folder was removed"): + machine.fail("ls /run/containers/webserver") ''; }) diff --git a/nixpkgs/nixos/tests/containers-extra_veth.nix b/nixpkgs/nixos/tests/containers-extra_veth.nix index b3d3bce87579..7d30b3f76cd7 100644 --- a/nixpkgs/nixos/tests/containers-extra_veth.nix +++ b/nixpkgs/nixos/tests/containers-extra_veth.nix @@ -1,7 +1,7 @@ # Test for NixOS' container support. -import ./make-test.nix ({ pkgs, ...} : { - name = "containers-bridge"; +import ./make-test-python.nix ({ pkgs, ...} : { + name = "containers-extra_veth"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ kampfschlaefer ]; }; @@ -52,52 +52,43 @@ import ./make-test.nix ({ pkgs, ...} : { testScript = '' - $machine->waitForUnit("default.target"); - $machine->succeed("nixos-container list") =~ /webserver/ or die; + machine.wait_for_unit("default.target") + assert "webserver" in machine.succeed("nixos-container list") - # Status of the webserver container. - $machine->succeed("nixos-container status webserver") =~ /up/ or die; + with subtest("Status of the webserver container is up"): + assert "up" in machine.succeed("nixos-container status webserver") - # Debug - #$machine->succeed("nixos-container run webserver -- ip link >&2"); + with subtest("Ensure that the veths are inside the container"): + assert "state UP" in machine.succeed( + "nixos-container run webserver -- ip link show veth1" + ) + assert "state UP" in machine.succeed( + "nixos-container run webserver -- ip link show veth2" + ) - # Ensure that the veths are inside the container - $machine->succeed("nixos-container run webserver -- ip link show veth1") =~ /state UP/ or die; - $machine->succeed("nixos-container run webserver -- ip link show veth2") =~ /state UP/ or die; + with subtest("Ensure the presence of the extra veths"): + assert "state UP" in machine.succeed("ip link show veth1") + assert "state UP" in machine.succeed("ip link show veth2") - # Debug - #$machine->succeed("ip link >&2"); + with subtest("Ensure the veth1 is part of br1 on the host"): + assert "master br1" in machine.succeed("ip link show veth1") - # Ensure the presence of the extra veths - $machine->succeed("ip link show veth1") =~ /state UP/ or die; - $machine->succeed("ip link show veth2") =~ /state UP/ or die; + with subtest("Ping on main veth"): + machine.succeed("ping -n -c 1 192.168.0.100") + machine.succeed("ping -n -c 1 fc00::2") - # Ensure the veth1 is part of br1 on the host - $machine->succeed("ip link show veth1") =~ /master br1/ or die; + with subtest("Ping on the first extra veth"): + machine.succeed("ping -n -c 1 192.168.1.100 >&2") - # Debug - #$machine->succeed("ip -4 a >&2"); - #$machine->succeed("ip -4 r >&2"); - #$machine->succeed("nixos-container run webserver -- ip link >&2"); - #$machine->succeed("nixos-container run webserver -- ip -4 a >&2"); - #$machine->succeed("nixos-container run webserver -- ip -4 r >&2"); + with subtest("Ping on the second extra veth"): + machine.succeed("ping -n -c 1 192.168.2.100 >&2") - # Ping on main veth - $machine->succeed("ping -n -c 1 192.168.0.100"); - $machine->succeed("ping -n -c 1 fc00::2"); + with subtest("Container can be stopped"): + machine.succeed("nixos-container stop webserver") + machine.fail("ping -n -c 1 192.168.1.100 >&2") + machine.fail("ping -n -c 1 192.168.2.100 >&2") - # Ping on the first extra veth - $machine->succeed("ping -n -c 1 192.168.1.100 >&2"); - - # Ping on the second extra veth - $machine->succeed("ping -n -c 1 192.168.2.100 >&2"); - - # Stop the container. - $machine->succeed("nixos-container stop webserver"); - $machine->fail("ping -n -c 1 192.168.1.100 >&2"); - $machine->fail("ping -n -c 1 192.168.2.100 >&2"); - - # Destroying a declarative container should fail. - $machine->fail("nixos-container destroy webserver"); + with subtest("Destroying a declarative container should fail"): + machine.fail("nixos-container destroy webserver") ''; }) diff --git a/nixpkgs/nixos/tests/containers-hosts.nix b/nixpkgs/nixos/tests/containers-hosts.nix index 8cf298c62258..d6fb4a761eef 100644 --- a/nixpkgs/nixos/tests/containers-hosts.nix +++ b/nixpkgs/nixos/tests/containers-hosts.nix @@ -1,6 +1,6 @@ # Test for NixOS' container support. -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "containers-hosts"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ montag451 ]; @@ -42,11 +42,11 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; - $machine->waitForUnit("default.target"); + start_all() + machine.wait_for_unit("default.target") - # Ping the containers using the entries added in /etc/hosts - $machine->succeed("ping -n -c 1 simple.containers"); - $machine->succeed("ping -n -c 1 netmask.containers"); + with subtest("Ping the containers using the entries added in /etc/hosts"): + for host in "simple.containers", "netmask.containers": + machine.succeed(f"ping -n -c 1 {host}") ''; }) diff --git a/nixpkgs/nixos/tests/containers-imperative.nix b/nixpkgs/nixos/tests/containers-imperative.nix index 2e7e4b2f1d69..61df74042cb3 100644 --- a/nixpkgs/nixos/tests/containers-imperative.nix +++ b/nixpkgs/nixos/tests/containers-imperative.nix @@ -1,6 +1,6 @@ # Test for NixOS' container support. -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "containers-imperative"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ aristid aszlig eelco kampfschlaefer ]; @@ -36,95 +36,99 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = let - tmpfilesContainerConfig = pkgs.writeText "container-config-tmpfiles" '' - { - systemd.tmpfiles.rules = [ "d /foo - - - - -" ]; - systemd.services.foo = { - serviceConfig.Type = "oneshot"; - script = "ls -al /foo"; - wantedBy = [ "multi-user.target" ]; - }; - } - ''; in - '' - # Make sure we have a NixOS tree (required by ‘nixos-container create’). - $machine->succeed("PAGER=cat nix-env -qa -A nixos.hello >&2"); - - # Create some containers imperatively. - my $id1 = $machine->succeed("nixos-container create foo --ensure-unique-name"); - chomp $id1; - $machine->log("created container $id1"); - - my $id2 = $machine->succeed("nixos-container create foo --ensure-unique-name"); - chomp $id2; - $machine->log("created container $id2"); - - die if $id1 eq $id2; - - # Put the root of $id2 into a bind mount. - $machine->succeed( - "mv /var/lib/containers/$id2 /id2-bindmount", - "mount --bind /id2-bindmount /var/lib/containers/$id1" - ); - - my $ip1 = $machine->succeed("nixos-container show-ip $id1"); - chomp $ip1; - my $ip2 = $machine->succeed("nixos-container show-ip $id2"); - chomp $ip2; - die if $ip1 eq $ip2; - - # Create a directory and a file we can later check if it still exists - # after destruction of the container. - $machine->succeed( - "mkdir /nested-bindmount", - "echo important data > /nested-bindmount/dummy", - ); - - # Create a directory with a dummy file and bind-mount it into both - # containers. - foreach ($id1, $id2) { - my $importantPath = "/var/lib/containers/$_/very/important/data"; - $machine->succeed( - "mkdir -p $importantPath", - "mount --bind /nested-bindmount $importantPath" - ); - } - - # Start one of them. - $machine->succeed("nixos-container start $id1"); - - # Execute commands via the root shell. - $machine->succeed("nixos-container run $id1 -- uname") =~ /Linux/ or die; - - # Execute a nix command via the root shell. (regression test for #40355) - $machine->succeed("nixos-container run $id1 -- nix-instantiate -E 'derivation { name = \"empty\"; builder = \"false\"; system = \"false\"; }'"); - - # Stop and start (regression test for #4989) - $machine->succeed("nixos-container stop $id1"); - $machine->succeed("nixos-container start $id1"); - - # Ensure tmpfiles are present - $machine->log("creating container tmpfiles"); - $machine->succeed("nixos-container create tmpfiles --config-file ${tmpfilesContainerConfig}"); - $machine->log("created, starting…"); - $machine->succeed("nixos-container start tmpfiles"); - $machine->log("done starting, investigating…"); - $machine->succeed("echo \$(nixos-container run tmpfiles -- systemctl is-active foo.service) | grep -q active;"); - $machine->succeed("nixos-container destroy tmpfiles"); - - # Execute commands via the root shell. - $machine->succeed("nixos-container run $id1 -- uname") =~ /Linux/ or die; - - # Destroy the containers. - $machine->succeed("nixos-container destroy $id1"); - $machine->succeed("nixos-container destroy $id2"); - - $machine->succeed( - # Check whether destruction of any container has killed important data - "grep -qF 'important data' /nested-bindmount/dummy", - # Ensure that the container path is gone - "test ! -e /var/lib/containers/$id1" - ); + tmpfilesContainerConfig = pkgs.writeText "container-config-tmpfiles" '' + { + systemd.tmpfiles.rules = [ "d /foo - - - - -" ]; + systemd.services.foo = { + serviceConfig.Type = "oneshot"; + script = "ls -al /foo"; + wantedBy = [ "multi-user.target" ]; + }; + } + ''; + in '' + with subtest("Make sure we have a NixOS tree (required by ‘nixos-container create’)"): + machine.succeed("PAGER=cat nix-env -qa -A nixos.hello >&2") + + id1, id2 = None, None + + with subtest("Create some containers imperatively"): + id1 = machine.succeed("nixos-container create foo --ensure-unique-name").rstrip() + machine.log(f"created container {id1}") + + id2 = machine.succeed("nixos-container create foo --ensure-unique-name").rstrip() + machine.log(f"created container {id2}") + + assert id1 != id2 + + with subtest(f"Put the root of {id2} into a bind mount"): + machine.succeed( + f"mv /var/lib/containers/{id2} /id2-bindmount", + f"mount --bind /id2-bindmount /var/lib/containers/{id1}", + ) + + ip1 = machine.succeed(f"nixos-container show-ip {id1}").rstrip() + ip2 = machine.succeed(f"nixos-container show-ip {id2}").rstrip() + assert ip1 != ip2 + + with subtest( + "Create a directory and a file we can later check if it still exists " + + "after destruction of the container" + ): + machine.succeed("mkdir /nested-bindmount") + machine.succeed("echo important data > /nested-bindmount/dummy") + + with subtest( + "Create a directory with a dummy file and bind-mount it into both containers." + ): + for id in id1, id2: + important_path = f"/var/lib/containers/{id}/very/important/data" + machine.succeed( + f"mkdir -p {important_path}", + f"mount --bind /nested-bindmount {important_path}", + ) + + with subtest("Start one of them"): + machine.succeed(f"nixos-container start {id1}") + + with subtest("Execute commands via the root shell"): + assert "Linux" in machine.succeed(f"nixos-container run {id1} -- uname") + + with subtest("Execute a nix command via the root shell. (regression test for #40355)"): + machine.succeed( + f"nixos-container run {id1} -- nix-instantiate -E " + + '\'derivation { name = "empty"; builder = "false"; system = "false"; }\' ' + ) + + with subtest("Stop and start (regression test for #4989)"): + machine.succeed(f"nixos-container stop {id1}") + machine.succeed(f"nixos-container start {id1}") + + with subtest("tmpfiles are present"): + machine.log("creating container tmpfiles") + machine.succeed( + "nixos-container create tmpfiles --config-file ${tmpfilesContainerConfig}" + ) + machine.log("created, starting…") + machine.succeed("nixos-container start tmpfiles") + machine.log("done starting, investigating…") + machine.succeed( + "echo $(nixos-container run tmpfiles -- systemctl is-active foo.service) | grep -q active;" + ) + machine.succeed("nixos-container destroy tmpfiles") + + with subtest("Execute commands via the root shell"): + assert "Linux" in machine.succeed(f"nixos-container run {id1} -- uname") + + with subtest("Destroy the containers"): + for id in id1, id2: + machine.succeed(f"nixos-container destroy {id}") + + with subtest("Check whether destruction of any container has killed important data"): + machine.succeed("grep -qF 'important data' /nested-bindmount/dummy") + + with subtest("Ensure that the container path is gone"): + print(machine.succeed("ls -lsa /var/lib/containers")) + machine.succeed(f"test ! -e /var/lib/containers/{id1}") ''; - }) diff --git a/nixpkgs/nixos/tests/containers-ip.nix b/nixpkgs/nixos/tests/containers-ip.nix new file mode 100644 index 000000000000..8583a08c6258 --- /dev/null +++ b/nixpkgs/nixos/tests/containers-ip.nix @@ -0,0 +1,77 @@ +# Test for NixOS' container support. + +let + webserverFor = hostAddress: localAddress: { + inherit hostAddress localAddress; + privateNetwork = true; + config = { + services.httpd = { + enable = true; + adminAddr = "foo@example.org"; + }; + networking.firewall.allowedTCPPorts = [ 80 ]; + }; + }; + +in import ./make-test-python.nix ({ pkgs, ...} : { + name = "containers-ipv4-ipv6"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ aristid aszlig eelco kampfschlaefer ]; + }; + + machine = + { pkgs, ... }: { + imports = [ ../modules/installer/cd-dvd/channel.nix ]; + virtualisation = { + writableStore = true; + memorySize = 768; + }; + + containers.webserver4 = webserverFor "10.231.136.1" "10.231.136.2"; + containers.webserver6 = webserverFor "fc00::2" "fc00::1"; + virtualisation.pathsInNixDB = [ pkgs.stdenv ]; + }; + + testScript = { nodes, ... }: '' + import time + + + def curl_host(ip): + # put [] around ipv6 addresses for curl + host = ip if ":" not in ip else f"[{ip}]" + return f"curl --fail --connect-timeout 2 http://{host}/ > /dev/null" + + + def get_ip(container): + # need to distinguish because show-ip won't work for ipv6 + if container == "webserver4": + ip = machine.succeed(f"nixos-container show-ip {container}").rstrip() + assert ip == "${nodes.machine.config.containers.webserver4.localAddress}" + return ip + return "${nodes.machine.config.containers.webserver6.localAddress}" + + + for container in "webserver4", "webserver6": + assert container in machine.succeed("nixos-container list") + + with subtest(f"Start container {container}"): + machine.succeed(f"nixos-container start {container}") + # wait 2s for container to start and network to be up + time.sleep(2) + + # Since "start" returns after the container has reached + # multi-user.target, we should now be able to access it. + + ip = get_ip(container) + with subtest(f"{container} reacts to pings and HTTP requests"): + machine.succeed(f"ping -n -c1 {ip}") + machine.succeed(curl_host(ip)) + + with subtest(f"Stop container {container}"): + machine.succeed(f"nixos-container stop {container}") + machine.fail(curl_host(ip)) + + # Destroying a declarative container should fail. + machine.fail(f"nixos-container destroy {container}") + ''; +}) diff --git a/nixpkgs/nixos/tests/containers-ipv4.nix b/nixpkgs/nixos/tests/containers-ipv4.nix deleted file mode 100644 index ace68ff2df8b..000000000000 --- a/nixpkgs/nixos/tests/containers-ipv4.nix +++ /dev/null @@ -1,55 +0,0 @@ -# Test for NixOS' container support. - -import ./make-test.nix ({ pkgs, ...} : { - name = "containers-ipv4"; - meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ aristid aszlig eelco kampfschlaefer ]; - }; - - machine = - { pkgs, ... }: - { imports = [ ../modules/installer/cd-dvd/channel.nix ]; - virtualisation.writableStore = true; - virtualisation.memorySize = 768; - - containers.webserver = - { privateNetwork = true; - hostAddress = "10.231.136.1"; - localAddress = "10.231.136.2"; - config = - { services.httpd.enable = true; - services.httpd.adminAddr = "foo@example.org"; - networking.firewall.allowedTCPPorts = [ 80 ]; - system.stateVersion = "18.03"; - }; - }; - - virtualisation.pathsInNixDB = [ pkgs.stdenv ]; - }; - - testScript = - '' - $machine->succeed("nixos-container list") =~ /webserver/ or die; - - # Start the webserver container. - $machine->succeed("nixos-container start webserver"); - - # wait two seconds for the container to start and the network to be up - sleep 2; - - # Since "start" returns after the container has reached - # multi-user.target, we should now be able to access it. - my $ip = $machine->succeed("nixos-container show-ip webserver"); - chomp $ip; - $machine->succeed("ping -n -c1 $ip"); - $machine->succeed("curl --fail http://$ip/ > /dev/null"); - - # Stop the container. - $machine->succeed("nixos-container stop webserver"); - $machine->fail("curl --fail --connect-timeout 2 http://$ip/ > /dev/null"); - - # Destroying a declarative container should fail. - $machine->fail("nixos-container destroy webserver"); - ''; - -}) diff --git a/nixpkgs/nixos/tests/containers-ipv6.nix b/nixpkgs/nixos/tests/containers-ipv6.nix deleted file mode 100644 index a9499d192bd4..000000000000 --- a/nixpkgs/nixos/tests/containers-ipv6.nix +++ /dev/null @@ -1,60 +0,0 @@ -# Test for NixOS' container support. - -let - hostIp = "fc00::2"; - localIp = "fc00::1"; -in - -import ./make-test.nix ({ pkgs, ...} : { - name = "containers-ipv6"; - meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ aristid aszlig eelco kampfschlaefer ]; - }; - - machine = - { pkgs, ... }: - { imports = [ ../modules/installer/cd-dvd/channel.nix ]; - virtualisation.writableStore = true; - virtualisation.memorySize = 768; - - containers.webserver = - { privateNetwork = true; - hostAddress6 = hostIp; - localAddress6 = localIp; - config = - { services.httpd.enable = true; - services.httpd.adminAddr = "foo@example.org"; - networking.firewall.allowedTCPPorts = [ 80 ]; - }; - }; - - virtualisation.pathsInNixDB = [ pkgs.stdenv ]; - }; - - testScript = - '' - $machine->waitForUnit("default.target"); - $machine->succeed("nixos-container list") =~ /webserver/ or die; - - # Start the webserver container. - $machine->succeed("nixos-container start webserver"); - - # wait two seconds for the container to start and the network to be up - sleep 2; - - # Since "start" returns after the container has reached - # multi-user.target, we should now be able to access it. - my $ip = "${localIp}"; - chomp $ip; - $machine->succeed("ping -n -c 1 $ip"); - $machine->succeed("curl --fail http://[$ip]/ > /dev/null"); - - # Stop the container. - $machine->succeed("nixos-container stop webserver"); - $machine->fail("curl --fail --connect-timeout 2 http://[$ip]/ > /dev/null"); - - # Destroying a declarative container should fail. - $machine->fail("nixos-container destroy webserver"); - ''; - -}) diff --git a/nixpkgs/nixos/tests/containers-macvlans.nix b/nixpkgs/nixos/tests/containers-macvlans.nix index 2bdb926a8e2b..0e8f67bc76f0 100644 --- a/nixpkgs/nixos/tests/containers-macvlans.nix +++ b/nixpkgs/nixos/tests/containers-macvlans.nix @@ -6,7 +6,7 @@ let containerIp2 = "192.168.1.254"; in -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "containers-macvlans"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ montag451 ]; @@ -64,19 +64,23 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; - $machine1->waitForUnit("default.target"); - $machine2->waitForUnit("default.target"); + start_all() + machine1.wait_for_unit("default.target") + machine2.wait_for_unit("default.target") - # Ping between containers to check that macvlans are created in bridge mode - $machine1->succeed("nixos-container run test1 -- ping -n -c 1 ${containerIp2}"); + with subtest( + "Ping between containers to check that macvlans are created in bridge mode" + ): + machine1.succeed("nixos-container run test1 -- ping -n -c 1 ${containerIp2}") - # Ping containers from the host (machine1) - $machine1->succeed("ping -n -c 1 ${containerIp1}"); - $machine1->succeed("ping -n -c 1 ${containerIp2}"); + with subtest("Ping containers from the host (machine1)"): + machine1.succeed("ping -n -c 1 ${containerIp1}") + machine1.succeed("ping -n -c 1 ${containerIp2}") - # Ping containers from the second machine to check that containers are reachable from the outside - $machine2->succeed("ping -n -c 1 ${containerIp1}"); - $machine2->succeed("ping -n -c 1 ${containerIp2}"); + with subtest( + "Ping containers from the second machine to check that containers are reachable from the outside" + ): + machine2.succeed("ping -n -c 1 ${containerIp1}") + machine2.succeed("ping -n -c 1 ${containerIp2}") ''; }) diff --git a/nixpkgs/nixos/tests/containers-physical_interfaces.nix b/nixpkgs/nixos/tests/containers-physical_interfaces.nix index 1e312f59f437..e800751a23c2 100644 --- a/nixpkgs/nixos/tests/containers-physical_interfaces.nix +++ b/nixpkgs/nixos/tests/containers-physical_interfaces.nix @@ -1,5 +1,5 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "containers-physical_interfaces"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ kampfschlaefer ]; @@ -86,48 +86,51 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; - - subtest "prepare server", sub { - $server->waitForUnit("default.target"); - $server->succeed("ip link show dev eth1 >&2"); - }; - - subtest "simple physical interface", sub { - $server->succeed("nixos-container start server"); - $server->waitForUnit("container\@server"); - $server->succeed("systemctl -M server list-dependencies network-addresses-eth1.service >&2"); - - # The other tests will ping this container on its ip. Here we just check - # that the device is present in the container. - $server->succeed("nixos-container run server -- ip a show dev eth1 >&2"); - }; - - subtest "physical device in bridge in container", sub { - $bridged->waitForUnit("default.target"); - $bridged->succeed("nixos-container start bridged"); - $bridged->waitForUnit("container\@bridged"); - $bridged->succeed("systemctl -M bridged list-dependencies network-addresses-br0.service >&2"); - $bridged->succeed("systemctl -M bridged status -n 30 -l network-addresses-br0.service"); - $bridged->succeed("nixos-container run bridged -- ping -w 10 -c 1 -n 10.10.0.1"); - }; - - subtest "physical device in bond in container", sub { - $bonded->waitForUnit("default.target"); - $bonded->succeed("nixos-container start bonded"); - $bonded->waitForUnit("container\@bonded"); - $bonded->succeed("systemctl -M bonded list-dependencies network-addresses-bond0 >&2"); - $bonded->succeed("systemctl -M bonded status -n 30 -l network-addresses-bond0 >&2"); - $bonded->succeed("nixos-container run bonded -- ping -w 10 -c 1 -n 10.10.0.1"); - }; - - subtest "physical device in bond in bridge in container", sub { - $bridgedbond->waitForUnit("default.target"); - $bridgedbond->succeed("nixos-container start bridgedbond"); - $bridgedbond->waitForUnit("container\@bridgedbond"); - $bridgedbond->succeed("systemctl -M bridgedbond list-dependencies network-addresses-br0.service >&2"); - $bridgedbond->succeed("systemctl -M bridgedbond status -n 30 -l network-addresses-br0.service"); - $bridgedbond->succeed("nixos-container run bridgedbond -- ping -w 10 -c 1 -n 10.10.0.1"); - }; + start_all() + + with subtest("Prepare server"): + server.wait_for_unit("default.target") + server.succeed("ip link show dev eth1 >&2") + + with subtest("Simple physical interface is up"): + server.succeed("nixos-container start server") + server.wait_for_unit("container@server") + server.succeed( + "systemctl -M server list-dependencies network-addresses-eth1.service >&2" + ) + + # The other tests will ping this container on its ip. Here we just check + # that the device is present in the container. + server.succeed("nixos-container run server -- ip a show dev eth1 >&2") + + with subtest("Physical device in bridge in container can ping server"): + bridged.wait_for_unit("default.target") + bridged.succeed("nixos-container start bridged") + bridged.wait_for_unit("container@bridged") + bridged.succeed( + "systemctl -M bridged list-dependencies network-addresses-br0.service >&2", + "systemctl -M bridged status -n 30 -l network-addresses-br0.service", + "nixos-container run bridged -- ping -w 10 -c 1 -n 10.10.0.1", + ) + + with subtest("Physical device in bond in container can ping server"): + bonded.wait_for_unit("default.target") + bonded.succeed("nixos-container start bonded") + bonded.wait_for_unit("container@bonded") + bonded.succeed( + "systemctl -M bonded list-dependencies network-addresses-bond0 >&2", + "systemctl -M bonded status -n 30 -l network-addresses-bond0 >&2", + "nixos-container run bonded -- ping -w 10 -c 1 -n 10.10.0.1", + ) + + with subtest("Physical device in bond in bridge in container can ping server"): + bridgedbond.wait_for_unit("default.target") + bridgedbond.succeed("nixos-container start bridgedbond") + bridgedbond.wait_for_unit("container@bridgedbond") + bridgedbond.succeed( + "systemctl -M bridgedbond list-dependencies network-addresses-br0.service >&2", + "systemctl -M bridgedbond status -n 30 -l network-addresses-br0.service", + "nixos-container run bridgedbond -- ping -w 10 -c 1 -n 10.10.0.1", + ) ''; }) diff --git a/nixpkgs/nixos/tests/containers-portforward.nix b/nixpkgs/nixos/tests/containers-portforward.nix index ec8e9629c21d..fc90e151bd9e 100644 --- a/nixpkgs/nixos/tests/containers-portforward.nix +++ b/nixpkgs/nixos/tests/containers-portforward.nix @@ -7,7 +7,7 @@ let containerPort = 80; in -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "containers-portforward"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ aristid aszlig eelco kampfschlaefer ianwookim ]; @@ -36,27 +36,27 @@ import ./make-test.nix ({ pkgs, ...} : { testScript = '' - $machine->succeed("nixos-container list") =~ /webserver/ or die; + container_list = machine.succeed("nixos-container list") + assert "webserver" in container_list # Start the webserver container. - $machine->succeed("nixos-container start webserver"); + machine.succeed("nixos-container start webserver") # wait two seconds for the container to start and the network to be up - sleep 2; + machine.sleep(2) # Since "start" returns after the container has reached # multi-user.target, we should now be able to access it. - #my $ip = $machine->succeed("nixos-container show-ip webserver"); - #chomp $ip; - $machine->succeed("ping -n -c1 ${hostIp}"); - $machine->succeed("curl --fail http://${hostIp}:${toString hostPort}/ > /dev/null"); + # ip = machine.succeed("nixos-container show-ip webserver").strip() + machine.succeed("ping -n -c1 ${hostIp}") + machine.succeed("curl --fail http://${hostIp}:${toString hostPort}/ > /dev/null") # Stop the container. - $machine->succeed("nixos-container stop webserver"); - $machine->fail("curl --fail --connect-timeout 2 http://${hostIp}:${toString hostPort}/ > /dev/null"); + machine.succeed("nixos-container stop webserver") + machine.fail("curl --fail --connect-timeout 2 http://${hostIp}:${toString hostPort}/ > /dev/null") # Destroying a declarative container should fail. - $machine->fail("nixos-container destroy webserver"); + machine.fail("nixos-container destroy webserver") ''; }) diff --git a/nixpkgs/nixos/tests/containers-reloadable.nix b/nixpkgs/nixos/tests/containers-reloadable.nix index f41dea91b1e4..35aff91e85b5 100644 --- a/nixpkgs/nixos/tests/containers-reloadable.nix +++ b/nixpkgs/nixos/tests/containers-reloadable.nix @@ -1,7 +1,7 @@ -import ./make-test.nix ({ pkgs, lib, ...} : +import ./make-test-python.nix ({ pkgs, lib, ...} : let client_base = { - + containers.test1 = { autoStart = true; config = { @@ -48,18 +48,25 @@ in { c1System = nodes.client_c1.config.system.build.toplevel; c2System = nodes.client_c2.config.system.build.toplevel; in '' - $client->start(); - $client->waitForUnit("default.target"); - $client->succeed("[[ \$(nixos-container run test1 cat /etc/check) == client_base ]] >&2"); + client.start() + client.wait_for_unit("default.target") + + assert "client_base" in client.succeed("nixos-container run test1 cat /etc/check") - $client->succeed("${c1System}/bin/switch-to-configuration test >&2"); - $client->succeed("[[ \$(nixos-container run test1 cat /etc/check) == client_c1 ]] >&2"); - $client->succeed("systemctl status httpd -M test1 >&2"); + with subtest("httpd is available after activating config1"): + client.succeed( + "${c1System}/bin/switch-to-configuration test >&2", + "[[ $(nixos-container run test1 cat /etc/check) == client_c1 ]] >&2", + "systemctl status httpd -M test1 >&2", + ) - $client->succeed("${c2System}/bin/switch-to-configuration test >&2"); - $client->succeed("[[ \$(nixos-container run test1 cat /etc/check) == client_c2 ]] >&2"); - $client->fail("systemctl status httpd -M test1 >&2"); - $client->succeed("systemctl status nginx -M test1 >&2"); + with subtest("httpd is not available any longer after switching to config2"): + client.succeed( + "${c2System}/bin/switch-to-configuration test >&2", + "[[ $(nixos-container run test1 cat /etc/check) == client_c2 ]] >&2", + "systemctl status nginx -M test1 >&2", + ) + client.fail("systemctl status httpd -M test1 >&2") ''; }) diff --git a/nixpkgs/nixos/tests/containers-restart_networking.nix b/nixpkgs/nixos/tests/containers-restart_networking.nix index df15f5b2f455..b50dadd13e47 100644 --- a/nixpkgs/nixos/tests/containers-restart_networking.nix +++ b/nixpkgs/nixos/tests/containers-restart_networking.nix @@ -16,7 +16,7 @@ let }; }; }; -in import ./make-test.nix ({ pkgs, ...} : +in import ./make-test-python.nix ({ pkgs, ...} : { name = "containers-restart_networking"; meta = with pkgs.stdenv.lib.maintainers; { @@ -64,50 +64,52 @@ in import ./make-test.nix ({ pkgs, ...} : eth1_bridged = nodes.client_eth1.config.system.build.toplevel; eth1_rstp = nodes.client_eth1_rstp.config.system.build.toplevel; in '' - $client->start(); - - $client->waitForUnit("default.target"); - - subtest "initial state", sub { - $client->succeed("ping 192.168.1.122 -c 1 -n >&2"); - $client->succeed("nixos-container run webserver -- ping -c 1 -n 192.168.1.1 >&2"); - - $client->fail("ip l show eth1 |grep \"master br0\" >&2"); - $client->fail("grep eth1 /run/br0.interfaces >&2"); - }; - - subtest "interfaces without stp", sub { - $client->succeed("${eth1_bridged}/bin/switch-to-configuration test >&2"); - - $client->succeed("ping 192.168.1.122 -c 1 -n >&2"); - $client->succeed("nixos-container run webserver -- ping -c 1 -n 192.168.1.2 >&2"); - - $client->succeed("ip l show eth1 |grep \"master br0\" >&2"); - $client->succeed("grep eth1 /run/br0.interfaces >&2"); - }; - - # activating rstp needs another service, therefor the bridge will restart and the container will loose its connectivity - #subtest "interfaces with rstp", sub { - # $client->succeed("${eth1_rstp}/bin/switch-to-configuration test >&2"); - # $client->execute("ip -4 a >&2"); - # $client->execute("ip l >&2"); + client.start() + + client.wait_for_unit("default.target") + + with subtest("Initial configuration connectivity check"): + client.succeed("ping 192.168.1.122 -c 1 -n >&2") + client.succeed("nixos-container run webserver -- ping -c 1 -n 192.168.1.1 >&2") + + client.fail("ip l show eth1 |grep 'master br0' >&2") + client.fail("grep eth1 /run/br0.interfaces >&2") + + with subtest("Bridged configuration without STP preserves connectivity"): + client.succeed( + "${eth1_bridged}/bin/switch-to-configuration test >&2" + ) + + client.succeed( + "ping 192.168.1.122 -c 1 -n >&2", + "nixos-container run webserver -- ping -c 1 -n 192.168.1.2 >&2", + "ip l show eth1 |grep 'master br0' >&2", + "grep eth1 /run/br0.interfaces >&2", + ) + + # activating rstp needs another service, therefore the bridge will restart and the container will lose its connectivity + # with subtest("Bridged configuration with STP"): + # client.succeed("${eth1_rstp}/bin/switch-to-configuration test >&2") + # client.execute("ip -4 a >&2") + # client.execute("ip l >&2") # - # $client->succeed("ping 192.168.1.122 -c 1 -n >&2"); - # $client->succeed("nixos-container run webserver -- ping -c 1 -n 192.168.1.2 >&2"); - # - # $client->succeed("ip l show eth1 |grep \"master br0\" >&2"); - # $client->succeed("grep eth1 /run/br0.interfaces >&2"); - #}; - - subtest "back to no interfaces and no stp", sub { - $client->succeed("${originalSystem}/bin/switch-to-configuration test >&2"); - - $client->succeed("ping 192.168.1.122 -c 1 -n >&2"); - $client->succeed("nixos-container run webserver -- ping -c 1 -n 192.168.1.1 >&2"); - - $client->fail("ip l show eth1 |grep \"master br0\" >&2"); - $client->fail("grep eth1 /run/br0.interfaces >&2"); - }; + # client.succeed( + # "ping 192.168.1.122 -c 1 -n >&2", + # "nixos-container run webserver -- ping -c 1 -n 192.168.1.2 >&2", + # "ip l show eth1 |grep 'master br0' >&2", + # "grep eth1 /run/br0.interfaces >&2", + # ) + + with subtest("Reverting to initial configuration preserves connectivity"): + client.succeed( + "${originalSystem}/bin/switch-to-configuration test >&2" + ) + + client.succeed("ping 192.168.1.122 -c 1 -n >&2") + client.succeed("nixos-container run webserver -- ping -c 1 -n 192.168.1.1 >&2") + + client.fail("ip l show eth1 |grep 'master br0' >&2") + client.fail("grep eth1 /run/br0.interfaces >&2") ''; }) diff --git a/nixpkgs/nixos/tests/containers-tmpfs.nix b/nixpkgs/nixos/tests/containers-tmpfs.nix index e29fe6bbf032..171e8f01c7b9 100644 --- a/nixpkgs/nixos/tests/containers-tmpfs.nix +++ b/nixpkgs/nixos/tests/containers-tmpfs.nix @@ -1,6 +1,6 @@ # Test for NixOS' container support. -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "containers-tmpfs"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ kampka ]; @@ -31,49 +31,63 @@ import ./make-test.nix ({ pkgs, ...} : { virtualisation.pathsInNixDB = [ pkgs.stdenv ]; }; - testScript = - '' - $machine->waitForUnit("default.target"); - $machine->succeed("nixos-container list") =~ /tmpfs/ or die; - - # Start the tmpfs container. - #$machine->succeed("nixos-container status tmpfs") =~ /up/ or die; - - # Verify that /var is mounted as a tmpfs - #$machine->succeed("nixos-container run tmpfs -- systemctl status var.mount --no-pager 2>/dev/null") =~ /What: tmpfs/ or die; - $machine->succeed("nixos-container run tmpfs -- mountpoint -q /var 2>/dev/null"); - - # Verify that /var/log is mounted as a tmpfs - $machine->succeed("nixos-container run tmpfs -- systemctl status var-log.mount --no-pager 2>/dev/null") =~ /What: tmpfs/ or die; - $machine->succeed("nixos-container run tmpfs -- mountpoint -q /var/log 2>/dev/null"); - - # Verify that /some/random/path is mounted as a tmpfs - $machine->succeed("nixos-container run tmpfs -- systemctl status some-random-path.mount --no-pager 2>/dev/null") =~ /What: tmpfs/ or die; - $machine->succeed("nixos-container run tmpfs -- mountpoint -q /some/random/path 2>/dev/null"); - - # Verify that files created in the container in a non-tmpfs directory are visible on the host. - # This establishes legitimacy for the following tests - $machine->succeed("nixos-container run tmpfs -- touch /root/test.file 2>/dev/null"); - $machine->succeed("nixos-container run tmpfs -- ls -l /root | grep -q test.file 2>/dev/null"); - $machine->succeed("test -e /var/lib/containers/tmpfs/root/test.file"); - - - # Verify that /some/random/path is writable and that files created there - # are not in the hosts container dir but in the tmpfs - $machine->succeed("nixos-container run tmpfs -- touch /some/random/path/test.file 2>/dev/null"); - $machine->succeed("nixos-container run tmpfs -- test -e /some/random/path/test.file 2>/dev/null"); - - $machine->fail("test -e /var/lib/containers/tmpfs/some/random/path/test.file"); - - # Verify that files created in the hosts container dir in a path where a tmpfs file system has been mounted - # are not visible to the container as the do not exist in the tmpfs - $machine->succeed("touch /var/lib/containers/tmpfs/var/test.file"); - - $machine->succeed("test -e /var/lib/containers/tmpfs/var/test.file"); - $machine->succeed("ls -l /var/lib/containers/tmpfs/var/ | grep -q test.file 2>/dev/null"); - - $machine->fail("nixos-container run tmpfs -- ls -l /var | grep -q test.file 2>/dev/null"); - + testScript = '' + machine.wait_for_unit("default.target") + assert "tmpfs" in machine.succeed("nixos-container list") + + with subtest("tmpfs container is up"): + assert "up" in machine.succeed("nixos-container status tmpfs") + + + def tmpfs_cmd(command): + return f"nixos-container run tmpfs -- {command} 2>/dev/null" + + + with subtest("/var is mounted as a tmpfs"): + machine.succeed(tmpfs_cmd("mountpoint -q /var")) + + with subtest("/var/log is mounted as a tmpfs"): + assert "What: tmpfs" in machine.succeed( + tmpfs_cmd("systemctl status var-log.mount --no-pager") + ) + machine.succeed(tmpfs_cmd("mountpoint -q /var/log")) + + with subtest("/some/random/path is mounted as a tmpfs"): + assert "What: tmpfs" in machine.succeed( + tmpfs_cmd("systemctl status some-random-path.mount --no-pager") + ) + machine.succeed(tmpfs_cmd("mountpoint -q /some/random/path")) + + with subtest( + "files created in the container in a non-tmpfs directory are visible on the host." + ): + # This establishes legitimacy for the following tests + machine.succeed( + tmpfs_cmd("touch /root/test.file"), + tmpfs_cmd("ls -l /root | grep -q test.file"), + "test -e /var/lib/containers/tmpfs/root/test.file", + ) + + with subtest( + "/some/random/path is writable and that files created there are not " + + "in the hosts container dir but in the tmpfs" + ): + machine.succeed( + tmpfs_cmd("touch /some/random/path/test.file"), + tmpfs_cmd("test -e /some/random/path/test.file"), + ) + machine.fail("test -e /var/lib/containers/tmpfs/some/random/path/test.file") + + with subtest( + "files created in the hosts container dir in a path where a tmpfs " + + "file system has been mounted are not visible to the container as " + + "the do not exist in the tmpfs" + ): + machine.succeed( + "touch /var/lib/containers/tmpfs/var/test.file", + "test -e /var/lib/containers/tmpfs/var/test.file", + "ls -l /var/lib/containers/tmpfs/var/ | grep -q test.file 2>/dev/null", + ) + machine.fail(tmpfs_cmd("ls -l /var | grep -q test.file")) ''; - }) diff --git a/nixpkgs/nixos/tests/couchdb.nix b/nixpkgs/nixos/tests/couchdb.nix index 48ea48eebbb3..10e95701acdb 100644 --- a/nixpkgs/nixos/tests/couchdb.nix +++ b/nixpkgs/nixos/tests/couchdb.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, lib, ...}: +import ./make-test-python.nix ({ pkgs, lib, ...}: with lib; @@ -35,22 +35,42 @@ with lib; fi ''; in '' - startAll; - - $couchdb1->waitForUnit("couchdb.service"); - $couchdb1->waitUntilSucceeds("${curlJqCheck "GET" "" ".couchdb" "Welcome"}"); - $couchdb1->waitUntilSucceeds("${curlJqCheck "GET" "_all_dbs" ". | length" "2"}"); - $couchdb1->succeed("${curlJqCheck "PUT" "foo" ".ok" "true"}"); - $couchdb1->succeed("${curlJqCheck "GET" "_all_dbs" ". | length" "3"}"); - $couchdb1->succeed("${curlJqCheck "DELETE" "foo" ".ok" "true"}"); - $couchdb1->succeed("${curlJqCheck "GET" "_all_dbs" ". | length" "2"}"); - - $couchdb2->waitForUnit("couchdb.service"); - $couchdb2->waitUntilSucceeds("${curlJqCheck "GET" "" ".couchdb" "Welcome"}"); - $couchdb2->waitUntilSucceeds("${curlJqCheck "GET" "_all_dbs" ". | length" "0"}"); - $couchdb2->succeed("${curlJqCheck "PUT" "foo" ".ok" "true"}"); - $couchdb2->succeed("${curlJqCheck "GET" "_all_dbs" ". | length" "1"}"); - $couchdb2->succeed("${curlJqCheck "DELETE" "foo" ".ok" "true"}"); - $couchdb2->succeed("${curlJqCheck "GET" "_all_dbs" ". | length" "0"}"); + start_all() + + couchdb1.wait_for_unit("couchdb.service") + couchdb1.wait_until_succeeds( + "${curlJqCheck "GET" "" ".couchdb" "Welcome"}" + ) + couchdb1.wait_until_succeeds( + "${curlJqCheck "GET" "_all_dbs" ". | length" "2"}" + ) + couchdb1.succeed("${curlJqCheck "PUT" "foo" ".ok" "true"}") + couchdb1.succeed( + "${curlJqCheck "GET" "_all_dbs" ". | length" "3"}" + ) + couchdb1.succeed( + "${curlJqCheck "DELETE" "foo" ".ok" "true"}" + ) + couchdb1.succeed( + "${curlJqCheck "GET" "_all_dbs" ". | length" "2"}" + ) + + couchdb2.wait_for_unit("couchdb.service") + couchdb2.wait_until_succeeds( + "${curlJqCheck "GET" "" ".couchdb" "Welcome"}" + ) + couchdb2.wait_until_succeeds( + "${curlJqCheck "GET" "_all_dbs" ". | length" "0"}" + ) + couchdb2.succeed("${curlJqCheck "PUT" "foo" ".ok" "true"}") + couchdb2.succeed( + "${curlJqCheck "GET" "_all_dbs" ". | length" "1"}" + ) + couchdb2.succeed( + "${curlJqCheck "DELETE" "foo" ".ok" "true"}" + ) + couchdb2.succeed( + "${curlJqCheck "GET" "_all_dbs" ". | length" "0"}" + ) ''; }) diff --git a/nixpkgs/nixos/tests/deluge.nix b/nixpkgs/nixos/tests/deluge.nix index b58030409b5c..37689c3d9137 100644 --- a/nixpkgs/nixos/tests/deluge.nix +++ b/nixpkgs/nixos/tests/deluge.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "deluge"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ flokli ]; @@ -45,18 +45,20 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; + start_all() - $simple->waitForUnit("deluged"); - $simple->waitForUnit("delugeweb"); - $simple->waitForOpenPort("8112"); - $declarative->waitForUnit("network.target"); - $declarative->waitUntilSucceeds("curl --fail http://simple:8112"); + simple.wait_for_unit("deluged") + simple.wait_for_unit("delugeweb") + simple.wait_for_open_port("8112") + declarative.wait_for_unit("network.target") + declarative.wait_until_succeeds("curl --fail http://simple:8112") - $declarative->waitForUnit("deluged"); - $declarative->waitForUnit("delugeweb"); - $declarative->waitUntilSucceeds("curl --fail http://declarative:3142"); - $declarative->succeed("deluge-console 'help' | grep -q 'rm - Remove a torrent'"); - $declarative->succeed("deluge-console 'connect 127.0.0.1:58846 andrew password; help' | grep -q 'rm - Remove a torrent'"); + declarative.wait_for_unit("deluged") + declarative.wait_for_unit("delugeweb") + declarative.wait_until_succeeds("curl --fail http://declarative:3142") + declarative.succeed("deluge-console 'help' | grep -q 'rm - Remove a torrent'") + declarative.succeed( + "deluge-console 'connect 127.0.0.1:58846 andrew password; help' | grep -q 'rm - Remove a torrent'" + ) ''; }) diff --git a/nixpkgs/nixos/tests/dhparams.nix b/nixpkgs/nixos/tests/dhparams.nix index d11dfeec5d0c..a0de2911777c 100644 --- a/nixpkgs/nixos/tests/dhparams.nix +++ b/nixpkgs/nixos/tests/dhparams.nix @@ -4,7 +4,7 @@ let environment.systemPackages = [ pkgs.openssl ]; }; -in import ./make-test.nix { +in import ./make-test-python.nix { name = "dhparams"; nodes.generation1 = { pkgs, config, ... }: { @@ -66,79 +66,77 @@ in import ./make-test.nix { node = "generation${toString gen}"; in nodes.${node}.config.security.dhparams.params.${name}.path; - assertParamBits = gen: name: bits: let - path = getParamPath gen name; - in '' - $machine->nest('check bit size of ${path}', sub { - my $out = $machine->succeed('openssl dhparam -in ${path} -text'); - $out =~ /^\s*DH Parameters:\s+\((\d+)\s+bit\)\s*$/m; - die "bit size should be ${toString bits} but it is $1 instead." - if $1 != ${toString bits}; - }); - ''; - switchToGeneration = gen: let node = "generation${toString gen}"; inherit (nodes.${node}.config.system.build) toplevel; switchCmd = "${toplevel}/bin/switch-to-configuration test"; in '' - $machine->nest('switch to generation ${toString gen}', sub { - $machine->succeed('${switchCmd}'); - $main::machine = ''$${node}; - }); + with machine.nested("switch to generation ${toString gen}"): + machine.succeed( + "${switchCmd}" + ) + machine = ${node} ''; in '' - my $machine = $generation1; + import re - $machine->waitForUnit('multi-user.target'); - subtest "verify startup order", sub { - $machine->succeed('systemctl is-active foo.service'); - }; + def assert_param_bits(path, bits): + with machine.nested(f"check bit size of {path}"): + output = machine.succeed(f"openssl dhparam -in {path} -text") + pattern = re.compile(r"^\s*DH Parameters:\s+\((\d+)\s+bit\)\s*$", re.M) + match = pattern.match(output) + if match is None: + raise Exception("bla") + if match[1] != str(bits): + raise Exception(f"bit size should be {bits} but it is {match[1]} instead.") - subtest "check bit sizes of dhparam files", sub { - ${assertParamBits 1 "foo" 16} - ${assertParamBits 1 "bar" 17} - }; + + machine = generation1 + + machine.wait_for_unit("multi-user.target") + + with subtest("verify startup order"): + machine.succeed("systemctl is-active foo.service") + + with subtest("check bit sizes of dhparam files"): + assert_param_bits("${getParamPath 1 "foo"}", 16) + assert_param_bits("${getParamPath 1 "bar"}", 17) ${switchToGeneration 2} - subtest "check whether bit size has changed", sub { - ${assertParamBits 2 "foo" 18} - }; + with subtest("check whether bit size has changed"): + assert_param_bits("${getParamPath 2 "foo"}", 18) - subtest "ensure that dhparams file for 'bar' was deleted", sub { - $machine->fail('test -e ${getParamPath 1 "bar"}'); - }; + with subtest("ensure that dhparams file for 'bar' was deleted"): + machine.fail("test -e ${getParamPath 1 "bar"}") ${switchToGeneration 3} - subtest "ensure that 'security.dhparams.path' has been deleted", sub { - $machine->fail( - 'test -e ${nodes.generation3.config.security.dhparams.path}' - ); - }; + with subtest("ensure that 'security.dhparams.path' has been deleted"): + machine.fail("test -e ${nodes.generation3.config.security.dhparams.path}") ${switchToGeneration 4} - subtest "check bit sizes dhparam files", sub { - ${assertParamBits 4 "foo2" 18} - ${assertParamBits 4 "bar2" 19} - }; + with subtest("check bit sizes dhparam files"): + assert_param_bits( + "${getParamPath 4 "foo2"}", 18 + ) + assert_param_bits( + "${getParamPath 4 "bar2"}", 19 + ) - subtest "check whether dhparam files are in the Nix store", sub { - $machine->succeed( - 'expr match ${getParamPath 4 "foo2"} ${builtins.storeDir}', - 'expr match ${getParamPath 4 "bar2"} ${builtins.storeDir}', - ); - }; + with subtest("check whether dhparam files are in the Nix store"): + machine.succeed( + "expr match ${getParamPath 4 "foo2"} ${builtins.storeDir}", + "expr match ${getParamPath 4 "bar2"} ${builtins.storeDir}", + ) ${switchToGeneration 5} - subtest "check whether defaultBitSize works as intended", sub { - ${assertParamBits 5 "foo3" 30} - ${assertParamBits 5 "bar3" 30} - }; + with subtest("check whether defaultBitSize works as intended"): + assert_param_bits("${getParamPath 5 "foo3"}", 30) + assert_param_bits("${getParamPath 5 "bar3"}", 30) ''; } diff --git a/nixpkgs/nixos/tests/dnscrypt-proxy.nix b/nixpkgs/nixos/tests/dnscrypt-proxy.nix index 13bc9d3d9168..98153d5c9047 100644 --- a/nixpkgs/nixos/tests/dnscrypt-proxy.nix +++ b/nixpkgs/nixos/tests/dnscrypt-proxy.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: { +import ./make-test-python.nix ({ pkgs, ... }: { name = "dnscrypt-proxy"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ joachifm ]; @@ -23,11 +23,13 @@ import ./make-test.nix ({ pkgs, ... }: { }; testScript = '' - $client->waitForUnit("dnsmasq"); + client.wait_for_unit("dnsmasq") # The daemon is socket activated; sending a single ping should activate it. - $client->fail("systemctl is-active dnscrypt-proxy"); - $client->execute("${pkgs.iputils}/bin/ping -c1 example.com"); - $client->waitUntilSucceeds("systemctl is-active dnscrypt-proxy"); + client.fail("systemctl is-active dnscrypt-proxy") + client.execute( + "${pkgs.iputils}/bin/ping -c1 example.com" + ) + client.wait_until_succeeds("systemctl is-active dnscrypt-proxy") ''; }) diff --git a/nixpkgs/nixos/tests/docker-edge.nix b/nixpkgs/nixos/tests/docker-edge.nix index b306c149be91..96de885a554a 100644 --- a/nixpkgs/nixos/tests/docker-edge.nix +++ b/nixpkgs/nixos/tests/docker-edge.nix @@ -1,6 +1,6 @@ # This test runs docker and checks if simple container starts -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "docker"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ nequissimus offline ]; @@ -31,17 +31,19 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; + start_all() - $docker->waitForUnit("sockets.target"); - $docker->succeed("tar cv --files-from /dev/null | docker import - scratchimg"); - $docker->succeed("docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"); - $docker->succeed("docker ps | grep sleeping"); - $docker->succeed("sudo -u hasprivs docker ps"); - $docker->fail("sudo -u noprivs docker ps"); - $docker->succeed("docker stop sleeping"); + docker.wait_for_unit("sockets.target") + docker.succeed("tar cv --files-from /dev/null | docker import - scratchimg") + docker.succeed( + "docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10" + ) + docker.succeed("docker ps | grep sleeping") + docker.succeed("sudo -u hasprivs docker ps") + docker.fail("sudo -u noprivs docker ps") + docker.succeed("docker stop sleeping") # Must match version twice to ensure client and server versions are correct - $docker->succeed('[ $(docker version | grep ${pkgs.docker-edge.version} | wc -l) = "2" ]'); + docker.succeed('[ $(docker version | grep ${pkgs.docker-edge.version} | wc -l) = "2" ]') ''; }) diff --git a/nixpkgs/nixos/tests/docker-registry.nix b/nixpkgs/nixos/tests/docker-registry.nix index 8936421072a9..2928fd8141a4 100644 --- a/nixpkgs/nixos/tests/docker-registry.nix +++ b/nixpkgs/nixos/tests/docker-registry.nix @@ -1,6 +1,6 @@ # This test runs docker-registry and check if it works -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "docker-registry"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ globin ma27 ironpinguin ]; @@ -28,36 +28,34 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - $client1->start(); - $client1->waitForUnit("docker.service"); - $client1->succeed("tar cv --files-from /dev/null | docker import - scratch"); - $client1->succeed("docker tag scratch registry:8080/scratch"); - - $registry->start(); - $registry->waitForUnit("docker-registry.service"); - $registry->waitForOpenPort("8080"); - $client1->succeed("docker push registry:8080/scratch"); - - $client2->start(); - $client2->waitForUnit("docker.service"); - $client2->succeed("docker pull registry:8080/scratch"); - $client2->succeed("docker images | grep scratch"); - - $client2->succeed( - 'curl -fsS -X DELETE registry:8080/v2/scratch/manifests/$(curl -fsS -I -H"Accept: application/vnd.docker.distribution.manifest.v2+json" registry:8080/v2/scratch/manifests/latest | grep Docker-Content-Digest | sed -e \'s/Docker-Content-Digest: //\' | tr -d \'\r\')' - ); - - $registry->systemctl("start docker-registry-garbage-collect.service"); - $registry->waitUntilFails("systemctl status docker-registry-garbage-collect.service"); - $registry->waitForUnit("docker-registry.service"); - - $registry->fail( - 'ls -l /var/lib/docker-registry/docker/registry/v2/blobs/sha256/*/*/data' - ); - - $client1->succeed("docker push registry:8080/scratch"); - $registry->succeed( - 'ls -l /var/lib/docker-registry/docker/registry/v2/blobs/sha256/*/*/data' - ); + client1.start() + client1.wait_for_unit("docker.service") + client1.succeed("tar cv --files-from /dev/null | docker import - scratch") + client1.succeed("docker tag scratch registry:8080/scratch") + + registry.start() + registry.wait_for_unit("docker-registry.service") + registry.wait_for_open_port("8080") + client1.succeed("docker push registry:8080/scratch") + + client2.start() + client2.wait_for_unit("docker.service") + client2.succeed("docker pull registry:8080/scratch") + client2.succeed("docker images | grep scratch") + + client2.succeed( + "curl -fsS -X DELETE registry:8080/v2/scratch/manifests/$(curl -fsS -I -H\"Accept: application/vnd.docker.distribution.manifest.v2+json\" registry:8080/v2/scratch/manifests/latest | grep Docker-Content-Digest | sed -e 's/Docker-Content-Digest: //' | tr -d '\\r')" + ) + + registry.systemctl("start docker-registry-garbage-collect.service") + registry.wait_until_fails("systemctl status docker-registry-garbage-collect.service") + registry.wait_for_unit("docker-registry.service") + + registry.fail("ls -l /var/lib/docker-registry/docker/registry/v2/blobs/sha256/*/*/data") + + client1.succeed("docker push registry:8080/scratch") + registry.succeed( + "ls -l /var/lib/docker-registry/docker/registry/v2/blobs/sha256/*/*/data" + ) ''; }) diff --git a/nixpkgs/nixos/tests/docker-tools-overlay.nix b/nixpkgs/nixos/tests/docker-tools-overlay.nix index 637957bd3e8b..1a0e0ea67750 100644 --- a/nixpkgs/nixos/tests/docker-tools-overlay.nix +++ b/nixpkgs/nixos/tests/docker-tools-overlay.nix @@ -1,6 +1,6 @@ # this test creates a simple GNU image with docker tools and sees if it executes -import ./make-test.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, ... }: { name = "docker-tools-overlay"; meta = with pkgs.stdenv.lib.maintainers; { @@ -16,17 +16,18 @@ import ./make-test.nix ({ pkgs, ... }: }; }; - testScript = - '' - $docker->waitForUnit("sockets.target"); + testScript = '' + docker.wait_for_unit("sockets.target") - $docker->succeed("docker load --input='${pkgs.dockerTools.examples.bash}'"); - $docker->succeed("docker run --rm ${pkgs.dockerTools.examples.bash.imageName} bash --version"); + docker.succeed( + "docker load --input='${pkgs.dockerTools.examples.bash}'", + "docker run --rm ${pkgs.dockerTools.examples.bash.imageName} bash --version", + ) # Check if the nix store has correct user permissions depending on what # storage driver is used, incorrectly built images can show up as readonly. # drw------- 3 0 0 3 Apr 14 11:36 /nix # drw------- 99 0 0 100 Apr 14 11:36 /nix/store - $docker->succeed("docker run --rm -u 1000:1000 ${pkgs.dockerTools.examples.bash.imageName} bash --version"); + docker.succeed("docker run --rm -u 1000:1000 ${pkgs.dockerTools.examples.bash.imageName} bash --version") ''; }) diff --git a/nixpkgs/nixos/tests/docker.nix b/nixpkgs/nixos/tests/docker.nix index d67b2f8743d8..8fda7c1395ef 100644 --- a/nixpkgs/nixos/tests/docker.nix +++ b/nixpkgs/nixos/tests/docker.nix @@ -1,6 +1,6 @@ # This test runs docker and checks if simple container starts -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "docker"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ nequissimus offline ]; @@ -31,17 +31,19 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; + start_all() - $docker->waitForUnit("sockets.target"); - $docker->succeed("tar cv --files-from /dev/null | docker import - scratchimg"); - $docker->succeed("docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"); - $docker->succeed("docker ps | grep sleeping"); - $docker->succeed("sudo -u hasprivs docker ps"); - $docker->fail("sudo -u noprivs docker ps"); - $docker->succeed("docker stop sleeping"); + docker.wait_for_unit("sockets.target") + docker.succeed("tar cv --files-from /dev/null | docker import - scratchimg") + docker.succeed( + "docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10" + ) + docker.succeed("docker ps | grep sleeping") + docker.succeed("sudo -u hasprivs docker ps") + docker.fail("sudo -u noprivs docker ps") + docker.succeed("docker stop sleeping") # Must match version twice to ensure client and server versions are correct - $docker->succeed('[ $(docker version | grep ${pkgs.docker.version} | wc -l) = "2" ]'); + docker.succeed('[ $(docker version | grep ${pkgs.docker.version} | wc -l) = "2" ]') ''; }) diff --git a/nixpkgs/nixos/tests/documize.nix b/nixpkgs/nixos/tests/documize.nix index 8b852a4f7795..3be20a780d31 100644 --- a/nixpkgs/nixos/tests/documize.nix +++ b/nixpkgs/nixos/tests/documize.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, lib, ...} : { +import ./make-test-python.nix ({ pkgs, lib, ...} : { name = "documize"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ ma27 ]; @@ -29,30 +29,34 @@ import ./make-test.nix ({ pkgs, lib, ...} : { }; testScript = '' - startAll; - - $machine->waitForUnit("documize-server.service"); - $machine->waitForOpenPort(3000); - - my $dbhash = $machine->succeed("curl -f localhost:3000 " - . " | grep 'property=\"dbhash' " - . " | grep -Po 'content=\"\\K[^\"]*'" - ); - - chomp($dbhash); - - $machine->succeed("curl -X POST " - . "--data 'dbname=documize' " - . "--data 'dbhash=$dbhash' " - . "--data 'title=NixOS' " - . "--data 'message=Docs' " - . "--data 'firstname=John' " - . "--data 'lastname=Doe' " - . "--data 'email=john.doe\@nixos.org' " - . "--data 'password=verysafe' " - . "-f localhost:3000/api/setup" - ); - - $machine->succeed('test "$(curl -f localhost:3000/api/public/meta | jq ".title" | xargs echo)" = "NixOS"'); + start_all() + + machine.wait_for_unit("documize-server.service") + machine.wait_for_open_port(3000) + + dbhash = machine.succeed( + "curl -f localhost:3000 | grep 'property=\"dbhash' | grep -Po 'content=\"\\K[^\"]*'" + ) + + dbhash = dbhash.strip() + + machine.succeed( + ( + "curl -X POST" + " --data 'dbname=documize'" + " --data 'dbhash={}'" + " --data 'title=NixOS'" + " --data 'message=Docs'" + " --data 'firstname=John'" + " --data 'lastname=Doe'" + " --data 'email=john.doe@nixos.org'" + " --data 'password=verysafe'" + " -f localhost:3000/api/setup" + ).format(dbhash) + ) + + machine.succeed( + 'test "$(curl -f localhost:3000/api/public/meta | jq ".title" | xargs echo)" = "NixOS"' + ) ''; }) diff --git a/nixpkgs/nixos/tests/dovecot.nix b/nixpkgs/nixos/tests/dovecot.nix index 156079d1d585..c19850f418bc 100644 --- a/nixpkgs/nixos/tests/dovecot.nix +++ b/nixpkgs/nixos/tests/dovecot.nix @@ -1,4 +1,4 @@ -import ./make-test.nix { +import ./make-test-python.nix { name = "dovecot"; machine = { pkgs, ... }: { @@ -66,12 +66,12 @@ import ./make-test.nix { }; testScript = '' - $machine->waitForUnit('postfix.service'); - $machine->waitForUnit('dovecot2.service'); - $machine->succeed('send-testmail'); - $machine->succeed('send-lda'); - $machine->waitUntilFails('[ "$(postqueue -p)" != "Mail queue is empty" ]'); - $machine->succeed('test-imap'); - $machine->succeed('test-pop'); + machine.wait_for_unit("postfix.service") + machine.wait_for_unit("dovecot2.service") + machine.succeed("send-testmail") + machine.succeed("send-lda") + machine.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]') + machine.succeed("test-imap") + machine.succeed("test-pop") ''; } diff --git a/nixpkgs/nixos/tests/ec2.nix b/nixpkgs/nixos/tests/ec2.nix index 384fce67c227..c649ce852dad 100644 --- a/nixpkgs/nixos/tests/ec2.nix +++ b/nixpkgs/nixos/tests/ec2.nix @@ -113,7 +113,7 @@ in { services.httpd = { enable = true; adminAddr = "test@example.org"; - documentRoot = "${pkgs.valgrind.doc}/share/doc/valgrind/html"; + virtualHosts.localhost.documentRoot = "${pkgs.valgrind.doc}/share/doc/valgrind/html"; }; networking.firewall.allowedTCPPorts = [ 80 ]; } diff --git a/nixpkgs/nixos/tests/ecryptfs.nix b/nixpkgs/nixos/tests/ecryptfs.nix index 3f02cecb8662..ef7bd13eb92c 100644 --- a/nixpkgs/nixos/tests/ecryptfs.nix +++ b/nixpkgs/nixos/tests/ecryptfs.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ ... }: +import ./make-test-python.nix ({ ... }: { name = "ecryptfs"; @@ -10,75 +10,76 @@ import ./make-test.nix ({ ... }: }; testScript = '' - $machine->waitForUnit("default.target"); + def login_as_alice(): + machine.wait_until_tty_matches(1, "login: ") + machine.send_chars("alice\n") + machine.wait_until_tty_matches(1, "Password: ") + machine.send_chars("foobar\n") + machine.wait_until_tty_matches(1, "alice\@machine") - # Set alice up with a password and a home - $machine->succeed("(echo foobar; echo foobar) | passwd alice"); - $machine->succeed("chown -R alice.users ~alice"); - # Migrate alice's home - my $out = $machine->succeed("echo foobar | ecryptfs-migrate-home -u alice"); - $machine->log("ecryptfs-migrate-home said: $out"); + def logout(): + machine.send_chars("logout\n") + machine.wait_until_tty_matches(1, "login: ") - # Log alice in (ecryptfs passwhrase is wrapped during first login) - $machine->waitUntilTTYMatches(1, "login: "); - $machine->sendChars("alice\n"); - $machine->waitUntilTTYMatches(1, "Password: "); - $machine->sendChars("foobar\n"); - $machine->waitUntilTTYMatches(1, "alice\@machine"); - $machine->sendChars("logout\n"); - $machine->waitUntilTTYMatches(1, "login: "); + + machine.wait_for_unit("default.target") + + with subtest("Set alice up with a password and a home"): + machine.succeed("(echo foobar; echo foobar) | passwd alice") + machine.succeed("chown -R alice.users ~alice") + + with subtest("Migrate alice's home"): + out = machine.succeed("echo foobar | ecryptfs-migrate-home -u alice") + machine.log(f"ecryptfs-migrate-home said: {out}") + + with subtest("Log alice in (ecryptfs passwhrase is wrapped during first login)"): + login_as_alice() + machine.send_chars("logout\n") + machine.wait_until_tty_matches(1, "login: ") # Why do I need to do this?? - $machine->succeed("su alice -c ecryptfs-umount-private || true"); - $machine->sleep(1); - $machine->fail("mount | grep ecryptfs"); # check that encrypted home is not mounted + machine.succeed("su alice -c ecryptfs-umount-private || true") + machine.sleep(1) + + with subtest("check that encrypted home is not mounted"): + machine.fail("mount | grep ecryptfs") - # Show contents of the user keyring - my $out = $machine->succeed("su - alice -c 'keyctl list \@u'"); - $machine->log("keyctl unlink said: " . $out); + with subtest("Show contents of the user keyring"): + out = machine.succeed("su - alice -c 'keyctl list \@u'") + machine.log(f"keyctl unlink said: {out}") - # Log alice again - $machine->waitUntilTTYMatches(1, "login: "); - $machine->sendChars("alice\n"); - $machine->waitUntilTTYMatches(1, "Password: "); - $machine->sendChars("foobar\n"); - $machine->waitUntilTTYMatches(1, "alice\@machine"); + with subtest("Log alice again"): + login_as_alice() - # Create some files in encrypted home - $machine->succeed("su alice -c 'touch ~alice/a'"); - $machine->succeed("su alice -c 'echo c > ~alice/b'"); + with subtest("Create some files in encrypted home"): + machine.succeed("su alice -c 'touch ~alice/a'") + machine.succeed("su alice -c 'echo c > ~alice/b'") - # Logout - $machine->sendChars("logout\n"); - $machine->waitUntilTTYMatches(1, "login: "); + with subtest("Logout"): + logout() # Why do I need to do this?? - $machine->succeed("su alice -c ecryptfs-umount-private || true"); - $machine->sleep(1); - - # Check that the filesystem is not accessible - $machine->fail("mount | grep ecryptfs"); - $machine->succeed("su alice -c 'test \! -f ~alice/a'"); - $machine->succeed("su alice -c 'test \! -f ~alice/b'"); - - # Log alice once more - $machine->waitUntilTTYMatches(1, "login: "); - $machine->sendChars("alice\n"); - $machine->waitUntilTTYMatches(1, "Password: "); - $machine->sendChars("foobar\n"); - $machine->waitUntilTTYMatches(1, "alice\@machine"); - - # Check that the files are there - $machine->sleep(1); - $machine->succeed("su alice -c 'test -f ~alice/a'"); - $machine->succeed("su alice -c 'test -f ~alice/b'"); - $machine->succeed(qq%test "\$(cat ~alice/b)" = "c"%); - - # Catch https://github.com/NixOS/nixpkgs/issues/16766 - $machine->succeed("su alice -c 'ls -lh ~alice/'"); - - $machine->sendChars("logout\n"); - $machine->waitUntilTTYMatches(1, "login: "); + machine.succeed("su alice -c ecryptfs-umount-private || true") + machine.sleep(1) + + with subtest("Check that the filesystem is not accessible"): + machine.fail("mount | grep ecryptfs") + machine.succeed("su alice -c 'test \! -f ~alice/a'") + machine.succeed("su alice -c 'test \! -f ~alice/b'") + + with subtest("Log alice once more"): + login_as_alice() + + with subtest("Check that the files are there"): + machine.sleep(1) + machine.succeed("su alice -c 'test -f ~alice/a'") + machine.succeed("su alice -c 'test -f ~alice/b'") + machine.succeed('test "$(cat ~alice/b)" = "c"') + + with subtest("Catch https://github.com/NixOS/nixpkgs/issues/16766"): + machine.succeed("su alice -c 'ls -lh ~alice/'") + + logout() ''; }) diff --git a/nixpkgs/nixos/tests/emacs-daemon.nix b/nixpkgs/nixos/tests/emacs-daemon.nix index 3594e35e343c..b89d9b1bde69 100644 --- a/nixpkgs/nixos/tests/emacs-daemon.nix +++ b/nixpkgs/nixos/tests/emacs-daemon.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "emacs-daemon"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ ]; @@ -21,25 +21,28 @@ import ./make-test.nix ({ pkgs, ...} : { environment.variables.TEST_SYSTEM_VARIABLE = "system variable"; }; - testScript = - '' - $machine->waitForUnit("multi-user.target"); + testScript = '' + machine.wait_for_unit("multi-user.target") # checks that the EDITOR environment variable is set - $machine->succeed("test \$(basename \"\$EDITOR\") = emacseditor"); + machine.succeed('test $(basename "$EDITOR") = emacseditor') # waits for the emacs service to be ready - $machine->waitUntilSucceeds("systemctl --user status emacs.service | grep 'Active: active'"); + machine.wait_until_succeeds( + "systemctl --user status emacs.service | grep 'Active: active'" + ) # connects to the daemon - $machine->succeed("emacsclient --create-frame \$EDITOR &"); + machine.succeed("emacsclient --create-frame $EDITOR &") # checks that Emacs shows the edited filename - $machine->waitForText("emacseditor"); + machine.wait_for_text("emacseditor") # makes sure environment variables are accessible from Emacs - $machine->succeed("emacsclient --eval '(getenv \"TEST_SYSTEM_VARIABLE\")'") =~ /system variable/ or die; + machine.succeed( + "emacsclient --eval '(getenv \"TEST_SYSTEM_VARIABLE\")' | grep -q 'system variable'" + ) - $machine->screenshot("emacsclient"); + machine.screenshot("emacsclient") ''; }) diff --git a/nixpkgs/nixos/tests/env.nix b/nixpkgs/nixos/tests/env.nix index 6c681905b19f..e603338e489b 100644 --- a/nixpkgs/nixos/tests/env.nix +++ b/nixpkgs/nixos/tests/env.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "environment"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ nequissimus ]; @@ -20,16 +20,17 @@ import ./make-test.nix ({ pkgs, ...} : { }; }; - testScript = - '' - $machine->succeed('[ -L "/etc/plainFile" ]'); - $machine->succeed('cat "/etc/plainFile" | grep "Hello World"'); - $machine->succeed('[ -d "/etc/folder" ]'); - $machine->succeed('[ -d "/etc/folder/with" ]'); - $machine->succeed('[ -L "/etc/folder/with/file" ]'); - $machine->succeed('cat "/etc/plainFile" | grep "Hello World"'); + testScript = '' + machine.succeed('[ -L "/etc/plainFile" ]') + assert "Hello World" in machine.succeed('cat "/etc/plainFile"') + machine.succeed('[ -d "/etc/folder" ]') + machine.succeed('[ -d "/etc/folder/with" ]') + machine.succeed('[ -L "/etc/folder/with/file" ]') + assert "Hello World" in machine.succeed('cat "/etc/plainFile"') - $machine->succeed('echo ''${TERMINFO_DIRS} | grep "/run/current-system/sw/share/terminfo"'); - $machine->succeed('echo ''${NIXCON} | grep "awesome"'); - ''; + assert "/run/current-system/sw/share/terminfo" in machine.succeed( + "echo ''${TERMINFO_DIRS}" + ) + assert "awesome" in machine.succeed("echo ''${NIXCON}") + ''; }) diff --git a/nixpkgs/nixos/tests/etcd-cluster.nix b/nixpkgs/nixos/tests/etcd-cluster.nix index 43fde7d59205..19c5d9158236 100644 --- a/nixpkgs/nixos/tests/etcd-cluster.nix +++ b/nixpkgs/nixos/tests/etcd-cluster.nix @@ -1,6 +1,6 @@ # This test runs simple etcd cluster -import ./make-test.nix ({ pkgs, ... } : let +import ./make-test-python.nix ({ pkgs, ... } : let runWithOpenSSL = file: cmd: pkgs.runCommand file { buildInputs = [ pkgs.openssl ]; @@ -129,29 +129,26 @@ in { }; testScript = '' - subtest "should start etcd cluster", sub { - $node1->start(); - $node2->start(); - $node1->waitForUnit("etcd.service"); - $node2->waitForUnit("etcd.service"); - $node2->waitUntilSucceeds("etcdctl cluster-health"); - $node1->succeed("etcdctl set /foo/bar 'Hello world'"); - $node2->succeed("etcdctl get /foo/bar | grep 'Hello world'"); - }; - - subtest "should add another member", sub { - $node1->waitUntilSucceeds("etcdctl member add node3 https://node3:2380"); - $node3->start(); - $node3->waitForUnit("etcd.service"); - $node3->waitUntilSucceeds("etcdctl member list | grep 'node3'"); - $node3->succeed("etcdctl cluster-health"); - }; - - subtest "should survive member crash", sub { - $node3->crash; - $node1->succeed("etcdctl cluster-health"); - $node1->succeed("etcdctl set /foo/bar 'Hello degraded world'"); - $node1->succeed("etcdctl get /foo/bar | grep 'Hello degraded world'"); - }; + with subtest("should start etcd cluster"): + node1.start() + node2.start() + node1.wait_for_unit("etcd.service") + node2.wait_for_unit("etcd.service") + node2.wait_until_succeeds("etcdctl cluster-health") + node1.succeed("etcdctl set /foo/bar 'Hello world'") + node2.succeed("etcdctl get /foo/bar | grep 'Hello world'") + + with subtest("should add another member"): + node1.wait_until_succeeds("etcdctl member add node3 https://node3:2380") + node3.start() + node3.wait_for_unit("etcd.service") + node3.wait_until_succeeds("etcdctl member list | grep 'node3'") + node3.succeed("etcdctl cluster-health") + + with subtest("should survive member crash"): + node3.crash() + node1.succeed("etcdctl cluster-health") + node1.succeed("etcdctl set /foo/bar 'Hello degraded world'") + node1.succeed("etcdctl get /foo/bar | grep 'Hello degraded world'") ''; }) diff --git a/nixpkgs/nixos/tests/etcd.nix b/nixpkgs/nixos/tests/etcd.nix index 6c23b31779bc..842724343841 100644 --- a/nixpkgs/nixos/tests/etcd.nix +++ b/nixpkgs/nixos/tests/etcd.nix @@ -1,6 +1,6 @@ # This test runs simple etcd node -import ./make-test.nix ({ pkgs, ... } : { +import ./make-test-python.nix ({ pkgs, ... } : { name = "etcd"; meta = with pkgs.stdenv.lib.maintainers; { @@ -14,14 +14,12 @@ import ./make-test.nix ({ pkgs, ... } : { }; testScript = '' - subtest "should start etcd node", sub { - $node->start(); - $node->waitForUnit("etcd.service"); - }; + with subtest("should start etcd node"): + node.start() + node.wait_for_unit("etcd.service") - subtest "should write and read some values to etcd", sub { - $node->succeed("etcdctl set /foo/bar 'Hello world'"); - $node->succeed("etcdctl get /foo/bar | grep 'Hello world'"); - } + with subtest("should write and read some values to etcd"): + node.succeed("etcdctl set /foo/bar 'Hello world'") + node.succeed("etcdctl get /foo/bar | grep 'Hello world'") ''; }) diff --git a/nixpkgs/nixos/tests/fancontrol.nix b/nixpkgs/nixos/tests/fancontrol.nix new file mode 100644 index 000000000000..356cd57ffa1a --- /dev/null +++ b/nixpkgs/nixos/tests/fancontrol.nix @@ -0,0 +1,28 @@ +import ./make-test-python.nix ({ pkgs, ... } : { + name = "fancontrol"; + + machine = + { ... }: + { hardware.fancontrol.enable = true; + hardware.fancontrol.config = '' + INTERVAL=42 + DEVPATH=hwmon1=devices/platform/dummy + DEVNAME=hwmon1=dummy + FCTEMPS=hwmon1/device/pwm1=hwmon1/device/temp1_input + FCFANS=hwmon1/device/pwm1=hwmon1/device/fan1_input + MINTEMP=hwmon1/device/pwm1=25 + MAXTEMP=hwmon1/device/pwm1=65 + MINSTART=hwmon1/device/pwm1=150 + MINSTOP=hwmon1/device/pwm1=0 + ''; + }; + + # This configuration cannot be valid for the test VM, so it's expected to get an 'outdated' error. + testScript = '' + start_all() + machine.wait_for_unit("fancontrol.service") + machine.wait_until_succeeds( + "journalctl -eu fancontrol | grep 'Configuration appears to be outdated'" + ) + ''; +}) diff --git a/nixpkgs/nixos/tests/ferm.nix b/nixpkgs/nixos/tests/ferm.nix index b8e8663e3ad2..a73c9ce739cf 100644 --- a/nixpkgs/nixos/tests/ferm.nix +++ b/nixpkgs/nixos/tests/ferm.nix @@ -1,5 +1,5 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "ferm"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ mic92 ]; @@ -22,6 +22,8 @@ import ./make-test.nix ({ pkgs, ...} : { { networking = { dhcpcd.enable = false; + useNetworkd = true; + useDHCP = false; interfaces.eth1.ipv6.addresses = mkOverride 0 [ { address = "fd00::1"; prefixLength = 64; } ]; interfaces.eth1.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.1"; prefixLength = 24; } ]; }; @@ -51,24 +53,22 @@ import ./make-test.nix ({ pkgs, ...} : { testScript = '' - startAll; + start_all() - $client->waitForUnit("network-online.target"); - $server->waitForUnit("ferm.service"); - $server->waitForUnit("nginx.service"); - $server->waitUntilSucceeds("ss -ntl | grep -q 80"); + client.wait_for_unit("network-online.target") + server.wait_for_unit("ferm.service") + server.wait_for_unit("nginx.service") + server.wait_until_succeeds("ss -ntl | grep -q 80") - subtest "port 80 is allowed", sub { - $client->succeed("curl --fail -g http://192.168.1.1:80/status"); - $client->succeed("curl --fail -g http://[fd00::1]:80/status"); - }; + with subtest("port 80 is allowed"): + client.succeed("curl --fail -g http://192.168.1.1:80/status") + client.succeed("curl --fail -g http://[fd00::1]:80/status") - subtest "port 8080 is not allowed", sub { - $server->succeed("curl --fail -g http://192.168.1.1:8080/status"); - $server->succeed("curl --fail -g http://[fd00::1]:8080/status"); + with subtest("port 8080 is not allowed"): + server.succeed("curl --fail -g http://192.168.1.1:8080/status") + server.succeed("curl --fail -g http://[fd00::1]:8080/status") - $client->fail("curl --fail -g http://192.168.1.1:8080/status"); - $client->fail("curl --fail -g http://[fd00::1]:8080/status"); - }; + client.fail("curl --fail -g http://192.168.1.1:8080/status") + client.fail("curl --fail -g http://[fd00::1]:8080/status") ''; }) diff --git a/nixpkgs/nixos/tests/firefox.nix b/nixpkgs/nixos/tests/firefox.nix index f5b946a08810..56ddabbae771 100644 --- a/nixpkgs/nixos/tests/firefox.nix +++ b/nixpkgs/nixos/tests/firefox.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: { +import ./make-test-python.nix ({ pkgs, ... }: { name = "firefox"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ eelco shlevy ]; @@ -11,19 +11,27 @@ import ./make-test.nix ({ pkgs, ... }: { environment.systemPackages = [ pkgs.firefox pkgs.xdotool ]; }; - testScript = - '' - $machine->waitForX; - $machine->execute("xterm -e 'firefox file://${pkgs.valgrind.doc}/share/doc/valgrind/html/index.html' &"); - $machine->waitForWindow(qr/Valgrind/); - $machine->sleep(40); # wait until Firefox has finished loading the page - $machine->execute("xdotool key space"); # do I want to make Firefox the - # default browser? I just want to close the dialog - $machine->sleep(2); # wait until Firefox hides the default browser window - $machine->execute("xdotool key F12"); - $machine->sleep(10); # wait until Firefox draws the developer tool panel - $machine->succeed("xwininfo -root -tree | grep Valgrind"); - $machine->screenshot("screen"); + testScript = '' + machine.wait_for_x() + + with subtest("wait until Firefox has finished loading the Valgrind docs page"): + machine.execute( + "xterm -e 'firefox file://${pkgs.valgrind.doc}/share/doc/valgrind/html/index.html' &" + ) + machine.wait_for_window("Valgrind") + machine.sleep(40) + + with subtest("Close default browser prompt"): + machine.execute("xdotool key space") + + with subtest("Hide default browser window"): + machine.sleep(2) + machine.execute("xdotool key F12") + + with subtest("wait until Firefox draws the developer tool panel"): + machine.sleep(10) + machine.succeed("xwininfo -root -tree | grep Valgrind") + machine.screenshot("screen") ''; }) diff --git a/nixpkgs/nixos/tests/firewall.nix b/nixpkgs/nixos/tests/firewall.nix index fcf758910e00..09a1fef852e6 100644 --- a/nixpkgs/nixos/tests/firewall.nix +++ b/nixpkgs/nixos/tests/firewall.nix @@ -1,6 +1,6 @@ # Test the firewall module. -import ./make-test.nix ( { pkgs, ... } : { +import ./make-test-python.nix ( { pkgs, ... } : { name = "firewall"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ eelco ]; @@ -36,30 +36,30 @@ import ./make-test.nix ( { pkgs, ... } : { testScript = { nodes, ... }: let newSystem = nodes.walled2.config.system.build.toplevel; in '' - $walled->start; - $attacker->start; + start_all() - $walled->waitForUnit("firewall"); - $walled->waitForUnit("httpd"); - $attacker->waitForUnit("network.target"); + walled.wait_for_unit("firewall") + walled.wait_for_unit("httpd") + attacker.wait_for_unit("network.target") # Local connections should still work. - $walled->succeed("curl -v http://localhost/ >&2"); + walled.succeed("curl -v http://localhost/ >&2") # Connections to the firewalled machine should fail, but ping should succeed. - $attacker->fail("curl --fail --connect-timeout 2 http://walled/ >&2"); - $attacker->succeed("ping -c 1 walled >&2"); + attacker.fail("curl --fail --connect-timeout 2 http://walled/ >&2") + attacker.succeed("ping -c 1 walled >&2") # Outgoing connections/pings should still work. - $walled->succeed("curl -v http://attacker/ >&2"); - $walled->succeed("ping -c 1 attacker >&2"); + walled.succeed("curl -v http://attacker/ >&2") + walled.succeed("ping -c 1 attacker >&2") # If we stop the firewall, then connections should succeed. - $walled->stopJob("firewall"); - $attacker->succeed("curl -v http://walled/ >&2"); + walled.stop_job("firewall") + attacker.succeed("curl -v http://walled/ >&2") # Check whether activation of a new configuration reloads the firewall. - $walled->succeed("${newSystem}/bin/switch-to-configuration test 2>&1" . - " | grep -qF firewall.service"); + walled.succeed( + "${newSystem}/bin/switch-to-configuration test 2>&1 | grep -qF firewall.service" + ) ''; }) diff --git a/nixpkgs/nixos/tests/fish.nix b/nixpkgs/nixos/tests/fish.nix index 97c4e8e37ac1..68fba428439b 100644 --- a/nixpkgs/nixos/tests/fish.nix +++ b/nixpkgs/nixos/tests/fish.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: { +import ./make-test-python.nix ({ pkgs, ... }: { name = "fish"; machine = @@ -14,8 +14,11 @@ import ./make-test.nix ({ pkgs, ... }: { testScript = '' - $machine->waitForFile("/etc/fish/generated_completions/coreutils.fish"); - $machine->waitForFile("/etc/fish/generated_completions/kill.fish"); - $machine->succeed("fish -ic 'echo \$fish_complete_path' | grep -q '/share/fish/completions /etc/fish/generated_completions /root/.local/share/fish/generated_completions\$'"); + start_all() + machine.wait_for_file("/etc/fish/generated_completions/coreutils.fish") + machine.wait_for_file("/etc/fish/generated_completions/kill.fish") + machine.succeed( + "fish -ic 'echo $fish_complete_path' | grep -q '/share/fish/completions /etc/fish/generated_completions /root/.local/share/fish/generated_completions$'" + ) ''; }) diff --git a/nixpkgs/nixos/tests/flatpak-builder.nix b/nixpkgs/nixos/tests/flatpak-builder.nix deleted file mode 100644 index 49b97e8ca99e..000000000000 --- a/nixpkgs/nixos/tests/flatpak-builder.nix +++ /dev/null @@ -1,20 +0,0 @@ -# run installed tests -import ./make-test.nix ({ pkgs, ... }: - -{ - name = "flatpak-builder"; - meta = { - maintainers = pkgs.flatpak-builder.meta.maintainers; - }; - - machine = { pkgs, ... }: { - services.flatpak.enable = true; - xdg.portal.enable = true; - environment.systemPackages = with pkgs; [ gnome-desktop-testing flatpak-builder ] ++ flatpak-builder.installedTestsDependencies; - virtualisation.diskSize = 2048; - }; - - testScript = '' - $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.flatpak-builder.installedTests}/share' --timeout 3600"); - ''; -}) diff --git a/nixpkgs/nixos/tests/flatpak.nix b/nixpkgs/nixos/tests/flatpak.nix deleted file mode 100644 index b0c61830d05a..000000000000 --- a/nixpkgs/nixos/tests/flatpak.nix +++ /dev/null @@ -1,26 +0,0 @@ -# run installed tests -import ./make-test.nix ({ pkgs, ... }: - -{ - name = "flatpak"; - meta = { - maintainers = pkgs.flatpak.meta.maintainers; - }; - - machine = { pkgs, ... }: { - imports = [ ./common/x11.nix ]; - services.xserver.desktopManager.gnome3.enable = true; # TODO: figure out minimal environment where the tests work - # common/x11.nix enables the auto display manager (lightdm) - services.xserver.displayManager.gdm.enable = false; - environment.gnome3.excludePackages = pkgs.gnome3.optionalPackages; - services.flatpak.enable = true; - environment.systemPackages = with pkgs; [ gnupg gnome-desktop-testing ostree python2 ]; - virtualisation.memorySize = 2047; - virtualisation.diskSize = 1024; - }; - - testScript = '' - $machine->waitForX(); - $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.flatpak.installedTests}/share' --timeout 3600"); - ''; -}) diff --git a/nixpkgs/nixos/tests/fluentd.nix b/nixpkgs/nixos/tests/fluentd.nix index e5c4c3d21631..918f2f87db17 100644 --- a/nixpkgs/nixos/tests/fluentd.nix +++ b/nixpkgs/nixos/tests/fluentd.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, lib, ... }: { +import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "fluentd"; machine = { pkgs, ... }: { @@ -33,14 +33,17 @@ import ./make-test.nix ({ pkgs, lib, ... }: { inherit testMessage; }); in '' - $machine->start; - $machine->waitForUnit('fluentd.service'); - $machine->waitForOpenPort(9880); + machine.start() + machine.wait_for_unit("fluentd.service") + machine.wait_for_open_port(9880) - $machine->succeed("curl -fsSL -X POST -H 'Content-type: application/json' -d @${payload} http://localhost:9880/test.tag"); + machine.succeed( + "curl -fsSL -X POST -H 'Content-type: application/json' -d @${payload} http://localhost:9880/test.tag" + ) - $machine->succeed("systemctl stop fluentd"); # blocking flush + # blocking flush + machine.succeed("systemctl stop fluentd") - $machine->succeed("grep '${testMessage}' /tmp/current-log"); + machine.succeed("grep '${testMessage}' /tmp/current-log") ''; }) diff --git a/nixpkgs/nixos/tests/fontconfig-default-fonts.nix b/nixpkgs/nixos/tests/fontconfig-default-fonts.nix index 1991cec92189..68c6ac9e9c83 100644 --- a/nixpkgs/nixos/tests/fontconfig-default-fonts.nix +++ b/nixpkgs/nixos/tests/fontconfig-default-fonts.nix @@ -1,7 +1,12 @@ -import ./make-test.nix ({ lib, ... }: +import ./make-test-python.nix ({ lib, ... }: { name = "fontconfig-default-fonts"; + meta.maintainers = with lib.maintainers; [ + jtojnar + worldofpeace + ]; + machine = { config, pkgs, ... }: { fonts.enableDefaultFonts = true; # Background fonts fonts.fonts = with pkgs; [ @@ -20,9 +25,9 @@ import ./make-test.nix ({ lib, ... }: }; testScript = '' - $machine->succeed("fc-match serif | grep '\"Gentium Plus\"'"); - $machine->succeed("fc-match sans-serif | grep '\"Cantarell\"'"); - $machine->succeed("fc-match monospace | grep '\"Source Code Pro\"'"); - $machine->succeed("fc-match emoji | grep '\"Twitter Color Emoji\"'"); + machine.succeed("fc-match serif | grep '\"Gentium Plus\"'") + machine.succeed("fc-match sans-serif | grep '\"Cantarell\"'") + machine.succeed("fc-match monospace | grep '\"Source Code Pro\"'") + machine.succeed("fc-match emoji | grep '\"Twitter Color Emoji\"'") ''; }) diff --git a/nixpkgs/nixos/tests/fsck.nix b/nixpkgs/nixos/tests/fsck.nix index f943bb7f2350..e522419fde2b 100644 --- a/nixpkgs/nixos/tests/fsck.nix +++ b/nixpkgs/nixos/tests/fsck.nix @@ -1,4 +1,4 @@ -import ./make-test.nix { +import ./make-test-python.nix { name = "fsck"; machine = { lib, ... }: { @@ -14,16 +14,18 @@ import ./make-test.nix { }; testScript = '' - $machine->waitForUnit('default.target'); + machine.wait_for_unit("default.target") - subtest "root fs is fsckd", sub { - $machine->succeed('journalctl -b | grep "fsck.ext4.*/dev/vda"'); - }; + with subtest("root fs is fsckd"): + machine.succeed("journalctl -b | grep 'fsck.ext4.*/dev/vda'") - subtest "mnt fs is fsckd", sub { - $machine->succeed('journalctl -b | grep "fsck.*/dev/vdb.*clean"'); - $machine->succeed('grep "Requires=systemd-fsck@dev-vdb.service" /run/systemd/generator/mnt.mount'); - $machine->succeed('grep "After=systemd-fsck@dev-vdb.service" /run/systemd/generator/mnt.mount'); - }; + with subtest("mnt fs is fsckd"): + machine.succeed("journalctl -b | grep 'fsck.*/dev/vdb.*clean'") + machine.succeed( + "grep 'Requires=systemd-fsck@dev-vdb.service' /run/systemd/generator/mnt.mount" + ) + machine.succeed( + "grep 'After=systemd-fsck@dev-vdb.service' /run/systemd/generator/mnt.mount" + ) ''; } diff --git a/nixpkgs/nixos/tests/fwupd.nix b/nixpkgs/nixos/tests/fwupd.nix deleted file mode 100644 index 88dac8ccbcdb..000000000000 --- a/nixpkgs/nixos/tests/fwupd.nix +++ /dev/null @@ -1,21 +0,0 @@ -# run installed tests -import ./make-test.nix ({ pkgs, ... }: { - name = "fwupd"; - - meta = { - maintainers = pkgs.fwupd.meta.maintainers; - }; - - machine = { pkgs, ... }: { - services.fwupd.enable = true; - services.fwupd.blacklistPlugins = []; # don't blacklist test plugin - services.fwupd.enableTestRemote = true; - environment.systemPackages = with pkgs; [ gnome-desktop-testing ]; - environment.variables.XDG_DATA_DIRS = [ "${pkgs.fwupd.installedTests}/share" ]; - virtualisation.memorySize = 768; - }; - - testScript = '' - $machine->succeed("gnome-desktop-testing-runner"); - ''; -}) diff --git a/nixpkgs/nixos/tests/gdk-pixbuf.nix b/nixpkgs/nixos/tests/gdk-pixbuf.nix deleted file mode 100644 index 9a62b593f46d..000000000000 --- a/nixpkgs/nixos/tests/gdk-pixbuf.nix +++ /dev/null @@ -1,21 +0,0 @@ -# run installed tests -import ./make-test.nix ({ pkgs, ... }: { - name = "gdk-pixbuf"; - - meta = { - maintainers = pkgs.gdk-pixbuf.meta.maintainers; - }; - - machine = { pkgs, ... }: { - environment.systemPackages = with pkgs; [ gnome-desktop-testing ]; - environment.variables.XDG_DATA_DIRS = [ "${pkgs.gdk-pixbuf.installedTests}/share" ]; - - # Tests allocate a lot of memory trying to exploit a CVE - # but qemu-system-i386 has a 2047M memory limit - virtualisation.memorySize = if pkgs.stdenv.isi686 then 2047 else 4096; - }; - - testScript = '' - $machine->succeed("gnome-desktop-testing-runner -t 1800"); # increase timeout to 1800s - ''; -}) diff --git a/nixpkgs/nixos/tests/gitea.nix b/nixpkgs/nixos/tests/gitea.nix index b8ab6dabc8c1..aaed2486421f 100644 --- a/nixpkgs/nixos/tests/gitea.nix +++ b/nixpkgs/nixos/tests/gitea.nix @@ -3,65 +3,107 @@ pkgs ? import ../.. { inherit system config; } }: -with import ../lib/testing.nix { inherit system pkgs; }; +with import ../lib/testing-python.nix { inherit system pkgs; }; with pkgs.lib; -{ - mysql = makeTest { - name = "gitea-mysql"; - meta.maintainers = with maintainers; [ aanderse kolaente ]; +let + supportedDbTypes = [ "mysql" "postgres" "sqlite3" ]; + makeGiteaTest = type: nameValuePair type (makeTest { + name = "gitea-${type}"; + meta.maintainers = with maintainers; [ aanderse kolaente ma27 ]; - machine = - { config, pkgs, ... }: - { services.gitea.enable = true; - services.gitea.database.type = "mysql"; + nodes = { + server = { config, pkgs, ... }: { + services.gitea = { + enable = true; + database = { inherit type; }; + disableRegistration = true; + }; + environment.systemPackages = [ pkgs.gitea pkgs.jq ]; + services.openssh.enable = true; }; + client1 = { config, pkgs, ... }: { + environment.systemPackages = [ pkgs.git ]; + }; + client2 = { config, pkgs, ... }: { + environment.systemPackages = [ pkgs.git ]; + }; + }; - testScript = '' - startAll; + testScript = let + inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey; + in '' + GIT_SSH_COMMAND = "ssh -i $HOME/.ssh/privk -o StrictHostKeyChecking=no" + REPO = "gitea@server:test/repo" + PRIVK = "${snakeOilPrivateKey}" - $machine->waitForUnit('gitea.service'); - $machine->waitForOpenPort('3000'); - $machine->succeed("curl --fail http://localhost:3000/"); - ''; - }; + start_all() - postgres = makeTest { - name = "gitea-postgres"; - meta.maintainers = [ maintainers.aanderse ]; + client1.succeed("mkdir /tmp/repo") + client1.succeed("mkdir -p $HOME/.ssh") + client1.succeed(f"cat {PRIVK} > $HOME/.ssh/privk") + client1.succeed("chmod 0400 $HOME/.ssh/privk") + client1.succeed("git -C /tmp/repo init") + client1.succeed("echo hello world > /tmp/repo/testfile") + client1.succeed("git -C /tmp/repo add .") + client1.succeed("git config --global user.email test@localhost") + client1.succeed("git config --global user.name test") + client1.succeed("git -C /tmp/repo commit -m 'Initial import'") + client1.succeed(f"git -C /tmp/repo remote add origin {REPO}") - machine = - { config, pkgs, ... }: - { services.gitea.enable = true; - services.gitea.database.type = "postgres"; - }; + server.wait_for_unit("gitea.service") + server.wait_for_open_port(3000) + server.succeed("curl --fail http://localhost:3000/") - testScript = '' - startAll; + server.succeed( + "curl --fail http://localhost:3000/user/sign_up | grep 'Registration is disabled. " + + "Please contact your site administrator.'" + ) + server.succeed( + "su -l gitea -c 'GITEA_WORK_DIR=/var/lib/gitea gitea admin create-user " + + "--username test --password totallysafe --email test@localhost'" + ) - $machine->waitForUnit('gitea.service'); - $machine->waitForOpenPort('3000'); - $machine->succeed("curl --fail http://localhost:3000/"); - ''; - }; + api_token = server.succeed( + "curl --fail -X POST http://test:totallysafe@localhost:3000/api/v1/users/test/tokens " + + "-H 'Accept: application/json' -H 'Content-Type: application/json' -d " + + "'{\"name\":\"token\"}' | jq '.sha1' | xargs echo -n" + ) - sqlite = makeTest { - name = "gitea-sqlite"; - meta.maintainers = [ maintainers.aanderse ]; + server.succeed( + "curl --fail -X POST http://localhost:3000/api/v1/user/repos " + + "-H 'Accept: application/json' -H 'Content-Type: application/json' " + + f"-H 'Authorization: token {api_token}'" + + ' -d \'{"auto_init":false, "description":"string", "license":"mit", "name":"repo", "private":false}\''' + ) - machine = - { config, pkgs, ... }: - { services.gitea.enable = true; - services.gitea.disableRegistration = true; - }; + server.succeed( + "curl --fail -X POST http://localhost:3000/api/v1/user/keys " + + "-H 'Accept: application/json' -H 'Content-Type: application/json' " + + f"-H 'Authorization: token {api_token}'" + + ' -d \'{"key":"${snakeOilPublicKey}","read_only":true,"title":"SSH"}\''' + ) + + client1.succeed( + f"GIT_SSH_COMMAND='{GIT_SSH_COMMAND}' git -C /tmp/repo push origin master" + ) - testScript = '' - startAll; + client2.succeed("mkdir -p $HOME/.ssh") + client2.succeed(f"cat {PRIVK} > $HOME/.ssh/privk") + client2.succeed("chmod 0400 $HOME/.ssh/privk") + client2.succeed(f"GIT_SSH_COMMAND='{GIT_SSH_COMMAND}' git clone {REPO}") + client2.succeed('test "$(cat repo/testfile | xargs echo -n)" = "hello world"') - $machine->waitForUnit('gitea.service'); - $machine->waitForOpenPort('3000'); - $machine->succeed("curl --fail http://localhost:3000/"); - $machine->succeed("curl --fail http://localhost:3000/user/sign_up | grep 'Registration is disabled. Please contact your site administrator.'"); + server.succeed( + 'test "$(curl http://localhost:3000/api/v1/repos/test/repo/commits ' + + '-H "Accept: application/json" | jq length)" = "1"' + ) + + client1.shutdown() + client2.shutdown() + server.shutdown() ''; - }; -} + }); +in + +listToAttrs (map makeGiteaTest supportedDbTypes) diff --git a/nixpkgs/nixos/tests/gitlab.nix b/nixpkgs/nixos/tests/gitlab.nix index be0b3c8746a9..7e4e8bcef92d 100644 --- a/nixpkgs/nixos/tests/gitlab.nix +++ b/nixpkgs/nixos/tests/gitlab.nix @@ -3,7 +3,7 @@ let initialRootPassword = "notproduction"; in -import ./make-test.nix ({ pkgs, lib, ...} : with lib; { +import ./make-test-python.nix ({ pkgs, lib, ...} : with lib; { name = "gitlab"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ globin ]; @@ -63,21 +63,35 @@ import ./make-test.nix ({ pkgs, lib, ...} : with lib; { }); in '' - $gitlab->start(); - $gitlab->waitForUnit("gitaly.service"); - $gitlab->waitForUnit("gitlab-workhorse.service"); - $gitlab->waitForUnit("gitlab.service"); - $gitlab->waitForUnit("gitlab-sidekiq.service"); - $gitlab->waitForFile("/var/gitlab/state/tmp/sockets/gitlab.socket"); - $gitlab->waitUntilSucceeds("curl -sSf http://gitlab/users/sign_in"); - $gitlab->succeed("curl -isSf http://gitlab | grep -i location | grep -q http://gitlab/users/sign_in"); - $gitlab->succeed("${pkgs.sudo}/bin/sudo -u gitlab -H gitlab-rake gitlab:check 1>&2"); - $gitlab->succeed("echo \"Authorization: Bearer \$(curl -X POST -H 'Content-Type: application/json' -d @${auth} http://gitlab/oauth/token | ${pkgs.jq}/bin/jq -r '.access_token')\" >/tmp/headers"); - $gitlab->succeed("curl -X POST -H 'Content-Type: application/json' -H @/tmp/headers -d @${createProject} http://gitlab/api/v4/projects"); - $gitlab->succeed("curl -X POST -H 'Content-Type: application/json' -H @/tmp/headers -d @${putFile} http://gitlab/api/v4/projects/1/repository/files/some-file.txt"); - $gitlab->succeed("curl -H @/tmp/headers http://gitlab/api/v4/projects/1/repository/archive.tar.gz > /tmp/archive.tar.gz"); - $gitlab->succeed("curl -H @/tmp/headers http://gitlab/api/v4/projects/1/repository/archive.tar.bz2 > /tmp/archive.tar.bz2"); - $gitlab->succeed("test -s /tmp/archive.tar.gz"); - $gitlab->succeed("test -s /tmp/archive.tar.bz2"); + gitlab.start() + gitlab.wait_for_unit("gitaly.service") + gitlab.wait_for_unit("gitlab-workhorse.service") + gitlab.wait_for_unit("gitlab.service") + gitlab.wait_for_unit("gitlab-sidekiq.service") + gitlab.wait_for_file("/var/gitlab/state/tmp/sockets/gitlab.socket") + gitlab.wait_until_succeeds("curl -sSf http://gitlab/users/sign_in") + gitlab.succeed( + "curl -isSf http://gitlab | grep -i location | grep -q http://gitlab/users/sign_in" + ) + gitlab.succeed( + "${pkgs.sudo}/bin/sudo -u gitlab -H gitlab-rake gitlab:check 1>&2" + ) + gitlab.succeed( + "echo \"Authorization: Bearer \$(curl -X POST -H 'Content-Type: application/json' -d @${auth} http://gitlab/oauth/token | ${pkgs.jq}/bin/jq -r '.access_token')\" >/tmp/headers" + ) + gitlab.succeed( + "curl -X POST -H 'Content-Type: application/json' -H @/tmp/headers -d @${createProject} http://gitlab/api/v4/projects" + ) + gitlab.succeed( + "curl -X POST -H 'Content-Type: application/json' -H @/tmp/headers -d @${putFile} http://gitlab/api/v4/projects/1/repository/files/some-file.txt" + ) + gitlab.succeed( + "curl -H @/tmp/headers http://gitlab/api/v4/projects/1/repository/archive.tar.gz > /tmp/archive.tar.gz" + ) + gitlab.succeed( + "curl -H @/tmp/headers http://gitlab/api/v4/projects/1/repository/archive.tar.bz2 > /tmp/archive.tar.bz2" + ) + gitlab.succeed("test -s /tmp/archive.tar.gz") + gitlab.succeed("test -s /tmp/archive.tar.bz2") ''; }) diff --git a/nixpkgs/nixos/tests/gitolite-fcgiwrap.nix b/nixpkgs/nixos/tests/gitolite-fcgiwrap.nix new file mode 100644 index 000000000000..414b7d6fe7ef --- /dev/null +++ b/nixpkgs/nixos/tests/gitolite-fcgiwrap.nix @@ -0,0 +1,93 @@ +import ./make-test-python.nix ( + { pkgs, ... }: + + let + user = "gitolite-admin"; + password = "some_password"; + + # not used but needed to setup gitolite + adminPublicKey = '' + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7urFhAA90BTpGuEHeWWTY3W/g9PBxXNxfWhfbrm4Le root@client + ''; + in + { + name = "gitolite-fcgiwrap"; + + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ bbigras ]; + }; + + nodes = { + + server = + { ... }: + { + networking.firewall.allowedTCPPorts = [ 80 ]; + + services.fcgiwrap.enable = true; + services.gitolite = { + enable = true; + adminPubkey = adminPublicKey; + }; + + services.nginx = { + enable = true; + recommendedProxySettings = true; + virtualHosts."server".locations."/git".extraConfig = '' + # turn off gzip as git objects are already well compressed + gzip off; + + # use file based basic authentication + auth_basic "Git Repository Authentication"; + auth_basic_user_file /etc/gitolite/htpasswd; + + # common FastCGI parameters are required + include ${pkgs.nginx}/conf/fastcgi_params; + + # strip the CGI program prefix + fastcgi_split_path_info ^(/git)(.*)$; + fastcgi_param PATH_INFO $fastcgi_path_info; + + # pass authenticated user login(mandatory) to Gitolite + fastcgi_param REMOTE_USER $remote_user; + + # pass git repository root directory and hosting user directory + # these env variables can be set in a wrapper script + fastcgi_param GIT_HTTP_EXPORT_ALL ""; + fastcgi_param GIT_PROJECT_ROOT /var/lib/gitolite/repositories; + fastcgi_param GITOLITE_HTTP_HOME /var/lib/gitolite; + fastcgi_param SCRIPT_FILENAME ${pkgs.gitolite}/bin/gitolite-shell; + + # use Unix domain socket or inet socket + fastcgi_pass unix:/run/fcgiwrap.sock; + ''; + }; + + # WARNING: DON'T DO THIS IN PRODUCTION! + # This puts unhashed secrets directly into the Nix store for ease of testing. + environment.etc."gitolite/htpasswd".source = pkgs.runCommand "htpasswd" {} '' + ${pkgs.apacheHttpd}/bin/htpasswd -bc "$out" ${user} ${password} + ''; + }; + + client = + { pkgs, ... }: + { + environment.systemPackages = [ pkgs.git ]; + }; + }; + + testScript = '' + start_all() + + server.wait_for_unit("gitolite-init.service") + server.wait_for_unit("nginx.service") + server.wait_for_file("/run/fcgiwrap.sock") + + client.wait_for_unit("multi-user.target") + client.succeed( + "git clone http://${user}:${password}@server/git/gitolite-admin.git" + ) + ''; + } +) diff --git a/nixpkgs/nixos/tests/gitolite.nix b/nixpkgs/nixos/tests/gitolite.nix index 690e456ed7c8..a928645bd80f 100644 --- a/nixpkgs/nixos/tests/gitolite.nix +++ b/nixpkgs/nixos/tests/gitolite.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...}: +import ./make-test-python.nix ({ pkgs, ...}: let adminPrivateKey = pkgs.writeText "id_ed25519" '' @@ -43,7 +43,7 @@ let ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJZNonUP1ePHLrvn0W9D2hdN6zWWZYFyJc+QR6pOKQEw bob@client ''; - gitoliteAdminConfSnippet = '' + gitoliteAdminConfSnippet = pkgs.writeText "gitolite-admin-conf-snippet" '' repo alice-project RW+ = alice ''; @@ -85,55 +85,54 @@ in }; testScript = '' - startAll; - - subtest "can setup ssh keys on system", sub { - $client->mustSucceed("mkdir -p ~root/.ssh"); - $client->mustSucceed("cp ${adminPrivateKey} ~root/.ssh/id_ed25519"); - $client->mustSucceed("chmod 600 ~root/.ssh/id_ed25519"); - - $client->mustSucceed("sudo -u alice mkdir -p ~alice/.ssh"); - $client->mustSucceed("sudo -u alice cp ${alicePrivateKey} ~alice/.ssh/id_ed25519"); - $client->mustSucceed("sudo -u alice chmod 600 ~alice/.ssh/id_ed25519"); - - $client->mustSucceed("sudo -u bob mkdir -p ~bob/.ssh"); - $client->mustSucceed("sudo -u bob cp ${bobPrivateKey} ~bob/.ssh/id_ed25519"); - $client->mustSucceed("sudo -u bob chmod 600 ~bob/.ssh/id_ed25519"); - }; - - subtest "gitolite server starts", sub { - $server->waitForUnit("gitolite-init.service"); - $server->waitForUnit("sshd.service"); - $client->mustSucceed('ssh gitolite@server info'); - }; - - subtest "admin can clone and configure gitolite-admin.git", sub { - $client->mustSucceed('git clone gitolite@server:gitolite-admin.git'); - $client->mustSucceed("git config --global user.name 'System Administrator'"); - $client->mustSucceed("git config --global user.email root\@domain.example"); - $client->mustSucceed("cp ${alicePublicKey} gitolite-admin/keydir/alice.pub"); - $client->mustSucceed("cp ${bobPublicKey} gitolite-admin/keydir/bob.pub"); - $client->mustSucceed('(cd gitolite-admin && git add . && git commit -m "Add keys for alice, bob" && git push)'); - $client->mustSucceed("printf '${gitoliteAdminConfSnippet}' >> gitolite-admin/conf/gitolite.conf"); - $client->mustSucceed('(cd gitolite-admin && git add . && git commit -m "Add repo for alice" && git push)'); - }; - - subtest "non-admins cannot clone gitolite-admin.git", sub { - $client->mustFail('sudo -i -u alice git clone gitolite@server:gitolite-admin.git'); - $client->mustFail('sudo -i -u bob git clone gitolite@server:gitolite-admin.git'); - }; - - subtest "non-admins can clone testing.git", sub { - $client->mustSucceed('sudo -i -u alice git clone gitolite@server:testing.git'); - $client->mustSucceed('sudo -i -u bob git clone gitolite@server:testing.git'); - }; - - subtest "alice can clone alice-project.git", sub { - $client->mustSucceed('sudo -i -u alice git clone gitolite@server:alice-project.git'); - }; - - subtest "bob cannot clone alice-project.git", sub { - $client->mustFail('sudo -i -u bob git clone gitolite@server:alice-project.git'); - }; + start_all() + + with subtest("can setup ssh keys on system"): + client.succeed( + "mkdir -p ~root/.ssh", + "cp ${adminPrivateKey} ~root/.ssh/id_ed25519", + "chmod 600 ~root/.ssh/id_ed25519", + ) + client.succeed( + "sudo -u alice mkdir -p ~alice/.ssh", + "sudo -u alice cp ${alicePrivateKey} ~alice/.ssh/id_ed25519", + "sudo -u alice chmod 600 ~alice/.ssh/id_ed25519", + ) + client.succeed( + "sudo -u bob mkdir -p ~bob/.ssh", + "sudo -u bob cp ${bobPrivateKey} ~bob/.ssh/id_ed25519", + "sudo -u bob chmod 600 ~bob/.ssh/id_ed25519", + ) + + with subtest("gitolite server starts"): + server.wait_for_unit("gitolite-init.service") + server.wait_for_unit("sshd.service") + client.succeed("ssh gitolite@server info") + + with subtest("admin can clone and configure gitolite-admin.git"): + client.succeed( + "git clone gitolite@server:gitolite-admin.git", + "git config --global user.name 'System Administrator'", + "git config --global user.email root\@domain.example", + "cp ${alicePublicKey} gitolite-admin/keydir/alice.pub", + "cp ${bobPublicKey} gitolite-admin/keydir/bob.pub", + "(cd gitolite-admin && git add . && git commit -m 'Add keys for alice, bob' && git push)", + "cat ${gitoliteAdminConfSnippet} >> gitolite-admin/conf/gitolite.conf", + "(cd gitolite-admin && git add . && git commit -m 'Add repo for alice' && git push)", + ) + + with subtest("non-admins cannot clone gitolite-admin.git"): + client.fail("sudo -i -u alice git clone gitolite@server:gitolite-admin.git") + client.fail("sudo -i -u bob git clone gitolite@server:gitolite-admin.git") + + with subtest("non-admins can clone testing.git"): + client.succeed("sudo -i -u alice git clone gitolite@server:testing.git") + client.succeed("sudo -i -u bob git clone gitolite@server:testing.git") + + with subtest("alice can clone alice-project.git"): + client.succeed("sudo -i -u alice git clone gitolite@server:alice-project.git") + + with subtest("bob cannot clone alice-project.git"): + client.fail("sudo -i -u bob git clone gitolite@server:alice-project.git") ''; }) diff --git a/nixpkgs/nixos/tests/gjs.nix b/nixpkgs/nixos/tests/gjs.nix deleted file mode 100644 index e6002ef98dd0..000000000000 --- a/nixpkgs/nixos/tests/gjs.nix +++ /dev/null @@ -1,19 +0,0 @@ -# run installed tests -import ./make-test.nix ({ pkgs, ... }: { - name = "gjs"; - - meta = { - maintainers = pkgs.gnome3.gjs.meta.maintainers; - }; - - machine = { pkgs, ... }: { - imports = [ ./common/x11.nix ]; - environment.systemPackages = with pkgs; [ gnome-desktop-testing ]; - environment.variables.XDG_DATA_DIRS = [ "${pkgs.gnome3.gjs.installedTests}/share" ]; - }; - - testScript = '' - $machine->waitForX; - $machine->succeed("gnome-desktop-testing-runner"); - ''; -}) diff --git a/nixpkgs/nixos/tests/glib-networking.nix b/nixpkgs/nixos/tests/glib-networking.nix deleted file mode 100644 index c0bbb2b3554b..000000000000 --- a/nixpkgs/nixos/tests/glib-networking.nix +++ /dev/null @@ -1,17 +0,0 @@ -# run installed tests -import ./make-test.nix ({ pkgs, ... }: - -{ - name = "glib-networking"; - meta = { - maintainers = pkgs.glib-networking.meta.maintainers; - }; - - machine = { pkgs, ... }: { - environment.systemPackages = with pkgs; [ gnome-desktop-testing ]; - }; - - testScript = '' - $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.glib-networking.installedTests}/share'"); - ''; -}) diff --git a/nixpkgs/nixos/tests/glusterfs.nix b/nixpkgs/nixos/tests/glusterfs.nix index 9fd8bd2ed129..8f9cb8973d51 100644 --- a/nixpkgs/nixos/tests/glusterfs.nix +++ b/nixpkgs/nixos/tests/glusterfs.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ ... } : +import ./make-test-python.nix ({pkgs, lib, ...}: let client = { pkgs, ... } : { @@ -39,27 +39,29 @@ in { }; testScript = '' - $server1->waitForUnit("glusterd.service"); - $server2->waitForUnit("glusterd.service"); + server1.wait_for_unit("glusterd.service") + server2.wait_for_unit("glusterd.service") + + server1.wait_until_succeeds("gluster peer status") + server2.wait_until_succeeds("gluster peer status") # establish initial contact - $server1->succeed("sleep 2"); - $server1->succeed("gluster peer probe server2"); - $server1->succeed("gluster peer probe server1"); + server1.succeed("gluster peer probe server2") + server1.succeed("gluster peer probe server1") - $server1->succeed("gluster peer status | grep Connected"); + server1.succeed("gluster peer status | grep Connected") # create volumes - $server1->succeed("mkdir -p /data/vg0"); - $server2->succeed("mkdir -p /data/vg0"); - $server1->succeed("gluster volume create gv0 server1:/data/vg0 server2:/data/vg0"); - $server1->succeed("gluster volume start gv0"); + server1.succeed("mkdir -p /data/vg0") + server2.succeed("mkdir -p /data/vg0") + server1.succeed("gluster volume create gv0 server1:/data/vg0 server2:/data/vg0") + server1.succeed("gluster volume start gv0") # test clients - $client1->waitForUnit("gluster.mount"); - $client2->waitForUnit("gluster.mount"); + client1.wait_for_unit("gluster.mount") + client2.wait_for_unit("gluster.mount") - $client1->succeed("echo test > /gluster/file1"); - $client2->succeed("grep test /gluster/file1"); + client1.succeed("echo test > /gluster/file1") + client2.succeed("grep test /gluster/file1") ''; }) diff --git a/nixpkgs/nixos/tests/gnome-photos.nix b/nixpkgs/nixos/tests/gnome-photos.nix deleted file mode 100644 index 2ecda1d68ce3..000000000000 --- a/nixpkgs/nixos/tests/gnome-photos.nix +++ /dev/null @@ -1,42 +0,0 @@ -# run installed tests -import ./make-test.nix ({ pkgs, lib, ... }: - -let - - # gsettings tool with access to gsettings-desktop-schemas - desktop-gsettings = with pkgs; stdenv.mkDerivation { - name = "desktop-gsettings"; - dontUnpack = true; - nativeBuildInputs = [ glib wrapGAppsHook ]; - buildInputs = [ gsettings-desktop-schemas ]; - installPhase = '' - runHook preInstall - mkdir -p $out/bin - ln -s ${glib.bin}/bin/gsettings $out/bin/desktop-gsettings - runHook postInstall - ''; - }; - -in - -{ - name = "gnome-photos"; - meta = { - maintainers = pkgs.gnome-photos.meta.maintainers; - }; - - machine = { pkgs, ... }: { - imports = [ ./common/x11.nix ]; - programs.dconf.enable = true; - services.gnome3.at-spi2-core.enable = true; # needed for dogtail - environment.systemPackages = with pkgs; [ gnome-desktop-testing desktop-gsettings ]; - services.dbus.packages = with pkgs; [ gnome-photos ]; - }; - - testScript = '' - $machine->waitForX; - # dogtail needs accessibility enabled - $machine->succeed("desktop-gsettings set org.gnome.desktop.interface toolkit-accessibility true 2>&1"); - $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.gnome-photos.installedTests}/share' 2>&1"); - ''; -}) diff --git a/nixpkgs/nixos/tests/gnome3-xorg.nix b/nixpkgs/nixos/tests/gnome3-xorg.nix index f12361da0372..f793bb922ad7 100644 --- a/nixpkgs/nixos/tests/gnome3-xorg.nix +++ b/nixpkgs/nixos/tests/gnome3-xorg.nix @@ -1,41 +1,79 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "gnome3-xorg"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = pkgs.gnome3.maintainers; }; - machine = - { ... }: + machine = { nodes, ... }: let + user = nodes.machine.config.users.users.alice; + in { imports = [ ./common/user-account.nix ]; services.xserver.enable = true; - services.xserver.displayManager.gdm.enable = false; - services.xserver.displayManager.lightdm.enable = true; - services.xserver.displayManager.lightdm.autoLogin.enable = true; - services.xserver.displayManager.lightdm.autoLogin.user = "alice"; + services.xserver.displayManager.gdm = { + enable = true; + autoLogin = { + enable = true; + user = user.name; + }; + }; + services.xserver.desktopManager.gnome3.enable = true; - services.xserver.desktopManager.default = "gnome-xorg"; + services.xserver.displayManager.defaultSession = "gnome-xorg"; virtualisation.memorySize = 1024; }; - testScript = - '' - $machine->waitForX; + testScript = { nodes, ... }: let + user = nodes.machine.config.users.users.alice; + uid = toString user.uid; + bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/${uid}/bus"; + xauthority = "/run/user/${uid}/gdm/Xauthority"; + display = "DISPLAY=:0.0"; + env = "${bus} XAUTHORITY=${xauthority} ${display}"; + gdbus = "${env} gdbus"; + su = command: "su - ${user.name} -c '${env} ${command}'"; + + # Call javascript in gnome shell, returns a tuple (success, output), where + # `success` is true if the dbus call was successful and output is what the + # javascript evaluates to. + eval = "call --session -d org.gnome.Shell -o /org/gnome/Shell -m org.gnome.Shell.Eval"; + + # False when startup is done + startingUp = su "${gdbus} ${eval} Main.layoutManager._startingUp"; + + # Start gnome-terminal + gnomeTerminalCommand = su "gnome-terminal"; - # wait for alice to be logged in - $machine->waitForUnit("default.target","alice"); + # Hopefully gnome-terminal's wm class + wmClass = su "${gdbus} ${eval} global.display.focus_window.wm_class"; + in '' + with subtest("Login to GNOME Xorg with GDM"): + machine.wait_for_x() + # Wait for alice to be logged in" + machine.wait_for_unit("default.target", "${user.name}") + machine.wait_for_file("${xauthority}") + machine.succeed("xauth merge ${xauthority}") + # Check that logging in has given the user ownership of devices + assert "alice" in machine.succeed("getfacl -p /dev/snd/timer") - # Check that logging in has given the user ownership of devices. - $machine->succeed("getfacl /dev/snd/timer | grep -q alice"); + with subtest("Wait for GNOME Shell"): + # correct output should be (true, 'false') + machine.wait_until_succeeds( + "${startingUp} | grep -q 'true,..false'" + ) - $machine->succeed("su - alice -c 'DISPLAY=:0.0 gnome-terminal &'"); - $machine->succeed("xauth merge ~alice/.Xauthority"); - $machine->waitForWindow(qr/alice.*machine/); - $machine->succeed("timeout 900 bash -c 'while read msg; do if [[ \$msg =~ \"GNOME Shell started\" ]]; then break; fi; done < <(journalctl -f)'"); - $machine->sleep(10); - $machine->screenshot("screen"); + with subtest("Open Gnome Terminal"): + machine.succeed( + "${gnomeTerminalCommand}" + ) + # correct output should be (true, '"Gnome-terminal"') + machine.wait_until_succeeds( + "${wmClass} | grep -q 'true,...Gnome-terminal'" + ) + machine.sleep(20) + machine.screenshot("screen") ''; }) diff --git a/nixpkgs/nixos/tests/gnome3.nix b/nixpkgs/nixos/tests/gnome3.nix index b6fe602a7327..ab363efb6a19 100644 --- a/nixpkgs/nixos/tests/gnome3.nix +++ b/nixpkgs/nixos/tests/gnome3.nix @@ -44,7 +44,7 @@ import ./make-test.nix ({ pkgs, ...} : { $machine->waitForUnit("default.target","alice"); # Check that logging in has given the user ownership of devices. - $machine->succeed("getfacl /dev/snd/timer | grep -q alice"); + $machine->succeed("getfacl -p /dev/snd/timer | grep -q alice"); # Wait for the wayland server $machine->waitForFile("/run/user/1000/wayland-0"); diff --git a/nixpkgs/nixos/tests/gocd-agent.nix b/nixpkgs/nixos/tests/gocd-agent.nix index 50470379576b..5b630a40736e 100644 --- a/nixpkgs/nixos/tests/gocd-agent.nix +++ b/nixpkgs/nixos/tests/gocd-agent.nix @@ -9,14 +9,18 @@ let header = "Accept: application/vnd.go.cd.v2+json"; in -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "gocd-agent"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ grahamc swarren83 ]; + + # gocd agent needs to register with the autoregister key created on first server startup, + # but NixOS module doesn't seem to allow to pass during runtime currently + broken = true; }; nodes = { - gocd_agent = + agent = { ... }: { virtualisation.memorySize = 2046; @@ -30,11 +34,15 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; - $gocd_agent->waitForUnit("gocd-server"); - $gocd_agent->waitForOpenPort("8153"); - $gocd_agent->waitForUnit("gocd-agent"); - $gocd_agent->waitUntilSucceeds("curl ${serverUrl} -H '${header}' | ${pkgs.jq}/bin/jq -e ._embedded.agents[0].uuid"); - $gocd_agent->succeed("curl ${serverUrl} -H '${header}' | ${pkgs.jq}/bin/jq -e ._embedded.agents[0].agent_state | grep -q Idle"); + start_all() + agent.wait_for_unit("gocd-server") + agent.wait_for_open_port("8153") + agent.wait_for_unit("gocd-agent") + agent.wait_until_succeeds( + "curl ${serverUrl} -H '${header}' | ${pkgs.jq}/bin/jq -e ._embedded.agents[0].uuid" + ) + agent.succeed( + "curl ${serverUrl} -H '${header}' | ${pkgs.jq}/bin/jq -e ._embedded.agents[0].agent_state | grep -q Idle" + ) ''; }) diff --git a/nixpkgs/nixos/tests/gocd-server.nix b/nixpkgs/nixos/tests/gocd-server.nix index 80cf04ed6404..20faf85a1ccd 100644 --- a/nixpkgs/nixos/tests/gocd-server.nix +++ b/nixpkgs/nixos/tests/gocd-server.nix @@ -2,7 +2,7 @@ # 1. GoCD server starts # 2. GoCD server responds -import ./make-test.nix ({ pkgs, ...} : +import ./make-test-python.nix ({ pkgs, ...} : { name = "gocd-server"; @@ -10,19 +10,19 @@ import ./make-test.nix ({ pkgs, ...} : maintainers = [ swarren83 ]; }; -nodes = { - gocd_server = - { ... }: - { - virtualisation.memorySize = 2046; - services.gocd-server.enable = true; - }; -}; + nodes = { + server = + { ... }: + { + virtualisation.memorySize = 2046; + services.gocd-server.enable = true; + }; + }; testScript = '' - $gocd_server->start; - $gocd_server->waitForUnit("gocd-server"); - $gocd_server->waitForOpenPort("8153"); - $gocd_server->waitUntilSucceeds("curl -s -f localhost:8153/go"); + server.start() + server.wait_for_unit("gocd-server") + server.wait_for_open_port(8153) + server.wait_until_succeeds("curl -s -f localhost:8153/go") ''; }) diff --git a/nixpkgs/nixos/tests/google-oslogin/default.nix b/nixpkgs/nixos/tests/google-oslogin/default.nix index 3b84bba3f985..1977e92e9877 100644 --- a/nixpkgs/nixos/tests/google-oslogin/default.nix +++ b/nixpkgs/nixos/tests/google-oslogin/default.nix @@ -1,7 +1,14 @@ -import ../make-test.nix ({ pkgs, ... } : +import ../make-test-python.nix ({ pkgs, ... } : let inherit (import ./../ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey; + + # don't check host keys or known hosts, use the snakeoil ssh key + ssh-config = builtins.toFile "ssh.conf" '' + UserKnownHostsFile=/dev/null + StrictHostKeyChecking=no + IdentityFile=~/.ssh/id_snakeoil + ''; in { name = "google-oslogin"; meta = with pkgs.stdenv.lib.maintainers; { @@ -15,38 +22,49 @@ in { client = { ... }: {}; }; testScript = '' - startAll; + start_all() - $server->waitForUnit("mock-google-metadata.service"); - $server->waitForOpenPort(80); + server.wait_for_unit("mock-google-metadata.service") + server.wait_for_open_port(80) # mockserver should return a non-expired ssh key for both mockuser and mockadmin - $server->succeed('${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockuser | grep -q "${snakeOilPublicKey}"'); - $server->succeed('${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockadmin | grep -q "${snakeOilPublicKey}"'); + server.succeed( + '${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockuser | grep -q "${snakeOilPublicKey}"' + ) + server.succeed( + '${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockadmin | grep -q "${snakeOilPublicKey}"' + ) - # install snakeoil ssh key on the client - $client->succeed("mkdir -p ~/.ssh"); - $client->succeed("cat ${snakeOilPrivateKey} > ~/.ssh/id_snakeoil"); - $client->succeed("chmod 600 ~/.ssh/id_snakeoil"); + # install snakeoil ssh key on the client, and provision .ssh/config file + client.succeed("mkdir -p ~/.ssh") + client.succeed( + "cat ${snakeOilPrivateKey} > ~/.ssh/id_snakeoil" + ) + client.succeed("chmod 600 ~/.ssh/id_snakeoil") + client.succeed("cp ${ssh-config} ~/.ssh/config") - $client->waitForUnit("network.target"); - $server->waitForUnit("sshd.service"); + client.wait_for_unit("network.target") + server.wait_for_unit("sshd.service") # we should not be able to connect as non-existing user - $client->fail("ssh -o User=ghost -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil 'true'"); + client.fail("ssh ghost@server 'true'") # we should be able to connect as mockuser - $client->succeed("ssh -o User=mockuser -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil 'true'"); + client.succeed("ssh mockuser@server 'true'") # but we shouldn't be able to sudo - $client->fail("ssh -o User=mockuser -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"); + client.fail( + "ssh mockuser@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'" + ) # we should also be able to log in as mockadmin - $client->succeed("ssh -o User=mockadmin -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil 'true'"); + client.succeed("ssh mockadmin@server 'true'") # pam_oslogin_admin.so should now have generated a sudoers file - $server->succeed("find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/mockadmin'"); + server.succeed("find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/mockadmin'") # and we should be able to sudo - $client->succeed("ssh -o User=mockadmin -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"); + client.succeed( + "ssh mockadmin@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'" + ) ''; }) diff --git a/nixpkgs/nixos/tests/gotify-server.nix b/nixpkgs/nixos/tests/gotify-server.nix new file mode 100644 index 000000000000..c6e00686aed9 --- /dev/null +++ b/nixpkgs/nixos/tests/gotify-server.nix @@ -0,0 +1,45 @@ +import ./make-test-python.nix ({ pkgs, lib, ...} : { + name = "gotify-server"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ ma27 ]; + }; + + machine = { pkgs, ... }: { + environment.systemPackages = [ pkgs.jq ]; + + services.gotify = { + enable = true; + port = 3000; + }; + }; + + testScript = '' + machine.start() + + machine.wait_for_unit("gotify-server.service") + machine.wait_for_open_port(3000) + + token = machine.succeed( + "curl --fail -sS -X POST localhost:3000/application -F name=nixos " + + '-H "Authorization: Basic $(echo -ne "admin:admin" | base64 --wrap 0)" ' + + "| jq .token | xargs echo -n" + ) + + usertoken = machine.succeed( + "curl --fail -sS -X POST localhost:3000/client -F name=nixos " + + '-H "Authorization: Basic $(echo -ne "admin:admin" | base64 --wrap 0)" ' + + "| jq .token | xargs echo -n" + ) + + machine.succeed( + f"curl --fail -sS -X POST 'localhost:3000/message?token={token}' -H 'Accept: application/json' " + + "-F title=Gotify -F message=Works" + ) + + title = machine.succeed( + f"curl --fail -sS 'localhost:3000/message?since=0&token={usertoken}' | jq '.messages|.[0]|.title' | xargs echo -n" + ) + + assert title == "Gotify" + ''; +}) diff --git a/nixpkgs/nixos/tests/grafana.nix b/nixpkgs/nixos/tests/grafana.nix index 7a1b4c8ffbbc..4b453ece7f1e 100644 --- a/nixpkgs/nixos/tests/grafana.nix +++ b/nixpkgs/nixos/tests/grafana.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ lib, pkgs, ... }: +import ./make-test-python.nix ({ lib, pkgs, ... }: let inherit (lib) mkMerge nameValuePair maintainers; @@ -64,28 +64,34 @@ in { inherit nodes; testScript = '' - startAll(); + start_all() - subtest "Grafana sqlite", sub { - $sqlite->waitForUnit("grafana.service"); - $sqlite->waitForOpenPort(3000); - $sqlite->succeed("curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/org/users | grep -q testadmin\@localhost"); - }; + with subtest("Successful API query as admin user with sqlite db"): + sqlite.wait_for_unit("grafana.service") + sqlite.wait_for_open_port(3000) + sqlite.succeed( + "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/org/users | grep -q testadmin\@localhost" + ) + sqlite.shutdown() - subtest "Grafana postgresql", sub { - $postgresql->waitForUnit("grafana.service"); - $postgresql->waitForUnit("postgresql.service"); - $postgresql->waitForOpenPort(3000); - $postgresql->waitForOpenPort(5432); - $postgresql->succeed("curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/org/users | grep -q testadmin\@localhost"); - }; + with subtest("Successful API query as admin user with postgresql db"): + postgresql.wait_for_unit("grafana.service") + postgresql.wait_for_unit("postgresql.service") + postgresql.wait_for_open_port(3000) + postgresql.wait_for_open_port(5432) + postgresql.succeed( + "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/org/users | grep -q testadmin\@localhost" + ) + postgresql.shutdown() - subtest "Grafana mysql", sub { - $mysql->waitForUnit("grafana.service"); - $mysql->waitForUnit("mysql.service"); - $mysql->waitForOpenPort(3000); - $mysql->waitForOpenPort(3306); - $mysql->succeed("curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/org/users | grep -q testadmin\@localhost"); - }; + with subtest("Successful API query as admin user with mysql db"): + mysql.wait_for_unit("grafana.service") + mysql.wait_for_unit("mysql.service") + mysql.wait_for_open_port(3000) + mysql.wait_for_open_port(3306) + mysql.succeed( + "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/org/users | grep -q testadmin\@localhost" + ) + mysql.shutdown() ''; }) diff --git a/nixpkgs/nixos/tests/graphene.nix b/nixpkgs/nixos/tests/graphene.nix deleted file mode 100644 index 5591bcc30c07..000000000000 --- a/nixpkgs/nixos/tests/graphene.nix +++ /dev/null @@ -1,18 +0,0 @@ -# run installed tests -import ./make-test.nix ({ pkgs, ... }: - -{ - name = "graphene"; - - meta = { - maintainers = pkgs.graphene.meta.maintainers; - }; - - machine = { pkgs, ... }: { - environment.systemPackages = with pkgs; [ gnome-desktop-testing ]; - }; - - testScript = '' - $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.graphene.installedTests}/share'"); - ''; -}) diff --git a/nixpkgs/nixos/tests/graylog.nix b/nixpkgs/nixos/tests/graylog.nix index dc54afd1d26d..2d22012fa7c0 100644 --- a/nixpkgs/nixos/tests/graylog.nix +++ b/nixpkgs/nixos/tests/graylog.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, lib, ... }: { +import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "graylog"; meta.maintainers = with lib.maintainers; [ ma27 ]; @@ -64,48 +64,52 @@ import ./make-test.nix ({ pkgs, lib, ... }: { facility = "Test"; }); in '' - $machine->start; - $machine->waitForUnit("graylog.service"); - $machine->waitForOpenPort(9000); - $machine->succeed("curl -sSfL http://127.0.0.1:9000/"); + machine.start() + machine.wait_for_unit("graylog.service") + machine.wait_for_open_port(9000) + machine.succeed("curl -sSfL http://127.0.0.1:9000/") - my $session = $machine->succeed("curl -X POST " - . "-sSfL http://127.0.0.1:9000/api/system/sessions " - . "-d \$(cat ${payloads.login}) " - . "-H 'Content-Type: application/json' " - . "-H 'Accept: application/json' " - . "-H 'x-requested-by: cli' " - . "| jq .session_id | xargs echo" - ); + session = machine.succeed( + "curl -X POST " + + "-sSfL http://127.0.0.1:9000/api/system/sessions " + + "-d $(cat ${payloads.login}) " + + "-H 'Content-Type: application/json' " + + "-H 'Accept: application/json' " + + "-H 'x-requested-by: cli' " + + "| jq .session_id | xargs echo" + ).rstrip() - chomp($session); + machine.succeed( + "curl -X POST " + + f"-sSfL http://127.0.0.1:9000/api/system/inputs -u {session}:session " + + '-d $(cat ${payloads.input} | sed -e "s,@node@,$(cat /var/lib/graylog/server/node-id),") ' + + "-H 'Accept: application/json' " + + "-H 'Content-Type: application/json' " + + "-H 'x-requested-by: cli' " + ) - $machine->succeed("curl -X POST " - . "-sSfL http://127.0.0.1:9000/api/system/inputs -u $session:session " - . "-d \$(cat ${payloads.input} | sed -e \"s,\@node\@,\$(cat /var/lib/graylog/server/node-id),\") " - . "-H 'Accept: application/json' " - . "-H 'Content-Type: application/json' " - . "-H 'x-requested-by: cli' " - ); + machine.wait_until_succeeds( + "test \"$(curl -sSfL 'http://127.0.0.1:9000/api/cluster/inputstates' " + + f"-u {session}:session " + + "-H 'Accept: application/json' " + + "-H 'Content-Type: application/json' " + + "-H 'x-requested-by: cli'" + + "| jq 'to_entries[]|.value|.[0]|.state' | xargs echo" + + ')" = "RUNNING"' + ) - $machine->waitUntilSucceeds("test \"\$(curl -sSfL 'http://127.0.0.1:9000/api/cluster/inputstates' " - . "-u $session:session " - . "-H 'Accept: application/json' " - . "-H 'Content-Type: application/json' " - . "-H 'x-requested-by: cli'" - . "| jq 'to_entries[]|.value|.[0]|.state' | xargs echo" - . ")\" = \"RUNNING\"" - ); + machine.succeed( + "echo -n $(cat ${payloads.gelf_message}) | nc -w10 -u 127.0.0.1 12201" + ) - $machine->succeed("echo -n \$(cat ${payloads.gelf_message}) | nc -w10 -u 127.0.0.1 12201"); - - $machine->succeed("test \"\$(curl -X GET " - . "-sSfL 'http://127.0.0.1:9000/api/search/universal/relative?query=*' " - . "-u $session:session " - . "-H 'Accept: application/json' " - . "-H 'Content-Type: application/json' " - . "-H 'x-requested-by: cli'" - . " | jq '.total_results' | xargs echo)\" = \"1\"" - ); + machine.succeed( + 'test "$(curl -X GET ' + + "-sSfL 'http://127.0.0.1:9000/api/search/universal/relative?query=*' " + + f"-u {session}:session " + + "-H 'Accept: application/json' " + + "-H 'Content-Type: application/json' " + + "-H 'x-requested-by: cli'" + + ' | jq \'.total_results\' | xargs echo)" = "1"' + ) ''; }) diff --git a/nixpkgs/nixos/tests/gvisor.nix b/nixpkgs/nixos/tests/gvisor.nix new file mode 100644 index 000000000000..4d68a1d8a5f8 --- /dev/null +++ b/nixpkgs/nixos/tests/gvisor.nix @@ -0,0 +1,49 @@ +# This test runs a container through gvisor and checks if simple container starts + +import ./make-test-python.nix ({ pkgs, ...} : { + name = "gvisor"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ andrew-d ]; + }; + + nodes = { + gvisor = + { pkgs, ... }: + { + virtualisation.docker = { + enable = true; + extraOptions = "--add-runtime runsc=${pkgs.gvisor}/bin/runsc"; + }; + + networking = { + dhcpcd.enable = false; + defaultGateway = "192.168.1.1"; + interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [ + { address = "192.168.1.2"; prefixLength = 24; } + ]; + }; + }; + }; + + testScript = '' + start_all() + + gvisor.wait_for_unit("network.target") + gvisor.wait_for_unit("sockets.target") + + # Start by verifying that gvisor itself works + output = gvisor.succeed( + "${pkgs.gvisor}/bin/runsc -alsologtostderr do ${pkgs.coreutils}/bin/echo hello world" + ) + assert output.strip() == "hello world" + + # Also test the Docker runtime + gvisor.succeed("tar cv --files-from /dev/null | docker import - scratchimg") + gvisor.succeed( + "docker run -d --name=sleeping --runtime=runsc -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10" + ) + gvisor.succeed("docker ps | grep sleeping") + gvisor.succeed("docker stop sleeping") + ''; +}) + diff --git a/nixpkgs/nixos/tests/hadoop/hdfs.nix b/nixpkgs/nixos/tests/hadoop/hdfs.nix index e7d72a56e1e7..85aaab34b158 100644 --- a/nixpkgs/nixos/tests/hadoop/hdfs.nix +++ b/nixpkgs/nixos/tests/hadoop/hdfs.nix @@ -1,4 +1,4 @@ -import ../make-test.nix ({...}: { +import ../make-test-python.nix ({...}: { nodes = { namenode = {pkgs, ...}: { services.hadoop = { @@ -35,20 +35,20 @@ import ../make-test.nix ({...}: { }; testScript = '' - startAll + start_all() - $namenode->waitForUnit("hdfs-namenode"); - $namenode->waitForUnit("network.target"); - $namenode->waitForOpenPort(8020); - $namenode->waitForOpenPort(9870); + namenode.wait_for_unit("hdfs-namenode") + namenode.wait_for_unit("network.target") + namenode.wait_for_open_port(8020) + namenode.wait_for_open_port(9870) - $datanode->waitForUnit("hdfs-datanode"); - $datanode->waitForUnit("network.target"); - $datanode->waitForOpenPort(9864); - $datanode->waitForOpenPort(9866); - $datanode->waitForOpenPort(9867); + datanode.wait_for_unit("hdfs-datanode") + datanode.wait_for_unit("network.target") + datanode.wait_for_open_port(9864) + datanode.wait_for_open_port(9866) + datanode.wait_for_open_port(9867) - $namenode->succeed("curl http://namenode:9870"); - $datanode->succeed("curl http://datanode:9864"); + namenode.succeed("curl http://namenode:9870") + datanode.succeed("curl http://datanode:9864") ''; }) diff --git a/nixpkgs/nixos/tests/hadoop/yarn.nix b/nixpkgs/nixos/tests/hadoop/yarn.nix index 031592301f17..2264ecaff155 100644 --- a/nixpkgs/nixos/tests/hadoop/yarn.nix +++ b/nixpkgs/nixos/tests/hadoop/yarn.nix @@ -1,4 +1,4 @@ -import ../make-test.nix ({...}: { +import ../make-test-python.nix ({...}: { nodes = { resourcemanager = {pkgs, ...}: { services.hadoop.package = pkgs.hadoop_3_1; @@ -28,19 +28,19 @@ import ../make-test.nix ({...}: { }; testScript = '' - startAll; + start_all() - $resourcemanager->waitForUnit("yarn-resourcemanager"); - $resourcemanager->waitForUnit("network.target"); - $resourcemanager->waitForOpenPort(8031); - $resourcemanager->waitForOpenPort(8088); + resourcemanager.wait_for_unit("yarn-resourcemanager") + resourcemanager.wait_for_unit("network.target") + resourcemanager.wait_for_open_port(8031) + resourcemanager.wait_for_open_port(8088) - $nodemanager->waitForUnit("yarn-nodemanager"); - $nodemanager->waitForUnit("network.target"); - $nodemanager->waitForOpenPort(8042); - $nodemanager->waitForOpenPort(8041); + nodemanager.wait_for_unit("yarn-nodemanager") + nodemanager.wait_for_unit("network.target") + nodemanager.wait_for_open_port(8042) + nodemanager.wait_for_open_port(8041) - $resourcemanager->succeed("curl http://localhost:8088"); - $nodemanager->succeed("curl http://localhost:8042"); + resourcemanager.succeed("curl http://localhost:8088") + nodemanager.succeed("curl http://localhost:8042") ''; }) diff --git a/nixpkgs/nixos/tests/haka.nix b/nixpkgs/nixos/tests/haka.nix index 6277ebb4933f..3ca19cb0971c 100644 --- a/nixpkgs/nixos/tests/haka.nix +++ b/nixpkgs/nixos/tests/haka.nix @@ -1,6 +1,6 @@ # This test runs haka and probes it with hakactl -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "haka"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ tvestelind ]; @@ -15,10 +15,10 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; + start_all() - $haka->waitForUnit("haka.service"); - $haka->succeed("hakactl status"); - $haka->succeed("hakactl stop"); + haka.wait_for_unit("haka.service") + haka.succeed("hakactl status") + haka.succeed("hakactl stop") ''; }) diff --git a/nixpkgs/nixos/tests/handbrake.nix b/nixpkgs/nixos/tests/handbrake.nix index ae87e1f69a7d..e5fb6b269b19 100644 --- a/nixpkgs/nixos/tests/handbrake.nix +++ b/nixpkgs/nixos/tests/handbrake.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, ... }: let # Download Big Buck Bunny example, licensed under CC Attribution 3.0. testMkv = pkgs.fetchurl { @@ -19,7 +19,13 @@ in { testScript = '' # Test MP4 and MKV transcoding. Since this is a short clip, transcoding typically # only takes a few seconds. - $machine->succeed("HandBrakeCLI -i ${testMkv} -o test.mp4 -e x264 -q 20 -B 160"); - $machine->succeed("HandBrakeCLI -i ${testMkv} -o test.mkv -e x264 -q 20 -B 160"); + start_all() + + machine.succeed( + "HandBrakeCLI -i ${testMkv} -o test.mp4 -e x264 -q 20 -B 160" + ) + machine.succeed( + "HandBrakeCLI -i ${testMkv} -o test.mkv -e x264 -q 20 -B 160" + ) ''; }) diff --git a/nixpkgs/nixos/tests/haproxy.nix b/nixpkgs/nixos/tests/haproxy.nix index 22a83e9d1eab..79f34b07faf4 100644 --- a/nixpkgs/nixos/tests/haproxy.nix +++ b/nixpkgs/nixos/tests/haproxy.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...}: { +import ./make-test-python.nix ({ pkgs, ...}: { name = "haproxy"; nodes = { machine = { ... }: { @@ -16,26 +16,32 @@ import ./make-test.nix ({ pkgs, ...}: { frontend http bind *:80 mode http + option http-use-htx + http-request use-service prometheus-exporter if { path /metrics } use_backend http_server ''; }; services.httpd = { enable = true; - documentRoot = pkgs.writeTextDir "index.txt" "We are all good!"; - adminAddr = "notme@yourhost.local"; - listen = [{ - ip = "::1"; - port = 8000; - }]; + virtualHosts.localhost = { + documentRoot = pkgs.writeTextDir "index.txt" "We are all good!"; + adminAddr = "notme@yourhost.local"; + listen = [{ + ip = "::1"; + port = 8000; + }]; + }; }; }; }; testScript = '' - startAll; - $machine->waitForUnit('multi-user.target'); - $machine->waitForUnit('haproxy.service'); - $machine->waitForUnit('httpd.service'); - $machine->succeed('curl -k http://localhost:80/index.txt | grep "We are all good!"'); - + start_all() + machine.wait_for_unit("multi-user.target") + machine.wait_for_unit("haproxy.service") + machine.wait_for_unit("httpd.service") + assert "We are all good!" in machine.succeed("curl -k http://localhost:80/index.txt") + assert "haproxy_process_pool_allocated_bytes" in machine.succeed( + "curl -k http://localhost:80/metrics" + ) ''; }) diff --git a/nixpkgs/nixos/tests/hibernate.nix b/nixpkgs/nixos/tests/hibernate.nix index 274aa7becc82..8251c6e7ef85 100644 --- a/nixpkgs/nixos/tests/hibernate.nix +++ b/nixpkgs/nixos/tests/hibernate.nix @@ -1,6 +1,6 @@ # Test whether hibernation from partition works. -import ./make-test.nix (pkgs: { +import ./make-test-python.nix (pkgs: { name = "hibernate"; nodes = { @@ -28,16 +28,17 @@ import ./make-test.nix (pkgs: { testScript = '' - $machine->waitForUnit("multi-user.target"); - $machine->succeed("mkswap /dev/vdb"); - $machine->succeed("swapon -a"); - $machine->startJob("listener"); - $machine->waitForOpenPort(4444); - $machine->succeed("systemctl hibernate &"); - $machine->waitForShutdown; - $probe->waitForUnit("multi-user.target"); - $machine->start; - $probe->waitUntilSucceeds("echo test | nc machine 4444 -N"); + machine.start() + machine.wait_for_unit("multi-user.target") + machine.succeed("mkswap /dev/vdb") + machine.succeed("swapon -a") + machine.start_job("listener") + machine.wait_for_open_port(4444) + machine.succeed("systemctl hibernate &") + machine.wait_for_shutdown() + probe.wait_for_unit("multi-user.target") + machine.start() + probe.wait_until_succeeds("echo test | nc machine 4444 -N") ''; }) diff --git a/nixpkgs/nixos/tests/hitch/default.nix b/nixpkgs/nixos/tests/hitch/default.nix index cb24c4dcffc2..904d12619d70 100644 --- a/nixpkgs/nixos/tests/hitch/default.nix +++ b/nixpkgs/nixos/tests/hitch/default.nix @@ -1,4 +1,4 @@ -import ../make-test.nix ({ pkgs, ... }: +import ../make-test-python.nix ({ pkgs, ... }: { name = "hitch"; meta = with pkgs.stdenv.lib.maintainers; { @@ -16,18 +16,18 @@ import ../make-test.nix ({ pkgs, ... }: services.httpd = { enable = true; - documentRoot = ./example; + virtualHosts.localhost.documentRoot = ./example; adminAddr = "noone@testing.nowhere"; }; }; testScript = '' - startAll; + start_all() - $machine->waitForUnit('multi-user.target'); - $machine->waitForUnit('hitch.service'); - $machine->waitForOpenPort(443); - $machine->succeed('curl -k https://localhost:443/index.txt | grep "We are all good!"'); + machine.wait_for_unit("multi-user.target") + machine.wait_for_unit("hitch.service") + machine.wait_for_open_port(443) + assert "We are all good!" in machine.succeed("curl -k https://localhost:443/index.txt") ''; }) diff --git a/nixpkgs/nixos/tests/home-assistant.nix b/nixpkgs/nixos/tests/home-assistant.nix index 6b53914fd859..80dca43f1f3d 100644 --- a/nixpkgs/nixos/tests/home-assistant.nix +++ b/nixpkgs/nixos/tests/home-assistant.nix @@ -1,11 +1,10 @@ -import ./make-test.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, ... }: let configDir = "/var/lib/foobar"; apiPassword = "some_secret"; mqttPassword = "another_secret"; hassCli = "hass-cli --server http://hass:8123 --password '${apiPassword}'"; - in { name = "home-assistant"; meta = with pkgs.stdenv.lib; { @@ -69,36 +68,44 @@ in { }; testScript = '' - startAll; - $hass->waitForUnit("home-assistant.service"); - - # The config is specified using a Nix attribute set, - # converted from JSON to YAML, and linked to the config dir - $hass->succeed("test -L ${configDir}/configuration.yaml"); - # The lovelace config is copied because lovelaceConfigWritable = true - $hass->succeed("test -f ${configDir}/ui-lovelace.yaml"); - - # Check that Home Assistant's web interface and API can be reached - $hass->waitForOpenPort(8123); - $hass->succeed("curl --fail http://localhost:8123/states"); - $hass->succeed("curl --fail -H 'x-ha-access: ${apiPassword}' http://localhost:8123/api/ | grep -qF 'API running'"); - - # Toggle a binary sensor using MQTT - $hass->succeed("curl http://localhost:8123/api/states/binary_sensor.mqtt_binary_sensor -H 'x-ha-access: ${apiPassword}' | grep -qF '\"state\": \"off\"'"); - $hass->waitUntilSucceeds("mosquitto_pub -V mqttv311 -t home-assistant/test -u homeassistant -P '${mqttPassword}' -m let_there_be_light"); - $hass->succeed("curl http://localhost:8123/api/states/binary_sensor.mqtt_binary_sensor -H 'x-ha-access: ${apiPassword}' | grep -qF '\"state\": \"on\"'"); - - # Toggle a binary sensor using hass-cli - $hass->succeed("${hassCli} --output json state get binary_sensor.mqtt_binary_sensor | grep -qF '\"state\": \"on\"'"); - $hass->succeed("${hassCli} state edit binary_sensor.mqtt_binary_sensor --json='{\"state\": \"off\"}'"); - $hass->succeed("curl http://localhost:8123/api/states/binary_sensor.mqtt_binary_sensor -H 'x-ha-access: ${apiPassword}' | grep -qF '\"state\": \"off\"'"); - - # Print log to ease debugging - my $log = $hass->succeed("cat ${configDir}/home-assistant.log"); - print "\n### home-assistant.log ###\n"; - print "$log\n"; + start_all() + hass.wait_for_unit("home-assistant.service") + with subtest("Check that YAML configuration file is in place"): + hass.succeed("test -L ${configDir}/configuration.yaml") + with subtest("lovelace config is copied because lovelaceConfigWritable = true"): + hass.succeed("test -f ${configDir}/ui-lovelace.yaml") + with subtest("Check that Home Assistant's web interface and API can be reached"): + hass.wait_for_open_port(8123) + hass.succeed("curl --fail http://localhost:8123/states") + assert "API running" in hass.succeed( + "curl --fail -H 'x-ha-access: ${apiPassword}' http://localhost:8123/api/" + ) + with subtest("Toggle a binary sensor using MQTT"): + assert '"state": "off"' in hass.succeed( + "curl http://localhost:8123/api/states/binary_sensor.mqtt_binary_sensor -H 'x-ha-access: ${apiPassword}'" + ) + hass.wait_until_succeeds( + "mosquitto_pub -V mqttv311 -t home-assistant/test -u homeassistant -P '${mqttPassword}' -m let_there_be_light" + ) + assert '"state": "on"' in hass.succeed( + "curl http://localhost:8123/api/states/binary_sensor.mqtt_binary_sensor -H 'x-ha-access: ${apiPassword}'" + ) + with subtest("Toggle a binary sensor using hass-cli"): + assert '"state": "on"' in hass.succeed( + "${hassCli} --output json state get binary_sensor.mqtt_binary_sensor" + ) + hass.succeed( + "${hassCli} state edit binary_sensor.mqtt_binary_sensor --json='{\"state\": \"off\"}'" + ) + assert '"state": "off"' in hass.succeed( + "curl http://localhost:8123/api/states/binary_sensor.mqtt_binary_sensor -H 'x-ha-access: ${apiPassword}'" + ) + with subtest("Print log to ease debugging"): + output_log = hass.succeed("cat ${configDir}/home-assistant.log") + print("\n### home-assistant.log ###\n") + print(output_log + "\n") - # Check that no errors were logged - $hass->fail("cat ${configDir}/home-assistant.log | grep -qF ERROR"); + with subtest("Check that no errors were logged"): + assert "ERROR" not in output_log ''; }) diff --git a/nixpkgs/nixos/tests/hound.nix b/nixpkgs/nixos/tests/hound.nix index cb8e25332c07..27c65abdf27c 100644 --- a/nixpkgs/nixos/tests/hound.nix +++ b/nixpkgs/nixos/tests/hound.nix @@ -1,5 +1,5 @@ # Test whether `houndd` indexes nixpkgs -import ./make-test.nix ({ pkgs, ... } : { +import ./make-test-python.nix ({ pkgs, ... } : { name = "hound"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ grahamc ]; @@ -46,13 +46,14 @@ import ./make-test.nix ({ pkgs, ... } : { }; }; - testScript = - '' startAll; + testScript = '' + start_all() - $machine->waitForUnit("network.target"); - $machine->waitForUnit("hound.service"); - $machine->waitForOpenPort(6080); - $machine->waitUntilSucceeds('curl http://127.0.0.1:6080/api/v1/search\?stats\=fosho\&repos\=\*\&rng=%3A20\&q\=hi\&files\=\&i=nope | grep "Filename" | grep "hello"'); - - ''; + machine.wait_for_unit("network.target") + machine.wait_for_unit("hound.service") + machine.wait_for_open_port(6080) + machine.wait_until_succeeds( + "curl http://127.0.0.1:6080/api/v1/search\?stats\=fosho\&repos\=\*\&rng=%3A20\&q\=hi\&files\=\&i=nope | grep 'Filename' | grep 'hello'" + ) + ''; }) diff --git a/nixpkgs/nixos/tests/hydra/default.nix b/nixpkgs/nixos/tests/hydra/default.nix index 6ca05a2c7797..1c0ed3369b1c 100644 --- a/nixpkgs/nixos/tests/hydra/default.nix +++ b/nixpkgs/nixos/tests/hydra/default.nix @@ -30,11 +30,11 @@ let callTest = f: f { inherit system pkgs; }; hydraPkgs = { - inherit (pkgs) nixStable nixUnstable; + inherit (pkgs) nixStable nixUnstable nixFlakes; }; tests = pkgs.lib.flip pkgs.lib.mapAttrs hydraPkgs (name: nix: - callTest (import ../make-test.nix ({ pkgs, lib, ... }: + callTest (import ../make-test-python.nix ({ pkgs, lib, ... }: { name = "hydra-with-${name}"; meta = with pkgs.stdenv.lib.maintainers; { @@ -73,26 +73,30 @@ let testScript = '' # let the system boot up - $machine->waitForUnit("multi-user.target"); + machine.wait_for_unit("multi-user.target") # test whether the database is running - $machine->waitForUnit("postgresql.service"); + machine.wait_for_unit("postgresql.service") # test whether the actual hydra daemons are running - $machine->waitForUnit("hydra-init.service"); - $machine->requireActiveUnit("hydra-queue-runner.service"); - $machine->requireActiveUnit("hydra-evaluator.service"); - $machine->requireActiveUnit("hydra-notify.service"); + machine.wait_for_unit("hydra-init.service") + machine.require_unit_state("hydra-queue-runner.service") + machine.require_unit_state("hydra-evaluator.service") + machine.require_unit_state("hydra-notify.service") - $machine->succeed("hydra-create-user admin --role admin --password admin"); + machine.succeed("hydra-create-user admin --role admin --password admin") # create a project with a trivial job - $machine->waitForOpenPort(3000); + machine.wait_for_open_port(3000) # make sure the build as been successfully built - $machine->succeed("create-trivial-project.sh"); + machine.succeed("create-trivial-project.sh") - $machine->waitUntilSucceeds('curl -L -s http://localhost:3000/build/1 -H "Accept: application/json" | jq .buildstatus | xargs test 0 -eq'); + machine.wait_until_succeeds( + 'curl -L -s http://localhost:3000/build/1 -H "Accept: application/json" | jq .buildstatus | xargs test 0 -eq' + ) - $machine->waitUntilSucceeds('journalctl -eu hydra-notify.service -o cat | grep -q "sending mail notification to hydra@localhost"'); + machine.wait_until_succeeds( + 'journalctl -eu hydra-notify.service -o cat | grep -q "sending mail notification to hydra@localhost"' + ) ''; }))); diff --git a/nixpkgs/nixos/tests/i3wm.nix b/nixpkgs/nixos/tests/i3wm.nix index d309f19a0b4a..126178d11879 100644 --- a/nixpkgs/nixos/tests/i3wm.nix +++ b/nixpkgs/nixos/tests/i3wm.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "i3wm"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ aszlig ]; @@ -7,29 +7,40 @@ import ./make-test.nix ({ pkgs, ...} : { machine = { lib, ... }: { imports = [ ./common/x11.nix ./common/user-account.nix ]; services.xserver.displayManager.auto.user = "alice"; - services.xserver.windowManager.default = lib.mkForce "i3"; + services.xserver.displayManager.defaultSession = lib.mkForce "none+i3"; services.xserver.windowManager.i3.enable = true; }; testScript = { ... }: '' - $machine->waitForX; - $machine->waitForFile("/home/alice/.Xauthority"); - $machine->succeed("xauth merge ~alice/.Xauthority"); - $machine->waitForWindow(qr/first configuration/); - $machine->sleep(2); - $machine->screenshot("started"); - $machine->sendKeys("ret"); - $machine->sleep(2); - $machine->sendKeys("alt"); - $machine->sleep(2); - $machine->screenshot("configured"); - $machine->sendKeys("ret"); - # make sure the config file is created before we continue - $machine->waitForFile("/home/alice/.config/i3/config"); - $machine->sleep(2); - $machine->sendKeys("alt-ret"); - $machine->waitForWindow(qr/alice.*machine/); - $machine->sleep(2); - $machine->screenshot("terminal"); + with subtest("ensure x starts"): + machine.wait_for_x() + machine.wait_for_file("/home/alice/.Xauthority") + machine.succeed("xauth merge ~alice/.Xauthority") + + with subtest("ensure we get first configuration window"): + machine.wait_for_window(r".*?first configuration.*?") + machine.sleep(2) + machine.screenshot("started") + + with subtest("ensure we generate and save a config"): + # press return to indicate we want to gen a new config + machine.send_key("\n") + machine.sleep(2) + machine.screenshot("preconfig") + # press alt then return to indicate we want to use alt as our Mod key + machine.send_key("alt") + machine.send_key("\n") + machine.sleep(2) + # make sure the config file is created before we continue + machine.wait_for_file("/home/alice/.config/i3/config") + machine.screenshot("postconfig") + machine.sleep(2) + + with subtest("ensure we can open a new terminal"): + machine.send_key("alt-ret") + machine.sleep(2) + machine.wait_for_window(r"alice.*?machine") + machine.sleep(2) + machine.screenshot("terminal") ''; }) diff --git a/nixpkgs/nixos/tests/icingaweb2.nix b/nixpkgs/nixos/tests/icingaweb2.nix index ea1b94c526b1..2f65604539c1 100644 --- a/nixpkgs/nixos/tests/icingaweb2.nix +++ b/nixpkgs/nixos/tests/icingaweb2.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: { +import ./make-test-python.nix ({ pkgs, ... }: { name = "icingaweb2"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ das_j ]; @@ -64,8 +64,8 @@ import ./make-test.nix ({ pkgs, ... }: { }; testScript = '' - startAll(); - $icingaweb2->waitForUnit("multi-user.target"); - $icingaweb2->succeed("curl -sSf http://icingaweb2/authentication/login"); + start_all() + icingaweb2.wait_for_unit("multi-user.target") + icingaweb2.succeed("curl -sSf http://icingaweb2/authentication/login") ''; }) diff --git a/nixpkgs/nixos/tests/iftop.nix b/nixpkgs/nixos/tests/iftop.nix index a4f524ceb27b..8a161027c2ad 100644 --- a/nixpkgs/nixos/tests/iftop.nix +++ b/nixpkgs/nixos/tests/iftop.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, lib, ... }: +import ./make-test-python.nix ({ pkgs, lib, ... }: with lib; @@ -18,17 +18,16 @@ with lib; }; testScript = '' - subtest "machine with iftop enabled", sub { - $withIftop->waitForUnit("default.target"); - # limit to eth1 (eth0 is the test driver's control interface) - # and don't try name lookups - $withIftop->succeed("su -l alice -c 'iftop -t -s 1 -n -i eth1'"); - }; - subtest "machine without iftop", sub { - $withoutIftop->waitForUnit("default.target"); - # check that iftop is there but user alice lacks capabilities - $withoutIftop->succeed("iftop -t -s 1 -n -i eth1"); - $withoutIftop->fail("su -l alice -c 'iftop -t -s 1 -n -i eth1'"); - }; + with subtest("machine with iftop enabled"): + withIftop.wait_for_unit("default.target") + # limit to eth1 (eth0 is the test driver's control interface) + # and don't try name lookups + withIftop.succeed("su -l alice -c 'iftop -t -s 1 -n -i eth1'") + + with subtest("machine without iftop"): + withoutIftop.wait_for_unit("default.target") + # check that iftop is there but user alice lacks capabilitie + withoutIftop.succeed("iftop -t -s 1 -n -i eth1") + withoutIftop.fail("su -l alice -c 'iftop -t -s 1 -n -i eth1'") ''; }) diff --git a/nixpkgs/nixos/tests/ihatemoney.nix b/nixpkgs/nixos/tests/ihatemoney.nix new file mode 100644 index 000000000000..14db17fe5e67 --- /dev/null +++ b/nixpkgs/nixos/tests/ihatemoney.nix @@ -0,0 +1,52 @@ +{ system ? builtins.currentSystem +, config ? {} +, pkgs ? import ../.. { inherit system config; } +}: + +let + inherit (import ../lib/testing.nix { inherit system pkgs; }) makeTest; +in +map ( + backend: makeTest { + name = "ihatemoney-${backend}"; + machine = { lib, ... }: { + services.ihatemoney = { + enable = true; + enablePublicProjectCreation = true; + inherit backend; + uwsgiConfig = { + http = ":8000"; + }; + }; + boot.cleanTmpDir = true; + # ihatemoney needs a local smtp server otherwise project creation just crashes + services.opensmtpd = { + enable = true; + serverConfiguration = '' + listen on lo + action foo relay + match from any for any action foo + ''; + }; + }; + testScript = '' + $machine->waitForOpenPort(8000); + $machine->waitForUnit("uwsgi.service"); + my $return = $machine->succeed("curl -X POST http://localhost:8000/api/projects -d 'name=yay&id=yay&password=yay&contact_email=yay\@example.com'"); + die "wrong project id $return" unless "\"yay\"\n" eq $return; + my $timestamp = $machine->succeed("stat --printf %Y /var/lib/ihatemoney/secret_key"); + my $owner = $machine->succeed("stat --printf %U:%G /var/lib/ihatemoney/secret_key"); + die "wrong ownership for the secret key: $owner, is uwsgi running as the right user ?" unless $owner eq "ihatemoney:ihatemoney"; + $machine->shutdown(); + $machine->start(); + $machine->waitForOpenPort(8000); + $machine->waitForUnit("uwsgi.service"); + # check that the database is really persistent + print $machine->succeed("curl --basic -u yay:yay http://localhost:8000/api/projects/yay"); + # check that the secret key is really persistent + my $timestamp2 = $machine->succeed("stat --printf %Y /var/lib/ihatemoney/secret_key"); + die unless $timestamp eq $timestamp2; + $machine->succeed("curl http://localhost:8000 | grep ihatemoney"); + ''; + } +) [ "sqlite" "postgresql" ] diff --git a/nixpkgs/nixos/tests/incron.nix b/nixpkgs/nixos/tests/incron.nix index e39bbb5f096b..b22ee4c9a037 100644 --- a/nixpkgs/nixos/tests/incron.nix +++ b/nixpkgs/nixos/tests/incron.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, lib, ... }: +import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "incron"; @@ -19,34 +19,34 @@ import ./make-test.nix ({ pkgs, lib, ... }: }; testScript = '' - startAll; + start_all() - $machine->waitForUnit("multi-user.target"); - $machine->waitForUnit("incron.service"); + machine.wait_for_unit("multi-user.target") + machine.wait_for_unit("incron.service") - $machine->succeed("test -d /test"); + machine.succeed("test -d /test") # create some activity for incron to monitor - $machine->succeed("touch /test/file"); - $machine->succeed("echo foo >> /test/file"); - $machine->succeed("mv /test/file /root"); - $machine->succeed("mv /root/file /test"); + machine.succeed("touch /test/file") + machine.succeed("echo foo >> /test/file") + machine.succeed("mv /test/file /root") + machine.succeed("mv /root/file /test") - $machine->sleep(1); + machine.sleep(1) # touch /test/file - $machine->succeed("grep '/test/file IN_CREATE' /root/incron.log"); + machine.succeed("grep '/test/file IN_CREATE' /root/incron.log") # echo foo >> /test/file - $machine->succeed("grep '/test/file IN_MODIFY' /root/incron.log"); - $machine->succeed("grep '/test/file IN_CLOSE_WRITE' /root/incron.log"); + machine.succeed("grep '/test/file IN_MODIFY' /root/incron.log") + machine.succeed("grep '/test/file IN_CLOSE_WRITE' /root/incron.log") # mv /test/file /root - $machine->succeed("grep '/test/file IN_MOVED_FROM' /root/incron.log"); + machine.succeed("grep '/test/file IN_MOVED_FROM' /root/incron.log") # mv /root/file /test - $machine->succeed("grep '/test/file IN_MOVED_TO' /root/incron.log"); + machine.succeed("grep '/test/file IN_MOVED_TO' /root/incron.log") # ensure something unexpected is not present - $machine->fail("grep 'IN_OPEN' /root/incron.log"); + machine.fail("grep 'IN_OPEN' /root/incron.log") ''; }) diff --git a/nixpkgs/nixos/tests/influxdb.nix b/nixpkgs/nixos/tests/influxdb.nix index 61201202204b..04ef80461010 100644 --- a/nixpkgs/nixos/tests/influxdb.nix +++ b/nixpkgs/nixos/tests/influxdb.nix @@ -1,6 +1,6 @@ # This test runs influxdb and checks if influxdb is up and running -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "influxdb"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ offline ]; @@ -9,25 +9,32 @@ import ./make-test.nix ({ pkgs, ...} : { nodes = { one = { ... }: { services.influxdb.enable = true; + environment.systemPackages = [ pkgs.httpie ]; }; }; testScript = '' - startAll; - - $one->waitForUnit("influxdb.service"); + import shlex + + start_all() + + one.wait_for_unit("influxdb.service") # create database - $one->succeed(q~ - curl -XPOST http://localhost:8086/query --data-urlencode "q=CREATE DATABASE test" - ~); + one.succeed( + "curl -XPOST http://localhost:8086/query --data-urlencode 'q=CREATE DATABASE test'" + ) # write some points and run simple query - $one->succeed(q~ - curl -XPOST 'http://localhost:8086/write?db=test' --data-binary 'cpu_load_short,host=server01,region=us-west value=0.64 1434055562000000000' - ~); - $one->succeed(q~ - curl -GET 'http://localhost:8086/query' --data-urlencode "db=test" --data-urlencode "q=SELECT \"value\" FROM \"cpu_load_short\" WHERE \"region\"='us-west'" | grep "0\.64" - ~); + out = one.succeed( + "curl -XPOST 'http://localhost:8086/write?db=test' --data-binary 'cpu_load_short,host=server01,region=us-west value=0.64 1434055562000000000'" + ) + + qv = "SELECT value FROM cpu_load_short WHERE region='us-west'" + cmd = f'curl -GET "http://localhost:8086/query?db=test" --data-urlencode {shlex.quote("q="+ qv)}' + out = one.succeed(cmd) + + assert "2015-06-11T20:46:02Z" in out + assert "0.64" in out ''; }) diff --git a/nixpkgs/nixos/tests/initrd-network-ssh/default.nix b/nixpkgs/nixos/tests/initrd-network-ssh/default.nix index 796c50c610e3..73d9f938e226 100644 --- a/nixpkgs/nixos/tests/initrd-network-ssh/default.nix +++ b/nixpkgs/nixos/tests/initrd-network-ssh/default.nix @@ -1,4 +1,4 @@ -import ../make-test.nix ({ lib, ... }: +import ../make-test-python.nix ({ lib, ... }: { name = "initrd-network-ssh"; @@ -35,25 +35,31 @@ import ../make-test.nix ({ lib, ... }: client = { config, ... }: { - environment.etc.knownHosts = { - text = concatStrings [ - "server," - "${toString (head (splitString " " ( - toString (elemAt (splitString "\n" config.networking.extraHosts) 2) - )))} " - "${readFile ./dropbear.pub}" - ]; + environment.etc = { + knownHosts = { + text = concatStrings [ + "server," + "${toString (head (splitString " " ( + toString (elemAt (splitString "\n" config.networking.extraHosts) 2) + )))} " + "${readFile ./dropbear.pub}" + ]; + }; + sshKey = { + source = ./openssh.priv; # dont use this anywhere else + mode = "0600"; + }; }; }; }; testScript = '' - startAll; - $client->waitForUnit("network.target"); - $client->copyFileFromHost("${./openssh.priv}","/etc/sshKey"); - $client->succeed("chmod 0600 /etc/sshKey"); - $client->waitUntilSucceeds("ping -c 1 server"); - $client->succeed("ssh -i /etc/sshKey -o UserKnownHostsFile=/etc/knownHosts server 'touch /fnord'"); - $client->shutdown; + start_all() + client.wait_for_unit("network.target") + client.wait_until_succeeds("ping -c 1 server") + client.succeed( + "ssh -i /etc/sshKey -o UserKnownHostsFile=/etc/knownHosts server 'touch /fnord'" + ) + client.shutdown() ''; }) diff --git a/nixpkgs/nixos/tests/initrd-network.nix b/nixpkgs/nixos/tests/initrd-network.nix index ed9b82e2da77..4796ff9b7c8d 100644 --- a/nixpkgs/nixos/tests/initrd-network.nix +++ b/nixpkgs/nixos/tests/initrd-network.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "initrd-network"; meta.maintainers = [ pkgs.stdenv.lib.maintainers.eelco ]; @@ -15,8 +15,8 @@ import ./make-test.nix ({ pkgs, ...} : { testScript = '' - startAll; - $machine->waitForUnit("multi-user.target"); - $machine->succeed("ip link >&2"); + start_all() + machine.wait_for_unit("multi-user.target") + machine.succeed("ip link >&2") ''; }) diff --git a/nixpkgs/nixos/tests/installed-tests/colord.nix b/nixpkgs/nixos/tests/installed-tests/colord.nix new file mode 100644 index 000000000000..77e6b917fe68 --- /dev/null +++ b/nixpkgs/nixos/tests/installed-tests/colord.nix @@ -0,0 +1,5 @@ +{ pkgs, makeInstalledTest, ... }: + +makeInstalledTest { + tested = pkgs.colord; +} diff --git a/nixpkgs/nixos/tests/installed-tests/default.nix b/nixpkgs/nixos/tests/installed-tests/default.nix new file mode 100644 index 000000000000..8e997ee4aeb9 --- /dev/null +++ b/nixpkgs/nixos/tests/installed-tests/default.nix @@ -0,0 +1,96 @@ +# NixOS tests for gnome-desktop-testing-runner using software +# See https://wiki.gnome.org/Initiatives/GnomeGoals/InstalledTests + +{ system ? builtins.currentSystem, + config ? {}, + pkgs ? import ../../.. { inherit system config; } +}: + +with import ../../lib/testing-python.nix { inherit system pkgs; }; +with pkgs.lib; + +let + + callInstalledTest = pkgs.newScope { inherit makeInstalledTest; }; + + makeInstalledTest = + { # Package to test. Needs to have an installedTests output + tested + + # Config to inject into machine + , testConfig ? {} + + # Test script snippet to inject before gnome-desktop-testing-runner begins. + # This is useful for extra setup the environment may need before the runner begins. + , preTestScript ? "" + + # Does test need X11? + , withX11 ? false + + # Extra flags to pass to gnome-desktop-testing-runner. + , testRunnerFlags ? "" + + # Extra attributes to pass to makeTest. + # They will be recursively merged into the attrset created by this function. + , ... + }@args: + makeTest + (recursiveUpdate + rec { + name = tested.name; + + meta = { + maintainers = tested.meta.maintainers; + }; + + machine = { ... }: { + imports = [ + testConfig + ] ++ optional withX11 ../common/x11.nix; + + environment.systemPackages = with pkgs; [ gnome-desktop-testing ]; + + }; + + testScript = + optionalString withX11 '' + machine.wait_for_x() + '' + + optionalString (preTestScript != "") '' + ${preTestScript} + '' + + '' + machine.succeed( + "gnome-desktop-testing-runner ${testRunnerFlags} -d '${tested.installedTests}/share'" + ) + ''; + } + + (removeAttrs args [ + "tested" + "testConfig" + "preTestScript" + "withX11" + "testRunnerFlags" + ]) + ); + +in + +{ + colord = callInstalledTest ./colord.nix {}; + flatpak = callInstalledTest ./flatpak.nix {}; + flatpak-builder = callInstalledTest ./flatpak-builder.nix {}; + fwupd = callInstalledTest ./fwupd.nix {}; + gcab = callInstalledTest ./gcab.nix {}; + gdk-pixbuf = callInstalledTest ./gdk-pixbuf.nix {}; + gjs = callInstalledTest ./gjs.nix {}; + glib-networking = callInstalledTest ./glib-networking.nix {}; + gnome-photos = callInstalledTest ./gnome-photos.nix {}; + graphene = callInstalledTest ./graphene.nix {}; + ibus = callInstalledTest ./ibus.nix {}; + libgdata = callInstalledTest ./libgdata.nix {}; + libxmlb = callInstalledTest ./libxmlb.nix {}; + ostree = callInstalledTest ./ostree.nix {}; + xdg-desktop-portal = callInstalledTest ./xdg-desktop-portal.nix {}; +} diff --git a/nixpkgs/nixos/tests/installed-tests/flatpak-builder.nix b/nixpkgs/nixos/tests/installed-tests/flatpak-builder.nix new file mode 100644 index 000000000000..31b9f2b258fd --- /dev/null +++ b/nixpkgs/nixos/tests/installed-tests/flatpak-builder.nix @@ -0,0 +1,14 @@ +{ pkgs, makeInstalledTest, ... }: + +makeInstalledTest { + tested = pkgs.flatpak-builder; + + testConfig = { + services.flatpak.enable = true; + xdg.portal.enable = true; + environment.systemPackages = with pkgs; [ flatpak-builder ] ++ flatpak-builder.installedTestsDependencies; + virtualisation.diskSize = 2048; + }; + + testRunnerFlags = "--timeout 3600"; +} diff --git a/nixpkgs/nixos/tests/installed-tests/flatpak.nix b/nixpkgs/nixos/tests/installed-tests/flatpak.nix new file mode 100644 index 000000000000..091c99326629 --- /dev/null +++ b/nixpkgs/nixos/tests/installed-tests/flatpak.nix @@ -0,0 +1,19 @@ +{ pkgs, makeInstalledTest, ... }: + +makeInstalledTest { + tested = pkgs.flatpak; + withX11 = true; + + testConfig = { + services.xserver.desktopManager.gnome3.enable = true; # TODO: figure out minimal environment where the tests work + # common/x11.nix enables the auto display manager (lightdm) + services.xserver.displayManager.gdm.enable = false; + services.gnome3.core-utilities.enable = false; + services.flatpak.enable = true; + environment.systemPackages = with pkgs; [ gnupg ostree python2 ]; + virtualisation.memorySize = 2047; + virtualisation.diskSize = 1024; + }; + + testRunnerFlags = "--timeout 3600"; +} diff --git a/nixpkgs/nixos/tests/installed-tests/fwupd.nix b/nixpkgs/nixos/tests/installed-tests/fwupd.nix new file mode 100644 index 000000000000..b9f761e99582 --- /dev/null +++ b/nixpkgs/nixos/tests/installed-tests/fwupd.nix @@ -0,0 +1,12 @@ +{ pkgs, makeInstalledTest, ... }: + +makeInstalledTest { + tested = pkgs.fwupd; + + testConfig = { + services.fwupd.enable = true; + services.fwupd.blacklistPlugins = []; # don't blacklist test plugin + services.fwupd.enableTestRemote = true; + virtualisation.memorySize = 768; + }; +} diff --git a/nixpkgs/nixos/tests/installed-tests/gcab.nix b/nixpkgs/nixos/tests/installed-tests/gcab.nix new file mode 100644 index 000000000000..b24cc2e01267 --- /dev/null +++ b/nixpkgs/nixos/tests/installed-tests/gcab.nix @@ -0,0 +1,5 @@ +{ pkgs, makeInstalledTest, ... }: + +makeInstalledTest { + tested = pkgs.gcab; +} diff --git a/nixpkgs/nixos/tests/installed-tests/gdk-pixbuf.nix b/nixpkgs/nixos/tests/installed-tests/gdk-pixbuf.nix new file mode 100644 index 000000000000..3d0011a427a4 --- /dev/null +++ b/nixpkgs/nixos/tests/installed-tests/gdk-pixbuf.nix @@ -0,0 +1,13 @@ +{ pkgs, makeInstalledTest, ... }: + +makeInstalledTest { + tested = pkgs.gdk-pixbuf; + + testConfig = { + # Tests allocate a lot of memory trying to exploit a CVE + # but qemu-system-i386 has a 2047M memory limit + virtualisation.memorySize = if pkgs.stdenv.isi686 then 2047 else 4096; + }; + + testRunnerFlags = "--timeout 1800"; +} diff --git a/nixpkgs/nixos/tests/installed-tests/gjs.nix b/nixpkgs/nixos/tests/installed-tests/gjs.nix new file mode 100644 index 000000000000..1656e9de171b --- /dev/null +++ b/nixpkgs/nixos/tests/installed-tests/gjs.nix @@ -0,0 +1,6 @@ +{ pkgs, makeInstalledTest, ... }: + +makeInstalledTest { + tested = pkgs.gjs; + withX11 = true; +} diff --git a/nixpkgs/nixos/tests/installed-tests/glib-networking.nix b/nixpkgs/nixos/tests/installed-tests/glib-networking.nix new file mode 100644 index 000000000000..b58d4df21fca --- /dev/null +++ b/nixpkgs/nixos/tests/installed-tests/glib-networking.nix @@ -0,0 +1,5 @@ +{ pkgs, makeInstalledTest, ... }: + +makeInstalledTest { + tested = pkgs.glib-networking; +} diff --git a/nixpkgs/nixos/tests/installed-tests/gnome-photos.nix b/nixpkgs/nixos/tests/installed-tests/gnome-photos.nix new file mode 100644 index 000000000000..05e7ccb65ad5 --- /dev/null +++ b/nixpkgs/nixos/tests/installed-tests/gnome-photos.nix @@ -0,0 +1,35 @@ +{ pkgs, makeInstalledTest, ... }: + +makeInstalledTest { + tested = pkgs.gnome-photos; + + withX11 = true; + + testConfig = { + programs.dconf.enable = true; + services.gnome3.at-spi2-core.enable = true; # needed for dogtail + environment.systemPackages = with pkgs; [ + # gsettings tool with access to gsettings-desktop-schemas + (stdenv.mkDerivation { + name = "desktop-gsettings"; + dontUnpack = true; + nativeBuildInputs = [ glib wrapGAppsHook ]; + buildInputs = [ gsettings-desktop-schemas ]; + installPhase = '' + runHook preInstall + mkdir -p $out/bin + ln -s ${glib.bin}/bin/gsettings $out/bin/desktop-gsettings + runHook postInstall + ''; + }) + ]; + services.dbus.packages = with pkgs; [ gnome-photos ]; + }; + + preTestScript = '' + # dogtail needs accessibility enabled + machine.succeed( + "desktop-gsettings set org.gnome.desktop.interface toolkit-accessibility true 2>&1" + ) + ''; +} diff --git a/nixpkgs/nixos/tests/installed-tests/graphene.nix b/nixpkgs/nixos/tests/installed-tests/graphene.nix new file mode 100644 index 000000000000..e43339abd88c --- /dev/null +++ b/nixpkgs/nixos/tests/installed-tests/graphene.nix @@ -0,0 +1,5 @@ +{ pkgs, makeInstalledTest, ... }: + +makeInstalledTest { + tested = pkgs.graphene; +} diff --git a/nixpkgs/nixos/tests/installed-tests/ibus.nix b/nixpkgs/nixos/tests/installed-tests/ibus.nix new file mode 100644 index 000000000000..af54b612b507 --- /dev/null +++ b/nixpkgs/nixos/tests/installed-tests/ibus.nix @@ -0,0 +1,20 @@ +{ pkgs, makeInstalledTest, ... }: + +makeInstalledTest { + tested = pkgs.ibus; + + testConfig = { + i18n.inputMethod.enabled = "ibus"; + }; + + preTestScript = '' + # ibus has ibus-desktop-testing-runner but it tries to manage desktop session so we just spawn ibus-daemon ourselves + machine.succeed("ibus-daemon --daemonize --verbose") + ''; + + withX11 = true; + + # TODO: ibus-daemon is currently crashing or something + # maybe make ibus systemd service that auto-restarts? + meta.broken = true; +} diff --git a/nixpkgs/nixos/tests/installed-tests/libgdata.nix b/nixpkgs/nixos/tests/installed-tests/libgdata.nix new file mode 100644 index 000000000000..f11a7bc1bc51 --- /dev/null +++ b/nixpkgs/nixos/tests/installed-tests/libgdata.nix @@ -0,0 +1,11 @@ +{ pkgs, makeInstalledTest, ... }: + +makeInstalledTest { + tested = pkgs.libgdata; + + testConfig = { + # # GLib-GIO-DEBUG: _g_io_module_get_default: Found default implementation dummy (GDummyTlsBackend) for ‘gio-tls-backend’ + # Bail out! libgdata:ERROR:../gdata/tests/common.c:134:gdata_test_init: assertion failed (child_error == NULL): TLS support is not available (g-tls-error-quark, 0) + services.gnome3.glib-networking.enable = true; + }; +} diff --git a/nixpkgs/nixos/tests/installed-tests/libxmlb.nix b/nixpkgs/nixos/tests/installed-tests/libxmlb.nix new file mode 100644 index 000000000000..af2bbe9c35e2 --- /dev/null +++ b/nixpkgs/nixos/tests/installed-tests/libxmlb.nix @@ -0,0 +1,5 @@ +{ pkgs, makeInstalledTest, ... }: + +makeInstalledTest { + tested = pkgs.libxmlb; +} diff --git a/nixpkgs/nixos/tests/installed-tests/ostree.nix b/nixpkgs/nixos/tests/installed-tests/ostree.nix new file mode 100644 index 000000000000..eef7cace54cc --- /dev/null +++ b/nixpkgs/nixos/tests/installed-tests/ostree.nix @@ -0,0 +1,23 @@ +{ pkgs, lib, makeInstalledTest, ... }: + +makeInstalledTest { + tested = pkgs.ostree; + + # TODO: Wrap/patch the tests directly in the package + testConfig = { + environment.systemPackages = with pkgs; [ + (python3.withPackages (p: with p; [ pyyaml ])) + gnupg + ostree + ]; + + # for GJS tests + environment.variables.GI_TYPELIB_PATH = lib.makeSearchPath "lib/girepository-1.0" (with pkgs; [ + gtk3 + pango.out + ostree + gdk-pixbuf + atk + ]); + }; +} diff --git a/nixpkgs/nixos/tests/installed-tests/xdg-desktop-portal.nix b/nixpkgs/nixos/tests/installed-tests/xdg-desktop-portal.nix new file mode 100644 index 000000000000..b16008ff4add --- /dev/null +++ b/nixpkgs/nixos/tests/installed-tests/xdg-desktop-portal.nix @@ -0,0 +1,5 @@ +{ pkgs, makeInstalledTest, ... }: + +makeInstalledTest { + tested = pkgs.xdg-desktop-portal; +} diff --git a/nixpkgs/nixos/tests/installer.nix b/nixpkgs/nixos/tests/installer.nix index a136678c6eff..eb1f4f192dd1 100644 --- a/nixpkgs/nixos/tests/installer.nix +++ b/nixpkgs/nixos/tests/installer.nix @@ -54,8 +54,6 @@ let hardware.enableAllFirmware = lib.mkForce false; - services.udisks2.enable = lib.mkDefault false; - ${replaceChars ["\n"] ["\n "] extraConfig} } ''; @@ -295,8 +293,6 @@ let ++ optional (bootLoader == "grub" && grubVersion == 1) pkgs.grub ++ optionals (bootLoader == "grub" && grubVersion == 2) [ pkgs.grub2 pkgs.grub2_efi ]; - services.udisks2.enable = mkDefault false; - nix.binaryCaches = mkForce [ ]; nix.extraOptions = '' diff --git a/nixpkgs/nixos/tests/ipv6.nix b/nixpkgs/nixos/tests/ipv6.nix index d11eba764da3..ba464b57447b 100644 --- a/nixpkgs/nixos/tests/ipv6.nix +++ b/nixpkgs/nixos/tests/ipv6.nix @@ -1,7 +1,7 @@ # Test of IPv6 functionality in NixOS, including whether router # solicication/advertisement using radvd works. -import ./make-test.nix ({ pkgs, lib, ...} : { +import ./make-test-python.nix ({ pkgs, lib, ...} : { name = "ipv6"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ eelco ]; @@ -35,51 +35,56 @@ import ./make-test.nix ({ pkgs, lib, ...} : { testScript = '' + import re + # Start the router first so that it respond to router solicitations. - $router->waitForUnit("radvd"); + router.wait_for_unit("radvd") - startAll; + start_all() - $client->waitForUnit("network.target"); - $server->waitForUnit("network.target"); - $server->waitForUnit("httpd.service"); + client.wait_for_unit("network.target") + server.wait_for_unit("network.target") + server.wait_for_unit("httpd.service") # Wait until the given interface has a non-tentative address of # the desired scope (i.e. has completed Duplicate Address # Detection). - sub waitForAddress { - my ($machine, $iface, $scope) = @_; - $machine->waitUntilSucceeds("[ `ip -o -6 addr show dev $iface scope $scope | grep -v tentative | wc -l` -ge 1 ]"); - my $ip = (split /[ \/]+/, $machine->succeed("ip -o -6 addr show dev $iface scope $scope"))[3]; - $machine->log("$scope address on $iface is $ip"); - return $ip; - } - - subtest "loopback address", sub { - $client->succeed("ping -c 1 ::1 >&2"); - $client->fail("ping -c 1 ::2 >&2"); - }; - - subtest "local link addressing", sub { - my $clientIp = waitForAddress $client, "eth1", "link"; - my $serverIp = waitForAddress $server, "eth1", "link"; - $client->succeed("ping -c 1 $clientIp%eth1 >&2"); - $client->succeed("ping -c 1 $serverIp%eth1 >&2"); - }; - - subtest "global addressing", sub { - my $clientIp = waitForAddress $client, "eth1", "global"; - my $serverIp = waitForAddress $server, "eth1", "global"; - $client->succeed("ping -c 1 $clientIp >&2"); - $client->succeed("ping -c 1 $serverIp >&2"); - $client->succeed("curl --fail -g http://[$serverIp]"); - $client->fail("curl --fail -g http://[$clientIp]"); - }; - subtest "privacy extensions", sub { - my $ip = waitForAddress $client, "eth1", "global temporary"; + def wait_for_address(machine, iface, scope, temporary=False): + temporary_flag = "temporary" if temporary else "-temporary" + cmd = f"ip -o -6 addr show dev {iface} scope {scope} -tentative {temporary_flag}" + + machine.wait_until_succeeds(f"[ `{cmd} | wc -l` -eq 1 ]") + output = machine.succeed(cmd) + ip = re.search(r"inet6 ([0-9a-f:]{2,})/", output).group(1) + + if temporary: + scope = scope + " temporary" + machine.log(f"{scope} address on {iface} is {ip}") + return ip + + + with subtest("Loopback address can be pinged"): + client.succeed("ping -c 1 ::1 >&2") + client.fail("ping -c 1 ::2 >&2") + + with subtest("Local link addresses can be obtained and pinged"): + client_ip = wait_for_address(client, "eth1", "link") + server_ip = wait_for_address(server, "eth1", "link") + client.succeed(f"ping -c 1 {client_ip}%eth1 >&2") + client.succeed(f"ping -c 1 {server_ip}%eth1 >&2") + + with subtest("Global addresses can be obtained, pinged, and reached via http"): + client_ip = wait_for_address(client, "eth1", "global") + server_ip = wait_for_address(server, "eth1", "global") + client.succeed(f"ping -c 1 {client_ip} >&2") + client.succeed(f"ping -c 1 {server_ip} >&2") + client.succeed(f"curl --fail -g http://[{server_ip}]") + client.fail(f"curl --fail -g http://[{client_ip}]") + + with subtest("Privacy extensions: Global temporary address can be obtained and pinged"): + ip = wait_for_address(client, "eth1", "global", temporary=True) # Default route should have "src <temporary address>" in it - $client->succeed("ip r g ::2 | grep $ip"); - }; + client.succeed(f"ip r g ::2 | grep {ip}") # TODO: test reachability of a machine on another network. ''; diff --git a/nixpkgs/nixos/tests/jackett.nix b/nixpkgs/nixos/tests/jackett.nix index c749c32ad04e..0a706c99b999 100644 --- a/nixpkgs/nixos/tests/jackett.nix +++ b/nixpkgs/nixos/tests/jackett.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ lib, ... }: +import ./make-test-python.nix ({ lib, ... }: with lib; @@ -11,8 +11,9 @@ with lib; { services.jackett.enable = true; }; testScript = '' - $machine->waitForUnit('jackett.service'); - $machine->waitForOpenPort('9117'); - $machine->succeed("curl --fail http://localhost:9117/"); + machine.start() + machine.wait_for_unit("jackett.service") + machine.wait_for_open_port(9117) + machine.succeed("curl --fail http://localhost:9117/") ''; }) diff --git a/nixpkgs/nixos/tests/jellyfin.nix b/nixpkgs/nixos/tests/jellyfin.nix index b60c6eb94f46..65360624d487 100644 --- a/nixpkgs/nixos/tests/jellyfin.nix +++ b/nixpkgs/nixos/tests/jellyfin.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ lib, ...}: +import ./make-test-python.nix ({ lib, ...}: { name = "jellyfin"; @@ -9,8 +9,8 @@ import ./make-test.nix ({ lib, ...}: { services.jellyfin.enable = true; }; testScript = '' - $machine->waitForUnit('jellyfin.service'); - $machine->waitForOpenPort('8096'); - $machine->succeed("curl --fail http://localhost:8096/"); + machine.wait_for_unit("jellyfin.service") + machine.wait_for_open_port(8096) + machine.succeed("curl --fail http://localhost:8096/") ''; }) diff --git a/nixpkgs/nixos/tests/jenkins.nix b/nixpkgs/nixos/tests/jenkins.nix index a6eec411ff28..cd64ff512878 100644 --- a/nixpkgs/nixos/tests/jenkins.nix +++ b/nixpkgs/nixos/tests/jenkins.nix @@ -3,7 +3,7 @@ # 2. jenkins user can be extended on both master and slave # 3. jenkins service not started on slave node -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "jenkins"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ bjornfor coconnor domenkozar eelco ]; @@ -33,18 +33,17 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; + start_all() - $master->waitForUnit("jenkins"); + master.wait_for_unit("jenkins") - $master->mustSucceed("curl http://localhost:8080 | grep 'Authentication required'"); + assert "Authentication required" in master.succeed("curl http://localhost:8080") - print $master->execute("sudo -u jenkins groups"); - $master->mustSucceed("sudo -u jenkins groups | grep jenkins | grep users"); + for host in master, slave: + groups = host.succeed("sudo -u jenkins groups") + assert "jenkins" in groups + assert "users" in groups - print $slave->execute("sudo -u jenkins groups"); - $slave->mustSucceed("sudo -u jenkins groups | grep jenkins | grep users"); - - $slave->mustFail("systemctl is-enabled jenkins.service"); + slave.fail("systemctl is-enabled jenkins.service") ''; }) diff --git a/nixpkgs/nixos/tests/jormungandr.nix b/nixpkgs/nixos/tests/jormungandr.nix deleted file mode 100644 index 2abafc53ce51..000000000000 --- a/nixpkgs/nixos/tests/jormungandr.nix +++ /dev/null @@ -1,77 +0,0 @@ -import ./make-test.nix ({ pkgs, ... }: { - name = "jormungandr"; - meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ mmahut ]; - }; - - nodes = { - # Testing the Byzantine Fault Tolerant protocol - bft = { ... }: { - environment.systemPackages = [ pkgs.jormungandr ]; - services.jormungandr.enable = true; - services.jormungandr.genesisBlockFile = "/var/lib/jormungandr/block-0.bin"; - services.jormungandr.secretFile = "/etc/secrets/jormungandr.yaml"; - }; - - # Testing the Ouroboros Genesis Praos protocol - genesis = { ... }: { - environment.systemPackages = [ pkgs.jormungandr ]; - services.jormungandr.enable = true; - services.jormungandr.genesisBlockFile = "/var/lib/jormungandr/block-0.bin"; - services.jormungandr.secretFile = "/etc/secrets/jormungandr.yaml"; - }; - }; - - testScript = '' - startAll; - - ## Testing BFT - # Let's wait for the StateDirectory - $bft->waitForFile("/var/lib/jormungandr/"); - - # First, we generate the genesis file for our new blockchain - $bft->succeed("jcli genesis init > /root/genesis.yaml"); - - # We need to generate our secret key - $bft->succeed("jcli key generate --type=Ed25519 > /root/key.prv"); - - # We include the secret key into our services.jormungandr.secretFile - $bft->succeed("mkdir -p /etc/secrets"); - $bft->succeed("echo -e \"bft:\\n signing_key:\" \$(cat /root/key.prv) > /etc/secrets/jormungandr.yaml"); - - # After that, we generate our public key from it - $bft->succeed("cat /root/key.prv | jcli key to-public > /root/key.pub"); - - # We add our public key as a consensus leader in the genesis configration file - $bft->succeed("sed -ie \"s/ed25519_pk1vvwp2s0n5jl5f4xcjurp2e92sj2awehkrydrlas4vgqr7xzt33jsadha32/\$(cat /root/key.pub)/\" /root/genesis.yaml"); - - # Now we can generate the genesis block from it - $bft->succeed("jcli genesis encode --input /root/genesis.yaml --output /var/lib/jormungandr/block-0.bin"); - - # We should have everything to start the service now - $bft->succeed("systemctl restart jormungandr"); - $bft->waitForUnit("jormungandr.service"); - - # Now we can test if we are able to reach the REST API - $bft->waitUntilSucceeds("curl -L http://localhost:8607/api/v0/node/stats | grep uptime"); - - ## Testing Genesis - # Let's wait for the StateDirectory - $genesis->waitForFile("/var/lib/jormungandr/"); - - # Bootstraping the configuration - $genesis->succeed("jormungandr-bootstrap -g -p 8607 -s 1"); - - # Moving generated files in place - $genesis->succeed("mkdir -p /etc/secrets"); - $genesis->succeed("mv pool-secret1.yaml /etc/secrets/jormungandr.yaml"); - $genesis->succeed("mv block-0.bin /var/lib/jormungandr/"); - - # We should have everything to start the service now - $genesis->succeed("systemctl restart jormungandr"); - $genesis->waitForUnit("jormungandr.service"); - - # Now we can create and delegate an account - $genesis->succeed("./create-account-and-delegate.sh | tee -a /tmp/delegate.log"); - ''; -}) diff --git a/nixpkgs/nixos/tests/kafka.nix b/nixpkgs/nixos/tests/kafka.nix index f526d18befee..48ca98da8fa1 100644 --- a/nixpkgs/nixos/tests/kafka.nix +++ b/nixpkgs/nixos/tests/kafka.nix @@ -73,4 +73,5 @@ in with pkgs; { kafka_2_0 = makeKafkaTest "kafka_2_0" apacheKafka_2_0; kafka_2_1 = makeKafkaTest "kafka_2_1" apacheKafka_2_1; kafka_2_2 = makeKafkaTest "kafka_2_2" apacheKafka_2_2; + kafka_2_3 = makeKafkaTest "kafka_2_3" apacheKafka_2_3; } diff --git a/nixpkgs/nixos/tests/keepalived.nix b/nixpkgs/nixos/tests/keepalived.nix new file mode 100644 index 000000000000..d0bf9d465200 --- /dev/null +++ b/nixpkgs/nixos/tests/keepalived.nix @@ -0,0 +1,42 @@ +import ./make-test-python.nix ({ pkgs, ... }: { + name = "keepalived"; + + nodes = { + node1 = { pkgs, ... }: { + networking.firewall.extraCommands = "iptables -A INPUT -p vrrp -j ACCEPT"; + services.keepalived.enable = true; + services.keepalived.vrrpInstances.test = { + interface = "eth1"; + state = "MASTER"; + priority = 50; + virtualIps = [{ addr = "192.168.1.200"; }]; + virtualRouterId = 1; + }; + environment.systemPackages = [ pkgs.tcpdump ]; + }; + node2 = { pkgs, ... }: { + networking.firewall.extraCommands = "iptables -A INPUT -p vrrp -j ACCEPT"; + services.keepalived.enable = true; + services.keepalived.vrrpInstances.test = { + interface = "eth1"; + state = "MASTER"; + priority = 100; + virtualIps = [{ addr = "192.168.1.200"; }]; + virtualRouterId = 1; + }; + environment.systemPackages = [ pkgs.tcpdump ]; + }; + }; + + testScript = '' + # wait for boot time delay to pass + for node in [node1, node2]: + node.wait_until_succeeds( + "systemctl show -p LastTriggerUSecMonotonic keepalived-boot-delay.timer | grep -vq 'LastTriggerUSecMonotonic=0'" + ) + node.wait_for_unit("keepalived") + node2.wait_until_succeeds("ip addr show dev eth1 | grep -q 192.168.1.200") + node1.fail("ip addr show dev eth1 | grep -q 192.168.1.200") + node1.succeed("ping -c1 192.168.1.200") + ''; +}) diff --git a/nixpkgs/nixos/tests/kerberos/heimdal.nix b/nixpkgs/nixos/tests/kerberos/heimdal.nix index a0551b131e91..8abae667d043 100644 --- a/nixpkgs/nixos/tests/kerberos/heimdal.nix +++ b/nixpkgs/nixos/tests/kerberos/heimdal.nix @@ -1,4 +1,4 @@ -import ../make-test.nix ({pkgs, ...}: { +import ../make-test-python.nix ({pkgs, ...}: { name = "kerberos_server-heimdal"; machine = { config, libs, pkgs, ...}: { services.kerberos_server = @@ -23,31 +23,20 @@ import ../make-test.nix ({pkgs, ...}: { }; testScript = '' - $machine->start; + machine.succeed( + "kadmin -l init --realm-max-ticket-life='8 day' --realm-max-renewable-life='10 day' FOO.BAR", + "systemctl restart kadmind.service kdc.service", + ) - $machine->succeed( - "kadmin -l init --realm-max-ticket-life='8 day' \\ - --realm-max-renewable-life='10 day' FOO.BAR" - ); + for unit in ["kadmind", "kdc", "kpasswdd"]: + machine.wait_for_unit(f"{unit}.service") - $machine->succeed("systemctl restart kadmind.service kdc.service"); - $machine->waitForUnit("kadmind.service"); - $machine->waitForUnit("kdc.service"); - $machine->waitForUnit("kpasswdd.service"); - - $machine->succeed( - "kadmin -l add --password=admin_pw --use-defaults admin" - ); - $machine->succeed( - "kadmin -l ext_keytab --keytab=admin.keytab admin" - ); - $machine->succeed( - "kadmin -p admin -K admin.keytab add --password=alice_pw --use-defaults \\ - alice" - ); - $machine->succeed( - "kadmin -l ext_keytab --keytab=alice.keytab alice" - ); - $machine->succeed("kinit -kt alice.keytab alice"); + machine.succeed( + "kadmin -l add --password=admin_pw --use-defaults admin", + "kadmin -l ext_keytab --keytab=admin.keytab admin", + "kadmin -p admin -K admin.keytab add --password=alice_pw --use-defaults alice", + "kadmin -l ext_keytab --keytab=alice.keytab alice", + "kinit -kt alice.keytab alice", + ) ''; }) diff --git a/nixpkgs/nixos/tests/kerberos/mit.nix b/nixpkgs/nixos/tests/kerberos/mit.nix index 6da3a384aa99..93b4020d4994 100644 --- a/nixpkgs/nixos/tests/kerberos/mit.nix +++ b/nixpkgs/nixos/tests/kerberos/mit.nix @@ -1,4 +1,4 @@ -import ../make-test.nix ({pkgs, ...}: { +import ../make-test-python.nix ({pkgs, ...}: { name = "kerberos_server-mit"; machine = { config, libs, pkgs, ...}: { services.kerberos_server = @@ -24,22 +24,18 @@ import ../make-test.nix ({pkgs, ...}: { }; testScript = '' - $machine->start; + machine.succeed( + "kdb5_util create -s -r FOO.BAR -P master_key", + "systemctl restart kadmind.service kdc.service", + ) - $machine->succeed( - "kdb5_util create -s -r FOO.BAR -P master_key" - ); + for unit in ["kadmind", "kdc"]: + machine.wait_for_unit(f"{unit}.service") - $machine->succeed("systemctl restart kadmind.service kdc.service"); - $machine->waitForUnit("kadmind.service"); - $machine->waitForUnit("kdc.service"); - - $machine->succeed( - "kadmin.local add_principal -pw admin_pw admin" - ); - $machine->succeed( - "kadmin -p admin -w admin_pw addprinc -pw alice_pw alice" - ); - $machine->succeed("echo alice_pw | sudo -u alice kinit"); + machine.succeed( + "kadmin.local add_principal -pw admin_pw admin", + "kadmin -p admin -w admin_pw addprinc -pw alice_pw alice", + "echo alice_pw | sudo -u alice kinit", + ) ''; }) diff --git a/nixpkgs/nixos/tests/kernel-latest.nix b/nixpkgs/nixos/tests/kernel-latest.nix index f30bd2e2e760..f09d0926d223 100644 --- a/nixpkgs/nixos/tests/kernel-latest.nix +++ b/nixpkgs/nixos/tests/kernel-latest.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "kernel-latest"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ nequissimus ]; @@ -11,7 +11,7 @@ import ./make-test.nix ({ pkgs, ...} : { testScript = '' - $machine->succeed("uname -s | grep 'Linux'"); - $machine->succeed("uname -a | grep '${pkgs.linuxPackages_latest.kernel.version}'"); + assert "Linux" in machine.succeed("uname -s") + assert "${pkgs.linuxPackages_latest.kernel.version}" in machine.succeed("uname -a") ''; }) diff --git a/nixpkgs/nixos/tests/kernel-lts.nix b/nixpkgs/nixos/tests/kernel-lts.nix index 28717fa6a844..bad706d63c03 100644 --- a/nixpkgs/nixos/tests/kernel-lts.nix +++ b/nixpkgs/nixos/tests/kernel-lts.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "kernel-lts"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ nequissimus ]; @@ -11,7 +11,7 @@ import ./make-test.nix ({ pkgs, ...} : { testScript = '' - $machine->succeed("uname -s | grep 'Linux'"); - $machine->succeed("uname -a | grep '${pkgs.linuxPackages.kernel.version}'"); + assert "Linux" in machine.succeed("uname -s") + assert "${pkgs.linuxPackages.kernel.version}" in machine.succeed("uname -a") ''; }) diff --git a/nixpkgs/nixos/tests/kernel-testing.nix b/nixpkgs/nixos/tests/kernel-testing.nix index 276d2de12bb5..b7e10ebd5bd1 100644 --- a/nixpkgs/nixos/tests/kernel-testing.nix +++ b/nixpkgs/nixos/tests/kernel-testing.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "kernel-testing"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ nequissimus ]; @@ -11,7 +11,7 @@ import ./make-test.nix ({ pkgs, ...} : { testScript = '' - $machine->succeed("uname -s | grep 'Linux'"); - $machine->succeed("uname -a | grep '${pkgs.linuxPackages_testing.kernel.modDirVersion}'"); + assert "Linux" in machine.succeed("uname -s") + assert "${pkgs.linuxPackages_testing.kernel.modDirVersion}" in machine.succeed("uname -a") ''; }) diff --git a/nixpkgs/nixos/tests/kexec.nix b/nixpkgs/nixos/tests/kexec.nix index b13b4131091f..ec0cd9796b0e 100644 --- a/nixpkgs/nixos/tests/kexec.nix +++ b/nixpkgs/nixos/tests/kexec.nix @@ -1,9 +1,15 @@ # Test whether fast reboots via kexec work. -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, lib, ...} : { name = "kexec"; - meta = with pkgs.stdenv.lib.maintainers; { + meta = with lib.maintainers; { maintainers = [ eelco ]; + # Currently hangs forever; last output is: + # machine # [ 10.239914] dhcpcd[707]: eth0: adding default route via fe80::2 + # machine: waiting for the VM to finish booting + # machine # Cannot find the ESP partition mount point. + # machine # [ 28.681197] nscd[692]: 692 checking for monitored file `/etc/netgroup': No such file or directory + broken = true; }; machine = { ... }: @@ -11,9 +17,9 @@ import ./make-test.nix ({ pkgs, ...} : { testScript = '' - $machine->waitForUnit("multi-user.target"); - $machine->execute("systemctl kexec &"); - $machine->{connected} = 0; - $machine->waitForUnit("multi-user.target"); + machine.wait_for_unit("multi-user.target") + machine.execute("systemctl kexec &") + machine.connected = False + machine.wait_for_unit("multi-user.target") ''; }) diff --git a/nixpkgs/nixos/tests/knot.nix b/nixpkgs/nixos/tests/knot.nix index e46159836ccc..0588cf86ac09 100644 --- a/nixpkgs/nixos/tests/knot.nix +++ b/nixpkgs/nixos/tests/knot.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, lib, ...} : +import ./make-test-python.nix ({ pkgs, lib, ...} : let common = { networking.firewall.enable = false; @@ -30,6 +30,10 @@ let }; in { name = "knot"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ hexa ]; + }; + nodes = { master = { lib, ... }: { @@ -161,37 +165,35 @@ in { slave4 = (lib.head nodes.slave.config.networking.interfaces.eth1.ipv4.addresses).address; slave6 = (lib.head nodes.slave.config.networking.interfaces.eth1.ipv6.addresses).address; in '' - startAll; - - $client->waitForUnit("network.target"); - $master->waitForUnit("knot.service"); - $slave->waitForUnit("knot.service"); - - sub assertResponse { - my ($knot, $query_type, $query, $expected) = @_; - my $out = $client->succeed("khost -t $query_type $query $knot"); - $client->log("$knot replies with: $out"); - chomp $out; - die "DNS query for $query ($query_type) against $knot gave '$out' instead of '$expected'" - if ($out !~ $expected); - } - - foreach ("${master4}", "${master6}", "${slave4}", "${slave6}") { - subtest $_, sub { - assertResponse($_, "SOA", "example.com", qr/start of authority.*?noc\.example\.com/); - assertResponse($_, "A", "example.com", qr/has no [^ ]+ record/); - assertResponse($_, "AAAA", "example.com", qr/has no [^ ]+ record/); - - assertResponse($_, "A", "www.example.com", qr/address 192.0.2.1$/); - assertResponse($_, "AAAA", "www.example.com", qr/address 2001:db8::1$/); - - assertResponse($_, "NS", "sub.example.com", qr/nameserver is ns\d\.example\.com.$/); - assertResponse($_, "A", "sub.example.com", qr/address 192.0.2.2$/); - assertResponse($_, "AAAA", "sub.example.com", qr/address 2001:db8::2$/); - - assertResponse($_, "RRSIG", "www.example.com", qr/RR set signature is/); - assertResponse($_, "DNSKEY", "example.com", qr/DNSSEC key is/); - }; - } + import re + + start_all() + + client.wait_for_unit("network.target") + master.wait_for_unit("knot.service") + slave.wait_for_unit("knot.service") + + + def test(host, query_type, query, pattern): + out = client.succeed(f"khost -t {query_type} {query} {host}").strip() + client.log(f"{host} replied with: {out}") + assert re.search(pattern, out), f'Did not match "{pattern}"' + + + for host in ("${master4}", "${master6}", "${slave4}", "${slave6}"): + with subtest(f"Interrogate {host}"): + test(host, "SOA", "example.com", r"start of authority.*noc\.example\.com\.") + test(host, "A", "example.com", r"has no [^ ]+ record") + test(host, "AAAA", "example.com", r"has no [^ ]+ record") + + test(host, "A", "www.example.com", r"address 192.0.2.1$") + test(host, "AAAA", "www.example.com", r"address 2001:db8::1$") + + test(host, "NS", "sub.example.com", r"nameserver is ns\d\.example\.com.$") + test(host, "A", "sub.example.com", r"address 192.0.2.2$") + test(host, "AAAA", "sub.example.com", r"address 2001:db8::2$") + + test(host, "RRSIG", "www.example.com", r"RR set signature is") + test(host, "DNSKEY", "example.com", r"DNSSEC key is") ''; }) diff --git a/nixpkgs/nixos/tests/kubernetes/base.nix b/nixpkgs/nixos/tests/kubernetes/base.nix index f21634c4ffbf..adb736506895 100644 --- a/nixpkgs/nixos/tests/kubernetes/base.nix +++ b/nixpkgs/nixos/tests/kubernetes/base.nix @@ -53,6 +53,7 @@ let services.flannel.iface = "eth1"; services.kubernetes = { addons.dashboard.enable = true; + proxy.hostname = "${masterName}.${domain}"; easyCerts = true; inherit (machine) roles; diff --git a/nixpkgs/nixos/tests/ldap.nix b/nixpkgs/nixos/tests/ldap.nix index 665b9ee09b55..74b002fc00ee 100644 --- a/nixpkgs/nixos/tests/ldap.nix +++ b/nixpkgs/nixos/tests/ldap.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, lib, ...} : +import ./make-test-python.nix ({ pkgs, lib, ...} : let unlines = lib.concatStringsSep "\n"; @@ -288,108 +288,118 @@ in client1 = mkClient true; # use nss_pam_ldapd client2 = mkClient false; # use nss_ldap and pam_ldap - }; testScript = '' - $server->start; - $server->waitForUnit("default.target"); - - subtest "slapd", sub { - subtest "auth as database admin with SASL and check a POSIX account", sub { - $server->succeed(join ' ', 'test', - '"$(ldapsearch -LLL -H ldapi:// -Y EXTERNAL', - '-b \'uid=${ldapUser},ou=accounts,ou=posix,${dbSuffix}\' ', - '-s base uidNumber |', - 'sed -ne \'s/^uidNumber: \\(.*\\)/\\1/p\' ', - ')" -eq ${toString ldapUserId}'); - }; - subtest "auth as database admin with password and check a POSIX account", sub { - $server->succeed(join ' ', 'test', - '"$(ldapsearch -LLL -H ldap://server', - '-D \'cn=admin,${dbSuffix}\' -w \'${dbAdminPwd}\' ', - '-b \'uid=${ldapUser},ou=accounts,ou=posix,${dbSuffix}\' ', - '-s base uidNumber |', - 'sed -ne \'s/^uidNumber: \\(.*\\)/\\1/p\' ', - ')" -eq ${toString ldapUserId}'); - }; - }; - - $client1->start; - $client1->waitForUnit("default.target"); - - subtest "password", sub { - subtest "su with password to a POSIX account", sub { - $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';', - 'spawn su "${ldapUser}"', - 'expect "Password:"', - 'send "${ldapUserPwd}\n"', - 'expect "*"', - 'send "whoami\n"', - 'expect -ex "${ldapUser}" {exit}', - 'exit 1' . "'"); - }; - subtest "change password of a POSIX account as root", sub { - $client1->succeed("chpasswd <<<'${ldapUser}:new-password'"); - $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';', - 'spawn su "${ldapUser}"', - 'expect "Password:"', - 'send "new-password\n"', - 'expect "*"', - 'send "whoami\n"', - 'expect -ex "${ldapUser}" {exit}', - 'exit 1' . "'"); - $client1->succeed('chpasswd <<<\'${ldapUser}:${ldapUserPwd}\' '); - }; - subtest "change password of a POSIX account from itself", sub { - $client1->succeed('chpasswd <<<\'${ldapUser}:${ldapUserPwd}\' '); - $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';', - 'spawn su --login ${ldapUser} -c passwd', - 'expect "Password: "', - 'send "${ldapUserPwd}\n"', - 'expect "(current) UNIX password: "', - 'send "${ldapUserPwd}\n"', - 'expect "New password: "', - 'send "new-password\n"', - 'expect "Retype new password: "', - 'send "new-password\n"', - 'expect "passwd: password updated successfully" {exit}', - 'exit 1' . "'"); - $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';', - 'spawn su "${ldapUser}"', - 'expect "Password:"', - 'send "${ldapUserPwd}\n"', - 'expect "su: Authentication failure" {exit}', - 'exit 1' . "'"); - $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';', - 'spawn su "${ldapUser}"', - 'expect "Password:"', - 'send "new-password\n"', - 'expect "*"', - 'send "whoami\n"', - 'expect -ex "${ldapUser}" {exit}', - 'exit 1' . "'"); - $client1->succeed('chpasswd <<<\'${ldapUser}:${ldapUserPwd}\' '); - }; - }; - - $client2->start; - $client2->waitForUnit("default.target"); - - subtest "NSS", sub { - $client1->succeed("test \"\$(id -u '${ldapUser}')\" -eq ${toString ldapUserId}"); - $client1->succeed("test \"\$(id -u -n '${ldapUser}')\" = '${ldapUser}'"); - $client1->succeed("test \"\$(id -g '${ldapUser}')\" -eq ${toString ldapGroupId}"); - $client1->succeed("test \"\$(id -g -n '${ldapUser}')\" = '${ldapGroup}'"); - $client2->succeed("test \"\$(id -u '${ldapUser}')\" -eq ${toString ldapUserId}"); - $client2->succeed("test \"\$(id -u -n '${ldapUser}')\" = '${ldapUser}'"); - $client2->succeed("test \"\$(id -g '${ldapUser}')\" -eq ${toString ldapGroupId}"); - $client2->succeed("test \"\$(id -g -n '${ldapUser}')\" = '${ldapGroup}'"); - }; - - subtest "PAM", sub { - $client1->succeed("echo ${ldapUserPwd} | su -l '${ldapUser}' -c true"); - $client2->succeed("echo ${ldapUserPwd} | su -l '${ldapUser}' -c true"); - }; + def expect_script(*commands): + script = ";".join(commands) + return f"${pkgs.expect}/bin/expect -c '{script}'" + + + server.start() + server.wait_for_unit("default.target") + + with subtest("slapd: auth as database admin with SASL and check a POSIX account"): + server.succeed( + 'test "$(ldapsearch -LLL -H ldapi:// -Y EXTERNAL ' + + "-b 'uid=${ldapUser},ou=accounts,ou=posix,${dbSuffix}' " + + "-s base uidNumber | " + + "sed -ne 's/^uidNumber: \\(.*\\)/\\1/p')\" -eq ${toString ldapUserId}" + ) + + with subtest("slapd: auth as database admin with password and check a POSIX account"): + server.succeed( + "test \"$(ldapsearch -LLL -H ldap://server -D 'cn=admin,${dbSuffix}' " + + "-w '${dbAdminPwd}' -b 'uid=${ldapUser},ou=accounts,ou=posix,${dbSuffix}' " + + "-s base uidNumber | " + + "sed -ne 's/^uidNumber: \\(.*\\)/\\1/p')\" -eq ${toString ldapUserId}" + ) + + client1.start() + client1.wait_for_unit("default.target") + + with subtest("password: su with password to a POSIX account"): + client1.succeed( + expect_script( + 'spawn su "${ldapUser}"', + 'expect "Password:"', + 'send "${ldapUserPwd}\n"', + 'expect "*"', + 'send "whoami\n"', + 'expect -ex "${ldapUser}" {exit}', + "exit 1", + ) + ) + + with subtest("password: change password of a POSIX account as root"): + client1.succeed( + "chpasswd <<<'${ldapUser}:new-password'", + expect_script( + 'spawn su "${ldapUser}"', + 'expect "Password:"', + 'send "new-password\n"', + 'expect "*"', + 'send "whoami\n"', + 'expect -ex "${ldapUser}" {exit}', + "exit 1", + ), + "chpasswd <<<'${ldapUser}:${ldapUserPwd}'", + ) + + with subtest("password: change password of a POSIX account from itself"): + client1.succeed( + "chpasswd <<<'${ldapUser}:${ldapUserPwd}' ", + expect_script( + "spawn su --login ${ldapUser} -c passwd", + 'expect "Password: "', + 'send "${ldapUserPwd}\n"', + 'expect "(current) UNIX password: "', + 'send "${ldapUserPwd}\n"', + 'expect "New password: "', + 'send "new-password\n"', + 'expect "Retype new password: "', + 'send "new-password\n"', + 'expect "passwd: password updated successfully" {exit}', + "exit 1", + ), + expect_script( + 'spawn su "${ldapUser}"', + 'expect "Password:"', + 'send "${ldapUserPwd}\n"', + 'expect "su: Authentication failure" {exit}', + "exit 1", + ), + expect_script( + 'spawn su "${ldapUser}"', + 'expect "Password:"', + 'send "new-password\n"', + 'expect "*"', + 'send "whoami\n"', + 'expect -ex "${ldapUser}" {exit}', + "exit 1", + ), + "chpasswd <<<'${ldapUser}:${ldapUserPwd}'", + ) + + client2.start() + client2.wait_for_unit("default.target") + + with subtest("NSS"): + client1.succeed( + "test \"$(id -u '${ldapUser}')\" -eq ${toString ldapUserId}", + "test \"$(id -u -n '${ldapUser}')\" = '${ldapUser}'", + "test \"$(id -g '${ldapUser}')\" -eq ${toString ldapGroupId}", + "test \"$(id -g -n '${ldapUser}')\" = '${ldapGroup}'", + "test \"$(id -u '${ldapUser}')\" -eq ${toString ldapUserId}", + "test \"$(id -u -n '${ldapUser}')\" = '${ldapUser}'", + "test \"$(id -g '${ldapUser}')\" -eq ${toString ldapGroupId}", + "test \"$(id -g -n '${ldapUser}')\" = '${ldapGroup}'", + ) + + with subtest("PAM"): + client1.succeed( + "echo ${ldapUserPwd} | su -l '${ldapUser}' -c true", + "echo ${ldapUserPwd} | su -l '${ldapUser}' -c true", + ) ''; }) diff --git a/nixpkgs/nixos/tests/leaps.nix b/nixpkgs/nixos/tests/leaps.nix index 6163fed56b6f..65b475d734ec 100644 --- a/nixpkgs/nixos/tests/leaps.nix +++ b/nixpkgs/nixos/tests/leaps.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, ... }: { name = "leaps"; @@ -22,9 +22,11 @@ import ./make-test.nix ({ pkgs, ... }: testScript = '' - startAll; - $server->waitForOpenPort(6666); - $client->waitForUnit("network.target"); - $client->succeed("${pkgs.curl}/bin/curl http://server:6666/leaps/ | grep -i 'leaps'"); + start_all() + server.wait_for_open_port(6666) + client.wait_for_unit("network.target") + assert "leaps" in client.succeed( + "${pkgs.curl}/bin/curl http://server:6666/leaps/" + ) ''; }) diff --git a/nixpkgs/nixos/tests/libgdata.nix b/nixpkgs/nixos/tests/libgdata.nix deleted file mode 100644 index 10a3ca97dd22..000000000000 --- a/nixpkgs/nixos/tests/libgdata.nix +++ /dev/null @@ -1,21 +0,0 @@ -# run installed tests -import ./make-test.nix ({ pkgs, ... }: - -{ - name = "libgdata"; - - meta = { - maintainers = pkgs.libgdata.meta.maintainers; - }; - - machine = { pkgs, ... }: { - environment.systemPackages = with pkgs; [ gnome-desktop-testing ]; - # # GLib-GIO-DEBUG: _g_io_module_get_default: Found default implementation dummy (GDummyTlsBackend) for ‘gio-tls-backend’ - # Bail out! libgdata:ERROR:../gdata/tests/common.c:134:gdata_test_init: assertion failed (child_error == NULL): TLS support is not available (g-tls-error-quark, 0) - services.gnome3.glib-networking.enable = true; - }; - - testScript = '' - $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.libgdata.installedTests}/share'"); - ''; -}) diff --git a/nixpkgs/nixos/tests/libxmlb.nix b/nixpkgs/nixos/tests/libxmlb.nix deleted file mode 100644 index 3bee568ac5a2..000000000000 --- a/nixpkgs/nixos/tests/libxmlb.nix +++ /dev/null @@ -1,17 +0,0 @@ -# run installed tests -import ./make-test.nix ({ pkgs, ... }: - -{ - name = "libxmlb"; - meta = { - maintainers = pkgs.libxmlb.meta.maintainers; - }; - - machine = { pkgs, ... }: { - environment.systemPackages = with pkgs; [ gnome-desktop-testing ]; - }; - - testScript = '' - $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.libxmlb.installedTests}/share'"); - ''; -}) diff --git a/nixpkgs/nixos/tests/lidarr.nix b/nixpkgs/nixos/tests/lidarr.nix index 85fcbd21d8c0..d3f83e5d9145 100644 --- a/nixpkgs/nixos/tests/lidarr.nix +++ b/nixpkgs/nixos/tests/lidarr.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ lib, ... }: +import ./make-test-python.nix ({ lib, ... }: with lib; @@ -11,8 +11,10 @@ with lib; { services.lidarr.enable = true; }; testScript = '' - $machine->waitForUnit('lidarr.service'); - $machine->waitForOpenPort('8686'); - $machine->succeed("curl --fail http://localhost:8686/"); + start_all() + + machine.wait_for_unit("lidarr.service") + machine.wait_for_open_port("8686") + machine.succeed("curl --fail http://localhost:8686/") ''; }) diff --git a/nixpkgs/nixos/tests/lightdm.nix b/nixpkgs/nixos/tests/lightdm.nix index c805f1ed9f3c..46c2ed7ccc59 100644 --- a/nixpkgs/nixos/tests/lightdm.nix +++ b/nixpkgs/nixos/tests/lightdm.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "lightdm"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ aszlig worldofpeace ]; @@ -8,9 +8,8 @@ import ./make-test.nix ({ pkgs, ...} : { imports = [ ./common/user-account.nix ]; services.xserver.enable = true; services.xserver.displayManager.lightdm.enable = true; - services.xserver.windowManager.default = "icewm"; + services.xserver.displayManager.defaultSession = "none+icewm"; services.xserver.windowManager.icewm.enable = true; - services.xserver.desktopManager.default = "none"; }; enableOCR = true; @@ -18,12 +17,12 @@ import ./make-test.nix ({ pkgs, ...} : { testScript = { nodes, ... }: let user = nodes.machine.config.users.users.alice; in '' - startAll; - $machine->waitForText(qr/${user.description}/); - $machine->screenshot("lightdm"); - $machine->sendChars("${user.password}\n"); - $machine->waitForFile("/home/alice/.Xauthority"); - $machine->succeed("xauth merge ~alice/.Xauthority"); - $machine->waitForWindow("^IceWM "); + start_all() + machine.wait_for_text("${user.description}") + machine.screenshot("lightdm") + machine.send_chars("${user.password}\n") + machine.wait_for_file("${user.home}/.Xauthority") + machine.succeed("xauth merge ${user.home}/.Xauthority") + machine.wait_for_window("^IceWM ") ''; }) diff --git a/nixpkgs/nixos/tests/login.nix b/nixpkgs/nixos/tests/login.nix index 2a7c063d3033..d36c1a91be43 100644 --- a/nixpkgs/nixos/tests/login.nix +++ b/nixpkgs/nixos/tests/login.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, latestKernel ? false, ... }: +import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... }: { name = "login"; @@ -12,62 +12,48 @@ import ./make-test.nix ({ pkgs, latestKernel ? false, ... }: sound.enable = true; # needed for the factl test, /dev/snd/* exists without them but udev doesn't care then }; - testScript = - '' - $machine->waitForUnit('multi-user.target'); - $machine->waitUntilSucceeds("pgrep -f 'agetty.*tty1'"); - $machine->screenshot("postboot"); - - subtest "create user", sub { - $machine->succeed("useradd -m alice"); - $machine->succeed("(echo foobar; echo foobar) | passwd alice"); - }; - - # Check whether switching VTs works. - subtest "virtual console switching", sub { - $machine->fail("pgrep -f 'agetty.*tty2'"); - $machine->sendKeys("alt-f2"); - $machine->waitUntilSucceeds("[ \$(fgconsole) = 2 ]"); - $machine->waitForUnit('getty@tty2.service'); - $machine->waitUntilSucceeds("pgrep -f 'agetty.*tty2'"); - }; - - # Log in as alice on a virtual console. - subtest "virtual console login", sub { - $machine->waitUntilTTYMatches(2, "login: "); - $machine->sendChars("alice\n"); - $machine->waitUntilTTYMatches(2, "login: alice"); - $machine->waitUntilSucceeds("pgrep login"); - $machine->waitUntilTTYMatches(2, "Password: "); - $machine->sendChars("foobar\n"); - $machine->waitUntilSucceeds("pgrep -u alice bash"); - $machine->sendChars("touch done\n"); - $machine->waitForFile("/home/alice/done"); - }; - - # Check whether systemd gives and removes device ownership as - # needed. - subtest "device permissions", sub { - $machine->succeed("getfacl /dev/snd/timer | grep -q alice"); - $machine->sendKeys("alt-f1"); - $machine->waitUntilSucceeds("[ \$(fgconsole) = 1 ]"); - $machine->fail("getfacl /dev/snd/timer | grep -q alice"); - $machine->succeed("chvt 2"); - $machine->waitUntilSucceeds("getfacl /dev/snd/timer | grep -q alice"); - }; - - # Log out. - subtest "virtual console logout", sub { - $machine->sendChars("exit\n"); - $machine->waitUntilFails("pgrep -u alice bash"); - $machine->screenshot("mingetty"); - }; - - # Check whether ctrl-alt-delete works. - subtest "ctrl-alt-delete", sub { - $machine->sendKeys("ctrl-alt-delete"); - $machine->waitForShutdown; - }; - ''; - + testScript = '' + machine.wait_for_unit("multi-user.target") + machine.wait_until_succeeds("pgrep -f 'agetty.*tty1'") + machine.screenshot("postboot") + + with subtest("create user"): + machine.succeed("useradd -m alice") + machine.succeed("(echo foobar; echo foobar) | passwd alice") + + with subtest("Check whether switching VTs works"): + machine.fail("pgrep -f 'agetty.*tty2'") + machine.send_key("alt-f2") + machine.wait_until_succeeds("[ $(fgconsole) = 2 ]") + machine.wait_for_unit("getty@tty2.service") + machine.wait_until_succeeds("pgrep -f 'agetty.*tty2'") + + with subtest("Log in as alice on a virtual console"): + machine.wait_until_tty_matches(2, "login: ") + machine.send_chars("alice\n") + machine.wait_until_tty_matches(2, "login: alice") + machine.wait_until_succeeds("pgrep login") + machine.wait_until_tty_matches(2, "Password: ") + machine.send_chars("foobar\n") + machine.wait_until_succeeds("pgrep -u alice bash") + machine.send_chars("touch done\n") + machine.wait_for_file("/home/alice/done") + + with subtest("Systemd gives and removes device ownership as needed"): + machine.succeed("getfacl /dev/snd/timer | grep -q alice") + machine.send_key("alt-f1") + machine.wait_until_succeeds("[ $(fgconsole) = 1 ]") + machine.fail("getfacl /dev/snd/timer | grep -q alice") + machine.succeed("chvt 2") + machine.wait_until_succeeds("getfacl /dev/snd/timer | grep -q alice") + + with subtest("Virtual console logout"): + machine.send_chars("exit\n") + machine.wait_until_fails("pgrep -u alice bash") + machine.screenshot("mingetty") + + with subtest("Check whether ctrl-alt-delete works"): + machine.send_key("ctrl-alt-delete") + machine.wait_for_shutdown() + ''; }) diff --git a/nixpkgs/nixos/tests/loki.nix b/nixpkgs/nixos/tests/loki.nix index 9c3058d02f84..dbf1e8a650f5 100644 --- a/nixpkgs/nixos/tests/loki.nix +++ b/nixpkgs/nixos/tests/loki.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ lib, pkgs, ... }: +import ./make-test-python.nix ({ lib, pkgs, ... }: { name = "loki"; @@ -26,12 +26,14 @@ import ./make-test.nix ({ lib, pkgs, ... }: }; testScript = '' - $machine->start; - $machine->waitForUnit("loki.service"); - $machine->waitForUnit("promtail.service"); - $machine->waitForOpenPort(3100); - $machine->waitForOpenPort(9080); - $machine->succeed("echo 'Loki Ingestion Test' > /var/log/testlog"); - $machine->waitUntilSucceeds("${pkgs.grafana-loki}/bin/logcli --addr='http://localhost:3100' query --no-labels '{job=\"varlogs\",filename=\"/var/log/testlog\"}' | grep -q 'Loki Ingestion Test'"); + machine.start + machine.wait_for_unit("loki.service") + machine.wait_for_unit("promtail.service") + machine.wait_for_open_port(3100) + machine.wait_for_open_port(9080) + machine.succeed("echo 'Loki Ingestion Test' > /var/log/testlog") + machine.wait_until_succeeds( + "${pkgs.grafana-loki}/bin/logcli --addr='http://localhost:3100' query --no-labels '{job=\"varlogs\",filename=\"/var/log/testlog\"}' | grep -q 'Loki Ingestion Test'" + ) ''; }) diff --git a/nixpkgs/nixos/tests/lorri/builder.sh b/nixpkgs/nixos/tests/lorri/builder.sh new file mode 100644 index 000000000000..b586b2bf7985 --- /dev/null +++ b/nixpkgs/nixos/tests/lorri/builder.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +printf "%s" "${name:?}" > "${out:?}" diff --git a/nixpkgs/nixos/tests/lorri/default.nix b/nixpkgs/nixos/tests/lorri/default.nix new file mode 100644 index 000000000000..53074385a652 --- /dev/null +++ b/nixpkgs/nixos/tests/lorri/default.nix @@ -0,0 +1,26 @@ +import ../make-test-python.nix { + machine = { pkgs, ... }: { + imports = [ ../../modules/profiles/minimal.nix ]; + environment.systemPackages = [ pkgs.lorri ]; + }; + + testScript = '' + # Copy files over + machine.succeed( + "cp '${./fake-shell.nix}' shell.nix" + ) + machine.succeed( + "cp '${./builder.sh}' builder.sh" + ) + + # Start the daemon and wait until it is ready + machine.execute("lorri daemon > lorri.stdout 2> lorri.stderr &") + machine.wait_until_succeeds("grep --fixed-strings 'lorri: ready' lorri.stdout") + + # Ping the daemon + machine.execute("lorri ping_ $(readlink -f shell.nix)") + + # Wait for the daemon to finish the build + machine.wait_until_succeeds("grep --fixed-strings 'OutputPaths' lorri.stdout") + ''; +} diff --git a/nixpkgs/nixos/tests/lorri/fake-shell.nix b/nixpkgs/nixos/tests/lorri/fake-shell.nix new file mode 100644 index 000000000000..9de9d247e542 --- /dev/null +++ b/nixpkgs/nixos/tests/lorri/fake-shell.nix @@ -0,0 +1,5 @@ +derivation { + system = builtins.currentSystem; + name = "fake-shell"; + builder = ./builder.sh; +} diff --git a/nixpkgs/nixos/tests/magnetico.nix b/nixpkgs/nixos/tests/magnetico.nix index bc7aef653ee5..6770d32358e8 100644 --- a/nixpkgs/nixos/tests/magnetico.nix +++ b/nixpkgs/nixos/tests/magnetico.nix @@ -1,4 +1,9 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : + +let + port = 8081; +in +{ name = "magnetico"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ rnhmjoj ]; @@ -12,17 +17,24 @@ import ./make-test.nix ({ pkgs, ...} : { services.magnetico = { enable = true; crawler.port = 9000; + web.port = port; web.credentials.user = "$2y$12$P88ZF6soFthiiAeXnz64aOWDsY3Dw7Yw8fZ6GtiqFNjknD70zDmNe"; }; }; testScript = '' - startAll; - $machine->waitForUnit("magneticod"); - $machine->waitForUnit("magneticow"); - $machine->succeed("${pkgs.curl}/bin/curl -u user:password http://localhost:8080"); - $machine->succeed("${pkgs.curl}/bin/curl -u user:wrongpwd http://localhost:8080") =~ "Unauthorised." or die; - $machine->shutdown(); + start_all() + machine.wait_for_unit("magneticod") + machine.wait_for_unit("magneticow") + machine.succeed( + "${pkgs.curl}/bin/curl " + + "-u user:password http://localhost:${toString port}" + ) + assert "Unauthorised." in machine.succeed( + "${pkgs.curl}/bin/curl " + + "-u user:wrongpwd http://localhost:${toString port}" + ) + machine.shutdown() ''; }) diff --git a/nixpkgs/nixos/tests/mailcatcher.nix b/nixpkgs/nixos/tests/mailcatcher.nix index d45b5d4edfc5..2ef38544fe0a 100644 --- a/nixpkgs/nixos/tests/mailcatcher.nix +++ b/nixpkgs/nixos/tests/mailcatcher.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ lib, ... }: +import ./make-test-python.nix ({ lib, ... }: { name = "mailcatcher"; @@ -9,18 +9,22 @@ import ./make-test.nix ({ lib, ... }: { services.mailcatcher.enable = true; - networking.defaultMailServer.directDelivery = true; - networking.defaultMailServer.hostName = "localhost:1025"; + services.ssmtp.enable = true; + services.ssmtp.hostName = "localhost:1025"; environment.systemPackages = [ pkgs.mailutils ]; }; testScript = '' - startAll; + start_all() - $machine->waitForUnit('mailcatcher.service'); - $machine->waitForOpenPort('1025'); - $machine->succeed('echo "this is the body of the email" | mail -s "subject" root@example.org'); - $machine->succeed('curl http://localhost:1080/messages/1.source') =~ /this is the body of the email/ or die; + machine.wait_for_unit("mailcatcher.service") + machine.wait_for_open_port("1025") + machine.succeed( + 'echo "this is the body of the email" | mail -s "subject" root@example.org' + ) + assert "this is the body of the email" in machine.succeed( + "curl http://localhost:1080/messages/1.source" + ) ''; }) diff --git a/nixpkgs/nixos/tests/make-test-python.nix b/nixpkgs/nixos/tests/make-test-python.nix new file mode 100644 index 000000000000..89897fe7e61b --- /dev/null +++ b/nixpkgs/nixos/tests/make-test-python.nix @@ -0,0 +1,9 @@ +f: { + system ? builtins.currentSystem, + pkgs ? import ../.. { inherit system; config = {}; }, + ... +} @ args: + +with import ../lib/testing-python.nix { inherit system pkgs; }; + +makeTest (if pkgs.lib.isFunction f then f (args // { inherit pkgs; inherit (pkgs) lib; }) else f) diff --git a/nixpkgs/nixos/tests/matomo.nix b/nixpkgs/nixos/tests/matomo.nix new file mode 100644 index 000000000000..2bea237c8bdd --- /dev/null +++ b/nixpkgs/nixos/tests/matomo.nix @@ -0,0 +1,48 @@ +{ system ? builtins.currentSystem, config ? { } +, pkgs ? import ../.. { inherit system config; } }: + +with import ../lib/testing-python.nix { inherit system pkgs; }; +with pkgs.lib; + +let + matomoTest = package: + makeTest { + machine = { config, pkgs, ... }: { + services.matomo = { + package = package; + enable = true; + nginx = { + forceSSL = false; + enableACME = false; + }; + }; + services.mysql = { + enable = true; + package = pkgs.mysql; + }; + services.nginx.enable = true; + }; + + testScript = '' + start_all() + machine.wait_for_unit("mysql.service") + machine.wait_for_unit("phpfpm-matomo.service") + machine.wait_for_unit("nginx.service") + + # without the grep the command does not produce valid utf-8 for some reason + with subtest("welcome screen loads"): + machine.succeed( + "curl -sSfL http://localhost/ | grep '<title>Matomo[^<]*Installation'" + ) + ''; + }; +in { + matomo = matomoTest pkgs.matomo // { + name = "matomo"; + meta.maintainers = with maintainers; [ florianjacob kiwi mmilata ]; + }; + matomo-beta = matomoTest pkgs.matomo-beta // { + name = "matomo-beta"; + meta.maintainers = with maintainers; [ florianjacob kiwi mmilata ]; + }; +} diff --git a/nixpkgs/nixos/tests/matrix-synapse.nix b/nixpkgs/nixos/tests/matrix-synapse.nix index 882e4b75814b..fca53009083a 100644 --- a/nixpkgs/nixos/tests/matrix-synapse.nix +++ b/nixpkgs/nixos/tests/matrix-synapse.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... } : let +import ./make-test-python.nix ({ pkgs, ... } : let runWithOpenSSL = file: cmd: pkgs.runCommand file { @@ -55,13 +55,17 @@ in { }; testScript = '' - startAll; - $serverpostgres->waitForUnit("matrix-synapse.service"); - $serverpostgres->waitUntilSucceeds("curl -L --cacert ${ca_pem} https://localhost:8448/"); - $serverpostgres->requireActiveUnit("postgresql.service"); - $serversqlite->waitForUnit("matrix-synapse.service"); - $serversqlite->waitUntilSucceeds("curl -L --cacert ${ca_pem} https://localhost:8448/"); - $serversqlite->mustSucceed("[ -e /var/lib/matrix-synapse/homeserver.db ]"); + start_all() + serverpostgres.wait_for_unit("matrix-synapse.service") + serverpostgres.wait_until_succeeds( + "curl -L --cacert ${ca_pem} https://localhost:8448/" + ) + serverpostgres.require_unit_state("postgresql.service") + serversqlite.wait_for_unit("matrix-synapse.service") + serversqlite.wait_until_succeeds( + "curl -L --cacert ${ca_pem} https://localhost:8448/" + ) + serversqlite.succeed("[ -e /var/lib/matrix-synapse/homeserver.db ]") ''; }) diff --git a/nixpkgs/nixos/tests/mediawiki.nix b/nixpkgs/nixos/tests/mediawiki.nix index 6293e8a2f465..9468c1de8ccb 100644 --- a/nixpkgs/nixos/tests/mediawiki.nix +++ b/nixpkgs/nixos/tests/mediawiki.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, lib, ... }: { +import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "mediawiki"; meta.maintainers = [ lib.maintainers.aanderse ]; @@ -11,9 +11,11 @@ import ./make-test.nix ({ pkgs, lib, ... }: { }; testScript = '' - startAll; + start_all() - $machine->waitForUnit('phpfpm-mediawiki.service'); - $machine->succeed('curl -L http://localhost/') =~ /MediaWiki has been installed/ or die; + machine.wait_for_unit("phpfpm-mediawiki.service") + + page = machine.succeed("curl -L http://localhost/") + assert "MediaWiki has been installed" in page ''; }) diff --git a/nixpkgs/nixos/tests/memcached.nix b/nixpkgs/nixos/tests/memcached.nix index b120599c51dd..31f5627d25ce 100644 --- a/nixpkgs/nixos/tests/memcached.nix +++ b/nixpkgs/nixos/tests/memcached.nix @@ -1,28 +1,24 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ... }: { name = "memcached"; - nodes = { - machine = - { ... }: - { - imports = [ ../modules/profiles/minimal.nix ]; - services.memcached.enable = true; - }; + machine = { + imports = [ ../modules/profiles/minimal.nix ]; + services.memcached.enable = true; }; testScript = let - testScript = pkgs.writeScript "testScript.py" '' - #!${pkgs.python3.withPackages (p: [p.memcached])}/bin/python - + testScript = pkgs.writers.writePython3 "test_memcache" { + libraries = with pkgs.python3Packages; [ memcached ]; + } '' import memcache c = memcache.Client(['localhost:11211']) c.set('key', 'value') assert 'value' == c.get('key') ''; in '' - startAll; - $machine->waitForUnit("memcached.service"); - $machine->waitForOpenPort("11211"); - $machine->succeed("${testScript}"); + machine.start() + machine.wait_for_unit("memcached.service") + machine.wait_for_open_port(11211) + machine.succeed("${testScript}") ''; }) diff --git a/nixpkgs/nixos/tests/metabase.nix b/nixpkgs/nixos/tests/metabase.nix index be9e5ed5b1e8..1450a4e9086f 100644 --- a/nixpkgs/nixos/tests/metabase.nix +++ b/nixpkgs/nixos/tests/metabase.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: { +import ./make-test-python.nix ({ pkgs, ... }: { name = "metabase"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ mmahut ]; @@ -12,9 +12,9 @@ import ./make-test.nix ({ pkgs, ... }: { }; testScript = '' - startAll; - $machine->waitForUnit("metabase.service"); - $machine->waitForOpenPort(3000); - $machine->waitUntilSucceeds("curl -L http://localhost:3000/setup | grep Metabase"); + start_all() + machine.wait_for_unit("metabase.service") + machine.wait_for_open_port(3000) + machine.wait_until_succeeds("curl -L http://localhost:3000/setup | grep Metabase") ''; }) diff --git a/nixpkgs/nixos/tests/minidlna.nix b/nixpkgs/nixos/tests/minidlna.nix index 7bf1bed69d06..d852c7f60bc4 100644 --- a/nixpkgs/nixos/tests/minidlna.nix +++ b/nixpkgs/nixos/tests/minidlna.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: { +import ./make-test-python.nix ({ pkgs, ... }: { name = "minidlna"; nodes = { @@ -29,11 +29,11 @@ import ./make-test.nix ({ pkgs, ... }: { testScript = '' - startAll; - $server->succeed("mkdir -p /tmp/stuff && chown minidlna: /tmp/stuff"); - $server->waitForUnit("minidlna"); - $server->waitForOpenPort("8200"); - $server->succeed("curl --fail http://localhost:8200/"); - $client->succeed("curl --fail http://server:8200/"); + start_all() + server.succeed("mkdir -p /tmp/stuff && chown minidlna: /tmp/stuff") + server.wait_for_unit("minidlna") + server.wait_for_open_port("8200") + server.succeed("curl --fail http://localhost:8200/") + client.succeed("curl --fail http://server:8200/") ''; }) diff --git a/nixpkgs/nixos/tests/miniflux.nix b/nixpkgs/nixos/tests/miniflux.nix index 19ab4803a1d3..7d83d061a9df 100644 --- a/nixpkgs/nixos/tests/miniflux.nix +++ b/nixpkgs/nixos/tests/miniflux.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, lib, ... }: +import ./make-test-python.nix ({ pkgs, lib, ... }: let port = 3142; @@ -37,16 +37,20 @@ with lib; }; }; testScript = '' - startAll; + start_all() - $default->waitForUnit('miniflux.service'); - $default->waitForOpenPort(${toString defaultPort}); - $default->succeed("curl --fail 'http://localhost:${toString defaultPort}/healthcheck' | grep -q OK"); - $default->succeed("curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep -q '\"is_admin\":true'"); + default.wait_for_unit("miniflux.service") + default.wait_for_open_port(${toString defaultPort}) + default.succeed("curl --fail 'http://localhost:${toString defaultPort}/healthcheck' | grep -q OK") + default.succeed( + "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep -q '\"is_admin\":true'" + ) - $customized->waitForUnit('miniflux.service'); - $customized->waitForOpenPort(${toString port}); - $customized->succeed("curl --fail 'http://localhost:${toString port}/healthcheck' | grep -q OK"); - $customized->succeed("curl 'http://localhost:${toString port}/v1/me' -u '${username}:${password}' -H Content-Type:application/json | grep -q '\"is_admin\":true'"); + customized.wait_for_unit("miniflux.service") + customized.wait_for_open_port(${toString port}) + customized.succeed("curl --fail 'http://localhost:${toString port}/healthcheck' | grep -q OK") + customized.succeed( + "curl 'http://localhost:${toString port}/v1/me' -u '${username}:${password}' -H Content-Type:application/json | grep -q '\"is_admin\":true'" + ) ''; }) diff --git a/nixpkgs/nixos/tests/minio.nix b/nixpkgs/nixos/tests/minio.nix index f1218b537711..3b0619742671 100644 --- a/nixpkgs/nixos/tests/minio.nix +++ b/nixpkgs/nixos/tests/minio.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : +import ./make-test-python.nix ({ pkgs, ...} : let accessKey = "BKIKJAA5BMMU2RHO6IBB"; secretKey = "V7f1CwQqAcwo80UEIJEjc5gVQUSSx5ohQ9GSrr12"; @@ -18,7 +18,7 @@ let sio.seek(0) minioClient.put_object('test-bucket', 'test.txt', sio, sio_len, content_type='text/plain') ''; - in { +in { name = "minio"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ bachp ]; @@ -37,19 +37,19 @@ let }; }; - testScript = - '' - startAll; - $machine->waitForUnit("minio.service"); - $machine->waitForOpenPort(9000); + testScript = '' + start_all() + machine.wait_for_unit("minio.service") + machine.wait_for_open_port(9000) - # Create a test bucket on the server - $machine->succeed("mc config host add minio http://localhost:9000 ${accessKey} ${secretKey} S3v4"); - $machine->succeed("mc mb minio/test-bucket"); - $machine->succeed("${minioPythonScript}"); - $machine->succeed("mc ls minio") =~ /test-bucket/ or die; - $machine->succeed("mc cat minio/test-bucket/test.txt") =~ /Test from Python/ or die; - $machine->shutdown; - - ''; + # Create a test bucket on the server + machine.succeed( + "mc config host add minio http://localhost:9000 ${accessKey} ${secretKey} S3v4" + ) + machine.succeed("mc mb minio/test-bucket") + machine.succeed("${minioPythonScript}") + assert "test-bucket" in machine.succeed("mc ls minio") + assert "Test from Python" in machine.succeed("mc cat minio/test-bucket/test.txt") + machine.shutdown() + ''; }) diff --git a/nixpkgs/nixos/tests/moinmoin.nix b/nixpkgs/nixos/tests/moinmoin.nix new file mode 100644 index 000000000000..ac327498eba0 --- /dev/null +++ b/nixpkgs/nixos/tests/moinmoin.nix @@ -0,0 +1,28 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: { + name = "moinmoin"; + meta.maintainers = with lib.maintainers; [ mmilata ]; + + machine = + { ... }: + { services.moinmoin.enable = true; + services.moinmoin.wikis.ExampleWiki.superUsers = [ "admin" ]; + services.moinmoin.wikis.ExampleWiki.webHost = "localhost"; + + services.nginx.virtualHosts.localhost.enableACME = false; + services.nginx.virtualHosts.localhost.forceSSL = false; + }; + + testScript = '' + start_all() + + machine.wait_for_unit("moin-ExampleWiki.service") + machine.wait_for_unit("nginx.service") + machine.wait_for_file("/run/moin/ExampleWiki/gunicorn.sock") + + assert "If you have just installed" in machine.succeed("curl -L http://localhost/") + + assert "status success" in machine.succeed( + "moin-ExampleWiki account create --name=admin --email=admin@example.com --password=foo 2>&1" + ) + ''; +}) diff --git a/nixpkgs/nixos/tests/mongodb.nix b/nixpkgs/nixos/tests/mongodb.nix index 0ccbeb062f92..9ebf84eed232 100644 --- a/nixpkgs/nixos/tests/mongodb.nix +++ b/nixpkgs/nixos/tests/mongodb.nix @@ -1,6 +1,6 @@ # This test start mongodb, runs a query using mongo shell -import ./make-test.nix ({ pkgs, ...} : let +import ./make-test-python.nix ({ pkgs, ...} : let testQuery = pkgs.writeScript "nixtest.js" '' db.greetings.insert({ "greeting": "hello" }); print(db.greetings.findOne().greeting); @@ -33,8 +33,10 @@ in { }; testScript = '' - startAll; - $one->waitForUnit("mongodb.service"); - $one->succeed("mongo -u nixtest -p nixtest nixtest ${testQuery}") =~ /hello/ or die; + start_all() + one.wait_for_unit("mongodb.service") + one.succeed( + "mongo -u nixtest -p nixtest nixtest ${testQuery} | grep -q hello" + ) ''; }) diff --git a/nixpkgs/nixos/tests/moodle.nix b/nixpkgs/nixos/tests/moodle.nix index 565a6b636949..56aa62596c07 100644 --- a/nixpkgs/nixos/tests/moodle.nix +++ b/nixpkgs/nixos/tests/moodle.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, lib, ... }: { +import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "moodle"; meta.maintainers = [ lib.maintainers.aanderse ]; @@ -15,8 +15,8 @@ import ./make-test.nix ({ pkgs, lib, ... }: { }; testScript = '' - startAll; - $machine->waitForUnit('phpfpm-moodle.service'); - $machine->succeed('curl http://localhost/') =~ /You are not logged in/ or die; + start_all() + machine.wait_for_unit("phpfpm-moodle.service") + machine.wait_until_succeeds("curl http://localhost/ | grep 'You are not logged in'") ''; }) diff --git a/nixpkgs/nixos/tests/morty.nix b/nixpkgs/nixos/tests/morty.nix index eab123bd50f8..64c5a27665d6 100644 --- a/nixpkgs/nixos/tests/morty.nix +++ b/nixpkgs/nixos/tests/morty.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, ... }: { name = "morty"; @@ -22,11 +22,9 @@ import ./make-test.nix ({ pkgs, ... }: testScript = { ... }: '' - $mortyProxyWithKey->waitForUnit("default.target"); - - $mortyProxyWithKey->waitForOpenPort(3001); - $mortyProxyWithKey->succeed("curl -L 127.0.0.1:3001 | grep MortyProxy"); - + mortyProxyWithKey.wait_for_unit("default.target") + mortyProxyWithKey.wait_for_open_port(3001) + mortyProxyWithKey.succeed("curl -L 127.0.0.1:3001 | grep MortyProxy") ''; }) diff --git a/nixpkgs/nixos/tests/mosquitto.nix b/nixpkgs/nixos/tests/mosquitto.nix index b4c897c3ab5d..1f2fdf4237fa 100644 --- a/nixpkgs/nixos/tests/mosquitto.nix +++ b/nixpkgs/nixos/tests/mosquitto.nix @@ -1,21 +1,10 @@ -import ./make-test.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, ... }: let port = 1888; username = "mqtt"; password = "VERY_secret"; topic = "test/foo"; - - cmd = bin: pkgs.lib.concatStringsSep " " [ - "${pkgs.mosquitto}/bin/mosquitto_${bin}" - "-V mqttv311" - "-h server" - "-p ${toString port}" - "-u ${username}" - "-P '${password}'" - "-t ${topic}" - ]; - in { name = "mosquitto"; meta = with pkgs.stdenv.lib; { @@ -49,40 +38,53 @@ in { testScript = let file = "/tmp/msg"; - sub = args: - "(${cmd "sub"} -C 1 ${args} | tee ${file} &)"; in '' - startAll; - $server->waitForUnit("mosquitto.service"); + def mosquitto_cmd(binary): + return ( + "${pkgs.mosquitto}/bin/mosquitto_{} " + "-V mqttv311 " + "-h server " + "-p ${toString port} " + "-u ${username} " + "-P '${password}' " + "-t ${topic}" + ).format(binary) + + + def publish(args): + return "{} {}".format(mosquitto_cmd("pub"), args) + - $server->fail("test -f ${file}"); - $client1->fail("test -f ${file}"); - $client2->fail("test -f ${file}"); + def subscribe(args): + return "({} -C 1 {} | tee ${file} &)".format(mosquitto_cmd("sub"), args) + start_all() + server.wait_for_unit("mosquitto.service") + + for machine in server, client1, client2: + machine.fail("test -f ${file}") + # QoS = 0, so only one subscribers should get it - $server->execute("${sub "-q 0"}"); + server.execute(subscribe("-q 0")) # we need to give the subscribers some time to connect - $client2->execute("sleep 5"); - $client2->succeed("${cmd "pub"} -m FOO -q 0"); - - $server->waitUntilSucceeds("grep -q FOO ${file}"); - $server->execute("rm ${file}"); + client2.execute("sleep 5") + client2.succeed(publish("-m FOO -q 0")) + server.wait_until_succeeds("grep -q FOO ${file}") + server.execute("rm ${file}") # QoS = 1, so both subscribers should get it - $server->execute("${sub "-q 1"}"); - $client1->execute("${sub "-q 1"}"); + server.execute(subscribe("-q 1")) + client1.execute(subscribe("-q 1")) # we need to give the subscribers some time to connect - $client2->execute("sleep 5"); - $client2->succeed("${cmd "pub"} -m BAR -q 1"); - - $server->waitUntilSucceeds("grep -q BAR ${file}"); - $server->execute("rm ${file}"); + client2.execute("sleep 5") + client2.succeed(publish("-m BAR -q 1")) - $client1->waitUntilSucceeds("grep -q BAR ${file}"); - $client1->execute("rm ${file}"); + for machine in server, client1: + machine.wait_until_succeeds("grep -q BAR ${file}") + machine.execute("rm ${file}") ''; }) diff --git a/nixpkgs/nixos/tests/mpd.nix b/nixpkgs/nixos/tests/mpd.nix index ac2b810defe3..895b7e2014c8 100644 --- a/nixpkgs/nixos/tests/mpd.nix +++ b/nixpkgs/nixos/tests/mpd.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, lib, ... }: let track = pkgs.fetchurl { # Sourced from http://freemusicarchive.org/music/Blue_Wave_Theory/Surf_Music_Month_Challenge/Skyhawk_Beach_fade_in @@ -46,74 +46,87 @@ import ./make-test.nix ({ pkgs, ... }: }; nodes = - { client = + { client = { ... }: { }; serverALSA = - { ... }: (mkServer { - mpd = defaultMpdCfg // { - network.listenAddress = "any"; - extraConfig = '' - audio_output { - type "alsa" - name "ALSA" - mixer_type "null" - } - ''; - }; - - musicService = with defaultMpdCfg; musicService { inherit user group musicDirectory; }; - }) // { networking.firewall.allowedTCPPorts = [ 6600 ]; }; + { ... }: lib.mkMerge [ + (mkServer { + mpd = defaultMpdCfg // { + network.listenAddress = "any"; + extraConfig = '' + audio_output { + type "alsa" + name "ALSA" + mixer_type "null" + } + ''; + }; + musicService = with defaultMpdCfg; musicService { inherit user group musicDirectory; }; + }) + { networking.firewall.allowedTCPPorts = [ 6600 ]; } + ]; serverPulseAudio = - { ... }: (mkServer { - mpd = defaultMpdCfg // { - extraConfig = '' - audio_output { - type "pulse" - name "The Pulse" - } - ''; - }; - - musicService = with defaultCfg; musicService { inherit user group musicDirectory; }; - }) // { hardware.pulseaudio.enable = true; }; + { ... }: lib.mkMerge [ + (mkServer { + mpd = defaultMpdCfg // { + extraConfig = '' + audio_output { + type "pulse" + name "The Pulse" + } + ''; + }; + + musicService = with defaultCfg; musicService { inherit user group musicDirectory; }; + }) + { + hardware.pulseaudio = { + enable = true; + systemWide = true; + tcp.enable = true; + tcp.anonymousClients.allowAll = true; + }; + systemd.services.mpd.environment.PULSE_SERVER = "localhost"; + } + ]; }; testScript = '' - my $mpc = "${pkgs.mpc_cli}/bin/mpc --wait"; + mpc = "${pkgs.mpc_cli}/bin/mpc --wait" # Connects to the given server and attempts to play a tune. - sub play_some_music { - my $server = $_[0]; + def play_some_music(server): + server.wait_for_unit("mpd.service") + server.succeed(f"{mpc} update") + _, tracks = server.execute(f"{mpc} ls") - $server->waitForUnit("mpd.service"); - $server->succeed("$mpc update"); - my @tracks = $server->execute("$mpc ls"); + for track in tracks.splitlines(): + server.succeed(f"{mpc} add {track}") - for my $track (split(/\n/, $tracks[1])) { - $server->succeed("$mpc add $track"); - }; + _, added_tracks = server.execute(f"{mpc} listall") - my @added_tracks = $server->execute("$mpc listall"); - (length $added_tracks[1]) > 0 or die "Failed to add audio tracks to the playlist."; + # Check we succeeded adding audio tracks to the playlist + assert len(added_tracks.splitlines()) > 0 - $server->succeed("$mpc play"); + server.succeed(f"{mpc} play") - my @status = $server->execute("$mpc status"); - my @output = split(/\n/, $status[1]); - $output[1] =~ /.*playing.*/ or die "Audio track is not playing, as expected."; + _, output = server.execute(f"{mpc} status") + # Assure audio track is playing + assert "playing" in output + + server.succeed(f"{mpc} stop") - $server->succeed("$mpc stop"); - }; - play_some_music($serverALSA); - play_some_music($serverPulseAudio); + play_some_music(serverALSA) + play_some_music(serverPulseAudio) - $client->succeed("$mpc -h serverALSA status"); + client.wait_for_unit("multi-user.target") + client.succeed(f"{mpc} -h serverALSA status") # The PulseAudio-based server is configured not to accept external client connections # to perform the following test: - $client->fail("$mpc -h serverPulseAudio status"); + client.fail(f"{mpc} -h serverPulseAudio status") ''; }) diff --git a/nixpkgs/nixos/tests/mumble.nix b/nixpkgs/nixos/tests/mumble.nix index 652d49a24b1c..e9b6d14c6a1f 100644 --- a/nixpkgs/nixos/tests/mumble.nix +++ b/nixpkgs/nixos/tests/mumble.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : +import ./make-test-python.nix ({ pkgs, ...} : let client = { pkgs, ... }: { @@ -24,50 +24,50 @@ in }; testScript = '' - startAll; + start_all() - $server->waitForUnit("murmur.service"); - $client1->waitForX; - $client2->waitForX; + server.wait_for_unit("murmur.service") + client1.wait_for_x() + client2.wait_for_x() - $client1->execute("mumble mumble://client1\@server/test &"); - $client2->execute("mumble mumble://client2\@server/test &"); + client1.execute("mumble mumble://client1\@server/test &") + client2.execute("mumble mumble://client2\@server/test &") # cancel client audio configuration - $client1->waitForWindow(qr/Audio Tuning Wizard/); - $client2->waitForWindow(qr/Audio Tuning Wizard/); - $server->sleep(5); # wait because mumble is slow to register event handlers - $client1->sendKeys("esc"); - $client2->sendKeys("esc"); + client1.wait_for_window(r"Audio Tuning Wizard") + client2.wait_for_window(r"Audio Tuning Wizard") + server.sleep(5) # wait because mumble is slow to register event handlers + client1.send_key("esc") + client2.send_key("esc") # cancel client cert configuration - $client1->waitForWindow(qr/Certificate Management/); - $client2->waitForWindow(qr/Certificate Management/); - $server->sleep(5); # wait because mumble is slow to register event handlers - $client1->sendKeys("esc"); - $client2->sendKeys("esc"); + client1.wait_for_window(r"Certificate Management") + client2.wait_for_window(r"Certificate Management") + server.sleep(5) # wait because mumble is slow to register event handlers + client1.send_key("esc") + client2.send_key("esc") # accept server certificate - $client1->waitForWindow(qr/^Mumble$/); - $client2->waitForWindow(qr/^Mumble$/); - $server->sleep(5); # wait because mumble is slow to register event handlers - $client1->sendChars("y"); - $client2->sendChars("y"); - $server->sleep(5); # wait because mumble is slow to register event handlers + client1.wait_for_window(r"^Mumble$") + client2.wait_for_window(r"^Mumble$") + server.sleep(5) # wait because mumble is slow to register event handlers + client1.send_chars("y") + client2.send_chars("y") + server.sleep(5) # wait because mumble is slow to register event handlers # sometimes the wrong of the 2 windows is focused, we switch focus and try pressing "y" again - $client1->sendKeys("alt-tab"); - $client2->sendKeys("alt-tab"); - $server->sleep(5); # wait because mumble is slow to register event handlers - $client1->sendChars("y"); - $client2->sendChars("y"); + client1.send_key("alt-tab") + client2.send_key("alt-tab") + server.sleep(5) # wait because mumble is slow to register event handlers + client1.send_chars("y") + client2.send_chars("y") # Find clients in logs - $server->waitUntilSucceeds("journalctl -eu murmur -o cat | grep -q client1"); - $server->waitUntilSucceeds("journalctl -eu murmur -o cat | grep -q client2"); + server.wait_until_succeeds("journalctl -eu murmur -o cat | grep -q client1") + server.wait_until_succeeds("journalctl -eu murmur -o cat | grep -q client2") - $server->sleep(5); # wait to get screenshot - $client1->screenshot("screen1"); - $client2->screenshot("screen2"); + server.sleep(5) # wait to get screenshot + client1.screenshot("screen1") + client2.screenshot("screen2") ''; }) diff --git a/nixpkgs/nixos/tests/munin.nix b/nixpkgs/nixos/tests/munin.nix index 31374aaf77e7..7b674db7768d 100644 --- a/nixpkgs/nixos/tests/munin.nix +++ b/nixpkgs/nixos/tests/munin.nix @@ -1,7 +1,7 @@ # This test runs basic munin setup with node and cron job running on the same # machine. -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "munin"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ domenkozar eelco ]; @@ -12,33 +12,33 @@ import ./make-test.nix ({ pkgs, ...} : { { config, ... }: { services = { - munin-node = { + munin-node = { + enable = true; + # disable a failing plugin to prevent irrelevant error message, see #23049 + disabledPlugins = [ "apc_nis" ]; + }; + munin-cron = { enable = true; - # disable a failing plugin to prevent irrelevant error message, see #23049 - disabledPlugins = [ "apc_nis" ]; - }; - munin-cron = { - enable = true; - hosts = '' - [${config.networking.hostName}] - address localhost - ''; - }; + hosts = '' + [${config.networking.hostName}] + address localhost + ''; + }; }; - # long timeout to prevent hydra failure on high load - systemd.services.munin-node.serviceConfig.TimeoutStartSec = "10min"; + + # increase the systemd timer interval so it fires more often + systemd.timers.munin-cron.timerConfig.OnCalendar = pkgs.stdenv.lib.mkForce "*:*:0/10"; }; }; testScript = '' - startAll; + start_all() - $one->waitForUnit("munin-node.service"); - # make sure the node is actually listening - $one->waitForOpenPort(4949); - $one->succeed('systemctl start munin-cron'); - # wait for munin-cron output - $one->waitForFile("/var/lib/munin/one/one-uptime-uptime-g.rrd"); - $one->waitForFile("/var/www/munin/one/index.html"); + with subtest("ensure munin-node starts and listens on 4949"): + one.wait_for_unit("munin-node.service") + one.wait_for_open_port(4949) + with subtest("ensure munin-cron output is correct"): + one.wait_for_file("/var/lib/munin/one/one-uptime-uptime-g.rrd") + one.wait_for_file("/var/www/munin/one/index.html") ''; }) diff --git a/nixpkgs/nixos/tests/mutable-users.nix b/nixpkgs/nixos/tests/mutable-users.nix index e590703ab2f4..49c7f78b82ed 100644 --- a/nixpkgs/nixos/tests/mutable-users.nix +++ b/nixpkgs/nixos/tests/mutable-users.nix @@ -1,6 +1,6 @@ # Mutable users tests. -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "mutable-users"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ gleber ]; @@ -19,21 +19,27 @@ import ./make-test.nix ({ pkgs, ...} : { immutableSystem = nodes.machine.config.system.build.toplevel; mutableSystem = nodes.mutable.config.system.build.toplevel; in '' - $machine->start(); - $machine->waitForUnit("default.target"); + machine.start() + machine.wait_for_unit("default.target") # Machine starts in immutable mode. Add a user and test if reactivating # configuration removes the user. - $machine->fail("cat /etc/passwd | grep ^foobar:"); - $machine->succeed("sudo useradd foobar"); - $machine->succeed("cat /etc/passwd | grep ^foobar:"); - $machine->succeed("${immutableSystem}/bin/switch-to-configuration test"); - $machine->fail("cat /etc/passwd | grep ^foobar:"); + with subtest("Machine in immutable mode"): + assert "foobar" not in machine.succeed("cat /etc/passwd") + machine.succeed("sudo useradd foobar") + assert "foobar" in machine.succeed("cat /etc/passwd") + machine.succeed( + "${immutableSystem}/bin/switch-to-configuration test" + ) + assert "foobar" not in machine.succeed("cat /etc/passwd") # In immutable mode passwd is not wrapped, while in mutable mode it is # wrapped. - $machine->succeed('which passwd | grep /run/current-system/'); - $machine->succeed("${mutableSystem}/bin/switch-to-configuration test"); - $machine->succeed('which passwd | grep /run/wrappers/'); + with subtest("Password is wrapped in mutable mode"): + assert "/run/current-system/" in machine.succeed("which passwd") + machine.succeed( + "${mutableSystem}/bin/switch-to-configuration test" + ) + assert "/run/wrappers/" in machine.succeed("which passwd") ''; }) diff --git a/nixpkgs/nixos/tests/mxisd.nix b/nixpkgs/nixos/tests/mxisd.nix index 3d03a5a53e38..b2b60db4d822 100644 --- a/nixpkgs/nixos/tests/mxisd.nix +++ b/nixpkgs/nixos/tests/mxisd.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... } : { +import ./make-test-python.nix ({ pkgs, ... } : { name = "mxisd"; meta = with pkgs.stdenv.lib.maintainers; { @@ -10,12 +10,21 @@ import ./make-test.nix ({ pkgs, ... } : { services.mxisd.enable = true; services.mxisd.matrix.domain = "example.org"; }; + + server_ma1sd = args : { + services.mxisd.enable = true; + services.mxisd.matrix.domain = "example.org"; + services.mxisd.package = pkgs.ma1sd; + }; }; testScript = '' - startAll; - $server_mxisd->waitForUnit("mxisd.service"); - $server_mxisd->waitForOpenPort(8090); - $server_mxisd->succeed("curl -Ssf \"http://127.0.0.1:8090/_matrix/identity/api/v1\"") + start_all() + server_mxisd.wait_for_unit("mxisd.service") + server_mxisd.wait_for_open_port(8090) + server_mxisd.succeed("curl -Ssf 'http://127.0.0.1:8090/_matrix/identity/api/v1'") + server_ma1sd.wait_for_unit("mxisd.service") + server_ma1sd.wait_for_open_port(8090) + server_ma1sd.succeed("curl -Ssf 'http://127.0.0.1:8090/_matrix/identity/api/v1'") ''; }) diff --git a/nixpkgs/nixos/tests/mysql-backup.nix b/nixpkgs/nixos/tests/mysql-backup.nix index 81482dfef7e5..a0595e4d5539 100644 --- a/nixpkgs/nixos/tests/mysql-backup.nix +++ b/nixpkgs/nixos/tests/mysql-backup.nix @@ -1,5 +1,5 @@ # Test whether mysqlBackup option works -import ./make-test.nix ({ pkgs, ... } : { +import ./make-test-python.nix ({ pkgs, ... } : { name = "mysql-backup"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ rvl ]; @@ -20,31 +20,37 @@ import ./make-test.nix ({ pkgs, ... } : { }; }; - testScript = - '' startAll; + testScript = '' + start_all() - # Delete backup file that may be left over from a previous test run. - # This is not needed on Hydra but useful for repeated local test runs. - $master->execute("rm -f /var/backup/mysql/testdb.gz"); + # Delete backup file that may be left over from a previous test run. + # This is not needed on Hydra but useful for repeated local test runs. + master.execute("rm -f /var/backup/mysql/testdb.gz") - # Need to have mysql started so that it can be populated with data. - $master->waitForUnit("mysql.service"); + # Need to have mysql started so that it can be populated with data. + master.wait_for_unit("mysql.service") - # Wait for testdb to be fully populated (5 rows). - $master->waitUntilSucceeds("mysql -u root -D testdb -N -B -e 'select count(id) from tests' | grep -q 5"); + # Wait for testdb to be fully populated (5 rows). + master.wait_until_succeeds( + "mysql -u root -D testdb -N -B -e 'select count(id) from tests' | grep -q 5" + ) - # Do a backup and wait for it to start - $master->startJob("mysql-backup.service"); - $master->waitForJob("mysql-backup.service"); + # Do a backup and wait for it to start + master.start_job("mysql-backup.service") + master.wait_for_unit("mysql-backup.service") - # wait for backup to fail, because of database 'doesnotexist' - $master->waitUntilFails("systemctl is-active -q mysql-backup.service"); + # wait for backup to fail, because of database 'doesnotexist' + master.wait_until_fails("systemctl is-active -q mysql-backup.service") - # wait for backup file and check that data appears in backup - $master->waitForFile("/var/backup/mysql/testdb.gz"); - $master->succeed("${pkgs.gzip}/bin/zcat /var/backup/mysql/testdb.gz | grep hello"); + # wait for backup file and check that data appears in backup + master.wait_for_file("/var/backup/mysql/testdb.gz") + master.succeed( + "${pkgs.gzip}/bin/zcat /var/backup/mysql/testdb.gz | grep hello" + ) - # Check that a failed backup is logged - $master->succeed("journalctl -u mysql-backup.service | grep 'fail.*doesnotexist' > /dev/null"); - ''; + # Check that a failed backup is logged + master.succeed( + "journalctl -u mysql-backup.service | grep 'fail.*doesnotexist' > /dev/null" + ) + ''; }) diff --git a/nixpkgs/nixos/tests/mysql-replication.nix b/nixpkgs/nixos/tests/mysql-replication.nix index c75a862106f6..a2654f041add 100644 --- a/nixpkgs/nixos/tests/mysql-replication.nix +++ b/nixpkgs/nixos/tests/mysql-replication.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : +import ./make-test-python.nix ({ pkgs, ...} : let replicateUser = "replicate"; @@ -54,28 +54,36 @@ in }; testScript = '' - $master->start; - $master->waitForUnit("mysql"); - $master->waitForOpenPort(3306); + master.start() + master.wait_for_unit("mysql") + master.wait_for_open_port(3306) # Wait for testdb to be fully populated (5 rows). - $master->waitUntilSucceeds("mysql -u root -D testdb -N -B -e 'select count(id) from tests' | grep -q 5"); + master.wait_until_succeeds( + "mysql -u root -D testdb -N -B -e 'select count(id) from tests' | grep -q 5" + ) - $slave1->start; - $slave2->start; - $slave1->waitForUnit("mysql"); - $slave1->waitForOpenPort(3306); - $slave2->waitForUnit("mysql"); - $slave2->waitForOpenPort(3306); + slave1.start() + slave2.start() + slave1.wait_for_unit("mysql") + slave1.wait_for_open_port(3306) + slave2.wait_for_unit("mysql") + slave2.wait_for_open_port(3306) # wait for replications to finish - $slave1->waitUntilSucceeds("mysql -u root -D testdb -N -B -e 'select count(id) from tests' | grep -q 5"); - $slave2->waitUntilSucceeds("mysql -u root -D testdb -N -B -e 'select count(id) from tests' | grep -q 5"); + slave1.wait_until_succeeds( + "mysql -u root -D testdb -N -B -e 'select count(id) from tests' | grep -q 5" + ) + slave2.wait_until_succeeds( + "mysql -u root -D testdb -N -B -e 'select count(id) from tests' | grep -q 5" + ) - $slave2->succeed("systemctl stop mysql"); - $master->succeed("echo 'insert into testdb.tests values (123, 456);' | mysql -u root -N"); - $slave2->succeed("systemctl start mysql"); - $slave2->waitForUnit("mysql"); - $slave2->waitForOpenPort(3306); - $slave2->waitUntilSucceeds("echo 'select * from testdb.tests where Id = 123;' | mysql -u root -N | grep 456"); + slave2.succeed("systemctl stop mysql") + master.succeed("echo 'insert into testdb.tests values (123, 456);' | mysql -u root -N") + slave2.succeed("systemctl start mysql") + slave2.wait_for_unit("mysql") + slave2.wait_for_open_port(3306) + slave2.wait_until_succeeds( + "echo 'select * from testdb.tests where Id = 123;' | mysql -u root -N | grep 456" + ) ''; }) diff --git a/nixpkgs/nixos/tests/mysql.nix b/nixpkgs/nixos/tests/mysql.nix index 05bd968de02d..924bac84e26c 100644 --- a/nixpkgs/nixos/tests/mysql.nix +++ b/nixpkgs/nixos/tests/mysql.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "mysql"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ eelco shlevy ]; @@ -27,6 +27,7 @@ import ./make-test.nix ({ pkgs, ...} : { { users.users.testuser = { }; + users.users.testuser2 = { }; services.mysql.enable = true; services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' ALTER USER root@localhost IDENTIFIED WITH unix_socket; @@ -34,12 +35,17 @@ import ./make-test.nix ({ pkgs, ...} : { DELETE FROM mysql.user WHERE user = '''; FLUSH PRIVILEGES; ''; - services.mysql.ensureDatabases = [ "testdb" ]; + services.mysql.ensureDatabases = [ "testdb" "testdb2" ]; services.mysql.ensureUsers = [{ name = "testuser"; ensurePermissions = { "testdb.*" = "ALL PRIVILEGES"; }; + } { + name = "testuser2"; + ensurePermissions = { + "testdb2.*" = "ALL PRIVILEGES"; + }; }]; services.mysql.package = pkgs.mariadb; }; @@ -47,17 +53,31 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; + start_all() - $mysql->waitForUnit("mysql"); - $mysql->succeed("echo 'use empty_testdb;' | mysql -u root"); - $mysql->succeed("echo 'use testdb; select * from tests;' | mysql -u root -N | grep 4"); + mysql.wait_for_unit("mysql") + mysql.succeed("echo 'use empty_testdb;' | mysql -u root") + mysql.succeed("echo 'use testdb; select * from tests;' | mysql -u root -N | grep 4") # ';' acts as no-op, just check whether login succeeds with the user created from the initialScript - $mysql->succeed("echo ';' | mysql -u passworduser --password=password123"); + mysql.succeed("echo ';' | mysql -u passworduser --password=password123") - $mariadb->waitForUnit("mysql"); - $mariadb->succeed("echo 'use testdb; create table tests (test_id INT, PRIMARY KEY (test_id));' | sudo -u testuser mysql -u testuser"); - $mariadb->succeed("echo 'use testdb; insert into tests values (42);' | sudo -u testuser mysql -u testuser"); - $mariadb->succeed("echo 'use testdb; select test_id from tests;' | sudo -u testuser mysql -u testuser -N | grep 42"); + mariadb.wait_for_unit("mysql") + mariadb.succeed( + "echo 'use testdb; create table tests (test_id INT, PRIMARY KEY (test_id));' | sudo -u testuser mysql -u testuser" + ) + mariadb.succeed( + "echo 'use testdb; insert into tests values (42);' | sudo -u testuser mysql -u testuser" + ) + # Ensure testuser2 is not able to insert into testdb as mysql testuser2 + mariadb.fail( + "echo 'use testdb; insert into tests values (23);' | sudo -u testuser2 mysql -u testuser2" + ) + # Ensure testuser2 is not able to authenticate as mysql testuser + mariadb.fail( + "echo 'use testdb; insert into tests values (23);' | sudo -u testuser2 mysql -u testuser" + ) + mariadb.succeed( + "echo 'use testdb; select test_id from tests;' | sudo -u testuser mysql -u testuser -N | grep 42" + ) ''; }) diff --git a/nixpkgs/nixos/tests/nagios.nix b/nixpkgs/nixos/tests/nagios.nix new file mode 100644 index 000000000000..6f5d44472878 --- /dev/null +++ b/nixpkgs/nixos/tests/nagios.nix @@ -0,0 +1,116 @@ +import ./make-test-python.nix ( + { pkgs, ... }: { + name = "nagios"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ symphorien ]; + }; + + machine = { lib, ... }: let + writer = pkgs.writeShellScript "write" '' + set -x + echo "$@" >> /tmp/notifications + ''; + in + { + # tested service + services.sshd.enable = true; + # nagios + services.nagios = { + enable = true; + # make state transitions faster + extraConfig.interval_length = "5"; + objectDefs = + (map (x: "${pkgs.nagios}/etc/objects/${x}.cfg") [ "templates" "timeperiods" "commands" ]) ++ [ + ( + pkgs.writeText "objects.cfg" '' + # notifications are written to /tmp/notifications + define command { + command_name notify-host-by-file + command_line ${writer} "$HOSTNAME is $HOSTSTATE$" + } + define command { + command_name notify-service-by-file + command_line ${writer} "$SERVICEDESC$ is $SERVICESTATE$" + } + + # nagios boilerplate + define contact { + contact_name alice + alias alice + host_notifications_enabled 1 + service_notifications_enabled 1 + service_notification_period 24x7 + host_notification_period 24x7 + service_notification_options w,u,c,r,f,s + host_notification_options d,u,r,f,s + service_notification_commands notify-service-by-file + host_notification_commands notify-host-by-file + email foo@example.com + } + define contactgroup { + contactgroup_name admins + alias Admins + members alice + } + define hostgroup{ + hostgroup_name allhosts + alias All hosts + } + + # monitored objects + define host { + use generic-host + host_name localhost + alias localhost + address localhost + hostgroups allhosts + contact_groups admins + # make state transitions faster. + max_check_attempts 2 + check_interval 1 + retry_interval 1 + } + define service { + use generic-service + host_name localhost + service_description ssh + check_command check_ssh + # make state transitions faster. + max_check_attempts 2 + check_interval 1 + retry_interval 1 + } + '' + ) + ]; + }; + }; + + testScript = { ... }: '' + with subtest("ensure sshd starts"): + machine.wait_for_unit("sshd.service") + + + with subtest("ensure nagios starts"): + machine.wait_for_file("/var/log/nagios/current") + + + def assert_notify(text): + machine.wait_for_file("/tmp/notifications") + real = machine.succeed("cat /tmp/notifications").strip() + print(f"got {real!r}, expected {text!r}") + assert text == real + + + with subtest("ensure we get a notification when sshd is down"): + machine.succeed("systemctl stop sshd") + assert_notify("ssh is CRITICAL") + + + with subtest("ensure tests can succeed"): + machine.succeed("systemctl start sshd") + machine.succeed("rm /tmp/notifications") + assert_notify("ssh is OK") + ''; + } +) diff --git a/nixpkgs/nixos/tests/nat.nix b/nixpkgs/nixos/tests/nat.nix index 51d9cf166bb6..0d1f7aaedfa2 100644 --- a/nixpkgs/nixos/tests/nat.nix +++ b/nixpkgs/nixos/tests/nat.nix @@ -3,7 +3,7 @@ # client on the inside network, a server on the outside network, and a # router connected to both that performs Network Address Translation # for the client. -import ./make-test.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? false, ... }: +import ./make-test-python.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? false, ... }: let unit = if withFirewall then "firewall" else "nat"; @@ -69,49 +69,52 @@ import ./make-test.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? false, routerDummyNoNatClosure = nodes.routerDummyNoNat.config.system.build.toplevel; routerClosure = nodes.router.config.system.build.toplevel; in '' - $client->start; - $router->start; - $server->start; + client.start() + router.start() + server.start() # The router should have access to the server. - $server->waitForUnit("network.target"); - $server->waitForUnit("httpd"); - $router->waitForUnit("network.target"); - $router->succeed("curl --fail http://server/ >&2"); + server.wait_for_unit("network.target") + server.wait_for_unit("httpd") + router.wait_for_unit("network.target") + router.succeed("curl --fail http://server/ >&2") # The client should be also able to connect via the NAT router. - $router->waitForUnit("${unit}"); - $client->waitForUnit("network.target"); - $client->succeed("curl --fail http://server/ >&2"); - $client->succeed("ping -c 1 server >&2"); + router.wait_for_unit("${unit}") + client.wait_for_unit("network.target") + client.succeed("curl --fail http://server/ >&2") + client.succeed("ping -c 1 server >&2") # Test whether passive FTP works. - $server->waitForUnit("vsftpd"); - $server->succeed("echo Hello World > /home/ftp/foo.txt"); - $client->succeed("curl -v ftp://server/foo.txt >&2"); + server.wait_for_unit("vsftpd") + server.succeed("echo Hello World > /home/ftp/foo.txt") + client.succeed("curl -v ftp://server/foo.txt >&2") # Test whether active FTP works. - $client->${if withConntrackHelpers then "succeed" else "fail"}( - "curl -v -P - ftp://server/foo.txt >&2"); + client.${if withConntrackHelpers then "succeed" else "fail"}("curl -v -P - ftp://server/foo.txt >&2") # Test ICMP. - $client->succeed("ping -c 1 router >&2"); - $router->succeed("ping -c 1 client >&2"); + client.succeed("ping -c 1 router >&2") + router.succeed("ping -c 1 client >&2") # If we turn off NAT, the client shouldn't be able to reach the server. - $router->succeed("${routerDummyNoNatClosure}/bin/switch-to-configuration test 2>&1"); - $client->fail("curl --fail --connect-timeout 5 http://server/ >&2"); - $client->fail("ping -c 1 server >&2"); + router.succeed( + "${routerDummyNoNatClosure}/bin/switch-to-configuration test 2>&1" + ) + client.fail("curl --fail --connect-timeout 5 http://server/ >&2") + client.fail("ping -c 1 server >&2") # And make sure that reloading the NAT job works. - $router->succeed("${routerClosure}/bin/switch-to-configuration test 2>&1"); + router.succeed( + "${routerClosure}/bin/switch-to-configuration test 2>&1" + ) # FIXME: this should not be necessary, but nat.service is not started because # network.target is not triggered # (https://github.com/NixOS/nixpkgs/issues/16230#issuecomment-226408359) ${lib.optionalString (!withFirewall) '' - $router->succeed("systemctl start nat.service"); + router.succeed("systemctl start nat.service") ''} - $client->succeed("curl --fail http://server/ >&2"); - $client->succeed("ping -c 1 server >&2"); + client.succeed("curl --fail http://server/ >&2") + client.succeed("ping -c 1 server >&2") ''; }) diff --git a/nixpkgs/nixos/tests/ndppd.nix b/nixpkgs/nixos/tests/ndppd.nix index 6a6f602726de..b67b26a79341 100644 --- a/nixpkgs/nixos/tests/ndppd.nix +++ b/nixpkgs/nixos/tests/ndppd.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, lib, ...} : { +import ./make-test-python.nix ({ pkgs, lib, ...} : { name = "ndppd"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ fpletz ]; @@ -52,9 +52,9 @@ import ./make-test.nix ({ pkgs, lib, ...} : { }; testScript = '' - startAll; - $server->waitForUnit("multi-user.target"); - $upstream->waitForUnit("multi-user.target"); - $upstream->waitUntilSucceeds("ping -c5 fd42::2"); + start_all() + server.wait_for_unit("multi-user.target") + upstream.wait_for_unit("multi-user.target") + upstream.wait_until_succeeds("ping -c5 fd42::2") ''; }) diff --git a/nixpkgs/nixos/tests/neo4j.nix b/nixpkgs/nixos/tests/neo4j.nix index 86ed8970517c..32ee7f501b8b 100644 --- a/nixpkgs/nixos/tests/neo4j.nix +++ b/nixpkgs/nixos/tests/neo4j.nix @@ -1,4 +1,4 @@ -import ./make-test.nix { +import ./make-test-python.nix { name = "neo4j"; nodes = { @@ -11,10 +11,10 @@ import ./make-test.nix { }; testScript = '' - startAll; + start_all() - $master->waitForUnit("neo4j"); - $master->sleep(20); # Hopefully this is long enough!! - $master->succeed("curl http://localhost:7474/"); + master.wait_for_unit("neo4j") + master.wait_for_open_port(7474) + master.succeed("curl http://localhost:7474/") ''; } diff --git a/nixpkgs/nixos/tests/nesting.nix b/nixpkgs/nixos/tests/nesting.nix index 1306d6f8e0c5..6388b67a6e40 100644 --- a/nixpkgs/nixos/tests/nesting.nix +++ b/nixpkgs/nixos/tests/nesting.nix @@ -1,4 +1,4 @@ -import ./make-test.nix { +import ./make-test-python.nix { name = "nesting"; nodes = { clone = { pkgs, ... }: { @@ -19,24 +19,26 @@ import ./make-test.nix { }; }; testScript = '' - $clone->waitForUnit("default.target"); - $clone->succeed("cowsay hey"); - $clone->fail("hello"); + clone.wait_for_unit("default.target") + clone.succeed("cowsay hey") + clone.fail("hello") - # Nested clones do inherit from parent - $clone->succeed("/run/current-system/fine-tune/child-1/bin/switch-to-configuration test"); - $clone->succeed("cowsay hey"); - $clone->succeed("hello"); + with subtest("Nested clones do inherit from parent"): + clone.succeed( + "/run/current-system/fine-tune/child-1/bin/switch-to-configuration test" + ) + clone.succeed("cowsay hey") + clone.succeed("hello") + children.wait_for_unit("default.target") + children.succeed("cowsay hey") + children.fail("hello") - $children->waitForUnit("default.target"); - $children->succeed("cowsay hey"); - $children->fail("hello"); - - # Nested children do not inherit from parent - $children->succeed("/run/current-system/fine-tune/child-1/bin/switch-to-configuration test"); - $children->fail("cowsay hey"); - $children->succeed("hello"); - + with subtest("Nested children do not inherit from parent"): + children.succeed( + "/run/current-system/fine-tune/child-1/bin/switch-to-configuration test" + ) + children.fail("cowsay hey") + children.succeed("hello") ''; } diff --git a/nixpkgs/nixos/tests/netdata.nix b/nixpkgs/nixos/tests/netdata.nix index 9bd147968e4b..4ddc96e8bc22 100644 --- a/nixpkgs/nixos/tests/netdata.nix +++ b/nixpkgs/nixos/tests/netdata.nix @@ -1,6 +1,6 @@ # This test runs netdata and checks for data via apps.plugin -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "netdata"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ cransom ]; @@ -16,23 +16,23 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; + start_all() - $netdata->waitForUnit("netdata.service"); + netdata.wait_for_unit("netdata.service") # wait for the service to listen before sending a request - $netdata->waitForOpenPort(19999); + netdata.wait_for_open_port(19999) # check if the netdata main page loads. - $netdata->succeed("curl --fail http://localhost:19999/"); + netdata.succeed("curl --fail http://localhost:19999/") + netdata.succeed("sleep 4") # check if netdata can read disk ops for root owned processes. # if > 0, successful. verifies both netdata working and # apps.plugin has elevated capabilities. - my $cmd = <<'CMD'; - curl -s http://localhost:19999/api/v1/data\?chart=users.pwrites | \ - jq -e '[.data[range(10)][.labels | indices("root")[0]]] | add | . > 0' - CMD - $netdata->waitUntilSucceeds($cmd); + url = "http://localhost:19999/api/v1/data\?chart=users.pwrites" + filter = '[.data[range(10)][.labels | indices("root")[0]]] | add | . > 0' + cmd = f"curl -s {url} | jq -e '{filter}'" + netdata.wait_until_succeeds(cmd) ''; }) diff --git a/nixpkgs/nixos/tests/networking.nix b/nixpkgs/nixos/tests/networking.nix index 7452768033ab..9448a104073f 100644 --- a/nixpkgs/nixos/tests/networking.nix +++ b/nixpkgs/nixos/tests/networking.nix @@ -4,7 +4,7 @@ # bool: whether to use networkd in the tests , networkd }: -with import ../lib/testing.nix { inherit system pkgs; }; +with import ../lib/testing-python.nix { inherit system pkgs; }; with pkgs.lib; let @@ -72,12 +72,14 @@ let testCases = { loopback = { name = "Loopback"; + machine.networking.useDHCP = false; machine.networking.useNetworkd = networkd; testScript = '' - startAll; - $machine->waitForUnit("network.target"); - $machine->succeed("ip addr show lo | grep -q 'inet 127.0.0.1/8 '"); - $machine->succeed("ip addr show lo | grep -q 'inet6 ::1/128 '"); + start_all() + machine.wait_for_unit("network.target") + loopback_addresses = machine.succeed("ip addr show lo") + assert "inet 127.0.0.1/8" in loopback_addresses + assert "inet6 ::1/128" in loopback_addresses ''; }; static = { @@ -101,35 +103,35 @@ let }; testScript = { ... }: '' - startAll; + start_all() - $client->waitForUnit("network.target"); - $router->waitForUnit("network-online.target"); + client.wait_for_unit("network.target") + router.wait_for_unit("network-online.target") - # Make sure dhcpcd is not started - $client->fail("systemctl status dhcpcd.service"); + with subtest("Make sure dhcpcd is not started"): + client.fail("systemctl status dhcpcd.service") - # Test vlan 1 - $client->waitUntilSucceeds("ping -c 1 192.168.1.1"); - $client->waitUntilSucceeds("ping -c 1 192.168.1.2"); - $client->waitUntilSucceeds("ping -c 1 192.168.1.3"); - $client->waitUntilSucceeds("ping -c 1 192.168.1.10"); + with subtest("Test vlan 1"): + client.wait_until_succeeds("ping -c 1 192.168.1.1") + client.wait_until_succeeds("ping -c 1 192.168.1.2") + client.wait_until_succeeds("ping -c 1 192.168.1.3") + client.wait_until_succeeds("ping -c 1 192.168.1.10") - $router->waitUntilSucceeds("ping -c 1 192.168.1.1"); - $router->waitUntilSucceeds("ping -c 1 192.168.1.2"); - $router->waitUntilSucceeds("ping -c 1 192.168.1.3"); - $router->waitUntilSucceeds("ping -c 1 192.168.1.10"); + router.wait_until_succeeds("ping -c 1 192.168.1.1") + router.wait_until_succeeds("ping -c 1 192.168.1.2") + router.wait_until_succeeds("ping -c 1 192.168.1.3") + router.wait_until_succeeds("ping -c 1 192.168.1.10") - # Test vlan 2 - $client->waitUntilSucceeds("ping -c 1 192.168.2.1"); - $client->waitUntilSucceeds("ping -c 1 192.168.2.2"); + with subtest("Test vlan 2"): + client.wait_until_succeeds("ping -c 1 192.168.2.1") + client.wait_until_succeeds("ping -c 1 192.168.2.2") - $router->waitUntilSucceeds("ping -c 1 192.168.2.1"); - $router->waitUntilSucceeds("ping -c 1 192.168.2.2"); + router.wait_until_succeeds("ping -c 1 192.168.2.1") + router.wait_until_succeeds("ping -c 1 192.168.2.2") - # Test default gateway - $router->waitUntilSucceeds("ping -c 1 192.168.3.1"); - $client->waitUntilSucceeds("ping -c 1 192.168.3.1"); + with subtest("Test default gateway"): + router.wait_until_succeeds("ping -c 1 192.168.3.1") + client.wait_until_succeeds("ping -c 1 192.168.3.1") ''; }; dhcpSimple = { @@ -139,51 +141,53 @@ let virtualisation.vlans = [ 1 2 ]; networking = { useNetworkd = networkd; - useDHCP = true; + useDHCP = false; interfaces.eth1 = { ipv4.addresses = mkOverride 0 [ ]; ipv6.addresses = mkOverride 0 [ ]; + useDHCP = true; }; interfaces.eth2 = { ipv4.addresses = mkOverride 0 [ ]; ipv6.addresses = mkOverride 0 [ ]; + useDHCP = true; }; }; }; testScript = { ... }: '' - startAll; - - $client->waitForUnit("network.target"); - $router->waitForUnit("network-online.target"); - - # Wait until we have an ip address on each interface - $client->waitUntilSucceeds("ip addr show dev eth1 | grep -q '192.168.1'"); - $client->waitUntilSucceeds("ip addr show dev eth1 | grep -q 'fd00:1234:5678:1:'"); - $client->waitUntilSucceeds("ip addr show dev eth2 | grep -q '192.168.2'"); - $client->waitUntilSucceeds("ip addr show dev eth2 | grep -q 'fd00:1234:5678:2:'"); - - # Test vlan 1 - $client->waitUntilSucceeds("ping -c 1 192.168.1.1"); - $client->waitUntilSucceeds("ping -c 1 192.168.1.2"); - $client->waitUntilSucceeds("ping -c 1 fd00:1234:5678:1::1"); - $client->waitUntilSucceeds("ping -c 1 fd00:1234:5678:1::2"); - - $router->waitUntilSucceeds("ping -c 1 192.168.1.1"); - $router->waitUntilSucceeds("ping -c 1 192.168.1.2"); - $router->waitUntilSucceeds("ping -c 1 fd00:1234:5678:1::1"); - $router->waitUntilSucceeds("ping -c 1 fd00:1234:5678:1::2"); - - # Test vlan 2 - $client->waitUntilSucceeds("ping -c 1 192.168.2.1"); - $client->waitUntilSucceeds("ping -c 1 192.168.2.2"); - $client->waitUntilSucceeds("ping -c 1 fd00:1234:5678:2::1"); - $client->waitUntilSucceeds("ping -c 1 fd00:1234:5678:2::2"); - - $router->waitUntilSucceeds("ping -c 1 192.168.2.1"); - $router->waitUntilSucceeds("ping -c 1 192.168.2.2"); - $router->waitUntilSucceeds("ping -c 1 fd00:1234:5678:2::1"); - $router->waitUntilSucceeds("ping -c 1 fd00:1234:5678:2::2"); + start_all() + + client.wait_for_unit("network.target") + router.wait_for_unit("network-online.target") + + with subtest("Wait until we have an ip address on each interface"): + client.wait_until_succeeds("ip addr show dev eth1 | grep -q '192.168.1'") + client.wait_until_succeeds("ip addr show dev eth1 | grep -q 'fd00:1234:5678:1:'") + client.wait_until_succeeds("ip addr show dev eth2 | grep -q '192.168.2'") + client.wait_until_succeeds("ip addr show dev eth2 | grep -q 'fd00:1234:5678:2:'") + + with subtest("Test vlan 1"): + client.wait_until_succeeds("ping -c 1 192.168.1.1") + client.wait_until_succeeds("ping -c 1 192.168.1.2") + client.wait_until_succeeds("ping -c 1 fd00:1234:5678:1::1") + client.wait_until_succeeds("ping -c 1 fd00:1234:5678:1::2") + + router.wait_until_succeeds("ping -c 1 192.168.1.1") + router.wait_until_succeeds("ping -c 1 192.168.1.2") + router.wait_until_succeeds("ping -c 1 fd00:1234:5678:1::1") + router.wait_until_succeeds("ping -c 1 fd00:1234:5678:1::2") + + with subtest("Test vlan 2"): + client.wait_until_succeeds("ping -c 1 192.168.2.1") + client.wait_until_succeeds("ping -c 1 192.168.2.2") + client.wait_until_succeeds("ping -c 1 fd00:1234:5678:2::1") + client.wait_until_succeeds("ping -c 1 fd00:1234:5678:2::2") + + router.wait_until_succeeds("ping -c 1 192.168.2.1") + router.wait_until_succeeds("ping -c 1 192.168.2.2") + router.wait_until_succeeds("ping -c 1 fd00:1234:5678:2::1") + router.wait_until_succeeds("ping -c 1 fd00:1234:5678:2::2") ''; }; dhcpOneIf = { @@ -203,28 +207,28 @@ let }; testScript = { ... }: '' - startAll; + start_all() - # Wait for networking to come up - $client->waitForUnit("network.target"); - $router->waitForUnit("network.target"); + with subtest("Wait for networking to come up"): + client.wait_for_unit("network.target") + router.wait_for_unit("network.target") - # Wait until we have an ip address on each interface - $client->waitUntilSucceeds("ip addr show dev eth1 | grep -q '192.168.1'"); + with subtest("Wait until we have an ip address on each interface"): + client.wait_until_succeeds("ip addr show dev eth1 | grep -q '192.168.1'") - # Test vlan 1 - $client->waitUntilSucceeds("ping -c 1 192.168.1.1"); - $client->waitUntilSucceeds("ping -c 1 192.168.1.2"); + with subtest("Test vlan 1"): + client.wait_until_succeeds("ping -c 1 192.168.1.1") + client.wait_until_succeeds("ping -c 1 192.168.1.2") - $router->waitUntilSucceeds("ping -c 1 192.168.1.1"); - $router->waitUntilSucceeds("ping -c 1 192.168.1.2"); + router.wait_until_succeeds("ping -c 1 192.168.1.1") + router.wait_until_succeeds("ping -c 1 192.168.1.2") - # Test vlan 2 - $client->waitUntilSucceeds("ping -c 1 192.168.2.1"); - $client->fail("ping -c 1 192.168.2.2"); + with subtest("Test vlan 2"): + client.wait_until_succeeds("ping -c 1 192.168.2.1") + client.fail("ping -c 1 192.168.2.2") - $router->waitUntilSucceeds("ping -c 1 192.168.2.1"); - $router->fail("ping -c 1 192.168.2.2"); + router.wait_until_succeeds("ping -c 1 192.168.2.1") + router.fail("ping -c 1 192.168.2.2") ''; }; bond = let @@ -249,18 +253,18 @@ let nodes.client2 = node "192.168.1.2"; testScript = { ... }: '' - startAll; + start_all() - # Wait for networking to come up - $client1->waitForUnit("network.target"); - $client2->waitForUnit("network.target"); + with subtest("Wait for networking to come up"): + client1.wait_for_unit("network.target") + client2.wait_for_unit("network.target") - # Test bonding - $client1->waitUntilSucceeds("ping -c 2 192.168.1.1"); - $client1->waitUntilSucceeds("ping -c 2 192.168.1.2"); + with subtest("Test bonding"): + client1.wait_until_succeeds("ping -c 2 192.168.1.1") + client1.wait_until_succeeds("ping -c 2 192.168.1.2") - $client2->waitUntilSucceeds("ping -c 2 192.168.1.1"); - $client2->waitUntilSucceeds("ping -c 2 192.168.1.2"); + client2.wait_until_succeeds("ping -c 2 192.168.1.1") + client2.wait_until_succeeds("ping -c 2 192.168.1.2") ''; }; bridge = let @@ -291,25 +295,24 @@ let }; testScript = { ... }: '' - startAll; + start_all() - # Wait for networking to come up - $client1->waitForUnit("network.target"); - $client2->waitForUnit("network.target"); - $router->waitForUnit("network.target"); + with subtest("Wait for networking to come up"): + for machine in client1, client2, router: + machine.wait_for_unit("network.target") - # Test bridging - $client1->waitUntilSucceeds("ping -c 1 192.168.1.1"); - $client1->waitUntilSucceeds("ping -c 1 192.168.1.2"); - $client1->waitUntilSucceeds("ping -c 1 192.168.1.3"); + with subtest("Test bridging"): + client1.wait_until_succeeds("ping -c 1 192.168.1.1") + client1.wait_until_succeeds("ping -c 1 192.168.1.2") + client1.wait_until_succeeds("ping -c 1 192.168.1.3") - $client2->waitUntilSucceeds("ping -c 1 192.168.1.1"); - $client2->waitUntilSucceeds("ping -c 1 192.168.1.2"); - $client2->waitUntilSucceeds("ping -c 1 192.168.1.3"); + client2.wait_until_succeeds("ping -c 1 192.168.1.1") + client2.wait_until_succeeds("ping -c 1 192.168.1.2") + client2.wait_until_succeeds("ping -c 1 192.168.1.3") - $router->waitUntilSucceeds("ping -c 1 192.168.1.1"); - $router->waitUntilSucceeds("ping -c 1 192.168.1.2"); - $router->waitUntilSucceeds("ping -c 1 192.168.1.3"); + router.wait_until_succeeds("ping -c 1 192.168.1.1") + router.wait_until_succeeds("ping -c 1 192.168.1.2") + router.wait_until_succeeds("ping -c 1 192.168.1.3") ''; }; macvlan = { @@ -320,46 +323,52 @@ let virtualisation.vlans = [ 1 ]; networking = { useNetworkd = networkd; + useDHCP = false; firewall.logReversePathDrops = true; # to debug firewall rules # reverse path filtering rules for the macvlan interface seem # to be incorrect, causing the test to fail. Disable temporarily. firewall.checkReversePath = false; - useDHCP = true; macvlans.macvlan.interface = "eth1"; - interfaces.eth1.ipv4.addresses = mkOverride 0 [ ]; + interfaces.eth1 = { + ipv4.addresses = mkOverride 0 [ ]; + useDHCP = true; + }; + interfaces.macvlan = { + useDHCP = true; + }; }; }; testScript = { ... }: '' - startAll; - - # Wait for networking to come up - $client->waitForUnit("network.target"); - $router->waitForUnit("network.target"); - - # Wait until we have an ip address on each interface - $client->waitUntilSucceeds("ip addr show dev eth1 | grep -q '192.168.1'"); - $client->waitUntilSucceeds("ip addr show dev macvlan | grep -q '192.168.1'"); - - # Print lots of diagnostic information - $router->log('**********************************************'); - $router->succeed("ip addr >&2"); - $router->succeed("ip route >&2"); - $router->execute("iptables-save >&2"); - $client->log('=============================================='); - $client->succeed("ip addr >&2"); - $client->succeed("ip route >&2"); - $client->execute("iptables-save >&2"); - $client->log('##############################################'); - - # Test macvlan creates routable ips - $client->waitUntilSucceeds("ping -c 1 192.168.1.1"); - $client->waitUntilSucceeds("ping -c 1 192.168.1.2"); - $client->waitUntilSucceeds("ping -c 1 192.168.1.3"); - - $router->waitUntilSucceeds("ping -c 1 192.168.1.1"); - $router->waitUntilSucceeds("ping -c 1 192.168.1.2"); - $router->waitUntilSucceeds("ping -c 1 192.168.1.3"); + start_all() + + with subtest("Wait for networking to come up"): + client.wait_for_unit("network.target") + router.wait_for_unit("network.target") + + with subtest("Wait until we have an ip address on each interface"): + client.wait_until_succeeds("ip addr show dev eth1 | grep -q '192.168.1'") + client.wait_until_succeeds("ip addr show dev macvlan | grep -q '192.168.1'") + + with subtest("Print lots of diagnostic information"): + router.log("**********************************************") + router.succeed("ip addr >&2") + router.succeed("ip route >&2") + router.execute("iptables-save >&2") + client.log("==============================================") + client.succeed("ip addr >&2") + client.succeed("ip route >&2") + client.execute("iptables-save >&2") + client.log("##############################################") + + with subtest("Test macvlan creates routable ips"): + client.wait_until_succeeds("ping -c 1 192.168.1.1") + client.wait_until_succeeds("ping -c 1 192.168.1.2") + client.wait_until_succeeds("ping -c 1 192.168.1.3") + + router.wait_until_succeeds("ping -c 1 192.168.1.1") + router.wait_until_succeeds("ping -c 1 192.168.1.2") + router.wait_until_succeeds("ping -c 1 192.168.1.3") ''; }; sit = let @@ -386,22 +395,22 @@ let nodes.client2 = node { address4 = "192.168.1.2"; remote = "192.168.1.1"; address6 = "fc00::2"; }; testScript = { ... }: '' - startAll; + start_all() - # Wait for networking to be configured - $client1->waitForUnit("network.target"); - $client2->waitForUnit("network.target"); + with subtest("Wait for networking to be configured"): + client1.wait_for_unit("network.target") + client2.wait_for_unit("network.target") - # Print diagnostic information - $client1->succeed("ip addr >&2"); - $client2->succeed("ip addr >&2"); + # Print diagnostic information + client1.succeed("ip addr >&2") + client2.succeed("ip addr >&2") - # Test ipv6 - $client1->waitUntilSucceeds("ping -c 1 fc00::1"); - $client1->waitUntilSucceeds("ping -c 1 fc00::2"); + with subtest("Test ipv6"): + client1.wait_until_succeeds("ping -c 1 fc00::1") + client1.wait_until_succeeds("ping -c 1 fc00::2") - $client2->waitUntilSucceeds("ping -c 1 fc00::1"); - $client2->waitUntilSucceeds("ping -c 1 fc00::2"); + client2.wait_until_succeeds("ping -c 1 fc00::1") + client2.wait_until_succeeds("ping -c 1 fc00::2") ''; }; vlan = let @@ -426,20 +435,22 @@ let nodes.client2 = node "192.168.1.2"; testScript = { ... }: '' - startAll; + start_all() - # Wait for networking to be configured - $client1->waitForUnit("network.target"); - $client2->waitForUnit("network.target"); + with subtest("Wait for networking to be configured"): + client1.wait_for_unit("network.target") + client2.wait_for_unit("network.target") - # Test vlan is setup - $client1->succeed("ip addr show dev vlan >&2"); - $client2->succeed("ip addr show dev vlan >&2"); + with subtest("Test vlan is setup"): + client1.succeed("ip addr show dev vlan >&2") + client2.succeed("ip addr show dev vlan >&2") ''; }; virtual = { name = "Virtual"; machine = { + networking.useNetworkd = networkd; + networking.useDHCP = false; networking.interfaces.tap0 = { ipv4.addresses = [ { address = "192.168.1.1"; prefixLength = 24; } ]; ipv6.addresses = [ { address = "2001:1470:fffd:2096::"; prefixLength = 64; } ]; @@ -453,33 +464,38 @@ let }; testScript = '' - my $targetList = <<'END'; + targetList = """ tap0: tap persist user 0 tun0: tun persist user 0 - END - - # Wait for networking to come up - $machine->start; - $machine->waitForUnit("network-online.target"); - - # Test interfaces set up - my $list = $machine->succeed("ip tuntap list | sort"); - "$list" eq "$targetList" or die( - "The list of virtual interfaces does not match the expected one:\n", - "Result:\n", "$list\n", - "Expected:\n", "$targetList\n" - ); - - # Test interfaces clean up - $machine->succeed("systemctl stop network-addresses-tap0"); - $machine->sleep(10); - $machine->succeed("systemctl stop network-addresses-tun0"); - $machine->sleep(10); - my $residue = $machine->succeed("ip tuntap list"); - $residue eq "" or die( - "Some virtual interface has not been properly cleaned:\n", - "$residue\n" - ); + """.strip() + + with subtest("Wait for networking to come up"): + machine.start() + machine.wait_for_unit("network-online.target") + + with subtest("Test interfaces set up"): + list = machine.succeed("ip tuntap list | sort").strip() + assert ( + list == targetList + ), """ + The list of virtual interfaces does not match the expected one: + Result: + {} + Expected: + {} + """.format( + list, targetList + ) + + with subtest("Test interfaces clean up"): + machine.succeed("systemctl stop network-addresses-tap0") + machine.sleep(10) + machine.succeed("systemctl stop network-addresses-tun0") + machine.sleep(10) + residue = machine.succeed("ip tuntap list") + assert ( + residue is "" + ), "Some virtual interface has not been properly cleaned:\n{}".format(residue) ''; }; privacy = { @@ -489,6 +505,7 @@ let boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = true; networking = { useNetworkd = networkd; + useDHCP = false; interfaces.eth1.ipv6.addresses = singleton { address = "fd00:1234:5678:1::1"; prefixLength = 64; @@ -510,15 +527,16 @@ let ''; }; }; - nodes.clientWithPrivacy = { pkgs, ... }: with pkgs.lib; { + nodes.client_with_privacy = { pkgs, ... }: with pkgs.lib; { virtualisation.vlans = [ 1 ]; networking = { useNetworkd = networkd; - useDHCP = true; + useDHCP = false; interfaces.eth1 = { preferTempAddress = true; ipv4.addresses = mkOverride 0 [ ]; ipv6.addresses = mkOverride 0 [ ]; + useDHCP = true; }; }; }; @@ -526,35 +544,42 @@ let virtualisation.vlans = [ 1 ]; networking = { useNetworkd = networkd; - useDHCP = true; + useDHCP = false; interfaces.eth1 = { preferTempAddress = false; ipv4.addresses = mkOverride 0 [ ]; ipv6.addresses = mkOverride 0 [ ]; + useDHCP = true; }; }; }; testScript = { ... }: '' - startAll; - - $client->waitForUnit("network.target"); - $clientWithPrivacy->waitForUnit("network.target"); - $router->waitForUnit("network-online.target"); - - # Wait until we have an ip address - $clientWithPrivacy->waitUntilSucceeds("ip addr show dev eth1 | grep -q 'fd00:1234:5678:1:'"); - $client->waitUntilSucceeds("ip addr show dev eth1 | grep -q 'fd00:1234:5678:1:'"); - - # Test vlan 1 - $clientWithPrivacy->waitUntilSucceeds("ping -c 1 fd00:1234:5678:1::1"); - $client->waitUntilSucceeds("ping -c 1 fd00:1234:5678:1::1"); - - # Test address used is temporary - $clientWithPrivacy->waitUntilSucceeds("! ip route get fd00:1234:5678:1::1 | grep -q ':[a-f0-9]*ff:fe[a-f0-9]*:'"); - - # Test address used is EUI-64 - $client->waitUntilSucceeds("ip route get fd00:1234:5678:1::1 | grep -q ':[a-f0-9]*ff:fe[a-f0-9]*:'"); + start_all() + + client.wait_for_unit("network.target") + client_with_privacy.wait_for_unit("network.target") + router.wait_for_unit("network-online.target") + + with subtest("Wait until we have an ip address"): + client_with_privacy.wait_until_succeeds( + "ip addr show dev eth1 | grep -q 'fd00:1234:5678:1:'" + ) + client.wait_until_succeeds("ip addr show dev eth1 | grep -q 'fd00:1234:5678:1:'") + + with subtest("Test vlan 1"): + client_with_privacy.wait_until_succeeds("ping -c 1 fd00:1234:5678:1::1") + client.wait_until_succeeds("ping -c 1 fd00:1234:5678:1::1") + + with subtest("Test address used is temporary"): + client_with_privacy.wait_until_succeeds( + "! ip route get fd00:1234:5678:1::1 | grep -q ':[a-f0-9]*ff:fe[a-f0-9]*:'" + ) + + with subtest("Test address used is EUI-64"): + client.wait_until_succeeds( + "ip route get fd00:1234:5678:1::1 | grep -q ':[a-f0-9]*ff:fe[a-f0-9]*:'" + ) ''; }; routes = { @@ -577,47 +602,57 @@ let }; testScript = '' - my $targetIPv4Table = <<'END'; + targetIPv4Table = """ 10.0.0.0/16 proto static scope link mtu 1500 192.168.1.0/24 proto kernel scope link src 192.168.1.2 192.168.2.0/24 via 192.168.1.1 proto static - END + """.strip() - my $targetIPv6Table = <<'END'; + targetIPv6Table = """ 2001:1470:fffd:2097::/64 proto kernel metric 256 pref medium 2001:1470:fffd:2098::/64 via fdfd:b3f0::1 proto static metric 1024 pref medium fdfd:b3f0::/48 proto static metric 1024 pref medium - END - - $machine->start; - $machine->waitForUnit("network.target"); - - # test routing tables - my $ipv4Table = $machine->succeed("ip -4 route list dev eth0 | head -n3"); - my $ipv6Table = $machine->succeed("ip -6 route list dev eth0 | head -n3"); - "$ipv4Table" eq "$targetIPv4Table" or die( - "The IPv4 routing table does not match the expected one:\n", - "Result:\n", "$ipv4Table\n", - "Expected:\n", "$targetIPv4Table\n" - ); - "$ipv6Table" eq "$targetIPv6Table" or die( - "The IPv6 routing table does not match the expected one:\n", - "Result:\n", "$ipv6Table\n", - "Expected:\n", "$targetIPv6Table\n" - ); - - # test clean-up of the tables - $machine->succeed("systemctl stop network-addresses-eth0"); - my $ipv4Residue = $machine->succeed("ip -4 route list dev eth0 | head -n-3"); - my $ipv6Residue = $machine->succeed("ip -6 route list dev eth0 | head -n-3"); - $ipv4Residue eq "" or die( - "The IPv4 routing table has not been properly cleaned:\n", - "$ipv4Residue\n" - ); - $ipv6Residue eq "" or die( - "The IPv6 routing table has not been properly cleaned:\n", - "$ipv6Residue\n" - ); + """.strip() + + machine.start() + machine.wait_for_unit("network.target") + + with subtest("test routing tables"): + ipv4Table = machine.succeed("ip -4 route list dev eth0 | head -n3").strip() + ipv6Table = machine.succeed("ip -6 route list dev eth0 | head -n3").strip() + assert ( + ipv4Table == targetIPv4Table + ), """ + The IPv4 routing table does not match the expected one: + Result: + {} + Expected: + {} + """.format( + ipv4Table, targetIPv4Table + ) + assert ( + ipv6Table == targetIPv6Table + ), """ + The IPv6 routing table does not match the expected one: + Result: + {} + Expected: + {} + """.format( + ipv6Table, targetIPv6Table + ) + + with subtest("test clean-up of the tables"): + machine.succeed("systemctl stop network-addresses-eth0") + ipv4Residue = machine.succeed("ip -4 route list dev eth0 | head -n-3").strip() + ipv6Residue = machine.succeed("ip -6 route list dev eth0 | head -n-3").strip() + assert ( + ipv4Residue is "" + ), "The IPv4 routing table has not been properly cleaned:\n{}".format(ipv4Residue) + assert ( + ipv6Residue is "" + ), "The IPv6 routing table has not been properly cleaned:\n{}".format(ipv6Residue) ''; }; }; diff --git a/nixpkgs/nixos/tests/nextcloud/basic.nix b/nixpkgs/nixos/tests/nextcloud/basic.nix index bfb97ec3f230..75862feb202d 100644 --- a/nixpkgs/nixos/tests/nextcloud/basic.nix +++ b/nixpkgs/nixos/tests/nextcloud/basic.nix @@ -1,4 +1,4 @@ -import ../make-test.nix ({ pkgs, ...}: let +import ../make-test-python.nix ({ pkgs, ...}: let adminpass = "notproduction"; adminuser = "root"; in { @@ -50,11 +50,15 @@ in { diff <(echo 'hi') <(${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file) ''; in '' - startAll(); - $nextcloud->waitForUnit("multi-user.target"); - $nextcloud->succeed("curl -sSf http://nextcloud/login"); - $nextcloud->succeed("${withRcloneEnv} ${copySharedFile}"); - $client->waitForUnit("multi-user.target"); - $client->succeed("${withRcloneEnv} ${diffSharedFile}"); + start_all() + nextcloud.wait_for_unit("multi-user.target") + nextcloud.succeed("curl -sSf http://nextcloud/login") + nextcloud.succeed( + "${withRcloneEnv} ${copySharedFile}" + ) + client.wait_for_unit("multi-user.target") + client.succeed( + "${withRcloneEnv} ${diffSharedFile}" + ) ''; }) diff --git a/nixpkgs/nixos/tests/nextcloud/with-mysql-and-memcached.nix b/nixpkgs/nixos/tests/nextcloud/with-mysql-and-memcached.nix index aaf37ee4c810..b9ba5888187d 100644 --- a/nixpkgs/nixos/tests/nextcloud/with-mysql-and-memcached.nix +++ b/nixpkgs/nixos/tests/nextcloud/with-mysql-and-memcached.nix @@ -1,4 +1,4 @@ -import ../make-test.nix ({ pkgs, ...}: let +import ../make-test-python.nix ({ pkgs, ...}: let adminpass = "hunter2"; adminuser = "root"; in { @@ -85,13 +85,16 @@ in { diff <(echo 'hi') <(${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file) ''; in '' - startAll(); - $nextcloud->waitForUnit("multi-user.target"); - $nextcloud->succeed("${configureMemcached}"); - $nextcloud->succeed("curl -sSf http://nextcloud/login"); - $nextcloud->succeed("${withRcloneEnv} ${copySharedFile}"); - $client->waitForUnit("multi-user.target"); - $client->succeed("${withRcloneEnv} ${diffSharedFile}"); - + start_all() + nextcloud.wait_for_unit("multi-user.target") + nextcloud.succeed("${configureMemcached}") + nextcloud.succeed("curl -sSf http://nextcloud/login") + nextcloud.succeed( + "${withRcloneEnv} ${copySharedFile}" + ) + client.wait_for_unit("multi-user.target") + client.succeed( + "${withRcloneEnv} ${diffSharedFile}" + ) ''; }) diff --git a/nixpkgs/nixos/tests/nextcloud/with-postgresql-and-redis.nix b/nixpkgs/nixos/tests/nextcloud/with-postgresql-and-redis.nix index 81c269c23788..324853350af6 100644 --- a/nixpkgs/nixos/tests/nextcloud/with-postgresql-and-redis.nix +++ b/nixpkgs/nixos/tests/nextcloud/with-postgresql-and-redis.nix @@ -1,4 +1,4 @@ -import ../make-test.nix ({ pkgs, ...}: let +import ../make-test-python.nix ({ pkgs, ...}: let adminpass = "hunter2"; adminuser = "custom-admin-username"; in { @@ -36,49 +36,16 @@ in { }; services.redis = { - unixSocket = "/var/run/redis/redis.sock"; enable = true; - extraConfig = '' - unixsocketperm 770 - ''; - }; - - systemd.services.redis = { - preStart = '' - mkdir -p /var/run/redis - chown ${config.services.redis.user}:${config.services.nginx.group} /var/run/redis - ''; - serviceConfig.PermissionsStartOnly = true; }; systemd.services.nextcloud-setup= { requires = ["postgresql.service"]; after = [ "postgresql.service" - "chown-redis-socket.service" ]; }; - # At the time of writing, redis creates its socket with the "nobody" - # group. I figure this is slightly less bad than making the socket world - # readable. - systemd.services.chown-redis-socket = { - enable = true; - script = '' - until ${pkgs.redis}/bin/redis-cli ping; do - echo "waiting for redis..." - sleep 1 - done - chown ${config.services.redis.user}:${config.services.nginx.group} /var/run/redis/redis.sock - ''; - after = [ "redis.service" ]; - requires = [ "redis.service" ]; - wantedBy = [ "redis.service" ]; - serviceConfig = { - Type = "oneshot"; - }; - }; - services.postgresql = { enable = true; ensureDatabases = [ "nextcloud" ]; @@ -94,8 +61,8 @@ in { testScript = let configureRedis = pkgs.writeScript "configure-redis" '' #!${pkgs.stdenv.shell} - nextcloud-occ config:system:set redis 'host' --value '/var/run/redis/redis.sock' --type string - nextcloud-occ config:system:set redis 'port' --value 0 --type integer + nextcloud-occ config:system:set redis 'host' --value 'localhost' --type string + nextcloud-occ config:system:set redis 'port' --value 6379 --type integer nextcloud-occ config:system:set memcache.local --value '\OC\Memcache\Redis' --type string nextcloud-occ config:system:set memcache.locking --value '\OC\Memcache\Redis' --type string ''; @@ -118,12 +85,16 @@ in { diff <(echo 'hi') <(${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file) ''; in '' - startAll(); - $nextcloud->waitForUnit("multi-user.target"); - $nextcloud->succeed("${configureRedis}"); - $nextcloud->succeed("curl -sSf http://nextcloud/login"); - $nextcloud->succeed("${withRcloneEnv} ${copySharedFile}"); - $client->waitForUnit("multi-user.target"); - $client->succeed("${withRcloneEnv} ${diffSharedFile}"); + start_all() + nextcloud.wait_for_unit("multi-user.target") + nextcloud.succeed("${configureRedis}") + nextcloud.succeed("curl -sSf http://nextcloud/login") + nextcloud.succeed( + "${withRcloneEnv} ${copySharedFile}" + ) + client.wait_for_unit("multi-user.target") + client.succeed( + "${withRcloneEnv} ${diffSharedFile}" + ) ''; }) diff --git a/nixpkgs/nixos/tests/nexus.nix b/nixpkgs/nixos/tests/nexus.nix index 783c9f5c019f..1ec5c40476a6 100644 --- a/nixpkgs/nixos/tests/nexus.nix +++ b/nixpkgs/nixos/tests/nexus.nix @@ -3,7 +3,7 @@ # 2. nexus service can startup on server (creating database and all other initial stuff) # 3. the web application is reachable via HTTP -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "nexus"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ ironpinguin ma27 ]; @@ -22,11 +22,11 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; + start_all() - $server->waitForUnit("nexus"); - $server->waitForOpenPort(8081); + server.wait_for_unit("nexus") + server.wait_for_open_port(8081) - $server->succeed("curl -f 127.0.0.1:8081"); + server.succeed("curl -f 127.0.0.1:8081") ''; }) diff --git a/nixpkgs/nixos/tests/nfs.nix b/nixpkgs/nixos/tests/nfs.nix deleted file mode 100644 index 2f655336e757..000000000000 --- a/nixpkgs/nixos/tests/nfs.nix +++ /dev/null @@ -1,90 +0,0 @@ -import ./make-test.nix ({ pkgs, version ? 4, ... }: - -let - - client = - { pkgs, ... }: - { fileSystems = pkgs.lib.mkVMOverride - [ { mountPoint = "/data"; - # nfs4 exports the export with fsid=0 as a virtual root directory - device = if (version == 4) then "server:/" else "server:/data"; - fsType = "nfs"; - options = [ "vers=${toString version}" ]; - } - ]; - networking.firewall.enable = false; # FIXME: only open statd - }; - -in - -{ - name = "nfs"; - meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ eelco ]; - }; - - nodes = - { client1 = client; - client2 = client; - - server = - { ... }: - { services.nfs.server.enable = true; - services.nfs.server.exports = - '' - /data 192.168.1.0/255.255.255.0(rw,no_root_squash,no_subtree_check,fsid=0) - ''; - services.nfs.server.createMountPoints = true; - networking.firewall.enable = false; # FIXME: figure out what ports need to be allowed - }; - }; - - testScript = - '' - $server->waitForUnit("nfs-server"); - $server->succeed("systemctl start network-online.target"); - $server->waitForUnit("network-online.target"); - - startAll; - - $client1->waitForUnit("data.mount"); - $client1->succeed("echo bla > /data/foo"); - $server->succeed("test -e /data/foo"); - - $client2->waitForUnit("data.mount"); - $client2->succeed("echo bla > /data/bar"); - $server->succeed("test -e /data/bar"); - - # Test whether restarting ‘nfs-server’ works correctly. - $server->succeed("systemctl restart nfs-server"); - $client2->succeed("echo bla >> /data/bar"); # will take 90 seconds due to the NFS grace period - - # Test whether we can get a lock. - $client2->succeed("time flock -n -s /data/lock true"); - - # Test locking: client 1 acquires an exclusive lock, so client 2 - # should then fail to acquire a shared lock. - $client1->succeed("flock -x /data/lock -c 'touch locked; sleep 100000' &"); - $client1->waitForFile("locked"); - $client2->fail("flock -n -s /data/lock true"); - - # Test whether client 2 obtains the lock if we reset client 1. - $client2->succeed("flock -x /data/lock -c 'echo acquired; touch locked; sleep 100000' >&2 &"); - $client1->crash; - $client1->start; - $client2->waitForFile("locked"); - - # Test whether locks survive a reboot of the server. - $client1->waitForUnit("data.mount"); - $server->shutdown; - $server->start; - $client1->succeed("touch /data/xyzzy"); - $client1->fail("time flock -n -s /data/lock true"); - - # Test whether unmounting during shutdown happens quickly. - my $t1 = time; - $client1->shutdown; - my $duration = time - $t1; - die "shutdown took too long ($duration seconds)" if $duration > 30; - ''; -}) diff --git a/nixpkgs/nixos/tests/nfs/default.nix b/nixpkgs/nixos/tests/nfs/default.nix new file mode 100644 index 000000000000..6bc803c91b46 --- /dev/null +++ b/nixpkgs/nixos/tests/nfs/default.nix @@ -0,0 +1,9 @@ +{ version ? 4 +, system ? builtins.currentSystem +, pkgs ? import ../../.. { inherit system; } +}: { + simple = import ./simple.nix { inherit version system pkgs; }; +} // pkgs.lib.optionalAttrs (version == 4) { + # TODO: Test kerberos + nfsv3 + kerberos = import ./kerberos.nix { inherit version system pkgs; }; +} diff --git a/nixpkgs/nixos/tests/nfs/kerberos.nix b/nixpkgs/nixos/tests/nfs/kerberos.nix new file mode 100644 index 000000000000..1f2d0d453ea0 --- /dev/null +++ b/nixpkgs/nixos/tests/nfs/kerberos.nix @@ -0,0 +1,133 @@ +import ../make-test-python.nix ({ pkgs, lib, ... }: + +with lib; + +let + krb5 = + { enable = true; + domain_realm."nfs.test" = "NFS.TEST"; + libdefaults.default_realm = "NFS.TEST"; + realms."NFS.TEST" = + { admin_server = "server.nfs.test"; + kdc = "server.nfs.test"; + }; + }; + + hosts = + '' + 192.168.1.1 client.nfs.test + 192.168.1.2 server.nfs.test + ''; + + users = { + users.alice = { + isNormalUser = true; + name = "alice"; + uid = 1000; + }; + }; + +in + +{ + name = "nfsv4-with-kerberos"; + + nodes = { + client = { lib, ... }: + { inherit krb5 users; + + networking.extraHosts = hosts; + networking.domain = "nfs.test"; + networking.hostName = "client"; + + fileSystems = lib.mkVMOverride + { "/data" = { + device = "server.nfs.test:/"; + fsType = "nfs"; + options = [ "nfsvers=4" "sec=krb5p" "noauto" ]; + }; + }; + }; + + server = { lib, ...}: + { inherit krb5 users; + + networking.extraHosts = hosts; + networking.domain = "nfs.test"; + networking.hostName = "server"; + + networking.firewall.allowedTCPPorts = [ + 111 # rpc + 2049 # nfs + 88 # kerberos + 749 # kerberos admin + ]; + + services.kerberos_server.enable = true; + services.kerberos_server.realms = + { "NFS.TEST".acl = + [ { access = "all"; principal = "admin/admin"; } ]; + }; + + services.nfs.server.enable = true; + services.nfs.server.createMountPoints = true; + services.nfs.server.exports = + '' + /data *(rw,no_root_squash,fsid=0,sec=krb5p) + ''; + }; + }; + + testScript = + '' + server.succeed("mkdir -p /data/alice") + server.succeed("chown alice:users /data/alice") + + # set up kerberos database + server.succeed( + "kdb5_util create -s -r NFS.TEST -P master_key", + "systemctl restart kadmind.service kdc.service", + ) + server.wait_for_unit(f"kadmind.service") + server.wait_for_unit(f"kdc.service") + + # create principals + server.succeed( + "kadmin.local add_principal -randkey nfs/server.nfs.test", + "kadmin.local add_principal -randkey nfs/client.nfs.test", + "kadmin.local add_principal -pw admin_pw admin/admin", + "kadmin.local add_principal -pw alice_pw alice", + ) + + # add principals to server keytab + server.succeed("kadmin.local ktadd nfs/server.nfs.test") + server.succeed("systemctl start rpc-gssd.service rpc-svcgssd.service") + server.wait_for_unit(f"rpc-gssd.service") + server.wait_for_unit(f"rpc-svcgssd.service") + + client.wait_for_unit("network-online.target") + + # add principals to client keytab + client.succeed("echo admin_pw | kadmin -p admin/admin ktadd nfs/client.nfs.test") + client.succeed("systemctl start rpc-gssd.service") + client.wait_for_unit("rpc-gssd.service") + + with subtest("nfs share mounts"): + client.succeed("systemctl restart data.mount") + client.wait_for_unit("data.mount") + + with subtest("permissions on nfs share are enforced"): + client.fail("su alice -c 'ls /data'") + client.succeed("su alice -c 'echo alice_pw | kinit'") + client.succeed("su alice -c 'ls /data'") + + client.fail("su alice -c 'echo bla >> /data/foo'") + client.succeed("su alice -c 'echo bla >> /data/alice/foo'") + server.succeed("test -e /data/alice/foo") + + with subtest("uids/gids are mapped correctly on nfs share"): + ids = client.succeed("stat -c '%U %G' /data/alice").split() + expected = ["alice", "users"] + assert ids == expected, f"ids incorrect: got {ids} expected {expected}" + ''; +}) diff --git a/nixpkgs/nixos/tests/nfs/simple.nix b/nixpkgs/nixos/tests/nfs/simple.nix new file mode 100644 index 000000000000..a1a09ee0f45c --- /dev/null +++ b/nixpkgs/nixos/tests/nfs/simple.nix @@ -0,0 +1,94 @@ +import ../make-test-python.nix ({ pkgs, version ? 4, ... }: + +let + + client = + { pkgs, ... }: + { fileSystems = pkgs.lib.mkVMOverride + [ { mountPoint = "/data"; + # nfs4 exports the export with fsid=0 as a virtual root directory + device = if (version == 4) then "server:/" else "server:/data"; + fsType = "nfs"; + options = [ "vers=${toString version}" ]; + } + ]; + networking.firewall.enable = false; # FIXME: only open statd + }; + +in + +{ + name = "nfs"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ eelco ]; + }; + + nodes = + { client1 = client; + client2 = client; + + server = + { ... }: + { services.nfs.server.enable = true; + services.nfs.server.exports = + '' + /data 192.168.1.0/255.255.255.0(rw,no_root_squash,no_subtree_check,fsid=0) + ''; + services.nfs.server.createMountPoints = true; + networking.firewall.enable = false; # FIXME: figure out what ports need to be allowed + }; + }; + + testScript = + '' + import time + + server.wait_for_unit("nfs-server") + server.succeed("systemctl start network-online.target") + server.wait_for_unit("network-online.target") + + start_all() + + client1.wait_for_unit("data.mount") + client1.succeed("echo bla > /data/foo") + server.succeed("test -e /data/foo") + + client2.wait_for_unit("data.mount") + client2.succeed("echo bla > /data/bar") + server.succeed("test -e /data/bar") + + with subtest("restarting 'nfs-server' works correctly"): + server.succeed("systemctl restart nfs-server") + # will take 90 seconds due to the NFS grace period + client2.succeed("echo bla >> /data/bar") + + with subtest("can get a lock"): + client2.succeed("time flock -n -s /data/lock true") + + with subtest("client 2 fails to acquire lock held by client 1"): + client1.succeed("flock -x /data/lock -c 'touch locked; sleep 100000' &") + client1.wait_for_file("locked") + client2.fail("flock -n -s /data/lock true") + + with subtest("client 2 obtains lock after resetting client 1"): + client2.succeed( + "flock -x /data/lock -c 'echo acquired; touch locked; sleep 100000' >&2 &" + ) + client1.crash() + client1.start() + client2.wait_for_file("locked") + + with subtest("locks survive server reboot"): + client1.wait_for_unit("data.mount") + server.shutdown() + server.start() + client1.succeed("touch /data/xyzzy") + client1.fail("time flock -n -s /data/lock true") + + with subtest("unmounting during shutdown happens quickly"): + t1 = time.monotonic() + client1.shutdown() + duration = time.monotonic() - t1 + assert duration < 30, f"shutdown took too long ({duration} seconds)" + ''; +}) diff --git a/nixpkgs/nixos/tests/nghttpx.nix b/nixpkgs/nixos/tests/nghttpx.nix index 11611bfe1063..d83c1c4cae63 100644 --- a/nixpkgs/nixos/tests/nghttpx.nix +++ b/nixpkgs/nixos/tests/nghttpx.nix @@ -1,7 +1,7 @@ let nginxRoot = "/run/nginx"; in - import ./make-test.nix ({...}: { + import ./make-test-python.nix ({...}: { name = "nghttpx"; nodes = { webserver = { @@ -52,10 +52,10 @@ in }; testScript = '' - startAll; + start_all() - $webserver->waitForOpenPort("80"); - $proxy->waitForOpenPort("80"); - $client->waitUntilSucceeds("curl -s --fail http://proxy/hello-world.txt"); + webserver.wait_for_open_port("80") + proxy.wait_for_open_port("80") + client.wait_until_succeeds("curl -s --fail http://proxy/hello-world.txt") ''; }) diff --git a/nixpkgs/nixos/tests/nginx-etag.nix b/nixpkgs/nixos/tests/nginx-etag.nix new file mode 100644 index 000000000000..e357309d166a --- /dev/null +++ b/nixpkgs/nixos/tests/nginx-etag.nix @@ -0,0 +1,89 @@ +import ./make-test-python.nix { + name = "nginx-etag"; + + nodes = { + server = { pkgs, lib, ... }: { + networking.firewall.enable = false; + services.nginx.enable = true; + services.nginx.virtualHosts.server = { + root = pkgs.runCommandLocal "testdir" {} '' + mkdir "$out" + cat > "$out/test.js" <<EOF + document.getElementById('foobar').setAttribute('foo', 'bar'); + EOF + cat > "$out/index.html" <<EOF + <!DOCTYPE html> + <div id="foobar">test</div> + <script src="test.js"></script> + EOF + ''; + }; + + nesting.clone = lib.singleton { + services.nginx.virtualHosts.server = { + root = lib.mkForce (pkgs.runCommandLocal "testdir2" {} '' + mkdir "$out" + cat > "$out/test.js" <<EOF + document.getElementById('foobar').setAttribute('foo', 'yay'); + EOF + cat > "$out/index.html" <<EOF + <!DOCTYPE html> + <div id="foobar">test</div> + <script src="test.js"></script> + EOF + ''); + }; + }; + }; + + client = { pkgs, lib, ... }: { + virtualisation.memorySize = 512; + environment.systemPackages = let + testRunner = pkgs.writers.writePython3Bin "test-runner" { + libraries = [ pkgs.python3Packages.selenium ]; + } '' + import os + import time + + from selenium.webdriver import Firefox + from selenium.webdriver.firefox.options import Options + + options = Options() + options.add_argument('--headless') + driver = Firefox(options=options) + + driver.implicitly_wait(20) + driver.get('http://server/') + driver.find_element_by_xpath('//div[@foo="bar"]') + open('/tmp/passed_stage1', 'w') + + while not os.path.exists('/tmp/proceed'): + time.sleep(0.5) + + driver.get('http://server/') + driver.find_element_by_xpath('//div[@foo="yay"]') + open('/tmp/passed', 'w') + ''; + in [ pkgs.firefox-unwrapped pkgs.geckodriver testRunner ]; + }; + }; + + testScript = { nodes, ... }: let + inherit (nodes.server.config.system.build) toplevel; + newSystem = "${toplevel}/fine-tune/child-1"; + in '' + start_all() + + server.wait_for_unit("nginx.service") + client.wait_for_unit("multi-user.target") + client.execute("test-runner &") + client.wait_for_file("/tmp/passed_stage1") + + server.succeed( + "${newSystem}/bin/switch-to-configuration test >&2" + ) + client.succeed("touch /tmp/proceed") + + client.wait_for_file("/tmp/passed") + ''; +} diff --git a/nixpkgs/nixos/tests/nginx-sso.nix b/nixpkgs/nixos/tests/nginx-sso.nix index e19992cb6bf7..8834fc31c387 100644 --- a/nixpkgs/nixos/tests/nginx-sso.nix +++ b/nixpkgs/nixos/tests/nginx-sso.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: { +import ./make-test-python.nix ({ pkgs, ... }: { name = "nginx-sso"; meta = { maintainers = with pkgs.stdenv.lib.maintainers; [ delroth ]; @@ -27,18 +27,22 @@ import ./make-test.nix ({ pkgs, ... }: { }; testScript = '' - startAll; + start_all() - $machine->waitForUnit("nginx-sso.service"); - $machine->waitForOpenPort(8080); + machine.wait_for_unit("nginx-sso.service") + machine.wait_for_open_port(8080) - # No valid user -> 401. - $machine->fail("curl -sSf http://localhost:8080/auth"); + with subtest("No valid user -> 401"): + machine.fail("curl -sSf http://localhost:8080/auth") - # Valid user but no matching ACL -> 403. - $machine->fail("curl -sSf -H 'Authorization: Token MyToken' http://localhost:8080/auth"); + with subtest("Valid user but no matching ACL -> 403"): + machine.fail( + "curl -sSf -H 'Authorization: Token MyToken' http://localhost:8080/auth" + ) - # Valid user and matching ACL -> 200. - $machine->succeed("curl -sSf -H 'Authorization: Token MyToken' -H 'X-Application: MyApp' http://localhost:8080/auth"); + with subtest("Valid user and matching ACL -> 200"): + machine.succeed( + "curl -sSf -H 'Authorization: Token MyToken' -H 'X-Application: MyApp' http://localhost:8080/auth" + ) ''; }) diff --git a/nixpkgs/nixos/tests/nginx.nix b/nixpkgs/nixos/tests/nginx.nix index d0b7306ae83b..7358800a6763 100644 --- a/nixpkgs/nixos/tests/nginx.nix +++ b/nixpkgs/nixos/tests/nginx.nix @@ -4,10 +4,10 @@ # 2. whether the ETag header is properly generated whenever we're serving # files in Nix store paths # 3. nginx doesn't restart on configuration changes (only reloads) -import ./make-test.nix ({ pkgs, ... }: { +import ./make-test-python.nix ({ pkgs, ... }: { name = "nginx"; meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ mbbx6spp ]; + maintainers = [ mbbx6spp danbst ]; }; nodes = { @@ -59,6 +59,11 @@ import ./make-test.nix ({ pkgs, ... }: { { services.nginx.package = pkgs.nginxUnstable; } + + { + services.nginx.package = pkgs.nginxUnstable; + services.nginx.virtualHosts."!@$$(#*%".locations."~@#*$*!)".proxyPass = ";;;"; + } ]; }; @@ -68,44 +73,60 @@ import ./make-test.nix ({ pkgs, ... }: { etagSystem = "${nodes.webserver.config.system.build.toplevel}/fine-tune/child-1"; justReloadSystem = "${nodes.webserver.config.system.build.toplevel}/fine-tune/child-2"; reloadRestartSystem = "${nodes.webserver.config.system.build.toplevel}/fine-tune/child-3"; + reloadWithErrorsSystem = "${nodes.webserver.config.system.build.toplevel}/fine-tune/child-4"; in '' - my $url = 'http://localhost/index.html'; - - sub checkEtag { - my $etag = $webserver->succeed( - 'curl -v '.$url.' 2>&1 | sed -n -e "s/^< [Ee][Tt][Aa][Gg]: *//p"' - ); - $etag =~ s/\r?\n$//; - my $httpCode = $webserver->succeed( - 'curl -w "%{http_code}" -X HEAD -H \'If-None-Match: '.$etag.'\' '.$url - ); - chomp $httpCode; - die "HTTP code is not 304" unless $httpCode == 304; - return $etag; - } - - $webserver->waitForUnit("nginx"); - $webserver->waitForOpenPort("80"); - - subtest "check ETag if serving Nix store paths", sub { - my $oldEtag = checkEtag; - $webserver->succeed("${etagSystem}/bin/switch-to-configuration test >&2"); - $webserver->sleep(1); # race condition - my $newEtag = checkEtag; - die "Old ETag $oldEtag is the same as $newEtag" if $oldEtag eq $newEtag; - }; + url = "http://localhost/index.html" - subtest "config is reloaded on nixos-rebuild switch", sub { - $webserver->succeed("${justReloadSystem}/bin/switch-to-configuration test >&2"); - $webserver->waitForOpenPort("8080"); - $webserver->fail("journalctl -u nginx | grep -q -i stopped"); - $webserver->succeed("journalctl -u nginx | grep -q -i reloaded"); - }; - subtest "restart when nginx package changes", sub { - $webserver->succeed("${reloadRestartSystem}/bin/switch-to-configuration test >&2"); - $webserver->waitForUnit("nginx"); - $webserver->succeed("journalctl -u nginx | grep -q -i stopped"); - }; + def check_etag(): + etag = webserver.succeed( + f'curl -v {url} 2>&1 | sed -n -e "s/^< etag: *//ip"' + ).rstrip() + http_code = webserver.succeed( + f"curl -w '%{{http_code}}' --head --fail -H 'If-None-Match: {etag}' {url}" + ) + assert http_code.split("\n")[-1] == "304" + + return etag + + + webserver.wait_for_unit("nginx") + webserver.wait_for_open_port(80) + + with subtest("check ETag if serving Nix store paths"): + old_etag = check_etag() + webserver.succeed( + "${etagSystem}/bin/switch-to-configuration test >&2" + ) + webserver.sleep(1) + new_etag = check_etag() + assert old_etag != new_etag + + with subtest("config is reloaded on nixos-rebuild switch"): + webserver.succeed( + "${justReloadSystem}/bin/switch-to-configuration test >&2" + ) + webserver.wait_for_open_port(8080) + webserver.fail("journalctl -u nginx | grep -q -i stopped") + webserver.succeed("journalctl -u nginx | grep -q -i reloaded") + + with subtest("restart when nginx package changes"): + webserver.succeed( + "${reloadRestartSystem}/bin/switch-to-configuration test >&2" + ) + webserver.wait_for_unit("nginx") + webserver.succeed("journalctl -u nginx | grep -q -i stopped") + + with subtest("nixos-rebuild --switch should fail when there are configuration errors"): + webserver.fail( + "${reloadWithErrorsSystem}/bin/switch-to-configuration test >&2" + ) + webserver.succeed("[[ $(systemctl is-failed nginx-config-reload) == failed ]]") + webserver.succeed("[[ $(systemctl is-failed nginx) == active ]]") + # just to make sure operation is idempotent. During development I had a situation + # when first time it shows error, but stops showing it on subsequent rebuilds + webserver.fail( + "${reloadWithErrorsSystem}/bin/switch-to-configuration test >&2" + ) ''; }) diff --git a/nixpkgs/nixos/tests/nix-ssh-serve.nix b/nixpkgs/nixos/tests/nix-ssh-serve.nix index 494d55121eb1..03f83542c7c1 100644 --- a/nixpkgs/nixos/tests/nix-ssh-serve.nix +++ b/nixpkgs/nixos/tests/nix-ssh-serve.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, lib, ... }: +import ./make-test-python.nix ({ pkgs, lib, ... }: let inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey; ssh-config = builtins.toFile "ssh.conf" '' @@ -18,22 +18,28 @@ in client.nix.package = pkgs.nix; }; testScript = '' - startAll; + start_all() - $client->succeed("mkdir -m 700 /root/.ssh"); - $client->copyFileFromHost("${ssh-config}", "/root/.ssh/config"); - $client->succeed("cat ${snakeOilPrivateKey} > /root/.ssh/id_ecdsa"); - $client->succeed("chmod 600 /root/.ssh/id_ecdsa"); + client.succeed("mkdir -m 700 /root/.ssh") + client.succeed( + "cat ${ssh-config} > /root/.ssh/config" + ) + client.succeed( + "cat ${snakeOilPrivateKey} > /root/.ssh/id_ecdsa" + ) + client.succeed("chmod 600 /root/.ssh/id_ecdsa") - $client->succeed("nix-store --add /etc/machine-id > mach-id-path"); + client.succeed("nix-store --add /etc/machine-id > mach-id-path") - $server->waitForUnit("sshd"); + server.wait_for_unit("sshd") - $client->fail("diff /root/other-store\$(cat mach-id-path) /etc/machine-id"); + client.fail("diff /root/other-store$(cat mach-id-path) /etc/machine-id") # Currently due to shared store this is a noop :( - $client->succeed("nix copy --to ssh-ng://nix-ssh\@server \$(cat mach-id-path)"); - $client->succeed("nix-store --realise \$(cat mach-id-path) --store /root/other-store --substituters ssh-ng://nix-ssh\@server"); - $client->succeed("diff /root/other-store\$(cat mach-id-path) /etc/machine-id"); + client.succeed("nix copy --to ssh-ng://nix-ssh@server $(cat mach-id-path)") + client.succeed( + "nix-store --realise $(cat mach-id-path) --store /root/other-store --substituters ssh-ng://nix-ssh@server" + ) + client.succeed("diff /root/other-store$(cat mach-id-path) /etc/machine-id") ''; } ) diff --git a/nixpkgs/nixos/tests/nixos-generate-config.nix b/nixpkgs/nixos/tests/nixos-generate-config.nix index 15a173e024b4..6c83ccecc70a 100644 --- a/nixpkgs/nixos/tests/nixos-generate-config.nix +++ b/nixpkgs/nixos/tests/nixos-generate-config.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ lib, ... } : { +import ./make-test-python.nix ({ lib, ... } : { name = "nixos-generate-config"; meta.maintainers = with lib.maintainers; [ basvandijk ]; machine = { @@ -11,14 +11,16 @@ import ./make-test.nix ({ lib, ... } : { ''; }; testScript = '' - startAll; - $machine->waitForUnit("multi-user.target"); - $machine->succeed("nixos-generate-config"); + start_all() + machine.wait_for_unit("multi-user.target") + machine.succeed("nixos-generate-config") # Test if the configuration really is overridden - $machine->succeed("grep 'OVERRIDDEN' /etc/nixos/configuration.nix"); + machine.succeed("grep 'OVERRIDDEN' /etc/nixos/configuration.nix") # Test of if the Perl variable $bootLoaderConfig is spliced correctly: - $machine->succeed("grep 'boot\\.loader\\.grub\\.enable = true;' /etc/nixos/configuration.nix"); + machine.succeed( + "grep 'boot\\.loader\\.grub\\.enable = true;' /etc/nixos/configuration.nix" + ) ''; }) diff --git a/nixpkgs/nixos/tests/novacomd.nix b/nixpkgs/nixos/tests/novacomd.nix index 4eb60c0feb5c..940210dee235 100644 --- a/nixpkgs/nixos/tests/novacomd.nix +++ b/nixpkgs/nixos/tests/novacomd.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "novacomd"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ dtzWill ]; @@ -9,26 +9,20 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - $machine->waitForUnit("multi-user.target"); + machine.wait_for_unit("novacomd.service") - # multi-user.target wants novacomd.service, but let's make sure - $machine->waitForUnit("novacomd.service"); + with subtest("Make sure the daemon is really listening"): + machine.wait_for_open_port(6968) + machine.succeed("novacom -l") - # Check status and try connecting with novacom - $machine->succeed("systemctl status novacomd.service >&2"); - # to prevent non-deterministic failure, - # make sure the daemon is really listening - $machine->waitForOpenPort(6968); - $machine->succeed("novacom -l"); + with subtest("Stop the daemon, double-check novacom fails if daemon isn't working"): + machine.stop_job("novacomd") + machine.fail("novacom -l") - # Stop the daemon, double-check novacom fails if daemon isn't working - $machine->stopJob("novacomd"); - $machine->fail("novacom -l"); - - # And back again for good measure - $machine->startJob("novacomd"); - # make sure the daemon is really listening - $machine->waitForOpenPort(6968); - $machine->succeed("novacom -l"); + with subtest("Make sure the daemon starts back up again"): + machine.start_job("novacomd") + # make sure the daemon is really listening + machine.wait_for_open_port(6968) + machine.succeed("novacom -l") ''; }) diff --git a/nixpkgs/nixos/tests/nzbget.nix b/nixpkgs/nixos/tests/nzbget.nix index 042ccec98cf6..12d8ed6ea8da 100644 --- a/nixpkgs/nixos/tests/nzbget.nix +++ b/nixpkgs/nixos/tests/nzbget.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "nzbget"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ aanderse flokli ]; @@ -15,12 +15,16 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; + start_all() - $server->waitForUnit("nzbget.service"); - $server->waitForUnit("network.target"); - $server->waitForOpenPort(6789); - $server->succeed("curl -s -u nzbget:tegbzn6789 http://127.0.0.1:6789 | grep -q 'This file is part of nzbget'"); - $server->succeed("${pkgs.nzbget}/bin/nzbget -n -o ControlIP=127.0.0.1 -o ControlPort=6789 -o ControlPassword=tegbzn6789 -V"); + server.wait_for_unit("nzbget.service") + server.wait_for_unit("network.target") + server.wait_for_open_port(6789) + assert "This file is part of nzbget" in server.succeed( + "curl -s -u nzbget:tegbzn6789 http://127.0.0.1:6789" + ) + server.succeed( + "${pkgs.nzbget}/bin/nzbget -n -o Control_iP=127.0.0.1 -o Control_port=6789 -o Control_password=tegbzn6789 -V" + ) ''; }) diff --git a/nixpkgs/nixos/tests/openarena.nix b/nixpkgs/nixos/tests/openarena.nix new file mode 100644 index 000000000000..b315426532ba --- /dev/null +++ b/nixpkgs/nixos/tests/openarena.nix @@ -0,0 +1,41 @@ +import ./make-test-python.nix ({ pkgs, ...} : { + name = "openarena"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ tomfitzhenry ]; + }; + + machine = + { pkgs, ... }: + + { imports = []; + environment.systemPackages = with pkgs; [ + socat + ]; + services.openarena = { + enable = true; + extraFlags = [ + "+set dedicated 2" + "+set sv_hostname 'My NixOS server'" + "+map oa_dm1" + ]; + }; + }; + + testScript = + '' + machine.wait_for_unit("openarena.service") + machine.wait_until_succeeds("ss --numeric --udp --listening | grep -q 27960") + + # The log line containing 'resolve address' is last and only message that occurs after + # the server starts accepting clients. + machine.wait_until_succeeds( + "journalctl -u openarena.service | grep 'resolve address: dpmaster.deathmask.net'" + ) + + # Check it's possible to join the server. + # Can't use substring match instead of grep because the output is not utf-8 + machine.succeed( + "echo -n -e '\\xff\\xff\\xff\\xffgetchallenge' | socat - UDP4-DATAGRAM:127.0.0.1:27960 | grep -q challengeResponse" + ) + ''; +}) diff --git a/nixpkgs/nixos/tests/openldap.nix b/nixpkgs/nixos/tests/openldap.nix index 3ef90e183479..f8321a2c522d 100644 --- a/nixpkgs/nixos/tests/openldap.nix +++ b/nixpkgs/nixos/tests/openldap.nix @@ -1,4 +1,4 @@ -import ./make-test.nix { +import ./make-test-python.nix { name = "openldap"; machine = { pkgs, ... }: { @@ -24,8 +24,10 @@ import ./make-test.nix { }; testScript = '' - $machine->waitForUnit('openldap.service'); - $machine->succeed('systemctl status openldap.service'); - $machine->succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"'); + machine.wait_for_unit("openldap.service") + machine.succeed( + "systemctl status openldap.service", + 'ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"', + ) ''; } diff --git a/nixpkgs/nixos/tests/opensmtpd.nix b/nixpkgs/nixos/tests/opensmtpd.nix index 883ad7604941..e6f52db1d984 100644 --- a/nixpkgs/nixos/tests/opensmtpd.nix +++ b/nixpkgs/nixos/tests/opensmtpd.nix @@ -1,4 +1,4 @@ -import ./make-test.nix { +import ./make-test-python.nix { name = "opensmtpd"; nodes = { @@ -102,23 +102,23 @@ import ./make-test.nix { }; testScript = '' - startAll; + start_all() - $client->waitForUnit("network-online.target"); - $smtp1->waitForUnit('opensmtpd'); - $smtp2->waitForUnit('opensmtpd'); - $smtp2->waitForUnit('dovecot2'); + client.wait_for_unit("network-online.target") + smtp1.wait_for_unit("opensmtpd") + smtp2.wait_for_unit("opensmtpd") + smtp2.wait_for_unit("dovecot2") # To prevent sporadic failures during daemon startup, make sure # services are listening on their ports before sending requests - $smtp1->waitForOpenPort(25); - $smtp2->waitForOpenPort(25); - $smtp2->waitForOpenPort(143); + smtp1.wait_for_open_port(25) + smtp2.wait_for_open_port(25) + smtp2.wait_for_open_port(143) - $client->succeed('send-a-test-mail'); - $smtp1->waitUntilFails('smtpctl show queue | egrep .'); - $smtp2->waitUntilFails('smtpctl show queue | egrep .'); - $client->succeed('check-mail-landed >&2'); + client.succeed("send-a-test-mail") + smtp1.wait_until_fails("smtpctl show queue | egrep .") + smtp2.wait_until_fails("smtpctl show queue | egrep .") + client.succeed("check-mail-landed >&2") ''; meta.timeout = 30; diff --git a/nixpkgs/nixos/tests/openssh.nix b/nixpkgs/nixos/tests/openssh.nix index 8b9e2170f150..e9692b503272 100644 --- a/nixpkgs/nixos/tests/openssh.nix +++ b/nixpkgs/nixos/tests/openssh.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, ... }: let inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey; @@ -58,47 +58,55 @@ in { }; testScript = '' - startAll; - - my $key=`${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f key -N ""`; - - $server->waitForUnit("sshd"); - - subtest "manual-authkey", sub { - $server->succeed("mkdir -m 700 /root/.ssh"); - $server->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys"); - $server_lazy->succeed("mkdir -m 700 /root/.ssh"); - $server_lazy->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys"); - - $client->succeed("mkdir -m 700 /root/.ssh"); - $client->copyFileFromHost("key", "/root/.ssh/id_ed25519"); - $client->succeed("chmod 600 /root/.ssh/id_ed25519"); - - $client->waitForUnit("network.target"); - $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2"); - $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024"); - - $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'echo hello world' >&2"); - $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'ulimit -l' | grep 1024"); - - }; - - subtest "configured-authkey", sub { - $client->succeed("cat ${snakeOilPrivateKey} > privkey.snakeoil"); - $client->succeed("chmod 600 privkey.snakeoil"); - $client->succeed("ssh -o UserKnownHostsFile=/dev/null" . - " -o StrictHostKeyChecking=no -i privkey.snakeoil" . - " server true"); - - $client->succeed("ssh -o UserKnownHostsFile=/dev/null" . - " -o StrictHostKeyChecking=no -i privkey.snakeoil" . - " server_lazy true"); - - }; - - subtest "localhost-only", sub { - $server_localhost_only->succeed("ss -nlt | grep '127.0.0.1:22'"); - $server_localhost_only_lazy->succeed("ss -nlt | grep '127.0.0.1:22'"); - } + start_all() + + server.wait_for_unit("sshd") + + with subtest("manual-authkey"): + client.succeed("mkdir -m 700 /root/.ssh") + client.succeed( + '${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""' + ) + public_key = client.succeed( + "${pkgs.openssh}/bin/ssh-keygen -y -f /root/.ssh/id_ed25519" + ) + public_key = public_key.strip() + client.succeed("chmod 600 /root/.ssh/id_ed25519") + + server.succeed("mkdir -m 700 /root/.ssh") + server.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key)) + server_lazy.succeed("mkdir -m 700 /root/.ssh") + server_lazy.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key)) + + client.wait_for_unit("network.target") + client.succeed( + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2" + ) + client.succeed( + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024" + ) + + client.succeed( + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'echo hello world' >&2" + ) + client.succeed( + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'ulimit -l' | grep 1024" + ) + + with subtest("configured-authkey"): + client.succeed( + "cat ${snakeOilPrivateKey} > privkey.snakeoil" + ) + client.succeed("chmod 600 privkey.snakeoil") + client.succeed( + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server true" + ) + client.succeed( + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server_lazy true" + ) + + with subtest("localhost-only"): + server_localhost_only.succeed("ss -nlt | grep '127.0.0.1:22'") + server_localhost_only_lazy.succeed("ss -nlt | grep '127.0.0.1:22'") ''; }) diff --git a/nixpkgs/nixos/tests/orangefs.nix b/nixpkgs/nixos/tests/orangefs.nix new file mode 100644 index 000000000000..46d7a6a72f89 --- /dev/null +++ b/nixpkgs/nixos/tests/orangefs.nix @@ -0,0 +1,82 @@ +import ./make-test-python.nix ({ ... } : + +let + server = { pkgs, ... } : { + networking.firewall.allowedTCPPorts = [ 3334 ]; + boot.initrd.postDeviceCommands = '' + ${pkgs.e2fsprogs}/bin/mkfs.ext4 -L data /dev/vdb + ''; + + virtualisation.emptyDiskImages = [ 4096 ]; + + fileSystems = pkgs.lib.mkVMOverride + [ { mountPoint = "/data"; + device = "/dev/disk/by-label/data"; + fsType = "ext4"; + } + ]; + + services.orangefs.server = { + enable = true; + dataStorageSpace = "/data/storage"; + metadataStorageSpace = "/data/meta"; + servers = { + server1 = "tcp://server1:3334"; + server2 = "tcp://server2:3334"; + }; + }; + }; + + client = { lib, ... } : { + networking.firewall.enable = true; + + services.orangefs.client = { + enable = true; + fileSystems = [{ + target = "tcp://server1:3334/orangefs"; + mountPoint = "/orangefs"; + }]; + }; + }; + +in { + name = "orangefs"; + + nodes = { + server1 = server; + server2 = server; + + client1 = client; + client2 = client; + }; + + testScript = '' + # format storage + for server in server1, server2: + server.start() + server.wait_for_unit("multi-user.target") + server.succeed("mkdir -p /data/storage /data/meta") + server.succeed("chown orangefs:orangefs /data/storage /data/meta") + server.succeed("chmod 0770 /data/storage /data/meta") + server.succeed( + "sudo -g orangefs -u orangefs pvfs2-server -f /etc/orangefs/server.conf" + ) + + # start services after storage is formated on all machines + for server in server1, server2: + server.succeed("systemctl start orangefs-server.service") + + with subtest("clients can reach and mount the FS"): + for client in client1, client2: + client.start() + client.wait_for_unit("orangefs-client.service") + # Both servers need to be reachable + client.succeed("pvfs2-check-server -h server1 -f orangefs -n tcp -p 3334") + client.succeed("pvfs2-check-server -h server2 -f orangefs -n tcp -p 3334") + client.wait_for_unit("orangefs.mount") + + with subtest("R/W test between clients"): + client1.succeed("echo test > /orangefs/file1") + client2.succeed("grep test /orangefs/file1") + ''; +}) diff --git a/nixpkgs/nixos/tests/os-prober.nix b/nixpkgs/nixos/tests/os-prober.nix index 9cd9f4ecd150..5407a62339fe 100644 --- a/nixpkgs/nixos/tests/os-prober.nix +++ b/nixpkgs/nixos/tests/os-prober.nix @@ -51,12 +51,11 @@ let hashed-mirrors = connect-timeout = 1 ''; - services.udisks2.enable = lib.mkForce false; }; # /etc/nixos/configuration.nix for the vm configFile = pkgs.writeText "configuration.nix" '' {config, pkgs, ...}: ({ - imports = + imports = [ ./hardware-configuration.nix <nixpkgs/nixos/modules/testing/test-instrumentation.nix> ]; diff --git a/nixpkgs/nixos/tests/osquery.nix b/nixpkgs/nixos/tests/osquery.nix deleted file mode 100644 index d95871ffafc6..000000000000 --- a/nixpkgs/nixos/tests/osquery.nix +++ /dev/null @@ -1,28 +0,0 @@ -import ./make-test.nix ({ pkgs, lib, ... }: - -with lib; - -{ - name = "osquery"; - meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ ma27 ]; - }; - - machine = { - services.osquery.enable = true; - services.osquery.loggerPath = "/var/log/osquery/logs"; - services.osquery.pidfile = "/run/osqueryd.pid"; - }; - - testScript = '' - $machine->start; - $machine->waitForUnit("osqueryd.service"); - - $machine->succeed("echo 'SELECT address FROM etc_hosts LIMIT 1;' | osqueryi | grep '127.0.0.1'"); - $machine->succeed( - "echo 'SELECT value FROM osquery_flags WHERE name = \"logger_path\";' | osqueryi | grep /var/log/osquery/logs" - ); - - $machine->succeed("echo 'SELECT value FROM osquery_flags WHERE name = \"pidfile\";' | osqueryi | grep /run/osqueryd.pid"); - ''; -}) diff --git a/nixpkgs/nixos/tests/osrm-backend.nix b/nixpkgs/nixos/tests/osrm-backend.nix index 6e2d098d4adb..db67a5a589f9 100644 --- a/nixpkgs/nixos/tests/osrm-backend.nix +++ b/nixpkgs/nixos/tests/osrm-backend.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, lib, ... }: +import ./make-test-python.nix ({ pkgs, lib, ... }: let port = 5000; in { @@ -45,9 +45,13 @@ in { testScript = let query = "http://localhost:${toString port}/route/v1/driving/7.41720,43.73304;7.42463,43.73886?steps=true"; in '' - $machine->waitForUnit("osrm.service"); - $machine->waitForOpenPort(${toString port}); - $machine->succeed("curl --silent '${query}' | jq .waypoints[0].name | grep -F 'Boulevard Rainier III'"); - $machine->succeed("curl --silent '${query}' | jq .waypoints[1].name | grep -F 'Avenue de la Costa'"); + machine.wait_for_unit("osrm.service") + machine.wait_for_open_port(${toString port}) + assert "Boulevard Rainier III" in machine.succeed( + "curl --silent '${query}' | jq .waypoints[0].name" + ) + assert "Avenue de la Costa" in machine.succeed( + "curl --silent '${query}' | jq .waypoints[1].name" + ) ''; }) diff --git a/nixpkgs/nixos/tests/ostree.nix b/nixpkgs/nixos/tests/ostree.nix deleted file mode 100644 index d7ad84a1a5f0..000000000000 --- a/nixpkgs/nixos/tests/ostree.nix +++ /dev/null @@ -1,21 +0,0 @@ -# run installed tests -import ./make-test.nix ({ pkgs, lib, ... }: { - name = "ostree"; - - meta = { - maintainers = pkgs.ostree.meta.maintainers; - }; - - # TODO: Wrap/patch the tests directly in the package - machine = { pkgs, ... }: { - environment.systemPackages = with pkgs; [ - gnome-desktop-testing ostree gnupg (python3.withPackages (p: with p; [ pyyaml ])) - ]; - - environment.variables.GI_TYPELIB_PATH = lib.makeSearchPath "lib/girepository-1.0" (with pkgs; [ gtk3 pango.out ostree gdk-pixbuf atk ]); # for GJS tests - }; - - testScript = '' - $machine->succeed("gnome-desktop-testing-runner -d ${pkgs.ostree.installedTests}/share"); - ''; -}) diff --git a/nixpkgs/nixos/tests/overlayfs.nix b/nixpkgs/nixos/tests/overlayfs.nix index 99bb6b0f5531..33794deb9ed8 100644 --- a/nixpkgs/nixos/tests/overlayfs.nix +++ b/nixpkgs/nixos/tests/overlayfs.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: { +import ./make-test-python.nix ({ pkgs, ... }: { name = "overlayfs"; meta.maintainers = with pkgs.stdenv.lib.maintainers; [ bachp ]; @@ -9,49 +9,42 @@ import ./make-test.nix ({ pkgs, ... }: { }; testScript = '' - $machine->succeed("ls /dev"); + machine.succeed("ls /dev") - $machine->succeed("mkdir -p /tmp/mnt"); + machine.succeed("mkdir -p /tmp/mnt") # Test ext4 + overlayfs - $machine->succeed( - - "mkfs.ext4 -F -L overlay-ext4 /dev/vdb", - "mount -t ext4 /dev/vdb /tmp/mnt", - - "mkdir -p /tmp/mnt/upper /tmp/mnt/lower /tmp/mnt/work /tmp/mnt/merged", - - # Setup some existing files - "echo 'Replace' > /tmp/mnt/lower/replace.txt", - "echo 'Append' > /tmp/mnt/lower/append.txt", - "echo 'Overwrite' > /tmp/mnt/lower/overwrite.txt", - - "mount -t overlay overlay -o lowerdir=/tmp/mnt/lower,upperdir=/tmp/mnt/upper,workdir=/tmp/mnt/work /tmp/mnt/merged", - - # Test new - "echo 'New' > /tmp/mnt/merged/new.txt", - "[[ \"\$(cat /tmp/mnt/merged/new.txt)\" == \"New\" ]]", - - # Test replace - "[[ \"\$(cat /tmp/mnt/merged/replace.txt)\" == \"Replace\" ]]", - "echo 'Replaced' > /tmp/mnt/merged/replace-tmp.txt", - "mv /tmp/mnt/merged/replace-tmp.txt /tmp/mnt/merged/replace.txt", - "[[ \"\$(cat /tmp/mnt/merged/replace.txt)\" == \"Replaced\" ]]", - - # Overwrite - "[[ \"\$(cat /tmp/mnt/merged/overwrite.txt)\" == \"Overwrite\" ]]", - "echo 'Overwritten' > /tmp/mnt/merged/overwrite.txt", - "[[ \"\$(cat /tmp/mnt/merged/overwrite.txt)\" == \"Overwritten\" ]]", - - # Test append - "[[ \"\$(cat /tmp/mnt/merged/append.txt)\" == \"Append\" ]]", - "echo 'ed' >> /tmp/mnt/merged/append.txt", - #"cat /tmp/mnt/merged/append.txt && exit 1", - "[[ \"\$(cat /tmp/mnt/merged/append.txt)\" == \"Append\ned\" ]]", - - "umount /tmp/mnt/merged", - "umount /tmp/mnt", - "udevadm settle" - ); + machine.succeed( + """ + mkfs.ext4 -F -L overlay-ext4 /dev/vdb + mount -t ext4 /dev/vdb /tmp/mnt + mkdir -p /tmp/mnt/upper /tmp/mnt/lower /tmp/mnt/work /tmp/mnt/merged + # Setup some existing files + echo 'Replace' > /tmp/mnt/lower/replace.txt + echo 'Append' > /tmp/mnt/lower/append.txt + echo 'Overwrite' > /tmp/mnt/lower/overwrite.txt + mount -t overlay overlay -o lowerdir=/tmp/mnt/lower,upperdir=/tmp/mnt/upper,workdir=/tmp/mnt/work /tmp/mnt/merged + # Test new + echo 'New' > /tmp/mnt/merged/new.txt + [[ "\$(cat /tmp/mnt/merged/new.txt)" == "New" ]] + # Test replace + [[ "\$(cat /tmp/mnt/merged/replace.txt)" == "Replace" ]] + echo 'Replaced' > /tmp/mnt/merged/replace-tmp.txt + mv /tmp/mnt/merged/replace-tmp.txt /tmp/mnt/merged/replace.txt + [[ "\$(cat /tmp/mnt/merged/replace.txt)" == "Replaced" ]] + # Overwrite + [[ "\$(cat /tmp/mnt/merged/overwrite.txt)" == "Overwrite" ]] + echo 'Overwritten' > /tmp/mnt/merged/overwrite.txt + [[ "\$(cat /tmp/mnt/merged/overwrite.txt)" == "Overwritten" ]] + # Test append + [[ "\$(cat /tmp/mnt/merged/append.txt)" == "Append" ]] + echo 'ed' >> /tmp/mnt/merged/append.txt + #"cat /tmp/mnt/merged/append.txt && exit 1 + [[ "\$(cat /tmp/mnt/merged/append.txt)" == "Append\ned" ]] + umount /tmp/mnt/merged + umount /tmp/mnt + udevadm settle + """ + ) ''; }) diff --git a/nixpkgs/nixos/tests/packagekit.nix b/nixpkgs/nixos/tests/packagekit.nix index e2d68af661f8..7e93ad35e80a 100644 --- a/nixpkgs/nixos/tests/packagekit.nix +++ b/nixpkgs/nixos/tests/packagekit.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: { +import ./make-test-python.nix ({ pkgs, ... }: { name = "packagekit"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ peterhoeg ]; @@ -13,12 +13,14 @@ import ./make-test.nix ({ pkgs, ... }: { }; testScript = '' - startAll; + start_all() # send a dbus message to activate the service - $machine->succeed("dbus-send --system --type=method_call --print-reply --dest=org.freedesktop.PackageKit /org/freedesktop/PackageKit org.freedesktop.DBus.Introspectable.Introspect"); + machine.succeed( + "dbus-send --system --type=method_call --print-reply --dest=org.freedesktop.PackageKit /org/freedesktop/PackageKit org.freedesktop.DBus.Introspectable.Introspect" + ) # so now it should be running - $machine->succeed("systemctl is-active packagekit.service"); + machine.wait_for_unit("packagekit.service") ''; }) diff --git a/nixpkgs/nixos/tests/pam-oath-login.nix b/nixpkgs/nixos/tests/pam-oath-login.nix index b9d489950e72..6d48199eda97 100644 --- a/nixpkgs/nixos/tests/pam-oath-login.nix +++ b/nixpkgs/nixos/tests/pam-oath-login.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ ... }: +import ./make-test-python.nix ({ ... }: let oathSnakeoilSecret = "cdd4083ef8ff1fa9178c6d46bfb1a3"; @@ -55,70 +55,54 @@ in }; }; - testScript = - '' - $machine->waitForUnit('multi-user.target'); - $machine->waitUntilSucceeds("pgrep -f 'agetty.*tty1'"); - $machine->screenshot("postboot"); - - - subtest "Invalid password", sub { - $machine->fail("pgrep -f 'agetty.*tty2'"); - $machine->sendKeys("alt-f2"); - $machine->waitUntilSucceeds("[ \$(fgconsole) = 2 ]"); - $machine->waitForUnit('getty@tty2.service'); - $machine->waitUntilSucceeds("pgrep -f 'agetty.*tty2'"); - - $machine->waitUntilTTYMatches(2, "login: "); - $machine->sendChars("alice\n"); - $machine->waitUntilTTYMatches(2, "login: alice"); - $machine->waitUntilSucceeds("pgrep login"); - - $machine->waitUntilTTYMatches(2, "One-time password"); - $machine->sendChars("${oathSnakeOilPassword1}\n"); - $machine->waitUntilTTYMatches(2, "Password: "); - $machine->sendChars("blorg\n"); - $machine->waitUntilTTYMatches(2, "Login incorrect"); - }; + testScript = '' + def switch_to_tty(tty_number): + machine.fail(f"pgrep -f 'agetty.*tty{tty_number}'") + machine.send_key(f"alt-f{tty_number}") + machine.wait_until_succeeds(f"[ $(fgconsole) = {tty_number} ]") + machine.wait_for_unit(f"getty@tty{tty_number}.service") + machine.wait_until_succeeds(f"pgrep -f 'agetty.*tty{tty_number}'") - subtest "Invalid oath token", sub { - $machine->fail("pgrep -f 'agetty.*tty3'"); - $machine->sendKeys("alt-f3"); - $machine->waitUntilSucceeds("[ \$(fgconsole) = 3 ]"); - $machine->waitForUnit('getty@tty3.service'); - $machine->waitUntilSucceeds("pgrep -f 'agetty.*tty3'"); - - $machine->waitUntilTTYMatches(3, "login: "); - $machine->sendChars("alice\n"); - $machine->waitUntilTTYMatches(3, "login: alice"); - $machine->waitUntilSucceeds("pgrep login"); - $machine->waitUntilTTYMatches(3, "One-time password"); - $machine->sendChars("000000\n"); - $machine->waitUntilTTYMatches(3, "Login incorrect"); - $machine->waitUntilTTYMatches(3, "login:"); - }; - subtest "Happy path (both passwords are mandatory to get us in)", sub { - $machine->fail("pgrep -f 'agetty.*tty4'"); - $machine->sendKeys("alt-f4"); - $machine->waitUntilSucceeds("[ \$(fgconsole) = 4 ]"); - $machine->waitForUnit('getty@tty4.service'); - $machine->waitUntilSucceeds("pgrep -f 'agetty.*tty4'"); - - $machine->waitUntilTTYMatches(4, "login: "); - $machine->sendChars("alice\n"); - $machine->waitUntilTTYMatches(4, "login: alice"); - $machine->waitUntilSucceeds("pgrep login"); - $machine->waitUntilTTYMatches(4, "One-time password"); - $machine->sendChars("${oathSnakeOilPassword2}\n"); - $machine->waitUntilTTYMatches(4, "Password: "); - $machine->sendChars("${alicePassword}\n"); - - $machine->waitUntilSucceeds("pgrep -u alice bash"); - $machine->sendChars("touch done4\n"); - $machine->waitForFile("/home/alice/done4"); - }; + def enter_user_alice(tty_number): + machine.wait_until_tty_matches(tty_number, "login: ") + machine.send_chars("alice\n") + machine.wait_until_tty_matches(tty_number, "login: alice") + machine.wait_until_succeeds("pgrep login") + machine.wait_until_tty_matches(tty_number, "One-time password") - ''; + machine.wait_for_unit("multi-user.target") + machine.wait_until_succeeds("pgrep -f 'agetty.*tty1'") + machine.screenshot("postboot") + + with subtest("Invalid password"): + switch_to_tty(2) + enter_user_alice(2) + + machine.send_chars("${oathSnakeOilPassword1}\n") + machine.wait_until_tty_matches(2, "Password: ") + machine.send_chars("blorg\n") + machine.wait_until_tty_matches(2, "Login incorrect") + + with subtest("Invalid oath token"): + switch_to_tty(3) + enter_user_alice(3) + + machine.send_chars("000000\n") + machine.wait_until_tty_matches(3, "Login incorrect") + machine.wait_until_tty_matches(3, "login:") + + with subtest("Happy path: Both passwords are mandatory to get us in"): + switch_to_tty(4) + enter_user_alice(4) + + machine.send_chars("${oathSnakeOilPassword2}\n") + machine.wait_until_tty_matches(4, "Password: ") + machine.send_chars("${alicePassword}\n") + + machine.wait_until_succeeds("pgrep -u alice bash") + machine.send_chars("touch done4\n") + machine.wait_for_file("/home/alice/done4") + ''; }) diff --git a/nixpkgs/nixos/tests/pam-u2f.nix b/nixpkgs/nixos/tests/pam-u2f.nix index 1052a2f3b916..f492baa9e139 100644 --- a/nixpkgs/nixos/tests/pam-u2f.nix +++ b/nixpkgs/nixos/tests/pam-u2f.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ ... }: +import ./make-test-python.nix ({ ... }: { name = "pam-u2f"; @@ -17,7 +17,9 @@ import ./make-test.nix ({ ... }: testScript = '' - $machine->waitForUnit('multi-user.target'); - $machine->succeed('egrep "auth required .*/lib/security/pam_u2f.so.*debug.*interactive.*cue" /etc/pam.d/ -R'); + machine.wait_for_unit("multi-user.target") + machine.succeed( + 'egrep "auth required .*/lib/security/pam_u2f.so.*debug.*interactive.*cue" /etc/pam.d/ -R' + ) ''; }) diff --git a/nixpkgs/nixos/tests/pantheon.nix b/nixpkgs/nixos/tests/pantheon.nix index c50f77f86173..c0434f20754c 100644 --- a/nixpkgs/nixos/tests/pantheon.nix +++ b/nixpkgs/nixos/tests/pantheon.nix @@ -1,9 +1,10 @@ -import ./make-test.nix ({ pkgs, ...} : +import ./make-test-python.nix ({ pkgs, ...} : { name = "pantheon"; + meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ worldofpeace ]; + maintainers = pkgs.pantheon.maintainers; }; machine = { ... }: @@ -21,35 +22,38 @@ import ./make-test.nix ({ pkgs, ...} : testScript = { nodes, ... }: let user = nodes.machine.config.users.users.alice; + bob = nodes.machine.config.users.users.bob; in '' - startAll; - - # Wait for display manager to start - $machine->waitForText(qr/${user.description}/); - $machine->screenshot("lightdm"); - - # Log in - $machine->sendChars("${user.password}\n"); - $machine->waitForFile("/home/alice/.Xauthority"); - $machine->succeed("xauth merge ~alice/.Xauthority"); - - # Check if "pantheon-shell" components actually start - $machine->waitUntilSucceeds("pgrep gala"); - $machine->waitForWindow(qr/gala/); - $machine->waitUntilSucceeds("pgrep wingpanel"); - $machine->waitForWindow("wingpanel"); - $machine->waitUntilSucceeds("pgrep plank"); - $machine->waitForWindow(qr/plank/); - - # Check that logging in has given the user ownership of devices. - $machine->succeed("getfacl /dev/snd/timer | grep -q alice"); - - # Open elementary terminal - $machine->execute("su - alice -c 'DISPLAY=:0.0 io.elementary.terminal &'"); - $machine->waitForWindow(qr/io.elementary.terminal/); - - # Take a screenshot of the desktop - $machine->sleep(20); - $machine->screenshot("screen"); + machine.wait_for_unit("display-manager.service") + + with subtest("Test we can see usernames in elementary-greeter"): + machine.wait_for_text("${user.description}") + # OCR was struggling with this one. + # machine.wait_for_text("${bob.description}") + machine.screenshot("elementary_greeter_lightdm") + + with subtest("Login with elementary-greeter"): + machine.send_chars("${user.password}\n") + machine.wait_for_x() + machine.wait_for_file("${user.home}/.Xauthority") + machine.succeed("xauth merge ${user.home}/.Xauthority") + + with subtest("Check that logging in has given the user ownership of devices"): + machine.succeed("getfacl -p /dev/snd/timer | grep -q ${user.name}") + + # TODO: DBus API could eliminate this? Pantheon uses Bamf. + with subtest("Check if pantheon session components actually start"): + machine.wait_until_succeeds("pgrep gala") + machine.wait_for_window("gala") + machine.wait_until_succeeds("pgrep wingpanel") + machine.wait_for_window("wingpanel") + machine.wait_until_succeeds("pgrep plank") + machine.wait_for_window("plank") + + with subtest("Open elementary terminal"): + machine.execute("su - ${user.name} -c 'DISPLAY=:0 io.elementary.terminal &'") + machine.wait_for_window("io.elementary.terminal") + machine.sleep(20) + machine.screenshot("screen") ''; }) diff --git a/nixpkgs/nixos/tests/paperless.nix b/nixpkgs/nixos/tests/paperless.nix index 860ad0a6218f..355e7041d3fe 100644 --- a/nixpkgs/nixos/tests/paperless.nix +++ b/nixpkgs/nixos/tests/paperless.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ lib, ... } : { +import ./make-test-python.nix ({ lib, ... } : { name = "paperless"; meta = with lib.maintainers; { maintainers = [ earvstedt ]; @@ -13,17 +13,24 @@ import ./make-test.nix ({ lib, ... } : { }; testScript = '' - $machine->waitForUnit("paperless-consumer.service"); + machine.wait_for_unit("paperless-consumer.service") + # Create test doc - $machine->succeed('convert -size 400x40 xc:white -font "DejaVu-Sans" -pointsize 20 -fill black \ - -annotate +5+20 "hello world 16-10-2005" /var/lib/paperless/consume/doc.png'); + machine.succeed( + "convert -size 400x40 xc:white -font 'DejaVu-Sans' -pointsize 20 -fill black -annotate +5+20 'hello world 16-10-2005' /var/lib/paperless/consume/doc.png" + ) + + with subtest("Service gets ready"): + machine.wait_for_unit("paperless-server.service") + # Wait until server accepts connections + machine.wait_until_succeeds("curl -s localhost:28981") - $machine->waitForUnit("paperless-server.service"); - # Wait until server accepts connections - $machine->waitUntilSucceeds("curl -s localhost:28981"); - # Wait until document is consumed - $machine->waitUntilSucceeds('(($(curl -s localhost:28981/api/documents/ | jq .count) == 1))'); - $machine->succeed("curl -s localhost:28981/api/documents/ | jq '.results | .[0] | .created'") - =~ /2005-10-16/ or die; + with subtest("Test document is consumed"): + machine.wait_until_succeeds( + "(($(curl -s localhost:28981/api/documents/ | jq .count) == 1))" + ) + assert "2005-10-16" in machine.succeed( + "curl -s localhost:28981/api/documents/ | jq '.results | .[0] | .created'" + ) ''; }) diff --git a/nixpkgs/nixos/tests/pdns-recursor.nix b/nixpkgs/nixos/tests/pdns-recursor.nix index bf6e6093d69c..de1b60e0b1c7 100644 --- a/nixpkgs/nixos/tests/pdns-recursor.nix +++ b/nixpkgs/nixos/tests/pdns-recursor.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: { +import ./make-test-python.nix ({ pkgs, ... }: { name = "powerdns"; nodes.server = { ... }: { @@ -6,7 +6,7 @@ import ./make-test.nix ({ pkgs, ... }: { }; testScript = '' - $server->waitForUnit("pdns-recursor"); - $server->waitForOpenPort("53"); + server.wait_for_unit("pdns-recursor") + server.wait_for_open_port("53") ''; }) diff --git a/nixpkgs/nixos/tests/peerflix.nix b/nixpkgs/nixos/tests/peerflix.nix index fae37fedaac7..37628604d49b 100644 --- a/nixpkgs/nixos/tests/peerflix.nix +++ b/nixpkgs/nixos/tests/peerflix.nix @@ -1,6 +1,6 @@ # This test runs peerflix and checks if peerflix starts -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "peerflix"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ offline ]; @@ -15,9 +15,9 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; + start_all() - $peerflix->waitForUnit("peerflix.service"); - $peerflix->waitUntilSucceeds("curl localhost:9000"); + peerflix.wait_for_unit("peerflix.service") + peerflix.wait_until_succeeds("curl localhost:9000") ''; }) diff --git a/nixpkgs/nixos/tests/pgjwt.nix b/nixpkgs/nixos/tests/pgjwt.nix index a2d81288c812..4793a3e31503 100644 --- a/nixpkgs/nixos/tests/pgjwt.nix +++ b/nixpkgs/nixos/tests/pgjwt.nix @@ -1,12 +1,5 @@ -import ./make-test.nix ({ pkgs, lib, ...}: -let - test = with pkgs; runCommand "patch-test" { - nativeBuildInputs = [ pgjwt ]; - } - '' - sed -e '12 i CREATE EXTENSION pgcrypto;\nCREATE EXTENSION pgtap;\nSET search_path TO tap,public;' ${pgjwt.src}/test.sql > $out; - ''; -in +import ./make-test-python.nix ({ pkgs, lib, ...}: + with pkgs; { name = "pgjwt"; meta = with lib.maintainers; { @@ -29,9 +22,13 @@ with pkgs; { pgProve = "${pkgs.perlPackages.TAPParserSourceHandlerpgTAP}"; in '' - startAll; - $master->waitForUnit("postgresql"); - $master->copyFileFromHost("${test}","/tmp/test.sql"); - $master->succeed("${pkgs.sudo}/bin/sudo -u ${sqlSU} PGOPTIONS=--search_path=tap,public ${pgProve}/bin/pg_prove -d postgres -v -f /tmp/test.sql"); + start_all() + master.wait_for_unit("postgresql") + master.succeed( + "${pkgs.gnused}/bin/sed -e '12 i CREATE EXTENSION pgcrypto;\\nCREATE EXTENSION pgtap;\\nSET search_path TO tap,public;' ${pgjwt.src}/test.sql > /tmp/test.sql" + ) + master.succeed( + "${pkgs.sudo}/bin/sudo -u ${sqlSU} PGOPTIONS=--search_path=tap,public ${pgProve}/bin/pg_prove -d postgres -v -f /tmp/test.sql" + ) ''; }) diff --git a/nixpkgs/nixos/tests/pgmanage.nix b/nixpkgs/nixos/tests/pgmanage.nix index bacaf3f41588..4f5dbed24a97 100644 --- a/nixpkgs/nixos/tests/pgmanage.nix +++ b/nixpkgs/nixos/tests/pgmanage.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... } : +import ./make-test-python.nix ({ pkgs, ... } : let role = "test"; password = "secret"; @@ -29,11 +29,13 @@ in }; testScript = '' - startAll; - $one->waitForUnit("default.target"); - $one->requireActiveUnit("pgmanage.service"); + start_all() + one.wait_for_unit("default.target") + one.require_unit_state("pgmanage.service", "active") # Test if we can log in. - $one->waitUntilSucceeds("curl 'http://localhost:8080/pgmanage/auth' --data 'action=login&connname=${conn}&username=${role}&password=${password}' --fail"); + one.wait_until_succeeds( + "curl 'http://localhost:8080/pgmanage/auth' --data 'action=login&connname=${conn}&username=${role}&password=${password}' --fail" + ) ''; }) diff --git a/nixpkgs/nixos/tests/php-pcre.nix b/nixpkgs/nixos/tests/php-pcre.nix index ae44aec7944f..d5c22e0582a0 100644 --- a/nixpkgs/nixos/tests/php-pcre.nix +++ b/nixpkgs/nixos/tests/php-pcre.nix @@ -1,7 +1,7 @@ let testString = "can-use-subgroups"; in -import ./make-test.nix ({ ...}: { +import ./make-test-python.nix ({ ...}: { name = "php-httpd-pcre-jit-test"; machine = { lib, pkgs, ... }: { time.timeZone = "UTC"; @@ -31,9 +31,10 @@ import ./make-test.nix ({ ...}: { }; testScript = { ... }: '' - $machine->waitForUnit('httpd.service'); + machine.wait_for_unit("httpd.service") # Ensure php evaluation by matching on the var_dump syntax - $machine->succeed('curl -vvv -s http://127.0.0.1:80/index.php \ - | grep "string(${toString (builtins.stringLength testString)}) \"${testString}\""'); + assert 'string(${toString (builtins.stringLength testString)}) "${testString}"' in machine.succeed( + "curl -vvv -s http://127.0.0.1:80/index.php" + ) ''; }) diff --git a/nixpkgs/nixos/tests/plasma5.nix b/nixpkgs/nixos/tests/plasma5.nix index 88d4ff334369..2eccfdf47f59 100644 --- a/nixpkgs/nixos/tests/plasma5.nix +++ b/nixpkgs/nixos/tests/plasma5.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : +import ./make-test-python.nix ({ pkgs, ...} : { name = "plasma5"; @@ -7,59 +7,53 @@ import ./make-test.nix ({ pkgs, ...} : }; machine = { ... }: - let - sddm_theme = pkgs.stdenv.mkDerivation { - name = "breeze-ocr-theme"; - phases = "buildPhase"; - buildCommand = '' - mkdir -p $out/share/sddm/themes/ - cp -r ${pkgs.plasma-workspace}/share/sddm/themes/breeze $out/share/sddm/themes/breeze-ocr-theme - chmod -R +w $out/share/sddm/themes/breeze-ocr-theme - printf "[General]\ntype=color\ncolor=#1d99f3\nbackground=\n" > $out/share/sddm/themes/breeze-ocr-theme/theme.conf - ''; - }; - in + { imports = [ ./common/user-account.nix ]; services.xserver.enable = true; services.xserver.displayManager.sddm.enable = true; - services.xserver.displayManager.sddm.theme = "breeze-ocr-theme"; + services.xserver.displayManager.defaultSession = "plasma5"; services.xserver.desktopManager.plasma5.enable = true; - services.xserver.desktopManager.default = "plasma5"; services.xserver.displayManager.sddm.autoLogin = { enable = true; user = "alice"; }; hardware.pulseaudio.enable = true; # needed for the factl test, /dev/snd/* exists without them but udev doesn't care then virtualisation.memorySize = 1024; - environment.systemPackages = [ sddm_theme ]; }; testScript = { nodes, ... }: let user = nodes.machine.config.users.users.alice; xdo = "${pkgs.xdotool}/bin/xdotool"; in '' - startAll; - # wait for log in - $machine->waitForFile("/home/alice/.Xauthority"); - $machine->succeed("xauth merge ~alice/.Xauthority"); - - $machine->waitUntilSucceeds("pgrep plasmashell"); - $machine->waitForWindow("^Desktop "); - - # Check that logging in has given the user ownership of devices. - $machine->succeed("getfacl /dev/snd/timer | grep -q alice"); - - $machine->execute("su - alice -c 'DISPLAY=:0.0 dolphin &'"); - $machine->waitForWindow(" Dolphin"); - - $machine->execute("su - alice -c 'DISPLAY=:0.0 konsole &'"); - $machine->waitForWindow("Konsole"); - - $machine->execute("su - alice -c 'DISPLAY=:0.0 systemsettings5 &'"); - $machine->waitForWindow("Settings"); - - $machine->execute("${xdo} key Alt+F1 sleep 10"); - $machine->screenshot("screen"); + with subtest("Wait for login"): + start_all() + machine.wait_for_file("${user.home}/.Xauthority") + machine.succeed("xauth merge ${user.home}/.Xauthority") + + with subtest("Check plasmashell started"): + machine.wait_until_succeeds("pgrep plasmashell") + machine.wait_for_window("^Desktop ") + + with subtest("Check that logging in has given the user ownership of devices"): + machine.succeed("getfacl -p /dev/snd/timer | grep -q ${user.name}") + + with subtest("Run Dolphin"): + machine.execute("su - ${user.name} -c 'DISPLAY=:0.0 dolphin &'") + machine.wait_for_window(" Dolphin") + + with subtest("Run Konsole"): + machine.execute("su - ${user.name} -c 'DISPLAY=:0.0 konsole &'") + machine.wait_for_window("Konsole") + + with subtest("Run systemsettings"): + machine.execute("su - ${user.name} -c 'DISPLAY=:0.0 systemsettings5 &'") + machine.wait_for_window("Settings") + + with subtest("Wait to get a screenshot"): + machine.execute( + "${xdo} key Alt+F1 sleep 10" + ) + machine.screenshot("screen") ''; }) diff --git a/nixpkgs/nixos/tests/postgis.nix b/nixpkgs/nixos/tests/postgis.nix index 294eb50b5fe5..84bbb0bc8ec6 100644 --- a/nixpkgs/nixos/tests/postgis.nix +++ b/nixpkgs/nixos/tests/postgis.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "postgis"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ lsix ]; @@ -20,10 +20,10 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; - $master->waitForUnit("postgresql"); - $master->sleep(10); # Hopefully this is long enough!! - $master->succeed("sudo -u postgres psql -c 'CREATE EXTENSION postgis;'"); - $master->succeed("sudo -u postgres psql -c 'CREATE EXTENSION postgis_topology;'"); + start_all() + master.wait_for_unit("postgresql") + master.sleep(10) # Hopefully this is long enough!! + master.succeed("sudo -u postgres psql -c 'CREATE EXTENSION postgis;'") + master.succeed("sudo -u postgres psql -c 'CREATE EXTENSION postgis_topology;'") ''; }) diff --git a/nixpkgs/nixos/tests/postgresql.nix b/nixpkgs/nixos/tests/postgresql.nix index ae5d6d095ea2..e71c38882881 100644 --- a/nixpkgs/nixos/tests/postgresql.nix +++ b/nixpkgs/nixos/tests/postgresql.nix @@ -3,7 +3,7 @@ pkgs ? import ../.. { inherit system config; } }: -with import ../lib/testing.nix { inherit system pkgs; }; +with import ../lib/testing-python.nix { inherit system pkgs; }; with pkgs.lib; let @@ -40,29 +40,33 @@ let backupName = if backup-all then "all" else "postgres"; backupService = if backup-all then "postgresqlBackup" else "postgresqlBackup-postgres"; in '' - sub check_count { - my ($select, $nlines) = @_; - return 'test $(sudo -u postgres psql postgres -tAc "' . $select . '"|wc -l) -eq ' . $nlines; - } + def check_count(statement, lines): + return 'test $(sudo -u postgres psql postgres -tAc "{}"|wc -l) -eq {}'.format( + statement, lines + ) + + + machine.start() + machine.wait_for_unit("postgresql") - $machine->start; - $machine->waitForUnit("postgresql"); # postgresql should be available just after unit start - $machine->succeed("cat ${test-sql} | sudo -u postgres psql"); - $machine->shutdown; # make sure that postgresql survive restart (bug #1735) - sleep(2); - $machine->start; - $machine->waitForUnit("postgresql"); - $machine->fail(check_count("SELECT * FROM sth;", 3)); - $machine->succeed(check_count("SELECT * FROM sth;", 5)); - $machine->fail(check_count("SELECT * FROM sth;", 4)); - $machine->succeed(check_count("SELECT xpath(\'/test/text()\', doc) FROM xmltest;", 1)); + machine.succeed( + "cat ${test-sql} | sudo -u postgres psql" + ) + machine.shutdown() # make sure that postgresql survive restart (bug #1735) + time.sleep(2) + machine.start() + machine.wait_for_unit("postgresql") + machine.fail(check_count("SELECT * FROM sth;", 3)) + machine.succeed(check_count("SELECT * FROM sth;", 5)) + machine.fail(check_count("SELECT * FROM sth;", 4)) + machine.succeed(check_count("SELECT xpath('/test/text()', doc) FROM xmltest;", 1)) # Check backup service - $machine->succeed("systemctl start ${backupService}.service"); - $machine->succeed("zcat /var/backup/postgresql/${backupName}.sql.gz | grep '<test>ok</test>'"); - $machine->succeed("stat -c '%a' /var/backup/postgresql/${backupName}.sql.gz | grep 600"); - $machine->shutdown; + machine.succeed("systemctl start ${backupService}.service") + machine.succeed("zcat /var/backup/postgresql/${backupName}.sql.gz | grep '<test>ok</test>'") + machine.succeed("stat -c '%a' /var/backup/postgresql/${backupName}.sql.gz | grep 600") + machine.shutdown() ''; }; diff --git a/nixpkgs/nixos/tests/powerdns.nix b/nixpkgs/nixos/tests/powerdns.nix index 8addcc784012..75d71315e644 100644 --- a/nixpkgs/nixos/tests/powerdns.nix +++ b/nixpkgs/nixos/tests/powerdns.nix @@ -1,12 +1,13 @@ -import ./make-test.nix ({ pkgs, ... }: { +import ./make-test-python.nix ({ pkgs, ... }: { name = "powerdns"; nodes.server = { ... }: { services.powerdns.enable = true; + environment.systemPackages = [ pkgs.dnsutils ]; }; testScript = '' - $server->waitForUnit("pdns"); - $server->succeed("${pkgs.dnsutils}/bin/dig version.bind txt chaos \@127.0.0.1"); + server.wait_for_unit("pdns") + server.succeed("dig version.bind txt chaos \@127.0.0.1") ''; }) diff --git a/nixpkgs/nixos/tests/pppd.nix b/nixpkgs/nixos/tests/pppd.nix new file mode 100644 index 000000000000..bda0aa75bb50 --- /dev/null +++ b/nixpkgs/nixos/tests/pppd.nix @@ -0,0 +1,62 @@ +import ./make-test-python.nix ( + let + chap-secrets = { + text = ''"flynn" * "reindeerflotilla" *''; + mode = "0640"; + }; + in { + nodes = { + server = {config, pkgs, ...}: { + config = { + # Run a PPPoE access concentrator server. It will spawn an + # appropriate PPP server process when a PPPoE client sets up a + # PPPoE session. + systemd.services.pppoe-server = { + restartTriggers = [ + config.environment.etc."ppp/pppoe-server-options".source + config.environment.etc."ppp/chap-secrets".source + ]; + after = ["network.target"]; + serviceConfig = { + ExecStart = "${pkgs.rpPPPoE}/sbin/pppoe-server -F -O /etc/ppp/pppoe-server-options -q ${pkgs.ppp}/sbin/pppd -I eth1 -L 192.0.2.1 -R 192.0.2.2"; + }; + wantedBy = ["multi-user.target"]; + }; + environment.etc = { + "ppp/pppoe-server-options".text = '' + lcp-echo-interval 10 + lcp-echo-failure 2 + plugin rp-pppoe.so + require-chap + nobsdcomp + noccp + novj + ''; + "ppp/chap-secrets" = chap-secrets; + }; + }; + }; + client = {config, pkgs, ...}: { + services.pppd = { + enable = true; + peers.test = { + config = '' + plugin rp-pppoe.so eth1 + name "flynn" + noipdefault + persist + noauth + debug + ''; + }; + }; + environment.etc."ppp/chap-secrets" = chap-secrets; + }; + }; + + testScript = '' + start_all() + client.wait_until_succeeds("ping -c1 -W1 192.0.2.1") + server.wait_until_succeeds("ping -c1 -W1 192.0.2.2") + ''; + }) diff --git a/nixpkgs/nixos/tests/predictable-interface-names.nix b/nixpkgs/nixos/tests/predictable-interface-names.nix index 85047f66f23c..83883477a5cc 100644 --- a/nixpkgs/nixos/tests/predictable-interface-names.nix +++ b/nixpkgs/nixos/tests/predictable-interface-names.nix @@ -4,7 +4,7 @@ }: let - inherit (import ../lib/testing.nix { inherit system pkgs; }) makeTest; + inherit (import ../lib/testing-python.nix { inherit system pkgs; }) makeTest; in pkgs.lib.listToAttrs (pkgs.lib.crossLists (predictable: withNetworkd: { name = pkgs.lib.optionalString (!predictable) "un" + "predictable" + pkgs.lib.optionalString withNetworkd "Networkd"; @@ -16,11 +16,12 @@ in pkgs.lib.listToAttrs (pkgs.lib.crossLists (predictable: withNetworkd: { networking.usePredictableInterfaceNames = lib.mkForce predictable; networking.useNetworkd = withNetworkd; networking.dhcpcd.enable = !withNetworkd; + networking.useDHCP = !withNetworkd; }; testScript = '' - print $machine->succeed("ip link"); - $machine->${if predictable then "fail" else "succeed"}("ip link show eth0 "); + print(machine.succeed("ip link")) + machine.${if predictable then "fail" else "succeed"}("ip link show eth0") ''; }; }) [[true false] [true false]]) diff --git a/nixpkgs/nixos/tests/prometheus-exporters.nix b/nixpkgs/nixos/tests/prometheus-exporters.nix index 9826b56b74d7..563f24726477 100644 --- a/nixpkgs/nixos/tests/prometheus-exporters.nix +++ b/nixpkgs/nixos/tests/prometheus-exporters.nix @@ -4,12 +4,10 @@ }: let - inherit (import ../lib/testing.nix { inherit system pkgs; }) makeTest; + inherit (import ../lib/testing-python.nix { inherit system pkgs; }) makeTest; inherit (pkgs.lib) concatStringsSep maintainers mapAttrs mkMerge removeSuffix replaceChars singleton splitString; - escape' = str: replaceChars [''"'' "$" "\n"] [''\\\"'' "\\$" ""] str; - /* * The attrset `exporterTests` contains one attribute * for each exporter test. Each of these attributes @@ -33,9 +31,9 @@ let * services.<metricProvider>.enable = true; * }; * exporterTest = '' - * waitForUnit("prometheus-<exporterName>-exporter.service"); - * waitForOpenPort("1234"); - * succeed("curl -sSf 'localhost:1234/metrics'"); + * wait_for_unit("prometheus-<exporterName>-exporter.service") + * wait_for_open_port("1234") + * succeed("curl -sSf 'localhost:1234/metrics'") * ''; * }; * @@ -49,11 +47,11 @@ let * }; * * testScript = '' - * $<exporterName>->start(); - * $<exporterName>->waitForUnit("prometheus-<exporterName>-exporter.service"); - * $<exporterName>->waitForOpenPort("1234"); - * $<exporterName>->succeed("curl -sSf 'localhost:1234/metrics'"); - * $<exporterName>->shutdown(); + * <exporterName>.start() + * <exporterName>.wait_for_unit("prometheus-<exporterName>-exporter.service") + * <exporterName>.wait_for_open_port("1234") + * <exporterName>.succeed("curl -sSf 'localhost:1234/metrics'") + * <exporterName>.shutdown() * ''; */ @@ -72,9 +70,11 @@ let ''; }; exporterTest = '' - waitForUnit("prometheus-bind-exporter.service"); - waitForOpenPort(9119); - succeed("curl -sSf http://localhost:9119/metrics | grep -q 'bind_query_recursions_total 0'"); + wait_for_unit("prometheus-bind-exporter.service") + wait_for_open_port(9119) + succeed( + "curl -sSf http://localhost:9119/metrics | grep -q 'bind_query_recursions_total 0'" + ) ''; }; @@ -89,9 +89,11 @@ let }); }; exporterTest = '' - waitForUnit("prometheus-blackbox-exporter.service"); - waitForOpenPort(9115); - succeed("curl -sSf 'http://localhost:9115/probe?target=localhost&module=icmp_v6' | grep -q 'probe_success 1'"); + wait_for_unit("prometheus-blackbox-exporter.service") + wait_for_open_port(9115) + succeed( + "curl -sSf 'http://localhost:9115/probe?target=localhost&module=icmp_v6' | grep -q 'probe_success 1'" + ) ''; }; @@ -100,7 +102,7 @@ let enable = true; extraFlags = [ "--web.collectd-push-path /collectd" ]; }; - exporterTest =let postData = escape' '' + exporterTest = let postData = replaceChars [ "\n" ] [ "" ] '' [{ "values":[23], "dstypes":["gauge"], @@ -108,13 +110,21 @@ let "interval":1000, "host":"testhost", "plugin":"testplugin", - "time":$(date +%s) + "time":DATE }] ''; in '' - waitForUnit("prometheus-collectd-exporter.service"); - waitForOpenPort(9103); - succeed("curl -sSfH 'Content-Type: application/json' -X POST --data \"${postData}\" localhost:9103/collectd"); - succeed("curl -sSf localhost:9103/metrics | grep -q 'collectd_testplugin_gauge{instance=\"testhost\"} 23'"); + wait_for_unit("prometheus-collectd-exporter.service") + wait_for_open_port(9103) + succeed( + 'echo \'${postData}\'> /tmp/data.json' + ) + succeed('sed -ie "s DATE $(date +%s) " /tmp/data.json') + succeed( + "curl -sSfH 'Content-Type: application/json' -X POST --data @/tmp/data.json localhost:9103/collectd" + ) + succeed( + "curl -sSf localhost:9103/metrics | grep -q 'collectd_testplugin_gauge{instance=\"testhost\"} 23'" + ) ''; }; @@ -127,9 +137,9 @@ let services.dnsmasq.enable = true; }; exporterTest = '' - waitForUnit("prometheus-dnsmasq-exporter.service"); - waitForOpenPort(9153); - succeed("curl -sSf http://localhost:9153/metrics | grep -q 'dnsmasq_leases 0'"); + wait_for_unit("prometheus-dnsmasq-exporter.service") + wait_for_open_port(9153) + succeed("curl -sSf http://localhost:9153/metrics | grep -q 'dnsmasq_leases 0'") ''; }; @@ -144,9 +154,11 @@ let services.dovecot2.enable = true; }; exporterTest = '' - waitForUnit("prometheus-dovecot-exporter.service"); - waitForOpenPort(9166); - succeed("curl -sSf http://localhost:9166/metrics | grep -q 'dovecot_up{scope=\"global\"} 1'"); + wait_for_unit("prometheus-dovecot-exporter.service") + wait_for_open_port(9166) + succeed( + "curl -sSf http://localhost:9166/metrics | grep -q 'dovecot_up{scope=\"global\"} 1'" + ) ''; }; @@ -155,9 +167,11 @@ let enable = true; }; exporterTest = '' - waitForUnit("prometheus-fritzbox-exporter.service"); - waitForOpenPort(9133); - succeed("curl -sSf http://localhost:9133/metrics | grep -q 'fritzbox_exporter_collect_errors 0'"); + wait_for_unit("prometheus-fritzbox-exporter.service") + wait_for_open_port(9133) + succeed( + "curl -sSf http://localhost:9133/metrics | grep -q 'fritzbox_exporter_collect_errors 0'" + ) ''; }; @@ -180,11 +194,11 @@ let }; }; exporterTest = '' - waitForUnit("nginx.service"); - waitForOpenPort(80); - waitForUnit("prometheus-json-exporter.service"); - waitForOpenPort(7979); - succeed("curl -sSf localhost:7979/metrics | grep -q 'json_test_metric 1'"); + wait_for_unit("nginx.service") + wait_for_open_port(80) + wait_for_unit("prometheus-json-exporter.service") + wait_for_open_port(7979) + succeed("curl -sSf localhost:7979/metrics | grep -q 'json_test_metric 1'") ''; }; @@ -222,10 +236,46 @@ let users.users.mailexporter.isSystemUser = true; }; exporterTest = '' - waitForUnit("postfix.service") - waitForUnit("prometheus-mail-exporter.service") - waitForOpenPort(9225) - waitUntilSucceeds("curl -sSf http://localhost:9225/metrics | grep -q 'mail_deliver_success{configname=\"testserver\"} 1'") + wait_for_unit("postfix.service") + wait_for_unit("prometheus-mail-exporter.service") + wait_for_open_port(9225) + wait_until_succeeds( + "curl -sSf http://localhost:9225/metrics | grep -q 'mail_deliver_success{configname=\"testserver\"} 1'" + ) + ''; + }; + + nextcloud = { + exporterConfig = { + enable = true; + passwordFile = "/var/nextcloud-pwfile"; + url = "http://localhost/negative-space.xml"; + }; + metricProvider = { + systemd.services.nc-pwfile = let + passfile = (pkgs.writeText "pwfile" "snakeoilpw"); + in { + requiredBy = [ "prometheus-nextcloud-exporter.service" ]; + before = [ "prometheus-nextcloud-exporter.service" ]; + serviceConfig.ExecStart = '' + ${pkgs.coreutils}/bin/install -o nextcloud-exporter -m 0400 ${passfile} /var/nextcloud-pwfile + ''; + }; + services.nginx = { + enable = true; + virtualHosts."localhost" = { + basicAuth.nextcloud-exporter = "snakeoilpw"; + locations."/" = { + root = "${pkgs.prometheus-nextcloud-exporter.src}/serverinfo/testdata"; + }; + }; + }; + }; + exporterTest = '' + wait_for_unit("nginx.service") + wait_for_unit("prometheus-nextcloud-exporter.service") + wait_for_open_port(9205) + succeed("curl -sSf http://localhost:9205/metrics | grep -q 'nextcloud_up 1'") ''; }; @@ -241,9 +291,9 @@ let }; }; exporterTest = '' - waitForUnit("nginx.service") - waitForUnit("prometheus-nginx-exporter.service") - waitForOpenPort(9113) + wait_for_unit("nginx.service") + wait_for_unit("prometheus-nginx-exporter.service") + wait_for_open_port(9113) succeed("curl -sSf http://localhost:9113/metrics | grep -q 'nginx_up 1'") ''; }; @@ -253,9 +303,11 @@ let enable = true; }; exporterTest = '' - waitForUnit("prometheus-node-exporter.service"); - waitForOpenPort(9100); - succeed("curl -sSf http://localhost:9100/metrics | grep -q 'node_exporter_build_info{.\\+} 1'"); + wait_for_unit("prometheus-node-exporter.service") + wait_for_open_port(9100) + succeed( + "curl -sSf http://localhost:9100/metrics | grep -q 'node_exporter_build_info{.\\+} 1'" + ) ''; }; @@ -267,9 +319,11 @@ let services.postfix.enable = true; }; exporterTest = '' - waitForUnit("prometheus-postfix-exporter.service"); - waitForOpenPort(9154); - succeed("curl -sSf http://localhost:9154/metrics | grep -q 'postfix_smtpd_connects_total 0'"); + wait_for_unit("prometheus-postfix-exporter.service") + wait_for_open_port(9154) + succeed( + "curl -sSf http://localhost:9154/metrics | grep -q 'postfix_smtpd_connects_total 0'" + ) ''; }; @@ -282,18 +336,24 @@ let services.postgresql.enable = true; }; exporterTest = '' - waitForUnit("prometheus-postgres-exporter.service"); - waitForOpenPort(9187); - waitForUnit("postgresql.service"); - succeed("curl -sSf http://localhost:9187/metrics | grep -q 'pg_exporter_last_scrape_error 0'"); - succeed("curl -sSf http://localhost:9187/metrics | grep -q 'pg_up 1'"); - systemctl("stop postgresql.service"); - succeed("curl -sSf http://localhost:9187/metrics | grep -qv 'pg_exporter_last_scrape_error 0'"); - succeed("curl -sSf http://localhost:9187/metrics | grep -q 'pg_up 0'"); - systemctl("start postgresql.service"); - waitForUnit("postgresql.service"); - succeed("curl -sSf http://localhost:9187/metrics | grep -q 'pg_exporter_last_scrape_error 0'"); - succeed("curl -sSf http://localhost:9187/metrics | grep -q 'pg_up 1'"); + wait_for_unit("prometheus-postgres-exporter.service") + wait_for_open_port(9187) + wait_for_unit("postgresql.service") + succeed( + "curl -sSf http://localhost:9187/metrics | grep -q 'pg_exporter_last_scrape_error 0'" + ) + succeed("curl -sSf http://localhost:9187/metrics | grep -q 'pg_up 1'") + systemctl("stop postgresql.service") + succeed( + "curl -sSf http://localhost:9187/metrics | grep -qv 'pg_exporter_last_scrape_error 0'" + ) + succeed("curl -sSf http://localhost:9187/metrics | grep -q 'pg_up 0'") + systemctl("start postgresql.service") + wait_for_unit("postgresql.service") + succeed( + "curl -sSf http://localhost:9187/metrics | grep -q 'pg_exporter_last_scrape_error 0'" + ) + succeed("curl -sSf http://localhost:9187/metrics | grep -q 'pg_up 1'") ''; }; @@ -305,11 +365,13 @@ let services.rspamd.enable = true; }; exporterTest = '' - waitForUnit("rspamd.service"); - waitForUnit("prometheus-rspamd-exporter.service"); - waitForOpenPort(11334); - waitForOpenPort(7980); - waitUntilSucceeds("curl -sSf localhost:7980/metrics | grep -q 'rspamd_scanned{host=\"rspamd\"} 0'"); + wait_for_unit("rspamd.service") + wait_for_unit("prometheus-rspamd-exporter.service") + wait_for_open_port(11334) + wait_for_open_port(7980) + wait_until_succeeds( + "curl -sSf localhost:7980/metrics | grep -q 'rspamd_scanned{host=\"rspamd\"} 0'" + ) ''; }; @@ -322,9 +384,9 @@ let }; }; exporterTest = '' - waitForUnit("prometheus-snmp-exporter.service"); - waitForOpenPort(9116); - succeed("curl -sSf localhost:9116/metrics | grep -q 'snmp_request_errors_total 0'"); + wait_for_unit("prometheus-snmp-exporter.service") + wait_for_open_port(9116) + succeed("curl -sSf localhost:9116/metrics | grep -q 'snmp_request_errors_total 0'") ''; }; @@ -343,11 +405,11 @@ let }; }; exporterTest = '' - waitForUnit("nginx.service"); - waitForOpenPort(80); - waitForUnit("prometheus-surfboard-exporter.service"); - waitForOpenPort(9239); - succeed("curl -sSf localhost:9239/metrics | grep -q 'surfboard_up 1'"); + wait_for_unit("nginx.service") + wait_for_open_port(80) + wait_for_unit("prometheus-surfboard-exporter.service") + wait_for_open_port(9239) + succeed("curl -sSf localhost:9239/metrics | grep -q 'surfboard_up 1'") ''; }; @@ -362,11 +424,11 @@ let services.tor.controlPort = 9051; }; exporterTest = '' - waitForUnit("tor.service"); - waitForOpenPort(9051); - waitForUnit("prometheus-tor-exporter.service"); - waitForOpenPort(9130); - succeed("curl -sSf localhost:9130/metrics | grep -q 'tor_version{.\\+} 1'"); + wait_for_unit("tor.service") + wait_for_open_port(9051) + wait_for_unit("prometheus-tor-exporter.service") + wait_for_open_port(9130) + succeed("curl -sSf localhost:9130/metrics | grep -q 'tor_version{.\\+} 1'") ''; }; @@ -392,10 +454,10 @@ let }; }; exporterTest = '' - waitForUnit("prometheus-varnish-exporter.service"); - waitForOpenPort(6081); - waitForOpenPort(9131); - succeed("curl -sSf http://localhost:9131/metrics | grep -q 'varnish_up 1'"); + wait_for_unit("prometheus-varnish-exporter.service") + wait_for_open_port(6081) + wait_for_open_port(9131) + succeed("curl -sSf http://localhost:9131/metrics | grep -q 'varnish_up 1'") ''; }; @@ -417,9 +479,11 @@ let systemd.services.prometheus-wireguard-exporter.after = [ "wireguard-wg0.service" ]; }; exporterTest = '' - waitForUnit("prometheus-wireguard-exporter.service"); - waitForOpenPort(9586); - waitUntilSucceeds("curl -sSf http://localhost:9586/metrics | grep '${snakeoil.peer1.publicKey}'"); + wait_for_unit("prometheus-wireguard-exporter.service") + wait_for_open_port(9586) + wait_until_succeeds( + "curl -sSf http://localhost:9586/metrics | grep '${snakeoil.peer1.publicKey}'" + ) ''; }; }; @@ -432,11 +496,13 @@ mapAttrs (exporter: testConfig: (makeTest { } testConfig.metricProvider or {}]; testScript = '' - ${"$"+exporter}->start(); - ${concatStringsSep " " (map (line: '' - ${"$"+exporter}->${line}; - '') (splitString "\n" (removeSuffix "\n" testConfig.exporterTest)))} - ${"$"+exporter}->shutdown(); + ${exporter}.start() + ${concatStringsSep "\n" (map (line: + if (builtins.substring 0 1 line == " " || builtins.substring 0 1 line == ")") + then line + else "${exporter}.${line}" + ) (splitString "\n" (removeSuffix "\n" testConfig.exporterTest)))} + ${exporter}.shutdown() ''; meta = with maintainers; { diff --git a/nixpkgs/nixos/tests/prometheus.nix b/nixpkgs/nixos/tests/prometheus.nix index 52f61046be39..8bfd0c131e61 100644 --- a/nixpkgs/nixos/tests/prometheus.nix +++ b/nixpkgs/nixos/tests/prometheus.nix @@ -31,7 +31,7 @@ let }; }; -in import ./make-test.nix { +in import ./make-test-python.nix { name = "prometheus"; nodes = { @@ -173,67 +173,73 @@ in import ./make-test.nix { testScript = { nodes, ... } : '' # Before starting the other machines we first make sure that our S3 service is online # and has a bucket added for thanos: - $s3->start; - $s3->waitForUnit("minio.service"); - $s3->waitForOpenPort(${toString minioPort}); - $s3->succeed( - "mc config host add minio " . - "http://localhost:${toString minioPort} ${s3.accessKey} ${s3.secretKey} S3v4"); - $s3->succeed("mc mb minio/thanos-bucket"); + s3.start() + s3.wait_for_unit("minio.service") + s3.wait_for_open_port(${toString minioPort}) + s3.succeed( + "mc config host add minio " + + "http://localhost:${toString minioPort} " + + "${s3.accessKey} ${s3.secretKey} S3v4", + "mc mb minio/thanos-bucket", + ) # Now that s3 has started we can start the other machines: - $prometheus->start; - $query->start; - $store->start; + for machine in prometheus, query, store: + machine.start() # Check if prometheus responds to requests: - $prometheus->waitForUnit("prometheus.service"); - $prometheus->waitForOpenPort(${toString queryPort}); - $prometheus->succeed("curl -s http://127.0.0.1:${toString queryPort}/metrics"); + prometheus.wait_for_unit("prometheus.service") + prometheus.wait_for_open_port(${toString queryPort}) + prometheus.succeed("curl -s http://127.0.0.1:${toString queryPort}/metrics") # Let's test if pushing a metric to the pushgateway succeeds: - $prometheus->waitForUnit("pushgateway.service"); - $prometheus->succeed( - "echo 'some_metric 3.14' | " . - "curl --data-binary \@- http://127.0.0.1:${toString pushgwPort}/metrics/job/some_job"); + prometheus.wait_for_unit("pushgateway.service") + prometheus.succeed( + "echo 'some_metric 3.14' | " + + "curl --data-binary \@- " + + "http://127.0.0.1:${toString pushgwPort}/metrics/job/some_job" + ) # Now check whether that metric gets ingested by prometheus. # Since we'll check for the metric several times on different machines # we abstract the test using the following function: # Function to check if the metric "some_metric" has been received and returns the correct value. - local *Machine::waitForMetric = sub { - my ($self) = @_; - $self->waitUntilSucceeds( - "curl -sf 'http://127.0.0.1:${toString queryPort}/api/v1/query?query=some_metric' " . - "| jq '.data.result[0].value[1]' | grep '\"3.14\"'"); - }; + def wait_for_metric(machine): + return machine.wait_until_succeeds( + "curl -sf 'http://127.0.0.1:${toString queryPort}/api/v1/query?query=some_metric' | " + + "jq '.data.result[0].value[1]' | grep '\"3.14\"'" + ) + - $prometheus->waitForMetric; + wait_for_metric(prometheus) # Let's test if the pushgateway persists metrics to the configured location. - $prometheus->waitUntilSucceeds("test -e /var/lib/prometheus-pushgateway/metrics"); + prometheus.wait_until_succeeds("test -e /var/lib/prometheus-pushgateway/metrics") # Test thanos - $prometheus->waitForUnit("thanos-sidecar.service"); + prometheus.wait_for_unit("thanos-sidecar.service") # Test if the Thanos query service can correctly retrieve the metric that was send above. - $query->waitForUnit("thanos-query.service"); - $query->waitForMetric; + query.wait_for_unit("thanos-query.service") + wait_for_metric(query) # Test if the Thanos sidecar has correctly uploaded its TSDB to S3, if the # Thanos storage service has correctly downloaded it from S3 and if the Thanos # query service running on $store can correctly retrieve the metric: - $store->waitForUnit("thanos-store.service"); - $store->waitForMetric; + store.wait_for_unit("thanos-store.service") + wait_for_metric(store) - $store->waitForUnit("thanos-compact.service"); + store.wait_for_unit("thanos-compact.service") # Test if the Thanos bucket command is able to retrieve blocks from the S3 bucket # and check if the blocks have the correct labels: - $store->succeed( - "thanos bucket ls" . - " --objstore.config-file=${nodes.store.config.services.thanos.store.objstore.config-file}" . - " --output=json | jq .thanos.labels.some_label | grep 'required by thanos'"); + store.succeed( + "thanos bucket ls " + + "--objstore.config-file=${nodes.store.config.services.thanos.store.objstore.config-file} " + + "--output=json | " + + "jq .thanos.labels.some_label | " + + "grep 'required by thanos'" + ) ''; } diff --git a/nixpkgs/nixos/tests/proxy.nix b/nixpkgs/nixos/tests/proxy.nix index 1f39e903cddb..3859d429c21b 100644 --- a/nixpkgs/nixos/tests/proxy.nix +++ b/nixpkgs/nixos/tests/proxy.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : +import ./make-test.nix ({ pkgs, ...} : let @@ -7,7 +7,7 @@ let { services.httpd.enable = true; services.httpd.adminAddr = "foo@example.org"; - services.httpd.documentRoot = "${pkgs.valgrind.doc}/share/doc/valgrind/html"; + services.httpd.virtualHosts.localhost.documentRoot = "${pkgs.valgrind.doc}/share/doc/valgrind/html"; networking.firewall.allowedTCPPorts = [ 80 ]; }; @@ -26,11 +26,11 @@ in { services.httpd.enable = true; services.httpd.adminAddr = "bar@example.org"; services.httpd.extraModules = [ "proxy_balancer" "lbmethod_byrequests" ]; - - services.httpd.extraConfig = - '' - ExtendedStatus on - + services.httpd.extraConfig = '' + ExtendedStatus on + ''; + services.httpd.virtualHosts.localhost = { + extraConfig = '' <Location /server-status> Require all granted SetHandler server-status @@ -50,6 +50,7 @@ in # For testing; don't want to wait forever for dead backend servers. ProxyTimeout 5 ''; + }; networking.firewall.allowedTCPPorts = [ 80 ]; }; diff --git a/nixpkgs/nixos/tests/quagga.nix b/nixpkgs/nixos/tests/quagga.nix index 6aee7ea57f03..04590aa0eb38 100644 --- a/nixpkgs/nixos/tests/quagga.nix +++ b/nixpkgs/nixos/tests/quagga.nix @@ -5,7 +5,7 @@ # # All interfaces are in OSPF Area 0. -import ./make-test.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, ... }: let ifAddr = node: iface: (pkgs.lib.head node.config.networking.interfaces.${iface}.ipv4.addresses).address; @@ -74,23 +74,23 @@ import ./make-test.nix ({ pkgs, ... }: testScript = { ... }: '' - startAll; + start_all() # Wait for the networking to start on all machines - $_->waitForUnit("network.target") foreach values %vms; + for machine in client, router1, router2, server: + machine.wait_for_unit("network.target") - # Wait for OSPF to form adjacencies - for my $gw ($router1, $router2) { - $gw->waitForUnit("ospfd"); - $gw->waitUntilSucceeds("vtysh -c 'show ip ospf neighbor' | grep Full"); - $gw->waitUntilSucceeds("vtysh -c 'show ip route' | grep '^O>'"); - } + with subtest("Wait for OSPF to form adjacencies"): + for gw in router1, router2: + gw.wait_for_unit("ospfd") + gw.wait_until_succeeds("vtysh -c 'show ip ospf neighbor' | grep Full") + gw.wait_until_succeeds("vtysh -c 'show ip route' | grep '^O>'") - # Test ICMP. - $client->succeed("ping -c 3 server >&2"); + with subtest("Test ICMP"): + client.wait_until_succeeds("ping -c 3 server >&2") - # Test whether HTTP works. - $server->waitForUnit("httpd"); - $client->succeed("curl --fail http://server/ >&2"); + with subtest("Test whether HTTP works"): + server.wait_for_unit("httpd") + client.succeed("curl --fail http://server/ >&2") ''; }) diff --git a/nixpkgs/nixos/tests/quake3.nix b/nixpkgs/nixos/tests/quake3.nix deleted file mode 100644 index 4253ce4a8672..000000000000 --- a/nixpkgs/nixos/tests/quake3.nix +++ /dev/null @@ -1,95 +0,0 @@ -import ./make-test.nix ({ pkgs, ...} : - -let - - # Build Quake with coverage instrumentation. - overrides = pkgs: - { - quake3game = pkgs.quake3game.override (args: { - stdenv = pkgs.stdenvAdapters.addCoverageInstrumentation args.stdenv; - }); - }; - - # Only allow the demo data to be used (only if it's unfreeRedistributable). - unfreePredicate = pkg: with pkgs.lib; let - allowPackageNames = [ "quake3-demodata" "quake3-pointrelease" ]; - allowLicenses = [ pkgs.lib.licenses.unfreeRedistributable ]; - in elem pkg.pname allowPackageNames && - elem (pkg.meta.license or null) allowLicenses; - -in - -rec { - name = "quake3"; - meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ domenkozar eelco ]; - }; - - # TODO: lcov doesn't work atm - #makeCoverageReport = true; - - client = - { pkgs, ... }: - - { imports = [ ./common/x11.nix ]; - hardware.opengl.driSupport = true; - environment.systemPackages = [ pkgs.quake3demo ]; - nixpkgs.config.packageOverrides = overrides; - nixpkgs.config.allowUnfreePredicate = unfreePredicate; - }; - - nodes = - { server = - { pkgs, ... }: - - { systemd.services.quake3-server = - { wantedBy = [ "multi-user.target" ]; - script = - "${pkgs.quake3demo}/bin/quake3-server +set g_gametype 0 " + - "+map q3dm7 +addbot grunt +addbot daemia 2> /tmp/log"; - }; - nixpkgs.config.packageOverrides = overrides; - nixpkgs.config.allowUnfreePredicate = unfreePredicate; - networking.firewall.allowedUDPPorts = [ 27960 ]; - }; - - client1 = client; - client2 = client; - }; - - testScript = - '' - startAll; - - $server->waitForUnit("quake3-server"); - $client1->waitForX; - $client2->waitForX; - - $client1->execute("quake3 +set r_fullscreen 0 +set name Foo +connect server &"); - $client2->execute("quake3 +set r_fullscreen 0 +set name Bar +connect server &"); - - $server->waitUntilSucceeds("grep -q 'Foo.*entered the game' /tmp/log"); - $server->waitUntilSucceeds("grep -q 'Bar.*entered the game' /tmp/log"); - - $server->sleep(10); # wait for a while to get a nice screenshot - - $client1->block(); - - $server->sleep(20); - - $client1->screenshot("screen1"); - $client2->screenshot("screen2"); - - $client1->unblock(); - - $server->sleep(10); - - $client1->screenshot("screen3"); - $client2->screenshot("screen4"); - - $client1->shutdown(); - $client2->shutdown(); - $server->stopJob("quake3-server"); - ''; - -}) diff --git a/nixpkgs/nixos/tests/rabbitmq.nix b/nixpkgs/nixos/tests/rabbitmq.nix index bb5932c36417..8e7f34d06e32 100644 --- a/nixpkgs/nixos/tests/rabbitmq.nix +++ b/nixpkgs/nixos/tests/rabbitmq.nix @@ -1,21 +1,21 @@ # This test runs rabbitmq and checks if rabbitmq is up and running. -import ./make-test.nix ({ pkgs, ... }: { +import ./make-test-python.nix ({ pkgs, ... }: { name = "rabbitmq"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ eelco offline ]; }; - nodes = { - one = { ... }: { - services.rabbitmq.enable = true; - }; + machine = { + services.rabbitmq.enable = true; }; testScript = '' - startAll; + machine.start() - $one->waitForUnit("rabbitmq.service"); - $one->waitUntilSucceeds("su -s ${pkgs.stdenv.shell} rabbitmq -c \"rabbitmqctl status\""); + machine.wait_for_unit("rabbitmq.service") + machine.wait_until_succeeds( + 'su -s ${pkgs.stdenv.shell} rabbitmq -c "rabbitmqctl status"' + ) ''; }) diff --git a/nixpkgs/nixos/tests/radarr.nix b/nixpkgs/nixos/tests/radarr.nix index 9bc5607ccd5a..ed90025ac420 100644 --- a/nixpkgs/nixos/tests/radarr.nix +++ b/nixpkgs/nixos/tests/radarr.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ lib, ... }: +import ./make-test-python.nix ({ lib, ... }: with lib; @@ -11,8 +11,8 @@ with lib; { services.radarr.enable = true; }; testScript = '' - $machine->waitForUnit('radarr.service'); - $machine->waitForOpenPort('7878'); - $machine->succeed("curl --fail http://localhost:7878/"); + machine.wait_for_unit("radarr.service") + machine.wait_for_open_port("7878") + machine.succeed("curl --fail http://localhost:7878/") ''; }) diff --git a/nixpkgs/nixos/tests/radicale.nix b/nixpkgs/nixos/tests/radicale.nix index 607964255640..c81e78a8f994 100644 --- a/nixpkgs/nixos/tests/radicale.nix +++ b/nixpkgs/nixos/tests/radicale.nix @@ -28,7 +28,7 @@ let in - import ./make-test.nix ({ lib, ... }@args: { + import ./make-test-python.nix ({ lib, ... }@args: { name = "radicale"; meta.maintainers = with lib.maintainers; [ aneeshusa infinisil ]; @@ -64,43 +64,59 @@ in newSystem = nodes.${nodeName}.config.system.build.toplevel; in "${newSystem}/bin/switch-to-configuration test"; in '' - # Check Radicale 1 functionality - $radicale->succeed('${switchToConfig "radicale1"} >&2'); - $radicale->waitForUnit('radicale.service'); - $radicale->waitForOpenPort(${port}); - $radicale->succeed('curl --fail http://${user}:${password}@localhost:${port}/someuser/calendar.ics/'); + with subtest("Check Radicale 1 functionality"): + radicale.succeed( + "${switchToConfig "radicale1"} >&2" + ) + radicale.wait_for_unit("radicale.service") + radicale.wait_for_open_port(${port}) + radicale.succeed( + "curl --fail http://${user}:${password}@localhost:${port}/someuser/calendar.ics/" + ) - # Export data in Radicale 2 format - $radicale->succeed('systemctl stop radicale'); - $radicale->succeed('ls -al /tmp/collections'); - $radicale->fail('ls -al /tmp/collections-new'); - # Radicale exits immediately after exporting storage - $radicale->succeed('${switchToConfig "radicale1_export"} >&2'); - $radicale->waitUntilFails('systemctl status radicale'); - $radicale->succeed('ls -al /tmp/collections'); - $radicale->succeed('ls -al /tmp/collections-new'); + with subtest("Export data in Radicale 2 format"): + radicale.succeed("systemctl stop radicale") + radicale.succeed("ls -al /tmp/collections") + radicale.fail("ls -al /tmp/collections-new") - # Verify data in Radicale 2 format - $radicale->succeed('rm -r /tmp/collections/${user}'); - $radicale->succeed('mv /tmp/collections-new/collection-root /tmp/collections'); - $radicale->succeed('${switchToConfig "radicale2_verify"} >&2'); - $radicale->waitUntilFails('systemctl status radicale'); - my ($retcode, $logs) = $radicale->execute('journalctl -u radicale -n 10'); - if ($retcode != 0 || index($logs, 'Verifying storage') == -1) { - die "Radicale 2 didn't verify storage" - } - if (index($logs, 'failed') != -1 || index($logs, 'exception') != -1) { - die "storage verification failed" - } + with subtest("Radicale exits immediately after exporting storage"): + radicale.succeed( + "${switchToConfig "radicale1_export"} >&2" + ) + radicale.wait_until_fails("systemctl status radicale") + radicale.succeed("ls -al /tmp/collections") + radicale.succeed("ls -al /tmp/collections-new") - # Check Radicale 2 functionality - $radicale->succeed('${switchToConfig "radicale2"} >&2'); - $radicale->waitForUnit('radicale.service'); - $radicale->waitForOpenPort(${port}); - my ($retcode, $output) = $radicale->execute('curl --fail http://${user}:${password}@localhost:${port}/someuser/calendar.ics/'); - if ($retcode != 0 || index($output, 'VCALENDAR') == -1) { - die "Could not read calendar from Radicale 2" - } - $radicale->succeed('curl --fail http://${user}:${password}@localhost:${port}/.web/'); + with subtest("Verify data in Radicale 2 format"): + radicale.succeed("rm -r /tmp/collections/${user}") + radicale.succeed("mv /tmp/collections-new/collection-root /tmp/collections") + radicale.succeed( + "${switchToConfig "radicale2_verify"} >&2" + ) + radicale.wait_until_fails("systemctl status radicale") + + (retcode, logs) = radicale.execute("journalctl -u radicale -n 10") + assert ( + retcode == 0 and "Verifying storage" in logs + ), "Radicale 2 didn't verify storage" + assert ( + "failed" not in logs and "exception" not in logs + ), "storage verification failed" + + with subtest("Check Radicale 2 functionality"): + radicale.succeed( + "${switchToConfig "radicale2"} >&2" + ) + radicale.wait_for_unit("radicale.service") + radicale.wait_for_open_port(${port}) + + (retcode, output) = radicale.execute( + "curl --fail http://${user}:${password}@localhost:${port}/someuser/calendar.ics/" + ) + assert ( + retcode == 0 and "VCALENDAR" in output + ), "Could not read calendar from Radicale 2" + + radicale.succeed("curl --fail http://${user}:${password}@localhost:${port}/.web/") ''; }) diff --git a/nixpkgs/nixos/tests/redis.nix b/nixpkgs/nixos/tests/redis.nix index 325d93424dd7..529965d7acde 100644 --- a/nixpkgs/nixos/tests/redis.nix +++ b/nixpkgs/nixos/tests/redis.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "redis"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ flokli ]; @@ -15,12 +15,10 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; - - $machine->waitForUnit("redis"); - $machine->waitForOpenPort("6379"); - - $machine->succeed("redis-cli ping | grep PONG"); - $machine->succeed("redis-cli -s /run/redis/redis.sock ping | grep PONG"); + start_all() + machine.wait_for_unit("redis") + machine.wait_for_open_port("6379") + machine.succeed("redis-cli ping | grep PONG") + machine.succeed("redis-cli -s /run/redis/redis.sock ping | grep PONG") ''; }) diff --git a/nixpkgs/nixos/tests/redmine.nix b/nixpkgs/nixos/tests/redmine.nix index 2d4df288b055..f0f4cbf6a21c 100644 --- a/nixpkgs/nixos/tests/redmine.nix +++ b/nixpkgs/nixos/tests/redmine.nix @@ -64,18 +64,13 @@ let }; in { - v3-mysql = mysqlTest pkgs.redmine // { - name = "v3-mysql"; + mysql = mysqlTest pkgs.redmine // { + name = "mysql"; meta.maintainers = [ maintainers.aanderse ]; }; - v4-mysql = mysqlTest pkgs.redmine_4 // { - name = "v4-mysql"; - meta.maintainers = [ maintainers.aanderse ]; - }; - - v4-pgsql = pgsqlTest pkgs.redmine_4 // { - name = "v4-pgsql"; + pgsql = pgsqlTest pkgs.redmine // { + name = "pgsql"; meta.maintainers = [ maintainers.aanderse ]; }; } diff --git a/nixpkgs/nixos/tests/resolv.nix b/nixpkgs/nixos/tests/resolv.nix new file mode 100644 index 000000000000..b506f87451ee --- /dev/null +++ b/nixpkgs/nixos/tests/resolv.nix @@ -0,0 +1,46 @@ +# Test whether DNS resolving returns multiple records and all address families. +import ./make-test-python.nix ({ pkgs, ... } : { + name = "resolv"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ ckauhaus ]; + }; + + nodes.resolv = { ... }: { + networking.extraHosts = '' + # IPv4 only + 192.0.2.1 host-ipv4.example.net + 192.0.2.2 host-ipv4.example.net + # IP6 only + 2001:db8::2:1 host-ipv6.example.net + 2001:db8::2:2 host-ipv6.example.net + # dual stack + 192.0.2.1 host-dual.example.net + 192.0.2.2 host-dual.example.net + 2001:db8::2:1 host-dual.example.net + 2001:db8::2:2 host-dual.example.net + ''; + }; + + testScript = '' + def addrs_in(hostname, addrs): + res = resolv.succeed("getent ahosts {}".format(hostname)) + for addr in addrs: + assert addr in res, "Expected output '{}' not found in\n{}".format(addr, res) + + + start_all() + resolv.wait_for_unit("nscd") + + ipv4 = ["192.0.2.1", "192.0.2.2"] + ipv6 = ["2001:db8::2:1", "2001:db8::2:2"] + + with subtest("IPv4 resolves"): + addrs_in("host-ipv4.example.net", ipv4) + + with subtest("IPv6 resolves"): + addrs_in("host-ipv6.example.net", ipv6) + + with subtest("Dual stack resolves"): + addrs_in("host-dual.example.net", ipv4 + ipv6) + ''; +}) diff --git a/nixpkgs/nixos/tests/roundcube.nix b/nixpkgs/nixos/tests/roundcube.nix index ed0ebd7dd19d..1897b53e283a 100644 --- a/nixpkgs/nixos/tests/roundcube.nix +++ b/nixpkgs/nixos/tests/roundcube.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "roundcube"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ globin ]; @@ -9,7 +9,7 @@ import ./make-test.nix ({ pkgs, ...} : { services.roundcube = { enable = true; hostName = "roundcube"; - database.password = "notproduction"; + database.password = "not production"; package = pkgs.roundcube.withPlugins (plugins: [ plugins.persistent_login ]); plugins = [ "persistent_login" ]; }; @@ -21,10 +21,10 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - $roundcube->start; - $roundcube->waitForUnit("postgresql.service"); - $roundcube->waitForUnit("phpfpm-roundcube.service"); - $roundcube->waitForUnit("nginx.service"); - $roundcube->succeed("curl -sSfL http://roundcube/ | grep 'Keep me logged in'"); + roundcube.start + roundcube.wait_for_unit("postgresql.service") + roundcube.wait_for_unit("phpfpm-roundcube.service") + roundcube.wait_for_unit("nginx.service") + roundcube.succeed("curl -sSfL http://roundcube/ | grep 'Keep me logged in'") ''; }) diff --git a/nixpkgs/nixos/tests/rspamd.nix b/nixpkgs/nixos/tests/rspamd.nix index 0cc94728f80a..bf3f0de62044 100644 --- a/nixpkgs/nixos/tests/rspamd.nix +++ b/nixpkgs/nixos/tests/rspamd.nix @@ -3,20 +3,20 @@ pkgs ? import ../.. { inherit system config; } }: -with import ../lib/testing.nix { inherit system pkgs; }; +with import ../lib/testing-python.nix { inherit system pkgs; }; with pkgs.lib; let initMachine = '' - startAll - $machine->waitForUnit("rspamd.service"); - $machine->succeed("id \"rspamd\" >/dev/null"); + start_all() + machine.wait_for_unit("rspamd.service") + machine.succeed("id rspamd >/dev/null") ''; checkSocket = socket: user: group: mode: '' - $machine->succeed("ls ${socket} >/dev/null"); - $machine->succeed("[[ \"\$(stat -c %U ${socket})\" == \"${user}\" ]]"); - $machine->succeed("[[ \"\$(stat -c %G ${socket})\" == \"${group}\" ]]"); - $machine->succeed("[[ \"\$(stat -c %a ${socket})\" == \"${mode}\" ]]"); + machine.succeed("ls ${socket} >/dev/null") + machine.succeed('[[ "$(stat -c %U ${socket})" == "${user}" ]]') + machine.succeed('[[ "$(stat -c %G ${socket})" == "${group}" ]]') + machine.succeed('[[ "$(stat -c %a ${socket})" == "${mode}" ]]') ''; simple = name: enableIPv6: makeTest { name = "rspamd-${name}"; @@ -25,22 +25,23 @@ let networking.enableIPv6 = enableIPv6; }; testScript = '' - startAll - $machine->waitForUnit("multi-user.target"); - $machine->waitForOpenPort(11334); - $machine->waitForUnit("rspamd.service"); - $machine->succeed("id \"rspamd\" >/dev/null"); + start_all() + machine.wait_for_unit("multi-user.target") + machine.wait_for_open_port(11334) + machine.wait_for_unit("rspamd.service") + machine.succeed("id rspamd >/dev/null") ${checkSocket "/run/rspamd/rspamd.sock" "rspamd" "rspamd" "660" } - sleep 10; - $machine->log($machine->succeed("cat /etc/rspamd/rspamd.conf")); - $machine->log($machine->succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf")); - $machine->log($machine->succeed("grep 'CONFDIR/worker-normal.inc' /etc/rspamd/rspamd.conf")); - $machine->log($machine->succeed("systemctl cat rspamd.service")); - $machine->log($machine->succeed("curl http://localhost:11334/auth")); - $machine->log($machine->succeed("curl http://127.0.0.1:11334/auth")); - ${optionalString enableIPv6 '' - $machine->log($machine->succeed("curl http://[::1]:11334/auth")); - ''} + machine.sleep(10) + machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf")) + machine.log( + machine.succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf") + ) + machine.log(machine.succeed("grep 'CONFDIR/worker-normal.inc' /etc/rspamd/rspamd.conf")) + machine.log(machine.succeed("systemctl cat rspamd.service")) + machine.log(machine.succeed("curl http://localhost:11334/auth")) + machine.log(machine.succeed("curl http://127.0.0.1:11334/auth")) + ${optionalString enableIPv6 ''machine.log(machine.succeed("curl http://[::1]:11334/auth"))''} + # would not reformat ''; }; in @@ -69,14 +70,18 @@ in testScript = '' ${initMachine} - $machine->waitForFile("/run/rspamd.sock"); + machine.wait_for_file("/run/rspamd.sock") ${checkSocket "/run/rspamd.sock" "root" "root" "600" } ${checkSocket "/run/rspamd-worker.sock" "root" "root" "666" } - $machine->log($machine->succeed("cat /etc/rspamd/rspamd.conf")); - $machine->log($machine->succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf")); - $machine->log($machine->succeed("grep 'CONFDIR/worker-normal.inc' /etc/rspamd/rspamd.conf")); - $machine->log($machine->succeed("rspamc -h /run/rspamd-worker.sock stat")); - $machine->log($machine->succeed("curl --unix-socket /run/rspamd-worker.sock http://localhost/ping")); + machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf")) + machine.log( + machine.succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf") + ) + machine.log(machine.succeed("grep 'CONFDIR/worker-normal.inc' /etc/rspamd/rspamd.conf")) + machine.log(machine.succeed("rspamc -h /run/rspamd-worker.sock stat")) + machine.log( + machine.succeed("curl --unix-socket /run/rspamd-worker.sock http://localhost/ping") + ) ''; }; @@ -111,18 +116,32 @@ in testScript = '' ${initMachine} - $machine->waitForFile("/run/rspamd.sock"); + machine.wait_for_file("/run/rspamd.sock") ${checkSocket "/run/rspamd.sock" "root" "root" "600" } ${checkSocket "/run/rspamd-worker.sock" "root" "root" "666" } - $machine->log($machine->succeed("cat /etc/rspamd/rspamd.conf")); - $machine->log($machine->succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf")); - $machine->log($machine->succeed("grep 'CONFDIR/worker-normal.inc' /etc/rspamd/rspamd.conf")); - $machine->log($machine->succeed("grep 'LOCAL_CONFDIR/override.d/worker-controller2.inc' /etc/rspamd/rspamd.conf")); - $machine->log($machine->succeed("grep 'verysecretpassword' /etc/rspamd/override.d/worker-controller2.inc")); - $machine->waitUntilSucceeds("journalctl -u rspamd | grep -i 'starting controller process' >&2"); - $machine->log($machine->succeed("rspamc -h /run/rspamd-worker.sock stat")); - $machine->log($machine->succeed("curl --unix-socket /run/rspamd-worker.sock http://localhost/ping")); - $machine->log($machine->succeed("curl http://localhost:11335/ping")); + machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf")) + machine.log( + machine.succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf") + ) + machine.log(machine.succeed("grep 'CONFDIR/worker-normal.inc' /etc/rspamd/rspamd.conf")) + machine.log( + machine.succeed( + "grep 'LOCAL_CONFDIR/override.d/worker-controller2.inc' /etc/rspamd/rspamd.conf" + ) + ) + machine.log( + machine.succeed( + "grep 'verysecretpassword' /etc/rspamd/override.d/worker-controller2.inc" + ) + ) + machine.wait_until_succeeds( + "journalctl -u rspamd | grep -i 'starting controller process' >&2" + ) + machine.log(machine.succeed("rspamc -h /run/rspamd-worker.sock stat")) + machine.log( + machine.succeed("curl --unix-socket /run/rspamd-worker.sock http://localhost/ping") + ) + machine.log(machine.succeed("curl http://localhost:11335/ping")) ''; }; customLuaRules = makeTest { @@ -199,22 +218,34 @@ in }; testScript = '' ${initMachine} - $machine->waitForOpenPort(11334); - $machine->log($machine->succeed("cat /etc/rspamd/rspamd.conf")); - $machine->log($machine->succeed("cat /etc/rspamd/rspamd.local.lua")); - $machine->log($machine->succeed("cat /etc/rspamd/local.d/groups.conf")); + machine.wait_for_open_port(11334) + machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf")) + machine.log(machine.succeed("cat /etc/rspamd/rspamd.local.lua")) + machine.log(machine.succeed("cat /etc/rspamd/local.d/groups.conf")) # Verify that redis.conf was not written - $machine->fail("cat /etc/rspamd/local.d/redis.conf >&2"); + machine.fail("cat /etc/rspamd/local.d/redis.conf >&2") # Verify that antivirus.conf was not written - $machine->fail("cat /etc/rspamd/local.d/antivirus.conf >&2"); + machine.fail("cat /etc/rspamd/local.d/antivirus.conf >&2") ${checkSocket "/run/rspamd/rspamd.sock" "rspamd" "rspamd" "660" } - $machine->log($machine->succeed("curl --unix-socket /run/rspamd/rspamd.sock http://localhost/ping")); - $machine->log($machine->succeed("rspamc -h 127.0.0.1:11334 stat")); - $machine->log($machine->succeed("cat /etc/tests/no-muh.eml | rspamc -h 127.0.0.1:11334")); - $machine->log($machine->succeed("cat /etc/tests/muh.eml | rspamc -h 127.0.0.1:11334 symbols")); - $machine->waitUntilSucceeds("journalctl -u rspamd | grep -i muh >&2"); - $machine->log($machine->fail("cat /etc/tests/no-muh.eml | rspamc -h 127.0.0.1:11334 symbols | grep NO_MUH")); - $machine->log($machine->succeed("cat /etc/tests/muh.eml | rspamc -h 127.0.0.1:11334 symbols | grep NO_MUH")); + machine.log( + machine.succeed("curl --unix-socket /run/rspamd/rspamd.sock http://localhost/ping") + ) + machine.log(machine.succeed("rspamc -h 127.0.0.1:11334 stat")) + machine.log(machine.succeed("cat /etc/tests/no-muh.eml | rspamc -h 127.0.0.1:11334")) + machine.log( + machine.succeed("cat /etc/tests/muh.eml | rspamc -h 127.0.0.1:11334 symbols") + ) + machine.wait_until_succeeds("journalctl -u rspamd | grep -i muh >&2") + machine.log( + machine.fail( + "cat /etc/tests/no-muh.eml | rspamc -h 127.0.0.1:11334 symbols | grep NO_MUH" + ) + ) + machine.log( + machine.succeed( + "cat /etc/tests/muh.eml | rspamc -h 127.0.0.1:11334 symbols | grep NO_MUH" + ) + ) ''; }; postfixIntegration = makeTest { @@ -250,16 +281,24 @@ in }; testScript = '' ${initMachine} - $machine->waitForOpenPort(11334); - $machine->waitForOpenPort(25); + machine.wait_for_open_port(11334) + machine.wait_for_open_port(25) ${checkSocket "/run/rspamd/rspamd-milter.sock" "rspamd" "postfix" "660" } - $machine->log($machine->succeed("rspamc -h 127.0.0.1:11334 stat")); - $machine->log($machine->succeed("msmtp --host=localhost -t --read-envelope-from < /etc/tests/example.eml")); - $machine->log($machine->fail("msmtp --host=localhost -t --read-envelope-from < /etc/tests/gtube.eml")); + machine.log(machine.succeed("rspamc -h 127.0.0.1:11334 stat")) + machine.log( + machine.succeed( + "msmtp --host=localhost -t --read-envelope-from < /etc/tests/example.eml" + ) + ) + machine.log( + machine.fail( + "msmtp --host=localhost -t --read-envelope-from < /etc/tests/gtube.eml" + ) + ) - $machine->waitUntilFails('[ "$(postqueue -p)" != "Mail queue is empty" ]'); - $machine->fail("journalctl -u postfix | grep -i error >&2"); - $machine->fail("journalctl -u postfix | grep -i warning >&2"); + machine.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]') + machine.fail("journalctl -u postfix | grep -i error >&2") + machine.fail("journalctl -u postfix | grep -i warning >&2") ''; }; } diff --git a/nixpkgs/nixos/tests/rss2email.nix b/nixpkgs/nixos/tests/rss2email.nix index 492d47da9f56..d62207a417b8 100644 --- a/nixpkgs/nixos/tests/rss2email.nix +++ b/nixpkgs/nixos/tests/rss2email.nix @@ -1,4 +1,4 @@ -import ./make-test.nix { +import ./make-test-python.nix { name = "opensmtpd"; nodes = { @@ -53,14 +53,14 @@ import ./make-test.nix { }; testScript = '' - startAll; + start_all() - $server->waitForUnit("network-online.target"); - $server->waitForUnit("opensmtpd"); - $server->waitForUnit("dovecot2"); - $server->waitForUnit("nginx"); - $server->waitForUnit("rss2email"); + server.wait_for_unit("network-online.target") + server.wait_for_unit("opensmtpd") + server.wait_for_unit("dovecot2") + server.wait_for_unit("nginx") + server.wait_for_unit("rss2email") - $server->waitUntilSucceeds('check-mail-landed >&2'); + server.wait_until_succeeds("check-mail-landed >&2") ''; } diff --git a/nixpkgs/nixos/tests/rxe.nix b/nixpkgs/nixos/tests/rxe.nix index d0b53db8eeb6..194a2e3d2b94 100644 --- a/nixpkgs/nixos/tests/rxe.nix +++ b/nixpkgs/nixos/tests/rxe.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ ... } : +import ./make-test-python.nix ({ ... } : let node = { pkgs, ... } : { @@ -26,27 +26,21 @@ in { testScript = '' # Test if rxe interface comes up - $server->waitForUnit("default.target"); - $server->succeed("systemctl status rxe.service"); - $server->succeed("ibv_devices | grep rxe0"); + server.wait_for_unit("default.target") + server.succeed("systemctl status rxe.service") + server.succeed("ibv_devices | grep rxe0") - $client->waitForUnit("default.target"); + client.wait_for_unit("default.target") - # ping pong test - $server->succeed("screen -dmS rc_pingpong ibv_rc_pingpong -p 4800 -g0"); - $client->succeed("sleep 2; ibv_rc_pingpong -p 4800 -g0 server"); + # ping pong tests + for proto in "rc", "uc", "ud", "srq": + server.succeed( + "screen -dmS {0}_pingpong ibv_{0}_pingpong -p 4800 -s 1024 -g0".format(proto) + ) + client.succeed("sleep 2; ibv_{}_pingpong -p 4800 -s 1024 -g0 server".format(proto)) - $server->succeed("screen -dmS uc_pingpong ibv_uc_pingpong -p 4800 -g0"); - $client->succeed("sleep 2; ibv_uc_pingpong -p 4800 -g0 server"); - - $server->succeed("screen -dmS ud_pingpong ibv_ud_pingpong -p 4800 -s 1024 -g0"); - $client->succeed("sleep 2; ibv_ud_pingpong -p 4800 -s 1024 -g0 server"); - - $server->succeed("screen -dmS srq_pingpong ibv_srq_pingpong -p 4800 -g0"); - $client->succeed("sleep 2; ibv_srq_pingpong -p 4800 -g0 server"); - - $server->succeed("screen -dmS rping rping -s -a server -C 10"); - $client->succeed("sleep 2; rping -c -a server -C 10"); + server.succeed("screen -dmS rping rping -s -a server -C 10") + client.succeed("sleep 2; rping -c -a server -C 10") ''; }) diff --git a/nixpkgs/nixos/tests/samba.nix b/nixpkgs/nixos/tests/samba.nix index 2802e00a5b1a..142269752b34 100644 --- a/nixpkgs/nixos/tests/samba.nix +++ b/nixpkgs/nixos/tests/samba.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, ... }: { name = "samba"; @@ -36,12 +36,12 @@ import ./make-test.nix ({ pkgs, ... }: testScript = '' - $server->start; - $server->waitForUnit("samba.target"); - $server->succeed("mkdir -p /public; echo bar > /public/foo"); + server.start() + server.wait_for_unit("samba.target") + server.succeed("mkdir -p /public; echo bar > /public/foo") - $client->start; - $client->waitForUnit("remote-fs.target"); - $client->succeed("[[ \$(cat /public/foo) = bar ]]"); + client.start() + client.wait_for_unit("remote-fs.target") + client.succeed("[[ $(cat /public/foo) = bar ]]") ''; }) diff --git a/nixpkgs/nixos/tests/sddm.nix b/nixpkgs/nixos/tests/sddm.nix index 678bcbeab20a..a145705250f7 100644 --- a/nixpkgs/nixos/tests/sddm.nix +++ b/nixpkgs/nixos/tests/sddm.nix @@ -3,7 +3,7 @@ pkgs ? import ../.. { inherit system config; } }: -with import ../lib/testing.nix { inherit system pkgs; }; +with import ../lib/testing-python.nix { inherit system pkgs; }; let inherit (pkgs) lib; @@ -16,9 +16,8 @@ let imports = [ ./common/user-account.nix ]; services.xserver.enable = true; services.xserver.displayManager.sddm.enable = true; - services.xserver.windowManager.default = "icewm"; + services.xserver.displayManager.defaultSession = "none+icewm"; services.xserver.windowManager.icewm.enable = true; - services.xserver.desktopManager.default = "none"; }; enableOCR = true; @@ -26,13 +25,13 @@ let testScript = { nodes, ... }: let user = nodes.machine.config.users.users.alice; in '' - startAll; - $machine->waitForText(qr/select your user/i); - $machine->screenshot("sddm"); - $machine->sendChars("${user.password}\n"); - $machine->waitForFile("/home/alice/.Xauthority"); - $machine->succeed("xauth merge ~alice/.Xauthority"); - $machine->waitForWindow("^IceWM "); + start_all() + machine.wait_for_text("(?i)select your user") + machine.screenshot("sddm") + machine.send_chars("${user.password}\n") + machine.wait_for_file("${user.home}/.Xauthority") + machine.succeed("xauth merge ${user.home}/.Xauthority") + machine.wait_for_window("^IceWM ") ''; }; @@ -52,16 +51,17 @@ let user = "alice"; }; }; - services.xserver.windowManager.default = "icewm"; + services.xserver.displayManager.defaultSession = "none+icewm"; services.xserver.windowManager.icewm.enable = true; - services.xserver.desktopManager.default = "none"; }; - testScript = { ... }: '' - startAll; - $machine->waitForFile("/home/alice/.Xauthority"); - $machine->succeed("xauth merge ~alice/.Xauthority"); - $machine->waitForWindow("^IceWM "); + testScript = { nodes, ... }: let + user = nodes.machine.config.users.users.alice; + in '' + start_all() + machine.wait_for_file("${user.home}/.Xauthority") + machine.succeed("xauth merge ${user.home}/.Xauthority") + machine.wait_for_window("^IceWM ") ''; }; }; diff --git a/nixpkgs/nixos/tests/shiori.nix b/nixpkgs/nixos/tests/shiori.nix new file mode 100644 index 000000000000..a5771262c6f2 --- /dev/null +++ b/nixpkgs/nixos/tests/shiori.nix @@ -0,0 +1,81 @@ +import ./make-test-python.nix ({ pkgs, lib, ...}: + +{ + name = "shiori"; + meta.maintainers = with lib.maintainers; [ minijackson ]; + + machine = + { ... }: + { services.shiori.enable = true; }; + + testScript = let + authJSON = pkgs.writeText "auth.json" (builtins.toJSON { + username = "shiori"; + password = "gopher"; + remember = 1; # hour + owner = true; + }); + + insertBookmark = { + url = "http://example.org"; + title = "Example Bookmark"; + }; + + insertBookmarkJSON = pkgs.writeText "insertBookmark.json" (builtins.toJSON insertBookmark); + in '' + import json + + machine.wait_for_unit("shiori.service") + machine.wait_for_open_port(8080) + machine.succeed("curl --fail http://localhost:8080/") + machine.succeed("curl --fail --location http://localhost:8080/ | grep -qi shiori") + + with subtest("login"): + auth_json = machine.succeed( + "curl --fail --location http://localhost:8080/api/login " + "-X POST -H 'Content-Type:application/json' -d @${authJSON}" + ) + auth_ret = json.loads(auth_json) + session_id = auth_ret["session"] + + with subtest("bookmarks"): + with subtest("first use no bookmarks"): + bookmarks_json = machine.succeed( + ( + "curl --fail --location http://localhost:8080/api/bookmarks " + "-H 'X-Session-Id:{}'" + ).format(session_id) + ) + + if json.loads(bookmarks_json)["bookmarks"] != []: + raise Exception("Shiori have a bookmark on first use") + + with subtest("insert bookmark"): + machine.succeed( + ( + "curl --fail --location http://localhost:8080/api/bookmarks " + "-X POST -H 'X-Session-Id:{}' " + "-H 'Content-Type:application/json' -d @${insertBookmarkJSON}" + ).format(session_id) + ) + + with subtest("get inserted bookmark"): + bookmarks_json = machine.succeed( + ( + "curl --fail --location http://localhost:8080/api/bookmarks " + "-H 'X-Session-Id:{}'" + ).format(session_id) + ) + + bookmarks = json.loads(bookmarks_json)["bookmarks"] + if len(bookmarks) != 1: + raise Exception("Shiori didn't save the bookmark") + + bookmark = bookmarks[0] + if ( + bookmark["url"] != "${insertBookmark.url}" + or bookmark["title"] != "${insertBookmark.title}" + ): + raise Exception("Inserted bookmark doesn't have same URL or title") + ''; +}) diff --git a/nixpkgs/nixos/tests/signal-desktop.nix b/nixpkgs/nixos/tests/signal-desktop.nix index 605b9c3e1301..c746d46dc550 100644 --- a/nixpkgs/nixos/tests/signal-desktop.nix +++ b/nixpkgs/nixos/tests/signal-desktop.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : +import ./make-test-python.nix ({ pkgs, ...} : { name = "signal-desktop"; @@ -24,14 +24,14 @@ import ./make-test.nix ({ pkgs, ...} : testScript = { nodes, ... }: let user = nodes.machine.config.users.users.alice; in '' - startAll; - $machine->waitForX; + start_all() + machine.wait_for_x() # start signal desktop - $machine->execute("su - alice -c signal-desktop &"); + machine.execute("su - alice -c signal-desktop &") # wait for the "Link your phone to Signal Desktop" message - $machine->waitForText(qr/Link your phone to Signal Desktop/); - $machine->screenshot("signal_desktop"); + machine.wait_for_text("Link your phone to Signal Desktop") + machine.screenshot("signal_desktop") ''; }) diff --git a/nixpkgs/nixos/tests/simple.nix b/nixpkgs/nixos/tests/simple.nix index 84c5621d962f..3810a2cd3a58 100644 --- a/nixpkgs/nixos/tests/simple.nix +++ b/nixpkgs/nixos/tests/simple.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "simple"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ eelco ]; @@ -10,8 +10,8 @@ import ./make-test.nix ({ pkgs, ...} : { testScript = '' - startAll; - $machine->waitForUnit("multi-user.target"); - $machine->shutdown; + start_all() + machine.wait_for_unit("multi-user.target") + machine.shutdown() ''; }) diff --git a/nixpkgs/nixos/tests/slim.nix b/nixpkgs/nixos/tests/slim.nix deleted file mode 100644 index 42c87dfa039d..000000000000 --- a/nixpkgs/nixos/tests/slim.nix +++ /dev/null @@ -1,66 +0,0 @@ -import ./make-test.nix ({ pkgs, ...} : { - name = "slim"; - - meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ aszlig ]; - }; - - machine = { pkgs, ... }: { - imports = [ ./common/user-account.nix ]; - services.xserver.enable = true; - services.xserver.windowManager.default = "icewm"; - services.xserver.windowManager.icewm.enable = true; - services.xserver.desktopManager.default = "none"; - services.xserver.displayManager.slim = { - enable = true; - - # Use a custom theme in order to get best OCR results - theme = pkgs.runCommand "slim-theme-ocr" { - nativeBuildInputs = [ pkgs.imagemagick ]; - } '' - mkdir "$out" - convert -size 1x1 xc:white "$out/background.jpg" - convert -size 200x100 xc:white "$out/panel.jpg" - cat > "$out/slim.theme" <<EOF - background_color #ffffff - background_style tile - - input_fgcolor #000000 - msg_color #000000 - - session_color #000000 - session_font Verdana:size=16:bold - - username_msg Username: - username_font Verdana:size=16:bold - username_color #000000 - username_x 50% - username_y 40% - - password_msg Password: - password_x 50% - password_y 40% - EOF - ''; - }; - }; - - enableOCR = true; - - testScript = { nodes, ... }: let - user = nodes.machine.config.users.users.alice; - in '' - startAll; - $machine->waitForText(qr/Username:/); - $machine->sendChars("${user.name}\n"); - $machine->waitForText(qr/Password:/); - $machine->sendChars("${user.password}\n"); - - $machine->waitForFile('${user.home}/.Xauthority'); - $machine->succeed('xauth merge ${user.home}/.Xauthority'); - $machine->waitForWindow('^IceWM '); - - # Make sure SLiM doesn't create a log file - $machine->fail('test -e /var/log/slim.log'); - ''; -}) diff --git a/nixpkgs/nixos/tests/slurm.nix b/nixpkgs/nixos/tests/slurm.nix index 4c2cd3c3d264..d0e62d15437c 100644 --- a/nixpkgs/nixos/tests/slurm.nix +++ b/nixpkgs/nixos/tests/slurm.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ lib, ... }: +import ./make-test-python.nix ({ lib, ... }: let mungekey = "mungeverryweakkeybuteasytointegratoinatest"; @@ -54,10 +54,15 @@ in { networking.firewall.enable = false; services.slurm.dbdserver = { enable = true; + storagePass = "password123"; }; services.mysql = { enable = true; - package = pkgs.mysql; + package = pkgs.mariadb; + initialScript = pkgs.writeText "mysql-init.sql" '' + CREATE USER 'slurm'@'localhost' IDENTIFIED BY 'password123'; + GRANT ALL PRIVILEGES ON slurm_acct_db.* TO 'slurm'@'localhost'; + ''; ensureDatabases = [ "slurm_acct_db" ]; ensureUsers = [{ ensurePermissions = { "slurm_acct_db.*" = "ALL PRIVILEGES"; }; @@ -80,63 +85,57 @@ in { testScript = '' - startAll; + start_all() # Set up authentification across the cluster - foreach my $node (($submit,$control,$dbd,$node1,$node2,$node3)) - { - $node->waitForUnit("default.target"); + for node in [submit, control, dbd, node1, node2, node3]: - $node->succeed("mkdir /etc/munge"); - $node->succeed("echo '${mungekey}' > /etc/munge/munge.key"); - $node->succeed("chmod 0400 /etc/munge/munge.key"); - $node->succeed("chown munge:munge /etc/munge/munge.key"); - $node->succeed("systemctl restart munged"); + node.wait_for_unit("default.target") + + node.succeed("mkdir /etc/munge") + node.succeed( + "echo '${mungekey}' > /etc/munge/munge.key" + ) + node.succeed("chmod 0400 /etc/munge/munge.key") + node.succeed("chown munge:munge /etc/munge/munge.key") + node.succeed("systemctl restart munged") + + node.wait_for_unit("munged") - $node->waitForUnit("munged"); - }; # Restart the services since they have probably failed due to the munge init # failure - subtest "can_start_slurmdbd", sub { - $dbd->succeed("systemctl restart slurmdbd"); - $dbd->waitForUnit("slurmdbd.service"); - $dbd->waitForOpenPort(6819); - }; + with subtest("can_start_slurmdbd"): + dbd.succeed("systemctl restart slurmdbd") + dbd.wait_for_unit("slurmdbd.service") + dbd.wait_for_open_port(6819) # there needs to be an entry for the current # cluster in the database before slurmctld is restarted - subtest "add_account", sub { - $control->succeed("sacctmgr -i add cluster default"); - # check for cluster entry - $control->succeed("sacctmgr list cluster | awk '{ print \$1 }' | grep default"); - }; + with subtest("add_account"): + control.succeed("sacctmgr -i add cluster default") + # check for cluster entry + control.succeed("sacctmgr list cluster | awk '{ print $1 }' | grep default") - subtest "can_start_slurmctld", sub { - $control->succeed("systemctl restart slurmctld"); - $control->waitForUnit("slurmctld.service"); - }; + with subtest("can_start_slurmctld"): + control.succeed("systemctl restart slurmctld") + control.wait_for_unit("slurmctld.service") - subtest "can_start_slurmd", sub { - foreach my $node (($node1,$node2,$node3)) - { - $node->succeed("systemctl restart slurmd.service"); - $node->waitForUnit("slurmd"); - } - }; + with subtest("can_start_slurmd"): + for node in [node1, node2, node3]: + node.succeed("systemctl restart slurmd.service") + node.wait_for_unit("slurmd") # Test that the cluster works and can distribute jobs; - subtest "run_distributed_command", sub { - # Run `hostname` on 3 nodes of the partition (so on all the 3 nodes). - # The output must contain the 3 different names - $submit->succeed("srun -N 3 hostname | sort | uniq | wc -l | xargs test 3 -eq"); - }; + with subtest("run_distributed_command"): + # Run `hostname` on 3 nodes of the partition (so on all the 3 nodes). + # The output must contain the 3 different names + submit.succeed("srun -N 3 hostname | sort | uniq | wc -l | xargs test 3 -eq") - subtest "check_slurm_dbd", sub { - # find the srun job from above in the database - sleep 5; - $control->succeed("sacct | grep hostname"); - }; + with subtest("check_slurm_dbd"): + # find the srun job from above in the database + control.succeed("sleep 5") + control.succeed("sacct | grep hostname") ''; }) diff --git a/nixpkgs/nixos/tests/smokeping.nix b/nixpkgs/nixos/tests/smokeping.nix index 07d228051127..4f8f0fcc9fe2 100644 --- a/nixpkgs/nixos/tests/smokeping.nix +++ b/nixpkgs/nixos/tests/smokeping.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "smokeping"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ cransom ]; @@ -22,12 +22,12 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; - $sm->waitForUnit("smokeping"); - $sm->waitForUnit("thttpd"); - $sm->waitForFile("/var/lib/smokeping/data/Local/LocalMachine.rrd"); - $sm->succeed("curl -s -f localhost:8081/smokeping.fcgi?target=Local"); - $sm->succeed("ls /var/lib/smokeping/cache/Local/LocalMachine_mini.png"); - $sm->succeed("ls /var/lib/smokeping/cache/index.html"); + start_all() + sm.wait_for_unit("smokeping") + sm.wait_for_unit("thttpd") + sm.wait_for_file("/var/lib/smokeping/data/Local/LocalMachine.rrd") + sm.succeed("curl -s -f localhost:8081/smokeping.fcgi?target=Local") + sm.succeed("ls /var/lib/smokeping/cache/Local/LocalMachine_mini.png") + sm.succeed("ls /var/lib/smokeping/cache/index.html") ''; }) diff --git a/nixpkgs/nixos/tests/snapper.nix b/nixpkgs/nixos/tests/snapper.nix index 74ec22fd3499..018102d7f640 100644 --- a/nixpkgs/nixos/tests/snapper.nix +++ b/nixpkgs/nixos/tests/snapper.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ ... }: +import ./make-test-python.nix ({ ... }: { name = "snapper"; @@ -20,24 +20,16 @@ import ./make-test.nix ({ ... }: }; testScript = '' - $machine->succeed("btrfs subvolume create /home/.snapshots"); - - $machine->succeed("snapper -c home list"); - - $machine->succeed("snapper -c home create --description empty"); - - $machine->succeed("echo test > /home/file"); - $machine->succeed("snapper -c home create --description file"); - - $machine->succeed("snapper -c home status 1..2"); - - $machine->succeed("snapper -c home undochange 1..2"); - $machine->fail("ls /home/file"); - - $machine->succeed("snapper -c home delete 2"); - - $machine->succeed("systemctl --wait start snapper-timeline.service"); - - $machine->succeed("systemctl --wait start snapper-cleanup.service"); + machine.succeed("btrfs subvolume create /home/.snapshots") + machine.succeed("snapper -c home list") + machine.succeed("snapper -c home create --description empty") + machine.succeed("echo test > /home/file") + machine.succeed("snapper -c home create --description file") + machine.succeed("snapper -c home status 1..2") + machine.succeed("snapper -c home undochange 1..2") + machine.fail("ls /home/file") + machine.succeed("snapper -c home delete 2") + machine.succeed("systemctl --wait start snapper-timeline.service") + machine.succeed("systemctl --wait start snapper-cleanup.service") ''; }) diff --git a/nixpkgs/nixos/tests/sonarr.nix b/nixpkgs/nixos/tests/sonarr.nix index 3e84445099ab..764a4d05b381 100644 --- a/nixpkgs/nixos/tests/sonarr.nix +++ b/nixpkgs/nixos/tests/sonarr.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ lib, ... }: +import ./make-test-python.nix ({ lib, ... }: with lib; @@ -11,8 +11,8 @@ with lib; { services.sonarr.enable = true; }; testScript = '' - $machine->waitForUnit('sonarr.service'); - $machine->waitForOpenPort('8989'); - $machine->succeed("curl --fail http://localhost:8989/"); + machine.wait_for_unit("sonarr.service") + machine.wait_for_open_port("8989") + machine.succeed("curl --fail http://localhost:8989/") ''; }) diff --git a/nixpkgs/nixos/tests/spacecookie.nix b/nixpkgs/nixos/tests/spacecookie.nix new file mode 100644 index 000000000000..6eff32a2e75d --- /dev/null +++ b/nixpkgs/nixos/tests/spacecookie.nix @@ -0,0 +1,51 @@ +let + gopherRoot = "/tmp/gopher"; + gopherHost = "gopherd"; + fileContent = "Hello Gopher!"; + fileName = "file.txt"; +in + import ./make-test-python.nix ({...}: { + name = "spacecookie"; + nodes = { + ${gopherHost} = { + networking.firewall.allowedTCPPorts = [ 70 ]; + systemd.services.spacecookie = { + preStart = '' + mkdir -p ${gopherRoot}/directory + echo "${fileContent}" > ${gopherRoot}/${fileName} + ''; + }; + + services.spacecookie = { + enable = true; + root = gopherRoot; + hostname = gopherHost; + }; + }; + + client = {}; + }; + + testScript = '' + start_all() + ${gopherHost}.wait_for_open_port(70) + ${gopherHost}.wait_for_unit("spacecookie.service") + client.wait_for_unit("network.target") + + fileResponse = client.succeed("curl -s gopher://${gopherHost}//${fileName}") + + # the file response should return our created file exactly + if not (fileResponse == "${fileContent}\n"): + raise Exception("Unexpected file response") + + # sanity check on the directory listing: we serve a directory and a file + # via gopher, so the directory listing should have exactly two entries, + # one with gopher file type 0 (file) and one with file type 1 (directory). + dirResponse = client.succeed("curl -s gopher://${gopherHost}") + dirEntries = [l[0] for l in dirResponse.split("\n") if len(l) > 0] + dirEntries.sort() + + if not (["0", "1"] == dirEntries): + raise Exception("Unexpected directory response") + ''; + }) diff --git a/nixpkgs/nixos/tests/spike.nix b/nixpkgs/nixos/tests/spike.nix new file mode 100644 index 000000000000..47763e75ffa2 --- /dev/null +++ b/nixpkgs/nixos/tests/spike.nix @@ -0,0 +1,22 @@ +import ./make-test-python.nix ({ pkgs, ... }: + +let + riscvPkgs = import ../.. { crossSystem = pkgs.stdenv.lib.systems.examples.riscv64-embedded; }; +in +{ + name = "spike"; + meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ blitz ]; }; + + machine = { pkgs, lib, ... }: { + environment.systemPackages = [ pkgs.spike riscvPkgs.riscv-pk riscvPkgs.hello ]; + }; + + # Run the RISC-V hello applications using the proxy kernel on the + # Spike emulator and see whether we get the expected output. + testScript = + '' + machine.wait_for_unit("multi-user.target") + output = machine.succeed("spike -m64 $(which pk) $(which hello)") + assert output == "Hello, world!\n" + ''; +}) diff --git a/nixpkgs/nixos/tests/strongswan-swanctl.nix b/nixpkgs/nixos/tests/strongswan-swanctl.nix index 9bab9349ea73..152c0d61c543 100644 --- a/nixpkgs/nixos/tests/strongswan-swanctl.nix +++ b/nixpkgs/nixos/tests/strongswan-swanctl.nix @@ -16,7 +16,7 @@ # See the NixOS manual for how to run this test: # https://nixos.org/nixos/manual/index.html#sec-running-nixos-tests-interactively -import ./make-test.nix ({ pkgs, ...} : +import ./make-test-python.nix ({ pkgs, ...} : let allowESP = "iptables --insert INPUT --protocol ESP --jump ACCEPT"; @@ -142,7 +142,7 @@ in { }; testScript = '' - startAll(); - $carol->waitUntilSucceeds("ping -c 1 alice"); + start_all() + carol.wait_until_succeeds("ping -c 1 alice") ''; }) diff --git a/nixpkgs/nixos/tests/sudo.nix b/nixpkgs/nixos/tests/sudo.nix index fc16b99cc19c..5bbec3d57269 100644 --- a/nixpkgs/nixos/tests/sudo.nix +++ b/nixpkgs/nixos/tests/sudo.nix @@ -4,7 +4,7 @@ let password = "helloworld"; in - import ./make-test.nix ({ pkgs, ...} : { + import ./make-test-python.nix ({ pkgs, ...} : { name = "sudo"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ lschuermann ]; @@ -50,44 +50,34 @@ in testScript = '' - subtest "users in wheel group should have passwordless sudo", sub { - $machine->succeed("su - test0 -c \"sudo -u root true\""); - }; + with subtest("users in wheel group should have passwordless sudo"): + machine.succeed('su - test0 -c "sudo -u root true"') - subtest "test1 user should have sudo with password", sub { - $machine->succeed("su - test1 -c \"echo ${password} | sudo -S -u root true\""); - }; + with subtest("test1 user should have sudo with password"): + machine.succeed('su - test1 -c "echo ${password} | sudo -S -u root true"') - subtest "test1 user should not be able to use sudo without password", sub { - $machine->fail("su - test1 -c \"sudo -n -u root true\""); - }; + with subtest("test1 user should not be able to use sudo without password"): + machine.fail('su - test1 -c "sudo -n -u root true"') - subtest "users in group 'foobar' should be able to use sudo with password", sub { - $machine->succeed("sudo -u test2 echo ${password} | sudo -S -u root true"); - }; + with subtest("users in group 'foobar' should be able to use sudo with password"): + machine.succeed("sudo -u test2 echo ${password} | sudo -S -u root true") - subtest "users in group 'barfoo' should be able to use sudo without password", sub { - $machine->succeed("sudo -u test3 sudo -n -u root true"); - }; + with subtest("users in group 'barfoo' should be able to use sudo without password"): + machine.succeed("sudo -u test3 sudo -n -u root true") - subtest "users in group 'baz' (GID 1337) should be able to use sudo without password", sub { - $machine->succeed("sudo -u test4 sudo -n -u root echo true"); - }; + with subtest("users in group 'baz' (GID 1337)"): + machine.succeed("sudo -u test4 sudo -n -u root echo true") - subtest "test5 user should be able to run commands under test1", sub { - $machine->succeed("sudo -u test5 sudo -n -u test1 true"); - }; + with subtest("test5 user should be able to run commands under test1"): + machine.succeed("sudo -u test5 sudo -n -u test1 true") - subtest "test5 user should not be able to run commands under root", sub { - $machine->fail("sudo -u test5 sudo -n -u root true"); - }; + with subtest("test5 user should not be able to run commands under root"): + machine.fail("sudo -u test5 sudo -n -u root true") - subtest "test5 user should be able to keep his environment", sub { - $machine->succeed("sudo -u test5 sudo -n -E -u test1 true"); - }; + with subtest("test5 user should be able to keep his environment"): + machine.succeed("sudo -u test5 sudo -n -E -u test1 true") - subtest "users in group 'barfoo' should not be able to keep their environment", sub { - $machine->fail("sudo -u test3 sudo -n -E -u root true"); - }; + with subtest("users in group 'barfoo' should not be able to keep their environment"): + machine.fail("sudo -u test3 sudo -n -E -u root true") ''; }) diff --git a/nixpkgs/nixos/tests/switch-test.nix b/nixpkgs/nixos/tests/switch-test.nix index 0dba3697980f..7076bd77b770 100644 --- a/nixpkgs/nixos/tests/switch-test.nix +++ b/nixpkgs/nixos/tests/switch-test.nix @@ -1,6 +1,6 @@ # Test configuration switching. -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "switch-test"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ gleber ]; @@ -28,7 +28,11 @@ import ./make-test.nix ({ pkgs, ...} : { exec env -i "$@" | tee /dev/stderr ''; in '' - $machine->succeed("${stderrRunner} ${originalSystem}/bin/switch-to-configuration test"); - $machine->succeed("${stderrRunner} ${otherSystem}/bin/switch-to-configuration test"); + machine.succeed( + "${stderrRunner} ${originalSystem}/bin/switch-to-configuration test" + ) + machine.succeed( + "${stderrRunner} ${otherSystem}/bin/switch-to-configuration test" + ) ''; }) diff --git a/nixpkgs/nixos/tests/syncthing-init.nix b/nixpkgs/nixos/tests/syncthing-init.nix index 0de76b688bdc..9c8e0a3d087e 100644 --- a/nixpkgs/nixos/tests/syncthing-init.nix +++ b/nixpkgs/nixos/tests/syncthing-init.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ lib, pkgs, ... }: let +import ./make-test-python.nix ({ lib, pkgs, ... }: let testId = "7CFNTQM-IMTJBHJ-3UWRDIU-ZGQJFR6-VCXZ3NB-XUH3KZO-N52ITXR-LAIYUAU"; @@ -22,13 +22,11 @@ in { }; testScript = '' - my $config; - - $machine->waitForUnit("syncthing-init.service"); - $config = $machine->succeed("cat /var/lib/syncthing/.config/syncthing/config.xml"); + machine.wait_for_unit("syncthing-init.service") + config = machine.succeed("cat /var/lib/syncthing/.config/syncthing/config.xml") - $config =~ /${testId}/ or die; - $config =~ /testFolder/ or die; + assert "testFolder" in config + assert "${testId}" in config ''; }) diff --git a/nixpkgs/nixos/tests/syncthing-relay.nix b/nixpkgs/nixos/tests/syncthing-relay.nix index f1ceb4993337..cd72ef1cbe1d 100644 --- a/nixpkgs/nixos/tests/syncthing-relay.nix +++ b/nixpkgs/nixos/tests/syncthing-relay.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ lib, pkgs, ... }: { +import ./make-test-python.nix ({ lib, pkgs, ... }: { name = "syncthing-relay"; meta.maintainers = with pkgs.stdenv.lib.maintainers; [ delroth ]; @@ -14,9 +14,13 @@ import ./make-test.nix ({ lib, pkgs, ... }: { }; testScript = '' - $machine->waitForUnit("syncthing-relay.service"); - $machine->waitForOpenPort(12345); - $machine->waitForOpenPort(12346); - $machine->succeed("curl http://localhost:12346/status | jq -r '.options.\"provided-by\"'") =~ /nixos-test/ or die; + machine.wait_for_unit("syncthing-relay.service") + machine.wait_for_open_port(12345) + machine.wait_for_open_port(12346) + + out = machine.succeed( + "curl -sS http://localhost:12346/status | jq -r '.options.\"provided-by\"'" + ) + assert "nixos-test" in out ''; }) diff --git a/nixpkgs/nixos/tests/systemd-analyze.nix b/nixpkgs/nixos/tests/systemd-analyze.nix new file mode 100644 index 000000000000..a78ba08cd55c --- /dev/null +++ b/nixpkgs/nixos/tests/systemd-analyze.nix @@ -0,0 +1,46 @@ +import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... }: + +{ + name = "systemd-analyze"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ raskin ]; + }; + + machine = + { pkgs, lib, ... }: + { boot.kernelPackages = lib.mkIf latestKernel pkgs.linuxPackages_latest; + sound.enable = true; # needed for the factl test, /dev/snd/* exists without them but udev doesn't care then + }; + + testScript = '' + machine.wait_for_unit("multi-user.target") + + # We create a special output directory to copy it as a whole + with subtest("Prepare output dir"): + machine.succeed("mkdir systemd-analyze") + + + # Save the output into a file with given name inside the common + # output directory + def run_systemd_analyze(args, name): + tgt_dir = "systemd-analyze" + machine.succeed( + "systemd-analyze {} > {}/{} 2> {}/{}.err".format( + " ".join(args), tgt_dir, name, tgt_dir, name + ) + ) + + + with subtest("Print statistics"): + run_systemd_analyze(["blame"], "blame.txt") + run_systemd_analyze(["critical-chain"], "critical-chain.txt") + run_systemd_analyze(["dot"], "dependencies.dot") + run_systemd_analyze(["plot"], "systemd-analyze.svg") + + # We copy the main graph into the $out (toplevel), and we also copy + # the entire output directory with additional data + with subtest("Copying the resulting data into $out"): + machine.copy_from_vm("systemd-analyze/", "") + machine.copy_from_vm("systemd-analyze/systemd-analyze.svg", "") + ''; +}) diff --git a/nixpkgs/nixos/tests/systemd-networkd-wireguard.nix b/nixpkgs/nixos/tests/systemd-networkd-wireguard.nix index f1ce1e791ce3..be5c0da981d2 100644 --- a/nixpkgs/nixos/tests/systemd-networkd-wireguard.nix +++ b/nixpkgs/nixos/tests/systemd-networkd-wireguard.nix @@ -1,18 +1,22 @@ -let generateNodeConf = { lib, pkgs, config, privkpath, pubk, peerId, nodeId, ...}: { +let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: { imports = [ common/user-account.nix ]; systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug"; networking.useNetworkd = true; + networking.useDHCP = false; networking.firewall.enable = false; virtualisation.vlans = [ 1 ]; environment.systemPackages = with pkgs; [ wireguard-tools ]; boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ]; + systemd.tmpfiles.rules = [ + "f /run/wg_priv 0640 root systemd-network - ${privk}" + ]; systemd.network = { enable = true; netdevs = { "90-wg0" = { netdevConfig = { Kind = "wireguard"; Name = "wg0"; }; wireguardConfig = { - PrivateKeyFile = privkpath ; + PrivateKeyFile = "/run/wg_priv"; ListenPort = 51820; FwMark = 42; }; @@ -44,7 +48,7 @@ let generateNodeConf = { lib, pkgs, config, privkpath, pubk, peerId, nodeId, ... }; }; }; -in import ./make-test.nix ({pkgs, ... }: { +in import ./make-test-python.nix ({pkgs, ... }: { name = "networkd-wireguard"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ ninjatrappeur ]; @@ -52,7 +56,7 @@ in import ./make-test.nix ({pkgs, ... }: { nodes = { node1 = { pkgs, ... }@attrs: let localConf = { - privkpath = pkgs.writeText "priv.key" "GDiXWlMQKb379XthwX0haAbK6hTdjblllpjGX0heP00="; + privk = "GDiXWlMQKb379XthwX0haAbK6hTdjblllpjGX0heP00="; pubk = "iRxpqj42nnY0Qz8MAQbSm7bXxXP5hkPqWYIULmvW+EE="; nodeId = "1"; peerId = "2"; @@ -61,7 +65,7 @@ in import ./make-test.nix ({pkgs, ... }: { node2 = { pkgs, ... }@attrs: let localConf = { - privkpath = pkgs.writeText "priv.key" "eHxSI2jwX/P4AOI0r8YppPw0+4NZnjOxfbS5mt06K2k="; + privk = "eHxSI2jwX/P4AOI0r8YppPw0+4NZnjOxfbS5mt06K2k="; pubk = "27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g="; nodeId = "2"; peerId = "1"; @@ -69,12 +73,12 @@ in import ./make-test.nix ({pkgs, ... }: { in generateNodeConf (attrs // localConf); }; testScript = '' - startAll; - $node1->waitForUnit('systemd-networkd-wait-online.service'); - $node2->waitForUnit('systemd-networkd-wait-online.service'); - $node1->succeed('ping -c 5 10.0.0.2'); - $node2->succeed('ping -c 5 10.0.0.1'); + start_all() + node1.wait_for_unit("systemd-networkd-wait-online.service") + node2.wait_for_unit("systemd-networkd-wait-online.service") + node1.succeed("ping -c 5 10.0.0.2") + node2.succeed("ping -c 5 10.0.0.1") # Is the fwmark set? - $node2->succeed('wg | grep -q 42'); + node2.succeed("wg | grep -q 42") ''; }) diff --git a/nixpkgs/nixos/tests/systemd-nspawn.nix b/nixpkgs/nixos/tests/systemd-nspawn.nix new file mode 100644 index 000000000000..5bf55060d2e0 --- /dev/null +++ b/nixpkgs/nixos/tests/systemd-nspawn.nix @@ -0,0 +1,60 @@ +import ./make-test-python.nix ({pkgs, lib, ...}: +let + gpgKeyring = (pkgs.runCommand "gpg-keyring" { buildInputs = [ pkgs.gnupg ]; } '' + mkdir -p $out + export GNUPGHOME=$out + cat > foo <<EOF + %echo Generating a basic OpenPGP key + %no-protection + Key-Type: DSA + Key-Length: 1024 + Subkey-Type: ELG-E + Subkey-Length: 1024 + Name-Real: Joe Tester + Name-Email: joe@foo.bar + Expire-Date: 0 + # Do a commit here, so that we can later print "done" + %commit + %echo done + EOF + gpg --batch --generate-key foo + rm $out/S.gpg-agent $out/S.gpg-agent.* + gpg --export joe@foo.bar -a > $out/pubkey.gpg + ''); + + nspawnImages = (pkgs.runCommand "localhost" { buildInputs = [ pkgs.coreutils pkgs.gnupg ]; } '' + mkdir -p $out + cd $out + dd if=/dev/urandom of=$out/testimage.raw bs=$((1024*1024+7)) count=5 + sha256sum testimage.raw > SHA256SUMS + export GNUPGHOME="$(mktemp -d)" + cp -R ${gpgKeyring}/* $GNUPGHOME + gpg --batch --sign --detach-sign --output SHA256SUMS.gpg SHA256SUMS + ''); +in { + name = "systemd-nspawn"; + + nodes = { + server = { pkgs, ... }: { + networking.firewall.allowedTCPPorts = [ 80 ]; + services.nginx = { + enable = true; + virtualHosts."server".root = nspawnImages; + }; + }; + client = { pkgs, ... }: { + environment.etc."systemd/import-pubring.gpg".source = "${gpgKeyring}/pubkey.gpg"; + }; + }; + + testScript = '' + start_all() + + server.wait_for_unit("nginx.service") + client.wait_for_unit("network-online.target") + client.succeed("machinectl pull-raw --verify=signature http://server/testimage.raw") + client.succeed( + "cmp /var/lib/machines/testimage.raw ${nspawnImages}/testimage.raw" + ) + ''; +}) diff --git a/nixpkgs/nixos/tests/systemd-timesyncd.nix b/nixpkgs/nixos/tests/systemd-timesyncd.nix index d12b8eb2bf7e..ad5b9a47383b 100644 --- a/nixpkgs/nixos/tests/systemd-timesyncd.nix +++ b/nixpkgs/nixos/tests/systemd-timesyncd.nix @@ -1,7 +1,7 @@ # Regression test for systemd-timesync having moved the state directory without # upstream providing a migration path. https://github.com/systemd/systemd/issues/12131 -import ./make-test.nix (let +import ./make-test-python.nix (let common = { lib, ... }: { # override the `false` value from the qemu-vm base profile services.timesyncd.enable = lib.mkForce true; @@ -25,28 +25,28 @@ in { }; testScript = '' - startAll; - $current->succeed('systemctl status systemd-timesyncd.service'); + start_all() + current.succeed("systemctl status systemd-timesyncd.service") # on a new install with a recent systemd there should not be any # leftovers from the dynamic user mess - $current->succeed('test -e /var/lib/systemd/timesync'); - $current->succeed('test ! -L /var/lib/systemd/timesync'); + current.succeed("test -e /var/lib/systemd/timesync") + current.succeed("test ! -L /var/lib/systemd/timesync") # timesyncd should be running on the upgrading system since we fixed the # file bits in the activation script - $pre1909->succeed('systemctl status systemd-timesyncd.service'); + pre1909.succeed("systemctl status systemd-timesyncd.service") # the path should be gone after the migration - $pre1909->succeed('test ! -e /var/lib/private/systemd/timesync'); + pre1909.succeed("test ! -e /var/lib/private/systemd/timesync") # and the new path should no longer be a symlink - $pre1909->succeed('test -e /var/lib/systemd/timesync'); - $pre1909->succeed('test ! -L /var/lib/systemd/timesync'); + pre1909.succeed("test -e /var/lib/systemd/timesync") + pre1909.succeed("test ! -L /var/lib/systemd/timesync") # after a restart things should still work and not fail in the activation # scripts and cause the boot to fail.. - $pre1909->shutdown; - $pre1909->start; - $pre1909->succeed('systemctl status systemd-timesyncd.service'); + pre1909.shutdown() + pre1909.start() + pre1909.succeed("systemctl status systemd-timesyncd.service") ''; }) diff --git a/nixpkgs/nixos/tests/telegraf.nix b/nixpkgs/nixos/tests/telegraf.nix index 6776f8d8c37f..73f741b11357 100644 --- a/nixpkgs/nixos/tests/telegraf.nix +++ b/nixpkgs/nixos/tests/telegraf.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "telegraf"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ mic92 ]; @@ -22,9 +22,9 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; + start_all() - $machine->waitForUnit("telegraf.service"); - $machine->waitUntilSucceeds("grep -q example /tmp/metrics.out"); + machine.wait_for_unit("telegraf.service") + machine.wait_until_succeeds("grep -q example /tmp/metrics.out") ''; }) diff --git a/nixpkgs/nixos/tests/tiddlywiki.nix b/nixpkgs/nixos/tests/tiddlywiki.nix index 4a2014a4ec91..cf45578b0f98 100644 --- a/nixpkgs/nixos/tests/tiddlywiki.nix +++ b/nixpkgs/nixos/tests/tiddlywiki.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ ... }: { +import ./make-test-python.nix ({ ... }: { name = "tiddlywiki"; nodes = { default = { @@ -20,48 +20,50 @@ import ./make-test.nix ({ ... }: { }; }; - testScript = '' - startAll; + testScript = + '' + start_all() - subtest "by default works without configuration", sub { - $default->waitForUnit("tiddlywiki.service"); - }; - - subtest "by default available on port 8080 without auth", sub { - $default->waitForUnit("tiddlywiki.service"); - $default->waitForOpenPort(8080); - $default->succeed("curl --fail 127.0.0.1:8080"); - }; - - subtest "by default creates empty wiki", sub { - $default->succeed("test -f /var/lib/tiddlywiki/tiddlywiki.info"); - }; + with subtest("by default works without configuration"): + default.wait_for_unit("tiddlywiki.service") - subtest "configured on port 3000 with basic auth", sub { - $configured->waitForUnit("tiddlywiki.service"); - $configured->waitForOpenPort(3000); - $configured->fail("curl --fail 127.0.0.1:3000"); - $configured->succeed("curl --fail 127.0.0.1:3000 --user somelogin:somesecret"); - }; + with subtest("by default available on port 8080 without auth"): + default.wait_for_unit("tiddlywiki.service") + default.wait_for_open_port(8080) + # we output to /dev/null here to avoid a python UTF-8 decode error + # but the check will still fail if the service doesn't respond + default.succeed("curl --fail -o /dev/null 127.0.0.1:8080") - subtest "configured with different wikifolder", sub { - $configured->succeed("test -f /var/lib/tiddlywiki/tiddlywiki.info"); - }; + with subtest("by default creates empty wiki"): + default.succeed("test -f /var/lib/tiddlywiki/tiddlywiki.info") - subtest "restart preserves changes", sub { - # given running wiki - $default->waitForUnit("tiddlywiki.service"); - # with some changes - $default->succeed("curl --fail --request PUT --header 'X-Requested-With:TiddlyWiki' --data '{ \"title\": \"title\", \"text\": \"content\" }' --url 127.0.0.1:8080/recipes/default/tiddlers/somepage "); - $default->succeed("sleep 2"); # server syncs to filesystem on timer + with subtest("configured on port 3000 with basic auth"): + configured.wait_for_unit("tiddlywiki.service") + configured.wait_for_open_port(3000) + configured.fail("curl --fail -o /dev/null 127.0.0.1:3000") + configured.succeed( + "curl --fail -o /dev/null 127.0.0.1:3000 --user somelogin:somesecret" + ) + + with subtest("restart preserves changes"): + # given running wiki + default.wait_for_unit("tiddlywiki.service") + # with some changes + default.succeed( + 'curl --fail --request PUT --header \'X-Requested-With:TiddlyWiki\' \ + --data \'{ "title": "title", "text": "content" }\' \ + --url 127.0.0.1:8080/recipes/default/tiddlers/somepage ' + ) + default.succeed("sleep 2") - # when wiki is cycled - $default->systemctl("restart tiddlywiki.service"); - $default->waitForUnit("tiddlywiki.service"); - $default->waitForOpenPort(8080); + # when wiki is cycled + default.systemctl("restart tiddlywiki.service") + default.wait_for_unit("tiddlywiki.service") + default.wait_for_open_port(8080) - # the change is preserved - $default->succeed("curl --fail 127.0.0.1:8080/recipes/default/tiddlers/somepage"); - }; - ''; + # the change is preserved + default.succeed( + "curl --fail -o /dev/null 127.0.0.1:8080/recipes/default/tiddlers/somepage" + ) + ''; }) diff --git a/nixpkgs/nixos/tests/timezone.nix b/nixpkgs/nixos/tests/timezone.nix index 2204649a3fc4..7fc9a5058eee 100644 --- a/nixpkgs/nixos/tests/timezone.nix +++ b/nixpkgs/nixos/tests/timezone.nix @@ -1,45 +1,50 @@ -{ - timezone-static = import ./make-test.nix ({ pkgs, ... }: { - name = "timezone-static"; - meta.maintainers = with pkgs.lib.maintainers; [ lheckemann ]; - - machine.time.timeZone = "Europe/Amsterdam"; - - testScript = '' - $machine->waitForUnit("dbus.socket"); - $machine->fail("timedatectl set-timezone Asia/Tokyo"); - my @dateResult = $machine->execute('date -d @0 "+%Y-%m-%d %H:%M:%S"'); - $dateResult[1] eq "1970-01-01 01:00:00\n" or die "Timezone seems to be wrong"; - ''; - }); - - timezone-imperative = import ./make-test.nix ({ pkgs, ... }: { - name = "timezone-imperative"; - meta.maintainers = with pkgs.lib.maintainers; [ lheckemann ]; - - machine.time.timeZone = null; - - testScript = '' - $machine->waitForUnit("dbus.socket"); - - # Should default to UTC - my @dateResult = $machine->execute('date -d @0 "+%Y-%m-%d %H:%M:%S"'); - print $dateResult[1]; - $dateResult[1] eq "1970-01-01 00:00:00\n" or die "Timezone seems to be wrong"; - - $machine->succeed("timedatectl set-timezone Asia/Tokyo"); - - # Adjustment should be taken into account - my @dateResult = $machine->execute('date -d @0 "+%Y-%m-%d %H:%M:%S"'); - print $dateResult[1]; - $dateResult[1] eq "1970-01-01 09:00:00\n" or die "Timezone was not adjusted"; - - # Adjustment should persist across a reboot - $machine->shutdown; - $machine->waitForUnit("dbus.socket"); - my @dateResult = $machine->execute('date -d @0 "+%Y-%m-%d %H:%M:%S"'); - print $dateResult[1]; - $dateResult[1] eq "1970-01-01 09:00:00\n" or die "Timezone adjustment was not persisted"; - ''; - }); -} +import ./make-test-python.nix ({ pkgs, ...} : { + name = "timezone"; + meta.maintainers = with pkgs.lib.maintainers; [ lheckemann ]; + + nodes = { + node_eutz = { pkgs, ... }: { + time.timeZone = "Europe/Amsterdam"; + }; + + node_nulltz = { pkgs, ... }: { + time.timeZone = null; + }; + }; + + testScript = { nodes, ... }: '' + node_eutz.wait_for_unit("dbus.socket") + + with subtest("static - Ensure timezone change gives the correct result"): + node_eutz.fail("timedatectl set-timezone Asia/Tokyo") + date_result = node_eutz.succeed('date -d @0 "+%Y-%m-%d %H:%M:%S"') + assert date_result == "1970-01-01 01:00:00\n", "Timezone seems to be wrong" + + node_nulltz.wait_for_unit("dbus.socket") + + with subtest("imperative - Ensure timezone defaults to UTC"): + date_result = node_nulltz.succeed('date -d @0 "+%Y-%m-%d %H:%M:%S"') + print(date_result) + assert ( + date_result == "1970-01-01 00:00:00\n" + ), "Timezone seems to be wrong (not UTC)" + + with subtest("imperative - Ensure timezone adjustment produces expected result"): + node_nulltz.succeed("timedatectl set-timezone Asia/Tokyo") + + # Adjustment should be taken into account + date_result = node_nulltz.succeed('date -d @0 "+%Y-%m-%d %H:%M:%S"') + print(date_result) + assert date_result == "1970-01-01 09:00:00\n", "Timezone was not adjusted" + + with subtest("imperative - Ensure timezone adjustment persists across reboot"): + # Adjustment should persist across a reboot + node_nulltz.shutdown() + node_nulltz.wait_for_unit("dbus.socket") + date_result = node_nulltz.succeed('date -d @0 "+%Y-%m-%d %H:%M:%S"') + print(date_result) + assert ( + date_result == "1970-01-01 09:00:00\n" + ), "Timezone adjustment was not persisted" + ''; +}) diff --git a/nixpkgs/nixos/tests/tinydns.nix b/nixpkgs/nixos/tests/tinydns.nix index cb7ee0c5fb5e..c7740d5ade35 100644 --- a/nixpkgs/nixos/tests/tinydns.nix +++ b/nixpkgs/nixos/tests/tinydns.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ lib, ...} : { +import ./make-test-python.nix ({ lib, ...} : { name = "tinydns"; meta = { maintainers = with lib.maintainers; [ basvandijk ]; @@ -19,8 +19,8 @@ import ./make-test.nix ({ lib, ...} : { }; }; testScript = '' - $nameserver->start; - $nameserver->waitForUnit("tinydns.service"); - $nameserver->succeed("host bla.foo.bar | grep '1\.2\.3\.4'"); + nameserver.start() + nameserver.wait_for_unit("tinydns.service") + nameserver.succeed("host bla.foo.bar | grep '1\.2\.3\.4'") ''; }) diff --git a/nixpkgs/nixos/tests/tor.nix b/nixpkgs/nixos/tests/tor.nix index 0cb44ddff248..ad07231557c3 100644 --- a/nixpkgs/nixos/tests/tor.nix +++ b/nixpkgs/nixos/tests/tor.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ lib, ... }: with lib; +import ./make-test-python.nix ({ lib, ... }: with lib; rec { name = "tor"; @@ -21,8 +21,10 @@ rec { }; testScript = '' - $client->waitForUnit("tor.service"); - $client->waitForOpenPort(9051); - $client->succeed("echo GETINFO version | nc 127.0.0.1 9051") =~ /514 Authentication required./ or die; + client.wait_for_unit("tor.service") + client.wait_for_open_port(9051) + assert "514 Authentication required." in client.succeed( + "echo GETINFO version | nc 127.0.0.1 9051" + ) ''; }) diff --git a/nixpkgs/nixos/tests/trac.nix b/nixpkgs/nixos/tests/trac.nix new file mode 100644 index 000000000000..7953f8d41f77 --- /dev/null +++ b/nixpkgs/nixos/tests/trac.nix @@ -0,0 +1,19 @@ +import ./make-test-python.nix ({ pkgs, ... }: { + name = "trac"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ mmahut ]; + }; + + nodes = { + machine = { ... }: { + services.trac.enable = true; + }; + }; + + testScript = '' + start_all() + machine.wait_for_unit("trac.service") + machine.wait_for_open_port(8000) + machine.wait_until_succeeds("curl -L http://localhost:8000/ | grep 'Trac Powered'") + ''; +}) diff --git a/nixpkgs/nixos/tests/transmission.nix b/nixpkgs/nixos/tests/transmission.nix index f1c238730ebb..f4f2186be1ff 100644 --- a/nixpkgs/nixos/tests/transmission.nix +++ b/nixpkgs/nixos/tests/transmission.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "transmission"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ coconnor ]; @@ -14,8 +14,8 @@ import ./make-test.nix ({ pkgs, ...} : { testScript = '' - startAll; - $machine->waitForUnit("transmission"); - $machine->shutdown; + start_all() + machine.wait_for_unit("transmission") + machine.shutdown() ''; }) diff --git a/nixpkgs/nixos/tests/trezord.nix b/nixpkgs/nixos/tests/trezord.nix index 1c85bf539345..8d908a522492 100644 --- a/nixpkgs/nixos/tests/trezord.nix +++ b/nixpkgs/nixos/tests/trezord.nix @@ -1,7 +1,7 @@ -import ./make-test.nix ({ pkgs, ... }: { +import ./make-test-python.nix ({ pkgs, ... }: { name = "trezord"; meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ mmahut ]; + maintainers = [ mmahut "1000101" ]; }; nodes = { @@ -12,9 +12,9 @@ import ./make-test.nix ({ pkgs, ... }: { }; testScript = '' - startAll; - $machine->waitForUnit("trezord.service"); - $machine->waitForOpenPort(21325); - $machine->waitUntilSucceeds("curl -L http://localhost:21325/status/ | grep Version"); + start_all() + machine.wait_for_unit("trezord.service") + machine.wait_for_open_port(21325) + machine.wait_until_succeeds("curl -L http://localhost:21325/status/ | grep Version") ''; }) diff --git a/nixpkgs/nixos/tests/trickster.nix b/nixpkgs/nixos/tests/trickster.nix new file mode 100644 index 000000000000..e2ca00980d53 --- /dev/null +++ b/nixpkgs/nixos/tests/trickster.nix @@ -0,0 +1,37 @@ +import ./make-test-python.nix ({ pkgs, ... }: { + name = "trickster"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ "1000101" ]; + }; + + nodes = { + prometheus = { ... }: { + services.prometheus.enable = true; + networking.firewall.allowedTCPPorts = [ 9090 ]; + }; + trickster = { ... }: { + services.trickster.enable = true; + }; + }; + + testScript = '' + start_all() + prometheus.wait_for_unit("prometheus.service") + prometheus.wait_for_open_port(9090) + prometheus.wait_until_succeeds( + "curl -L http://localhost:9090/metrics | grep 'promhttp_metric_handler_requests_total{code=\"500\"} 0'" + ) + trickster.wait_for_unit("trickster.service") + trickster.wait_for_open_port(8082) + trickster.wait_for_open_port(9090) + trickster.wait_until_succeeds( + "curl -L http://localhost:8082/metrics | grep 'promhttp_metric_handler_requests_total{code=\"500\"} 0'" + ) + trickster.wait_until_succeeds( + "curl -L http://prometheus:9090/metrics | grep 'promhttp_metric_handler_requests_total{code=\"500\"} 0'" + ) + trickster.wait_until_succeeds( + "curl -L http://localhost:9090/metrics | grep 'promhttp_metric_handler_requests_total{code=\"500\"} 0'" + ) + ''; +}) \ No newline at end of file diff --git a/nixpkgs/nixos/tests/trilium-server.nix b/nixpkgs/nixos/tests/trilium-server.nix new file mode 100644 index 000000000000..6346575b33da --- /dev/null +++ b/nixpkgs/nixos/tests/trilium-server.nix @@ -0,0 +1,53 @@ +import ./make-test-python.nix ({ ... }: { + name = "trilium-server"; + nodes = { + default = { + services.trilium-server.enable = true; + }; + configured = { + services.trilium-server = { + enable = true; + dataDir = "/data/trilium"; + }; + }; + + nginx = { + services.trilium-server = { + enable = true; + nginx.enable = true; + nginx.hostName = "trilium.example.com"; + }; + }; + }; + + testScript = + '' + start_all() + + with subtest("by default works without configuration"): + default.wait_for_unit("trilium-server.service") + + with subtest("by default available on port 8080"): + default.wait_for_unit("trilium-server.service") + default.wait_for_open_port(8080) + # we output to /dev/null here to avoid a python UTF-8 decode error + # but the check will still fail if the service doesn't respond + default.succeed("curl --fail -o /dev/null 127.0.0.1:8080") + + with subtest("by default creates empty document"): + default.wait_for_unit("trilium-server.service") + default.succeed("test -f /var/lib/trilium/document.db") + + with subtest("configured with custom data store"): + configured.wait_for_unit("trilium-server.service") + configured.succeed("test -f /data/trilium/document.db") + + with subtest("nginx with custom host name"): + nginx.wait_for_unit("trilium-server.service") + nginx.wait_for_unit("nginx.service") + + nginx.succeed( + "curl --resolve 'trilium.example.com:80:127.0.0.1' http://trilium.example.com/" + ) + ''; +}) diff --git a/nixpkgs/nixos/tests/udisks2.nix b/nixpkgs/nixos/tests/udisks2.nix index dcf869908d82..0cbfa0c4c7be 100644 --- a/nixpkgs/nixos/tests/udisks2.nix +++ b/nixpkgs/nixos/tests/udisks2.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, ... }: let @@ -30,32 +30,40 @@ in testScript = '' - my $stick = $machine->stateDir . "/usbstick.img"; - system("xz -d < ${stick} > $stick") == 0 or die; + import lzma - $machine->succeed("udisksctl info -b /dev/vda >&2"); - $machine->fail("udisksctl info -b /dev/sda1"); + with lzma.open( + "${stick}" + ) as data, open(machine.state_dir + "/usbstick.img", "wb") as stick: + stick.write(data.read()) + + machine.succeed("udisksctl info -b /dev/vda >&2") + machine.fail("udisksctl info -b /dev/sda1") # Attach a USB stick and wait for it to show up. - $machine->sendMonitorCommand("drive_add 0 id=stick,if=none,file=$stick,format=raw"); - $machine->sendMonitorCommand("device_add usb-storage,id=stick,drive=stick"); - $machine->waitUntilSucceeds("udisksctl info -b /dev/sda1"); - $machine->succeed("udisksctl info -b /dev/sda1 | grep 'IdLabel:.*USBSTICK'"); + machine.send_monitor_command( + f"drive_add 0 id=stick,if=none,file={stick.name},format=raw" + ) + machine.send_monitor_command("device_add usb-storage,id=stick,drive=stick") + machine.wait_until_succeeds("udisksctl info -b /dev/sda1") + machine.succeed("udisksctl info -b /dev/sda1 | grep 'IdLabel:.*USBSTICK'") # Mount the stick as a non-root user and do some stuff with it. - $machine->succeed("su - alice -c 'udisksctl info -b /dev/sda1'"); - $machine->succeed("su - alice -c 'udisksctl mount -b /dev/sda1'"); - $machine->succeed("su - alice -c 'cat /run/media/alice/USBSTICK/test.txt'") =~ /Hello World/ or die; - $machine->succeed("su - alice -c 'echo foo > /run/media/alice/USBSTICK/bar.txt'"); + machine.succeed("su - alice -c 'udisksctl info -b /dev/sda1'") + machine.succeed("su - alice -c 'udisksctl mount -b /dev/sda1'") + machine.succeed( + "su - alice -c 'cat /run/media/alice/USBSTICK/test.txt' | grep -q 'Hello World'" + ) + machine.succeed("su - alice -c 'echo foo > /run/media/alice/USBSTICK/bar.txt'") # Unmounting the stick should make the mountpoint disappear. - $machine->succeed("su - alice -c 'udisksctl unmount -b /dev/sda1'"); - $machine->fail("[ -d /run/media/alice/USBSTICK ]"); + machine.succeed("su - alice -c 'udisksctl unmount -b /dev/sda1'") + machine.fail("[ -d /run/media/alice/USBSTICK ]") # Remove the USB stick. - $machine->sendMonitorCommand("device_del stick"); - $machine->waitUntilFails("udisksctl info -b /dev/sda1"); - $machine->fail("[ -e /dev/sda ]"); + machine.send_monitor_command("device_del stick") + machine.wait_until_fails("udisksctl info -b /dev/sda1") + machine.fail("[ -e /dev/sda ]") ''; }) diff --git a/nixpkgs/nixos/tests/upnp.nix b/nixpkgs/nixos/tests/upnp.nix index 98344aee3efa..a7d837ea0708 100644 --- a/nixpkgs/nixos/tests/upnp.nix +++ b/nixpkgs/nixos/tests/upnp.nix @@ -5,7 +5,7 @@ # this succeeds an external client will try to connect to the port # mapping. -import ./make-test.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, ... }: let internalRouterAddress = "192.168.3.1"; @@ -56,9 +56,11 @@ in networking.firewall.enable = false; services.httpd.enable = true; - services.httpd.listen = [{ ip = "*"; port = 9000; }]; - services.httpd.adminAddr = "foo@example.org"; - services.httpd.documentRoot = "/tmp"; + services.httpd.virtualHosts.localhost = { + listen = [{ ip = "*"; port = 9000; }]; + adminAddr = "foo@example.org"; + documentRoot = "/tmp"; + }; }; client2 = @@ -75,20 +77,20 @@ in testScript = { nodes, ... }: '' - startAll; + start_all() # Wait for network and miniupnpd. - $router->waitForUnit("network-online.target"); - # $router->waitForUnit("nat"); - $router->waitForUnit("firewall.service"); - $router->waitForUnit("miniupnpd"); + router.wait_for_unit("network-online.target") + # $router.wait_for_unit("nat") + router.wait_for_unit("firewall.service") + router.wait_for_unit("miniupnpd") - $client1->waitForUnit("network-online.target"); + client1.wait_for_unit("network-online.target") - $client1->succeed("upnpc -a ${internalClient1Address} 9000 9000 TCP"); + client1.succeed("upnpc -a ${internalClient1Address} 9000 9000 TCP") - $client1->waitForUnit("httpd"); - $client2->waitUntilSucceeds("curl http://${externalRouterAddress}:9000/"); + client1.wait_for_unit("httpd") + client2.wait_until_succeeds("curl http://${externalRouterAddress}:9000/") ''; }) diff --git a/nixpkgs/nixos/tests/uwsgi.nix b/nixpkgs/nixos/tests/uwsgi.nix index afc03e74ed7e..78a87147f55c 100644 --- a/nixpkgs/nixos/tests/uwsgi.nix +++ b/nixpkgs/nixos/tests/uwsgi.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, ... }: { name = "uwsgi"; meta = with pkgs.stdenv.lib.maintainers; { @@ -30,9 +30,9 @@ import ./make-test.nix ({ pkgs, ... }: testScript = '' - $machine->waitForUnit('multi-user.target'); - $machine->waitForUnit('uwsgi.service'); - $machine->waitForOpenPort(8000); - $machine->succeed('curl -v 127.0.0.1:8000 | grep "Hello World!"'); + machine.wait_for_unit("multi-user.target") + machine.wait_for_unit("uwsgi.service") + machine.wait_for_open_port(8000) + assert "Hello World" in machine.succeed("curl -v 127.0.0.1:8000") ''; }) diff --git a/nixpkgs/nixos/tests/vault.nix b/nixpkgs/nixos/tests/vault.nix index caf0cbb2abfe..ac8cf0703da5 100644 --- a/nixpkgs/nixos/tests/vault.nix +++ b/nixpkgs/nixos/tests/vault.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, ... }: { name = "vault"; meta = with pkgs.stdenv.lib.maintainers; { @@ -12,12 +12,12 @@ import ./make-test.nix ({ pkgs, ... }: testScript = '' - startAll; + start_all() - $machine->waitForUnit('multi-user.target'); - $machine->waitForUnit('vault.service'); - $machine->waitForOpenPort(8200); - $machine->succeed('vault operator init'); - $machine->succeed('vault status | grep Sealed | grep true'); + machine.wait_for_unit("multi-user.target") + machine.wait_for_unit("vault.service") + machine.wait_for_open_port(8200) + machine.succeed("vault operator init") + machine.succeed("vault status | grep Sealed | grep true") ''; }) diff --git a/nixpkgs/nixos/tests/wireguard/default.nix b/nixpkgs/nixos/tests/wireguard/default.nix index b0797b963235..8206823a9181 100644 --- a/nixpkgs/nixos/tests/wireguard/default.nix +++ b/nixpkgs/nixos/tests/wireguard/default.nix @@ -2,7 +2,7 @@ let wg-snakeoil-keys = import ./snakeoil-keys.nix; in -import ../make-test.nix ({ pkgs, ...} : { +import ../make-test-python.nix ({ pkgs, ...} : { name = "wireguard"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ ma27 ]; @@ -86,12 +86,12 @@ import ../make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; + start_all() - $peer0->waitForUnit("wireguard-wg0.service"); - $peer1->waitForUnit("wireguard-wg0.service"); + peer0.wait_for_unit("wireguard-wg0.service") + peer1.wait_for_unit("wireguard-wg0.service") - $peer1->succeed("ping -c5 fc00::1"); - $peer1->succeed("ping -c5 10.23.42.1") + peer1.succeed("ping -c5 fc00::1") + peer1.succeed("ping -c5 10.23.42.1") ''; }) diff --git a/nixpkgs/nixos/tests/wireguard/generated.nix b/nixpkgs/nixos/tests/wireguard/generated.nix index 897feafe3ff2..a29afd2d4666 100644 --- a/nixpkgs/nixos/tests/wireguard/generated.nix +++ b/nixpkgs/nixos/tests/wireguard/generated.nix @@ -1,4 +1,4 @@ -import ../make-test.nix ({ pkgs, ...} : { +import ../make-test-python.nix ({ pkgs, ...} : { name = "wireguard-generated"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ ma27 grahamc ]; @@ -28,30 +28,34 @@ import ../make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; - - $peer1->waitForUnit("wireguard-wg0.service"); - $peer2->waitForUnit("wireguard-wg0.service"); - - my ($retcode, $peer1pubkey) = $peer1->execute("wg pubkey < /etc/wireguard/private"); - $peer1pubkey =~ s/\s+$//; - if ($retcode != 0) { - die "Could not read public key from peer1"; - } - - my ($retcode, $peer2pubkey) = $peer2->execute("wg pubkey < /etc/wireguard/private"); - $peer2pubkey =~ s/\s+$//; - if ($retcode != 0) { - die "Could not read public key from peer2"; - } - - $peer1->succeed("wg set wg0 peer $peer2pubkey allowed-ips 10.10.10.2/32 endpoint 192.168.1.2:12345 persistent-keepalive 1"); - $peer1->succeed("ip route replace 10.10.10.2/32 dev wg0 table main"); - - $peer2->succeed("wg set wg0 peer $peer1pubkey allowed-ips 10.10.10.1/32 endpoint 192.168.1.1:12345 persistent-keepalive 1"); - $peer2->succeed("ip route replace 10.10.10.1/32 dev wg0 table main"); - - $peer1->succeed("ping -c1 10.10.10.2"); - $peer2->succeed("ping -c1 10.10.10.1"); + start_all() + + peer1.wait_for_unit("wireguard-wg0.service") + peer2.wait_for_unit("wireguard-wg0.service") + + retcode, peer1pubkey = peer1.execute("wg pubkey < /etc/wireguard/private") + if retcode != 0: + raise Exception("Could not read public key from peer1") + + retcode, peer2pubkey = peer2.execute("wg pubkey < /etc/wireguard/private") + if retcode != 0: + raise Exception("Could not read public key from peer2") + + peer1.succeed( + "wg set wg0 peer {} allowed-ips 10.10.10.2/32 endpoint 192.168.1.2:12345 persistent-keepalive 1".format( + peer2pubkey.strip() + ) + ) + peer1.succeed("ip route replace 10.10.10.2/32 dev wg0 table main") + + peer2.succeed( + "wg set wg0 peer {} allowed-ips 10.10.10.1/32 endpoint 192.168.1.1:12345 persistent-keepalive 1".format( + peer1pubkey.strip() + ) + ) + peer2.succeed("ip route replace 10.10.10.1/32 dev wg0 table main") + + peer1.succeed("ping -c1 10.10.10.2") + peer2.succeed("ping -c1 10.10.10.1") ''; }) diff --git a/nixpkgs/nixos/tests/wireguard/namespaces.nix b/nixpkgs/nixos/tests/wireguard/namespaces.nix new file mode 100644 index 000000000000..c8a4e3bb52a1 --- /dev/null +++ b/nixpkgs/nixos/tests/wireguard/namespaces.nix @@ -0,0 +1,78 @@ +let + listenPort = 12345; + socketNamespace = "foo"; + interfaceNamespace = "bar"; + node = { + networking.wireguard.interfaces.wg0 = { + listenPort = listenPort; + ips = [ "10.10.10.1/24" ]; + privateKeyFile = "/etc/wireguard/private"; + generatePrivateKeyFile = true; + }; + }; + +in + +import ../make-test-python.nix ({ pkgs, ...} : { + name = "wireguard-with-namespaces"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ asymmetric ]; + }; + + nodes = { + # interface should be created in the socketNamespace + # and not moved from there + peer0 = pkgs.lib.attrsets.recursiveUpdate node { + networking.wireguard.interfaces.wg0 = { + preSetup = '' + ip netns add ${socketNamespace} + ''; + inherit socketNamespace; + }; + }; + # interface should be created in the init namespace + # and moved to the interfaceNamespace + peer1 = pkgs.lib.attrsets.recursiveUpdate node { + networking.wireguard.interfaces.wg0 = { + preSetup = '' + ip netns add ${interfaceNamespace} + ''; + inherit interfaceNamespace; + }; + }; + # interface should be created in the socketNamespace + # and moved to the interfaceNamespace + peer2 = pkgs.lib.attrsets.recursiveUpdate node { + networking.wireguard.interfaces.wg0 = { + preSetup = '' + ip netns add ${socketNamespace} + ip netns add ${interfaceNamespace} + ''; + inherit socketNamespace interfaceNamespace; + }; + }; + # interface should be created in the socketNamespace + # and moved to the init namespace + peer3 = pkgs.lib.attrsets.recursiveUpdate node { + networking.wireguard.interfaces.wg0 = { + preSetup = '' + ip netns add ${socketNamespace} + ''; + inherit socketNamespace; + interfaceNamespace = "init"; + }; + }; + }; + + testScript = '' + start_all() + + for machine in peer0, peer1, peer2, peer3: + machine.wait_for_unit("wireguard-wg0.service") + + peer0.succeed("ip -n ${socketNamespace} link show wg0") + peer1.succeed("ip -n ${interfaceNamespace} link show wg0") + peer2.succeed("ip -n ${interfaceNamespace} link show wg0") + peer3.succeed("ip link show wg0") + ''; +}) diff --git a/nixpkgs/nixos/tests/wordpress.nix b/nixpkgs/nixos/tests/wordpress.nix index c6acfa6c1f3d..b7449859f7e6 100644 --- a/nixpkgs/nixos/tests/wordpress.nix +++ b/nixpkgs/nixos/tests/wordpress.nix @@ -1,9 +1,13 @@ -import ./make-test.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, ... }: { name = "wordpress"; meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ grahamc ]; # under duress! + maintainers = [ + flokli + grahamc # under duress! + mmilata + ]; }; machine = @@ -23,19 +27,31 @@ import ./make-test.nix ({ pkgs, ... }: }; testScript = '' - startAll; + import re - $machine->waitForUnit("httpd"); - $machine->waitForUnit("phpfpm-wordpress-site1.local"); - $machine->waitForUnit("phpfpm-wordpress-site2.local"); + start_all() - $machine->succeed("curl -L site1.local | grep 'Welcome to the famous'"); - $machine->succeed("curl -L site2.local | grep 'Welcome to the famous'"); + machine.wait_for_unit("httpd") - $machine->succeed("systemctl --no-pager show wordpress-init-site1.local.service | grep 'ExecStart=.*status=0'"); - $machine->succeed("systemctl --no-pager show wordpress-init-site2.local.service | grep 'ExecStart=.*status=0'"); - $machine->succeed("grep -E '^define.*NONCE_SALT.{64,};\$' /var/lib/wordpress/site1.local/secret-keys.php"); - $machine->succeed("grep -E '^define.*NONCE_SALT.{64,};\$' /var/lib/wordpress/site2.local/secret-keys.php"); - ''; + machine.wait_for_unit("phpfpm-wordpress-site1.local") + machine.wait_for_unit("phpfpm-wordpress-site2.local") + + site_names = ["site1.local", "site2.local"] + + with subtest("website returns welcome screen"): + for site_name in site_names: + assert "Welcome to the famous" in machine.succeed(f"curl -L {site_name}") + with subtest("wordpress-init went through"): + for site_name in site_names: + info = machine.get_unit_info(f"wordpress-init-{site_name}") + assert info["Result"] == "success" + + with subtest("secret keys are set"): + pattern = re.compile(r"^define.*NONCE_SALT.{64,};$", re.MULTILINE) + for site_name in site_names: + assert pattern.search( + machine.succeed(f"cat /var/lib/wordpress/{site_name}/secret-keys.php") + ) + ''; }) diff --git a/nixpkgs/nixos/tests/xautolock.nix b/nixpkgs/nixos/tests/xautolock.nix index ee46d9e05b06..10e92b40e956 100644 --- a/nixpkgs/nixos/tests/xautolock.nix +++ b/nixpkgs/nixos/tests/xautolock.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, lib, ... }: +import ./make-test-python.nix ({ pkgs, lib, ... }: with lib; @@ -15,10 +15,10 @@ with lib; }; testScript = '' - $machine->start; - $machine->waitForX; - $machine->mustFail("pgrep xlock"); - $machine->sleep(120); - $machine->mustSucceed("pgrep xlock"); + machine.start() + machine.wait_for_x() + machine.fail("pgrep xlock") + machine.sleep(120) + machine.succeed("pgrep xlock") ''; }) diff --git a/nixpkgs/nixos/tests/xdg-desktop-portal.nix b/nixpkgs/nixos/tests/xdg-desktop-portal.nix deleted file mode 100644 index 79ebb83c49a5..000000000000 --- a/nixpkgs/nixos/tests/xdg-desktop-portal.nix +++ /dev/null @@ -1,17 +0,0 @@ -# run installed tests -import ./make-test.nix ({ pkgs, ... }: - -{ - name = "xdg-desktop-portal"; - meta = { - maintainers = pkgs.xdg-desktop-portal.meta.maintainers; - }; - - machine = { pkgs, ... }: { - environment.systemPackages = with pkgs; [ gnome-desktop-testing ]; - }; - - testScript = '' - $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.xdg-desktop-portal.installedTests}/share'"); - ''; -}) diff --git a/nixpkgs/nixos/tests/xfce.nix b/nixpkgs/nixos/tests/xfce.nix index 6cb4fae2021f..3ea96b383631 100644 --- a/nixpkgs/nixos/tests/xfce.nix +++ b/nixpkgs/nixos/tests/xfce.nix @@ -1,8 +1,5 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "xfce"; - meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ eelco shlevy ]; - }; machine = { pkgs, ... }: @@ -16,31 +13,26 @@ import ./make-test.nix ({ pkgs, ...} : { services.xserver.desktopManager.xfce.enable = true; - environment.systemPackages = [ pkgs.xorg.xmessage ]; - hardware.pulseaudio.enable = true; # needed for the factl test, /dev/snd/* exists without them but udev doesn't care then virtualisation.memorySize = 1024; }; - testScript = - '' - $machine->waitForX; - $machine->waitForFile("/home/alice/.Xauthority"); - $machine->succeed("xauth merge ~alice/.Xauthority"); - $machine->waitForWindow(qr/xfce4-panel/); - $machine->sleep(10); + testScript = { nodes, ... }: let + user = nodes.machine.config.users.users.alice; + in '' + machine.wait_for_x() + machine.wait_for_file("${user.home}/.Xauthority") + machine.succeed("xauth merge ${user.home}/.Xauthority") + machine.wait_for_window("xfce4-panel") + machine.sleep(10) # Check that logging in has given the user ownership of devices. - $machine->succeed("getfacl /dev/snd/timer | grep -q alice"); - - $machine->succeed("su - alice -c 'DISPLAY=:0.0 xfce4-terminal &'"); - $machine->waitForWindow(qr/Terminal/); - $machine->sleep(10); - $machine->screenshot("screen"); + machine.succeed("getfacl -p /dev/snd/timer | grep -q ${user.name}") - # Ensure that the X server does proper access control. - $machine->mustFail("su - bob -c 'DISPLAY=:0.0 xmessage Foo'"); - $machine->mustFail("su - bob -c 'DISPLAY=:0 xmessage Foo'"); + machine.succeed("su - ${user.name} -c 'DISPLAY=:0.0 xfce4-terminal &'") + machine.wait_for_window("Terminal") + machine.sleep(10) + machine.screenshot("screen") ''; }) diff --git a/nixpkgs/nixos/tests/xfce4-14.nix b/nixpkgs/nixos/tests/xfce4-14.nix deleted file mode 100644 index 94378f0c8d34..000000000000 --- a/nixpkgs/nixos/tests/xfce4-14.nix +++ /dev/null @@ -1,37 +0,0 @@ -import ./make-test.nix ({ pkgs, ...} : { - name = "xfce4-14"; - - machine = - { pkgs, ... }: - - { imports = [ ./common/user-account.nix ]; - - services.xserver.enable = true; - - services.xserver.displayManager.auto.enable = true; - services.xserver.displayManager.auto.user = "alice"; - - services.xserver.desktopManager.xfce4-14.enable = true; - - hardware.pulseaudio.enable = true; # needed for the factl test, /dev/snd/* exists without them but udev doesn't care then - - virtualisation.memorySize = 1024; - }; - - testScript = - '' - $machine->waitForX; - $machine->waitForFile("/home/alice/.Xauthority"); - $machine->succeed("xauth merge ~alice/.Xauthority"); - $machine->waitForWindow(qr/xfce4-panel/); - $machine->sleep(10); - - # Check that logging in has given the user ownership of devices. - $machine->succeed("getfacl /dev/snd/timer | grep -q alice"); - - $machine->succeed("su - alice -c 'DISPLAY=:0.0 xfce4-terminal &'"); - $machine->waitForWindow(qr/Terminal/); - $machine->sleep(10); - $machine->screenshot("screen"); - ''; -}) diff --git a/nixpkgs/nixos/tests/xmonad.nix b/nixpkgs/nixos/tests/xmonad.nix index 79c15ccffecd..ef711f8dcf6a 100644 --- a/nixpkgs/nixos/tests/xmonad.nix +++ b/nixpkgs/nixos/tests/xmonad.nix @@ -1,13 +1,13 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "xmonad"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ nequissimus ]; }; - machine = { lib, pkgs, ... }: { + machine = { pkgs, ... }: { imports = [ ./common/x11.nix ./common/user-account.nix ]; services.xserver.displayManager.auto.user = "alice"; - services.xserver.windowManager.default = lib.mkForce "xmonad"; + services.xserver.displayManager.defaultSession = "none+xmonad"; services.xserver.windowManager.xmonad = { enable = true; enableContribAndExtras = true; @@ -21,19 +21,21 @@ import ./make-test.nix ({ pkgs, ...} : { }; }; - testScript = { ... }: '' - $machine->waitForX; - $machine->waitForFile("/home/alice/.Xauthority"); - $machine->succeed("xauth merge ~alice/.Xauthority"); - $machine->sendKeys("alt-ctrl-x"); - $machine->waitForWindow(qr/alice.*machine/); - $machine->sleep(1); - $machine->screenshot("terminal"); - $machine->waitUntilSucceeds("xmonad --restart"); - $machine->sleep(3); - $machine->sendKeys("alt-shift-ret"); - $machine->waitForWindow(qr/alice.*machine/); - $machine->sleep(1); - $machine->screenshot("terminal"); + testScript = { nodes, ... }: let + user = nodes.machine.config.users.users.alice; + in '' + machine.wait_for_x() + machine.wait_for_file("${user.home}/.Xauthority") + machine.succeed("xauth merge ${user.home}/.Xauthority") + machine.send_key("alt-ctrl-x") + machine.wait_for_window("${user.name}.*machine") + machine.sleep(1) + machine.screenshot("terminal") + machine.wait_until_succeeds("xmonad --restart") + machine.sleep(3) + machine.send_key("alt-shift-ret") + machine.wait_for_window("${user.name}.*machine") + machine.sleep(1) + machine.screenshot("terminal") ''; }) diff --git a/nixpkgs/nixos/tests/xmpp/ejabberd.nix b/nixpkgs/nixos/tests/xmpp/ejabberd.nix index 196a04aca300..1518aaacc8ab 100644 --- a/nixpkgs/nixos/tests/xmpp/ejabberd.nix +++ b/nixpkgs/nixos/tests/xmpp/ejabberd.nix @@ -1,4 +1,4 @@ -import ../make-test.nix ({ pkgs, ... }: { +import ../make-test-python.nix ({ pkgs, ... }: { name = "ejabberd"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ ajs124 ]; @@ -248,13 +248,21 @@ import ../make-test.nix ({ pkgs, ... }: { }; testScript = { nodes, ... }: '' - $server->waitForUnit('ejabberd.service'); - $server->succeed('su ejabberd -s $(which ejabberdctl) status|grep started') =~ /ejabberd is running/; - $server->succeed('su ejabberd -s $(which ejabberdctl) register azurediamond example.com hunter2'); - $server->succeed('su ejabberd -s $(which ejabberdctl) register cthon98 example.com nothunter2'); - $server->fail('su ejabberd -s $(which ejabberdctl) register asdf wrong.domain'); - $client->succeed('send-message'); - $server->succeed('su ejabberd -s $(which ejabberdctl) unregister cthon98 example.com'); - $server->succeed('su ejabberd -s $(which ejabberdctl) unregister azurediamond example.com'); + ejabberd_prefix = "su ejabberd -s $(which ejabberdctl) " + + server.wait_for_unit("ejabberd.service") + + assert "status: started" in server.succeed(ejabberd_prefix + "status") + + server.succeed( + ejabberd_prefix + "register azurediamond example.com hunter2", + ejabberd_prefix + "register cthon98 example.com nothunter2", + ) + server.fail(ejabberd_prefix + "register asdf wrong.domain") + client.succeed("send-message") + server.succeed( + ejabberd_prefix + "unregister cthon98 example.com", + ejabberd_prefix + "unregister azurediamond example.com", + ) ''; }) diff --git a/nixpkgs/nixos/tests/xmpp/prosody-mysql.nix b/nixpkgs/nixos/tests/xmpp/prosody-mysql.nix index 62b4a17421e5..0507227021b2 100644 --- a/nixpkgs/nixos/tests/xmpp/prosody-mysql.nix +++ b/nixpkgs/nixos/tests/xmpp/prosody-mysql.nix @@ -1,4 +1,4 @@ -import ../make-test.nix { +import ../make-test-python.nix { name = "prosody-mysql"; nodes = { @@ -57,21 +57,21 @@ import ../make-test.nix { }; testScript = { nodes, ... }: '' - $mysql->waitForUnit('mysql.service'); - $server->waitForUnit('prosody.service'); - $server->succeed('prosodyctl status') =~ /Prosody is running/; + mysql.wait_for_unit("mysql.service") + server.wait_for_unit("prosody.service") + server.succeed('prosodyctl status | grep "Prosody is running"') # set password to 'nothunter2' (it's asked twice) - $server->succeed('yes nothunter2 | prosodyctl adduser cthon98@example.com'); + server.succeed("yes nothunter2 | prosodyctl adduser cthon98@example.com") # set password to 'y' - $server->succeed('yes | prosodyctl adduser azurediamond@example.com'); + server.succeed("yes | prosodyctl adduser azurediamond@example.com") # correct password to 'hunter2' - $server->succeed('yes hunter2 | prosodyctl passwd azurediamond@example.com'); + server.succeed("yes hunter2 | prosodyctl passwd azurediamond@example.com") - $client->succeed("send-message"); + client.succeed("send-message") - $server->succeed('prosodyctl deluser cthon98@example.com'); - $server->succeed('prosodyctl deluser azurediamond@example.com'); + server.succeed("prosodyctl deluser cthon98@example.com") + server.succeed("prosodyctl deluser azurediamond@example.com") ''; } diff --git a/nixpkgs/nixos/tests/xmpp/prosody.nix b/nixpkgs/nixos/tests/xmpp/prosody.nix index 8331c7b6d331..9d1374bff6bd 100644 --- a/nixpkgs/nixos/tests/xmpp/prosody.nix +++ b/nixpkgs/nixos/tests/xmpp/prosody.nix @@ -1,4 +1,4 @@ -import ../make-test.nix { +import ../make-test-python.nix { name = "prosody"; nodes = { @@ -28,19 +28,19 @@ import ../make-test.nix { }; testScript = { nodes, ... }: '' - $server->waitForUnit('prosody.service'); - $server->succeed('prosodyctl status') =~ /Prosody is running/; + server.wait_for_unit("prosody.service") + server.succeed('prosodyctl status | grep "Prosody is running"') # set password to 'nothunter2' (it's asked twice) - $server->succeed('yes nothunter2 | prosodyctl adduser cthon98@example.com'); + server.succeed("yes nothunter2 | prosodyctl adduser cthon98@example.com") # set password to 'y' - $server->succeed('yes | prosodyctl adduser azurediamond@example.com'); - # correct password to 'hunter2' - $server->succeed('yes hunter2 | prosodyctl passwd azurediamond@example.com'); + server.succeed("yes | prosodyctl adduser azurediamond@example.com") + # correct password to "hunter2" + server.succeed("yes hunter2 | prosodyctl passwd azurediamond@example.com") - $client->succeed("send-message"); + client.succeed("send-message") - $server->succeed('prosodyctl deluser cthon98@example.com'); - $server->succeed('prosodyctl deluser azurediamond@example.com'); + server.succeed("prosodyctl deluser cthon98@example.com") + server.succeed("prosodyctl deluser azurediamond@example.com") ''; } diff --git a/nixpkgs/nixos/tests/xrdp.nix b/nixpkgs/nixos/tests/xrdp.nix index 0106aefe8318..1aceeffb955d 100644 --- a/nixpkgs/nixos/tests/xrdp.nix +++ b/nixpkgs/nixos/tests/xrdp.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "xrdp"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ volth ]; @@ -21,25 +21,27 @@ import ./make-test.nix ({ pkgs, ...} : { }; }; - testScript = { ... }: '' - startAll; + testScript = { nodes, ... }: let + user = nodes.client.config.users.users.alice; + in '' + start_all() - $client->waitForX; - $client->waitForFile("/home/alice/.Xauthority"); - $client->succeed("xauth merge ~alice/.Xauthority"); + client.wait_for_x() + client.wait_for_file("${user.home}/.Xauthority") + client.succeed("xauth merge ${user.home}/.Xauthority") - $client->sleep(5); + client.sleep(5) - $client->execute("xterm &"); - $client->sleep(1); - $client->sendChars("xfreerdp /cert-tofu /w:640 /h:480 /v:127.0.0.1 /u:alice /p:foobar\n"); - $client->sleep(5); - $client->screenshot("localrdp"); + client.execute("xterm &") + client.sleep(1) + client.send_chars("xfreerdp /cert-tofu /w:640 /h:480 /v:127.0.0.1 /u:${user.name} /p:${user.password}\n") + client.sleep(5) + client.screenshot("localrdp") - $client->execute("xterm &"); - $client->sleep(1); - $client->sendChars("xfreerdp /cert-tofu /w:640 /h:480 /v:server /u:alice /p:foobar\n"); - $client->sleep(5); - $client->screenshot("remoterdp"); + client.execute("xterm &") + client.sleep(1) + client.send_chars("xfreerdp /cert-tofu /w:640 /h:480 /v:server /u:${user.name} /p:${user.password}\n") + client.sleep(5) + client.screenshot("remoterdp") ''; }) diff --git a/nixpkgs/nixos/tests/xss-lock.nix b/nixpkgs/nixos/tests/xss-lock.nix index 0d757e8cef3f..3a7dea07d53a 100644 --- a/nixpkgs/nixos/tests/xss-lock.nix +++ b/nixpkgs/nixos/tests/xss-lock.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, lib, ... }: +import ./make-test-python.nix ({ pkgs, lib, ... }: with lib; @@ -26,15 +26,19 @@ with lib; }; testScript = '' - startAll; - - ${concatStringsSep "\n" (mapAttrsToList (name: lockCmd: '' - ${"$"+name}->start; - ${"$"+name}->waitForX; - ${"$"+name}->waitForUnit("xss-lock.service", "alice"); - ${"$"+name}->fail("pgrep ${lockCmd}"); - ${"$"+name}->succeed("su -l alice -c 'xset dpms force standby'"); - ${"$"+name}->waitUntilSucceeds("pgrep ${lockCmd}"); - '') { simple = "i3lock"; custom_lockcmd = "xlock"; })} + def perform_xsslock_test(machine, lockCmd): + machine.start() + machine.wait_for_x() + machine.wait_for_unit("xss-lock.service", "alice") + machine.fail(f"pgrep {lockCmd}") + machine.succeed("su -l alice -c 'xset dpms force standby'") + machine.wait_until_succeeds(f"pgrep {lockCmd}") + + + with subtest("simple"): + perform_xsslock_test(simple, "i3lock") + + with subtest("custom_cmd"): + perform_xsslock_test(custom_lockcmd, "xlock") ''; }) diff --git a/nixpkgs/nixos/tests/yabar.nix b/nixpkgs/nixos/tests/yabar.nix index bbc0cf4c7dd7..9108004d4df9 100644 --- a/nixpkgs/nixos/tests/yabar.nix +++ b/nixpkgs/nixos/tests/yabar.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, lib, ... }: +import ./make-test-python.nix ({ pkgs, lib, ... }: with lib; @@ -20,14 +20,14 @@ with lib; }; testScript = '' - $machine->start; - $machine->waitForX; + machine.start() + machine.wait_for_x() # confirm proper startup - $machine->waitForUnit("yabar.service", "bob"); - $machine->sleep(10); - $machine->waitForUnit("yabar.service", "bob"); + machine.wait_for_unit("yabar.service", "bob") + machine.sleep(10) + machine.wait_for_unit("yabar.service", "bob") - $machine->screenshot("top_bar"); + machine.screenshot("top_bar") ''; }) diff --git a/nixpkgs/nixos/tests/yggdrasil.nix b/nixpkgs/nixos/tests/yggdrasil.nix new file mode 100644 index 000000000000..468fcf671274 --- /dev/null +++ b/nixpkgs/nixos/tests/yggdrasil.nix @@ -0,0 +1,125 @@ +let + aliceIp6 = "200:3b91:b2d8:e708:fbf3:f06:fdd5:90d0"; + aliceKeys = { + EncryptionPublicKey = "13e23986fe76bc3966b42453f479bc563348b7ff76633b7efcb76e185ec7652f"; + EncryptionPrivateKey = "9f86947b15e86f9badac095517a1982e39a2db37ca726357f95987b898d82208"; + SigningPublicKey = "e2c43349083bc1e998e4ec4535b4c6a8f44ca9a5a8e07336561267253b2be5f4"; + SigningPrivateKey = "fe3add8da35316c05f6d90d3ca79bd2801e6ccab6d37e5339fef4152589398abe2c43349083bc1e998e4ec4535b4c6a8f44ca9a5a8e07336561267253b2be5f4"; + }; + bobIp6 = "201:ebbd:bde9:f138:c302:4afa:1fb6:a19a"; + bobConfig = { + InterfacePeers = { + eth1 = [ "tcp://192.168.1.200:12345" ]; + }; + MulticastInterfaces = [ "eth1" ]; + LinkLocalTCPPort = 54321; + EncryptionPublicKey = "c99d6830111e12d1b004c52fe9e5a2eef0f6aefca167aca14589a370b7373279"; + EncryptionPrivateKey = "2e698a53d3fdce5962d2ff37de0fe77742a5c8b56cd8259f5da6aa792f6e8ba3"; + SigningPublicKey = "de111da0ec781e45bf6c63ecb45a78c24d7d4655abfaeea83b26c36eb5c0fd5b"; + SigningPrivateKey = "2a6c21550f3fca0331df50668ffab66b6dce8237bcd5728e571e8033b363e247de111da0ec781e45bf6c63ecb45a78c24d7d4655abfaeea83b26c36eb5c0fd5b"; + }; + +in import ./make-test-python.nix ({ pkgs, ...} : { + name = "yggdrasil"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ gazally ]; + }; + + nodes = rec { + # Alice is listening for peerings on a specified port, + # but has multicast peering disabled. Alice has part of her + # yggdrasil config in Nix and part of it in a file. + alice = + { ... }: + { + networking = { + interfaces.eth1.ipv4.addresses = [{ + address = "192.168.1.200"; + prefixLength = 24; + }]; + firewall.allowedTCPPorts = [ 80 12345 ]; + }; + services.httpd.enable = true; + services.httpd.adminAddr = "foo@example.org"; + + services.yggdrasil = { + enable = true; + config = { + Listen = ["tcp://0.0.0.0:12345"]; + MulticastInterfaces = [ ]; + }; + configFile = toString (pkgs.writeTextFile { + name = "yggdrasil-alice-conf"; + text = builtins.toJSON aliceKeys; + }); + }; + }; + + # Bob is set up to peer with Alice, and also to do local multicast + # peering. Bob's yggdrasil config is in a file. + bob = + { ... }: + { + networking.firewall.allowedTCPPorts = [ 54321 ]; + services.yggdrasil = { + enable = true; + openMulticastPort = true; + configFile = toString (pkgs.writeTextFile { + name = "yggdrasil-bob-conf"; + text = builtins.toJSON bobConfig; + }); + }; + }; + + # Carol only does local peering. Carol's yggdrasil config is all Nix. + carol = + { ... }: + { + networking.firewall.allowedTCPPorts = [ 43210 ]; + services.yggdrasil = { + enable = true; + denyDhcpcdInterfaces = [ "ygg0" ]; + config = { + IfTAPMode = true; + IfName = "ygg0"; + MulticastInterfaces = [ "eth1" ]; + LinkLocalTCPPort = 43210; + }; + }; + }; + }; + + testScript = + '' + import re + + # Give Alice a head start so she is ready when Bob calls. + alice.start() + alice.wait_for_unit("yggdrasil.service") + + bob.start() + carol.start() + bob.wait_for_unit("yggdrasil.service") + carol.wait_for_unit("yggdrasil.service") + + ip_addr_show = "ip -o -6 addr show dev ygg0 scope global" + carol.wait_until_succeeds(f"[ `{ip_addr_show} | grep -v tentative | wc -l` -ge 1 ]") + carol_ip6 = re.split(" +|/", carol.succeed(ip_addr_show))[3] + + # If Alice can talk to Carol, then Bob's outbound peering and Carol's + # local peering have succeeded and everybody is connected. + alice.wait_until_succeeds(f"ping -c 1 {carol_ip6}") + alice.succeed(f"ping -c 1 ${bobIp6}") + + bob.succeed("ping -c 1 ${aliceIp6}") + bob.succeed(f"ping -c 1 {carol_ip6}") + + carol.succeed("ping -c 1 ${aliceIp6}") + carol.succeed("ping -c 1 ${bobIp6}") + + carol.fail("journalctl -u dhcpcd | grep ygg0") + + alice.wait_for_unit("httpd.service") + carol.succeed("curl --fail -g http://[${aliceIp6}]") + ''; +}) diff --git a/nixpkgs/nixos/tests/zfs.nix b/nixpkgs/nixos/tests/zfs.nix index d7a08268e984..8f844aca4160 100644 --- a/nixpkgs/nixos/tests/zfs.nix +++ b/nixpkgs/nixos/tests/zfs.nix @@ -7,7 +7,7 @@ with import ../lib/testing.nix { inherit system pkgs; }; let - makeTest = import ./make-test.nix; + makeTest = import ./make-test-python.nix; makeZfsTest = name: { kernelPackage ? pkgs.linuxPackages_latest @@ -34,12 +34,12 @@ let }; testScript = '' - $machine->succeed("modprobe zfs"); - $machine->succeed("zpool status"); + machine.succeed("modprobe zfs") + machine.succeed("zpool status") - $machine->succeed("ls /dev"); + machine.succeed("ls /dev") - $machine->succeed( + machine.succeed( "mkdir /tmp/mnt", "udevadm settle", @@ -55,9 +55,7 @@ let "umount /tmp/mnt", "zpool destroy rpool", "udevadm settle" - - ); - + ) '' + extraTest; }; @@ -70,8 +68,8 @@ in { unstable = makeZfsTest "unstable" { enableUnstable = true; extraTest = '' - $machine->succeed( - "echo password | zpool create -o altroot='/tmp/mnt' -O encryption=aes-256-gcm -O keyformat=passphrase rpool /dev/vdb1", + machine.succeed( + "echo password | zpool create -o altroot=\"/tmp/mnt\" -O encryption=aes-256-gcm -O keyformat=passphrase rpool /dev/vdb1", "zfs create -o mountpoint=legacy rpool/root", "mount -t zfs rpool/root /tmp/mnt", "udevadm settle", @@ -79,7 +77,7 @@ in { "umount /tmp/mnt", "zpool destroy rpool", "udevadm settle" - ); + ) ''; }; diff --git a/nixpkgs/nixos/tests/zookeeper.nix b/nixpkgs/nixos/tests/zookeeper.nix index f343ebd39e44..42cf20b39c52 100644 --- a/nixpkgs/nixos/tests/zookeeper.nix +++ b/nixpkgs/nixos/tests/zookeeper.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, ...} : { name = "zookeeper"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ nequissimus ]; @@ -15,14 +15,20 @@ import ./make-test.nix ({ pkgs, ...} : { }; testScript = '' - startAll; + start_all() - $server->waitForUnit("zookeeper"); - $server->waitForUnit("network.target"); - $server->waitForOpenPort(2181); + server.wait_for_unit("zookeeper") + server.wait_for_unit("network.target") + server.wait_for_open_port(2181) - $server->waitUntilSucceeds("${pkgs.zookeeper}/bin/zkCli.sh -server localhost:2181 create /foo bar"); - $server->waitUntilSucceeds("${pkgs.zookeeper}/bin/zkCli.sh -server localhost:2181 set /foo hello"); - $server->waitUntilSucceeds("${pkgs.zookeeper}/bin/zkCli.sh -server localhost:2181 get /foo | grep hello"); + server.wait_until_succeeds( + "${pkgs.zookeeper}/bin/zkCli.sh -server localhost:2181 create /foo bar" + ) + server.wait_until_succeeds( + "${pkgs.zookeeper}/bin/zkCli.sh -server localhost:2181 set /foo hello" + ) + server.wait_until_succeeds( + "${pkgs.zookeeper}/bin/zkCli.sh -server localhost:2181 get /foo | grep hello" + ) ''; }) diff --git a/nixpkgs/nixos/tests/zsh-history.nix b/nixpkgs/nixos/tests/zsh-history.nix new file mode 100644 index 000000000000..4380ec9adfd2 --- /dev/null +++ b/nixpkgs/nixos/tests/zsh-history.nix @@ -0,0 +1,35 @@ +import ./make-test-python.nix ({ pkgs, ...} : { + name = "zsh-history"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ kampka ]; + }; + + nodes.default = { ... }: { + programs = { + zsh.enable = true; + }; + environment.systemPackages = [ pkgs.zsh-history ]; + programs.zsh.interactiveShellInit = '' + source ${pkgs.zsh-history.out}/share/zsh/init.zsh + ''; + users.users.root.shell = "${pkgs.zsh}/bin/zsh"; + }; + + testScript = '' + start_all() + default.wait_for_unit("multi-user.target") + default.wait_until_succeeds("pgrep -f 'agetty.*tty1'") + + # Login + default.wait_until_tty_matches(1, "login: ") + default.send_chars("root\n") + default.wait_until_tty_matches(1, "root@default>") + + # Generate some history + default.send_chars("echo foobar\n") + default.wait_until_tty_matches(1, "foobar") + + # Ensure that command was recorded in history + default.succeed("/run/current-system/sw/bin/history list | grep -q foobar") + ''; +}) |