diff options
| author | Alyssa Ross <hi@alyssa.is> | 2023-09-01 11:51:02 +0000 |
|---|---|---|
| committer | Alyssa Ross <hi@alyssa.is> | 2023-09-01 11:51:02 +0000 |
| commit | aa4353b499e6950b7333578f936455a628145c31 (patch) | |
| tree | c6332cedece2327a18d08794755b3fc0f9f1905b /nixpkgs/nixos | |
| parent | ac456d475f4e50818499b804359355c0f3b4bbf7 (diff) | |
| parent | 52185f4d76c18d8348f963795dfed1de018e8dfe (diff) | |
| download | nixlib-aa4353b499e6950b7333578f936455a628145c31.tar nixlib-aa4353b499e6950b7333578f936455a628145c31.tar.gz nixlib-aa4353b499e6950b7333578f936455a628145c31.tar.bz2 nixlib-aa4353b499e6950b7333578f936455a628145c31.tar.lz nixlib-aa4353b499e6950b7333578f936455a628145c31.tar.xz nixlib-aa4353b499e6950b7333578f936455a628145c31.tar.zst nixlib-aa4353b499e6950b7333578f936455a628145c31.zip | |
Merge https://github.com/NixOS/nixpkgs
Diffstat (limited to 'nixpkgs/nixos')
44 files changed, 1267 insertions, 197 deletions
diff --git a/nixpkgs/nixos/doc/manual/development/unit-handling.section.md b/nixpkgs/nixos/doc/manual/development/unit-handling.section.md index a7ccb3dbd042..32d44dbfff05 100644 --- a/nixpkgs/nixos/doc/manual/development/unit-handling.section.md +++ b/nixpkgs/nixos/doc/manual/development/unit-handling.section.md @@ -25,8 +25,11 @@ checks: since changes in their values are applied by systemd when systemd is reloaded. - - `.mount` units are **reload**ed. These mostly come from the `/etc/fstab` - parser. + - `.mount` units are **reload**ed if only their `Options` changed. If anything + else changed (like `What`), they are **restart**ed unless they are the mount + unit for `/` or `/nix` in which case they are reloaded to prevent the system + from crashing. Note that this is the case for `.mount` units and not for + mounts from `/etc/fstab`. These are explained in [](#sec-switching-systems). - `.socket` units are currently ignored. This is to be fixed at a later point. diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2311.section.md b/nixpkgs/nixos/doc/manual/release-notes/rl-2311.section.md index 623576ce4ff2..c4ed81e0b5b6 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2311.section.md @@ -30,6 +30,8 @@ - [Anuko Time Tracker](https://github.com/anuko/timetracker), a simple, easy to use, open source time tracking system. Available as [services.anuko-time-tracker](#opt-services.anuko-time-tracker.enable). +- [Prometheus MySQL exporter](https://github.com/prometheus/mysqld_exporter), a MySQL server exporter for Prometheus. Available as [services.prometheus.exporters.mysqld](#opt-services.prometheus.exporters.mysqld.enable). + - [sitespeed-io](https://sitespeed.io), a tool that can generate metrics (timings, diagnostics) for websites. Available as [services.sitespeed-io](#opt-services.sitespeed-io.enable). - [Jool](https://nicmx.github.io/Jool/en/index.html), an Open Source implementation of IPv4/IPv6 translation on Linux. Available as [networking.jool.enable](#opt-networking.jool.enable). @@ -48,6 +50,11 @@ - [eris-server](https://codeberg.org/eris/eris-go). [ERIS](https://eris.codeberg.page/) is an encoding for immutable storage and this server provides block exchange as well as content decoding over HTTP and through a FUSE file-system. Available as [services.eris-server](#opt-services.eris-server.enable). +- [Honk](https://humungus.tedunangst.com/r/honk), a complete ActivityPub server with minimal setup and support costs. + Available as [services.honk](#opt-services.honk.enable). + +- [NNCP](http://www.nncpgo.org/). Added nncp-daemon and nncp-caller services. Configuration is set with [programs.nncp.settings](#opt-programs.nncp.settings) and the daemons are enabled at [services.nncp](#opt-services.nncp.caller.enable). + ## Backward Incompatibilities {#sec-release-23.11-incompatibilities} - The `boot.loader.raspberryPi` options have been marked deprecated, with intent for removal for NixOS 24.11. They had a limited use-case, and do not work like people expect. They required either very old installs ([before mid-2019](https://github.com/NixOS/nixpkgs/pull/62462)) or customized builds out of scope of the standard and generic AArch64 support. That option set never supported the Raspberry Pi 4 family of devices. @@ -66,6 +73,8 @@ - `python3.pkgs.fetchPypi` (and `python3Packages.fetchPypi`) has been deprecated in favor of top-level `fetchPypi`. +- `pass` now does not contain `password-store.el`. Users should get `password-store.el` from Emacs lisp package set `emacs.pkgs.password-store`. + - `mariadb` now defaults to `mariadb_1011` instead of `mariadb_106`, meaning the default version was upgraded from 10.6.x to 10.11.x. See the [upgrade notes](https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/) for potential issues. - `getent` has been moved from `glibc`'s `bin` output to its own dedicated output, reducing closure size for many dependents. Dependents using the `getent` alias should not be affected; others should move from using `glibc.bin` or `getBin glibc` to `getent` (which also improves compatibility with non-glibc platforms). @@ -109,10 +118,17 @@ - The ISC DHCP package and corresponding module have been removed, because they are end of life upstream. See https://www.isc.org/blogs/isc-dhcp-eol/ for details and switch to a different DHCP implementation like kea or dnsmasq. +- `prometheus-unbound-exporter` has been replaced by the Let's Encrypt maintained version, since the previous version was archived. This requires some changes to the module configuration, most notable `controlInterface` needs migration + towards `unbound.host` and requires either the `tcp://` or `unix://` URI scheme. + +- `odoo` now defaults to 16, updated from 15. + - `util-linux` is now supported on Darwin and is no longer an alias to `unixtools`. Use the `unixtools.util-linux` package for access to the Apple variants of the utilities. - `services.keyd` changed API. Now you can create multiple configuration files. +- `baloo`, the file indexer/search engine used by KDE now has a patch to prevent files from constantly being reindexed when the device ids of the their underlying storage changes. This happens frequently when using btrfs or LVM. The patch has not yet been accepted upstream but it provides a significantly improved experience. When upgrading, reset baloo to get a clean index: `balooctl disable ; balooctl purge ; balooctl enable`. + - `services.ddclient` has been removed on the request of the upstream maintainer because it is unmaintained and has bugs. Please switch to a different software like `inadyn` or `knsupdate`. - The `vlock` program from the `kbd` package has been moved into its own package output and should now be referenced explicitly as `kbd.vlock` or replaced with an alternative such as the standalone `vlock` package or `physlock`. @@ -143,6 +159,8 @@ - The `go-ethereum` package has been updated to v1.12.0. This drops support for proof-of-work. Its GraphQL API now encodes all numeric values as hex strings and the GraphQL UI is updated to version 2.0. The default database has changed from `leveldb` to `pebble` but `leveldb` can be forced with the --db.engine=leveldb flag. The `checkpoint-admin` command was [removed along with trusted checkpoints](https://github.com/ethereum/go-ethereum/pull/27147). +- The `aseprite-unfree` package has been upgraded from 1.2.16.3 to 1.2.40. The free version of aseprite has been dropped because it is EOL and the package attribute now points to the unfree version. A maintained fork of the last free version of Aseprite, named 'LibreSprite', is available in the `libresprite` package. + - The default `kops` version is now 1.27.0 and support for 1.24 and older has been dropped. - `pharo` has been updated to latest stable (PharoVM 10.0.5), which is compatible with the latest stable and oldstable images (Pharo 10 and 11). The VM in question is the 64bit Spur. The 32bit version has been dropped due to lack of maintenance. The Cog VM has been deleted because it is severily outdated. Finally, the `pharo-launcher` package has been deleted because it was not compatible with the newer VM, and due to lack of maintenance. @@ -197,6 +215,8 @@ The module update takes care of the new config syntax and the data itself (user - `services.prometheus.exporters` has a new exporter to monitor electrical power consumption based on PowercapRAPL sensor called [Scaphandre](https://github.com/hubblo-org/scaphandre), see [#239803](https://github.com/NixOS/nixpkgs/pull/239803) for more details. +- The MariaDB C client library was upgraded from 3.2.x to 3.3.x. It is recomended to review the [upstream release notes](https://mariadb.com/kb/en/mariadb-connector-c-33-release-notes/). + - The module `services.calibre-server` has new options to configure the `host`, `port`, `auth.enable`, `auth.mode` and `auth.userDb` path, see [#216497](https://github.com/NixOS/nixpkgs/pull/216497/) for more details. - `services.prometheus.exporters` has a new [exporter](https://github.com/hipages/php-fpm_exporter) to monitor PHP-FPM processes, see [#240394](https://github.com/NixOS/nixpkgs/pull/240394) for more details. @@ -211,6 +231,12 @@ The module update takes care of the new config syntax and the data itself (user - Suricata was upgraded from 6.0 to 7.0 and no longer considers HTTP/2 support as experimental, see [upstream release notes](https://forum.suricata.io/t/suricata-7-0-0-released/3715) for more details. +- `networking.nftables` now has the option `networking.nftables.table.<table>` to create tables + and have them be updated atomically, instead of flushing the ruleset. + +- `networking.nftables` is no longer flushing all rulesets on every reload. + Use `networking.nftables.flushRuleset = true;` to get back the old behaviour. + ## Nixpkgs internals {#sec-release-23.11-nixpkgs-internals} - The use of `sourceRoot = "source";`, `sourceRoot = "source/subdir";`, and similar lines in package derivations using the default `unpackPhase` is deprecated as it requires `unpackPhase` to always produce a directory named "source". Use `sourceRoot = src.name`, `sourceRoot = "${src.name}/subdir";`, or `setSourceRoot = "sourceRoot=$(echo */subdir)";` or similar instead. diff --git a/nixpkgs/nixos/modules/config/update-users-groups.pl b/nixpkgs/nixos/modules/config/update-users-groups.pl index 301fd0026400..5f6b65fcd1e1 100644 --- a/nixpkgs/nixos/modules/config/update-users-groups.pl +++ b/nixpkgs/nixos/modules/config/update-users-groups.pl @@ -5,6 +5,7 @@ use File::Path qw(make_path); use File::Slurp; use Getopt::Long; use JSON; +use DateTime; # Keep track of deleted uids and gids. my $uidMapFile = "/var/lib/nixos/uid-map"; @@ -23,6 +24,22 @@ sub updateFile { write_file($path, { atomic => 1, binmode => ':utf8', perms => $perms // 0644 }, $contents) or die; } +# Converts an ISO date to number of days since 1970-01-01 +sub dateToDays { + my ($date) = @_; + my ($year, $month, $day) = split('-', $date, -3); + my $dt = DateTime->new( + year => $year, + month => $month, + day => $day, + hour => 0, + minute => 0, + second => 0, + time_zone => 'UTC', + ); + return $dt->epoch / 86400; +} + sub nscdInvalidate { system("nscd", "--invalidate", $_[0]) unless $is_dry; } @@ -287,22 +304,26 @@ my %shadowSeen; foreach my $line (-f "/etc/shadow" ? read_file("/etc/shadow", { binmode => ":utf8" }) : ()) { chomp $line; - my ($name, $hashedPassword, @rest) = split(':', $line, -9); - my $u = $usersOut{$name};; + # struct name copied from `man 3 shadow` + my ($sp_namp, $sp_pwdp, $sp_lstch, $sp_min, $sp_max, $sp_warn, $sp_inact, $sp_expire, $sp_flag) = split(':', $line, -9); + my $u = $usersOut{$sp_namp};; next if !defined $u; - $hashedPassword = "!" if !$spec->{mutableUsers}; - $hashedPassword = $u->{hashedPassword} if defined $u->{hashedPassword} && !$spec->{mutableUsers}; # FIXME - chomp $hashedPassword; - push @shadowNew, join(":", $name, $hashedPassword, @rest) . "\n"; - $shadowSeen{$name} = 1; + $sp_pwdp = "!" if !$spec->{mutableUsers}; + $sp_pwdp = $u->{hashedPassword} if defined $u->{hashedPassword} && !$spec->{mutableUsers}; # FIXME + $sp_expire = dateToDays($u->{expires}) if defined $u->{expires}; + chomp $sp_pwdp; + push @shadowNew, join(":", $sp_namp, $sp_pwdp, $sp_lstch, $sp_min, $sp_max, $sp_warn, $sp_inact, $sp_expire, $sp_flag) . "\n"; + $shadowSeen{$sp_namp} = 1; } foreach my $u (values %usersOut) { next if defined $shadowSeen{$u->{name}}; my $hashedPassword = "!"; $hashedPassword = $u->{hashedPassword} if defined $u->{hashedPassword}; + my $expires = ""; + $expires = dateToDays($u->{expires}) if defined $u->{expires}; # FIXME: set correct value for sp_lstchg. - push @shadowNew, join(":", $u->{name}, $hashedPassword, "1::::::") . "\n"; + push @shadowNew, join(":", $u->{name}, $hashedPassword, "1::::", $expires, "") . "\n"; } updateFile("/etc/shadow", \@shadowNew, 0640); diff --git a/nixpkgs/nixos/modules/config/users-groups.nix b/nixpkgs/nixos/modules/config/users-groups.nix index 4c9e286ea5fd..9629e3964c96 100644 --- a/nixpkgs/nixos/modules/config/users-groups.nix +++ b/nixpkgs/nixos/modules/config/users-groups.nix @@ -311,6 +311,17 @@ let ''; }; + expires = mkOption { + type = types.nullOr (types.strMatching "[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}"); + default = null; + description = lib.mdDoc '' + Set the date on which the user's account will no longer be + accessible. The date is expressed in the format YYYY-MM-DD, or null + to disable the expiry. + A user whose account is locked must contact the system + administrator before being able to use the system again. + ''; + }; }; config = mkMerge @@ -438,7 +449,7 @@ let name uid group description home homeMode createHome isSystemUser password passwordFile hashedPassword autoSubUidGidRange subUidRanges subGidRanges - initialPassword initialHashedPassword; + initialPassword initialHashedPassword expires; shell = utils.toShellPath u.shell; }) cfg.users; groups = attrValues cfg.groups; @@ -637,7 +648,7 @@ in { install -m 0700 -d /root install -m 0755 -d /home - ${pkgs.perl.withPackages (p: [ p.FileSlurp p.JSON ])}/bin/perl \ + ${pkgs.perl.withPackages (p: [ p.FileSlurp p.JSON p.DateTime ])}/bin/perl \ -w ${./update-users-groups.pl} ${spec} ''; }; diff --git a/nixpkgs/nixos/modules/module-list.nix b/nixpkgs/nixos/modules/module-list.nix index aec12ab21a75..dc4eb41bcddf 100644 --- a/nixpkgs/nixos/modules/module-list.nix +++ b/nixpkgs/nixos/modules/module-list.nix @@ -982,6 +982,7 @@ ./services/networking/nix-serve.nix ./services/networking/nix-store-gcs-proxy.nix ./services/networking/nixops-dns.nix + ./services/networking/nncp.nix ./services/networking/nntp-proxy.nix ./services/networking/nomad.nix ./services/networking/nsd.nix @@ -1228,6 +1229,7 @@ ./services/web-apps/healthchecks.nix ./services/web-apps/hedgedoc.nix ./services/web-apps/hledger-web.nix + ./services/web-apps/honk.nix ./services/web-apps/icingaweb2/icingaweb2.nix ./services/web-apps/icingaweb2/module-monitoring.nix ./services/web-apps/invidious.nix diff --git a/nixpkgs/nixos/modules/programs/dconf.nix b/nixpkgs/nixos/modules/programs/dconf.nix index 7261a143528f..cf53658c4fad 100644 --- a/nixpkgs/nixos/modules/programs/dconf.nix +++ b/nixpkgs/nixos/modules/programs/dconf.nix @@ -1,55 +1,217 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.dconf; - cfgDir = pkgs.symlinkJoin { - name = "dconf-system-config"; - paths = map (x: "${x}/etc/dconf") cfg.packages; - postBuild = '' - mkdir -p $out/profile - mkdir -p $out/db - '' + ( - concatStringsSep "\n" ( - mapAttrsToList ( - name: path: '' - ln -s ${path} $out/profile/${name} - '' - ) cfg.profiles - ) - ) + '' - ${pkgs.dconf}/bin/dconf update $out/db - ''; + + # Compile keyfiles to dconf DB + compileDconfDb = dir: pkgs.runCommand "dconf-db" + { + nativeBuildInputs = [ (lib.getBin pkgs.dconf) ]; + } "dconf compile $out ${dir}"; + + # Check if dconf keyfiles are valid + checkDconfKeyfiles = dir: pkgs.runCommand "check-dconf-keyfiles" + { + nativeBuildInputs = [ (lib.getBin pkgs.dconf) ]; + } '' + if [[ -f ${dir} ]]; then + echo "dconf keyfiles should be a directory but a file is provided: ${dir}" + exit 1 + fi + + dconf compile db ${dir} || ( + echo "The dconf keyfiles are invalid: ${dir}" + exit 1 + ) + cp -R ${dir} $out + ''; + + mkAllLocks = settings: lib.flatten ( + lib.mapAttrsToList (k: v: lib.mapAttrsToList (k': _: "/${k}/${k'}") v) settings); + + # Generate dconf DB from dconfDatabase and keyfiles + mkDconfDb = val: compileDconfDb (pkgs.symlinkJoin { + name = "nixos-generated-dconf-keyfiles"; + paths = [ + (pkgs.writeTextDir "nixos-generated-dconf-keyfiles" (lib.generators.toDconfINI val.settings)) + (pkgs.writeTextDir "locks/nixos-generated-dconf-locks" (lib.concatStringsSep "\n" + (if val.lockAll then mkAllLocks val.settings else val.locks) + )) + ] ++ (map checkDconfKeyfiles val.keyfiles); + }); + + # Check if a dconf DB file is valid. The dconf cli doesn't return 1 when it can't + # open the database file so we have to check if the output is empty. + checkDconfDb = file: pkgs.runCommand "check-dconf-db" + { + nativeBuildInputs = [ (lib.getBin pkgs.dconf) ]; + } '' + if [[ -d ${file} ]]; then + echo "dconf DB should be a file but a directory is provided: ${file}" + exit 1 + fi + + echo "file-db:${file}" > profile + DCONF_PROFILE=$(pwd)/profile dconf dump / > output 2> error + if [[ ! -s output ]] && [[ -s error ]]; then + cat error + echo "The dconf DB file is invalid: ${file}" + exit 1 + fi + + cp ${file} $out + ''; + + # Generate dconf profile + mkDconfProfile = name: value: + if lib.isDerivation value || lib.isPath value then + pkgs.runCommand "dconf-profile" { } '' + if [[ -d ${value} ]]; then + echo "Dconf profile should be a file but a directory is provided." + exit 1 + fi + mkdir -p $out/etc/dconf/profile/ + cp ${value} $out/etc/dconf/profile/${name} + '' + else + pkgs.writeTextDir "etc/dconf/profile/${name}" ( + lib.concatMapStrings (x: "${x}\n") (( + lib.optional value.enableUserDb "user-db:user" + ) ++ ( + map + (value: + let + db = if lib.isAttrs value && !lib.isDerivation value then mkDconfDb value else checkDconfDb value; + in + "file-db:${db}") + value.databases + )) + ); + + dconfDatabase = with lib.types; submodule { + options = { + keyfiles = lib.mkOption { + type = listOf (oneOf [ path package ]); + default = [ ]; + description = lib.mdDoc "A list of dconf keyfile directories."; + }; + settings = lib.mkOption { + type = attrs; + default = { }; + description = lib.mdDoc "An attrset used to generate dconf keyfile."; + example = literalExpression '' + with lib.gvariant; + { + "com/raggesilver/BlackBox" = { + scrollback-lines = mkUint32 10000; + theme-dark = "Tommorow Night"; + }; + } + ''; + }; + locks = lib.mkOption { + type = with lib.types; listOf str; + default = [ ]; + description = lib.mdDoc '' + A list of dconf keys to be lockdown. This doesn't take effect if `lockAll` + is set. + ''; + example = literalExpression '' + [ "/org/gnome/desktop/background/picture-uri" ] + ''; + }; + lockAll = lib.mkOption { + type = lib.types.bool; + default = false; + description = lib.mdDoc "Lockdown all dconf keys in `settings`."; + }; + }; + }; + + dconfProfile = with lib.types; submodule { + options = { + enableUserDb = lib.mkOption { + type = bool; + default = true; + description = lib.mdDoc "Add `user-db:user` at the beginning of the profile."; + }; + + databases = lib.mkOption { + type = with lib.types; listOf (oneOf [ + path + package + dconfDatabase + ]); + default = [ ]; + description = lib.mdDoc '' + List of data sources for the profile. An element can be an attrset, + or the path of an already compiled database. Each element is converted + to a file-db. + + A key is searched from up to down and the first result takes the + priority. If a lock for a particular key is installed then the value from + the last database in the profile where the key is locked will be used. + This can be used to enforce mandatory settings. + ''; + }; + }; }; + in { - ###### interface - options = { programs.dconf = { - enable = mkEnableOption (lib.mdDoc "dconf"); + enable = lib.mkEnableOption (lib.mdDoc "dconf"); - profiles = mkOption { - type = types.attrsOf types.path; - default = {}; - description = lib.mdDoc "Set of dconf profile files, installed at {file}`/etc/dconf/profiles/«name»`."; - internal = true; + profiles = lib.mkOption { + type = with lib.types; attrsOf (oneOf [ + path + package + dconfProfile + ]); + default = { }; + description = lib.mdDoc '' + Attrset of dconf profiles. By default the `user` profile is used which + ends up in `/etc/dconf/profile/user`. + ''; + example = lib.literalExpression '' + { + # A "user" profile with a database + user.databases = [ + { + settings = { }; + } + ]; + # A "bar" profile from a package + bar = pkgs.bar-dconf-profile; + # A "foo" profile from a path + foo = ''${./foo} + }; + ''; }; - packages = mkOption { - type = types.listOf types.package; - default = []; + packages = lib.mkOption { + type = lib.types.listOf lib.types.package; + default = [ ]; description = lib.mdDoc "A list of packages which provide dconf profiles and databases in {file}`/etc/dconf`."; }; }; }; - ###### implementation + config = lib.mkIf (cfg.profiles != { } || cfg.enable) { + programs.dconf.packages = lib.mapAttrsToList mkDconfProfile cfg.profiles; - config = mkIf (cfg.profiles != {} || cfg.enable) { - environment.etc.dconf = mkIf (cfg.profiles != {} || cfg.packages != []) { - source = cfgDir; + environment.etc.dconf = lib.mkIf (cfg.packages != [ ]) { + source = pkgs.symlinkJoin { + name = "dconf-system-config"; + paths = map (x: "${x}/etc/dconf") cfg.packages; + nativeBuildInputs = [ (lib.getBin pkgs.dconf) ]; + postBuild = '' + if test -d $out/db; then + dconf update $out/db + fi + ''; + }; }; services.dbus.packages = [ pkgs.dconf ]; @@ -59,8 +221,9 @@ in # For dconf executable environment.systemPackages = [ pkgs.dconf ]; - # Needed for unwrapped applications - environment.sessionVariables.GIO_EXTRA_MODULES = mkIf cfg.enable [ "${pkgs.dconf.lib}/lib/gio/modules" ]; + environment.sessionVariables = lib.mkIf cfg.enable { + # Needed for unwrapped applications + GIO_EXTRA_MODULES = [ "${pkgs.dconf.lib}/lib/gio/modules" ]; + }; }; - } diff --git a/nixpkgs/nixos/modules/programs/tmux.nix b/nixpkgs/nixos/modules/programs/tmux.nix index 4f452f1d7f9b..0d1c7c9cdf0f 100644 --- a/nixpkgs/nixos/modules/programs/tmux.nix +++ b/nixpkgs/nixos/modules/programs/tmux.nix @@ -52,6 +52,8 @@ let set -s escape-time ${toString cfg.escapeTime} set -g history-limit ${toString cfg.historyLimit} + ${cfg.extraConfigBeforePlugins} + ${lib.optionalString (cfg.plugins != []) '' # Run plugins ${lib.concatMapStringsSep "\n" (x: "run-shell ${x.rtp}") cfg.plugins} @@ -108,10 +110,18 @@ in { description = lib.mdDoc "Time in milliseconds for which tmux waits after an escape is input."; }; + extraConfigBeforePlugins = mkOption { + default = ""; + description = lib.mdDoc '' + Additional contents of /etc/tmux.conf, to be run before sourcing plugins. + ''; + type = types.lines; + }; + extraConfig = mkOption { default = ""; description = lib.mdDoc '' - Additional contents of /etc/tmux.conf + Additional contents of /etc/tmux.conf, to be run after sourcing plugins. ''; type = types.lines; }; diff --git a/nixpkgs/nixos/modules/services/backup/restic.nix b/nixpkgs/nixos/modules/services/backup/restic.nix index 1620770e5b56..6f4cbab81726 100644 --- a/nixpkgs/nixos/modules/services/backup/restic.nix +++ b/nixpkgs/nixos/modules/services/backup/restic.nix @@ -333,6 +333,8 @@ in backup.rcloneConfig); path = [ pkgs.openssh ]; restartIfChanged = false; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; serviceConfig = { Type = "oneshot"; ExecStart = (optionals (backupPaths != "") [ "${resticCmd} backup ${concatStringsSep " " (backup.extraBackupArgs ++ excludeFlags)} ${backupPaths}" ]) diff --git a/nixpkgs/nixos/modules/services/editors/emacs.md b/nixpkgs/nixos/modules/services/editors/emacs.md index 72364b295144..9db1bd594175 100644 --- a/nixpkgs/nixos/modules/services/editors/emacs.md +++ b/nixpkgs/nixos/modules/services/editors/emacs.md @@ -286,11 +286,11 @@ The server should now be ready to serve Emacs clients. ### Starting the client {#module-services-emacs-starting-client} -Ensure that the emacs server is enabled, either by customizing the +Ensure that the Emacs server is enabled, either by customizing the {var}`server-mode` variable, or by adding `(server-start)` to {file}`~/.emacs`. -To connect to the emacs daemon, run one of the following: +To connect to the Emacs daemon, run one of the following: ``` emacsclient FILENAME emacsclient --create-frame # opens a new frame (window) @@ -339,24 +339,10 @@ This will add the symlink ## Configuring Emacs {#module-services-emacs-configuring} -The Emacs init file should be changed to load the extension packages at -startup: +If you want to only use extension packages from Nixpkgs, you can add +`(setq package-archives nil)` to your init file. -::: {.example #module-services-emacs-package-initialisation} -### Package initialization in `.emacs` - -``` -(require 'package) - -;; optional. makes unpure packages archives unavailable -(setq package-archives nil) - -(setq package-enable-at-startup nil) -(package-initialize) -``` -::: - -After the declarative emacs package configuration has been tested, +After the declarative Emacs package configuration has been tested, previously downloaded packages can be cleaned up by removing {file}`~/.emacs.d/elpa` (do make a backup first, in case you forgot a package). diff --git a/nixpkgs/nixos/modules/services/finance/odoo.nix b/nixpkgs/nixos/modules/services/finance/odoo.nix index fee9af574b5d..eec7c4e30cc4 100644 --- a/nixpkgs/nixos/modules/services/finance/odoo.nix +++ b/nixpkgs/nixos/modules/services/finance/odoo.nix @@ -31,6 +31,12 @@ in description = lib.mdDoc '' Odoo configuration settings. For more details see <https://www.odoo.com/documentation/15.0/administration/install/deploy.html> ''; + example = literalExpression '' + options = { + db_user = "odoo"; + db_password="odoo"; + }; + ''; }; domain = mkOption { @@ -112,11 +118,11 @@ in services.postgresql = { enable = true; + ensureDatabases = [ "odoo" ]; ensureUsers = [{ name = "odoo"; ensurePermissions = { "DATABASE odoo" = "ALL PRIVILEGES"; }; }]; - ensureDatabases = [ "odoo" ]; }; }); } diff --git a/nixpkgs/nixos/modules/services/misc/paperless.nix b/nixpkgs/nixos/modules/services/misc/paperless.nix index 0683a1f922ab..74a3b49ac9a6 100644 --- a/nixpkgs/nixos/modules/services/misc/paperless.nix +++ b/nixpkgs/nixos/modules/services/misc/paperless.nix @@ -43,6 +43,8 @@ let "-/etc/nsswitch.conf" "-/etc/hosts" "-/etc/localtime" + "-/etc/ssl/certs" + "-/etc/static/ssl/certs" "-/run/postgresql" ] ++ (optional enableRedis redisServer.unixSocket); BindPaths = [ diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix index f5b97c51186a..8bb017894ee2 100644 --- a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -50,6 +50,7 @@ let "mikrotik" "minio" "modemmanager" + "mysqld" "nextcloud" "nginx" "nginxlog" @@ -297,6 +298,12 @@ in or 'services.prometheus.exporters.mail.configFile'. ''; } { + assertion = cfg.mysqld.runAsLocalSuperUser -> config.services.mysql.enable; + message = '' + The exporter is configured to run as 'services.mysql.user', but + 'services.mysql.enable' is set to false. + ''; + } { assertion = cfg.sql.enable -> ( (cfg.sql.configFile == null) != (cfg.sql.configuration == null) ); diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/mysqld.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/mysqld.nix new file mode 100644 index 000000000000..849c514de681 --- /dev/null +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/mysqld.nix @@ -0,0 +1,60 @@ +{ config, lib, pkgs, options }: +let + cfg = config.services.prometheus.exporters.mysqld; + inherit (lib) types mkOption mdDoc mkIf mkForce cli concatStringsSep optionalString escapeShellArgs; +in { + port = 9104; + extraOpts = { + telemetryPath = mkOption { + type = types.str; + default = "/metrics"; + description = mdDoc '' + Path under which to expose metrics. + ''; + }; + + runAsLocalSuperUser = mkOption { + type = types.bool; + default = false; + description = mdDoc '' + Whether to run the exporter as {option}`services.mysql.user`. + ''; + }; + + configFile = mkOption { + type = types.path; + example = "/var/lib/prometheus-mysqld-exporter.cnf"; + description = mdDoc '' + Path to the services config file. + + See <https://github.com/prometheus/mysqld_exporter#running> for more information about + the available options. + + ::: {.warn} + Please do not store this file in the nix store if you choose to include any credentials here, + as it would be world-readable. + ::: + ''; + }; + }; + + serviceOpts = { + serviceConfig = { + DynamicUser = !cfg.runAsLocalSuperUser; + User = mkIf cfg.runAsLocalSuperUser (mkForce config.services.mysql.user); + LoadCredential = mkIf (cfg.configFile != null) (mkForce ("config:" + cfg.configFile)); + ExecStart = concatStringsSep " " [ + "${pkgs.prometheus-mysqld-exporter}/bin/mysqld_exporter" + "--web.listen-address=${cfg.listenAddress}:${toString cfg.port}" + "--web.telemetry-path=${cfg.telemetryPath}" + (optionalString (cfg.configFile != null) ''--config.my-cnf=''${CREDENTIALS_DIRECTORY}/config'') + (escapeShellArgs cfg.extraFlags) + ]; + RestrictAddressFamilies = [ + # The exporter can be configured to talk to a local mysql server via a unix socket. + "AF_UNIX" + ]; + }; + }; +} + diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/nextcloud.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/nextcloud.nix index 7808c8861a76..28add020f5cc 100644 --- a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/nextcloud.nix +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/nextcloud.nix @@ -33,6 +33,15 @@ in Make sure that this file is readable by the exporter user. ''; }; + tokenFile = mkOption { + type = types.path; + example = "/path/to/token-file"; + default = ""; + description = lib.mdDoc '' + File containing the token for connecting to Nextcloud. + Make sure that this file is readable by the exporter user. + ''; + }; timeout = mkOption { type = types.str; default = "5s"; @@ -47,12 +56,14 @@ in ExecStart = '' ${pkgs.prometheus-nextcloud-exporter}/bin/nextcloud-exporter \ --addr ${cfg.listenAddress}:${toString cfg.port} \ - --username ${cfg.username} \ --timeout ${cfg.timeout} \ --server ${cfg.url} \ - --password ${escapeShellArg "@${cfg.passwordFile}"} \ - ${concatStringsSep " \\\n " cfg.extraFlags} - ''; + ${if cfg.tokenFile == "" then '' + --username ${cfg.username} \ + --password ${escapeShellArg "@${cfg.passwordFile}"} \ + '' else '' + --auth-token ${escapeShellArg "@${cfg.tokenFile}"} \ + ''} ${concatStringsSep " \\\n " cfg.extraFlags}''; }; }; } diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/unbound.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/unbound.nix index f52d92a73d5d..f2336429d42f 100644 --- a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/unbound.nix +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/unbound.nix @@ -1,4 +1,8 @@ -{ config, lib, pkgs, options }: +{ config +, lib +, pkgs +, options +}: with lib; @@ -6,17 +10,14 @@ let cfg = config.services.prometheus.exporters.unbound; in { + imports = [ + (mkRemovedOptionModule [ "controlInterface" ] "This option was removed, use the `unbound.host` option instead.") + (mkRemovedOptionModule [ "fetchType" ] "This option was removed, use the `unbound.host` option instead.") + ({ options.warnings = options.warnings; options.assertions = options.assertions; }) + ]; + port = 9167; extraOpts = { - fetchType = mkOption { - # TODO: add shm when upstream implemented it - type = types.enum [ "tcp" "uds" ]; - default = "uds"; - description = lib.mdDoc '' - Which methods the exporter uses to get the information from unbound. - ''; - }; - telemetryPath = mkOption { type = types.str; default = "/metrics"; @@ -25,34 +26,65 @@ in ''; }; - controlInterface = mkOption { - type = types.nullOr types.str; - default = null; - example = "/run/unbound/unbound.socket"; - description = lib.mdDoc '' - Path to the unbound socket for uds mode or the control interface port for tcp mode. + unbound = { + ca = mkOption { + type = types.nullOr types.path; + default = "/var/lib/unbound/unbound_server.pem"; + example = null; + description = '' + Path to the Unbound server certificate authority + ''; + }; - Example: - uds-mode: /run/unbound/unbound.socket - tcp-mode: 127.0.0.1:8953 - ''; + certificate = mkOption { + type = types.nullOr types.path; + default = "/var/lib/unbound/unbound_control.pem"; + example = null; + description = '' + Path to the Unbound control socket certificate + ''; + }; + + key = mkOption { + type = types.nullOr types.path; + default = "/var/lib/unbound/unbound_control.key"; + example = null; + description = '' + Path to the Unbound control socket key. + ''; + }; + + host = mkOption { + type = types.str; + default = "tcp://127.0.0.1:8953"; + example = "unix:///run/unbound/unbound.socket"; + description = lib.mdDoc '' + Path to the unbound control socket. Supports unix domain sockets, as well as the TCP interface. + ''; + }; }; }; serviceOpts = mkMerge ([{ serviceConfig = { + User = "unbound"; # to access the unbound_control.key ExecStart = '' - ${pkgs.prometheus-unbound-exporter}/bin/unbound-telemetry \ - ${cfg.fetchType} \ - --bind ${cfg.listenAddress}:${toString cfg.port} \ - --path ${cfg.telemetryPath} \ - ${optionalString (cfg.controlInterface != null) "--control-interface ${cfg.controlInterface}"} \ + ${pkgs.prometheus-unbound-exporter}/bin/unbound_exporter \ + --unbound.host "${cfg.unbound.host}" \ + --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ + --web.telemetry-path ${cfg.telemetryPath} \ + ${optionalString (cfg.unbound.ca != null) "--unbound.ca ${cfg.unbound.ca}"} \ + ${optionalString (cfg.unbound.certificate != null) "--unbound.cert ${cfg.unbound.certificate}"} \ + ${optionalString (cfg.unbound.key != null) "--unbound.key ${cfg.unbound.key}"} \ ${toString cfg.extraFlags} ''; RestrictAddressFamilies = [ - # Need AF_UNIX to collect data "AF_UNIX" + "AF_INET" + "AF_INET6" ]; + } // optionalAttrs (!config.services.unbound.enable) { + DynamicUser = true; }; }] ++ [ (mkIf config.services.unbound.enable { diff --git a/nixpkgs/nixos/modules/services/monitoring/vmagent.nix b/nixpkgs/nixos/modules/services/monitoring/vmagent.nix index c793bb073199..0e2ffb31c57c 100644 --- a/nixpkgs/nixos/modules/services/monitoring/vmagent.nix +++ b/nixpkgs/nixos/modules/services/monitoring/vmagent.nix @@ -62,6 +62,16 @@ in { Whether to open the firewall for the default ports. ''; }; + + extraArgs = mkOption { + type = types.listOf types.str; + default = []; + description = lib.mdDoc '' + Extra args to pass to `vmagent`. See the docs: + <https://docs.victoriametrics.com/vmagent.html#advanced-usage> + or {command}`vmagent -help` for more information. + ''; + }; }; config = mkIf cfg.enable { @@ -90,7 +100,7 @@ in { Type = "simple"; Restart = "on-failure"; WorkingDirectory = cfg.dataDir; - ExecStart = "${cfg.package}/bin/vmagent -remoteWrite.url=${cfg.remoteWriteUrl} -promscrape.config=${prometheusConfig}"; + ExecStart = "${cfg.package}/bin/vmagent -remoteWrite.url=${cfg.remoteWriteUrl} -promscrape.config=${prometheusConfig} ${escapeShellArgs cfg.extraArgs}"; }; }; diff --git a/nixpkgs/nixos/modules/services/networking/firewall-nftables.nix b/nixpkgs/nixos/modules/services/networking/firewall-nftables.nix index 452dd97d89d2..7c7136cc96f1 100644 --- a/nixpkgs/nixos/modules/services/networking/firewall-nftables.nix +++ b/nixpkgs/nixos/modules/services/networking/firewall-nftables.nix @@ -70,10 +70,8 @@ in } ]; - networking.nftables.ruleset = '' - - table inet nixos-fw { - + networking.nftables.tables."nixos-fw".family = "inet"; + networking.nftables.tables."nixos-fw".content = '' ${optionalString (cfg.checkReversePath != false) '' chain rpfilter { type filter hook prerouting priority mangle + 10; policy drop; @@ -169,9 +167,6 @@ in } ''} - - } - ''; }; diff --git a/nixpkgs/nixos/modules/services/networking/nat-nftables.nix b/nixpkgs/nixos/modules/services/networking/nat-nftables.nix index 483910a16658..4b2317ca2ffc 100644 --- a/nixpkgs/nixos/modules/services/networking/nat-nftables.nix +++ b/nixpkgs/nixos/modules/services/networking/nat-nftables.nix @@ -145,28 +145,28 @@ in } ]; - networking.nftables.ruleset = '' - table ip nixos-nat { - ${mkTable { + networking.nftables.tables = { + "nixos-nat" = { + family = "ip"; + content = mkTable { ipVer = "ip"; inherit dest ipSet; forwardPorts = filter (x: !(isIPv6 x.destination)) cfg.forwardPorts; inherit (cfg) dmzHost; - }} - } - - ${optionalString cfg.enableIPv6 '' - table ip6 nixos-nat { - ${mkTable { - ipVer = "ip6"; - dest = destIPv6; - ipSet = ipv6Set; - forwardPorts = filter (x: isIPv6 x.destination) cfg.forwardPorts; - dmzHost = null; - }} - } - ''} - ''; + }; + }; + "nixos-nat6" = mkIf cfg.enableIPv6 { + family = "ip6"; + name = "nixos-nat"; + content = mkTable { + ipVer = "ip6"; + dest = destIPv6; + ipSet = ipv6Set; + forwardPorts = filter (x: isIPv6 x.destination) cfg.forwardPorts; + dmzHost = null; + }; + }; + }; networking.firewall.extraForwardRules = optionalString config.networking.firewall.filterForward '' ${optionalString (ifaceSet != "") '' diff --git a/nixpkgs/nixos/modules/services/networking/nftables.nix b/nixpkgs/nixos/modules/services/networking/nftables.nix index faff1dca89ba..0e4cd6fa1503 100644 --- a/nixpkgs/nixos/modules/services/networking/nftables.nix +++ b/nixpkgs/nixos/modules/services/networking/nftables.nix @@ -2,6 +2,35 @@ with lib; let cfg = config.networking.nftables; + + tableSubmodule = { name, ... }: { + options = { + enable = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc "Enable this table."; + }; + + name = mkOption { + type = types.str; + description = lib.mdDoc "Table name."; + }; + + content = mkOption { + type = types.lines; + description = lib.mdDoc "The table content."; + }; + + family = mkOption { + description = lib.mdDoc "Table family."; + type = types.enum [ "ip" "ip6" "inet" "arp" "bridge" "netdev" ]; + }; + }; + + config = { + name = mkDefault name; + }; + }; in { ###### interface @@ -54,6 +83,24 @@ in ''; }; + networking.nftables.flushRuleset = mkEnableOption (lib.mdDoc "Flush the entire ruleset on each reload."); + + networking.nftables.extraDeletions = mkOption { + type = types.lines; + default = ""; + example = '' + # this makes deleting a non-existing table a no-op instead of an error + table inet some-table; + + delete table inet some-table; + ''; + description = + lib.mdDoc '' + Extra deletion commands to be run on every firewall start, reload + and after stopping the firewall. + ''; + }; + networking.nftables.ruleset = mkOption { type = types.lines; default = ""; @@ -103,7 +150,10 @@ in lib.mdDoc '' The ruleset to be used with nftables. Should be in a format that can be loaded using "/bin/nft -f". The ruleset is updated atomically. - This option conflicts with rulesetFile. + Note that if the tables should be cleaned first, either: + - networking.nftables.flushRuleset = true; needs to be set (flushes all tables) + - networking.nftables.extraDeletions needs to be set + - or networking.nftables.tables can be used, which will clean up the table automatically ''; }; networking.nftables.rulesetFile = mkOption { @@ -113,9 +163,64 @@ in lib.mdDoc '' The ruleset file to be used with nftables. Should be in a format that can be loaded using "nft -f". The ruleset is updated atomically. - This option conflicts with ruleset and nftables based firewall. ''; }; + networking.nftables.tables = mkOption { + type = types.attrsOf (types.submodule tableSubmodule); + + default = {}; + + description = lib.mdDoc '' + Tables to be added to ruleset. + Tables will be added together with delete statements to clean up the table before every update. + ''; + + example = { + filter = { + family = "inet"; + content = '' + # Check out https://wiki.nftables.org/ for better documentation. + # Table for both IPv4 and IPv6. + # Block all incoming connections traffic except SSH and "ping". + chain input { + type filter hook input priority 0; + + # accept any localhost traffic + iifname lo accept + + # accept traffic originated from us + ct state {established, related} accept + + # ICMP + # routers may also want: mld-listener-query, nd-router-solicit + ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept + ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept + + # allow "ping" + ip6 nexthdr icmpv6 icmpv6 type echo-request accept + ip protocol icmp icmp type echo-request accept + + # accept SSH connections (required for a server) + tcp dport 22 accept + + # count and drop any other traffic + counter drop + } + + # Allow all outgoing connections. + chain output { + type filter hook output priority 0; + accept + } + + chain forward { + type filter hook forward priority 0; + accept + } + ''; + }; + }; + }; }; ###### implementation @@ -124,6 +229,8 @@ in boot.blacklistedKernelModules = [ "ip_tables" ]; environment.systemPackages = [ pkgs.nftables ]; networking.networkmanager.firewallBackend = mkDefault "nftables"; + # versionOlder for backportability, remove afterwards + networking.nftables.flushRuleset = mkDefault (versionOlder config.system.stateVersion "23.11" || (cfg.rulesetFile != null || cfg.ruleset != "")); systemd.services.nftables = { description = "nftables firewall"; before = [ "network-pre.target" ]; @@ -131,18 +238,49 @@ in wantedBy = [ "multi-user.target" ]; reloadIfChanged = true; serviceConfig = let + enabledTables = filterAttrs (_: table: table.enable) cfg.tables; + deletionsScript = pkgs.writeScript "nftables-deletions" '' + #! ${pkgs.nftables}/bin/nft -f + ${if cfg.flushRuleset then "flush ruleset" + else concatStringsSep "\n" (mapAttrsToList (_: table: '' + table ${table.family} ${table.name} + delete table ${table.family} ${table.name} + '') enabledTables)} + ${cfg.extraDeletions} + ''; + deletionsScriptVar = "/var/lib/nftables/deletions.nft"; + ensureDeletions = pkgs.writeShellScript "nftables-ensure-deletions" '' + touch ${deletionsScriptVar} + chmod +x ${deletionsScriptVar} + ''; + saveDeletionsScript = pkgs.writeShellScript "nftables-save-deletions" '' + cp ${deletionsScript} ${deletionsScriptVar} + ''; + cleanupDeletionsScript = pkgs.writeShellScript "nftables-cleanup-deletions" '' + rm ${deletionsScriptVar} + ''; rulesScript = pkgs.writeTextFile { name = "nftables-rules"; executable = true; text = '' #! ${pkgs.nftables}/bin/nft -f - flush ruleset - ${if cfg.rulesetFile != null then '' + # previous deletions, if any + include "${deletionsScriptVar}" + # current deletions + include "${deletionsScript}" + ${concatStringsSep "\n" (mapAttrsToList (_: table: '' + table ${table.family} ${table.name} { + ${table.content} + } + '') enabledTables)} + ${cfg.ruleset} + ${lib.optionalString (cfg.rulesetFile != null) '' include "${cfg.rulesetFile}" - '' else cfg.ruleset} + ''} ''; checkPhase = lib.optionalString cfg.checkRuleset '' cp $out ruleset.conf + sed 's|include "${deletionsScriptVar}"||' -i ruleset.conf ${cfg.preCheckRuleset} export NIX_REDIRECTS=/etc/protocols=${pkgs.buildPackages.iana-etc}/etc/protocols:/etc/services=${pkgs.buildPackages.iana-etc}/etc/services LD_PRELOAD="${pkgs.buildPackages.libredirect}/lib/libredirect.so ${pkgs.buildPackages.lklWithFirewall.lib}/lib/liblkl-hijack.so" \ @@ -152,9 +290,11 @@ in in { Type = "oneshot"; RemainAfterExit = true; - ExecStart = rulesScript; - ExecReload = rulesScript; - ExecStop = "${pkgs.nftables}/bin/nft flush ruleset"; + ExecStart = [ ensureDeletions rulesScript ]; + ExecStartPost = saveDeletionsScript; + ExecReload = [ ensureDeletions rulesScript saveDeletionsScript ]; + ExecStop = [ deletionsScriptVar cleanupDeletionsScript ]; + StateDirectory = "nftables"; }; }; }; diff --git a/nixpkgs/nixos/modules/services/networking/nncp.nix b/nixpkgs/nixos/modules/services/networking/nncp.nix new file mode 100644 index 000000000000..3cfe41995e76 --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/nncp.nix @@ -0,0 +1,131 @@ +{ config, lib, pkgs, ... }: +with lib; + +let + nncpCfgFile = "/run/nncp.hjson"; + programCfg = config.programs.nncp; + callerCfg = config.services.nncp.caller; + daemonCfg = config.services.nncp.daemon; + settingsFormat = pkgs.formats.json { }; + jsonCfgFile = settingsFormat.generate "nncp.json" programCfg.settings; + pkg = programCfg.package; +in { + options = { + + services.nncp = { + caller = { + enable = mkEnableOption '' + cron'ed NNCP TCP daemon caller. + The daemon will take configuration from + [](#opt-programs.nncp.settings) + ''; + extraArgs = mkOption { + type = with types; listOf str; + description = "Extra command-line arguments to pass to caller."; + default = [ ]; + example = [ "-autotoss" ]; + }; + }; + + daemon = { + enable = mkEnableOption '' + NNCP TCP synronization daemon. + The daemon will take configuration from + [](#opt-programs.nncp.settings) + ''; + socketActivation = { + enable = mkEnableOption '' + Whether to run nncp-daemon persistently or socket-activated. + ''; + listenStreams = mkOption { + type = with types; listOf str; + description = lib.mdDoc '' + TCP sockets to bind to. + See [](#opt-systemd.sockets._name_.listenStreams). + ''; + default = [ "5400" ]; + }; + }; + extraArgs = mkOption { + type = with types; listOf str; + description = "Extra command-line arguments to pass to daemon."; + default = [ ]; + example = [ "-autotoss" ]; + }; + }; + + }; + }; + + config = mkIf (programCfg.enable or callerCfg.enable or daemonCfg.enable) { + + assertions = [{ + assertion = with builtins; + let + callerCongfigured = + let neigh = config.programs.nncp.settings.neigh or { }; + in lib.lists.any (x: hasAttr "calls" x && x.calls != [ ]) + (attrValues neigh); + in !callerCfg.enable || callerCongfigured; + message = "NNCP caller enabled but call configuration is missing"; + }]; + + systemd.services."nncp-caller" = { + inherit (callerCfg) enable; + description = "Croned NNCP TCP daemon caller."; + documentation = [ "http://www.nncpgo.org/nncp_002dcaller.html" ]; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = '' + ${pkg}/bin/nncp-caller -noprogress -cfg "${nncpCfgFile}" ${ + lib.strings.escapeShellArgs callerCfg.extraArgs + }''; + Group = "uucp"; + UMask = "0002"; + }; + }; + + systemd.services."nncp-daemon" = mkIf daemonCfg.enable { + enable = !daemonCfg.socketActivation.enable; + description = "NNCP TCP syncronization daemon."; + documentation = [ "http://www.nncpgo.org/nncp_002ddaemon.html" ]; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = '' + ${pkg}/bin/nncp-daemon -noprogress -cfg "${nncpCfgFile}" ${ + lib.strings.escapeShellArgs daemonCfg.extraArgs + }''; + Restart = "on-failure"; + Group = "uucp"; + UMask = "0002"; + }; + }; + + systemd.services."nncp-daemon@" = mkIf daemonCfg.socketActivation.enable { + description = "NNCP TCP syncronization daemon."; + documentation = [ "http://www.nncpgo.org/nncp_002ddaemon.html" ]; + after = [ "network.target" ]; + serviceConfig = { + ExecStart = '' + ${pkg}/bin/nncp-daemon -noprogress -ucspi -cfg "${nncpCfgFile}" ${ + lib.strings.escapeShellArgs daemonCfg.extraArgs + }''; + Group = "uucp"; + UMask = "0002"; + StandardInput = "socket"; + StandardOutput = "inherit"; + StandardError = "journal"; + }; + }; + + systemd.sockets.nncp-daemon = mkIf daemonCfg.socketActivation.enable { + inherit (daemonCfg.socketActivation) listenStreams; + description = "socket for NNCP TCP syncronization."; + conflicts = [ "nncp-daemon.service" ]; + wantedBy = [ "sockets.target" ]; + socketConfig.Accept = true; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/networking/privoxy.nix b/nixpkgs/nixos/modules/services/networking/privoxy.nix index 78d02aaa1125..619490a4c020 100644 --- a/nixpkgs/nixos/modules/services/networking/privoxy.nix +++ b/nixpkgs/nixos/modules/services/networking/privoxy.nix @@ -12,7 +12,7 @@ let else "${name} ${toString val}\n"; configType = with types; - let atom = oneOf [ int bool string path ]; + let atom = oneOf [ int bool str path ]; in attrsOf (either atom (listOf atom)) // { description = '' privoxy configuration type. The format consists of an attribute diff --git a/nixpkgs/nixos/modules/services/security/kanidm.nix b/nixpkgs/nixos/modules/services/security/kanidm.nix index d8a99dee59f4..6f4d1dc382ab 100644 --- a/nixpkgs/nixos/modules/services/security/kanidm.nix +++ b/nixpkgs/nixos/modules/services/security/kanidm.nix @@ -137,7 +137,7 @@ in default = { }; description = lib.mdDoc '' Settings for Kanidm, see - [the documentation](https://github.com/kanidm/kanidm/blob/master/kanidm_book/src/server_configuration.md) + [the documentation](https://kanidm.github.io/kanidm/stable/server_configuration.html) and [example configuration](https://github.com/kanidm/kanidm/blob/master/examples/server.toml) for possible values. ''; @@ -155,7 +155,7 @@ in }; description = lib.mdDoc '' Configure Kanidm clients, needed for the PAM daemon. See - [the documentation](https://github.com/kanidm/kanidm/blob/master/kanidm_book/src/client_tools.md#kanidm-configuration) + [the documentation](https://kanidm.github.io/kanidm/stable/client_tools.html#kanidm-configuration) and [example configuration](https://github.com/kanidm/kanidm/blob/master/examples/config) for possible values. ''; @@ -173,7 +173,7 @@ in }; description = lib.mdDoc '' Configure Kanidm unix daemon. - See [the documentation](https://github.com/kanidm/kanidm/blob/master/kanidm_book/src/pam_and_nsswitch.md#the-unix-daemon) + See [the documentation](https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch.html#the-unix-daemon) and [example configuration](https://github.com/kanidm/kanidm/blob/master/examples/unixd) for possible values. ''; diff --git a/nixpkgs/nixos/modules/services/web-apps/cloudlog.nix b/nixpkgs/nixos/modules/services/web-apps/cloudlog.nix index 9261de8d4354..da2cf93d7f1c 100644 --- a/nixpkgs/nixos/modules/services/web-apps/cloudlog.nix +++ b/nixpkgs/nixos/modules/services/web-apps/cloudlog.nix @@ -308,8 +308,6 @@ in pools.cloudlog = { inherit (cfg) user; group = config.services.nginx.group; - # cloudlog is currently broken on php 8.2 - phpPackage = pkgs.php81; settings = { "listen.owner" = config.services.nginx.user; "listen.group" = config.services.nginx.group; diff --git a/nixpkgs/nixos/modules/services/web-apps/honk.md b/nixpkgs/nixos/modules/services/web-apps/honk.md new file mode 100644 index 000000000000..f34085f7dc52 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-apps/honk.md @@ -0,0 +1,23 @@ +# Honk {#module-services-honk} + +With Honk on NixOS you can quickly configure a complete ActivityPub server with +minimal setup and support costs. + +## Basic usage {#module-services-honk-basic-usage} + +A minimal configuration looks like this: + +```nix +{ + services.honk = { + enable = true; + host = "0.0.0.0"; + port = 8080; + username = "username"; + passwordFile = "/etc/honk/password.txt"; + servername = "honk.example.com"; + }; + + networking.firewall.allowedTCPPorts = [ 8080 ]; +} +``` diff --git a/nixpkgs/nixos/modules/services/web-apps/honk.nix b/nixpkgs/nixos/modules/services/web-apps/honk.nix new file mode 100644 index 000000000000..e8718774575b --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-apps/honk.nix @@ -0,0 +1,153 @@ +{ config +, lib +, pkgs +, ... +}: +let + cfg = config.services.honk; + + honk-initdb-script = cfg: pkgs.writeShellApplication { + name = "honk-initdb-script"; + + runtimeInputs = with pkgs; [ coreutils ]; + + text = '' + PW=$(cat "$CREDENTIALS_DIRECTORY/honk_passwordFile") + + echo -e "${cfg.username}\n''$PW\n${cfg.host}:${toString cfg.port}\n${cfg.servername}" | ${lib.getExe cfg.package} -datadir "$STATE_DIRECTORY" init + ''; + }; +in +{ + options = { + services.honk = { + enable = lib.mkEnableOption (lib.mdDoc "the Honk server"); + package = lib.mkPackageOptionMD pkgs "honk" { }; + + host = lib.mkOption { + default = "127.0.0.1"; + description = lib.mdDoc '' + The host name or IP address the server should listen to. + ''; + type = lib.types.str; + }; + + port = lib.mkOption { + default = 8080; + description = lib.mdDoc '' + The port the server should listen to. + ''; + type = lib.types.port; + }; + + username = lib.mkOption { + description = lib.mdDoc '' + The admin account username. + ''; + type = lib.types.str; + }; + + passwordFile = lib.mkOption { + description = lib.mdDoc '' + Password for admin account. + NOTE: Should be string not a store path, to prevent the password from being world readable + ''; + type = lib.types.path; + }; + + servername = lib.mkOption { + description = lib.mdDoc '' + The server name. + ''; + type = lib.types.str; + }; + + extraJS = lib.mkOption { + default = null; + description = lib.mdDoc '' + An extra JavaScript file to be loaded by the client. + ''; + type = lib.types.nullOr lib.types.path; + }; + + extraCSS = lib.mkOption { + default = null; + description = lib.mdDoc '' + An extra CSS file to be loaded by the client. + ''; + type = lib.types.nullOr lib.types.path; + }; + }; + }; + + config = lib.mkIf cfg.enable { + assertions = [ + { + assertion = cfg.username or "" != ""; + message = '' + You have to define a username for Honk (`services.honk.username`). + ''; + } + { + assertion = cfg.servername or "" != ""; + message = '' + You have to define a servername for Honk (`services.honk.servername`). + ''; + } + ]; + + systemd.services.honk-initdb = { + description = "Honk server database setup"; + requiredBy = [ "honk.service" ]; + before = [ "honk.service" ]; + + serviceConfig = { + LoadCredential = [ + "honk_passwordFile:${cfg.passwordFile}" + ]; + Type = "oneshot"; + StateDirectory = "honk"; + DynamicUser = true; + RemainAfterExit = true; + ExecStart = lib.getExe (honk-initdb-script cfg); + PrivateTmp = true; + }; + + unitConfig = { + ConditionPathExists = [ + # Skip this service if the database already exists + "!$STATE_DIRECTORY/honk.db" + ]; + }; + }; + + systemd.services.honk = { + description = "Honk server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + bindsTo = [ "honk-initdb.service" ]; + preStart = '' + mkdir -p $STATE_DIRECTORY/views + ${lib.optionalString (cfg.extraJS != null) "ln -fs ${cfg.extraJS} $STATE_DIRECTORY/views/local.js"} + ${lib.optionalString (cfg.extraCSS != null) "ln -fs ${cfg.extraCSS} $STATE_DIRECTORY/views/local.css"} + ${lib.getExe cfg.package} -datadir $STATE_DIRECTORY -viewdir ${cfg.package}/share/honk backup $STATE_DIRECTORY/backup + ${lib.getExe cfg.package} -datadir $STATE_DIRECTORY -viewdir ${cfg.package}/share/honk upgrade + ${lib.getExe cfg.package} -datadir $STATE_DIRECTORY -viewdir ${cfg.package}/share/honk cleanup + ''; + serviceConfig = { + ExecStart = '' + ${lib.getExe cfg.package} -datadir $STATE_DIRECTORY -viewdir ${cfg.package}/share/honk + ''; + StateDirectory = "honk"; + DynamicUser = true; + PrivateTmp = "yes"; + Restart = "on-failure"; + }; + }; + }; + + meta = { + maintainers = with lib.maintainers; [ drupol ]; + doc = ./honk.md; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-apps/lemmy.nix b/nixpkgs/nixos/modules/services/web-apps/lemmy.nix index 895f3a9f1b4b..20d9dcb7c266 100644 --- a/nixpkgs/nixos/modules/services/web-apps/lemmy.nix +++ b/nixpkgs/nixos/modules/services/web-apps/lemmy.nix @@ -160,7 +160,7 @@ in root * ${cfg.ui.package}/dist file_server } - handle_path /static/undefined/* { + handle_path /static/${cfg.ui.package.passthru.commit_sha}/* { root * ${cfg.ui.package}/dist file_server } diff --git a/nixpkgs/nixos/modules/services/web-apps/netbox.nix b/nixpkgs/nixos/modules/services/web-apps/netbox.nix index 5f42f42a9af9..6d89ffc2a7b7 100644 --- a/nixpkgs/nixos/modules/services/web-apps/netbox.nix +++ b/nixpkgs/nixos/modules/services/web-apps/netbox.nix @@ -169,6 +169,13 @@ in { AUTH_LDAP_FIND_GROUP_PERMS = True ''; }; + keycloakClientSecret = lib.mkOption { + type = with lib.types; nullOr path; + default = null; + description = lib.mdDoc '' + File that contains the keycloak client secret. + ''; + }; }; config = lib.mkIf cfg.enable { @@ -227,7 +234,10 @@ in { extraConfig = '' with open("${cfg.secretKeyFile}", "r") as file: SECRET_KEY = file.readline() - ''; + '' + (lib.optionalString (cfg.keycloakClientSecret != null) '' + with open("${cfg.keycloakClientSecret}", "r") as file: + SOCIAL_AUTH_KEYCLOAK_SECRET = file.readline() + ''); }; services.redis.servers.netbox.enable = true; diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix b/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix index 676d08b93e2c..e6923bcbb56c 100644 --- a/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix +++ b/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix @@ -231,40 +231,14 @@ in systemd.user.services.dbus.wantedBy = [ "default.target" ]; - programs.dconf.profiles.gdm = - let - customDconf = pkgs.writeTextFile { - name = "gdm-dconf"; - destination = "/dconf/gdm-custom"; - text = '' - ${optionalString (!cfg.gdm.autoSuspend) '' - [org/gnome/settings-daemon/plugins/power] - sleep-inactive-ac-type='nothing' - sleep-inactive-battery-type='nothing' - sleep-inactive-ac-timeout=0 - sleep-inactive-battery-timeout=0 - ''} - ''; - }; - - customDconfDb = pkgs.stdenv.mkDerivation { - name = "gdm-dconf-db"; - buildCommand = '' - ${pkgs.dconf}/bin/dconf compile $out ${customDconf}/dconf - ''; + programs.dconf.profiles.gdm.databases = lib.optionals (!cfg.gdm.autoSuspend) [{ + settings."org/gnome/settings-daemon/plugins/power" = { + sleep-inactive-ac-type = "nothing"; + sleep-inactive-battery-type = "nothing"; + sleep-inactive-ac-timeout = lib.gvariant.mkInt32 0; + sleep-inactive-battery-timeout = lib.gvariant.mkInt32 0; }; - in pkgs.stdenv.mkDerivation { - name = "dconf-gdm-profile"; - buildCommand = '' - # Check that the GDM profile starts with what we expect. - if [ $(head -n 1 ${gdm}/share/dconf/profile/gdm) != "user-db:user" ]; then - echo "GDM dconf profile changed, please update gdm.nix" - exit 1 - fi - # Insert our custom DB behind it. - sed '2ifile-db:${customDconfDb}' ${gdm}/share/dconf/profile/gdm > $out - ''; - }; + }] ++ [ "${gdm}/share/gdm/greeter-dconf-defaults" ]; # Use AutomaticLogin if delay is zero, because it's immediate. # Otherwise with TimedLogin with zero seconds the prompt is still diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/sddm.nix b/nixpkgs/nixos/modules/services/x11/display-managers/sddm.nix index c04edd0d4b7a..47e60236eaeb 100644 --- a/nixpkgs/nixos/modules/services/x11/display-managers/sddm.nix +++ b/nixpkgs/nixos/modules/services/x11/display-managers/sddm.nix @@ -267,6 +267,7 @@ in environment.systemPackages = [ sddm ]; services.dbus.packages = [ sddm ]; + systemd.tmpfiles.packages = [ sddm ]; # We're not using the upstream unit, so copy these: https://github.com/sddm/sddm/blob/develop/services/sddm.service.in systemd.services.display-manager.after = [ diff --git a/nixpkgs/nixos/modules/services/x11/window-managers/default.nix b/nixpkgs/nixos/modules/services/x11/window-managers/default.nix index ce1d4115f225..e180f2693e0c 100644 --- a/nixpkgs/nixos/modules/services/x11/window-managers/default.nix +++ b/nixpkgs/nixos/modules/services/x11/window-managers/default.nix @@ -35,6 +35,7 @@ in ./openbox.nix ./pekwm.nix ./notion.nix + ./ragnarwm.nix ./ratpoison.nix ./sawfish.nix ./smallwm.nix diff --git a/nixpkgs/nixos/modules/services/x11/window-managers/ragnarwm.nix b/nixpkgs/nixos/modules/services/x11/window-managers/ragnarwm.nix new file mode 100644 index 000000000000..0843b872dba5 --- /dev/null +++ b/nixpkgs/nixos/modules/services/x11/window-managers/ragnarwm.nix @@ -0,0 +1,33 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.xserver.windowManager.ragnarwm; +in +{ + ###### interface + + options = { + services.xserver.windowManager.ragnarwm = { + enable = mkEnableOption (lib.mdDoc "ragnarwm"); + package = mkOption { + type = types.package; + default = pkgs.ragnarwm; + defaultText = literalExpression "pkgs.ragnarwm"; + description = lib.mdDoc '' + The ragnar package to use. + ''; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + services.xserver.displayManager.sessionPackages = [ cfg.package ]; + environment.systemPackages = [ cfg.package ]; + }; + + meta.maintainers = with lib.maintainers; [ sigmanificient ]; +} diff --git a/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl b/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl index 04d90968c4c1..8bd450d7343b 100755 --- a/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl +++ b/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl @@ -313,7 +313,8 @@ sub unrecord_unit { # needs to be restarted or reloaded. If the units differ, the service # is restarted unless the only difference is `X-Reload-Triggers` in the # `Unit` section. If this is the only modification, the unit is reloaded -# instead of restarted. +# instead of restarted. If the only difference is `Options` in the +# `[Mount]` section, the unit is reloaded rather than restarted. # Returns: # - 0 if the units are equal # - 1 if the units are different and a restart action is required @@ -390,6 +391,11 @@ sub compare_units { ## no critic(Subroutines::ProhibitExcessComplexity) next; } } + # If this is a mount unit, check if it was only `Options` + if ($section_name eq "Mount" and $ini_key eq "Options") { + $ret = 2; + next; + } return 1; } } @@ -440,10 +446,18 @@ sub handle_modified_unit { ## no critic(Subroutines::ProhibitManyArgs, Subroutin # properties (resource limits and inotify watches) # seem to get applied on daemon-reload. } elsif ($unit =~ /\.mount$/msx) { - # Reload the changed mount unit to force a remount. - # FIXME: only reload when Options= changed, restart otherwise - $units_to_reload->{$unit} = 1; - record_unit($reload_list_file, $unit); + # Just restart the unit. We wouldn't have gotten into this subroutine + # if only `Options` was changed, in which case the unit would be reloaded. + # The only exception is / and /nix because it's very unlikely we can safely + # unmount them so we reload them instead. This means that we may not get + # all changes into the running system but it's better than crashing it. + if ($unit eq "-.mount" or $unit eq "nix.mount") { + $units_to_reload->{$unit} = 1; + record_unit($reload_list_file, $unit); + } else { + $units_to_restart->{$unit} = 1; + record_unit($restart_list_file, $unit); + } } elsif ($unit =~ /\.socket$/msx) { # FIXME: do something? # Attempt to fix this: https://github.com/NixOS/nixpkgs/pull/141192 diff --git a/nixpkgs/nixos/modules/system/boot/binfmt.nix b/nixpkgs/nixos/modules/system/boot/binfmt.nix index 5172371d0afb..fb7afce4a580 100644 --- a/nixpkgs/nixos/modules/system/boot/binfmt.nix +++ b/nixpkgs/nixos/modules/system/boot/binfmt.nix @@ -102,20 +102,28 @@ let mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\x00''; }; mips-linux = { - magicOrExtension = ''\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08''; - mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff''; + magicOrExtension = ''\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00''; + mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20''; }; mipsel-linux = { - magicOrExtension = ''\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00''; - mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff''; + magicOrExtension = ''\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00''; + mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\x00\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x00\x00\x00''; }; mips64-linux = { magicOrExtension = ''\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08''; - mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff''; + mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff''; }; mips64el-linux = { magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00''; - mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff''; + mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\x00\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff''; + }; + mips64-linuxabin32 = { + magicOrExtension = ''\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20''; + mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20''; + }; + mips64el-linuxabin32 = { + magicOrExtension = ''\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x00\x00\x00''; + mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\x00\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x00\x00\x00''; }; riscv32-linux = { magicOrExtension = ''\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xf3\x00''; diff --git a/nixpkgs/nixos/release-combined.nix b/nixpkgs/nixos/release-combined.nix index 125086294d41..29dcdab7d18e 100644 --- a/nixpkgs/nixos/release-combined.nix +++ b/nixpkgs/nixos/release-combined.nix @@ -158,6 +158,11 @@ in rec { (onFullSupported "nixpkgs.emacs") (onFullSupported "nixpkgs.jdk") ["nixpkgs.tarball"] + + # Ensure that nixpkgs-check-by-name is available in all release channels and nixos-unstable, + # so that a pre-built version can be used in CI for PR's on the corresponding development branches. + # See ../pkgs/test/nixpkgs-check-by-name/README.md + (onSystems ["x86_64-linux"] "nixpkgs.tests.nixpkgs-check-by-name") ]; }; } diff --git a/nixpkgs/nixos/tests/all-tests.nix b/nixpkgs/nixos/tests/all-tests.nix index 19aaac694594..c1e124bda5c7 100644 --- a/nixpkgs/nixos/tests/all-tests.nix +++ b/nixpkgs/nixos/tests/all-tests.nix @@ -210,6 +210,7 @@ in { custom-ca = handleTest ./custom-ca.nix {}; croc = handleTest ./croc.nix {}; darling = handleTest ./darling.nix {}; + dconf = handleTest ./dconf.nix {}; deepin = handleTest ./deepin.nix {}; deluge = handleTest ./deluge.nix {}; dendrite = handleTest ./matrix/dendrite.nix {}; @@ -345,10 +346,12 @@ in { hedgedoc = handleTest ./hedgedoc.nix {}; herbstluftwm = handleTest ./herbstluftwm.nix {}; homepage-dashboard = handleTest ./homepage-dashboard.nix {}; + honk = runTest ./honk.nix; installed-tests = pkgs.recurseIntoAttrs (handleTest ./installed-tests {}); invidious = handleTest ./invidious.nix {}; oci-containers = handleTestOn ["aarch64-linux" "x86_64-linux"] ./oci-containers.nix {}; odoo = handleTest ./odoo.nix {}; + odoo15 = handleTest ./odoo.nix { package = pkgs.odoo15; }; # 9pnet_virtio used to mount /nix partition doesn't support # hibernation. This test happens to work on x86_64-linux but # not on other platforms. @@ -443,7 +446,7 @@ in { loki = handleTest ./loki.nix {}; luks = handleTest ./luks.nix {}; lvm2 = handleTest ./lvm2 {}; - lxd = handleTest ./lxd {}; + lxd = pkgs.recurseIntoAttrs (handleTest ./lxd {}); lxd-image-server = handleTest ./lxd-image-server.nix {}; #logstash = handleTest ./logstash.nix {}; lorri = handleTest ./lorri/default.nix {}; @@ -672,6 +675,7 @@ in { rabbitmq = handleTest ./rabbitmq.nix {}; radarr = handleTest ./radarr.nix {}; radicale = handleTest ./radicale.nix {}; + ragnarwm = handleTest ./ragnarwm.nix {}; rasdaemon = handleTest ./rasdaemon.nix {}; readarr = handleTest ./readarr.nix {}; redis = handleTest ./redis.nix {}; @@ -831,6 +835,7 @@ in { uptime-kuma = handleTest ./uptime-kuma.nix {}; usbguard = handleTest ./usbguard.nix {}; user-activation-scripts = handleTest ./user-activation-scripts.nix {}; + user-expiry = runTest ./user-expiry.nix; user-home-mode = handleTest ./user-home-mode.nix {}; uwsgi = handleTest ./uwsgi.nix {}; v2ray = handleTest ./v2ray.nix {}; diff --git a/nixpkgs/nixos/tests/dconf.nix b/nixpkgs/nixos/tests/dconf.nix new file mode 100644 index 000000000000..86f703e3b98e --- /dev/null +++ b/nixpkgs/nixos/tests/dconf.nix @@ -0,0 +1,34 @@ +import ./make-test-python.nix + ({ lib, ... }: + { + name = "dconf"; + + meta.maintainers = with lib.maintainers; [ + linsui + ]; + + nodes.machine = { config, pkgs, lib, ... }: { + users.extraUsers.alice = { isNormalUser = true; }; + programs.dconf = with lib.gvariant; { + enable = true; + profiles.user.databases = [ + { + settings = { + "test/not/locked" = mkInt32 1; + "test/is/locked" = "locked"; + }; + locks = [ + "/test/is/locked" + ]; + } + ]; + }; + }; + + testScript = '' + machine.succeed("test $(dconf read -d /test/not/locked) == 1") + machine.succeed("test $(dconf read -d /test/is/locked) == \"'locked'\"") + machine.fail("sudo -u alice dbus-run-session -- dconf write /test/is/locked \"@s 'unlocked'\"") + machine.succeed("sudo -u alice dbus-run-session -- dconf write /test/not/locked \"@i 2\"") + ''; + }) diff --git a/nixpkgs/nixos/tests/dolibarr.nix b/nixpkgs/nixos/tests/dolibarr.nix index 2f012a0c67da..4fdee9e9698f 100644 --- a/nixpkgs/nixos/tests/dolibarr.nix +++ b/nixpkgs/nixos/tests/dolibarr.nix @@ -50,7 +50,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { # Now, we have installed the machine, let's verify we still have the right configuration. assert 'nixos' in machine.succeed("cat /var/lib/dolibarr/conf.php") # We do not want any redirect now as we have installed the machine. - machine.succeed('curl -f -X POST http://localhost') + machine.succeed('curl -f -X GET http://localhost') # Test authentication to the webservice. parser = TokenParser() parser.feed(machine.succeed('curl -f -X GET http://localhost/index.php?mainmenu=login&username=root')) diff --git a/nixpkgs/nixos/tests/honk.nix b/nixpkgs/nixos/tests/honk.nix new file mode 100644 index 000000000000..71d86a592439 --- /dev/null +++ b/nixpkgs/nixos/tests/honk.nix @@ -0,0 +1,32 @@ +{ lib, ... }: + +{ + name = "honk-server"; + + nodes = { + machine = { pkgs, ... }: { + services.honk = { + enable = true; + host = "0.0.0.0"; + port = 8080; + username = "username"; + passwordFile = "${pkgs.writeText "honk-password" "secure"}"; + servername = "servername"; + }; + }; + }; + + testScript = '' + machine.start() + machine.wait_for_unit("honk.service") + machine.wait_for_open_port(8080) + + machine.stop_job("honk") + machine.wait_for_closed_port(8080) + + machine.start_job("honk") + machine.wait_for_open_port(8080) + ''; + + meta.maintainers = [ lib.maintainers.drupol ]; +} diff --git a/nixpkgs/nixos/tests/lxd/nftables.nix b/nixpkgs/nixos/tests/lxd/nftables.nix index b85caa9eb368..d98bd4952906 100644 --- a/nixpkgs/nixos/tests/lxd/nftables.nix +++ b/nixpkgs/nixos/tests/lxd/nftables.nix @@ -20,8 +20,8 @@ import ../make-test-python.nix ({ pkgs, ...} : { networking = { firewall.enable = false; nftables.enable = true; - nftables.ruleset = '' - table inet filter { + nftables.tables."filter".family = "inet"; + nftables.tables."filter".content = '' chain incoming { type filter hook input priority 0; policy accept; @@ -36,7 +36,6 @@ import ../make-test-python.nix ({ pkgs, ...} : { type filter hook output priority 0; policy accept; } - } ''; }; }; diff --git a/nixpkgs/nixos/tests/odoo.nix b/nixpkgs/nixos/tests/odoo.nix index 7c2cf31370f9..00ae4a2137d1 100644 --- a/nixpkgs/nixos/tests/odoo.nix +++ b/nixpkgs/nixos/tests/odoo.nix @@ -1,4 +1,4 @@ -import ./make-test-python.nix ({ pkgs, lib, ...} : { +import ./make-test-python.nix ({ pkgs, lib, package ? pkgs.odoo, ...} : { name = "odoo"; meta.maintainers = with lib.maintainers; [ mkg20001 ]; @@ -11,6 +11,7 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { services.odoo = { enable = true; + package = package; domain = "localhost"; }; }; diff --git a/nixpkgs/nixos/tests/prometheus-exporters.nix b/nixpkgs/nixos/tests/prometheus-exporters.nix index d86f8ac634e8..306c5e071e75 100644 --- a/nixpkgs/nixos/tests/prometheus-exporters.nix +++ b/nixpkgs/nixos/tests/prometheus-exporters.nix @@ -716,6 +716,41 @@ let ''; }; + mysqld = { + exporterConfig = { + enable = true; + runAsLocalSuperUser = true; + configFile = pkgs.writeText "test-prometheus-exporter-mysqld-config.my-cnf" '' + [client] + user = exporter + password = snakeoilpassword + ''; + }; + metricProvider = { + services.mysql = { + enable = true; + package = pkgs.mariadb; + initialScript = pkgs.writeText "mysql-init-script.sql" '' + CREATE USER 'exporter'@'localhost' + IDENTIFIED BY 'snakeoilpassword' + WITH MAX_USER_CONNECTIONS 3; + GRANT PROCESS, REPLICATION CLIENT, SLAVE MONITOR, SELECT ON *.* TO 'exporter'@'localhost'; + ''; + }; + }; + exporterTest = '' + wait_for_unit("prometheus-mysqld-exporter.service") + wait_for_open_port(9104) + wait_for_unit("mysql.service") + succeed("curl -sSf http://localhost:9104/metrics | grep 'mysql_up 1'") + systemctl("stop mysql.service") + succeed("curl -sSf http://localhost:9104/metrics | grep 'mysql_up 0'") + systemctl("start mysql.service") + wait_for_unit("mysql.service") + succeed("curl -sSf http://localhost:9104/metrics | grep 'mysql_up 1'") + ''; + }; + nextcloud = { exporterConfig = { enable = true; @@ -1387,8 +1422,7 @@ let unbound = { exporterConfig = { enable = true; - fetchType = "uds"; - controlInterface = "/run/unbound/unbound.ctl"; + unbound.host = "unix:///run/unbound/unbound.ctl"; }; metricProvider = { services.unbound = { @@ -1403,7 +1437,7 @@ let wait_for_unit("unbound.service") wait_for_unit("prometheus-unbound-exporter.service") wait_for_open_port(9167) - succeed("curl -sSf localhost:9167/metrics | grep 'unbound_up 1'") + wait_until_succeeds("curl -sSf localhost:9167/metrics | grep 'unbound_up 1'") ''; }; diff --git a/nixpkgs/nixos/tests/ragnarwm.nix b/nixpkgs/nixos/tests/ragnarwm.nix new file mode 100644 index 000000000000..f7c588b92008 --- /dev/null +++ b/nixpkgs/nixos/tests/ragnarwm.nix @@ -0,0 +1,32 @@ +import ./make-test-python.nix ({ lib, ...} : { + name = "ragnarwm"; + + meta = { + maintainers = with lib.maintainers; [ sigmanificient ]; + }; + + nodes.machine = { pkgs, lib, ... }: { + imports = [ ./common/x11.nix ./common/user-account.nix ]; + test-support.displayManager.auto.user = "alice"; + services.xserver.displayManager.defaultSession = lib.mkForce "ragnar"; + services.xserver.windowManager.ragnarwm.enable = true; + + # Setup the default terminal of Ragnar + environment.systemPackages = [ pkgs.alacritty ]; + }; + + testScript = '' + with subtest("ensure x starts"): + machine.wait_for_x() + machine.wait_for_file("/home/alice/.Xauthority") + machine.succeed("xauth merge ~alice/.Xauthority") + + with subtest("ensure we can open a new terminal"): + # Sleeping a bit before the test, as it may help for sending keys + machine.sleep(2) + machine.send_key("meta_l-ret") + machine.wait_for_window(r"alice.*?machine") + machine.sleep(2) + machine.screenshot("terminal") + ''; +}) diff --git a/nixpkgs/nixos/tests/switch-test.nix b/nixpkgs/nixos/tests/switch-test.nix index 53595ae7d3e2..529a20864206 100644 --- a/nixpkgs/nixos/tests/switch-test.nix +++ b/nixpkgs/nixos/tests/switch-test.nix @@ -450,7 +450,7 @@ in { ]; }; - mountModified.configuration = { + mountOptionsModified.configuration = { systemd.mounts = [ { description = "Testmount"; @@ -463,6 +463,19 @@ in { ]; }; + mountModified.configuration = { + systemd.mounts = [ + { + description = "Testmount"; + what = "ramfs"; + type = "ramfs"; + where = "/testmount"; + options = "size=10M"; + wantedBy = [ "local-fs.target" ]; + } + ]; + }; + timer.configuration = { systemd.timers.test-timer = { wantedBy = [ "timers.target" ]; @@ -1137,7 +1150,8 @@ in { switch_to_specialisation("${machine}", "mount") out = machine.succeed("mount | grep 'on /testmount'") assert_contains(out, "size=1024k") - out = switch_to_specialisation("${machine}", "mountModified") + # Changing options reloads the unit + out = switch_to_specialisation("${machine}", "mountOptionsModified") assert_lacks(out, "stopping the following units:") assert_lacks(out, "NOT restarting the following changed units:") assert_contains(out, "reloading the following units: testmount.mount\n") @@ -1147,6 +1161,17 @@ in { # It changed out = machine.succeed("mount | grep 'on /testmount'") assert_contains(out, "size=10240k") + # Changing anything but `Options=` restarts the unit + out = switch_to_specialisation("${machine}", "mountModified") + assert_lacks(out, "stopping the following units:") + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "reloading the following units:") + assert_contains(out, "\nrestarting the following units: testmount.mount\n") + assert_lacks(out, "\nstarting the following units:") + assert_lacks(out, "the following new units were started:") + # It changed + out = machine.succeed("mount | grep 'on /testmount'") + assert_contains(out, "ramfs") with subtest("timers"): switch_to_specialisation("${machine}", "timer") diff --git a/nixpkgs/nixos/tests/user-expiry.nix b/nixpkgs/nixos/tests/user-expiry.nix new file mode 100644 index 000000000000..bcaed7a0ccb0 --- /dev/null +++ b/nixpkgs/nixos/tests/user-expiry.nix @@ -0,0 +1,70 @@ +let + alice = "alice"; + bob = "bob"; + eve = "eve"; + passwd = "pass1"; +in +{ + name = "user-expiry"; + + nodes = { + machine = { + users.users = { + ${alice} = { + initialPassword = passwd; + isNormalUser = true; + expires = "1990-01-01"; + }; + ${bob} = { + initialPassword = passwd; + isNormalUser = true; + expires = "2990-01-01"; + }; + ${eve} = { + initialPassword = passwd; + isNormalUser = true; + }; + }; + }; + }; + + testScript = '' + def switch_to_tty(tty_number): + machine.fail(f"pgrep -f 'agetty.*tty{tty_number}'") + machine.send_key(f"alt-f{tty_number}") + machine.wait_until_succeeds(f"[ $(fgconsole) = {tty_number} ]") + machine.wait_for_unit(f"getty@tty{tty_number}.service") + machine.wait_until_succeeds(f"pgrep -f 'agetty.*tty{tty_number}'") + + + machine.wait_for_unit("multi-user.target") + machine.wait_for_unit("getty@tty1.service") + + with subtest("${alice} cannot login"): + machine.wait_until_tty_matches("1", "login: ") + machine.send_chars("${alice}\n") + machine.wait_until_tty_matches("1", "Password: ") + machine.send_chars("${passwd}\n") + + machine.wait_until_succeeds("journalctl --grep='account ${alice} has expired \\(account expired\\)'") + machine.wait_until_tty_matches("1", "login: ") + + with subtest("${bob} can login"): + switch_to_tty(2) + machine.wait_until_tty_matches("2", "login: ") + machine.send_chars("${bob}\n") + machine.wait_until_tty_matches("2", "Password: ") + machine.send_chars("${passwd}\n") + + machine.wait_until_succeeds("pgrep -u ${bob} bash") + + with subtest("${eve} can login"): + switch_to_tty(3) + machine.wait_until_tty_matches("3", "login: ") + machine.send_chars("${eve}\n") + machine.wait_until_tty_matches("3", "Password: ") + machine.send_chars("${passwd}\n") + + machine.wait_until_succeeds("pgrep -u ${eve} bash") + ''; +} |