author | Alyssa Ross <hi@alyssa.is> | 2019-06-18 18:30:18 +0000 |
committer | Alyssa Ross <hi@alyssa.is> | 2019-06-18 18:30:18 +0000 |
commit | ef93931efff0323fd13c4270415b578c73b5ef35 (patch) | |
tree | e5b089306c481ce3237027bfb46c940fed1e2114 /nixpkgs/nixos | |
parent | c5571a126859eb658ffd7340cb580f7d91f12bb6 (diff) | |
parent | a1dd419c1ffacea87eba066a2bb332e03cb68f66 (diff) | |
Merge commit 'a1dd419c1ffacea87eba066a2bb332e03cb68f66'
Diffstat (limited to 'nixpkgs/nixos')
38 files changed, 748 insertions, 330 deletions
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml index 951040a0648f..2a3e565a6f6a 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml 
@@ -137,6 +137,40 @@ </para> </listitem> <listitem> + <para> + The option <option>systemd.network.networks.<name>.routes.*.routeConfig.GatewayOnlink</option> + was renamed to <option>systemd.network.networks.<name>.routes.*.routeConfig.GatewayOnLink</option> + (capital <literal>L</literal>). This follows + <link xlink:href="https://github.com/systemd/systemd/commit/9cb8c5593443d24c19e40bfd4fc06d672f8c554c"> + upstreams renaming + </link> of the setting. + </para> + </listitem> + <listitem> + <para> + As of this release the NixOps feature <literal>autoLuks</literal> is deprecated. It no longer works + with our systemd version without manual intervention. + </para> + <para> + Whenever the usage of the module is detected the evaluation will fail with a message + explaining why and how to deal with the situation. + </para> + <para> + A new knob named <literal>nixops.enableDeprecatedAutoLuks</literal> + has been introduced to disable the eval failure and to acknowledge the notice was received and read. + If you plan on using the feature please note that it might break with subsequent updates. + </para> + <para> + Make sure you set the <literal>_netdev</literal> option for each of the file systems referring to block + devices provided by the autoLuks module. Not doing this might render the system in a + state where it doesn't boot anymore. + </para> + <para> + If you are actively using the <literal>autoLuks</literal> module please let us know in + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/62211">issue #62211</link>. + </para> + </listitem> + <listitem> <para> The setopt declarations will be evaluated at the end of <literal>/etc/zshrc</literal>, so any code in <xref linkend="opt-programs.zsh.interactiveShellInit" />, <xref linkend="opt-programs.zsh.loginShellInit" /> and <xref linkend="opt-programs.zsh.promptInit" /> may break if it relies on those options being set. 
@@ -211,6 +245,50 @@ RuntimeDirectory and tmpfiles. </para> </listitem> + <listitem> + <para> + With the upgrade to systemd version 242 the <literal>systemd-timesyncd</literal> + service is no longer using <literal>DynamicUser=yes</literal>. In order for the + upgrade to work we rely on an activation script to move the state from the old + to the new directory. The older directory (prior <literal>19.09</literal>) was + <literal>/var/lib/private/systemd/timesync</literal>. + </para> + <para> + As long as the <literal>system.config.stateVersion</literal> is below + <literal>19.09</literal> the state folder will migrated to its proper location + (<literal>/var/lib/systemd/timesync</literal>), if required. + </para> + </listitem> + <listitem> + <para> + Since version 0.1.19, <literal>cargo-vendor</literal> honors package + includes that are specified in the <filename>Cargo.toml</filename> + file of Rust crates. <literal>rustPlatform.buildRustPackage</literal> uses + <literal>cargo-vendor</literal> to collect and build dependent crates. + Since this change in <literal>cargo-vendor</literal> changes the set of + vendored files for most Rust packages, the hash that use used to verify + the dependencies, <literal>cargoSha256</literal>, also changes. + </para> + <para> + The <literal>cargoSha256</literal> hashes of all in-tree derivations that + use <literal>buildRustPackage</literal> have been updated to reflect this + change. However, third-party derivations that use + <literal>buildRustPackage</literal> may have to be updated as well. + </para> + </listitem> + <listitem> + <para> + The default resample-method for PulseAudio has been changed from the upstream default <literal>speex-float-1</literal> + to <literal>speex-float-5</literal>. Be aware that low-powered ARM-based and MIPS-based boards will struggle with this + so you'll need to set <option>hardware.pulseaudio.daemon.config.resample-method</option> back to <literal>speex-float-1</literal>. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>phabricator</literal> package and associated <literal>httpd.extraSubservice</literal>, as well as the + <literal>phd</literal> service have been removed from nixpkgs due to lack of maintainer. + </para> + </listitem> </itemizedlist> </section> </section> diff --git a/nixpkgs/nixos/modules/config/pulseaudio.nix b/nixpkgs/nixos/modules/config/pulseaudio.nix index e61a3a731201..5c3e39302583 100644 --- a/nixpkgs/nixos/modules/config/pulseaudio.nix +++ b/nixpkgs/nixos/modules/config/pulseaudio.nix @@ -245,6 +245,9 @@ in { # Disable flat volumes to enable relative ones hardware.pulseaudio.daemon.config.flat-volumes = mkDefault "no"; + # Upstream defaults to speex-float-1 which results in audible artifacts + hardware.pulseaudio.daemon.config.resample-method = mkDefault "speex-float-5"; + # Allow PulseAudio to get realtime priority using rtkit. security.rtkit.enable = true; diff --git a/nixpkgs/nixos/modules/installer/netboot/netboot.nix b/nixpkgs/nixos/modules/installer/netboot/netboot.nix index 303d9fce3f9a..cdfba5ab9e31 100644 --- a/nixpkgs/nixos/modules/installer/netboot/netboot.nix +++ b/nixpkgs/nixos/modules/installer/netboot/netboot.nix @@ -65,8 +65,7 @@ with lib; [ config.system.build.toplevel ]; # Create the squashfs image that contains the Nix store. - system.build.squashfsStore = import ../../../lib/make-squashfs.nix { - inherit (pkgs) stdenv squashfsTools closureInfo; + system.build.squashfsStore = pkgs.callPackage ../../../lib/make-squashfs.nix { storeContents = config.netboot.storeContents; }; diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl b/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl index b7e5b99a9e01..0ccdac30d915 100644 --- a/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl 
@@ -258,6 +258,11 @@ foreach my $path (glob "/sys/class/{block,mmc_host}/*") { } } +# Add bcache module, if needed. +my @bcacheDevices = glob("/dev/bcache*"); +if (scalar @bcacheDevices > 0) { + push @initrdAvailableKernelModules, "bcache"; +} my $virt = `systemd-detect-virt`; chomp $virt; diff --git a/nixpkgs/nixos/modules/misc/nixops-autoluks.nix b/nixpkgs/nixos/modules/misc/nixops-autoluks.nix new file mode 100644 index 000000000000..2153c6f975ad --- /dev/null +++ b/nixpkgs/nixos/modules/misc/nixops-autoluks.nix 
@@ -0,0 +1,44 @@ +{ config, options, lib, ... }: +let + path = [ "deployment" "autoLuks" ]; + hasAutoLuksOption = lib.hasAttrByPath path options; + hasAutoLuksConfig = lib.hasAttrByPath path config && (lib.attrByPath path {} config) != {}; + + inherit (config.nixops) enableDeprecatedAutoLuks; +in { + options.nixops.enableDeprecatedAutoLuks = lib.mkEnableOption "Enable the deprecated NixOps AutoLuks module"; + + config = { + assertions = [ + { + assertion = if hasAutoLuksConfig then hasAutoLuksConfig && enableDeprecatedAutoLuks else true; + message = '' + ⚠️ !!! WARNING !!! ⚠️ + + NixOps autoLuks is deprecated. The feature was never widely used and the maintenance did outgrow the benefit. + If you still want to use the module: + a) Please raise your voice in the issue tracking usage of the module: + https://github.com/NixOS/nixpkgs/issues/62211 + b) make sure you set the `_netdev` option for each of the file + systems referring to block devices provided by the autoLuks module. + + ⚠️ If you do not set the option your system will not boot anymore! ⚠️ + + { + fileSystems."/secret" = { options = [ "_netdev" ]; }; + } + + b) set the option >nixops.enableDeprecatedAutoLuks = true< to remove this error. + + + For more details read through the following resources: + - https://github.com/NixOS/nixops/pull/1156 + - https://github.com/NixOS/nixpkgs/issues/47550 + - https://github.com/NixOS/nixpkgs/issues/62211 + - https://github.com/NixOS/nixpkgs/pull/61321 + ''; + } + ]; + }; + +} diff --git a/nixpkgs/nixos/modules/misc/version.nix b/nixpkgs/nixos/modules/misc/version.nix index c576cf4cb925..c9b374b6d7b1 100644 --- a/nixpkgs/nixos/modules/misc/version.nix +++ b/nixpkgs/nixos/modules/misc/version.nix 
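Review bot: The assertion in nixops-autoluks.nix, `if hasAutoLuksConfig then hasAutoLuksConfig && enableDeprecatedAutoLuks else true`, reduces to `hasAutoLuksConfig -> enableDeprecatedAutoLuks`, which reads as the rule it actually enforces. `hasAutoLuksOption` is bound in the `let` but never used; either drop it or use it to skip the check entirely when the `deployment.autoLuks` option is not declared. The user-facing message labels two steps `b)`; the last one (setting `nixops.enableDeprecatedAutoLuks`) should be `c)`, since everyone who hits the assertion reads this text.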
@@ -95,6 +95,7 @@ in PRETTY_NAME="NixOS ${cfg.version} (${cfg.codeName})" LOGO="nix-snowflake" HOME_URL="https://nixos.org/" + DOCUMENTATION_URL="https://nixos.org/nixos/manual/index.html" SUPPORT_URL="https://nixos.org/nixos/support.html" BUG_REPORT_URL="https://github.com/NixOS/nixpkgs/issues" ''; diff --git a/nixpkgs/nixos/modules/module-list.nix b/nixpkgs/nixos/modules/module-list.nix index 062f2bca8df1..12ecec62a226 100644 --- a/nixpkgs/nixos/modules/module-list.nix +++ b/nixpkgs/nixos/modules/module-list.nix @@ -84,6 +84,7 @@ ./misc/nixpkgs.nix ./misc/passthru.nix ./misc/version.nix + ./misc/nixops-autoluks.nix ./programs/adb.nix ./programs/atop.nix ./programs/autojump.nix @@ -91,6 +92,7 @@ ./programs/bcc.nix ./programs/blcr.nix ./programs/browserpass.nix + ./programs/captive-browser.nix ./programs/ccache.nix ./programs/cdemu.nix ./programs/chromium.nix @@ -327,6 +329,7 @@ ./services/hardware/tcsd.nix ./services/hardware/tlp.nix ./services/hardware/thinkfan.nix + ./services/hardware/throttled.nix ./services/hardware/trezord.nix ./services/hardware/triggerhappy.nix ./services/hardware/u2f.nix @@ -442,7 +445,6 @@ ./services/misc/packagekit.nix ./services/misc/paperless.nix ./services/misc/parsoid.nix - ./services/misc/phd.nix ./services/misc/plex.nix ./services/misc/tautulli.nix ./services/misc/pykms.nix diff --git a/nixpkgs/nixos/modules/programs/captive-browser.nix b/nixpkgs/nixos/modules/programs/captive-browser.nix new file mode 100644 index 000000000000..55d474e5c9db --- /dev/null +++ b/nixpkgs/nixos/modules/programs/captive-browser.nix 
@@ -0,0 +1,122 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.programs.captive-browser; +in +{ + ###### interface + + options = { + programs.captive-browser = { + enable = mkEnableOption "captive browser"; + + package = mkOption { + type = types.package; + default = pkgs.captive-browser; + defaultText = "pkgs.captive-browser"; + description = "Which package to use for captive-browser"; + }; + + interface = mkOption { + type = types.str; + description = "your public network interface (wlp3s0, wlan0, eth0, ...)"; + }; + + # the options below are the same as in "captive-browser.toml" + browser = mkOption { + type = types.str; + default = concatStringsSep " " [ ''${pkgs.chromium}/bin/chromium'' + ''--user-data-dir=$HOME/.chromium-captive'' + ''--proxy-server="socks5://$PROXY"'' + ''--host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"'' + ''--no-first-run'' + ''--new-window'' + ''--incognito'' + ''http://cache.nixos.org/'' + ]; + description = '' + The shell (/bin/sh) command executed once the proxy starts. + When browser exits, the proxy exits. An extra env var PROXY is available. + + Here, we use a separate Chrome instance in Incognito mode, so that + it can run (and be waited for) alongside the default one, and that + it maintains no state across runs. To configure this browser open a + normal window in it, settings will be preserved. + + @volth: chromium is to open a plain HTTP (not HTTPS nor redirect to HTTPS!) website. + upstream uses http://example.com but I have seen captive portals whose DNS server resolves "example.com" to 127.0.0.1 + ''; + }; + + dhcp-dns = mkOption { + type = types.str; + description = '' + The shell (/bin/sh) command executed to obtain the DHCP + DNS server address. The first match of an IPv4 regex is used. + IPv4 only, because let's be real, it's a captive portal. 
+ ''; + }; + + socks5-addr = mkOption { + type = types.str; + default = "localhost:1666"; + description = ''the listen address for the SOCKS5 proxy server''; + }; + + bindInterface = mkOption { + default = true; + type = types.bool; + description = '' + Binds <package>captive-browser</package> to the network interface declared in + <literal>cfg.interface</literal>. This can be used to avoid collisions + with private subnets. + ''; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + + programs.captive-browser.dhcp-dns = mkOptionDefault ( + if config.networking.networkmanager.enable then + "${pkgs.networkmanager}/bin/nmcli dev show ${escapeShellArg cfg.interface} | ${pkgs.gnugrep}/bin/fgrep IP4.DNS" + else if config.networking.dhcpcd.enable then + "${pkgs.dhcpcd}/bin/dhcpcd -U ${escapeShellArg cfg.interface} | ${pkgs.gnugrep}/bin/fgrep domain_name_servers" + else if config.networking.useNetworkd then + "${cfg.package}/bin/systemd-networkd-dns ${escapeShellArg cfg.interface}" + else + "${config.security.wrapperDir}/udhcpc --quit --now -f -i ${escapeShellArg cfg.interface} -O dns --script ${ + pkgs.writeScript "udhcp-script" '' + #!/bin/sh + if [ "$1" = bound ]; then + echo "$dns" + fi + ''}" + ); + + security.wrappers.udhcpc = { + capabilities = "cap_net_raw+p"; + source = "${pkgs.busybox}/bin/udhcpc"; + }; + + security.wrappers.captive-browser = { + capabilities = "cap_net_raw+p"; + source = pkgs.writeScript "captive-browser" '' + #!${pkgs.bash}/bin/bash + export XDG_CONFIG_HOME=${pkgs.writeTextDir "captive-browser.toml" '' + browser = """${cfg.browser}""" + dhcp-dns = """${cfg.dhcp-dns}""" + socks5-addr = """${cfg.socks5-addr}""" + ${optionalString cfg.bindInterface '' + bind-device = """${cfg.interface}""" + ''} + ''} + exec ${cfg.package}/bin/captive-browser + ''; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/databases/cassandra.nix b/nixpkgs/nixos/modules/services/databases/cassandra.nix index 688938868020..e2ea9fcda6b0 100644 
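Review bot: `security.wrappers.udhcpc` grants `cap_net_raw+p` to a udhcpc that every local user can run, and udhcpc's `--script` option names a program of the caller's choosing; as far as I understand the NixOS capability wrappers, the capability is passed on to whatever that program executes, so this widens the privileged surface beyond captive-browser itself. The wrapper is only referenced by the last branch of the `dhcp-dns` default (no NetworkManager, dhcpcd or networkd), so it could be limited to that case, e.g. `security.wrappers.udhcpc = mkIf (!config.networking.networkmanager.enable && !config.networking.dhcpcd.enable && !config.networking.useNetworkd) { ... };`, and/or restricted with the wrapper's `owner`/`group`/`permissions` attributes to the group expected to use captive-browser. The same consideration applies to the `captive-browser` wrapper, which hands CAP_NET_RAW to a bash script. The `enable` description should state that enabling the module installs these capability-bearing wrappers system-wide.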
--- a/nixpkgs/nixos/modules/services/databases/cassandra.nix +++ b/nixpkgs/nixos/modules/services/databases/cassandra.nix @@ -8,18 +8,21 @@ let cassandraConfig = flip recursiveUpdate cfg.extraConfig ({ commitlog_sync = "batch"; commitlog_sync_batch_window_in_ms = 2; + start_native_transport = cfg.allowClients; + cluster_name = cfg.clusterName; partitioner = "org.apache.cassandra.dht.Murmur3Partitioner"; endpoint_snitch = "SimpleSnitch"; - seed_provider = - [{ class_name = "org.apache.cassandra.locator.SimpleSeedProvider"; - parameters = [ { seeds = "127.0.0.1"; } ]; - }]; data_file_directories = [ "${cfg.homeDir}/data" ]; commitlog_directory = "${cfg.homeDir}/commitlog"; saved_caches_directory = "${cfg.homeDir}/saved_caches"; - } // (if builtins.compareVersions cfg.package.version "3" >= 0 - then { hints_directory = "${cfg.homeDir}/hints"; } - else {}) + } // (lib.optionalAttrs (cfg.seedAddresses != []) { + seed_provider = [{ + class_name = "org.apache.cassandra.locator.SimpleSeedProvider"; + parameters = [ { seeds = concatStringsSep "," cfg.seedAddresses; } ]; + }]; + }) // (lib.optionalAttrs (lib.versionAtLeast cfg.package.version "3") { + hints_directory = "${cfg.homeDir}/hints"; + }) ); cassandraConfigWithAddresses = cassandraConfig // ( if cfg.listenAddress == null 
@@ -39,15 +42,42 @@ let mkdir -p "$out" echo "$cassandraYaml" > "$out/cassandra.yaml" - ln -s "$cassandraEnvPkg" "$out/cassandra-env.sh" ln -s "$cassandraLogbackConfig" "$out/logback.xml" + + cp "$cassandraEnvPkg" "$out/cassandra-env.sh" + + # Delete default JMX Port, otherwise we can't set it using env variable + sed -i '/JMX_PORT="7199"/d' "$out/cassandra-env.sh" + + # Delete default password file + sed -i '/-Dcom.sun.management.jmxremote.password.file=\/etc\/cassandra\/jmxremote.password/d' "$out/cassandra-env.sh" ''; }; + defaultJmxRolesFile = builtins.foldl' + (left: right: left + right) "" + (map (role: "${role.username} ${role.password}") cfg.jmxRoles); + fullJvmOptions = cfg.jvmOpts + ++ lib.optionals (cfg.jmxRoles != []) [ + "-Dcom.sun.management.jmxremote.authenticate=true" + "-Dcom.sun.management.jmxremote.password.file=${cfg.jmxRolesFile}" + ] + ++ lib.optionals cfg.remoteJmx [ + "-Djava.rmi.server.hostname=${cfg.rpcAddress}" + ]; in { options.services.cassandra = { enable = mkEnableOption '' Apache Cassandra – Scalable and highly available database. ''; + clusterName = mkOption { + type = types.str; + default = "NixOS Test Cluster"; + description = '' + The name of the cluster. + This setting prevents nodes in one logical cluster from joining + another. All nodes in a cluster must have the same value. + ''; + }; user = mkOption { type = types.str; default = defaultUser; 
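Review bot: `defaultJmxRolesFile` folds the `"${role.username} ${role.password}"` entries together with no separator, so with more than one role the generated file holds them all on one line, which is not the one-`role password`-per-line format a JMX password file needs; `concatMapStringsSep "\n" (role: "${role.username} ${role.password}") cfg.jmxRoles` (plus a trailing newline) does what the fold intends. In `fullJvmOptions`, `-Djava.rmi.server.hostname=${cfg.rpcAddress}` is interpolated whenever `remoteJmx` is set, but the assertions later in this file allow `rpcAddress = null` with `rpcInterface` set instead, and interpolating null is an evaluation error; guard it with `lib.optionals (cfg.remoteJmx && cfg.rpcAddress != null)` or resolve the address from the interface. The two `sed -i '/.../d'` lines silently do nothing if the package's cassandra-env.sh no longer contains those exact strings; a `grep -q` before each delete would turn drift in the package into a build failure rather than a JVM that still hard-codes port 7199 and the old password-file path.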
@@ -162,6 +192,28 @@ in { XML logback configuration for cassandra ''; }; + seedAddresses = mkOption { + type = types.listOf types.str; + default = [ "127.0.0.1" ]; + description = '' + The addresses of hosts designated as contact points in the cluster. A + joining node contacts one of the nodes in the seeds list to learn the + topology of the ring. + Set to 127.0.0.1 for a single node cluster. + ''; + }; + allowClients = mkOption { + type = types.bool; + default = true; + description = '' + Enables or disables the native transport server (CQL binary protocol). + This server uses the same address as the <literal>rpcAddress</literal>, + but the port it uses is not <literal>rpc_port</literal> but + <literal>native_transport_port</literal>. See the official Cassandra + docs for more information on these variables and set them using + <literal>extraConfig</literal>. + ''; + }; extraConfig = mkOption { type = types.attrs; default = {}; @@ -178,11 +230,11 @@ in { example = literalExample "null"; description = '' Set the interval how often full repairs are run, i.e. - `nodetool repair --full` is executed. See + <literal>nodetool repair --full</literal> is executed. See https://cassandra.apache.org/doc/latest/operating/repair.html for more information. - Set to `null` to disable full repairs. + Set to <literal>null</literal> to disable full repairs. ''; }; fullRepairOptions = mkOption { @@ -199,11 +251,11 @@ in { example = literalExample "null"; description = '' Set the interval how often incremental repairs are run, i.e. - `nodetool repair` is executed. See + <literal>nodetool repair</literal> is executed. See https://cassandra.apache.org/doc/latest/operating/repair.html for more information. - Set to `null` to disable incremental repairs. + Set to <literal>null</literal> to disable incremental repairs. ''; }; incrementalRepairOptions = mkOption { 
@@ -214,20 +266,135 @@ in { Options passed through to the incremental repair command. ''; }; + maxHeapSize = mkOption { + type = types.nullOr types.string; + default = null; + example = "4G"; + description = '' + Must be left blank or set together with heapNewSize. + If left blank a sensible value for the available amount of RAM and CPU + cores is calculated. + + Override to set the amount of memory to allocate to the JVM at + start-up. For production use you may wish to adjust this for your + environment. MAX_HEAP_SIZE is the total amount of memory dedicated + to the Java heap. HEAP_NEWSIZE refers to the size of the young + generation. + + The main trade-off for the young generation is that the larger it + is, the longer GC pause times will be. The shorter it is, the more + expensive GC will be (usually). + ''; + }; + heapNewSize = mkOption { + type = types.nullOr types.string; + default = null; + example = "800M"; + description = '' + Must be left blank or set together with heapNewSize. + If left blank a sensible value for the available amount of RAM and CPU + cores is calculated. + + Override to set the amount of memory to allocate to the JVM at + start-up. For production use you may wish to adjust this for your + environment. HEAP_NEWSIZE refers to the size of the young + generation. + + The main trade-off for the young generation is that the larger it + is, the longer GC pause times will be. The shorter it is, the more + expensive GC will be (usually). + + The example HEAP_NEWSIZE assumes a modern 8-core+ machine for decent pause + times. If in doubt, and if you do not particularly want to tweak, go with + 100 MB per physical CPU core. + ''; + }; + mallocArenaMax = mkOption { + type = types.nullOr types.int; + default = null; + example = 4; + description = '' + Set this to control the amount of arenas per-thread in glibc. 
+ ''; + }; + remoteJmx = mkOption { + type = types.bool; + default = false; + description = '' + Cassandra ships with JMX accessible *only* from localhost. + To enable remote JMX connections set to true. + + Be sure to also enable authentication and/or TLS. + See: https://wiki.apache.org/cassandra/JmxSecurity + ''; + }; + jmxPort = mkOption { + type = types.int; + default = 7199; + description = '' + Specifies the default port over which Cassandra will be available for + JMX connections. + For security reasons, you should not expose this port to the internet. + Firewall it if needed. + ''; + }; + jmxRoles = mkOption { + default = []; + description = '' + Roles that are allowed to access the JMX (e.g. nodetool) + BEWARE: The passwords will be stored world readable in the nix-store. + It's recommended to use your own protected file using + <literal>jmxRolesFile</literal> + + Doesn't work in versions older than 3.11 because they don't like that + it's world readable. + ''; + type = types.listOf (types.submodule { + options = { + username = mkOption { + type = types.string; + description = "Username for JMX"; + }; + password = mkOption { + type = types.string; + description = "Password for JMX"; + }; + }; + }); + }; + jmxRolesFile = mkOption { + type = types.nullOr types.path; + default = if (lib.versionAtLeast cfg.package.version "3.11") + then pkgs.writeText "jmx-roles-file" defaultJmxRolesFile + else null; + example = "/var/lib/cassandra/jmx.password"; + description = '' + Specify your own jmx roles file. + + Make sure the permissions forbid "others" from reading the file if + you're using Cassandra below version 3.11. 
+ ''; + }; }; config = mkIf cfg.enable { assertions = - [ { assertion = - (cfg.listenAddress == null || cfg.listenInterface == null) - && !(cfg.listenAddress == null && cfg.listenInterface == null); + [ { assertion = (cfg.listenAddress == null) != (cfg.listenInterface == null); message = "You have to set either listenAddress or listenInterface"; } - { assertion = - (cfg.rpcAddress == null || cfg.rpcInterface == null) - && !(cfg.rpcAddress == null && cfg.rpcInterface == null); + { assertion = (cfg.rpcAddress == null) != (cfg.rpcInterface == null); message = "You have to set either rpcAddress or rpcInterface"; } + { assertion = (cfg.maxHeapSize == null) == (cfg.heapNewSize == null); + message = "If you set either of maxHeapSize or heapNewSize you have to set both"; + } + { assertion = cfg.remoteJmx -> cfg.jmxRolesFile != null; + message = '' + If you want JMX available remotely you need to set a password using + <literal>jmxRoles</literal> or <literal>jmxRolesFile</literal> if + using Cassandra older than v3.11. + ''; + } ]; users = mkIf (cfg.user == defaultUser) { extraUsers."${defaultUser}" = @@ -245,7 +412,12 @@ in { after = [ "network.target" ]; environment = { CASSANDRA_CONF = "${cassandraEtc}"; - JVM_OPTS = builtins.concatStringsSep " " cfg.jvmOpts; + JVM_OPTS = builtins.concatStringsSep " " fullJvmOptions; + MAX_HEAP_SIZE = toString cfg.maxHeapSize; + HEAP_NEWSIZE = toString cfg.heapNewSize; + MALLOC_ARENA_MAX = toString cfg.mallocArenaMax; + LOCAL_JMX = if cfg.remoteJmx then "no" else "yes"; + JMX_PORT = toString cfg.jmxPort; }; wantedBy = [ "multi-user.target" ]; serviceConfig = diff --git a/nixpkgs/nixos/modules/services/desktops/deepin/deepin.nix b/nixpkgs/nixos/modules/services/desktops/deepin/deepin.nix index 7ec326e599e5..d9d5d539e422 100644 --- a/nixpkgs/nixos/modules/services/desktops/deepin/deepin.nix +++ b/nixpkgs/nixos/modules/services/desktops/deepin/deepin.nix 
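Review bot: The assertion `cfg.remoteJmx -> cfg.jmxRolesFile != null` does not enforce what its message says: on Cassandra 3.11 and later `jmxRolesFile` defaults to a `writeText` file even when `jmxRoles == []`, so `remoteJmx = true` with no roles passes the check, while `fullJvmOptions` (in the hunk starting at `@@ -39`) only adds `jmxremote.authenticate=true` and `jmxremote.password.file` when `jmxRoles != []`, and a user-supplied `jmxRolesFile` with an empty `jmxRoles` is never passed to the JVM at all. Whether the resulting remote JMX listener ends up unauthenticated or the JVM refuses to start depends on the defaults in cassandra-env.sh, which this change only partially rewrites with `sed`. Defaulting the file to null when there are no roles and keying the flags on the file rather than the list closes both gaps: `default = if cfg.jmxRoles != [] && lib.versionAtLeast cfg.package.version "3.11" then pkgs.writeText "jmx-roles-file" defaultJmxRolesFile else null;` together with `++ lib.optionals (cfg.jmxRolesFile != null) [ ... ]`. The new options also use `types.string` where the rest of the file uses `types.str`, and the `heapNewSize` description says "set together with heapNewSize" where it means `maxHeapSize`.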
@@ -35,6 +35,7 @@ pkgs.deepin.dde-calendar pkgs.deepin.dde-daemon pkgs.deepin.dde-dock + pkgs.deepin.dde-file-manager pkgs.deepin.dde-session-ui pkgs.deepin.deepin-anything pkgs.deepin.deepin-image-viewer @@ -46,6 +47,7 @@ pkgs.deepin.dde-calendar pkgs.deepin.dde-daemon pkgs.deepin.dde-dock + pkgs.deepin.dde-file-manager pkgs.deepin.dde-session-ui pkgs.deepin.deepin-anything pkgs.deepin.deepin-image-viewer @@ -55,6 +57,7 @@ systemd.packages = [ pkgs.deepin.dde-api pkgs.deepin.dde-daemon + pkgs.deepin.dde-file-manager pkgs.deepin.deepin-anything ]; diff --git a/nixpkgs/nixos/modules/services/hardware/80-net-setup-link.rules b/nixpkgs/nixos/modules/services/hardware/80-net-setup-link.rules deleted file mode 100644 index 18547f170a3f..000000000000 --- a/nixpkgs/nixos/modules/services/hardware/80-net-setup-link.rules +++ /dev/null @@ -1,13 +0,0 @@ -# Copied from systemd 203. -ACTION=="remove", GOTO="net_name_slot_end" -SUBSYSTEM!="net", GOTO="net_name_slot_end" -NAME!="", GOTO="net_name_slot_end" - -IMPORT{cmdline}="net.ifnames" -ENV{net.ifnames}=="0", GOTO="net_name_slot_end" - -NAME=="", ENV{ID_NET_NAME_ONBOARD}!="", NAME="$env{ID_NET_NAME_ONBOARD}" -NAME=="", ENV{ID_NET_NAME_SLOT}!="", NAME="$env{ID_NET_NAME_SLOT}" -NAME=="", ENV{ID_NET_NAME_PATH}!="", NAME="$env{ID_NET_NAME_PATH}" - -LABEL="net_name_slot_end" diff --git a/nixpkgs/nixos/modules/services/hardware/throttled.nix b/nixpkgs/nixos/modules/services/hardware/throttled.nix new file mode 100644 index 000000000000..cd5b01450e44 --- /dev/null +++ b/nixpkgs/nixos/modules/services/hardware/throttled.nix 
@@ -0,0 +1,21 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.throttled; +in { + options = { + services.throttled = { + enable = mkEnableOption "fix for Intel CPU throttling"; + }; + }; + + config = mkIf cfg.enable { + systemd.packages = [ pkgs.throttled ]; + # The upstream package has this in Install, but that's not enough, see the NixOS manual + systemd.services."lenovo_fix".wantedBy = [ "multi-user.target" ]; + + environment.etc."lenovo_fix.conf".source = "${pkgs.throttled}/etc/lenovo_fix.conf"; + }; +} diff --git a/nixpkgs/nixos/modules/services/hardware/udev.nix b/nixpkgs/nixos/modules/services/hardware/udev.nix index 0266286aaacf..cb2f1e6621ae 100644 --- a/nixpkgs/nixos/modules/services/hardware/udev.nix +++ b/nixpkgs/nixos/modules/services/hardware/udev.nix @@ -116,10 +116,6 @@ let exit 1 fi - ${optionalString config.networking.usePredictableInterfaceNames '' - cp ${./80-net-setup-link.rules} $out/80-net-setup-link.rules - ''} - # If auto-configuration is disabled, then remove # udev's 80-drivers.rules file, which contains rules for # automatically calling modprobe. @@ -282,6 +278,8 @@ in services.udev.path = [ pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.utillinux udev ]; + boot.kernelParams = mkIf (!config.networking.usePredictableInterfaceNames) [ "net.ifnames=0" ]; + environment.etc = [ { source = udevRules; target = "udev/rules.d"; diff --git a/nixpkgs/nixos/modules/services/misc/gitea.nix b/nixpkgs/nixos/modules/services/misc/gitea.nix index 6fd4183bd6b4..7daa2dd0d4cc 100644 --- a/nixpkgs/nixos/modules/services/misc/gitea.nix +++ b/nixpkgs/nixos/modules/services/misc/gitea.nix 
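Review bot: throttled.nix pins `/etc/lenovo_fix.conf` to the file shipped in `pkgs.throttled` and offers no way to change it, so anyone who needs different settings has to override `environment.etc."lenovo_fix.conf"` by hand; a `configFile` option defaulting to the package file (`environment.etc."lenovo_fix.conf".source = cfg.configFile;`) would keep the module usable without that. The `enable` description, "fix for Intel CPU throttling", could also say what the `lenovo_fix` service changes on the machine, since that is what a reader deciding whether to enable a hardware-tuning daemon wants to know.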
@@ -159,7 +159,8 @@ in socket = mkOption { type = types.nullOr types.path; - default = null; + default = if (cfg.database.createDatabase && usePostgresql) then "/run/postgresql" else if (cfg.database.createDatabase && useMysql) then "/run/mysqld/mysqld.sock" else null; + defaultText = "null"; example = "/run/mysqld/mysqld.sock"; description = "Path to the unix socket file to use for authentication."; }; @@ -173,10 +174,7 @@ in createDatabase = mkOption { type = types.bool; default = true; - description = '' - Whether to create a local postgresql database automatically. - This only applies if database type "postgres" is selected. - ''; + description = "Whether to create a local database automatically."; }; }; 
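Review bot: `defaultText = "null"` on `database.socket` no longer matches the default on the line above it, which is `/run/postgresql` or `/run/mysqld/mysqld.sock` whenever `database.createDatabase` selects a local database; the manual will therefore document a default the module does not use. Something like `defaultText = "null, or the local PostgreSQL/MySQL socket when database.createDatabase is set";` keeps the docs honest. The `description` could also mention that with a socket path and `createDatabase` the connection presumably relies on Unix-socket peer authentication, which is why the new `database.user == services.gitea.user` assertion exists.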
@@ -277,7 +275,46 @@ in }; config = mkIf cfg.enable { - services.postgresql.enable = mkIf usePostgresql (mkDefault true); + assertions = [ + { assertion = cfg.database.createDatabase -> cfg.database.user == cfg.user; + message = "services.gitea.database.user must match services.gitea.user if the database is to be automatically provisioned"; + } + ]; + + services.postgresql = optionalAttrs (usePostgresql && cfg.database.createDatabase) { + enable = mkDefault true; + + ensureDatabases = [ cfg.database.name ]; + ensureUsers = [ + { name = cfg.database.user; + ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; }; + } + ]; + }; + + services.mysql = optionalAttrs (useMysql && cfg.database.createDatabase) { + enable = mkDefault true; + package = mkDefault pkgs.mariadb; + + ensureDatabases = [ cfg.database.name ]; + ensureUsers = [ + { name = cfg.database.user; + ensurePermissions = { "${cfg.database.name}.*" = "ALL PRIVILEGES"; }; + } + ]; + }; + + systemd.tmpfiles.rules = [ + "d '${cfg.stateDir}' - ${cfg.user} gitea - -" + "d '${cfg.stateDir}/conf' - ${cfg.user} gitea - -" + "d '${cfg.stateDir}/custom/conf' - ${cfg.user} gitea - -" + "d '${cfg.repositoryRoot}' - ${cfg.user} gitea - -" + "Z '${cfg.stateDir}' - ${cfg.user} gitea - -" + + # If we have a folder or symlink with gitea locales, remove it + # And symlink the current gitea locales in place + "L+ '${cfg.stateDir}/conf/locale' - - - - ${gitea.out}/locale" + ]; systemd.services.gitea = { description = "gitea"; @@ -289,12 +326,8 @@ in runConfig = "${cfg.stateDir}/custom/conf/app.ini"; secretKey = "${cfg.stateDir}/custom/conf/secret_key"; in '' - # Make sure that the stateDir exists, as well as the conf dir in there - mkdir -p ${cfg.stateDir}/conf - # copy custom configuration and generate a random secret key if needed ${optionalString (cfg.useWizard == false) '' - mkdir -p ${cfg.stateDir}/custom/conf cp -f ${configFile} ${runConfig} if [ ! -e ${secretKey} ]; then 
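Review bot: The `ensurePermissions` keys `"DATABASE ${cfg.database.name}"` and `"${cfg.database.name}.*"` feed `database.name` into the privilege statements the PostgreSQL and MySQL modules generate; if those modules splice the key in unquoted, as I believe they do, a name containing characters outside `[A-Za-z0-9_]` would at best fail evaluation of the grant and at worst change its scope. An assertion beside the new one, e.g. `{ assertion = cfg.database.createDatabase -> builtins.match "[A-Za-z0-9_]+" cfg.database.name != null; message = "services.gitea.database.name must be a plain identifier when the database is provisioned automatically"; }`, would make the failure explicit. The `Z` tmpfiles rule recursively re-owns `cfg.stateDir` on every boot, which walks every repository whenever `repositoryRoot` lives under it; consider whether non-recursive `z` on the directories listed above it is enough.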
@@ -309,7 +342,6 @@ in chmod 640 ${runConfig} ${secretKey} ''} - mkdir -p ${cfg.repositoryRoot} # update all hooks' binary paths HOOKS=$(find ${cfg.repositoryRoot} -mindepth 4 -maxdepth 6 -type f -wholename "*git/hooks/*") if [ "$HOOKS" ] @@ -319,43 +351,19 @@ in sed -ri 's,/nix/store/[a-z0-9.-]+/bin/bash,${pkgs.bash}/bin/bash,g' $HOOKS sed -ri 's,/nix/store/[a-z0-9.-]+/bin/perl,${pkgs.perl}/bin/perl,g' $HOOKS fi - # If we have a folder or symlink with gitea locales, remove it - if [ -e ${cfg.stateDir}/conf/locale ] - then - rm -r ${cfg.stateDir}/conf/locale - fi - # And symlink the current gitea locales in place - ln -s ${gitea.out}/locale ${cfg.stateDir}/conf/locale + # update command option in authorized_keys if [ -r ${cfg.stateDir}/.ssh/authorized_keys ] then sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gitea,${gitea.bin}/bin/gitea,g' ${cfg.stateDir}/.ssh/authorized_keys fi - '' + optionalString (usePostgresql && cfg.database.createDatabase) '' - if ! test -e "${cfg.stateDir}/db-created"; then - echo "CREATE ROLE ${cfg.database.user} - WITH ENCRYPTED PASSWORD '$(head -n1 ${cfg.database.passwordFile})' - NOCREATEDB NOCREATEROLE LOGIN" | - ${pkgs.sudo}/bin/sudo -u ${pg.superUser} ${pg.package}/bin/psql - ${pkgs.sudo}/bin/sudo -u ${pg.superUser} \ - ${pg.package}/bin/createdb \ - --owner=${cfg.database.user} \ - --encoding=UTF8 \ - --lc-collate=C \ - --lc-ctype=C \ - --template=template0 \ - ${cfg.database.name} - touch "${cfg.stateDir}/db-created" - fi - '' + '' - chown ${cfg.user} -R ${cfg.stateDir} ''; serviceConfig = { Type = "simple"; User = cfg.user; + Group = "gitea"; WorkingDirectory = cfg.stateDir; - PermissionsStartOnly = true; ExecStart = "${gitea.bin}/bin/gitea web"; Restart = "always"; }; 
@@ -367,15 +375,17 @@ in }; }; - users = mkIf (cfg.user == "gitea") { - users.gitea = { + users.users = mkIf (cfg.user == "gitea") { + gitea = { description = "Gitea Service"; home = cfg.stateDir; - createHome = true; useDefaultShell = true; + group = "gitea"; }; }; + users.groups.gitea = {}; + warnings = optional (cfg.database.password != "") ''config.services.gitea.database.password will be stored as plaintext in the Nix store. Use database.passwordFile instead.''; diff --git a/nixpkgs/nixos/modules/services/misc/phd.nix b/nixpkgs/nixos/modules/services/misc/phd.nix deleted file mode 100644 index e605ce5de16e..000000000000 --- a/nixpkgs/nixos/modules/services/misc/phd.nix +++ /dev/null @@ -1,52 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - cfg = config.services.phd; - -in - -{ - - ###### interface - - options = { - - services.phd = { - - enable = mkOption { - default = false; - description = " - Enable daemons for phabricator. - "; - }; - - }; - - }; - - ###### implementation - - config = mkIf cfg.enable { - - systemd.services.phd = { - path = [ pkgs.phabricator pkgs.php pkgs.mercurial pkgs.git pkgs.subversion ]; - - after = [ "httpd.service" ]; - wantedBy = [ "multi-user.target" ]; - - serviceConfig = { - ExecStart = "${pkgs.phabricator}/phabricator/bin/phd start"; - ExecStop = "${pkgs.phabricator}/phabricator/bin/phd stop"; - User = "wwwrun"; - RestartSec = "30s"; - Restart = "always"; - StartLimitInterval = "1m"; - }; - }; - - }; - -} diff --git a/nixpkgs/nixos/modules/services/networking/bind.nix b/nixpkgs/nixos/modules/services/networking/bind.nix index 98486cefd528..7f89cff22329 100644 --- a/nixpkgs/nixos/modules/services/networking/bind.nix +++ b/nixpkgs/nixos/modules/services/networking/bind.nix 
@@ -184,7 +184,7 @@ in preStart = '' mkdir -m 0755 -p /etc/bind if ! [ -f "/etc/bind/rndc.key" ]; then - ${pkgs.bind.out}/sbin/rndc-confgen -r /dev/urandom -c /etc/bind/rndc.key -u ${bindUser} -a -A hmac-sha256 2>/dev/null + ${pkgs.bind.out}/sbin/rndc-confgen -c /etc/bind/rndc.key -u ${bindUser} -a -A hmac-sha256 2>/dev/null fi ${pkgs.coreutils}/bin/mkdir -p /run/named diff --git a/nixpkgs/nixos/modules/services/networking/openvpn.nix b/nixpkgs/nixos/modules/services/networking/openvpn.nix index b94b4026fd91..f47122ee70bf 100644 --- a/nixpkgs/nixos/modules/services/networking/openvpn.nix +++ b/nixpkgs/nixos/modules/services/networking/openvpn.nix @@ -85,7 +85,7 @@ in { server = { config = ''' - # Simplest server configuration: http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html. + # Simplest server configuration: https://community.openvpn.net/openvpn/wiki/StaticKeyMiniHowto # server : dev tun ifconfig 10.8.0.1 10.8.0.2 diff --git a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix index 89f56a726f46..0f9d2420903b 100644 --- a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix @@ -4,7 +4,15 @@ with lib; let - sshconf = pkgs.runCommand "sshd.conf-validated" { nativeBuildInputs = [ cfgc.package ]; } '' + # The splicing information needed for nativeBuildInputs isn't available + # on the derivations likely to be used as `cfgc.package`. + # This middle-ground solution ensures *an* sshd can do their basic validation + # on the configuration. + validationPackage = if pkgs.stdenv.buildPlatform == pkgs.stdenv.hostPlatform + then [ cfgc.package ] + else [ pkgs.buildPackages.openssh ]; + + sshconf = pkgs.runCommand "sshd.conf-validated" { nativeBuildInputs = [ validationPackage ]; } '' cat >$out <<EOL ${cfg.extraConfig} EOL 
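Review bot: `validationPackage` is already a list on both branches of the new `if`, so `nativeBuildInputs = [ validationPackage ]` nests a list inside a list; Nix flattens `nativeBuildInputs`, so it works, but one pair of brackets should go: `validationPackage = if pkgs.stdenv.buildPlatform == pkgs.stdenv.hostPlatform then cfgc.package else pkgs.buildPackages.openssh;`. The new comment should also state the security-relevant consequence rather than just the mechanism: when cross-compiling, `buildPackages.openssh` can be a different version from `cfgc.package`, so a config that passes here may still be rejected by the sshd that actually runs, or vice versa. Suggested wording: `# When cross-compiling the validating sshd may differ in version from cfgc.package; treat this as a syntax sanity check, not proof that the running sshd accepts the config.` The `runCommand` body continues past the end of this hunk.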
diff --git a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/phabricator.nix b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/phabricator.nix deleted file mode 100644 index efd4a7b5f0fb..000000000000 --- a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/phabricator.nix +++ /dev/null @@ -1,50 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - phabricatorRoot = pkgs.phabricator; -in { - - enablePHP = true; - extraApacheModules = [ "mod_rewrite" ]; - DocumentRoot = "${phabricatorRoot}/phabricator/webroot"; - - options = { - git = mkOption { - default = true; - description = "Enable git repositories."; - }; - mercurial = mkOption { - default = true; - description = "Enable mercurial repositories."; - }; - subversion = mkOption { - default = true; - description = "Enable subversion repositories."; - }; - }; - - extraConfig = '' - DocumentRoot ${phabricatorRoot}/phabricator/webroot - - RewriteEngine on - RewriteRule ^/rsrc/(.*) - [L,QSA] - RewriteRule ^/favicon.ico - [L,QSA] - RewriteRule ^(.*)$ /index.php?__path__=$1 [B,L,QSA] - ''; - - extraServerPath = [ - "${pkgs.which}" - "${pkgs.diffutils}" - ] ++ - (if config.mercurial then ["${pkgs.mercurial}"] else []) ++ - (if config.subversion then ["${pkgs.subversion.out}"] else []) ++ - (if config.git then ["${pkgs.git}"] else []); - - startupScript = pkgs.writeScript "activatePhabricator" '' - mkdir -p /var/repo - chown wwwrun /var/repo - ''; - -} diff --git a/nixpkgs/nixos/modules/services/web-servers/lighttpd/cgit.nix b/nixpkgs/nixos/modules/services/web-servers/lighttpd/cgit.nix index e6a054c296dc..4ec4a5a3359e 100644 --- a/nixpkgs/nixos/modules/services/web-servers/lighttpd/cgit.nix +++ b/nixpkgs/nixos/modules/services/web-servers/lighttpd/cgit.nix 
@@ -44,6 +44,8 @@ in example = '' cache-size=1000 scan-path=/srv/git + source-filter=''${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py + about-filter=''${pkgs.cgit}/lib/cgit/filters/about-formatting.sh ''; type = types.lines; description = '' diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix index 4da146940648..527e4b18045b 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -34,7 +34,7 @@ in pkgs.gtk2 # To get GTK+'s themes. pkgs.tango-icon-theme - pkgs.gnome2.gnomeicontheme + pkgs.gnome2.gnome_icon_theme pkgs.xorg.xcursorthemes ]; diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix index 9a0f77a856a7..41903b33fae9 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix @@ -195,7 +195,7 @@ in ]); fonts.fonts = with pkgs; [ - opensans-ttf + open-sans roboto-mono pantheon.elementary-redacted-script # needed by screenshot-tool ]; diff --git a/nixpkgs/nixos/modules/system/boot/luksroot.nix b/nixpkgs/nixos/modules/system/boot/luksroot.nix index 9dcb683eff43..b5c8d5241a3d 100644 --- a/nixpkgs/nixos/modules/system/boot/luksroot.nix +++ b/nixpkgs/nixos/modules/system/boot/luksroot.nix @@ -438,6 +438,7 @@ in default = [ "aes" "aes_generic" "blowfish" "twofish" "serpent" "cbc" "xts" "lrw" "sha1" "sha256" "sha512" + "af_alg" "algif_skcipher" (if pkgs.stdenv.hostPlatform.system == "x86_64-linux" then "aes_x86_64" else "aes_i586") ]; diff --git a/nixpkgs/nixos/modules/system/boot/networkd.nix b/nixpkgs/nixos/modules/system/boot/networkd.nix index 63a6f7fbe099..f1aa9064bef4 100644 --- a/nixpkgs/nixos/modules/system/boot/networkd.nix 
+++ b/nixpkgs/nixos/modules/system/boot/networkd.nix @@ -203,7 +203,7 @@ let checkRoute = checkUnitConfig "Route" [ (assertOnlyFields [ - "Gateway" "GatewayOnlink" "Destination" "Source" "Metric" + "Gateway" "GatewayOnLink" "Destination" "Source" "Metric" "IPv6Preference" "Scope" "PreferredSource" "Table" "Protocol" "Type" "InitialCongestionWindow" "InitialAdvertisedReceiveWindow" "QuickAck" "MTUBytes" @@ -669,7 +669,7 @@ let }; }; - commonMatchText = def: '' + commonMatchText = def: optionalString (def.matchConfig != {}) '' [Match] ${attrsToSection def.matchConfig} ''; diff --git a/nixpkgs/nixos/modules/system/boot/systemd.nix b/nixpkgs/nixos/modules/system/boot/systemd.nix index 18ee2ef1b8f5..cf35504e5182 100644 --- a/nixpkgs/nixos/modules/system/boot/systemd.nix +++ b/nixpkgs/nixos/modules/system/boot/systemd.nix @@ -186,6 +186,9 @@ let "sockets.target" "sound.target" "systemd-exit.service" + "systemd-tmpfiles-clean.service" + "systemd-tmpfiles-clean.timer" + "systemd-tmpfiles-setup.service" "timers.target" ]; @@ -940,7 +943,6 @@ in # Don't bother with certain units in containers. systemd.services.systemd-remount-fs.unitConfig.ConditionVirtualization = "!container"; systemd.services.systemd-random-seed.unitConfig.ConditionVirtualization = "!container"; - }; # FIXME: Remove these eventually. @@ -949,5 +951,4 @@ in (mkRenamedOptionModule [ "boot" "systemd" "targets" ] [ "systemd" "targets" ]) (mkRenamedOptionModule [ "boot" "systemd" "services" ] [ "systemd" "services" ]) ]; - } diff --git a/nixpkgs/nixos/modules/system/boot/timesyncd.nix b/nixpkgs/nixos/modules/system/boot/timesyncd.nix index 8d8bfe5900a9..8282cdd6f3aa 100644 --- a/nixpkgs/nixos/modules/system/boot/timesyncd.nix +++ b/nixpkgs/nixos/modules/system/boot/timesyncd.nix 
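Review bot: Skipping the `[Match]` header when `matchConfig` is empty changes the generated text but not what networkd does with it: as I read systemd.network(5), a unit without match criteria matches every interface (networkd logs a warning and suggests `Name=*` for the explicit form), so an empty `matchConfig` still applies the unit's addresses, routes or DHCP settings to all links. That is easy to trip over from the NixOS side, so the new `optionalString` deserves a comment, e.g. `# No [Match] section and an empty one behave alike: the unit applies to every interface. Only the header is dropped here; matching semantics are unchanged.`, or an assertion that `matchConfig != {}` for units that carry network configuration. I could not see from this hunk which unit types `commonMatchText` is used for.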
@@ -40,6 +40,15 @@ with lib; users.users.systemd-timesync.uid = config.ids.uids.systemd-timesync; users.groups.systemd-timesync.gid = config.ids.gids.systemd-timesync; + system.activationScripts.systemd-timesyncd-migration = mkIf (versionOlder config.system.stateVersion "19.09") '' + # workaround an issue of systemd-timesyncd not starting due to upstream systemd reverting their dynamic users changes + # - https://github.com/NixOS/nixpkgs/pull/61321#issuecomment-492423742 + # - https://github.com/systemd/systemd/issues/12131 + if [ -L /var/lib/systemd/timesync ]; then + rm /var/lib/systemd/timesync + mv /var/lib/private/systemd/timesync /var/lib/systemd/timesync + fi + ''; }; } diff --git a/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix b/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix index 2318bdd1d582..857aaf1e6e30 100644 --- a/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix @@ -12,7 +12,7 @@ let i.ipv4.addresses ++ optionals cfg.enableIPv6 i.ipv6.addresses; - dhcpStr = useDHCP: if useDHCP == true || useDHCP == null then "both" else "none"; + dhcpStr = useDHCP: if useDHCP == true || useDHCP == null then "both" else "no"; slaves = concatLists (map (bond: bond.interfaces) (attrValues cfg.bonds)) @@ -59,7 +59,14 @@ in in { DHCP = override (dhcpStr cfg.useDHCP); } // optionalAttrs (gateway != [ ]) { - gateway = override gateway; + routes = override [ + { + routeConfig = { + Gateway = gateway; + GatewayOnLink = false; + }; + } + ]; } // optionalAttrs (domains != [ ]) { domains = override domains; }; diff --git a/nixpkgs/nixos/modules/testing/test-instrumentation.nix b/nixpkgs/nixos/modules/testing/test-instrumentation.nix index ed4cfa7805e2..1a11d9ce7c26 100644 --- a/nixpkgs/nixos/modules/testing/test-instrumentation.nix +++ b/nixpkgs/nixos/modules/testing/test-instrumentation.nix 
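Review bot: The migration removes the `/var/lib/systemd/timesync` symlink before confirming that the directory it intends to move exists, so a dangling link (say, after `/var/lib/private` was cleaned) leaves activation with a failed `mv` and no state directory at all; guard both ends with `if [ -L /var/lib/systemd/timesync ] && [ -d /var/lib/private/systemd/timesync ]; then`. The comment should also name the layout it undoes — the `DynamicUser` era kept the state under `/var/lib/private` with a symlink in place — since anyone reading this later will wonder why a symlink is expected there. The `-L` test makes the script idempotent once the move has happened, which the new regression test relies on.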
@@ -129,9 +129,6 @@ with import ../../lib/qemu-flags.nix { inherit pkgs; }; users.users.root.initialHashedPassword = mkOverride 150 ""; services.xserver.displayManager.job.logToJournal = true; - - # set default stateVersion to avoid warnings during eval - system.stateVersion = mkDefault "18.03"; }; } diff --git a/nixpkgs/nixos/modules/virtualisation/containers.nix b/nixpkgs/nixos/modules/virtualisation/containers.nix index 97243e3304ee..2235eec9d95a 100644 --- a/nixpkgs/nixos/modules/virtualisation/containers.nix +++ b/nixpkgs/nixos/modules/virtualisation/containers.nix @@ -465,20 +465,24 @@ in merge = loc: defs: (import ../../lib/eval-config.nix { inherit system; modules = - let extraConfig = - { boot.isContainer = true; - networking.hostName = mkDefault name; - networking.useDHCP = false; - assertions = [ - { - assertion = config.privateNetwork -> stringLength name < 12; - message = '' - Container name `${name}` is too long: When `privateNetwork` is enabled, container names can - not be longer than 11 characters, because the container's interface name is derived from it. - This might be fixed in the future. See https://github.com/NixOS/nixpkgs/issues/38509 - ''; - } - ]; + let + extraConfig = { + _file = "module at ${__curPos.file}:${toString __curPos.line}"; + config = { + boot.isContainer = true; + networking.hostName = mkDefault name; + networking.useDHCP = false; + assertions = [ + { + assertion = config.privateNetwork -> stringLength name < 12; + message = '' + Container name `${name}` is too long: When `privateNetwork` is enabled, container names can + not be longer than 11 characters, because the container's interface name is derived from it. + This might be fixed in the future. See https://github.com/NixOS/nixpkgs/issues/38509 + ''; + } + ]; + }; }; in [ extraConfig ] ++ (map (x: x.value) defs); prefix = [ "containers" name ]; diff --git a/nixpkgs/nixos/tests/all-tests.nix b/nixpkgs/nixos/tests/all-tests.nix index 8b38e802e62e..359f62751b99 100644 
--- a/nixpkgs/nixos/tests/all-tests.nix +++ b/nixpkgs/nixos/tests/all-tests.nix @@ -36,6 +36,7 @@ in borgbackup = handleTest ./borgbackup.nix {}; buildbot = handleTest ./buildbot.nix {}; cadvisor = handleTestOn ["x86_64-linux"] ./cadvisor.nix {}; + cassandra = handleTest ./cassandra.nix {}; ceph = handleTestOn ["x86_64-linux"] ./ceph.nix {}; certmgr = handleTest ./certmgr.nix {}; cfssl = handleTestOn ["x86_64-linux"] ./cfssl.nix {}; @@ -82,6 +83,7 @@ in fish = handleTest ./fish.nix {}; flannel = handleTestOn ["x86_64-linux"] ./flannel.nix {}; flatpak = handleTest ./flatpak.nix {}; + flatpak-builder = handleTest ./flatpak-builder.nix {}; fsck = handleTest ./fsck.nix {}; fwupd = handleTestOn ["x86_64-linux"] ./fwupd.nix {}; # libsmbios is unsupported on aarch64 gdk-pixbuf = handleTest ./gdk-pixbuf.nix {}; @@ -239,6 +241,7 @@ in syncthing-relay = handleTest ./syncthing-relay.nix {}; systemd = handleTest ./systemd.nix {}; systemd-confinement = handleTest ./systemd-confinement.nix {}; + systemd-timesyncd = handleTest ./systemd-timesyncd.nix {}; pdns-recursor = handleTest ./pdns-recursor.nix {}; taskserver = handleTest ./taskserver.nix {}; telegraf = handleTest ./telegraf.nix {}; diff --git a/nixpkgs/nixos/tests/cassandra.nix b/nixpkgs/nixos/tests/cassandra.nix index 60d0c6d76068..aea4fa4d1c95 100644 --- a/nixpkgs/nixos/tests/cassandra.nix +++ b/nixpkgs/nixos/tests/cassandra.nix 
@@ -1,26 +1,43 @@ -import ./make-test.nix ({ pkgs, ...}: +import ./make-test.nix ({ pkgs, lib, ... }: let # Change this to test a different version of Cassandra: testPackage = pkgs.cassandra; - cassandraCfg = + clusterName = "NixOS Automated-Test Cluster"; + + testRemoteAuth = lib.versionAtLeast testPackage.version "3.11"; + jmxRoles = [{ username = "me"; password = "password"; }]; + jmxRolesFile = ./cassandra-jmx-roles; + jmxAuthArgs = "-u ${(builtins.elemAt jmxRoles 0).username} -pw ${(builtins.elemAt jmxRoles 0).password}"; + + # Would usually be assigned to 512M + numMaxHeapSize = "400"; + getHeapLimitCommand = '' + nodetool info | grep "^Heap Memory" | awk \'{print $NF}\' + ''; + checkHeapLimitCommand = '' + [ 1 -eq "$(echo "$(${getHeapLimitCommand}) < ${numMaxHeapSize}" | ${pkgs.bc}/bin/bc)" ] + ''; + + cassandraCfg = ipAddress: { enable = true; - listenAddress = null; - listenInterface = "eth1"; - rpcAddress = null; - rpcInterface = "eth1"; - extraConfig = - { start_native_transport = true; - seed_provider = - [{ class_name = "org.apache.cassandra.locator.SimpleSeedProvider"; - parameters = [ { seeds = "cass0"; } ]; - }]; - }; + inherit clusterName; + listenAddress = ipAddress; + rpcAddress = ipAddress; + seedAddresses = [ "192.168.1.1" ]; package = testPackage; + maxHeapSize = "${numMaxHeapSize}M"; + heapNewSize = "100M"; }; - nodeCfg = extra: {pkgs, config, ...}: + nodeCfg = ipAddress: extra: {pkgs, config, ...}: { environment.systemPackages = [ testPackage ]; - networking.firewall.enable = false; - services.cassandra = cassandraCfg // extra; + networking = { + firewall.allowedTCPPorts = [ 7000 7199 9042 ]; + useDHCP = false; + interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [ + { address = ipAddress; prefixLength = 24; } + ]; + }; + services.cassandra = cassandraCfg ipAddress // extra; virtualisation.memorySize = 1024; }; in 
@@ -28,40 +45,65 @@ in name = "cassandra-ci"; nodes = { - cass0 = nodeCfg {}; - cass1 = nodeCfg {}; - cass2 = nodeCfg { jvmOpts = [ "-Dcassandra.replace_address=cass1" ]; }; + cass0 = nodeCfg "192.168.1.1" {}; + cass1 = nodeCfg "192.168.1.2" (lib.optionalAttrs testRemoteAuth { inherit jmxRoles; remoteJmx = true; }); + cass2 = nodeCfg "192.168.1.3" { jvmOpts = [ "-Dcassandra.replace_address=cass1" ]; }; }; testScript = '' - subtest "timers exist", sub { + # Check configuration + subtest "Timers exist", sub { $cass0->succeed("systemctl list-timers | grep cassandra-full-repair.timer"); $cass0->succeed("systemctl list-timers | grep cassandra-incremental-repair.timer"); }; - subtest "can connect via cqlsh", sub { + subtest "Can connect via cqlsh", sub { $cass0->waitForUnit("cassandra.service"); $cass0->waitUntilSucceeds("nc -z cass0 9042"); $cass0->succeed("echo 'show version;' | cqlsh cass0"); }; - subtest "nodetool is operational", sub { + subtest "Nodetool is operational", sub { $cass0->waitForUnit("cassandra.service"); $cass0->waitUntilSucceeds("nc -z localhost 7199"); $cass0->succeed("nodetool status --resolve-ip | egrep '^UN[[:space:]]+cass0'"); }; - subtest "bring up cluster", sub { + subtest "Cluster name was set", sub { + $cass0->waitForUnit("cassandra.service"); + $cass0->waitUntilSucceeds("nc -z localhost 7199"); + $cass0->waitUntilSucceeds("nodetool describecluster | grep 'Name: ${clusterName}'"); + }; + subtest "Heap limit set correctly", sub { + # Nodetool takes a while until it can display info + $cass0->waitUntilSucceeds('nodetool info'); + $cass0->succeed('${checkHeapLimitCommand}'); + }; + + # Check cluster interaction + subtest "Bring up cluster", sub { $cass1->waitForUnit("cassandra.service"); - $cass1->waitUntilSucceeds("nodetool status | egrep -c '^UN' | grep 2"); + $cass1->waitUntilSucceeds("nodetool ${jmxAuthArgs} status | egrep -c '^UN' | grep 2"); $cass0->succeed("nodetool status --resolve-ip | egrep '^UN[[:space:]]+cass1'"); }; - subtest 
"break and fix node", sub { + '' + lib.optionalString testRemoteAuth '' + subtest "Remote authenticated jmx", sub { + # Doesn't work if not enabled + $cass0->waitUntilSucceeds("nc -z localhost 7199"); + $cass1->fail("nc -z 192.168.1.1 7199"); + $cass1->fail("nodetool -h 192.168.1.1 status"); + + # Works if enabled + $cass1->waitUntilSucceeds("nc -z localhost 7199"); + $cass0->succeed("nodetool -h 192.168.1.2 ${jmxAuthArgs} status"); + }; + '' + '' + subtest "Break and fix node", sub { $cass1->block; $cass0->waitUntilSucceeds("nodetool status --resolve-ip | egrep -c '^DN[[:space:]]+cass1'"); $cass0->succeed("nodetool status | egrep -c '^UN' | grep 1"); $cass1->unblock; - $cass1->waitUntilSucceeds("nodetool status | egrep -c '^UN' | grep 2"); + $cass1->waitUntilSucceeds("nodetool ${jmxAuthArgs} status | egrep -c '^UN' | grep 2"); $cass0->succeed("nodetool status | egrep -c '^UN' | grep 2"); }; - subtest "replace crashed node", sub { + subtest "Replace crashed node", sub { $cass1->crash; $cass2->waitForUnit("cassandra.service"); $cass0->waitUntilFails("nodetool status --resolve-ip | egrep '^UN[[:space:]]+cass1'"); diff --git a/nixpkgs/nixos/tests/containers-imperative.nix b/nixpkgs/nixos/tests/containers-imperative.nix index 0c101037aa7f..2e7e4b2f1d69 100644 --- a/nixpkgs/nixos/tests/containers-imperative.nix +++ b/nixpkgs/nixos/tests/containers-imperative.nix @@ -35,7 +35,17 @@ import ./make-test.nix ({ pkgs, ...} : { ]; }; - testScript = + testScript = let + tmpfilesContainerConfig = pkgs.writeText "container-config-tmpfiles" '' + { + systemd.tmpfiles.rules = [ "d /foo - - - - -" ]; + systemd.services.foo = { + serviceConfig.Type = "oneshot"; + script = "ls -al /foo"; + wantedBy = [ "multi-user.target" ]; + }; + } + ''; in '' # Make sure we have a NixOS tree (required by ‘nixos-container create’). $machine->succeed("PAGER=cat nix-env -qa -A nixos.hello >&2"); 
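Review bot: The "Remote authenticated jmx" subtest never checks that cass1's remote JMX actually demands the `jmxRoles` credentials: it proves the port is closed on cass0 and that the authenticated `nodetool -h 192.168.1.2 ${jmxAuthArgs} status` works, so a module change that enabled remote JMX with authentication off would pass this test unchanged. Add the negative case right before the success case, `$cass0->fail("nodetool -h 192.168.1.2 status");`, so the test pins the property the subtest is named for. The `jmxRoles` list and `jmxAuthArgs` this relies on are defined in the first hunk of this file, outside this one.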
@@ -93,6 +103,15 @@ import ./make-test.nix ({ pkgs, ...} : { $machine->succeed("nixos-container stop $id1"); $machine->succeed("nixos-container start $id1"); + # Ensure tmpfiles are present + $machine->log("creating container tmpfiles"); + $machine->succeed("nixos-container create tmpfiles --config-file ${tmpfilesContainerConfig}"); + $machine->log("created, starting…"); + $machine->succeed("nixos-container start tmpfiles"); + $machine->log("done starting, investigating…"); + $machine->succeed("echo \$(nixos-container run tmpfiles -- systemctl is-active foo.service) | grep -q active;"); + $machine->succeed("nixos-container destroy tmpfiles"); + # Execute commands via the root shell. $machine->succeed("nixos-container run $id1 -- uname") =~ /Linux/ or die; diff --git a/nixpkgs/nixos/tests/flatpak-builder.nix b/nixpkgs/nixos/tests/flatpak-builder.nix new file mode 100644 index 000000000000..2100631ec7f4 --- /dev/null +++ b/nixpkgs/nixos/tests/flatpak-builder.nix @@ -0,0 +1,19 @@ +# run installed tests +import ./make-test.nix ({ pkgs, ... }: + +{ + name = "flatpak-builder"; + meta = { + maintainers = pkgs.flatpak-builder.meta.maintainers; + }; + + machine = { pkgs, ... }: { + services.flatpak.enable = true; + environment.systemPackages = with pkgs; [ gnome-desktop-testing flatpak-builder ] ++ flatpak-builder.installedTestsDependencies; + virtualisation.diskSize = 2048; + }; + + testScript = '' + $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.flatpak-builder.installedTests}/share' --timeout 3600"); + ''; +}) diff --git a/nixpkgs/nixos/tests/gitea.nix b/nixpkgs/nixos/tests/gitea.nix index cccf8c7cd44f..b8ab6dabc8c1 100644 --- a/nixpkgs/nixos/tests/gitea.nix +++ b/nixpkgs/nixos/tests/gitea.nix 
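Review bot: `grep -q active` in the new tmpfiles check also matches `inactive`, which is precisely what `systemctl is-active` prints for a completed `oneshot` unit, and the `echo $(…)` wrapper throws away the exit status that would have reported the same thing directly, so the assertion only distinguishes `failed` from everything else. Assert on the property the subtest is named for instead, `$machine->succeed("nixos-container run tmpfiles -- test -d /foo");`, and if the unit state matters use an anchored match: `… systemctl is-active foo.service | grep -qx -e active -e inactive`. The `tmpfilesContainerConfig` it exercises is defined earlier in the file, outside this hunk.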
@@ -13,18 +13,8 @@ with pkgs.lib; machine = { config, pkgs, ... }: - { services.mysql.enable = true; - services.mysql.package = pkgs.mariadb; - services.mysql.ensureDatabases = [ "gitea" ]; - services.mysql.ensureUsers = [ - { name = "gitea"; - ensurePermissions = { "gitea.*" = "ALL PRIVILEGES"; }; - } - ]; - - services.gitea.enable = true; + { services.gitea.enable = true; services.gitea.database.type = "mysql"; - services.gitea.database.socket = "/run/mysqld/mysqld.sock"; }; testScript = '' @@ -42,10 +32,8 @@ with pkgs.lib; machine = { config, pkgs, ... }: - { - services.gitea.enable = true; + { services.gitea.enable = true; services.gitea.database.type = "postgres"; - services.gitea.database.passwordFile = pkgs.writeText "db-password" "secret"; }; testScript = '' diff --git a/nixpkgs/nixos/tests/installer.nix b/nixpkgs/nixos/tests/installer.nix index 5e363f5d09e9..07659b60b3b8 100644 --- a/nixpkgs/nixos/tests/installer.nix +++ b/nixpkgs/nixos/tests/installer.nix @@ -273,7 +273,7 @@ let }; }; - makeLuksRootTest = name: luksFormatOpts: makeInstallerTest "luksroot-format2" + makeLuksRootTest = name: luksFormatOpts: makeInstallerTest name { createPartitions = '' $machine->succeed( "flock /dev/vda parted --script /dev/vda -- mklabel msdos" diff --git a/nixpkgs/nixos/tests/phabricator.nix b/nixpkgs/nixos/tests/phabricator.nix deleted file mode 100644 index db23331842cb..000000000000 --- a/nixpkgs/nixos/tests/phabricator.nix +++ /dev/null 
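Review bot: Dropping `database.passwordFile` from the postgres machine and `database.socket` from the mysql one leaves both tests on the auto-provisioned, socket-authenticated path that the module's new `createDatabase` assertion covers, so the password-authenticated database path — the one a remote or pre-existing database needs — is no longer exercised by any test in this file. Keeping one machine with `createDatabase = false` and an explicit `passwordFile` (plus the `ensureUsers` setup this hunk removes) would preserve that coverage. The test scripts themselves lie outside both hunks.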
@@ -1,77 +0,0 @@ -import ./make-test.nix ({ pkgs, ... }: { - name = "phabricator"; - meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ ]; - }; - - nodes = { - storage = - { ... }: - { services.nfs.server.enable = true; - services.nfs.server.exports = '' - /repos 192.168.1.0/255.255.255.0(rw,no_root_squash) - ''; - services.nfs.server.createMountPoints = true; - }; - - webserver = - { pkgs, ... }: - { fileSystems = pkgs.lib.mkVMOverride - [ { mountPoint = "/repos"; - device = "storage:/repos"; - fsType = "nfs"; - } - ]; - networking.firewall.enable = false; - networking.useDHCP = false; - - services = { - httpd = { - enable = true; - adminAddr = "root@localhost"; - virtualHosts = [{ - hostName = "phabricator.local"; - extraSubservices = [{serviceType = "phabricator";}]; - }]; - }; - - phd = { - enable = true; - }; - - mysql = { - enable = true; - package = pkgs.mysql; - extraOptions = '' - sql_mode=STRICT_ALL_TABLES - ''; - }; - }; - - environment.systemPackages = [ pkgs.php ]; - }; - - client = - { ... }: - { imports = [ ./common/x11.nix ]; - services.xserver.desktopManager.plasma5.enable = true; - }; - }; - - testScript = - '' - startAll; - - $client->waitForX; - - $webserver->waitForUnit("mysql"); - $webserver->waitForUnit("httpd"); - $webserver->execute("cd /nix/store; less >/repos/log1"); - - $client->sleep(30); # loading takes a long time - $client->execute("konqueror http://webserver/ &"); - $client->sleep(90); # loading takes a long time - - $client->screenshot("screen"); - ''; -}) diff --git a/nixpkgs/nixos/tests/radicale.nix b/nixpkgs/nixos/tests/radicale.nix index bf22fc9291af..607964255640 100644 --- a/nixpkgs/nixos/tests/radicale.nix +++ b/nixpkgs/nixos/tests/radicale.nix 
@@ -85,7 +85,7 @@ in
 $radicale->succeed('mv /tmp/collections-new/collection-root /tmp/collections');
 $radicale->succeed('${switchToConfig "radicale2_verify"} >&2');
 $radicale->waitUntilFails('systemctl status radicale');
- my ($retcode, $logs) = $radicale->execute('journalctl -u radicale -n 5');
+ my ($retcode, $logs) = $radicale->execute('journalctl -u radicale -n 10');
 if ($retcode != 0 || index($logs, 'Verifying storage') == -1) {
 die "Radicale 2 didn't verify storage"
 }
diff --git a/nixpkgs/nixos/tests/systemd-timesyncd.nix b/nixpkgs/nixos/tests/systemd-timesyncd.nix
new file mode 100644
index 000000000000..d12b8eb2bf7e
--- /dev/null
+++ b/nixpkgs/nixos/tests/systemd-timesyncd.nix
@@ -0,0 +1,52 @@ +# Regression test for systemd-timesync having moved the state directory without +# upstream providing a migration path. https://github.com/systemd/systemd/issues/12131 + +import ./make-test.nix (let + common = { lib, ... }: { + # override the `false` value from the qemu-vm base profile + services.timesyncd.enable = lib.mkForce true; + }; + mkVM = conf: { imports = [ conf common ]; }; +in { + name = "systemd-timesyncd"; + nodes = { + current = mkVM {}; + pre1909 = mkVM ({lib, ... }: with lib; { + # create the path that should be migrated by our activation script when + # upgrading to a newer nixos version + system.stateVersion = "19.03"; + system.activationScripts.simulate-old-timesync-state-dir = mkBefore '' + rm -f /var/lib/systemd/timesync + mkdir -p /var/lib/systemd /var/lib/private/systemd/timesync + ln -s /var/lib/private/systemd/timesync /var/lib/systemd/timesync + chown systemd-timesync: /var/lib/private/systemd/timesync + ''; + }); + }; + + testScript = '' + startAll; + $current->succeed('systemctl status systemd-timesyncd.service'); + # on a new install with a recent systemd there should not be any + # leftovers from the dynamic user mess + $current->succeed('test -e /var/lib/systemd/timesync'); + $current->succeed('test ! -L /var/lib/systemd/timesync'); + + # timesyncd should be running on the upgrading system since we fixed the + # file bits in the activation script + $pre1909->succeed('systemctl status systemd-timesyncd.service'); + + # the path should be gone after the migration + $pre1909->succeed('test ! -e /var/lib/private/systemd/timesync'); + + # and the new path should no longer be a symlink + $pre1909->succeed('test -e /var/lib/systemd/timesync'); + $pre1909->succeed('test ! -L /var/lib/systemd/timesync'); + + # after a restart things should still work and not fail in the activation + # scripts and cause the boot to fail.. 
+ $pre1909->shutdown; + $pre1909->start; + $pre1909->succeed('systemctl status systemd-timesyncd.service'); + ''; +}) |
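Review bot: The test checks that the directory moved and is no longer a symlink but never that the migrated `/var/lib/systemd/timesync` kept the `systemd-timesync` owner the simulated pre-19.09 state set with `chown`, and that ownership is what decides whether the service can write there after the DynamicUser revert the header comment refers to. Add `$pre1909->succeed('stat -c %U /var/lib/systemd/timesync | grep -qx systemd-timesync');` next to the `test ! -L` assertion. `systemctl status` straight after `startAll` may also race the service's own startup; `waitForUnit('systemd-timesyncd.service')`, as other tests in this change use, is the robust probe.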