diff options
author | Alyssa Ross <hi@alyssa.is> | 2024-01-10 01:11:23 +0100 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2024-01-10 01:11:23 +0100 |
commit | c8d05d8abadb244bc4e6cee75d450978d1f09a61 (patch) | |
tree | 2d710425b8e3f78e84d5e46abb3397cb1b34ec18 /nixpkgs/nixos | |
parent | ad899504860973e98351c922ecb934595f2c0f19 (diff) | |
parent | 0ed96eed101462bf05e1e99e1bbadcd49b4eb302 (diff) | |
download | nixlib-c8d05d8abadb244bc4e6cee75d450978d1f09a61.tar nixlib-c8d05d8abadb244bc4e6cee75d450978d1f09a61.tar.gz nixlib-c8d05d8abadb244bc4e6cee75d450978d1f09a61.tar.bz2 nixlib-c8d05d8abadb244bc4e6cee75d450978d1f09a61.tar.lz nixlib-c8d05d8abadb244bc4e6cee75d450978d1f09a61.tar.xz nixlib-c8d05d8abadb244bc4e6cee75d450978d1f09a61.tar.zst nixlib-c8d05d8abadb244bc4e6cee75d450978d1f09a61.zip |
Merge branch 'nixos-unstable-small' of https://github.com/NixOS/nixpkgs
Diffstat (limited to 'nixpkgs/nixos')
-rw-r--r-- | nixpkgs/nixos/doc/manual/release-notes/rl-2405.section.md | 5 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/module-list.nix | 2 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/programs/firefox.nix | 1 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/security/pam.nix | 7 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/services/development/nixseparatedebuginfod.nix | 105 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix | 323 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/tasks/filesystems/bcachefs.nix | 9 | ||||
-rw-r--r-- | nixpkgs/nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixpkgs/nixos/tests/installer.nix | 62 | ||||
-rw-r--r-- | nixpkgs/nixos/tests/nixseparatedebuginfod.nix | 80 | ||||
-rw-r--r-- | nixpkgs/nixos/tests/typesense.nix | 3 |
11 files changed, 527 insertions, 71 deletions
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2405.section.md b/nixpkgs/nixos/doc/manual/release-notes/rl-2405.section.md index 8021c0e040f2..9860eca88b57 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-2405.section.md +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2405.section.md @@ -10,6 +10,8 @@ In addition to numerous new and upgraded packages, this release has the followin - `screen`'s module has been cleaned, and will now require you to set `programs.screen.enable` in order to populate `screenrc` and add the program to the environment. +- `linuxPackages_testing_bcachefs` is now fully deprecated by `linuxPackages_testing`, and is therefore no longer available. + - NixOS now installs a stub ELF loader that prints an informative error message when users attempt to run binaries not made for NixOS. - This can be disabled through the `environment.stub-ld.enable` option. - If you use `programs.nix-ld.enable`, no changes are needed. The stub will be disabled automatically. @@ -93,6 +95,9 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `systemd.oomd.enableUserServices` is renamed to `systemd.oomd.enableUserSlices`. +- `security.pam.enableSSHAgentAuth` now requires `services.openssh.authorizedKeysFiles` to be non-empty, + which is the case when `services.openssh.enable` is true. Previously, `pam_ssh_agent_auth` silently failed to work. + ## Other Notable Changes {#sec-release-24.05-notable-changes} <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> diff --git a/nixpkgs/nixos/modules/module-list.nix b/nixpkgs/nixos/modules/module-list.nix index 29004f3e304d..7b7b37c123b4 100644 --- a/nixpkgs/nixos/modules/module-list.nix +++ b/nixpkgs/nixos/modules/module-list.nix @@ -497,6 +497,7 @@ ./services/development/jupyterhub/default.nix ./services/development/livebook.nix ./services/development/lorri.nix + ./services/development/nixseparatedebuginfod.nix ./services/development/rstudio-server/default.nix ./services/development/zammad.nix ./services/display-managers/greetd.nix @@ -1176,6 +1177,7 @@ ./services/search/typesense.nix ./services/security/aesmd.nix ./services/security/authelia.nix + ./services/security/bitwarden-directory-connector-cli.nix ./services/security/certmgr.nix ./services/security/cfssl.nix ./services/security/clamav.nix diff --git a/nixpkgs/nixos/modules/programs/firefox.nix b/nixpkgs/nixos/modules/programs/firefox.nix index 1edf935d1649..29c567783e27 100644 --- a/nixpkgs/nixos/modules/programs/firefox.nix +++ b/nixpkgs/nixos/modules/programs/firefox.nix @@ -284,6 +284,7 @@ in # Preferences are converted into a policy programs.firefox.policies = { + DisableAppUpdate = true; Preferences = (mapAttrs (_: value: { Value = value; Status = cfg.preferencesStatus; }) cfg.preferences); diff --git a/nixpkgs/nixos/modules/security/pam.nix b/nixpkgs/nixos/modules/security/pam.nix index c99615d5a636..2f777f874f23 100644 --- a/nixpkgs/nixos/modules/security/pam.nix +++ b/nixpkgs/nixos/modules/security/pam.nix @@ -1456,6 +1456,13 @@ in `security.pam.zfs.enable` requires enabling ZFS (`boot.zfs.enabled` or `boot.zfs.enableUnstable`). ''; } + { + assertion = config.security.pam.enableSSHAgentAuth -> config.services.openssh.authorizedKeysFiles != []; + message = '' + `security.pam.enableSSHAgentAuth` requires `services.openssh.authorizedKeysFiles` to be a non-empty list. + Did you forget to set `services.openssh.enable` ? + ''; + } ]; environment.systemPackages = diff --git a/nixpkgs/nixos/modules/services/development/nixseparatedebuginfod.nix b/nixpkgs/nixos/modules/services/development/nixseparatedebuginfod.nix new file mode 100644 index 000000000000..daf85153d339 --- /dev/null +++ b/nixpkgs/nixos/modules/services/development/nixseparatedebuginfod.nix @@ -0,0 +1,105 @@ +{ pkgs, lib, config, ... }: +let + cfg = config.services.nixseparatedebuginfod; + url = "127.0.0.1:${toString cfg.port}"; +in +{ + options = { + services.nixseparatedebuginfod = { + enable = lib.mkEnableOption "separatedebuginfod, a debuginfod server providing source and debuginfo for nix packages"; + port = lib.mkOption { + description = "port to listen"; + default = 1949; + type = lib.types.port; + }; + nixPackage = lib.mkOption { + type = lib.types.package; + default = pkgs.nix; + defaultText = lib.literalExpression "pkgs.nix"; + description = '' + The version of nix that nixseparatedebuginfod should use as client for the nix daemon. It is strongly advised to use nix version >= 2.18, otherwise some debug info may go missing. + ''; + }; + allowOldNix = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Do not fail evaluation when {option}`services.nixseparatedebuginfod.nixPackage` is older than nix 2.18. + ''; + }; + }; + }; + config = lib.mkIf cfg.enable { + assertions = [ { + assertion = cfg.allowOldNix || (lib.versionAtLeast cfg.nixPackage.version "2.18"); + message = "nixseparatedebuginfod works better when `services.nixseparatedebuginfod.nixPackage` is set to nix >= 2.18 (instead of ${cfg.nixPackage.name}). Set `services.nixseparatedebuginfod.allowOldNix` to bypass."; + } ]; + + systemd.services.nixseparatedebuginfod = { + wantedBy = [ "multi-user.target" ]; + wants = [ "nix-daemon.service" ]; + after = [ "nix-daemon.service" ]; + path = [ cfg.nixPackage ]; + serviceConfig = { + ExecStart = [ "${pkgs.nixseparatedebuginfod}/bin/nixseparatedebuginfod -l ${url}" ]; + Restart = "on-failure"; + CacheDirectory = "nixseparatedebuginfod"; + # nix does not like DynamicUsers in allowed-users + User = "nixseparatedebuginfod"; + Group = "nixseparatedebuginfod"; + + # hardening + # Filesystem stuff + ProtectSystem = "strict"; # Prevent writing to most of / + ProtectHome = true; # Prevent accessing /home and /root + PrivateTmp = true; # Give an own directory under /tmp + PrivateDevices = true; # Deny access to most of /dev + ProtectKernelTunables = true; # Protect some parts of /sys + ProtectControlGroups = true; # Remount cgroups read-only + RestrictSUIDSGID = true; # Prevent creating SETUID/SETGID files + PrivateMounts = true; # Give an own mount namespace + RemoveIPC = true; + UMask = "0077"; + + # Capabilities + CapabilityBoundingSet = ""; # Allow no capabilities at all + NoNewPrivileges = true; # Disallow getting more capabilities. This is also implied by other options. + + # Kernel stuff + ProtectKernelModules = true; # Prevent loading of kernel modules + SystemCallArchitectures = "native"; # Usually no need to disable this + ProtectKernelLogs = true; # Prevent access to kernel logs + ProtectClock = true; # Prevent setting the RTC + + # Networking + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; + + # Misc + LockPersonality = true; # Prevent change of the personality + ProtectHostname = true; # Give an own UTS namespace + RestrictRealtime = true; # Prevent switching to RT scheduling + MemoryDenyWriteExecute = true; # Maybe disable this for interpreters like python + RestrictNamespaces = true; + }; + }; + + users.users.nixseparatedebuginfod = { + isSystemUser = true; + group = "nixseparatedebuginfod"; + }; + + users.groups.nixseparatedebuginfod = { }; + + nix.settings.extra-allowed-users = [ "nixseparatedebuginfod" ]; + + environment.variables.DEBUGINFOD_URLS = "http://${url}"; + + environment.systemPackages = [ + # valgrind support requires debuginfod-find on PATH + (lib.getBin pkgs.elfutils) + ]; + + environment.etc."gdb/gdbinit.d/nixseparatedebuginfod.gdb".text = "set debuginfod enabled on"; + + }; +} diff --git a/nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix b/nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix new file mode 100644 index 000000000000..18c02e22fd7e --- /dev/null +++ b/nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix @@ -0,0 +1,323 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; let + cfg = config.services.bitwarden-directory-connector-cli; +in { + options.services.bitwarden-directory-connector-cli = { + enable = mkEnableOption "Bitwarden Directory Connector"; + + package = mkPackageOption pkgs "bitwarden-directory-connector-cli" {}; + + domain = mkOption { + type = types.str; + description = lib.mdDoc "The domain the Bitwarden/Vaultwarden is accessible on."; + example = "https://vaultwarden.example.com"; + }; + + user = mkOption { + type = types.str; + description = lib.mdDoc "User to run the program."; + default = "bwdc"; + }; + + interval = mkOption { + type = types.str; + default = "*:0,15,30,45"; + description = lib.mdDoc "The interval when to run the connector. This uses systemd's OnCalendar syntax."; + }; + + ldap = mkOption { + description = lib.mdDoc '' + Options to configure the LDAP connection. + If you used the desktop application to test the configuration you can find the settings by searching for `ldap` in `~/.config/Bitwarden\ Directory\ Connector/data.json`. + ''; + default = {}; + type = types.submodule ({ + config, + options, + ... + }: { + freeformType = types.attrsOf (pkgs.formats.json {}).type; + + config.finalJSON = builtins.toJSON (removeAttrs config (filter (x: x == "finalJSON" || ! options.${x}.isDefined or false) (attrNames options))); + + options = { + finalJSON = mkOption { + type = (pkgs.formats.json {}).type; + internal = true; + readOnly = true; + visible = false; + }; + + ssl = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Whether to use TLS."; + }; + startTls = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Whether to use STARTTLS."; + }; + + hostname = mkOption { + type = types.str; + description = lib.mdDoc "The host the LDAP is accessible on."; + example = "ldap.example.com"; + }; + + port = mkOption { + type = types.port; + default = 389; + description = lib.mdDoc "Port LDAP is accessible on."; + }; + + ad = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Whether the LDAP Server is an Active Directory."; + }; + + pagedSearch = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Whether the LDAP server paginates search results."; + }; + + rootPath = mkOption { + type = types.str; + description = lib.mdDoc "Root path for LDAP."; + example = "dc=example,dc=com"; + }; + + username = mkOption { + type = types.str; + description = lib.mdDoc "The user to authenticate as."; + example = "cn=admin,dc=example,dc=com"; + }; + }; + }); + }; + + sync = mkOption { + description = lib.mdDoc '' + Options to configure what gets synced. + If you used the desktop application to test the configuration you can find the settings by searching for `sync` in `~/.config/Bitwarden\ Directory\ Connector/data.json`. + ''; + default = {}; + type = types.submodule ({ + config, + options, + ... + }: { + freeformType = types.attrsOf (pkgs.formats.json {}).type; + + config.finalJSON = builtins.toJSON (removeAttrs config (filter (x: x == "finalJSON" || ! options.${x}.isDefined or false) (attrNames options))); + + options = { + finalJSON = mkOption { + type = (pkgs.formats.json {}).type; + internal = true; + readOnly = true; + visible = false; + }; + + removeDisabled = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc "Remove users from bitwarden groups if no longer in the ldap group."; + }; + + overwriteExisting = mkOption { + type = types.bool; + default = false; + description = + lib.mdDoc "Remove and re-add users/groups, See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details."; + }; + + largeImport = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Enable if you are syncing more than 2000 users/groups."; + }; + + memberAttribute = mkOption { + type = types.str; + description = lib.mdDoc "Attribute that lists members in a LDAP group."; + example = "uniqueMember"; + }; + + creationDateAttribute = mkOption { + type = types.str; + description = lib.mdDoc "Attribute that lists a user's creation date."; + example = "whenCreated"; + }; + + useEmailPrefixSuffix = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "If a user has no email address, combine a username prefix with a suffix value to form an email."; + }; + emailPrefixAttribute = mkOption { + type = types.str; + description = lib.mdDoc "The attribute that contains the users username."; + example = "accountName"; + }; + emailSuffix = mkOption { + type = types.str; + description = lib.mdDoc "Suffix for the email, normally @example.com."; + example = "@example.com"; + }; + + users = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Sync users."; + }; + userPath = mkOption { + type = types.str; + description = lib.mdDoc "User directory, relative to root."; + default = "ou=users"; + }; + userObjectClass = mkOption { + type = types.str; + description = lib.mdDoc "Class that users must have."; + default = "inetOrgPerson"; + }; + userEmailAttribute = mkOption { + type = types.str; + description = lib.mdDoc "Attribute for a users email."; + default = "mail"; + }; + userFilter = mkOption { + type = types.str; + description = lib.mdDoc "LDAP filter for users."; + example = "(memberOf=cn=sales,ou=groups,dc=example,dc=com)"; + default = ""; + }; + + groups = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Whether to sync ldap groups into BitWarden."; + }; + groupPath = mkOption { + type = types.str; + description = lib.mdDoc "Group directory, relative to root."; + default = "ou=groups"; + }; + groupObjectClass = mkOption { + type = types.str; + description = lib.mdDoc "A class that groups will have."; + default = "groupOfNames"; + }; + groupNameAttribute = mkOption { + type = types.str; + description = lib.mdDoc "Attribute for a name of group."; + default = "cn"; + }; + groupFilter = mkOption { + type = types.str; + description = lib.mdDoc "LDAP filter for groups."; + example = "(cn=sales)"; + default = ""; + }; + }; + }); + }; + + secrets = { + ldap = mkOption { + type = types.str; + description = "Path to file that contains LDAP password for user in {option}`ldap.username"; + }; + + bitwarden = { + client_path_id = mkOption { + type = types.str; + description = "Path to file that contains Client ID."; + }; + client_path_secret = mkOption { + type = types.str; + description = "Path to file that contains Client Secret."; + }; + }; + }; + }; + + config = mkIf cfg.enable { + users.groups."${cfg.user}" = {}; + users.users."${cfg.user}" = { + isSystemUser = true; + group = cfg.user; + }; + + systemd = { + timers.bitwarden-directory-connector-cli = { + description = "Sync timer for Bitwarden Directory Connector"; + wantedBy = ["timers.target"]; + after = ["network-online.target"]; + timerConfig = { + OnCalendar = cfg.interval; + Unit = "bitwarden-directory-connector-cli.service"; + Persistent = true; + }; + }; + + services.bitwarden-directory-connector-cli = { + description = "Main process for Bitwarden Directory Connector"; + path = [pkgs.jq]; + + environment = { + BITWARDENCLI_CONNECTOR_APPDATA_DIR = "/tmp"; + BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS = "true"; + }; + + serviceConfig = { + Type = "oneshot"; + User = "${cfg.user}"; + PrivateTmp = true; + preStart = '' + set -eo pipefail + + # create the config file + ${lib.getExe cfg.package} data-file + touch /tmp/data.json.tmp + chmod 600 /tmp/data.json{,.tmp} + + ${lib.getExe cfg.package} config server ${cfg.domain} + + # now login to set credentials + export BW_CLIENTID="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_id})" + export BW_CLIENTSECRET="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_secret})" + ${lib.getExe cfg.package} login + + jq '.authenticatedAccounts[0] as $account + | .[$account].directoryConfigurations.ldap |= $ldap_data + | .[$account].directorySettings.organizationId |= $orgID + | .[$account].directorySettings.sync |= $sync_data' \ + --argjson ldap_data ${escapeShellArg cfg.ldap.finalJSON} \ + --arg orgID "''${BW_CLIENTID//organization.}" \ + --argjson sync_data ${escapeShellArg cfg.sync.finalJSON} \ + /tmp/data.json \ + > /tmp/data.json.tmp + + mv -f /tmp/data.json.tmp /tmp/data.json + + # final config + ${lib.getExe cfg.package} config directory 0 + ${lib.getExe cfg.package} config ldap.password --secretfile ${cfg.secrets.ldap} + ''; + + ExecStart = "${lib.getExe cfg.package} sync"; + }; + }; + }; + }; + + meta.maintainers = with maintainers; [Silver-Golden]; +} diff --git a/nixpkgs/nixos/modules/tasks/filesystems/bcachefs.nix b/nixpkgs/nixos/modules/tasks/filesystems/bcachefs.nix index 85cbe72e433f..e771b706bece 100644 --- a/nixpkgs/nixos/modules/tasks/filesystems/bcachefs.nix +++ b/nixpkgs/nixos/modules/tasks/filesystems/bcachefs.nix @@ -123,15 +123,8 @@ in inherit assertions; # needed for systemd-remount-fs system.fsPackages = [ pkgs.bcachefs-tools ]; - - # FIXME: Replace this with `linuxPackages_testing` after NixOS 23.11 is released # FIXME: Replace this with `linuxPackages_latest` when 6.7 is released, remove this line when the LTS version is at least 6.7 - boot.kernelPackages = lib.mkDefault ( - # FIXME: Remove warning after NixOS 23.11 is released - lib.warn "Please upgrade to Linux 6.7-rc1 or later: 'linuxPackages_testing_bcachefs' is deprecated. Use 'boot.kernelPackages = pkgs.linuxPackages_testing;' to silence this warning" - pkgs.linuxPackages_testing_bcachefs - ); - + boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_testing; systemd.services = lib.mapAttrs' (mkUnits "") (lib.filterAttrs (n: fs: (fs.fsType == "bcachefs") && (!utils.fsNeededForBoot fs)) config.fileSystems); } diff --git a/nixpkgs/nixos/tests/all-tests.nix b/nixpkgs/nixos/tests/all-tests.nix index 02e3e91e2e3d..a0aa4d4f6a0a 100644 --- a/nixpkgs/nixos/tests/all-tests.nix +++ b/nixpkgs/nixos/tests/all-tests.nix @@ -605,6 +605,7 @@ in { nixos-rebuild-install-bootloader = handleTestOn ["x86_64-linux"] ./nixos-rebuild-install-bootloader.nix {}; nixos-rebuild-specialisations = handleTestOn ["x86_64-linux"] ./nixos-rebuild-specialisations.nix {}; nixpkgs = pkgs.callPackage ../modules/misc/nixpkgs/test.nix { inherit evalMinimalConfig; }; + nixseparatedebuginfod = handleTest ./nixseparatedebuginfod.nix {}; node-red = handleTest ./node-red.nix {}; nomad = handleTest ./nomad.nix {}; non-default-filesystems = handleTest ./non-default-filesystems.nix {}; diff --git a/nixpkgs/nixos/tests/installer.nix b/nixpkgs/nixos/tests/installer.nix index d83e49a3e8f7..eff2ba05d2f1 100644 --- a/nixpkgs/nixos/tests/installer.nix +++ b/nixpkgs/nixos/tests/installer.nix @@ -1266,68 +1266,6 @@ in { ''; }; - bcachefsLinuxTesting = makeInstallerTest "bcachefs-linux-testing" { - extraInstallerConfig = { - imports = [ no-zfs-module ]; - - boot = { - supportedFilesystems = [ "bcachefs" ]; - kernelPackages = pkgs.linuxPackages_testing; - }; - }; - - extraConfig = '' - boot.kernelPackages = pkgs.linuxPackages_testing; - ''; - - createPartitions = '' - machine.succeed( - "flock /dev/vda parted --script /dev/vda -- mklabel msdos" - + " mkpart primary ext2 1M 100MB" # /boot - + " mkpart primary linux-swap 100M 1024M" # swap - + " mkpart primary 1024M -1s", # / - "udevadm settle", - "mkswap /dev/vda2 -L swap", - "swapon -L swap", - "mkfs.bcachefs -L root /dev/vda3", - "mount -t bcachefs /dev/vda3 /mnt", - "mkfs.ext3 -L boot /dev/vda1", - "mkdir -p /mnt/boot", - "mount /dev/vda1 /mnt/boot", - ) - ''; - }; - - bcachefsUpgradeToLinuxTesting = makeInstallerTest "bcachefs-upgrade-to-linux-testing" { - extraInstallerConfig = { - imports = [ no-zfs-module ]; - boot.supportedFilesystems = [ "bcachefs" ]; - # We don't have network access in the VM, we need this for `nixos-install` - system.extraDependencies = [ pkgs.linux_testing ]; - }; - - extraConfig = '' - boot.kernelPackages = pkgs.linuxPackages_testing; - ''; - - createPartitions = '' - machine.succeed( - "flock /dev/vda parted --script /dev/vda -- mklabel msdos" - + " mkpart primary ext2 1M 100MB" # /boot - + " mkpart primary linux-swap 100M 1024M" # swap - + " mkpart primary 1024M -1s", # / - "udevadm settle", - "mkswap /dev/vda2 -L swap", - "swapon -L swap", - "mkfs.bcachefs -L root /dev/vda3", - "mount -t bcachefs /dev/vda3 /mnt", - "mkfs.ext3 -L boot /dev/vda1", - "mkdir -p /mnt/boot", - "mount /dev/vda1 /mnt/boot", - ) - ''; - }; - # Test using labels to identify volumes in grub simpleLabels = makeInstallerTest "simpleLabels" { createPartitions = '' diff --git a/nixpkgs/nixos/tests/nixseparatedebuginfod.nix b/nixpkgs/nixos/tests/nixseparatedebuginfod.nix new file mode 100644 index 000000000000..7c192a73c706 --- /dev/null +++ b/nixpkgs/nixos/tests/nixseparatedebuginfod.nix @@ -0,0 +1,80 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: +let + secret-key = "key-name:/COlMSRbehSh6YSruJWjL+R0JXQUKuPEn96fIb+pLokEJUjcK/2Gv8Ai96D7JGay5gDeUTx5wdpPgNvum9YtwA=="; + public-key = "key-name:BCVI3Cv9hr/AIveg+yRmsuYA3lE8ecHaT4Db7pvWLcA="; +in +{ + name = "nixseparatedebuginfod"; + /* A binary cache with debug info and source for nix */ + nodes.cache = { pkgs, ... }: { + services.nix-serve = { + enable = true; + secretKeyFile = builtins.toFile "secret-key" secret-key; + openFirewall = true; + }; + system.extraDependencies = [ + pkgs.nix.debug + pkgs.nix.src + pkgs.sl + ]; + }; + /* the machine where we need the debuginfo */ + nodes.machine = { + imports = [ + ../modules/installer/cd-dvd/channel.nix + ]; + services.nixseparatedebuginfod.enable = true; + nix.settings = { + substituters = lib.mkForce [ "http://cache:5000" ]; + trusted-public-keys = [ public-key ]; + }; + environment.systemPackages = [ + pkgs.valgrind + pkgs.gdb + (pkgs.writeShellScriptBin "wait_for_indexation" '' + set -x + while debuginfod-find debuginfo /run/current-system/sw/bin/nix |& grep 'File too large'; do + sleep 1; + done + '') + ]; + }; + testScript = '' + start_all() + cache.wait_for_unit("nix-serve.service") + cache.wait_for_open_port(5000) + machine.wait_for_unit("nixseparatedebuginfod.service") + machine.wait_for_open_port(1949) + + with subtest("show the config to debug the test"): + machine.succeed("nix --extra-experimental-features nix-command show-config |& logger") + machine.succeed("cat /etc/nix/nix.conf |& logger") + with subtest("check that the binary cache works"): + machine.succeed("nix-store -r ${pkgs.sl}") + + # nixseparatedebuginfod needs .drv to associate executable -> source + # on regular systems this would be provided by nixos-rebuild + machine.succeed("nix-instantiate '<nixpkgs>' -A nix") + + machine.succeed("timeout 600 wait_for_indexation") + + # test debuginfod-find + machine.succeed("debuginfod-find debuginfo /run/current-system/sw/bin/nix") + + # test that gdb can fetch source + out = machine.succeed("gdb /run/current-system/sw/bin/nix --batch -x ${builtins.toFile "commands" '' + start + l + ''}") + print(out) + assert 'int main(' in out + + # test that valgrind can display location information + # this relies on the fact that valgrind complains about nix + # libgc helps in this regard, and we also ask valgrind to show leak kinds + # which are usually false positives. + out = machine.succeed("valgrind --leak-check=full --show-leak-kinds=all nix-env --version 2>&1") + print(out) + assert 'main.cc' in out + ''; +}) diff --git a/nixpkgs/nixos/tests/typesense.nix b/nixpkgs/nixos/tests/typesense.nix index 4f07a2e194be..87ed248257ea 100644 --- a/nixpkgs/nixos/tests/typesense.nix +++ b/nixpkgs/nixos/tests/typesense.nix @@ -18,6 +18,7 @@ in { testScript = '' machine.wait_for_unit("typesense.service") machine.wait_for_open_port(${toString testPort}) - assert machine.succeed("curl --fail http://localhost:${toString testPort}/health") == '{"ok":true}' + # After waiting for the port, typesense still hasn't initialized the database, so wait until we can connect successfully + assert machine.wait_until_succeeds("curl --fail http://localhost:${toString testPort}/health") == '{"ok":true}' ''; }) |