authorAlyssa Ross <hi@alyssa.is>2022-03-30 13:30:47 +0000
committerAlyssa Ross <hi@alyssa.is>2022-03-31 10:13:20 +0000
commitf2e61678de300336b3666afd19af7565efb0c4cf (patch)
tree49f6906c9d557f7fdd58257ff85ec17fc4495f31 /nixpkgs/nixos
parentf920d5e07c29a9aa1b77d9b88bd604cf1a1f3664 (diff)
parent00e27c78d3d2de6964096ceee8d70e5b487365e3 (diff)
Merge commit '00e27c78d3d2de6964096ceee8d70e5b487365e3'
Conflicts:
	nixpkgs/nixos/modules/system/boot/systemd.nix
	nixpkgs/pkgs/applications/networking/browsers/firefox/common.nix
	nixpkgs/pkgs/applications/version-management/git-and-tools/cgit/common.nix
	nixpkgs/pkgs/applications/version-management/git-and-tools/cgit/default.nix
	nixpkgs/pkgs/applications/version-management/git-and-tools/cgit/pink.nix
	nixpkgs/pkgs/top-level/all-packages.nix
Diffstat (limited to 'nixpkgs/nixos')
-rw-r--r--nixpkgs/nixos/doc/manual/development/option-declarations.section.md7
-rw-r--r--nixpkgs/nixos/doc/manual/development/writing-nixos-tests.section.md13
-rw-r--r--nixpkgs/nixos/doc/manual/from_md/development/option-declarations.section.xml8
-rw-r--r--nixpkgs/nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml28
-rw-r--r--nixpkgs/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml330
-rw-r--r--nixpkgs/nixos/doc/manual/man-nixos-rebuild.xml18
-rw-r--r--nixpkgs/nixos/doc/manual/release-notes/rl-2205.section.md88
-rw-r--r--nixpkgs/nixos/lib/make-options-doc/mergeJSON.py9
-rw-r--r--nixpkgs/nixos/lib/systemd-lib.nix212
-rw-r--r--nixpkgs/nixos/lib/test-driver/test_driver/driver.py1
-rw-r--r--nixpkgs/nixos/lib/test-driver/test_driver/machine.py30
-rw-r--r--nixpkgs/nixos/lib/testing-python.nix30
-rw-r--r--nixpkgs/nixos/modules/config/resolvconf.nix6
-rw-r--r--nixpkgs/nixos/modules/hardware/video/nvidia.nix20
-rw-r--r--nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix55
-rw-r--r--nixpkgs/nixos/modules/installer/tools/nixos-enter.sh22
-rw-r--r--nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl9
-rw-r--r--nixpkgs/nixos/modules/installer/tools/tools.nix2
-rw-r--r--nixpkgs/nixos/modules/misc/locate.nix6
-rw-r--r--nixpkgs/nixos/modules/misc/version.nix6
-rw-r--r--nixpkgs/nixos/modules/module-list.nix13
-rw-r--r--nixpkgs/nixos/modules/programs/_1password-gui.nix69
-rw-r--r--nixpkgs/nixos/modules/programs/nix-ld.nix12
-rw-r--r--nixpkgs/nixos/modules/programs/nncp.nix101
-rw-r--r--nixpkgs/nixos/modules/services/cluster/corosync/default.nix112
-rw-r--r--nixpkgs/nixos/modules/services/cluster/hadoop/conf.nix22
-rw-r--r--nixpkgs/nixos/modules/services/cluster/hadoop/default.nix97
-rw-r--r--nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix295
-rw-r--r--nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix98
-rw-r--r--nixpkgs/nixos/modules/services/cluster/pacemaker/default.nix52
-rw-r--r--nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix4
-rw-r--r--nixpkgs/nixos/modules/services/desktops/pipewire/pipewire-media-session.nix5
-rw-r--r--nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix19
-rw-r--r--nixpkgs/nixos/modules/services/desktops/pipewire/wireplumber.nix12
-rw-r--r--nixpkgs/nixos/modules/services/games/factorio.nix9
-rw-r--r--nixpkgs/nixos/modules/services/games/minecraft-server.nix2
-rw-r--r--nixpkgs/nixos/modules/services/hardware/joycond.nix8
-rw-r--r--nixpkgs/nixos/modules/services/logging/graylog.nix2
-rw-r--r--nixpkgs/nixos/modules/services/matrix/matrix-synapse.xml6
-rw-r--r--nixpkgs/nixos/modules/services/misc/autorandr.nix310
-rw-r--r--nixpkgs/nixos/modules/services/misc/dendrite.nix13
-rw-r--r--nixpkgs/nixos/modules/services/misc/moonraker.nix40
-rw-r--r--nixpkgs/nixos/modules/services/misc/nix-daemon.nix8
-rw-r--r--nixpkgs/nixos/modules/services/misc/nix-gc.nix10
-rw-r--r--nixpkgs/nixos/modules/services/misc/nix-optimise.nix10
-rw-r--r--nixpkgs/nixos/modules/services/misc/paperless-ng.nix2
-rw-r--r--nixpkgs/nixos/modules/services/monitoring/grafana.nix5
-rw-r--r--nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix5
-rw-r--r--nixpkgs/nixos/modules/services/network-filesystems/ipfs.nix24
-rw-r--r--nixpkgs/nixos/modules/services/network-filesystems/samba.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/dhcpd.nix8
-rw-r--r--nixpkgs/nixos/modules/services/networking/https-dns-proxy.nix128
-rw-r--r--nixpkgs/nixos/modules/services/networking/iwd.nix21
-rw-r--r--nixpkgs/nixos/modules/services/networking/nsd.nix20
-rw-r--r--nixpkgs/nixos/modules/services/networking/pleroma.nix8
-rw-r--r--nixpkgs/nixos/modules/services/networking/powerdns.nix4
-rw-r--r--nixpkgs/nixos/modules/services/networking/squid.nix17
-rw-r--r--nixpkgs/nixos/modules/services/networking/unbound.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/vsftpd.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/wg-quick.nix9
-rw-r--r--nixpkgs/nixos/modules/services/security/oauth2_proxy.nix10
-rw-r--r--nixpkgs/nixos/modules/services/security/sslmate-agent.nix32
-rw-r--r--nixpkgs/nixos/modules/services/security/tor.nix5
-rw-r--r--nixpkgs/nixos/modules/services/system/earlyoom.nix98
-rw-r--r--nixpkgs/nixos/modules/services/video/unifi-video.nix168
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/keycloak.nix20
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/nextcloud.nix11
-rw-r--r--nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix69
-rw-r--r--nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix3
-rw-r--r--nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix4
-rw-r--r--nixpkgs/nixos/modules/services/x11/display-managers/default.nix1
-rw-r--r--nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix2
-rwxr-xr-xnixpkgs/nixos/modules/system/activation/switch-to-configuration.pl632
-rw-r--r--nixpkgs/nixos/modules/system/boot/kernel.nix2
-rw-r--r--nixpkgs/nixos/modules/system/boot/modprobe.nix20
-rw-r--r--nixpkgs/nixos/modules/system/boot/stage-1.nix5
-rw-r--r--nixpkgs/nixos/modules/system/boot/stage-2.nix30
-rw-r--r--nixpkgs/nixos/modules/system/boot/systemd.nix667
-rw-r--r--nixpkgs/nixos/modules/system/boot/systemd/coredump.nix57
-rw-r--r--nixpkgs/nixos/modules/system/boot/systemd/journald.nix131
-rw-r--r--nixpkgs/nixos/modules/system/boot/systemd/logind.nix114
-rw-r--r--nixpkgs/nixos/modules/system/boot/systemd/nspawn.nix (renamed from nixpkgs/nixos/modules/system/boot/systemd-nspawn.nix)0
-rw-r--r--nixpkgs/nixos/modules/system/boot/systemd/tmpfiles.nix106
-rw-r--r--nixpkgs/nixos/modules/system/boot/systemd/user.nix158
-rw-r--r--nixpkgs/nixos/modules/tasks/auto-upgrade.nix83
-rw-r--r--nixpkgs/nixos/modules/tasks/filesystems.nix29
-rw-r--r--nixpkgs/nixos/modules/tasks/network-interfaces-scripted.nix2
-rw-r--r--nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix2
-rw-r--r--nixpkgs/nixos/modules/tasks/network-interfaces.nix28
-rw-r--r--nixpkgs/nixos/modules/virtualisation/qemu-vm.nix2
-rw-r--r--nixpkgs/nixos/modules/virtualisation/waydroid.nix6
-rw-r--r--nixpkgs/nixos/tests/all-tests.nix17
-rw-r--r--nixpkgs/nixos/tests/avahi.nix2
-rw-r--r--nixpkgs/nixos/tests/boot.nix1
-rw-r--r--nixpkgs/nixos/tests/caddy.nix6
-rw-r--r--nixpkgs/nixos/tests/ceph-multi-node.nix2
-rw-r--r--nixpkgs/nixos/tests/chromium.nix38
-rw-r--r--nixpkgs/nixos/tests/cri-o.nix2
-rw-r--r--nixpkgs/nixos/tests/earlyoom.nix16
-rw-r--r--nixpkgs/nixos/tests/gitolite-fcgiwrap.nix2
-rw-r--r--nixpkgs/nixos/tests/gnome-xorg.nix1
-rw-r--r--nixpkgs/nixos/tests/gnome.nix1
-rw-r--r--nixpkgs/nixos/tests/hadoop/default.nix7
-rw-r--r--nixpkgs/nixos/tests/hadoop/hadoop.nix273
-rw-r--r--nixpkgs/nixos/tests/hadoop/hdfs.nix61
-rw-r--r--nixpkgs/nixos/tests/hadoop/yarn.nix34
-rw-r--r--nixpkgs/nixos/tests/installed-tests/gjs.nix6
-rw-r--r--nixpkgs/nixos/tests/installer.nix2
-rw-r--r--nixpkgs/nixos/tests/ipfs.nix5
-rw-r--r--nixpkgs/nixos/tests/jitsi-meet.nix4
-rw-r--r--nixpkgs/nixos/tests/keepassxc.nix50
-rw-r--r--nixpkgs/nixos/tests/keycloak.nix22
-rw-r--r--nixpkgs/nixos/tests/misc.nix6
-rw-r--r--nixpkgs/nixos/tests/moonraker.nix45
-rw-r--r--nixpkgs/nixos/tests/networking.nix45
-rw-r--r--nixpkgs/nixos/tests/nextcloud/default.nix2
-rw-r--r--nixpkgs/nixos/tests/nix-ld.nix20
-rw-r--r--nixpkgs/nixos/tests/pacemaker.nix110
-rw-r--r--nixpkgs/nixos/tests/pleroma.nix20
-rw-r--r--nixpkgs/nixos/tests/powerdns.nix1
-rw-r--r--nixpkgs/nixos/tests/rstudio-server.nix6
-rw-r--r--nixpkgs/nixos/tests/sfxr-qt.nix32
-rw-r--r--nixpkgs/nixos/tests/step-ca.nix4
-rw-r--r--nixpkgs/nixos/tests/switch-test.nix30
-rw-r--r--nixpkgs/nixos/tests/systemd-misc.nix (renamed from nixpkgs/nixos/tests/systemd-unit-path.nix)17
-rw-r--r--nixpkgs/nixos/tests/terminal-emulators.nix207
-rw-r--r--nixpkgs/nixos/tests/tor.nix25
-rw-r--r--nixpkgs/nixos/tests/web-apps/mastodon.nix170
-rw-r--r--nixpkgs/nixos/tests/web-apps/peertube.nix3
-rw-r--r--nixpkgs/nixos/tests/wine.nix13
-rw-r--r--nixpkgs/nixos/tests/without-nix.nix21
131 files changed, 4502 insertions, 1807 deletions
diff --git a/nixpkgs/nixos/doc/manual/development/option-declarations.section.md b/nixpkgs/nixos/doc/manual/development/option-declarations.section.md
index 819fc6d891f0..53ecb9b3a624 100644
--- a/nixpkgs/nixos/doc/manual/development/option-declarations.section.md
+++ b/nixpkgs/nixos/doc/manual/development/option-declarations.section.md
@@ -27,9 +27,10 @@ The function `mkOption` accepts the following arguments.
 
 `type`
 
-:   The type of the option (see [](#sec-option-types)). It may be
-    omitted, but that's not advisable since it may lead to errors that
-    are hard to diagnose.
+:   The type of the option (see [](#sec-option-types)). This
+    argument is mandatory for nixpkgs modules. Setting this is highly
+    recommended for the sake of documentation and type checking. In case it is
+    not set, a fallback type with unspecified behavior is used.
 
 `default`
 
diff --git a/nixpkgs/nixos/doc/manual/development/writing-nixos-tests.section.md b/nixpkgs/nixos/doc/manual/development/writing-nixos-tests.section.md
index 7de57d0d2a37..433e1906f775 100644
--- a/nixpkgs/nixos/doc/manual/development/writing-nixos-tests.section.md
+++ b/nixpkgs/nixos/doc/manual/development/writing-nixos-tests.section.md
@@ -158,6 +158,12 @@ The following methods are available on machine objects:
     e.g., `send_chars("foobar\n")` will type the string `foobar`
     followed by the Enter key.
 
+`send_console`
+
+:   Send keys to the kernel console. This allows interaction with the systemd
+    emergency mode, for example. Takes a string that is sent, e.g.,
+    `send_console("\n\nsystemctl default\n")`.
+
 `execute`
 
 :   Execute a shell command, returning a list `(status, stdout)`.
@@ -272,6 +278,13 @@ The following methods are available on machine objects:
     Killing the interactive session with `Ctrl-d` or `Ctrl-c` also ends
     the guest session.
 
+`console_interact`
+
+:   Allows you to directly interact with QEMU's stdin. This should
+    only be used during test development, not in production tests.
+    Output from QEMU is only read line-wise. `Ctrl-c` kills QEMU and
+    `Ctrl-d` closes console and returns to the test runner.
+
 To test user units declared by `systemd.user.services` the optional
 `user` argument can be used:
 
diff --git a/nixpkgs/nixos/doc/manual/from_md/development/option-declarations.section.xml b/nixpkgs/nixos/doc/manual/from_md/development/option-declarations.section.xml
index 554705e2e424..0ac5e0eeca2d 100644
--- a/nixpkgs/nixos/doc/manual/from_md/development/option-declarations.section.xml
+++ b/nixpkgs/nixos/doc/manual/from_md/development/option-declarations.section.xml
@@ -38,9 +38,11 @@ options = {
       <listitem>
         <para>
           The type of the option (see
-          <xref linkend="sec-option-types" />). It may be omitted, but
-          that’s not advisable since it may lead to errors that are hard
-          to diagnose.
+          <xref linkend="sec-option-types" />). This argument is
+          mandatory for nixpkgs modules. Setting this is highly
+          recommended for the sake of documentation and type checking.
+          In case it is not set, a fallback type with unspecified
+          behavior is used.
         </para>
       </listitem>
     </varlistentry>
diff --git a/nixpkgs/nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml b/nixpkgs/nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml
index 45c9c40c6095..4f856f98f2a2 100644
--- a/nixpkgs/nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml
+++ b/nixpkgs/nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml
@@ -263,6 +263,19 @@ start_all()
       </varlistentry>
       <varlistentry>
         <term>
+          <literal>send_console</literal>
+        </term>
+        <listitem>
+          <para>
+            Send keys to the kernel console. This allows interaction
+            with the systemd emergency mode, for example. Takes a string
+            that is sent, e.g.,
+            <literal>send_console(&quot;\n\nsystemctl default\n&quot;)</literal>.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
           <literal>execute</literal>
         </term>
         <listitem>
@@ -502,6 +515,21 @@ machine.systemctl(&quot;list-jobs --no-pager&quot;, &quot;any-user&quot;) # spaw
           </para>
         </listitem>
       </varlistentry>
+      <varlistentry>
+        <term>
+          <literal>console_interact</literal>
+        </term>
+        <listitem>
+          <para>
+            Allows you to directly interact with QEMU’s stdin. This
+            should only be used during test development, not in
+            production tests. Output from QEMU is only read line-wise.
+            <literal>Ctrl-c</literal> kills QEMU and
+            <literal>Ctrl-d</literal> closes console and returns to the
+            test runner.
+          </para>
+        </listitem>
+      </varlistentry>
     </variablelist>
     <para>
       To test user units declared by
diff --git a/nixpkgs/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixpkgs/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index 396de8cd77c2..0c5b3b4fec76 100644
--- a/nixpkgs/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixpkgs/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -17,6 +17,14 @@
     <itemizedlist>
       <listitem>
         <para>
+          The <literal>firefox</literal> browser on
+          <literal>x86_64-linux</literal> is now making use of
+          profile-guided optimization resulting in a much more
+          responsive browsing experience.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           <literal>security.acme.defaults</literal> has been added to
           simplify configuring settings for many certificates at once.
           This also opens up the the option to use DNS-01 validation
@@ -27,6 +35,16 @@
       </listitem>
       <listitem>
         <para>
+          GNOME has been upgraded to 42. Please take a look at their
+          <link xlink:href="https://release.gnome.org/42/">Release
+          Notes</link> for details. Notably, it replaces gedit with
+          GNOME Text Editor, GNOME Terminal with GNOME Console (formerly
+          King’s Cross), and GNOME Screenshot with a tool built into the
+          Shell.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           PHP 8.1 is now available
         </para>
       </listitem>
@@ -62,6 +80,14 @@
           notes</link> for details.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          Module authors can use
+          <literal>mkRenamedOptionModuleWith</literal> to automate the
+          deprecation cycle without annoying out-of-tree module authors
+          and their users.
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
   <section xml:id="sec-release-22.05-new-services">
@@ -109,7 +135,7 @@
         <para>
           <link xlink:href="https://frrouting.org/">FRRouting</link>, a
           popular suite of Internet routing protocol daemons (BGP, BFD,
-          OSPF, IS-IS, VVRP and others). Available as
+          OSPF, IS-IS, VRRP and others). Available as
           <link linkend="opt-services.frr.babel.enable">services.frr</link>
         </para>
       </listitem>
@@ -276,6 +302,13 @@
       </listitem>
       <listitem>
         <para>
+          <link xlink:href="https://github.com/Mic92/nix-ld">nix-ld</link>,
+          Run unpatched dynamic binaries on NixOS. Available as
+          <link xlink:href="options.html#opt-programs.nix-ld.enable">programs.nix-ld</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           <link xlink:href="https://timetagger.app">timetagger</link>,
           an open source time-tracker with an intuitive user experience
           and powerful reporting.
@@ -306,6 +339,12 @@
           with many features.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://clusterlabs.org/pacemaker/">pacemaker</link>
+          cluster resource manager
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
   <section xml:id="sec-release-22.05-incompatibilities">
@@ -448,6 +487,15 @@
       </listitem>
       <listitem>
         <para>
+          <literal>services.ipfs.extraFlags</literal> is now escaped
+          with <literal>utils.escapeSystemdExecArgs</literal>. If you
+          rely on systemd interpolating <literal>extraFlags</literal> in
+          the service <literal>ExecStart</literal>, this will no longer
+          work.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           The <literal>matrix-synapse</literal> service
           (<literal>services.matrix-synapse</literal>) has been
           converted to use the <literal>settings</literal> option
@@ -462,6 +510,12 @@
           freeform type.
         </para>
         <para>
+          The <literal>listeners.*.bind_address</literal> option was
+          renamed to <literal>bind_addresses</literal> in order to match
+          the upstream <literal>homeserver.yaml</literal> option name.
+          It is now also a list of strings instead of a string.
+        </para>
+        <para>
           An example to make the required migration clearer:
         </para>
         <para>
@@ -522,7 +576,7 @@
 
       listeners = [ {
         port = 8448;
-        bind_address = [
+        bind_addresses = [
           &quot;::&quot;
           &quot;0.0.0.0&quot;
         ];
@@ -553,7 +607,14 @@
           Additionally a few option defaults have been synced up with
           upstream default values, for example the
           <literal>max_upload_size</literal> grew from
-          <literal>10M</literal> to <literal>50M</literal>.
+          <literal>10M</literal> to <literal>50M</literal>. For the same
+          reason, the default <literal>media_store_path</literal> was
+          changed from <literal>${dataDir}/media</literal> to
+          <literal>${dataDir}/media_store</literal> if
+          <literal>system.stateVersion</literal> is at least
+          <literal>22.05</literal>. Files will need to be manually moved
+          to the new location if the <literal>stateVersion</literal> is
+          updated.
         </para>
       </listitem>
       <listitem>
@@ -565,6 +626,25 @@
       </listitem>
       <listitem>
         <para>
+          Services in the <literal>hadoop</literal> module previously
+          set <literal>openFirewall</literal> to true by default. This
+          has now been changed to false. Node definitions for multi-node
+          clusters would need <literal>openFirewall = true;</literal> to
+          be added to to hadoop services when upgrading from NixOS
+          21.11.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <literal>services.hadoop.yarn.nodemanager</literal> now uses
+          cgroup-based CPU limit enforcement by default. Additionally,
+          the option <literal>useCGroups</literal> was added to
+          nodemanagers as an easy way to switch back to the old
+          behavior.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           The <literal>wafHook</literal> hook now honors
           <literal>NIX_BUILD_CORES</literal> when
           <literal>enableParallelBuilding</literal> is not set
@@ -610,6 +690,23 @@
       </listitem>
       <listitem>
         <para>
+          <literal>services.gnome.experimental-features.realtime-scheduling</literal>
+          option has been removed, as GNOME Shell now
+          <link xlink:href="https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2060">uses
+          rtkit</link>. Use
+          <literal>security.rtkit.enable = true;</literal> instead. As
+          before, you will need to have it enabled using GSettings.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <literal>services.telepathy</literal> will no longer be
+          enabled by default for GNOME desktops, one should enable it in
+          their configs if using Empathy or Polari.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           If you previously used
           <literal>/etc/docker/daemon.json</literal>, you need to
           incorporate the changes into the new option
@@ -737,6 +834,60 @@
       </listitem>
       <listitem>
         <para>
+          <literal>pkgs._7zz</literal> is now correctly licensed as
+          LGPL3+ and BSD3 with optional unfree unRAR licensed code
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>vim.customize</literal> function produced by
+          <literal>vimUtils.makeCustomizable</literal> now has a
+          slightly different interface:
+        </para>
+        <itemizedlist spacing="compact">
+          <listitem>
+            <para>
+              The wrapper now includes everything in the given Vim
+              derivation if <literal>name</literal> is
+              <literal>&quot;vim&quot;</literal> (the default). This
+              makes the <literal>wrapManual</literal> argument obsolete,
+              but this behavior can be overriden by setting the
+              <literal>standalone</literal> argument.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              All the executables present in the given derivation (or,
+              in <literal>standalone</literal> mode, only the
+              <literal>*vim</literal> ones) are wrapped. This makes the
+              <literal>wrapGui</literal> argument obsolete.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              The <literal>vimExecutableName</literal> and
+              <literal>gvimExecutableName</literal> arguments were
+              replaced by a single <literal>executableName</literal>
+              argument in which the shell variable
+              <literal>$exe</literal> can be used to refer to the
+              wrapped executable’s name.
+            </para>
+          </listitem>
+        </itemizedlist>
+        <para>
+          See the comments in
+          <literal>pkgs/applications/editors/vim/plugins/vim-utils.nix</literal>
+          for more details.
+        </para>
+        <para>
+          <literal>vimUtils.vimWithRC</literal> was removed. You should
+          instead use <literal>customize</literal> on a Vim derivation,
+          which now accepts <literal>vimrcFile</literal> and
+          <literal>gvimrcFile</literal> arguments.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           <literal>tilp2</literal> was removed together with its module
         </para>
       </listitem>
@@ -769,6 +920,16 @@
       </listitem>
       <listitem>
         <para>
+          The <literal>miller</literal> package has been upgraded from
+          5.10.3 to
+          <link xlink:href="https://github.com/johnkerl/miller/releases/tag/v6.2.0">6.2.0</link>.
+          See
+          <link xlink:href="https://miller.readthedocs.io/en/latest/new-in-miller-6">What’s
+          new in Miller 6</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           MultiMC has been replaced with the fork PolyMC due to upstream
           developers being hostile to 3rd party package maintainers.
           PolyMC removes all MultiMC branding and is aimed at providing
@@ -794,6 +955,16 @@
       </listitem>
       <listitem>
         <para>
+          The Tor SOCKS proxy is now actually disabled if
+          <literal>services.tor.client.enable</literal> is set to
+          <literal>false</literal> (the default). If you are using this
+          functionality but didn’t change the setting or set it to
+          <literal>false</literal>, you now need to set it to
+          <literal>true</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           The terraform 0.12 compatibility has been removed and the
           <literal>terraform.withPlugins</literal> and
           <literal>terraform-providers.mkProvider</literal>
@@ -1146,7 +1317,8 @@
               Legacy options have been mapped to the corresponding
               options under under
               <link xlink:href="options.html#opt-nix.settings">nix.settings</link>
-              but may be deprecated in the future.
+              and will be deprecated when NixOS 21.11 reaches end of
+              life.
             </para>
           </listitem>
           <listitem>
@@ -1169,6 +1341,33 @@
       </listitem>
       <listitem>
         <para>
+          Some improvements have been made to the
+          <literal>hadoop</literal> module:
+        </para>
+        <itemizedlist spacing="compact">
+          <listitem>
+            <para>
+              A <literal>gatewayRole</literal> option has been added,
+              for deploying hadoop cluster configuration files to a node
+              that does not have any active services
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              Support for older versions of hadoop have been added to
+              the module
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              Overriding and extending site XML files has been made
+              easier
+            </para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+      <listitem>
+        <para>
           If you are using Wayland you can choose to use the Ozone
           Wayland support in Chrome and several Electron apps by setting
           the environment variable <literal>NIXOS_OZONE_WL=1</literal>
@@ -1192,6 +1391,14 @@
       </listitem>
       <listitem>
         <para>
+          The <literal>unifi</literal> package was switched from
+          <literal>unifi6</literal> to <literal>unifi7</literal>. Direct
+          downgrades from Unifi 7 to Unifi 6 are not possible and
+          require restoring from a backup made by Unifi 6.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           <literal>programs.zsh.autosuggestions.strategy</literal> now
           takes a list of strings instead of a string.
         </para>
@@ -1206,6 +1413,15 @@
       </listitem>
       <listitem>
         <para>
+          The <literal>services.unifi-video.openPorts</literal> option
+          default value of <literal>true</literal> is now deprecated and
+          will be changed to <literal>false</literal> in 22.11.
+          Configurations using this default will print a warning when
+          rebuilt.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           <literal>security.acme</literal> certificates will now
           correctly check for CA revokation before reaching their
           minimum age.
@@ -1267,10 +1483,10 @@
       </listitem>
       <listitem>
         <para>
-          A new option
-          <literal>boot.initrd.extraModprobeConfig</literal> has been
-          added which can be used to configure kernel modules that are
-          loaded in the initrd.
+          The options <literal>boot.extraModprobeConfig</literal> and
+          <literal>boot.blacklistedKernelModules</literal> now also take
+          effect in the initrd by copying the file
+          <literal>/etc/modprobe.d/nixos.conf</literal> into the initrd.
         </para>
       </listitem>
       <listitem>
@@ -1282,6 +1498,52 @@
       </listitem>
       <listitem>
         <para>
+          ORY Kratos was updated to version 0.8.3-alpha.1.pre.0, which
+          introduces some breaking changes:
+        </para>
+        <itemizedlist spacing="compact">
+          <listitem>
+            <para>
+              If you are relying on the SQLite images, update your
+              Docker Pull commands as follows:
+            </para>
+            <itemizedlist spacing="compact">
+              <listitem>
+                <para>
+                  <literal>docker pull oryd/kratos:{version}</literal>
+                </para>
+              </listitem>
+            </itemizedlist>
+          </listitem>
+          <listitem>
+            <para>
+              Additionally, all passwords now have to be at least 8
+              characters long.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              For more details, see:
+            </para>
+            <itemizedlist spacing="compact">
+              <listitem>
+                <para>
+                  <link xlink:href="https://github.com/ory/kratos/releases/tag/v0.8.1-alpha.1">Release
+                  Notes for v0.8.1-alpha-1</link>
+                </para>
+              </listitem>
+              <listitem>
+                <para>
+                  <link xlink:href="https://github.com/ory/kratos/releases/tag/v0.8.2-alpha.1">Release
+                  Notes for v0.8.2-alpha-1</link>
+                </para>
+              </listitem>
+            </itemizedlist>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+      <listitem>
+        <para>
           <literal>fetchFromSourcehut</literal> now allows fetching
           repositories recursively using <literal>fetchgit</literal> or
           <literal>fetchhg</literal> if the argument
@@ -1414,6 +1676,12 @@
       </listitem>
       <listitem>
         <para>
+          <literal>services.autorandr</literal> now allows for adding
+          hooks and profiles declaratively.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           The <literal>pomerium-cli</literal> command has been moved out
           of the <literal>pomerium</literal> package into the
           <literal>pomerium-cli</literal> package, following upstream’s
@@ -1450,6 +1718,52 @@
           desktop environments as needed.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          The <literal>hadoop</literal> package has added support for
+          <literal>aarch64-linux</literal> and
+          <literal>aarch64-darwin</literal> as of 3.3.1
+          (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/158613">#158613</link>).
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>R</literal> package now builds again on
+          <literal>aarch64-darwin</literal>
+          (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/158992">#158992</link>).
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>spark3</literal> package has been updated from
+          3.1.2 to 3.2.1
+          (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/160075">#160075</link>):
+        </para>
+        <itemizedlist spacing="compact">
+          <listitem>
+            <para>
+              Testing has been enabled for
+              <literal>aarch64-linux</literal> in addition to
+              <literal>x86_64-linux</literal>.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              The <literal>spark3</literal> package is now usable on
+              <literal>aarch64-darwin</literal> as a result of
+              <link xlink:href="https://github.com/NixOS/nixpkgs/pull/158613">#158613</link>
+              and
+              <link xlink:href="https://github.com/NixOS/nixpkgs/pull/158992">#158992</link>.
+            </para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>programs.nncp</literal> options were added for
+          generating host-global NNCP configuration.
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
 </section>
diff --git a/nixpkgs/nixos/doc/manual/man-nixos-rebuild.xml b/nixpkgs/nixos/doc/manual/man-nixos-rebuild.xml
index ab2a5d83a089..b2ca9f457a2b 100644
--- a/nixpkgs/nixos/doc/manual/man-nixos-rebuild.xml
+++ b/nixpkgs/nixos/doc/manual/man-nixos-rebuild.xml
@@ -92,6 +92,10 @@
    </arg>
 
    <arg>
+    <option>--no-flake</option>
+   </arg>
+
+   <arg>
     <option>--override-input</option> <replaceable>input-name</replaceable> <replaceable>flake-uri</replaceable>
    </arg>
 
@@ -594,6 +598,20 @@
     </listitem>
    </varlistentry>
 
+   <varlistentry>
+    <term>
+     <option>--no-flake</option>
+    </term>
+    <listitem>
+     <para>
+      Do not imply <option>--flake</option> if
+      <filename>/etc/nixos/flake.nix</filename> exists. With this
+      option, it is possible to build non-flake NixOS configurations
+      even if the current NixOS systems uses flakes.
+     </para>
+    </listitem>
+   </varlistentry>
+
   </variablelist>
 
   <para>
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2205.section.md b/nixpkgs/nixos/doc/manual/release-notes/rl-2205.section.md
index 2f730de737c0..7cafdcabbaaf 100644
--- a/nixpkgs/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -6,11 +6,17 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 ## Highlights {#sec-release-22.05-highlights}
 
+- The `firefox` browser on `x86_64-linux` is now making use of
+  profile-guided optimization resulting in a much more responsive
+  browsing experience.
+
 - `security.acme.defaults` has been added to simplify configuring
   settings for many certificates at once. This also opens up the
   the option to use DNS-01 validation when using `enableACME` on
   web server virtual hosts (e.g. `services.nginx.virtualHosts.*.enableACME`).
 
+- GNOME has been upgraded to 42. Please take a look at their [Release Notes](https://release.gnome.org/42/) for details. Notably, it replaces gedit with GNOME Text Editor, GNOME Terminal with GNOME Console (formerly King’s Cross), and GNOME Screenshot with a tool built into the Shell.
+
 - PHP 8.1 is now available
 
 - Mattermost has been updated to extended support release 6.3, as the previously packaged extended support release 5.37 is [reaching its end of life](https://docs.mattermost.com/upgrade/extended-support-release.html).
@@ -21,6 +27,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - [`kops`](https://kops.sigs.k8s.io) defaults to 1.22.4, which will enable [Instance Metadata Service Version 2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) and require tokens on new clusters with Kubernetes 1.22. This will increase security by default, but may break some types of workloads. See the [release notes](https://kops.sigs.k8s.io/releases/1.22-notes/) for details.
 
+- Module authors can use `mkRenamedOptionModuleWith` to automate the deprecation cycle without annoying out-of-tree module authors and their users.
+
 ## New Services {#sec-release-22.05-new-services}
 
 - [aesmd](https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw), the Intel SGX Architectural Enclave Service Manager. Available as [services.aesmd](#opt-services.aesmd.enable).
@@ -33,7 +41,7 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - [apfs](https://github.com/linux-apfs/linux-apfs-rw), a kernel module for mounting the Apple File System (APFS).
 
-- [FRRouting](https://frrouting.org/), a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VVRP and others). Available as [services.frr](#opt-services.frr.babel.enable)
+- [FRRouting](https://frrouting.org/), a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VRRP and others). Available as [services.frr](#opt-services.frr.babel.enable)
 
 - [heisenbridge](https://github.com/hifi/heisenbridge), a bouncer-style Matrix IRC bridge. Available as [services.heisenbridge](options.html#opt-services.heisenbridge.enable).
 
@@ -79,6 +87,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - [nbd](https://nbd.sourceforge.io/), a Network Block Device server. Available as [services.nbd](options.html#opt-services.nbd.server.enable).
 
+- [nix-ld](https://github.com/Mic92/nix-ld), Run unpatched dynamic binaries on NixOS. Available as [programs.nix-ld](options.html#opt-programs.nix-ld.enable).
+
 - [timetagger](https://timetagger.app), an open source time-tracker with an intuitive user experience and powerful reporting. [services.timetagger](options.html#opt-services.timetagger.enable).
 
 - [rstudio-server](https://www.rstudio.com/products/rstudio/#rstudio-server), a browser-based version of the RStudio IDE for the R programming language. Available as [services.rstudio-server](options.html#opt-services.rstudio-server.enable).
@@ -87,6 +97,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - [blocky](https://0xerr0r.github.io/blocky/), fast and lightweight DNS proxy as ad-blocker for local network with many features.
 
+- [pacemaker](https://clusterlabs.org/pacemaker/) cluster resource manager
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
 ## Backward Incompatibilities {#sec-release-22.05-incompatibilities}
@@ -151,11 +163,16 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - The `mailpile` email webclient (`services.mailpile`) has been removed due to its reliance on python2.
 
+- `services.ipfs.extraFlags` is now escaped with `utils.escapeSystemdExecArgs`. If you rely on systemd interpolating `extraFlags` in the service `ExecStart`, this will no longer work.
+
 - The `matrix-synapse` service (`services.matrix-synapse`) has been converted to use the `settings` option defined in RFC42.
   This means that options that are part of your `homeserver.yaml` configuration, and that were specified at the top-level of the
   module (`services.matrix-synapse`) now need to be moved into `services.matrix-synapse.settings`. And while not all options you
   may use are defined in there, they are still supported, because you can set arbitrary values in this freeform type.
 
+  The `listeners.*.bind_address` option was renamed to `bind_addresses` in order to match the upstream `homeserver.yaml` option
+  name. It is now also a list of strings instead of a string.
+
   An example to make the required migration clearer:
 
   Before:
@@ -213,7 +230,7 @@ In addition to numerous new and upgraded packages, this release has the followin
 
         listeners = [ {
           port = 8448;
-          bind_address = [
+          bind_addresses = [
             "::"
             "0.0.0.0"
           ];
@@ -238,10 +255,20 @@ In addition to numerous new and upgraded packages, this release has the followin
 
   The secrets in your original config should be migrated into a YAML file that is included via `extraConfigFiles`.
 
-  Additionally a few option defaults have been synced up with upstream default values, for example the `max_upload_size` grew from `10M` to `50M`.
+  Additionally a few option defaults have been synced up with upstream default values, for example the `max_upload_size` grew from `10M` to `50M`. For the same reason, the default
+  `media_store_path` was changed from `${dataDir}/media` to `${dataDir}/media_store` if `system.stateVersion` is at least `22.05`. Files will need to be manually moved to the new
+  location if the `stateVersion` is updated.
 
 - The MoinMoin wiki engine (`services.moinmoin`) has been removed, because Python 2 is being retired from nixpkgs.
 
+- Services in the `hadoop` module previously set `openFirewall` to true by default.
+  This has now been changed to false. Node definitions for multi-node clusters would need
+  `openFirewall = true;` to be added to to hadoop services when upgrading from NixOS 21.11.
+
+- `services.hadoop.yarn.nodemanager` now uses cgroup-based CPU limit enforcement by default.
+  Additionally, the option `useCGroups` was added to nodemanagers as an easy way to switch
+  back to the old behavior.
+
 - The `wafHook` hook now honors `NIX_BUILD_CORES` when `enableParallelBuilding` is not set explicitly. Packages can restore the old behaviour by setting `enableParallelBuilding=false`.
 
 - `pkgs.claws-mail-gtk2`, representing Claws Mail's older release version three, was removed in order to get rid of Python 2.
@@ -254,6 +281,10 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - The `gnome-passwordsafe` package updated to [version 6.x](https://gitlab.gnome.org/World/secrets/-/tags/6.0) and renamed to `gnome-secrets`.
 
+- `services.gnome.experimental-features.realtime-scheduling` option has been removed, as GNOME Shell now [uses rtkit](https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2060). Use `security.rtkit.enable = true;` instead. As before, you will need to have it enabled using GSettings.
+
+- `services.telepathy` will no longer be enabled by default for GNOME desktops, one should enable it in their configs if using Empathy or Polari.
+
 - If you previously used `/etc/docker/daemon.json`, you need to incorporate the changes into the new option `virtualisation.docker.daemon.settings`.
 
 - Ntopng (`services.ntopng`) is updated to 5.2.1 and uses a separate Redis instance if `system.stateVersion` is at least `22.05`. Existing setups shouldn't be affected.
@@ -294,6 +325,17 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - `pkgs.docbookrx` was removed since it's unmaintained
 
+- `pkgs._7zz` is now correctly licensed as LGPL3+ and BSD3 with optional unfree unRAR licensed code
+
+- The `vim.customize` function produced by `vimUtils.makeCustomizable` now has a slightly different interface:
+  * The wrapper now includes everything in the given Vim derivation if `name` is `"vim"` (the default). This makes the `wrapManual` argument obsolete, but this behavior can be overriden by setting the `standalone` argument.
+  * All the executables present in the given derivation (or, in `standalone` mode, only the `*vim` ones) are wrapped. This makes the `wrapGui` argument obsolete.
+  * The `vimExecutableName` and `gvimExecutableName` arguments were replaced by a single `executableName` argument in which the shell variable `$exe` can be used to refer to the wrapped executable's name.
+
+  See the comments in `pkgs/applications/editors/vim/plugins/vim-utils.nix` for more details.
+
+  `vimUtils.vimWithRC` was removed. You should instead use `customize` on a Vim derivation, which now accepts `vimrcFile` and `gvimrcFile` arguments.
+
 - `tilp2` was removed together with its module
 
 - The F-PROT antivirus (`fprot` package) and its service module were removed because it
@@ -303,10 +345,14 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - The options `networking.interfaces.<name>.ipv4.routes` and `networking.interfaces.<name>.ipv6.routes` are no longer ignored when using networkd instead of the default scripted network backend by setting `networking.useNetworkd` to `true`.
 
+- The `miller` package has been upgraded from 5.10.3 to [6.2.0](https://github.com/johnkerl/miller/releases/tag/v6.2.0). See [What's new in Miller 6](https://miller.readthedocs.io/en/latest/new-in-miller-6).
+
 - MultiMC has been replaced with the fork PolyMC due to upstream developers being hostile to 3rd party package maintainers. PolyMC removes all MultiMC branding and is aimed at providing proper 3rd party packages like the one contained in Nixpkgs. This change affects the data folder where game instances and other save and configuration files are stored. Users with existing installations should rename `~/.local/share/multimc` to `~/.local/share/polymc`. The main config file's path has also moved from `~/.local/share/multimc/multimc.cfg` to `~/.local/share/polymc/polymc.cfg`.
 
 - `systemd-nspawn@.service` settings have been reverted to the default systemd behaviour. User namespaces are now activated by default. If you want to keep running nspawn containers without user namespaces you need to set `systemd.nspawn.<name>.execConfig.PrivateUsers = false`
 
+- The Tor SOCKS proxy is now actually disabled if `services.tor.client.enable` is set to `false` (the default). If you are using this functionality but didn't change the setting or set it to `false`, you now need to set it to `true`.
+
 - The terraform 0.12 compatibility has been removed and the `terraform.withPlugins` and `terraform-providers.mkProvider` implementations simplified. Providers now need to be stored under
 `$out/libexec/terraform-providers/<registry>/<owner>/<name>/<version>/<os>_<arch>/terraform-provider-<name>_v<version>` (which mkProvider does).
 
@@ -429,11 +475,16 @@ In addition to numerous new and upgraded packages, this release has the followin
   Similarly [virtualisation.vmVariantWithBootloader](#opt-virtualisation.vmVariantWithBootLoader) was added.
 
 - The configuration portion of the `nix-daemon` module has been reworked and exposed as [nix.settings](options.html#opt-nix-settings):
-  * Legacy options have been mapped to the corresponding options under under [nix.settings](options.html#opt-nix.settings) but may be deprecated in the future.
+  * Legacy options have been mapped to the corresponding options under under [nix.settings](options.html#opt-nix.settings) and will be deprecated when NixOS 21.11 reaches end of life.
   * [nix.buildMachines.publicHostKey](options.html#opt-nix.buildMachines.publicHostKey) has been added.
 
 - The `writers.writePyPy2`/`writers.writePyPy3` and corresponding `writers.writePyPy2Bin`/`writers.writePyPy3Bin` convenience functions to create executable Python 2/3 scripts using the PyPy interpreter were added.
 
+- Some improvements have been made to the `hadoop` module:
+  - A `gatewayRole` option has been added, for deploying hadoop cluster configuration files to a node that does not have any active services
+  - Support for older versions of hadoop have been added to the module
+  - Overriding and extending site XML files has been made easier
+
 - If you are using Wayland you can choose to use the Ozone Wayland support
   in Chrome and several Electron apps by setting the environment variable
   `NIXOS_OZONE_WL=1` (for example via
@@ -447,11 +498,17 @@ In addition to numerous new and upgraded packages, this release has the followin
   combined `influxdb2` package is still provided in this release for
   backwards compatibilty, but will be removed at a later date.
 
+- The `unifi` package was switched from `unifi6` to `unifi7`.
+  Direct downgrades from Unifi 7 to Unifi 6 are not possible and require restoring from a backup made by Unifi 6.
+
 - `programs.zsh.autosuggestions.strategy` now takes a list of strings instead of a string.
 
 - The `services.unifi.openPorts` option default value of `true` is now deprecated and will be changed to `false` in 22.11.
   Configurations using this default will print a warning when rebuilt.
 
+- The `services.unifi-video.openPorts` option default value of `true` is now deprecated and will be changed to `false` in 22.11.
+  Configurations using this default will print a warning when rebuilt.
+
 - `security.acme` certificates will now correctly check for CA
   revokation before reaching their minimum age.
 
@@ -476,10 +533,18 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - The option `services.duplicati.dataDir` has been added to allow changing the location of duplicati's files.
 
-- A new option `boot.initrd.extraModprobeConfig` has been added which can be used to configure kernel modules that are loaded in the initrd.
+- The options `boot.extraModprobeConfig` and `boot.blacklistedKernelModules` now also take effect in the initrd by copying the file `/etc/modprobe.d/nixos.conf` into the initrd.
 
 - `nixos-generate-config` now puts the dhcp configuration in `hardware-configuration.nix` instead of `configuration.nix`.
 
+- ORY Kratos was updated to version 0.8.3-alpha.1.pre.0, which introduces some breaking changes:
+  - If you are relying on the SQLite images, update your Docker Pull commands as follows:
+    - `docker pull oryd/kratos:{version}`
+  - Additionally, all passwords now have to be at least 8 characters long.
+  - For more details, see:
+    - [Release Notes for v0.8.1-alpha-1](https://github.com/ory/kratos/releases/tag/v0.8.1-alpha.1)
+    - [Release Notes for v0.8.2-alpha-1](https://github.com/ory/kratos/releases/tag/v0.8.2-alpha.1)
+
 - `fetchFromSourcehut` now allows fetching repositories recursively
   using `fetchgit` or `fetchhg` if the argument `fetchSubmodules`
   is set to `true`.
@@ -520,6 +585,8 @@ In addition to numerous new and upgraded packages, this release has the followin
   Reason is that the old name has been deprecated upstream.
   Using the old option name will still work, but produce a warning.
 
+- `services.autorandr` now allows for adding hooks and profiles declaratively.
+
 - The `pomerium-cli` command has been moved out of the `pomerium` package into
   the `pomerium-cli` package, following upstream's repository split. If you are
   using the `pomerium-cli` command, you should now install the `pomerium-cli`
@@ -535,4 +602,15 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - The polkit service, available at `security.polkit.enable`, is now disabled by default. It will automatically be enabled through services and desktop environments as needed.
 
+- The `hadoop` package has added support for `aarch64-linux` and `aarch64-darwin` as of 3.3.1 ([#158613](https://github.com/NixOS/nixpkgs/pull/158613)).
+
+- The `R` package now builds again on `aarch64-darwin` ([#158992](https://github.com/NixOS/nixpkgs/pull/158992)).
+
+- The `spark3` package has been updated from 3.1.2 to 3.2.1 ([#160075](https://github.com/NixOS/nixpkgs/pull/160075)):
+
+  - Testing has been enabled for `aarch64-linux` in addition to `x86_64-linux`.
+  - The `spark3` package is now usable on `aarch64-darwin` as a result of [#158613](https://github.com/NixOS/nixpkgs/pull/158613) and [#158992](https://github.com/NixOS/nixpkgs/pull/158992).
+
+- The `programs.nncp` options were added for generating host-global NNCP configuration.
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
diff --git a/nixpkgs/nixos/lib/make-options-doc/mergeJSON.py b/nixpkgs/nixos/lib/make-options-doc/mergeJSON.py
index 029787a31586..8e2ea322dc89 100644
--- a/nixpkgs/nixos/lib/make-options-doc/mergeJSON.py
+++ b/nixpkgs/nixos/lib/make-options-doc/mergeJSON.py
@@ -66,14 +66,21 @@ for (k, v) in overrides.items():
         elif ov is not None or cur.get(ok, None) is None:
             cur[ok] = ov
 
+severity = "error" if warningsAreErrors else "warning"
+
 # check that every option has a description
 hasWarnings = False
 for (k, v) in options.items():
     if v.value.get('description', None) is None:
-        severity = "error" if warningsAreErrors else "warning"
         hasWarnings = True
         print(f"\x1b[1;31m{severity}: option {v.name} has no description\x1b[0m", file=sys.stderr)
         v.value['description'] = "This option has no description."
+    if v.value.get('type', "unspecified") == "unspecified":
+        hasWarnings = True
+        print(
+            f"\x1b[1;31m{severity}: option {v.name} has no type. Please specify a valid type, see " +
+            "https://nixos.org/manual/nixos/stable/index.html#sec-option-types\x1b[0m", file=sys.stderr)
+
 if hasWarnings and warningsAreErrors:
     print(
         "\x1b[1;31m" +
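Review bot: The new type check repeats the `hasWarnings = True` plus coloured `print(..., file=sys.stderr)` pattern of the description check directly above it, so the escape sequences and the stderr target now live in two places; a small helper such as `def warn(msg: str) -> None:` that sets the flag and prints `f"\x1b[1;31m{severity}: {msg}\x1b[0m"` would keep both checks to one line each. The sentinel comparison `v.value.get('type', "unspecified") == "unspecified"` presumably relies on the options JSON rendering an untyped option's `type` as the literal string `unspecified`; a short comment naming that contract would help the next reader. The `if hasWarnings and warningsAreErrors:` block continues past the end of the hunk.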
diff --git a/nixpkgs/nixos/lib/systemd-lib.nix b/nixpkgs/nixos/lib/systemd-lib.nix
index ab166d7327ce..37900b0b16f6 100644
--- a/nixpkgs/nixos/lib/systemd-lib.nix
+++ b/nixpkgs/nixos/lib/systemd-lib.nix
@@ -5,6 +5,7 @@ with lib;
 let
   cfg = config.systemd;
   lndir = "${pkgs.buildPackages.xorg.lndir}/bin/lndir";
+  systemd = cfg.package;
 in rec {
 
   shellEscape = s: (replaceChars [ "\\" ] [ "\\\\" ] s);
@@ -22,8 +23,9 @@ in rec {
           inherit (unit) text;
         }
         ''
-          mkdir -p $out
-          echo -n "$text" > $out/${shellEscape name}
+          name=${shellEscape name}
+          mkdir -p "$out/$(dirname "$name")"
+          echo -n "$text" > "$out/$name"
         ''
     else
       pkgs.runCommand "unit-${mkPathSafeName name}-disabled"
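Review bot: `shellEscape`, defined at the top of this file, only doubles backslashes, so the new `name=${shellEscape name}` assignment still lets whitespace, quotes or `$` in a unit name be word-split or expanded by the shell, even though the `mkdir`/redirect lines that follow quote `$name` correctly; `name=${escapeShellArg name}` (from `lib`, already opened with `with lib;`) would quote the whole value. The same pattern appears in the next hunk for the disabled-unit branch that symlinks `/dev/null`. Systemd unit names are restricted in practice and the old code had the same exposure, so this is hardening rather than a regression. The enclosing function starts before this hunk and ends after it.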
@@ -31,8 +33,9 @@ in rec {
           allowSubstitutes = false;
         }
         ''
-          mkdir -p $out
-          ln -s /dev/null $out/${shellEscape name}
+          name=${shellEscape name}
+          mkdir -p "$out/$(dirname "$name")"
+          ln -s /dev/null "$out/$name"
         '';
 
   boolValues = [true false "yes" "no"];
@@ -235,4 +238,205 @@ in rec {
       ''}
     ''; # */
 
+  makeJobScript = name: text:
+    let
+      scriptName = replaceChars [ "\\" "@" ] [ "-" "_" ] (shellEscape name);
+      out = (pkgs.writeShellScriptBin scriptName ''
+        set -e
+        ${text}
+      '').overrideAttrs (_: {
+        # The derivation name is different from the script file name
+        # to keep the script file name short to avoid cluttering logs.
+        name = "unit-script-${scriptName}";
+      });
+    in "${out}/bin/${scriptName}";
+
+  unitConfig = { config, options, ... }: {
+    config = {
+      unitConfig =
+        optionalAttrs (config.requires != [])
+          { Requires = toString config.requires; }
+        // optionalAttrs (config.wants != [])
+          { Wants = toString config.wants; }
+        // optionalAttrs (config.after != [])
+          { After = toString config.after; }
+        // optionalAttrs (config.before != [])
+          { Before = toString config.before; }
+        // optionalAttrs (config.bindsTo != [])
+          { BindsTo = toString config.bindsTo; }
+        // optionalAttrs (config.partOf != [])
+          { PartOf = toString config.partOf; }
+        // optionalAttrs (config.conflicts != [])
+          { Conflicts = toString config.conflicts; }
+        // optionalAttrs (config.requisite != [])
+          { Requisite = toString config.requisite; }
+        // optionalAttrs (config.restartTriggers != [])
+          { X-Restart-Triggers = toString config.restartTriggers; }
+        // optionalAttrs (config.reloadTriggers != [])
+          { X-Reload-Triggers = toString config.reloadTriggers; }
+        // optionalAttrs (config.description != "") {
+          Description = config.description; }
+        // optionalAttrs (config.documentation != []) {
+          Documentation = toString config.documentation; }
+        // optionalAttrs (config.onFailure != []) {
+          OnFailure = toString config.onFailure; }
+        // optionalAttrs (options.startLimitIntervalSec.isDefined) {
+          StartLimitIntervalSec = toString config.startLimitIntervalSec;
+        } // optionalAttrs (options.startLimitBurst.isDefined) {
+          StartLimitBurst = toString config.startLimitBurst;
+        };
+    };
+  };
+
+  serviceConfig = { name, config, ... }: {
+    config = mkMerge
+      [ { # Default path for systemd services.  Should be quite minimal.
+          path = mkAfter
+            [ pkgs.coreutils
+              pkgs.findutils
+              pkgs.gnugrep
+              pkgs.gnused
+              systemd
+            ];
+          environment.PATH = "${makeBinPath config.path}:${makeSearchPathOutput "bin" "sbin" config.path}";
+        }
+        (mkIf (config.preStart != "")
+          { serviceConfig.ExecStartPre =
+              [ (makeJobScript "${name}-pre-start" config.preStart) ];
+          })
+        (mkIf (config.script != "")
+          { serviceConfig.ExecStart =
+              makeJobScript "${name}-start" config.script + " " + config.scriptArgs;
+          })
+        (mkIf (config.postStart != "")
+          { serviceConfig.ExecStartPost =
+              [ (makeJobScript "${name}-post-start" config.postStart) ];
+          })
+        (mkIf (config.reload != "")
+          { serviceConfig.ExecReload =
+              makeJobScript "${name}-reload" config.reload;
+          })
+        (mkIf (config.preStop != "")
+          { serviceConfig.ExecStop =
+              makeJobScript "${name}-pre-stop" config.preStop;
+          })
+        (mkIf (config.postStop != "")
+          { serviceConfig.ExecStopPost =
+              makeJobScript "${name}-post-stop" config.postStop;
+          })
+      ];
+  };
+
+  mountConfig = { config, ... }: {
+    config = {
+      mountConfig =
+        { What = config.what;
+          Where = config.where;
+        } // optionalAttrs (config.type != "") {
+          Type = config.type;
+        } // optionalAttrs (config.options != "") {
+          Options = config.options;
+        };
+    };
+  };
+
+  automountConfig = { config, ... }: {
+    config = {
+      automountConfig =
+        { Where = config.where;
+        };
+    };
+  };
+
+  commonUnitText = def: ''
+      [Unit]
+      ${attrsToSection def.unitConfig}
+    '';
+
+  targetToUnit = name: def:
+    { inherit (def) aliases wantedBy requiredBy enable;
+      text =
+        ''
+          [Unit]
+          ${attrsToSection def.unitConfig}
+        '';
+    };
+
+  serviceToUnit = name: def:
+    { inherit (def) aliases wantedBy requiredBy enable;
+      text = commonUnitText def +
+        ''
+          [Service]
+          ${let env = cfg.globalEnvironment // def.environment;
+            in concatMapStrings (n:
+              let s = optionalString (env.${n} != null)
+                "Environment=${builtins.toJSON "${n}=${env.${n}}"}\n";
+              # systemd max line length is now 1MiB
+              # https://github.com/systemd/systemd/commit/e6dde451a51dc5aaa7f4d98d39b8fe735f73d2af
+              in if stringLength s >= 1048576 then throw "The value of the environment variable ‘${n}’ in systemd service ‘${name}.service’ is too long." else s) (attrNames env)}
+          ${if def.reloadIfChanged then ''
+            X-ReloadIfChanged=true
+          '' else if !def.restartIfChanged then ''
+            X-RestartIfChanged=false
+          '' else ""}
+          ${optionalString (!def.stopIfChanged) "X-StopIfChanged=false"}
+          ${attrsToSection def.serviceConfig}
+        '';
+    };
+
+  socketToUnit = name: def:
+    { inherit (def) aliases wantedBy requiredBy enable;
+      text = commonUnitText def +
+        ''
+          [Socket]
+          ${attrsToSection def.socketConfig}
+          ${concatStringsSep "\n" (map (s: "ListenStream=${s}") def.listenStreams)}
+          ${concatStringsSep "\n" (map (s: "ListenDatagram=${s}") def.listenDatagrams)}
+        '';
+    };
+
+  timerToUnit = name: def:
+    { inherit (def) aliases wantedBy requiredBy enable;
+      text = commonUnitText def +
+        ''
+          [Timer]
+          ${attrsToSection def.timerConfig}
+        '';
+    };
+
+  pathToUnit = name: def:
+    { inherit (def) aliases wantedBy requiredBy enable;
+      text = commonUnitText def +
+        ''
+          [Path]
+          ${attrsToSection def.pathConfig}
+        '';
+    };
+
+  mountToUnit = name: def:
+    { inherit (def) aliases wantedBy requiredBy enable;
+      text = commonUnitText def +
+        ''
+          [Mount]
+          ${attrsToSection def.mountConfig}
+        '';
+    };
+
+  automountToUnit = name: def:
+    { inherit (def) aliases wantedBy requiredBy enable;
+      text = commonUnitText def +
+        ''
+          [Automount]
+          ${attrsToSection def.automountConfig}
+        '';
+    };
+
+  sliceToUnit = name: def:
+    { inherit (def) aliases wantedBy requiredBy enable;
+      text = commonUnitText def +
+        ''
+          [Slice]
+          ${attrsToSection def.sliceConfig}
+        '';
+    };
 }
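Review bot: `targetToUnit` writes the `[Unit]` section inline while `serviceToUnit`, `socketToUnit`, `timerToUnit`, `pathToUnit`, `mountToUnit`, `automountToUnit` and `sliceToUnit` all go through `commonUnitText def`; its body can be reduced to `text = commonUnitText def;` so that a later change to the common header also applies to target units. In `serviceConfig`, `ExecStart` is built by appending `config.scriptArgs` with a bare `" " +`, which looks intentional but deserves a comment such as `# scriptArgs is appended verbatim; callers supply shell-ready arguments` since, unlike the job script path, nothing escapes it here. Whether systemd applies its own quoting rules to that line cannot be confirmed from this hunk.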
diff --git a/nixpkgs/nixos/lib/test-driver/test_driver/driver.py b/nixpkgs/nixos/lib/test-driver/test_driver/driver.py
index 880b1c5fdec0..0e5f013193fe 100644
--- a/nixpkgs/nixos/lib/test-driver/test_driver/driver.py
+++ b/nixpkgs/nixos/lib/test-driver/test_driver/driver.py
@@ -55,6 +55,7 @@ class Driver:
         tmp_dir = get_tmp_dir()
 
         with rootlog.nested("start all VLans"):
+            vlans = list(set(vlans))
             self.vlans = [VLan(nr, tmp_dir) for nr in vlans]
 
         def cmd(scripts: List[str]) -> Iterator[NixStartScript]:
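Review bot: `vlans = list(set(vlans))` removes duplicates but also discards the caller's ordering, so `self.vlans` is built in hash order rather than declaration order; `vlans = list(dict.fromkeys(vlans))` deduplicates while preserving first-occurrence order and costs nothing extra. Whether position in `self.vlans` is significant for `VLan(nr, tmp_dir)` or its consumers is not visible in this hunk, so this is a precaution rather than a confirmed defect. The enclosing constructor starts before the hunk.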
diff --git a/nixpkgs/nixos/lib/test-driver/test_driver/machine.py b/nixpkgs/nixos/lib/test-driver/test_driver/machine.py
index 569a0f3c61e4..f3e615fe5bf9 100644
--- a/nixpkgs/nixos/lib/test-driver/test_driver/machine.py
+++ b/nixpkgs/nixos/lib/test-driver/test_driver/machine.py
@@ -198,7 +198,7 @@ class StartCommand:
     ) -> subprocess.Popen:
         return subprocess.Popen(
             self.cmd(monitor_socket_path, shell_socket_path),
-            stdin=subprocess.DEVNULL,
+            stdin=subprocess.PIPE,
             stdout=subprocess.PIPE,
             stderr=subprocess.STDOUT,
             shell=True,
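Review bot: Switching `stdin` from `subprocess.DEVNULL` to `subprocess.PIPE` means the driver now holds an open write end for every VM process, including runs that never use the interactive console; with `DEVNULL` the child saw EOF immediately, with an unclosed pipe it sees an idle stdin until the driver exits. If the shutdown path (outside this hunk) does not already close `self.process.stdin`, closing it there, or only opening a pipe when interaction is requested, would restore the previous lifecycle. Whether the QEMU command line reads stdin at all cannot be told from here. `start` continues outside the hunk.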
@@ -558,6 +558,28 @@ class Machine:
             pass_fds=[self.shell.fileno()],
         )
 
+    def console_interact(self) -> None:
+        """Allows you to interact with QEMU's stdin
+
+        The shell can be exited with Ctrl+D. Note that Ctrl+C is not allowed to be used.
+        QEMU's stdout is read line-wise.
+
+        Should only be used during test development, not in the production test."""
+        self.log("Terminal is ready (there is no prompt):")
+
+        assert self.process
+        assert self.process.stdin
+
+        while True:
+            try:
+                char = sys.stdin.buffer.read(1)
+            except KeyboardInterrupt:
+                break
+            if char == b"":  # ctrl+d
+                self.log("Closing connection to the console")
+                break
+            self.send_console(char.decode())
+
     def succeed(self, *commands: str, timeout: Optional[int] = None) -> str:
         """Execute each command and check that it succeeds."""
         output = ""
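Review bot: `console_interact` reads one byte at a time and then calls `char.decode()`, so any non-ASCII keystroke (a multi-byte UTF-8 sequence split across reads) raises `UnicodeDecodeError` and aborts the session; decoding with `errors="surrogateescape"` here and encoding with the same option in `send_console` (next hunk), or giving `send_console` a bytes path, would pass such input through unchanged. The docstring's sentence "Ctrl+C is not allowed to be used" also sits oddly next to `except KeyboardInterrupt: break`, which handles it by ending the session; rewording it to say that Ctrl+C leaves the console instead of being forwarded to the VM would match the code. `succeed` continues past the end of the hunk.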
@@ -834,6 +856,12 @@ class Machine:
         self.send_monitor_command("sendkey {}".format(key))
         time.sleep(0.01)
 
+    def send_console(self, chars: str) -> None:
+        assert self.process
+        assert self.process.stdin
+        self.process.stdin.write(chars.encode())
+        self.process.stdin.flush()
+
     def start(self) -> None:
         if self.booted:
             return
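Review bot: `send_console` has no docstring, unlike the neighbouring methods. Suggested: `"""Write chars to QEMU's stdin (the guest console) and flush, so they are delivered immediately."""`. If the VM has already exited, `self.process.stdin.write` will presumably raise `BrokenPipeError`; a note in the docstring that the machine must be running (the asserts only cover the attributes being set) would help callers.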
diff --git a/nixpkgs/nixos/lib/testing-python.nix b/nixpkgs/nixos/lib/testing-python.nix
index 0d3c3a89e783..facc7a253a75 100644
--- a/nixpkgs/nixos/lib/testing-python.nix
+++ b/nixpkgs/nixos/lib/testing-python.nix
@@ -146,26 +146,28 @@ rec {
 
   # Make a full-blown test
   makeTest =
-    { testScript
+    { machine ? null
+    , nodes ? {}
+    , testScript
     , enableOCR ? false
     , name ? "unnamed"
       # Skip linting (mainly intended for faster dev cycles)
     , skipLint ? false
     , passthru ? {}
+    , meta ? {}
     , # For meta.position
       pos ? # position used in error messages and for meta.position
-        (if t.meta.description or null != null
-          then builtins.unsafeGetAttrPos "description" t.meta
+        (if meta.description or null != null
+          then builtins.unsafeGetAttrPos "description" meta
           else builtins.unsafeGetAttrPos "testScript" t)
-    , ...
     } @ t:
     let
-      nodes = qemu_pkg:
+      mkNodes = qemu_pkg:
         let
           testScript' =
             # Call the test script with the computed nodes.
             if lib.isFunction testScript
-            then testScript { nodes = nodes qemu_pkg; }
+            then testScript { nodes = mkNodes qemu_pkg; }
             else testScript;
 
           build-vms = import ./build-vms.nix {
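Review bot: Dropping `, ...` from the `makeTest` argument pattern turns any attribute not listed (a typo like `testScripts`, or an attribute a downstream test set relies on) into an evaluation error; this is a behaviour change worth a comment next to the closing `} @ t:`, e.g. `# no \`...\`: unknown attributes are rejected so misspelled test attributes fail at evaluation time`. The default for `pos` still refers to `t`, which is fine because the `@ t` binding is kept.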
@@ -205,33 +207,29 @@ rec {
           };
         in
           build-vms.buildVirtualNetwork (
-              t.nodes or (if t ? machine then { machine = t.machine; } else { })
+              nodes // lib.optionalAttrs (machine != null) { inherit machine; }
           );
 
       driver = setupDriverForTest {
         inherit testScript enableOCR skipLint passthru;
         testName = name;
         qemu_pkg = pkgs.qemu_test;
-        nodes = nodes pkgs.qemu_test;
+        nodes = mkNodes pkgs.qemu_test;
       };
       driverInteractive = setupDriverForTest {
         inherit testScript enableOCR skipLint passthru;
         testName = name;
         qemu_pkg = pkgs.qemu;
-        nodes = nodes pkgs.qemu;
+        nodes = mkNodes pkgs.qemu;
         interactive = true;
       };
 
-      test =
-        let
-          passMeta = drv: drv // lib.optionalAttrs (t ? meta) {
-            meta = (drv.meta or { }) // t.meta;
-          };
-        in passMeta (runTests { inherit driver pos driverInteractive; });
+      test = lib.addMetaAttrs meta (runTests { inherit driver pos driverInteractive; });
 
     in
       test // {
-        inherit test driver driverInteractive nodes;
+        inherit test driver driverInteractive;
+        inherit (driver) nodes;
       };
 
   abortForFunction = functionName: abort ''The ${functionName} function was
diff --git a/nixpkgs/nixos/modules/config/resolvconf.nix b/nixpkgs/nixos/modules/config/resolvconf.nix
index cd0ed491383c..4499481811fd 100644
--- a/nixpkgs/nixos/modules/config/resolvconf.nix
+++ b/nixpkgs/nixos/modules/config/resolvconf.nix
@@ -47,8 +47,8 @@ in
 
       enable = mkOption {
         type = types.bool;
-        default = false;
-        internal = true;
+        default = !(config.environment.etc ? "resolv.conf");
+        defaultText = literalExpression ''!(config.environment.etc ? "resolv.conf")'';
         description = ''
           DNS configuration is managed by resolvconf.
         '';
@@ -110,8 +110,6 @@ in
 
   config = mkMerge [
     {
-      networking.resolvconf.enable = !(config.environment.etc ? "resolv.conf");
-
       environment.etc."resolvconf.conf".text =
         if !cfg.enable then
           # Force-stop any attempts to use resolvconf
diff --git a/nixpkgs/nixos/modules/hardware/video/nvidia.nix b/nixpkgs/nixos/modules/hardware/video/nvidia.nix
index a81220a92a1b..6de5b99a1ee6 100644
--- a/nixpkgs/nixos/modules/hardware/video/nvidia.nix
+++ b/nixpkgs/nixos/modules/hardware/video/nvidia.nix
@@ -244,7 +244,7 @@ in
       modules = optional (igpuDriver == "amdgpu") [ pkgs.xorg.xf86videoamdgpu ];
       deviceSection = ''
         BusID "${igpuBusId}"
-        ${optionalString syncCfg.enable ''Option "AccelMethod" "none"''}
+        ${optionalString (syncCfg.enable && igpuDriver != "amdgpu") ''Option "AccelMethod" "none"''}
       '';
     } ++ singleton {
       name = "nvidia";
@@ -269,9 +269,15 @@ in
       Option "AllowNVIDIAGPUScreens"
     '';
 
-    services.xserver.displayManager.setupCommands = optionalString syncCfg.enable ''
+    services.xserver.displayManager.setupCommands = let
+      sinkGpuProviderName = if igpuDriver == "amdgpu" then
+        # find the name of the provider if amdgpu
+        "`${pkgs.xorg.xrandr}/bin/xrandr --listproviders | ${pkgs.gnugrep}/bin/grep -i AMD | ${pkgs.gnused}/bin/sed -n 's/^.*name://p'`"
+      else
+        igpuDriver;
+    in optionalString syncCfg.enable ''
       # Added by nvidia configuration module for Optimus/PRIME.
-      ${pkgs.xorg.xrandr}/bin/xrandr --setprovideroutputsource ${igpuDriver} NVIDIA-0
+      ${pkgs.xorg.xrandr}/bin/xrandr --setprovideroutputsource "${sinkGpuProviderName}" NVIDIA-0
       ${pkgs.xorg.xrandr}/bin/xrandr --auto
     '';
 
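Review bot: The `sinkGpuProviderName` substitution (`xrandr --listproviders | grep -i AMD | sed -n 's/^.*name://p'`) can yield zero or several names: with no match `xrandr --setprovideroutputsource "" NVIDIA-0` runs with an empty provider, and with several AMD providers the argument becomes multi-line. Bounding the match with `grep -i -m1 AMD` and guarding the xrandr call with `[ -n "$provider" ]` (assigning the substitution to a shell variable first) would make the failure mode explicit. A short comment that the fallback value is the driver name itself would also help, since `igpuDriver` is used as the provider name in the `else` branch.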
@@ -283,14 +289,14 @@ in
     environment.etc."egl/egl_external_platform.d".source =
       "/run/opengl-driver/share/egl/egl_external_platform.d/";
 
-    hardware.opengl.package = mkIf (!offloadCfg.enable) nvidia_x11.out;
-    hardware.opengl.package32 = mkIf (!offloadCfg.enable) nvidia_x11.lib32;
     hardware.opengl.extraPackages = [
+      nvidia_x11.out
       pkgs.nvidia-vaapi-driver
-    ] ++ optional offloadCfg.enable nvidia_x11.out;
+    ];
     hardware.opengl.extraPackages32 = [
+      nvidia_x11.lib32
       pkgs.pkgsi686Linux.nvidia-vaapi-driver
-    ] ++ optional offloadCfg.enable nvidia_x11.lib32;
+    ];
 
     environment.systemPackages = [ nvidia_x11.bin ]
       ++ optionals cfg.nvidiaSettings [ nvidia_x11.settings ]
diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix b/nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix
index 3ff1b3d670e9..860e240b43d4 100644
--- a/nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix
+++ b/nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix
@@ -91,29 +91,9 @@ let
     SERIAL 0 115200
     TIMEOUT ${builtins.toString syslinuxTimeout}
     UI vesamenu.c32
-    MENU TITLE NixOS
     MENU BACKGROUND /isolinux/background.png
-    MENU RESOLUTION 800 600
-    MENU CLEAR
-    MENU ROWS 6
-    MENU CMDLINEROW -4
-    MENU TIMEOUTROW -3
-    MENU TABMSGROW  -2
-    MENU HELPMSGROW -1
-    MENU HELPMSGENDROW -1
-    MENU MARGIN 0
-
-    #                                FG:AARRGGBB  BG:AARRGGBB   shadow
-    MENU COLOR BORDER       30;44      #00000000    #00000000   none
-    MENU COLOR SCREEN       37;40      #FF000000    #00E2E8FF   none
-    MENU COLOR TABMSG       31;40      #80000000    #00000000   none
-    MENU COLOR TIMEOUT      1;37;40    #FF000000    #00000000   none
-    MENU COLOR TIMEOUT_MSG  37;40      #FF000000    #00000000   none
-    MENU COLOR CMDMARK      1;36;40    #FF000000    #00000000   none
-    MENU COLOR CMDLINE      37;40      #FF000000    #00000000   none
-    MENU COLOR TITLE        1;36;44    #00000000    #00000000   none
-    MENU COLOR UNSEL        37;44      #FF000000    #00000000   none
-    MENU COLOR SEL          7;37;40    #FFFFFFFF    #FF5277C3   std
+
+    ${config.isoImage.syslinuxTheme}
 
     DEFAULT boot
 
@@ -601,6 +581,37 @@ in
       '';
     };
 
+    isoImage.syslinuxTheme = mkOption {
+      default = ''
+        MENU TITLE NixOS
+        MENU RESOLUTION 800 600
+        MENU CLEAR
+        MENU ROWS 6
+        MENU CMDLINEROW -4
+        MENU TIMEOUTROW -3
+        MENU TABMSGROW  -2
+        MENU HELPMSGROW -1
+        MENU HELPMSGENDROW -1
+        MENU MARGIN 0
+
+        #                                FG:AARRGGBB  BG:AARRGGBB   shadow
+        MENU COLOR BORDER       30;44      #00000000    #00000000   none
+        MENU COLOR SCREEN       37;40      #FF000000    #00E2E8FF   none
+        MENU COLOR TABMSG       31;40      #80000000    #00000000   none
+        MENU COLOR TIMEOUT      1;37;40    #FF000000    #00000000   none
+        MENU COLOR TIMEOUT_MSG  37;40      #FF000000    #00000000   none
+        MENU COLOR CMDMARK      1;36;40    #FF000000    #00000000   none
+        MENU COLOR CMDLINE      37;40      #FF000000    #00000000   none
+        MENU COLOR TITLE        1;36;44    #00000000    #00000000   none
+        MENU COLOR UNSEL        37;44      #FF000000    #00000000   none
+        MENU COLOR SEL          7;37;40    #FFFFFFFF    #FF5277C3   std
+      '';
+      type = types.str;
+      description = ''
+        The syslinux theme used for BIOS boot.
+      '';
+    };
+
     isoImage.appendToMenuLabel = mkOption {
       default = " Installer";
       example = " Live System";
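Review bot: The description of `isoImage.syslinuxTheme` does not say that the value is inserted verbatim into the isolinux configuration (see the `${config.isoImage.syslinuxTheme}` interpolation in the previous hunk), which is what a user overriding it needs to know. Suggested: `The syslinux theme (MENU directives) for the BIOS boot menu. The text is inserted verbatim into isolinux.cfg after the UI line.`. An `example` showing a minimal override (for instance just `MENU TITLE`) would make it clear that the whole default block is replaced, not merged.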
diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-enter.sh b/nixpkgs/nixos/modules/installer/tools/nixos-enter.sh
index 115b3d7a7c5e..89beeee7cf9e 100644
--- a/nixpkgs/nixos/modules/installer/tools/nixos-enter.sh
+++ b/nixpkgs/nixos/modules/installer/tools/nixos-enter.sh
@@ -63,32 +63,32 @@ mount --rbind /sys "$mountPoint/sys"
 
 # modified from https://github.com/archlinux/arch-install-scripts/blob/bb04ab435a5a89cd5e5ee821783477bc80db797f/arch-chroot.in#L26-L52
 chroot_add_resolv_conf() {
-    local chrootdir=$1 resolv_conf=$1/etc/resolv.conf
+    local chrootDir="$1" resolvConf="$1/etc/resolv.conf"
 
     [[ -e /etc/resolv.conf ]] || return 0
 
     # Handle resolv.conf as a symlink to somewhere else.
-    if [[ -L $chrootdir/etc/resolv.conf ]]; then
+    if [[ -L "$resolvConf" ]]; then
       # readlink(1) should always give us *something* since we know at this point
       # it's a symlink. For simplicity, ignore the case of nested symlinks.
-      # We also ignore the possibility if `../`s escaping the root.
-      resolv_conf=$(readlink "$chrootdir/etc/resolv.conf")
-      if [[ $resolv_conf = /* ]]; then
-        resolv_conf=$chrootdir$resolv_conf
+      # We also ignore the possibility of `../`s escaping the root.
+      resolvConf="$(readlink "$resolvConf")"
+      if [[ "$resolvConf" = /* ]]; then
+        resolvConf="$chrootDir$resolvConf"
       else
-        resolv_conf=$chrootdir/etc/$resolv_conf
+        resolvConf="$chrootDir/etc/$resolvConf"
       fi
     fi
 
     # ensure file exists to bind mount over
-    if [[ ! -f $resolv_conf ]]; then
-      install -Dm644 /dev/null "$resolv_conf" || return 1
+    if [[ ! -f "$resolvConf" ]]; then
+      install -Dm644 /dev/null "$resolvConf" || return 1
     fi
 
-    mount --bind /etc/resolv.conf "$resolv_conf"
+    mount --bind /etc/resolv.conf "$resolvConf"
 }
 
-chroot_add_resolv_conf "$mountPoint" || print "ERROR: failed to set up resolv.conf"
+chroot_add_resolv_conf "$mountPoint" || echo "$0: failed to set up resolv.conf" >&2
 
 (
     # If silent, write both stdout and stderr of activation script to /dev/null
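Review bot: The comment kept at `# We also ignore the possibility of \`../\`s escaping the root.` acknowledges that a symlink inside the target root can redirect `install` and `mount --bind` outside `$chrootDir`, and since this script runs as root a check is cheap now that the path is held in one quoted variable. Before the `install` line: `case "$(realpath -m -- "$resolvConf")" in "$(realpath -m -- "$chrootDir")"/*) ;; *) return 1 ;; esac`, which refuses any resolved path that does not stay under the chroot. `chroot_add_resolv_conf` is complete in this hunk; the `return 1` is reported by the `|| echo` at the call site.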
diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl b/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl
index 57aef50a0f6b..fb5d3ba47325 100644
--- a/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl
@@ -51,7 +51,9 @@ for (my $n = 0; $n < scalar @ARGV; $n++) {
         $n++;
         $rootDir = $ARGV[$n];
         die "$0: ‘--root’ requires an argument\n" unless defined $rootDir;
+        die "$0: no need to specify `/` with `--root`, it is the default\n" if $rootDir eq "/";
         $rootDir =~ s/\/*$//; # remove trailing slashes
+        $rootDir = File::Spec->rel2abs($rootDir); # resolve absolute path
     }
     elsif ($arg eq "--force") {
         $force = 1;
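Review bot: The new `die` for `--root /` runs before the trailing-slash strip and before `rel2abs`, so `--root //` or `--root /./` pass the check and then normalise to the root anyway (after `s/\/*$//` on "/" the value is the empty string). Checking after normalisation closes that gap: `$rootDir = File::Spec->rel2abs($rootDir); $rootDir =~ s/\/*$//; die "$0: no need to specify \`/\` with \`--root\`, it is the default\n" if $rootDir eq "";`. The next hunk compares `$outDir eq "/etc/nixos"` before normalising, so `--dir /etc/nixos/` takes the other branch; normalising first there too would be consistent. If `File::Spec` is not already loaded earlier in the file, a `use File::Spec;` is needed.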
@@ -616,7 +618,12 @@ EOF
 if ($showHardwareConfig) {
     print STDOUT $hwConfig;
 } else {
-    $outDir = "$rootDir$outDir";
+    if ($outDir eq "/etc/nixos") {
+        $outDir = "$rootDir$outDir";
+    } else {
+        $outDir = File::Spec->rel2abs($outDir);
+        $outDir =~ s/\/*$//; # remove trailing slashes
+    }
 
     my $fn = "$outDir/hardware-configuration.nix";
     print STDERR "writing $fn...\n";
diff --git a/nixpkgs/nixos/modules/installer/tools/tools.nix b/nixpkgs/nixos/modules/installer/tools/tools.nix
index 71aaf7f253d9..2e088b977710 100644
--- a/nixpkgs/nixos/modules/installer/tools/tools.nix
+++ b/nixpkgs/nixos/modules/installer/tools/tools.nix
@@ -117,7 +117,7 @@ in
     '';
   };
 
-  config = lib.mkIf (!config.system.disableInstallerTools) {
+  config = lib.mkIf (config.nix.enable && !config.system.disableInstallerTools) {
 
     system.nixos-generate-config.configuration = mkDefault ''
       # Edit this configuration file to define what should be installed on
diff --git a/nixpkgs/nixos/modules/misc/locate.nix b/nixpkgs/nixos/modules/misc/locate.nix
index 66a49b0b888f..204a89143008 100644
--- a/nixpkgs/nixos/modules/misc/locate.nix
+++ b/nixpkgs/nixos/modules/misc/locate.nix
@@ -183,7 +183,11 @@ in
 
     pruneNames = mkOption {
       type = listOf str;
-      default = [ ".bzr" ".cache" ".git" ".hg" ".svn" ];
+      default = lib.optionals (!isFindutils) [ ".bzr" ".cache" ".git" ".hg" ".svn" ];
+      defaultText = literalDocBook ''
+        <literal>[ ".bzr" ".cache" ".git" ".hg" ".svn" ]</literal>, if
+        supported by the locate implementation (i.e. mlocate or plocate).
+      '';
       description = ''
         Directory components which should exclude paths containing them from indexing
       '';
diff --git a/nixpkgs/nixos/modules/misc/version.nix b/nixpkgs/nixos/modules/misc/version.nix
index 6c072021ed83..d825f4beb301 100644
--- a/nixpkgs/nixos/modules/misc/version.nix
+++ b/nixpkgs/nixos/modules/misc/version.nix
@@ -8,8 +8,12 @@ let
     concatStringsSep mapAttrsToList toLower
     literalExpression mkRenamedOptionModule mkDefault mkOption trivial types;
 
+  needsEscaping = s: null != builtins.match "[a-zA-Z0-9]+" s;
+  escapeIfNeccessary = s: if needsEscaping s then s else ''"${lib.escape [ "\$" "\"" "\\" "\`" ] s}"'';
   attrsToText = attrs:
-    concatStringsSep "\n" (mapAttrsToList (n: v: ''${n}="${toString v}"'') attrs);
+    concatStringsSep "\n" (
+      mapAttrsToList (n: v: ''${n}=${escapeIfNeccessary (toString v)}'') attrs
+    );
 
 in
 {
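Review bot: `needsEscaping` is named the wrong way round: it returns true for a purely alphanumeric string, which is exactly the case that needs no quoting, and `escapeIfNeccessary` relies on that inverted meaning (and misspells "necessary"). Renaming makes the logic read as it behaves: `isBareWord = s: null != builtins.match "[a-zA-Z0-9]+" s;` and `escapeIfNecessary = s: if isBareWord s then s else ''"${lib.escape [ "\$" "\"" "\\" "\`" ] s}"'';`. The escape set itself matches what a double-quoted shell-style value needs, so the behaviour is right; only the names mislead.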
diff --git a/nixpkgs/nixos/modules/module-list.nix b/nixpkgs/nixos/modules/module-list.nix
index 12bca45a9958..9e5255be2d79 100644
--- a/nixpkgs/nixos/modules/module-list.nix
+++ b/nixpkgs/nixos/modules/module-list.nix
@@ -118,6 +118,7 @@
   ./misc/version.nix
   ./misc/wordlist.nix
   ./misc/nixops-autoluks.nix
+  ./programs/_1password-gui.nix
   ./programs/adb.nix
   ./programs/appgate-sdp.nix
   ./programs/atop.nix
@@ -181,8 +182,10 @@
   ./programs/mtr.nix
   ./programs/nano.nix
   ./programs/nbd.nix
+  ./programs/nix-ld.nix
   ./programs/neovim.nix
   ./programs/nm-applet.nix
+  ./programs/nncp.nix
   ./programs/npm.nix
   ./programs/noisetorch.nix
   ./programs/oblogout.nix
@@ -302,6 +305,7 @@
   ./services/backup/znapzend.nix
   ./services/blockchain/ethereum/geth.nix
   ./services/backup/zrepl.nix
+  ./services/cluster/corosync/default.nix
   ./services/cluster/hadoop/default.nix
   ./services/cluster/k3s/default.nix
   ./services/cluster/kubernetes/addons/dns.nix
@@ -314,6 +318,7 @@
   ./services/cluster/kubernetes/pki.nix
   ./services/cluster/kubernetes/proxy.nix
   ./services/cluster/kubernetes/scheduler.nix
+  ./services/cluster/pacemaker/default.nix
   ./services/cluster/spark/default.nix
   ./services/computing/boinc/client.nix
   ./services/computing/foldingathome/client.nix
@@ -776,6 +781,7 @@
   ./services/networking/headscale.nix
   ./services/networking/hostapd.nix
   ./services/networking/htpdate.nix
+  ./services/networking/https-dns-proxy.nix
   ./services/networking/hylafax/default.nix
   ./services/networking/i2pd.nix
   ./services/networking/i2p.nix
@@ -1168,7 +1174,12 @@
   ./system/boot/stage-1.nix
   ./system/boot/stage-2.nix
   ./system/boot/systemd.nix
-  ./system/boot/systemd-nspawn.nix
+  ./system/boot/systemd/coredump.nix
+  ./system/boot/systemd/journald.nix
+  ./system/boot/systemd/logind.nix
+  ./system/boot/systemd/nspawn.nix
+  ./system/boot/systemd/tmpfiles.nix
+  ./system/boot/systemd/user.nix
   ./system/boot/timesyncd.nix
   ./system/boot/tmp.nix
   ./system/etc/etc-activation.nix
diff --git a/nixpkgs/nixos/modules/programs/_1password-gui.nix b/nixpkgs/nixos/modules/programs/_1password-gui.nix
new file mode 100644
index 000000000000..f57de44bb9e2
--- /dev/null
+++ b/nixpkgs/nixos/modules/programs/_1password-gui.nix
@@ -0,0 +1,69 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.programs._1password-gui;
+
+in {
+  options = {
+    programs._1password-gui = {
+      enable = mkEnableOption "The 1Password Desktop application with browser integration";
+
+      groupId = mkOption {
+        type = types.int;
+        example = literalExpression "5000";
+        description = ''
+          The GroupID to assign to the onepassword group, which is needed for browser integration. The group ID must be 1000 or greater.
+          '';
+      };
+
+      polkitPolicyOwners = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        example = literalExpression "[\"user1\" \"user2\" \"user3\"]";
+        description = ''
+          A list of users who should be able to integrate 1Password with polkit-based authentication mechanisms. By default, no users will have such access.
+          '';
+      };
+
+      package = mkOption {
+        type = types.package;
+        default = pkgs._1password-gui;
+        defaultText = literalExpression "pkgs._1password-gui";
+        example = literalExpression "pkgs._1password-gui";
+        description = ''
+          The 1Password derivation to use. This can be used to upgrade from the stable release that we keep in nixpkgs to the betas.
+          '';
+      };
+    };
+  };
+
+  config = let
+    package = cfg.package.override {
+      polkitPolicyOwners = cfg.polkitPolicyOwners;
+    };
+  in mkIf cfg.enable {
+    environment.systemPackages = [ package ];
+    users.groups.onepassword.gid = cfg.groupId;
+
+    security.wrappers = {
+      "1Password-BrowserSupport" =
+        { source = "${cfg.package}/share/1password/1Password-BrowserSupport";
+          owner = "root";
+          group = "onepassword";
+          setuid = false;
+          setgid = true;
+        };
+
+      "1Password-KeyringHelper" =
+        { source = "${cfg.package}/share/1password/1Password-KeyringHelper";
+          owner = "root";
+          group = "onepassword";
+          setuid = true;
+          setgid = true;
+        };
+    };
+
+  };
+}
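Review bot: The two `security.wrappers` entries take their `source` from `${cfg.package}`, while `environment.systemPackages` installs the overridden `package` (with `polkitPolicyOwners` applied), so the setuid/setgid wrappers point at a different derivation than the one users run; both should read `source = "${package}/share/1password/...";`. Since `1Password-KeyringHelper` is installed setuid root, the option should also enforce the lower bound its description promises (`groupId` is a plain `types.int`), e.g. `assertions = [ { assertion = cfg.groupId >= 1000; message = "programs._1password-gui.groupId must be 1000 or greater"; } ];`. A comment on the wrappers block stating that the helpers must be setgid `onepassword` for browser integration to work would explain why the wrappers exist at all.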
diff --git a/nixpkgs/nixos/modules/programs/nix-ld.nix b/nixpkgs/nixos/modules/programs/nix-ld.nix
new file mode 100644
index 000000000000..810a74ab50b7
--- /dev/null
+++ b/nixpkgs/nixos/modules/programs/nix-ld.nix
@@ -0,0 +1,12 @@
+{ pkgs, lib, config, ... }:
+{
+  meta.maintainers = [ lib.maintainers.mic92 ];
+  options = {
+    programs.nix-ld.enable = lib.mkEnableOption ''nix-ld, Documentation: <link xlink:href="https://github.com/Mic92/nix-ld"/>'';
+  };
+  config = lib.mkIf config.programs.nix-ld.enable {
+    systemd.tmpfiles.rules = [
+      "L+ ${pkgs.nix-ld.ldPath} - - - - ${pkgs.nix-ld}/libexec/nix-ld"
+    ];
+  };
+}
diff --git a/nixpkgs/nixos/modules/programs/nncp.nix b/nixpkgs/nixos/modules/programs/nncp.nix
new file mode 100644
index 000000000000..29a703eadf10
--- /dev/null
+++ b/nixpkgs/nixos/modules/programs/nncp.nix
@@ -0,0 +1,101 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  nncpCfgFile = "/run/nncp.hjson";
+  programCfg = config.programs.nncp;
+  settingsFormat = pkgs.formats.json { };
+  jsonCfgFile = settingsFormat.generate "nncp.json" programCfg.settings;
+  pkg = programCfg.package;
+in {
+  options.programs.nncp = {
+
+    enable =
+      mkEnableOption "NNCP (Node to Node copy) utilities and configuration";
+
+    group = mkOption {
+      type = types.str;
+      default = "uucp";
+      description = ''
+        The group under which NNCP files shall be owned.
+        Any member of this group may access the secret keys
+        of this NNCP node.
+      '';
+    };
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.nncp;
+      defaultText = literalExpression "pkgs.nncp";
+      description = "The NNCP package to use system-wide.";
+    };
+
+    secrets = mkOption {
+      type = with types; listOf str;
+      example = [ "/run/keys/nncp.hjson" ];
+      description = ''
+        A list of paths to NNCP configuration files that should not be
+        in the Nix store. These files are layered on top of the values at
+        <xref linkend="opt-programs.nncp.settings"/>.
+      '';
+    };
+
+    settings = mkOption {
+      type = settingsFormat.type;
+      description = ''
+        NNCP configuration, see
+        <link xlink:href="http://www.nncpgo.org/Configuration.html"/>.
+        At runtime these settings will be overlayed by the contents of
+        <xref linkend="opt-programs.nncp.secrets"/> into the file
+        <literal>${nncpCfgFile}</literal>. Node keypairs go in
+        <literal>secrets</literal>, do not specify them in
+        <literal>settings</literal> as they will be leaked into
+        <literal>/nix/store</literal>!
+      '';
+      default = { };
+    };
+
+  };
+
+  config = mkIf programCfg.enable {
+
+    environment = {
+      systemPackages = [ pkg ];
+      etc."nncp.hjson".source = nncpCfgFile;
+    };
+
+    programs.nncp.settings = {
+      spool = mkDefault "/var/spool/nncp";
+      log = mkDefault "/var/spool/nncp/log";
+    };
+
+    systemd.tmpfiles.rules = [
+      "d ${programCfg.settings.spool} 0770 root ${programCfg.group}"
+      "f ${programCfg.settings.log} 0770 root ${programCfg.group}"
+    ];
+
+    systemd.services.nncp-config = {
+      path = [ pkg ];
+      description = "Generate NNCP configuration";
+      wantedBy = [ "basic.target" ];
+      serviceConfig.Type = "oneshot";
+      script = ''
+        umask u=rw
+        nncpCfgDir=$(mktemp --directory nncp.XXX)
+        for f in ${jsonCfgFile} ${toString config.programs.nncp.secrets}; do
+          tmpdir=$(mktemp --directory nncp.XXX)
+          nncp-cfgdir -cfg $f -dump $tmpdir
+          find $tmpdir -size 1c -delete
+          cp -a $tmpdir/* $nncpCfgDir/
+          rm -rf $tmpdir
+        done
+        nncp-cfgdir -load $nncpCfgDir > ${nncpCfgFile}
+        rm -rf $nncpCfgDir
+        chgrp ${programCfg.group} ${nncpCfgFile}
+        chmod g+r ${nncpCfgFile}
+      '';
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [ ehmry ];
+}
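Review bot: `programs.nncp.secrets` has no `default`, so, as far as I can tell, enabling the module without setting it fails evaluation at the `${toString config.programs.nncp.secrets}` interpolation with "option used but not defined"; add `default = [ ];` to the option. In the service script, `mktemp --directory nncp.XXX` uses a relative template, which creates the scratch directories in the unit's working directory rather than in `TMPDIR`; `mktemp --directory --tmpdir nncp.XXXXXX` (for both calls) keeps them where temporary files belong, and with `umask u=rw` in effect they are created owner-only, which is right for dumped key material. The `f ${programCfg.settings.log} 0770` tmpfiles rule sets the execute bit on a log file; `0660` is presumably what is meant.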
diff --git a/nixpkgs/nixos/modules/services/cluster/corosync/default.nix b/nixpkgs/nixos/modules/services/cluster/corosync/default.nix
new file mode 100644
index 000000000000..b4144917feea
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/cluster/corosync/default.nix
@@ -0,0 +1,112 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.services.corosync;
+in
+{
+  # interface
+  options.services.corosync = {
+    enable = mkEnableOption "corosync";
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.corosync;
+      defaultText = literalExpression "pkgs.corosync";
+      description = "Package that should be used for corosync.";
+    };
+
+    clusterName = mkOption {
+      type = types.str;
+      default = "nixcluster";
+      description = "Name of the corosync cluster.";
+    };
+
+    extraOptions = mkOption {
+      type = with types; listOf str;
+      default = [];
+      description = "Additional options with which to start corosync.";
+    };
+
+    nodelist = mkOption {
+      description = "Corosync nodelist: all cluster members.";
+      default = [];
+      type = with types; listOf (submodule {
+        options = {
+          nodeid = mkOption {
+            type = int;
+            description = "Node ID number";
+          };
+          name = mkOption {
+            type = str;
+            description = "Node name";
+          };
+          ring_addrs = mkOption {
+            type = listOf str;
+            description = "List of addresses, one for each ring.";
+          };
+        };
+      });
+    };
+  };
+
+  # implementation
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ cfg.package ];
+
+    environment.etc."corosync/corosync.conf".text = ''
+      totem {
+        version: 2
+        secauth: on
+        cluster_name: ${cfg.clusterName}
+        transport: knet
+      }
+
+      nodelist {
+        ${concatMapStrings ({ nodeid, name, ring_addrs }: ''
+          node {
+            nodeid: ${toString nodeid}
+            name: ${name}
+            ${concatStrings (imap0 (i: addr: ''
+              ring${toString i}_addr: ${addr}
+            '') ring_addrs)}
+          }
+        '') cfg.nodelist}
+      }
+
+      quorum {
+        # only corosync_votequorum is supported
+        provider: corosync_votequorum
+        wait_for_all: 0
+        ${optionalString (builtins.length cfg.nodelist < 3) ''
+          two_node: 1
+        ''}
+      }
+
+      logging {
+        to_syslog: yes
+      }
+    '';
+
+    environment.etc."corosync/uidgid.d/root".text = ''
+      # allow pacemaker connection by root
+      uidgid {
+        uid: 0
+        gid: 0
+      }
+    '';
+
+    systemd.packages = [ cfg.package ];
+    systemd.services.corosync = {
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        StateDirectory = "corosync";
+        StateDirectoryMode = "0700";
+      };
+    };
+
+    environment.etc."sysconfig/corosync".text = lib.optionalString (cfg.extraOptions != []) ''
+      COROSYNC_OPTIONS="${lib.escapeShellArgs cfg.extraOptions}"
+    '';
+  };
+}
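Review bot: The generated `totem` block turns on `secauth`, but the module neither provisions nor documents the shared key that corosync then expects (by default `/etc/corosync/authkey`, as far as I know), so a fresh deployment from these options alone is unlikely to start; at minimum the module description or `enable` option should say `An authkey must be provided out of band, e.g. via environment.etc."corosync/authkey".`. The `two_node: 1` line is emitted whenever fewer than three nodes are listed, including for a one-node list; a comment stating that this is the intended quorum behaviour for 1–2 node clusters would help, since `wait_for_all: 0` is set alongside it.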
diff --git a/nixpkgs/nixos/modules/services/cluster/hadoop/conf.nix b/nixpkgs/nixos/modules/services/cluster/hadoop/conf.nix
index 0caec5cfc203..e3c26a0d5505 100644
--- a/nixpkgs/nixos/modules/services/cluster/hadoop/conf.nix
+++ b/nixpkgs/nixos/modules/services/cluster/hadoop/conf.nix
@@ -1,6 +1,6 @@
 { cfg, pkgs, lib }:
 let
-  propertyXml = name: value: ''
+  propertyXml = name: value: lib.optionalString (value != null) ''
     <property>
       <name>${name}</name>
       <value>${builtins.toString value}</value>
@@ -29,16 +29,16 @@ let
     export HADOOP_LOG_DIR=/tmp/hadoop/$USER
   '';
 in
-pkgs.runCommand "hadoop-conf" {} ''
+pkgs.runCommand "hadoop-conf" {} (with cfg; ''
   mkdir -p $out/
-  cp ${siteXml "core-site.xml" cfg.coreSite}/* $out/
-  cp ${siteXml "hdfs-site.xml" cfg.hdfsSite}/* $out/
-  cp ${siteXml "mapred-site.xml" cfg.mapredSite}/* $out/
-  cp ${siteXml "yarn-site.xml" cfg.yarnSite}/* $out/
-  cp ${siteXml "httpfs-site.xml" cfg.httpfsSite}/* $out/
-  cp ${cfgFile "container-executor.cfg" cfg.containerExecutorCfg}/* $out/
+  cp ${siteXml "core-site.xml" (coreSite // coreSiteInternal)}/* $out/
+  cp ${siteXml "hdfs-site.xml" (hdfsSiteDefault // hdfsSite // hdfsSiteInternal)}/* $out/
+  cp ${siteXml "mapred-site.xml" (mapredSiteDefault // mapredSite)}/* $out/
+  cp ${siteXml "yarn-site.xml" (yarnSiteDefault // yarnSite // yarnSiteInternal)}/* $out/
+  cp ${siteXml "httpfs-site.xml" httpfsSite}/* $out/
+  cp ${cfgFile "container-executor.cfg" containerExecutorCfg}/* $out/
   cp ${pkgs.writeTextDir "hadoop-user-functions.sh" userFunctions}/* $out/
   cp ${pkgs.writeTextDir "hadoop-env.sh" hadoopEnv}/* $out/
-  cp ${cfg.log4jProperties} $out/log4j.properties
-  ${lib.concatMapStringsSep "\n" (dir: "cp -r ${dir}/* $out/") cfg.extraConfDirs}
-''
+  cp ${log4jProperties} $out/log4j.properties
+  ${lib.concatMapStringsSep "\n" (dir: "cp -r ${dir}/* $out/") extraConfDirs}
+'')
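Review bot: The merge order `coreSite // coreSiteInternal` (and likewise for hdfs and yarn) lets the `*Internal` sets silently override values the user put in `coreSite`/`hdfsSite`/`yarnSite`, although those options are described in default.nix as "Additional options and overrides"; if internal values are meant to win, the descriptions should say so, otherwise the user set should be merged last. `with cfg;` also hides which names come from the option set and which from this file's `let` (e.g. `siteXml`, `userFunctions`); a short comment such as `# coreSite, hdfsSite, ... and log4jProperties come from cfg` keeps that readable.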
diff --git a/nixpkgs/nixos/modules/services/cluster/hadoop/default.nix b/nixpkgs/nixos/modules/services/cluster/hadoop/default.nix
index a1a95fe31cac..a4fdea81037c 100644
--- a/nixpkgs/nixos/modules/services/cluster/hadoop/default.nix
+++ b/nixpkgs/nixos/modules/services/cluster/hadoop/default.nix
@@ -21,24 +21,50 @@ with lib;
         <link xlink:href="https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/core-default.xml"/>
       '';
     };
+    coreSiteInternal = mkOption {
+      default = {};
+      type = types.attrsOf types.anything;
+      internal = true;
+      description = ''
+        Internal option to add configs to core-site.xml based on module options
+      '';
+    };
 
-    hdfsSite = mkOption {
+    hdfsSiteDefault = mkOption {
       default = {
         "dfs.namenode.rpc-bind-host" = "0.0.0.0";
+        "dfs.namenode.http-address" = "0.0.0.0:9870";
+        "dfs.namenode.servicerpc-bind-host" = "0.0.0.0";
+        "dfs.namenode.http-bind-host" = "0.0.0.0";
       };
       type = types.attrsOf types.anything;
+      description = ''
+        Default options for hdfs-site.xml
+      '';
+    };
+    hdfsSite = mkOption {
+      default = {};
+      type = types.attrsOf types.anything;
       example = literalExpression ''
         {
           "dfs.nameservices" = "namenode1";
         }
       '';
       description = ''
-        Hadoop hdfs-site.xml definition
+        Additional options and overrides for hdfs-site.xml
         <link xlink:href="https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/hdfs-default.xml"/>
       '';
     };
+    hdfsSiteInternal = mkOption {
+      default = {};
+      type = types.attrsOf types.anything;
+      internal = true;
+      description = ''
+        Internal option to add configs to hdfs-site.xml based on module options
+      '';
+    };
 
-    mapredSite = mkOption {
+    mapredSiteDefault = mkOption {
       default = {
         "mapreduce.framework.name" = "yarn";
         "yarn.app.mapreduce.am.env" = "HADOOP_MAPRED_HOME=${cfg.package}/lib/${cfg.package.untarDir}";
@@ -54,18 +80,25 @@ with lib;
         }
       '';
       type = types.attrsOf types.anything;
+      description = ''
+        Default options for mapred-site.xml
+      '';
+    };
+    mapredSite = mkOption {
+      default = {};
+      type = types.attrsOf types.anything;
       example = literalExpression ''
-        options.services.hadoop.mapredSite.default // {
+        {
           "mapreduce.map.java.opts" = "-Xmx900m -XX:+UseParallelGC";
         }
       '';
       description = ''
-        Hadoop mapred-site.xml definition
+        Additional options and overrides for mapred-site.xml
         <link xlink:href="https://hadoop.apache.org/docs/current/hadoop-mapreduce-client/hadoop-mapreduce-client-core/mapred-default.xml"/>
       '';
     };
 
-    yarnSite = mkOption {
+    yarnSiteDefault = mkOption {
       default = {
         "yarn.nodemanager.admin-env" = "PATH=$PATH";
         "yarn.nodemanager.aux-services" = "mapreduce_shuffle";
@@ -77,19 +110,34 @@ with lib;
         "yarn.nodemanager.linux-container-executor.path" = "/run/wrappers/yarn-nodemanager/bin/container-executor";
         "yarn.nodemanager.log-dirs" = "/var/log/hadoop/yarn/nodemanager";
         "yarn.resourcemanager.bind-host" = "0.0.0.0";
-        "yarn.resourcemanager.scheduler.class" = "org.apache.hadoop.yarn.server.resourcemanager.scheduler.fifo.FifoScheduler";
+        "yarn.resourcemanager.scheduler.class" = "org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler";
       };
       type = types.attrsOf types.anything;
+      description = ''
+        Default options for yarn-site.xml
+      '';
+    };
+    yarnSite = mkOption {
+      default = {};
+      type = types.attrsOf types.anything;
       example = literalExpression ''
-        options.services.hadoop.yarnSite.default // {
+        {
           "yarn.resourcemanager.hostname" = "''${config.networking.hostName}";
         }
       '';
       description = ''
-        Hadoop yarn-site.xml definition
+        Additional options and overrides for yarn-site.xml
         <link xlink:href="https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-common/yarn-default.xml"/>
       '';
     };
+    yarnSiteInternal = mkOption {
+      default = {};
+      type = types.attrsOf types.anything;
+      internal = true;
+      description = ''
+        Internal option to add configs to yarn-site.xml based on module options
+      '';
+    };
 
     httpfsSite = mkOption {
       default = { };
@@ -123,6 +171,7 @@ with lib;
         "yarn.nodemanager.linux-container-executor.group"="hadoop";
         "min.user.id"=1000;
         "feature.terminal.enabled"=1;
+        "feature.mount-cgroup.enabled" = 1;
       };
       type = types.attrsOf types.anything;
       example = literalExpression ''
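Review bot: `"feature.mount-cgroup.enabled" = 1` on the new line switches on the cgroup-mount feature of the setuid-root container-executor unconditionally, while yarn.nix gates its cgroup settings on `services.hadoop.yarn.nodemanager.useCGroups`; a node configured with `useCGroups = false` still ships an executor that is permitted to perform mounts. Consider deriving the default from that option, e.g. `"feature.mount-cgroup.enabled" = if config.services.hadoop.yarn.nodemanager.useCGroups then 1 else 0;`, or at least state in the option description that the feature is enabled by default and why. The option whose default this hunk extends starts outside the hunk, so I cannot see its name or current description.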
@@ -148,6 +197,8 @@ with lib;
       description = "Directories containing additional config files to be added to HADOOP_CONF_DIR";
     };
 
+    gatewayRole.enable = mkEnableOption "gateway role for deploying hadoop configs";
+
     package = mkOption {
       type = types.package;
       default = pkgs.hadoop;
@@ -157,20 +208,16 @@ with lib;
   };
 
 
-  config = mkMerge [
-    (mkIf (builtins.hasAttr "yarn" config.users.users ||
-           builtins.hasAttr "hdfs" config.users.users ||
-           builtins.hasAttr "httpfs" config.users.users) {
-      users.groups.hadoop = {
-        gid = config.ids.gids.hadoop;
-      };
-      environment = {
-        systemPackages = [ cfg.package ];
-        etc."hadoop-conf".source = let
-          hadoopConf = "${import ./conf.nix { inherit cfg pkgs lib; }}/";
-        in "${hadoopConf}";
-      };
-    })
-
-  ];
+  config = mkIf cfg.gatewayRole.enable {
+    users.groups.hadoop = {
+      gid = config.ids.gids.hadoop;
+    };
+    environment = {
+      systemPackages = [ cfg.package ];
+      etc."hadoop-conf".source = let
+        hadoopConf = "${import ./conf.nix { inherit cfg pkgs lib; }}/";
+      in "${hadoopConf}";
+      variables.HADOOP_CONF_DIR = "/etc/hadoop-conf/";
+    };
+  };
 }
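Review bot: The `/etc/hadoop-conf` tree installed here comes from `import ./conf.nix` interpolated into a string on the `etc."hadoop-conf".source` line, i.e. a Nix store path, which is world-readable, so every value placed in the `*Site`/`*SiteDefault` options becomes readable by all local users and by any binary cache the host pushes to. Nothing in this hunk or the option descriptions says so; I would add above that line `# conf.nix renders all *Site options into the (world-readable) Nix store: keep keystore passwords, tokens and other secrets out of these options.` and repeat the warning in the option descriptions. conf.nix itself is not visible here, so this assumes it does not special-case secret-bearing keys.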
diff --git a/nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix b/nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix
index be667aa82d8a..325a002ad32f 100644
--- a/nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix
+++ b/nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix
@@ -1,191 +1,191 @@
-{ config, lib, pkgs, ...}:
+{ config, lib, pkgs, ... }:
 with lib;
 let
   cfg = config.services.hadoop;
+
+  # Config files for hadoop services
   hadoopConf = "${import ./conf.nix { inherit cfg pkgs lib; }}/";
-  restartIfChanged  = mkOption {
-    type = types.bool;
-    description = ''
-      Automatically restart the service on config change.
-      This can be set to false to defer restarts on clusters running critical applications.
-      Please consider the security implications of inadvertently running an older version,
-      and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.
-    '';
-    default = false;
-  };
+
+  # Generator for HDFS service options
+  hadoopServiceOption = { serviceName, firewallOption ? true, extraOpts ? null }: {
+    enable = mkEnableOption serviceName;
+    restartIfChanged = mkOption {
+      type = types.bool;
+      description = ''
+        Automatically restart the service on config change.
+        This can be set to false to defer restarts on clusters running critical applications.
+        Please consider the security implications of inadvertently running an older version,
+        and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.
+      '';
+      default = false;
+    };
+    extraFlags = mkOption{
+      type = with types; listOf str;
+      default = [];
+      description = "Extra command line flags to pass to ${serviceName}";
+      example = [
+        "-Dcom.sun.management.jmxremote"
+        "-Dcom.sun.management.jmxremote.port=8010"
+      ];
+    };
+    extraEnv = mkOption{
+      type = with types; attrsOf str;
+      default = {};
+      description = "Extra environment variables for ${serviceName}";
+    };
+  } // (optionalAttrs firewallOption {
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Open firewall ports for ${serviceName}.";
+    };
+  }) // (optionalAttrs (extraOpts != null) extraOpts);
+
+  # Generator for HDFS service configs
+  hadoopServiceConfig =
+    { name
+    , serviceOptions ? cfg.hdfs."${toLower name}"
+    , description ? "Hadoop HDFS ${name}"
+    , User ? "hdfs"
+    , allowedTCPPorts ? [ ]
+    , preStart ? ""
+    , environment ? { }
+    , extraConfig ? { }
+    }: (
+
+      mkIf serviceOptions.enable ( mkMerge [{
+        systemd.services."hdfs-${toLower name}" = {
+          inherit description preStart;
+          environment = environment // serviceOptions.extraEnv;
+          wantedBy = [ "multi-user.target" ];
+          inherit (serviceOptions) restartIfChanged;
+          serviceConfig = {
+            inherit User;
+            SyslogIdentifier = "hdfs-${toLower name}";
+            ExecStart = "${cfg.package}/bin/hdfs --config ${hadoopConf} ${toLower name} ${escapeShellArgs serviceOptions.extraFlags}";
+            Restart = "always";
+          };
+        };
+
+        services.hadoop.gatewayRole.enable = true;
+
+        networking.firewall.allowedTCPPorts = mkIf
+          ((builtins.hasAttr "openFirewall" serviceOptions) && serviceOptions.openFirewall)
+          allowedTCPPorts;
+      } extraConfig])
+    );
+
 in
 {
   options.services.hadoop.hdfs = {
-    namenode = {
-      enable = mkEnableOption "Whether to run the HDFS NameNode";
+
+    namenode = hadoopServiceOption { serviceName = "HDFS NameNode"; } // {
       formatOnInit = mkOption {
         type = types.bool;
         default = false;
         description = ''
-          Format HDFS namenode on first start. This is useful for quickly spinning up ephemeral HDFS clusters with a single namenode.
-          For HA clusters, initialization involves multiple steps across multiple nodes. Follow [this guide](https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-hdfs/HDFSHighAvailabilityWithQJM.html)
-          to initialize an HA cluster manually.
-        '';
-      };
-      inherit restartIfChanged;
-      openFirewall = mkOption {
-        type = types.bool;
-        default = true;
-        description = ''
-          Open firewall ports for namenode
-        '';
-      };
-    };
-    datanode = {
-      enable = mkEnableOption "Whether to run the HDFS DataNode";
-      inherit restartIfChanged;
-      openFirewall = mkOption {
-        type = types.bool;
-        default = true;
-        description = ''
-          Open firewall ports for datanode
+          Format HDFS namenode on first start. This is useful for quickly spinning up
+          ephemeral HDFS clusters with a single namenode.
+          For HA clusters, initialization involves multiple steps across multiple nodes.
+          Follow this guide to initialize an HA cluster manually:
+          <link xlink:href="https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-hdfs/HDFSHighAvailabilityWithQJM.html"/>
         '';
       };
     };
-    journalnode = {
-      enable = mkEnableOption "Whether to run the HDFS JournalNode";
-      inherit restartIfChanged;
-      openFirewall = mkOption {
-        type = types.bool;
-        default = true;
-        description = ''
-          Open firewall ports for journalnode
-        '';
+
+    datanode = hadoopServiceOption { serviceName = "HDFS DataNode"; } // {
+      dataDirs = mkOption {
+        default = null;
+        description = "Tier and path definitions for datanode storage.";
+        type = with types; nullOr (listOf (submodule {
+          options = {
+            type = mkOption {
+              type = enum [ "SSD" "DISK" "ARCHIVE" "RAM_DISK" ];
+              description = ''
+                Storage types ([SSD]/[DISK]/[ARCHIVE]/[RAM_DISK]) for HDFS storage policies.
+              '';
+            };
+            path = mkOption {
+              type = path;
+              example = [ "/var/lib/hadoop/hdfs/dn" ];
+              description = "Determines where on the local filesystem a data node should store its blocks.";
+            };
+          };
+        }));
       };
     };
-    zkfc = {
-      enable = mkEnableOption "Whether to run the HDFS ZooKeeper failover controller";
-      inherit restartIfChanged;
+
+    journalnode = hadoopServiceOption { serviceName = "HDFS JournalNode"; };
+
+    zkfc = hadoopServiceOption {
+      serviceName = "HDFS ZooKeeper failover controller";
+      firewallOption = false;
     };
-    httpfs = {
-      enable = mkEnableOption "Whether to run the HDFS HTTPfs server";
+
+    httpfs = hadoopServiceOption { serviceName = "HDFS JournalNode"; } // {
       tempPath = mkOption {
         type = types.path;
         default = "/tmp/hadoop/httpfs";
-        description = ''
-          HTTPFS_TEMP path used by HTTPFS
-        '';
-      };
-      inherit restartIfChanged;
-      openFirewall = mkOption {
-        type = types.bool;
-        default = true;
-        description = ''
-          Open firewall ports for HTTPFS
-        '';
+        description = "HTTPFS_TEMP path used by HTTPFS";
       };
     };
+
   };
 
   config = mkMerge [
-    (mkIf cfg.hdfs.namenode.enable {
-      systemd.services.hdfs-namenode = {
-        description = "Hadoop HDFS NameNode";
-        wantedBy = [ "multi-user.target" ];
-        inherit (cfg.hdfs.namenode) restartIfChanged;
-
-        preStart = (mkIf cfg.hdfs.namenode.formatOnInit ''
-          ${cfg.package}/bin/hdfs --config ${hadoopConf} namenode -format -nonInteractive || true
-        '');
-
-        serviceConfig = {
-          User = "hdfs";
-          SyslogIdentifier = "hdfs-namenode";
-          ExecStart = "${cfg.package}/bin/hdfs --config ${hadoopConf} namenode";
-          Restart = "always";
-        };
-      };
-
-      networking.firewall.allowedTCPPorts = (mkIf cfg.hdfs.namenode.openFirewall [
+    (hadoopServiceConfig {
+      name = "NameNode";
+      allowedTCPPorts = [
         9870 # namenode.http-address
         8020 # namenode.rpc-address
-        8022 # namenode. servicerpc-address
-      ]);
+        8022 # namenode.servicerpc-address
+        8019 # dfs.ha.zkfc.port
+      ];
+      preStart = (mkIf cfg.hdfs.namenode.formatOnInit
+        "${cfg.package}/bin/hdfs --config ${hadoopConf} namenode -format -nonInteractive || true"
+      );
     })
-    (mkIf cfg.hdfs.datanode.enable {
-      systemd.services.hdfs-datanode = {
-        description = "Hadoop HDFS DataNode";
-        wantedBy = [ "multi-user.target" ];
-        inherit (cfg.hdfs.datanode) restartIfChanged;
-
-        serviceConfig = {
-          User = "hdfs";
-          SyslogIdentifier = "hdfs-datanode";
-          ExecStart = "${cfg.package}/bin/hdfs --config ${hadoopConf} datanode";
-          Restart = "always";
-        };
-      };
 
-      networking.firewall.allowedTCPPorts = (mkIf cfg.hdfs.datanode.openFirewall [
+    (hadoopServiceConfig {
+      name = "DataNode";
+      # port numbers for datanode changed between hadoop 2 and 3
+      allowedTCPPorts = if versionAtLeast cfg.package.version "3" then [
         9864 # datanode.http.address
         9866 # datanode.address
         9867 # datanode.ipc.address
-      ]);
+      ] else [
+        50075 # datanode.http.address
+        50010 # datanode.address
+        50020 # datanode.ipc.address
+      ];
+      extraConfig.services.hadoop.hdfsSiteInternal."dfs.datanode.data.dir" = let d = cfg.hdfs.datanode.dataDirs; in
+        if (d!= null) then (concatMapStringsSep "," (x: "["+x.type+"]file://"+x.path) cfg.hdfs.datanode.dataDirs) else d;
     })
-    (mkIf cfg.hdfs.journalnode.enable {
-      systemd.services.hdfs-journalnode = {
-        description = "Hadoop HDFS JournalNode";
-        wantedBy = [ "multi-user.target" ];
-        inherit (cfg.hdfs.journalnode) restartIfChanged;
-
-        serviceConfig = {
-          User = "hdfs";
-          SyslogIdentifier = "hdfs-journalnode";
-          ExecStart = "${cfg.package}/bin/hdfs --config ${hadoopConf} journalnode";
-          Restart = "always";
-        };
-      };
 
-      networking.firewall.allowedTCPPorts = (mkIf cfg.hdfs.journalnode.openFirewall [
+    (hadoopServiceConfig {
+      name = "JournalNode";
+      allowedTCPPorts = [
         8480 # dfs.journalnode.http-address
         8485 # dfs.journalnode.rpc-address
-      ]);
+      ];
     })
-    (mkIf cfg.hdfs.zkfc.enable {
-      systemd.services.hdfs-zkfc = {
-        description = "Hadoop HDFS ZooKeeper failover controller";
-        wantedBy = [ "multi-user.target" ];
-        inherit (cfg.hdfs.zkfc) restartIfChanged;
-
-        serviceConfig = {
-          User = "hdfs";
-          SyslogIdentifier = "hdfs-zkfc";
-          ExecStart = "${cfg.package}/bin/hdfs --config ${hadoopConf} zkfc";
-          Restart = "always";
-        };
-      };
-    })
-    (mkIf cfg.hdfs.httpfs.enable {
-      systemd.services.hdfs-httpfs = {
-        description = "Hadoop httpfs";
-        wantedBy = [ "multi-user.target" ];
-        inherit (cfg.hdfs.httpfs) restartIfChanged;
-
-        environment.HTTPFS_TEMP = cfg.hdfs.httpfs.tempPath;
 
-        preStart = ''
-          mkdir -p $HTTPFS_TEMP
-        '';
+    (hadoopServiceConfig {
+      name = "zkfc";
+      description = "Hadoop HDFS ZooKeeper failover controller";
+    })
 
-        serviceConfig = {
-          User = "httpfs";
-          SyslogIdentifier = "hdfs-httpfs";
-          ExecStart = "${cfg.package}/bin/hdfs --config ${hadoopConf} httpfs";
-          Restart = "always";
-        };
-      };
-      networking.firewall.allowedTCPPorts = (mkIf cfg.hdfs.httpfs.openFirewall [
+    (hadoopServiceConfig {
+      name = "HTTPFS";
+      environment.HTTPFS_TEMP = cfg.hdfs.httpfs.tempPath;
+      preStart = "mkdir -p $HTTPFS_TEMP";
+      User = "httpfs";
+      allowedTCPPorts = [
         14000 # httpfs.http.port
-      ]);
+      ];
     })
-    (mkIf (
-        cfg.hdfs.namenode.enable || cfg.hdfs.datanode.enable || cfg.hdfs.journalnode.enable || cfg.hdfs.zkfc.enable
-    ) {
+
+    (mkIf cfg.gatewayRole.enable {
       users.users.hdfs = {
         description = "Hadoop HDFS user";
         group = "hadoop";
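Review bot: `httpfs = hadoopServiceOption { serviceName = "HDFS JournalNode"; }` is a copy-paste slip: the generated `enable`, `extraFlags`, `extraEnv` and `openFirewall` descriptions for services.hadoop.hdfs.httpfs will all describe the JournalNode; it should read `httpfs = hadoopServiceOption { serviceName = "HDFS HTTPFS"; } // {`. Separately, the HTTPFS unit's `preStart = "mkdir -p $HTTPFS_TEMP"` with the default `tempPath = "/tmp/hadoop/httpfs"` creates a directory inside world-writable /tmp, and since hadoopServiceConfig sets `User` without `PermissionsStartOnly` the ExecStartPre runs as `httpfs`, so a local user who pre-creates `/tmp/hadoop` controls (or symlinks) the temp location. A default under `/var/lib/hadoop`, or `PrivateTmp = true` / a `RuntimeDirectory`, would close that; this part is inherited from the old code rather than introduced by the refactor.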
@@ -199,5 +199,6 @@ in
         isSystemUser = true;
       };
     })
+
   ];
 }
diff --git a/nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix b/nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix
index 37c26ea10f76..74e16bdec687 100644
--- a/nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix
+++ b/nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix
@@ -13,23 +13,77 @@ let
     '';
     default = false;
   };
+  extraFlags = mkOption{
+    type = with types; listOf str;
+    default = [];
+    description = "Extra command line flags to pass to the service";
+    example = [
+      "-Dcom.sun.management.jmxremote"
+      "-Dcom.sun.management.jmxremote.port=8010"
+    ];
+  };
+  extraEnv = mkOption{
+    type = with types; attrsOf str;
+    default = {};
+    description = "Extra environment variables";
+  };
 in
 {
   options.services.hadoop.yarn = {
     resourcemanager = {
-      enable = mkEnableOption "Whether to run the Hadoop YARN ResourceManager";
-      inherit restartIfChanged;
+      enable = mkEnableOption "Hadoop YARN ResourceManager";
+      inherit restartIfChanged extraFlags extraEnv;
+
       openFirewall = mkOption {
         type = types.bool;
-        default = true;
+        default = false;
         description = ''
           Open firewall ports for resourcemanager
         '';
       };
     };
     nodemanager = {
-      enable = mkEnableOption "Whether to run the Hadoop YARN NodeManager";
-      inherit restartIfChanged;
+      enable = mkEnableOption "Hadoop YARN NodeManager";
+      inherit restartIfChanged extraFlags extraEnv;
+
+      resource = {
+        cpuVCores = mkOption {
+          description = "Number of vcores that can be allocated for containers.";
+          type = with types; nullOr ints.positive;
+          default = null;
+        };
+        maximumAllocationVCores = mkOption {
+          description = "The maximum virtual CPU cores any container can be allocated.";
+          type = with types; nullOr ints.positive;
+          default = null;
+        };
+        memoryMB = mkOption {
+          description = "Amount of physical memory, in MB, that can be allocated for containers.";
+          type = with types; nullOr ints.positive;
+          default = null;
+        };
+        maximumAllocationMB = mkOption {
+          description = "The maximum physical memory any container can be allocated.";
+          type = with types; nullOr ints.positive;
+          default = null;
+        };
+      };
+
+      useCGroups = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Use cgroups to enforce resource limits on containers
+        '';
+      };
+
+      localDir = mkOption {
+        description = "List of directories to store localized files in.";
+        type = with types; nullOr (listOf path);
+        example = [ "/var/lib/hadoop/yarn/nm" ];
+        default = null;
+      };
+
       addBinBash = mkOption {
         type = types.bool;
         default = true;
@@ -39,7 +93,7 @@ in
       };
       openFirewall = mkOption {
         type = types.bool;
-        default = true;
+        default = false;
         description = ''
           Open firewall ports for nodemanager.
           Because containers can listen on any ephemeral port, TCP ports 1024–65535 will be opened.
@@ -49,10 +103,7 @@ in
   };
 
   config = mkMerge [
-    (mkIf (
-        cfg.yarn.resourcemanager.enable || cfg.yarn.nodemanager.enable
-    ) {
-
+    (mkIf cfg.gatewayRole.enable {
       users.users.yarn = {
         description = "Hadoop YARN user";
         group = "hadoop";
@@ -65,15 +116,19 @@ in
         description = "Hadoop YARN ResourceManager";
         wantedBy = [ "multi-user.target" ];
         inherit (cfg.yarn.resourcemanager) restartIfChanged;
+        environment = cfg.yarn.resourcemanager.extraEnv;
 
         serviceConfig = {
           User = "yarn";
           SyslogIdentifier = "yarn-resourcemanager";
           ExecStart = "${cfg.package}/bin/yarn --config ${hadoopConf} " +
-                      " resourcemanager";
+                      " resourcemanager ${escapeShellArgs cfg.yarn.resourcemanager.extraFlags}";
           Restart = "always";
         };
       };
+
+      services.hadoop.gatewayRole.enable = true;
+
       networking.firewall.allowedTCPPorts = (mkIf cfg.yarn.resourcemanager.openFirewall [
         8088 # resourcemanager.webapp.address
         8030 # resourcemanager.scheduler.address
@@ -94,6 +149,7 @@ in
         description = "Hadoop YARN NodeManager";
         wantedBy = [ "multi-user.target" ];
         inherit (cfg.yarn.nodemanager) restartIfChanged;
+        environment = cfg.yarn.nodemanager.extraEnv;
 
         preStart = ''
           # create log dir
@@ -101,8 +157,9 @@ in
           chown yarn:hadoop /var/log/hadoop/yarn/nodemanager
 
           # set up setuid container executor binary
+          umount /run/wrappers/yarn-nodemanager/cgroup/cpu || true
           rm -rf /run/wrappers/yarn-nodemanager/ || true
-          mkdir -p /run/wrappers/yarn-nodemanager/{bin,etc/hadoop}
+          mkdir -p /run/wrappers/yarn-nodemanager/{bin,etc/hadoop,cgroup/cpu}
           cp ${cfg.package}/lib/${cfg.package.untarDir}/bin/container-executor /run/wrappers/yarn-nodemanager/bin/
           chgrp hadoop /run/wrappers/yarn-nodemanager/bin/container-executor
           chmod 6050 /run/wrappers/yarn-nodemanager/bin/container-executor
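Review bot: `umount /run/wrappers/yarn-nodemanager/cgroup/cpu || true` masks a genuine unmount failure (for example a cgroup still holding container tasks), and the following `rm -rf /run/wrappers/yarn-nodemanager/ || true` then descends into a still-mounted cgroup hierarchy and tries to remove live cgroups. I would unmount only when something is mounted and let a real failure abort the start: `if ${pkgs.util-linux}/bin/mountpoint -q /run/wrappers/yarn-nodemanager/cgroup/cpu; then umount /run/wrappers/yarn-nodemanager/cgroup/cpu; fi` (pkgs is presumably a module argument here as in the sibling hdfs.nix). The preStart script continues past the `chmod 6050` line outside the hunk, so this assumes nothing later re-checks the mount state.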
@@ -114,11 +171,26 @@ in
           SyslogIdentifier = "yarn-nodemanager";
           PermissionsStartOnly = true;
           ExecStart = "${cfg.package}/bin/yarn --config ${hadoopConf} " +
-                      " nodemanager";
+                      " nodemanager ${escapeShellArgs cfg.yarn.nodemanager.extraFlags}";
           Restart = "always";
         };
       };
 
+      services.hadoop.gatewayRole.enable = true;
+
+      services.hadoop.yarnSiteInternal = with cfg.yarn.nodemanager; {
+        "yarn.nodemanager.local-dirs" = localDir;
+        "yarn.scheduler.maximum-allocation-vcores" = resource.maximumAllocationVCores;
+        "yarn.scheduler.maximum-allocation-mb" = resource.maximumAllocationMB;
+        "yarn.nodemanager.resource.cpu-vcores" = resource.cpuVCores;
+        "yarn.nodemanager.resource.memory-mb" = resource.memoryMB;
+      } // mkIf useCGroups {
+        "yarn.nodemanager.linux-container-executor.cgroups.hierarchy" = "/hadoop-yarn";
+        "yarn.nodemanager.linux-container-executor.resources-handler.class" = "org.apache.hadoop.yarn.server.nodemanager.util.CgroupsLCEResourcesHandler";
+        "yarn.nodemanager.linux-container-executor.cgroups.mount" = "true";
+        "yarn.nodemanager.linux-container-executor.cgroups.mount-path" = "/run/wrappers/yarn-nodemanager/cgroup";
+      };
+
       networking.firewall.allowedTCPPortRanges = [
         (mkIf (cfg.yarn.nodemanager.openFirewall) {from = 1024; to = 65535;})
       ];
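Review bot: `{ ... } // mkIf useCGroups { ... }` does not do what it looks like: `lib.mkIf` returns an attrset `{ _type = "if"; condition; content; }`, so the `//` yields one definition tagged `_type = "if"` whose `content` holds only the four cgroup keys, and the module system, if I read its property handling right, discharges that definition to the cgroup settings alone (or to nothing when useCGroups is false) — `yarn.nodemanager.local-dirs` and the four `resource.*` settings are silently dropped. Use mkMerge instead: change the opening line to `services.hadoop.yarnSiteInternal = with cfg.yarn.nodemanager; mkMerge [ {`, the `} // mkIf useCGroups {` line to `} (mkIf useCGroups {`, and the closing `};` to `}) ];`. Also, `cgroups.mount = "true"` asks the setuid container-executor to mount cgroups under `/run/wrappers/yarn-nodemanager/cgroup`, which only works together with the `feature.mount-cgroup.enabled` default in default.nix; a one-line comment naming that dependency would help the next reader.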
diff --git a/nixpkgs/nixos/modules/services/cluster/pacemaker/default.nix b/nixpkgs/nixos/modules/services/cluster/pacemaker/default.nix
new file mode 100644
index 000000000000..7eeadffcc586
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/cluster/pacemaker/default.nix
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.services.pacemaker;
+in
+{
+  # interface
+  options.services.pacemaker = {
+    enable = mkEnableOption "pacemaker";
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.pacemaker;
+      defaultText = literalExpression "pkgs.pacemaker";
+      description = "Package that should be used for pacemaker.";
+    };
+  };
+
+  # implementation
+  config = mkIf cfg.enable {
+    assertions = [ {
+      assertion = config.services.corosync.enable;
+      message = ''
+        Enabling services.pacemaker requires a services.corosync configuration.
+      '';
+    } ];
+
+    environment.systemPackages = [ cfg.package ];
+
+    # required by pacemaker
+    users.users.hacluster = {
+      isSystemUser = true;
+      group = "pacemaker";
+      home = "/var/lib/pacemaker";
+    };
+    users.groups.pacemaker = {};
+
+    systemd.tmpfiles.rules = [
+      "d /var/log/pacemaker 0700 hacluster pacemaker -"
+    ];
+
+    systemd.packages = [ cfg.package ];
+    systemd.services.pacemaker = {
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        StateDirectory = "pacemaker";
+        StateDirectoryMode = "0700";
+      };
+    };
+  };
+}
diff --git a/nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix b/nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix
index aaa159d3cb18..80c6c6abfd0b 100644
--- a/nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix
+++ b/nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix
@@ -64,7 +64,7 @@ in {
         description = "Factory Steps";
         default = [];
         example = [
-          "steps.Git(repourl='git://github.com/buildbot/pyflakes.git', mode='incremental')"
+          "steps.Git(repourl='https://github.com/buildbot/pyflakes.git', mode='incremental')"
           "steps.ShellCommand(command=['trial', 'pyflakes'])"
         ];
       };
@@ -74,7 +74,7 @@ in {
         description = "List of Change Sources.";
         default = [];
         example = [
-          "changes.GitPoller('git://github.com/buildbot/pyflakes.git', workdir='gitpoller-workdir', branch='master', pollinterval=300)"
+          "changes.GitPoller('https://github.com/buildbot/pyflakes.git', workdir='gitpoller-workdir', branch='master', pollinterval=300)"
         ];
       };
 
diff --git a/nixpkgs/nixos/modules/services/desktops/pipewire/pipewire-media-session.nix b/nixpkgs/nixos/modules/services/desktops/pipewire/pipewire-media-session.nix
index 109c91134b99..6027e4f3d4bf 100644
--- a/nixpkgs/nixos/modules/services/desktops/pipewire/pipewire-media-session.nix
+++ b/nixpkgs/nixos/modules/services/desktops/pipewire/pipewire-media-session.nix
@@ -110,6 +110,11 @@ in {
       source = json.generate "v4l2-monitor.conf" configs.v4l2-monitor;
     };
 
+    environment.etc."pipewire/media-session.d/with-audio" =
+      mkIf config.services.pipewire.audio.enable {
+        text = "";
+      };
+
     environment.etc."pipewire/media-session.d/with-alsa" =
       mkIf config.services.pipewire.alsa.enable {
         text = "";
diff --git a/nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix b/nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix
index 59e9342a6ea1..1323336d866e 100644
--- a/nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix
+++ b/nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix
@@ -116,6 +116,16 @@ in {
         };
       };
 
+      audio = {
+        enable = lib.mkOption {
+          type = lib.types.bool;
+          # this is for backwards compatibility
+          default = cfg.alsa.enable || cfg.jack.enable || cfg.pulse.enable;
+          defaultText = lib.literalExpression "config.services.pipewire.alsa.enable || config.services.pipewire.jack.enable || config.services.pipewire.pulse.enable";
+          description = "Whether to use PipeWire as the primary sound server";
+        };
+      };
+
       alsa = {
         enable = mkEnableOption "ALSA support";
         support32Bit = mkEnableOption "32-bit ALSA support on 64-bit systems";
@@ -152,13 +162,18 @@ in {
   config = mkIf cfg.enable {
     assertions = [
       {
-        assertion = cfg.pulse.enable -> !config.hardware.pulseaudio.enable;
-        message = "PipeWire based PulseAudio server emulation replaces PulseAudio. This option requires `hardware.pulseaudio.enable` to be set to false";
+        assertion = cfg.audio.enable -> !config.hardware.pulseaudio.enable;
+        message = "Using PipeWire as the sound server conflicts with PulseAudio. This option requires `hardware.pulseaudio.enable` to be set to false";
       }
       {
         assertion = cfg.jack.enable -> !config.services.jack.jackd.enable;
         message = "PipeWire based JACK emulation doesn't use the JACK service. This option requires `services.jack.jackd.enable` to be set to false";
       }
+      {
+        # JACK intentionally not checked, as PW-on-JACK setups are a thing that some people may want
+        assertion = (cfg.alsa.enable || cfg.pulse.enable) -> cfg.audio.enable;
+        message = "Using PipeWire's ALSA/PulseAudio compatibility layers requires running PipeWire as the sound server. Set `services.pipewire.audio.enable` to true.";
+      }
     ];
 
     environment.systemPackages = [ cfg.package ]
diff --git a/nixpkgs/nixos/modules/services/desktops/pipewire/wireplumber.nix b/nixpkgs/nixos/modules/services/desktops/pipewire/wireplumber.nix
index 52ec17b95db4..32206ccb4e60 100644
--- a/nixpkgs/nixos/modules/services/desktops/pipewire/wireplumber.nix
+++ b/nixpkgs/nixos/modules/services/desktops/pipewire/wireplumber.nix
@@ -1,7 +1,9 @@
 { config, lib, pkgs, ... }:
 
 let
-  cfg = config.services.pipewire.wireplumber;
+  pwCfg = config.services.pipewire;
+  cfg = pwCfg.wireplumber;
+  pwUsedForAudio = pwCfg.audio.enable;
 in
 {
   meta.maintainers = [ lib.maintainers.k900 ];
@@ -33,6 +35,14 @@ in
     ];
 
     environment.systemPackages = [ cfg.package ];
+
+    environment.etc."wireplumber/main.lua.d/80-nixos.lua" = lib.mkIf (!pwUsedForAudio) {
+     text = ''
+        # Pipewire is not used for audio, so prevent it from grabbing audio devices
+        alsa_monitor.enable = function() end
+      '';
+    };
+
     systemd.packages = [ cfg.package ];
 
     systemd.services.wireplumber.enable = config.services.pipewire.systemWide;
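Review bot: The added `80-nixos.lua` starts its comment with `#`, but Lua comments begin with `--`; as written wireplumber will fail to parse the file, so the `alsa_monitor.enable` override never takes effect and PipeWire still grabs the audio devices it was meant to leave alone. Change the line to `-- Pipewire is not used for audio, so prevent it from grabbing audio devices`. The `text = ''` line is also indented one column less than its siblings, which is cosmetic but worth aligning.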
diff --git a/nixpkgs/nixos/modules/services/games/factorio.nix b/nixpkgs/nixos/modules/services/games/factorio.nix
index 96fcd6d2c8b3..ff73d7a46ed3 100644
--- a/nixpkgs/nixos/modules/services/games/factorio.nix
+++ b/nixpkgs/nixos/modules/services/games/factorio.nix
@@ -53,6 +53,14 @@ in
         '';
       };
 
+      bind = mkOption {
+        type = types.str;
+        default = "0.0.0.0";
+        description = ''
+          The address to which the service should bind.
+        '';
+      };
+
       admins = mkOption {
         type = types.listOf types.str;
         default = [];
@@ -241,6 +249,7 @@ in
           "${cfg.package}/bin/factorio"
           "--config=${cfg.configFile}"
           "--port=${toString cfg.port}"
+          "--bind=${cfg.bind}"
           "--start-server=${mkSavePath cfg.saveName}"
           "--server-settings=${serverSettingsFile}"
           (optionalString (cfg.mods != []) "--mod-directory=${modDir}")
diff --git a/nixpkgs/nixos/modules/services/games/minecraft-server.nix b/nixpkgs/nixos/modules/services/games/minecraft-server.nix
index 5bb8eff57629..8233962c1a2c 100644
--- a/nixpkgs/nixos/modules/services/games/minecraft-server.nix
+++ b/nixpkgs/nixos/modules/services/games/minecraft-server.nix
@@ -153,7 +153,7 @@ in {
         type = types.separatedString " ";
         default = "-Xmx2048M -Xms2048M";
         # Example options from https://minecraft.gamepedia.com/Tutorials/Server_startup_script
-        example = "-Xmx2048M -Xms4092M -XX:+UseG1GC -XX:+CMSIncrementalPacing "
+        example = "-Xms4092M -Xmx4092M -XX:+UseG1GC -XX:+CMSIncrementalPacing "
           + "-XX:+CMSClassUnloadingEnabled -XX:ParallelGCThreads=2 "
           + "-XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10";
         description = "JVM options for the Minecraft server.";
diff --git a/nixpkgs/nixos/modules/services/hardware/joycond.nix b/nixpkgs/nixos/modules/services/hardware/joycond.nix
index ffef4f8a4e18..d81c1bb6d63d 100644
--- a/nixpkgs/nixos/modules/services/hardware/joycond.nix
+++ b/nixpkgs/nixos/modules/services/hardware/joycond.nix
@@ -22,13 +22,9 @@ with lib;
   };
 
   config = mkIf cfg.enable {
-    environment.systemPackages = [
-      kernelPackages.hid-nintendo
-      cfg.package
-    ];
+    environment.systemPackages = [ cfg.package ];
 
-    boot.extraModulePackages = [ kernelPackages.hid-nintendo ];
-    boot.kernelModules = [ "hid_nintendo" ];
+    boot.extraModulePackages = optional (versionOlder kernelPackages.kernel.version "5.16") kernelPackages.hid-nintendo;
 
     services.udev.packages = [ cfg.package ];
 
diff --git a/nixpkgs/nixos/modules/services/logging/graylog.nix b/nixpkgs/nixos/modules/services/logging/graylog.nix
index e6a23233ba28..28e2d18bf031 100644
--- a/nixpkgs/nixos/modules/services/logging/graylog.nix
+++ b/nixpkgs/nixos/modules/services/logging/graylog.nix
@@ -132,7 +132,7 @@ in
         description = "Graylog server daemon user";
       };
     };
-    users.groups = mkIf (cfg.user == "graylog") {};
+    users.groups = mkIf (cfg.user == "graylog") { graylog = {}; };
 
     systemd.tmpfiles.rules = [
       "d '${cfg.messageJournalDir}' - ${cfg.user} - - -"
diff --git a/nixpkgs/nixos/modules/services/matrix/matrix-synapse.xml b/nixpkgs/nixos/modules/services/matrix/matrix-synapse.xml
index cdc4b4de1a73..cf33957d58ec 100644
--- a/nixpkgs/nixos/modules/services/matrix/matrix-synapse.xml
+++ b/nixpkgs/nixos/modules/services/matrix/matrix-synapse.xml
@@ -119,7 +119,7 @@ in {
     <link linkend="opt-services.matrix-synapse.settings.listeners">listeners</link> = [
       {
         <link linkend="opt-services.matrix-synapse.settings.listeners._.port">port</link> = 8008;
-        <link linkend="opt-services.matrix-synapse.settings.listeners._.bind_addresses">bind_address</link> = [ "::1" ];
+        <link linkend="opt-services.matrix-synapse.settings.listeners._.bind_addresses">bind_addresses</link> = [ "::1" ];
         <link linkend="opt-services.matrix-synapse.settings.listeners._.type">type</link> = "http";
         <link linkend="opt-services.matrix-synapse.settings.listeners._.tls">tls</link> = false;
         <link linkend="opt-services.matrix-synapse.settings.listeners._.x_forwarded">x_forwarded</link> = true;
@@ -152,10 +152,10 @@ in {
 
   <para>
    If you want to run a server with public registration by anybody, you can
-   then enable <literal><link linkend="opt-services.matrix-synapse.settings.enable_registration">services.matrix-synapse.enable_registration</link> =
+   then enable <literal><link linkend="opt-services.matrix-synapse.settings.enable_registration">services.matrix-synapse.settings.enable_registration</link> =
    true;</literal>. Otherwise, or you can generate a registration secret with
    <command>pwgen -s 64 1</command> and set it with
-   <option><link linkend="opt-services.matrix-synapse.settings.registration_shared_secret">services.matrix-synapse.registration_shared_secret</link></option>.
+   <option><link linkend="opt-services.matrix-synapse.settings.registration_shared_secret">services.matrix-synapse.settings.registration_shared_secret</link></option>.
    To create a new user or admin, run the following after you have set the secret
    and have rebuilt NixOS:
 <screen>
diff --git a/nixpkgs/nixos/modules/services/misc/autorandr.nix b/nixpkgs/nixos/modules/services/misc/autorandr.nix
index a65c5c9d11cf..ef799e9ce3b6 100644
--- a/nixpkgs/nixos/modules/services/misc/autorandr.nix
+++ b/nixpkgs/nixos/modules/services/misc/autorandr.nix
@@ -5,6 +5,243 @@ with lib;
 let
 
   cfg = config.services.autorandr;
+  hookType = types.lines;
+
+  matrixOf = n: m: elemType:
+  mkOptionType rec {
+    name = "matrixOf";
+    description =
+      "${toString n}×${toString m} matrix of ${elemType.description}s";
+    check = xss:
+      let listOfSize = l: xs: isList xs && length xs == l;
+      in listOfSize n xss
+      && all (xs: listOfSize m xs && all elemType.check xs) xss;
+    merge = mergeOneOption;
+    getSubOptions = prefix: elemType.getSubOptions (prefix ++ [ "*" "*" ]);
+    getSubModules = elemType.getSubModules;
+    substSubModules = mod: matrixOf n m (elemType.substSubModules mod);
+    functor = (defaultFunctor name) // { wrapped = elemType; };
+  };
+
+  profileModule = types.submodule {
+    options = {
+      fingerprint = mkOption {
+        type = types.attrsOf types.str;
+        description = ''
+          Output name to EDID mapping.
+          Use <code>autorandr --fingerprint</code> to get current setup values.
+        '';
+        default = { };
+      };
+
+      config = mkOption {
+        type = types.attrsOf configModule;
+        description = "Per output profile configuration.";
+        default = { };
+      };
+
+      hooks = mkOption {
+        type = hooksModule;
+        description = "Profile hook scripts.";
+        default = { };
+      };
+    };
+  };
+
+  configModule = types.submodule {
+    options = {
+      enable = mkOption {
+        type = types.bool;
+        description = "Whether to enable the output.";
+        default = true;
+      };
+
+      crtc = mkOption {
+        type = types.nullOr types.ints.unsigned;
+        description = "Output video display controller.";
+        default = null;
+        example = 0;
+      };
+
+      primary = mkOption {
+        type = types.bool;
+        description = "Whether output should be marked as primary";
+        default = false;
+      };
+
+      position = mkOption {
+        type = types.str;
+        description = "Output position";
+        default = "";
+        example = "5760x0";
+      };
+
+      mode = mkOption {
+        type = types.str;
+        description = "Output resolution.";
+        default = "";
+        example = "3840x2160";
+      };
+
+      rate = mkOption {
+        type = types.str;
+        description = "Output framerate.";
+        default = "";
+        example = "60.00";
+      };
+
+      gamma = mkOption {
+        type = types.str;
+        description = "Output gamma configuration.";
+        default = "";
+        example = "1.0:0.909:0.833";
+      };
+
+      rotate = mkOption {
+        type = types.nullOr (types.enum [ "normal" "left" "right" "inverted" ]);
+        description = "Output rotate configuration.";
+        default = null;
+        example = "left";
+      };
+
+      transform = mkOption {
+        type = types.nullOr (matrixOf 3 3 types.float);
+        default = null;
+        example = literalExpression ''
+          [
+            [ 0.6 0.0 0.0 ]
+            [ 0.0 0.6 0.0 ]
+            [ 0.0 0.0 1.0 ]
+          ]
+        '';
+        description = ''
+          Refer to
+          <citerefentry>
+            <refentrytitle>xrandr</refentrytitle>
+            <manvolnum>1</manvolnum>
+          </citerefentry>
+          for the documentation of the transform matrix.
+        '';
+      };
+
+      dpi = mkOption {
+        type = types.nullOr types.ints.positive;
+        description = "Output DPI configuration.";
+        default = null;
+        example = 96;
+      };
+
+      scale = mkOption {
+        type = types.nullOr (types.submodule {
+          options = {
+            method = mkOption {
+              type = types.enum [ "factor" "pixel" ];
+              description = "Output scaling method.";
+              default = "factor";
+              example = "pixel";
+            };
+
+            x = mkOption {
+              type = types.either types.float types.ints.positive;
+              description = "Horizontal scaling factor/pixels.";
+            };
+
+            y = mkOption {
+              type = types.either types.float types.ints.positive;
+              description = "Vertical scaling factor/pixels.";
+            };
+          };
+        });
+        description = ''
+          Output scale configuration.
+          </para><para>
+          Either configure by pixels or a scaling factor. When using pixel method the
+          <citerefentry>
+            <refentrytitle>xrandr</refentrytitle>
+            <manvolnum>1</manvolnum>
+          </citerefentry>
+          option
+          <parameter class="command">--scale-from</parameter>
+          will be used; when using factor method the option
+          <parameter class="command">--scale</parameter>
+          will be used.
+          </para><para>
+          This option is a shortcut version of the transform option and they are mutually
+          exclusive.
+        '';
+        default = null;
+        example = literalExpression ''
+          {
+            x = 1.25;
+            y = 1.25;
+          }
+        '';
+      };
+    };
+  };
+
+  hooksModule = types.submodule {
+    options = {
+      postswitch = mkOption {
+        type = types.attrsOf hookType;
+        description = "Postswitch hook executed after mode switch.";
+        default = { };
+      };
+
+      preswitch = mkOption {
+        type = types.attrsOf hookType;
+        description = "Preswitch hook executed before mode switch.";
+        default = { };
+      };
+
+      predetect = mkOption {
+        type = types.attrsOf hookType;
+        description = ''
+          Predetect hook executed before autorandr attempts to run xrandr.
+        '';
+        default = { };
+      };
+    };
+  };
+
+  hookToFile = folder: name: hook:
+    nameValuePair "xdg/autorandr/${folder}/${name}" {
+      source = "${pkgs.writeShellScriptBin "hook" hook}/bin/hook";
+    };
+  profileToFiles = name: profile:
+    with profile;
+    mkMerge ([
+      {
+        "xdg/autorandr/${name}/setup".text = concatStringsSep "\n"
+          (mapAttrsToList fingerprintToString fingerprint);
+        "xdg/autorandr/${name}/config".text =
+          concatStringsSep "\n" (mapAttrsToList configToString profile.config);
+      }
+      (mapAttrs' (hookToFile "${name}/postswitch.d") hooks.postswitch)
+      (mapAttrs' (hookToFile "${name}/preswitch.d") hooks.preswitch)
+      (mapAttrs' (hookToFile "${name}/predetect.d") hooks.predetect)
+    ]);
+  fingerprintToString = name: edid: "${name} ${edid}";
+  configToString = name: config:
+    if config.enable then
+      concatStringsSep "\n" ([ "output ${name}" ]
+        ++ optional (config.position != "") "pos ${config.position}"
+        ++ optional (config.crtc != null) "crtc ${toString config.crtc}"
+        ++ optional config.primary "primary"
+        ++ optional (config.dpi != null) "dpi ${toString config.dpi}"
+        ++ optional (config.gamma != "") "gamma ${config.gamma}"
+        ++ optional (config.mode != "") "mode ${config.mode}"
+        ++ optional (config.rate != "") "rate ${config.rate}"
+        ++ optional (config.rotate != null) "rotate ${config.rotate}"
+        ++ optional (config.transform != null) ("transform "
+          + concatMapStringsSep "," toString (flatten config.transform))
+        ++ optional (config.scale != null)
+        ((if config.scale.method == "factor" then "scale" else "scale-from")
+          + " ${toString config.scale.x}x${toString config.scale.y}"))
+    else ''
+      output ${name}
+      off
+    '';
 
 in {
 
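Review bot: `hookToFile` turns every hook body into a `writeShellScriptBin` derivation, so hook text ends up in the world-readable Nix store and is linked under `/etc/xdg/autorandr`, and none of the hook options says so. Anything a user pastes into a `postswitch`/`preswitch`/`predetect` hook (a token for a notification service, for instance) is therefore readable by every local account. I would add to the three hook descriptions in `hooksModule`: `Hook scripts are stored in the Nix store and are world-readable; do not embed secrets in them.` Since all three share the `hookType = types.lines` alias, that is a one-line note on each option.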
@@ -22,6 +259,67 @@ in {
           for further reference.
         '';
       };
+
+      hooks = mkOption {
+        type = hooksModule;
+        description = "Global hook scripts";
+        default = { };
+        example = ''
+          {
+            postswitch = {
+              "notify-i3" = "''${pkgs.i3}/bin/i3-msg restart";
+              "change-background" = readFile ./change-background.sh;
+              "change-dpi" = '''
+                case "$AUTORANDR_CURRENT_PROFILE" in
+                  default)
+                    DPI=120
+                    ;;
+                  home)
+                    DPI=192
+                    ;;
+                  work)
+                    DPI=144
+                    ;;
+                  *)
+                    echo "Unknown profle: $AUTORANDR_CURRENT_PROFILE"
+                    exit 1
+                esac
+                echo "Xft.dpi: $DPI" | ''${pkgs.xorg.xrdb}/bin/xrdb -merge
+              '''
+            };
+          }
+        '';
+      };
+      profiles = mkOption {
+        type = types.attrsOf profileModule;
+        description = "Autorandr profiles specification.";
+        default = { };
+        example = literalExpression ''
+          {
+            "work" = {
+              fingerprint = {
+                eDP1 = "<EDID>";
+                DP1 = "<EDID>";
+              };
+              config = {
+                eDP1.enable = false;
+                DP1 = {
+                  enable = true;
+                  crtc = 0;
+                  primary = true;
+                  position = "0x0";
+                  mode = "3840x2160";
+                  gamma = "1.0:0.909:0.833";
+                  rate = "60.00";
+                  rotate = "left";
+                };
+              };
+              hooks.postswitch = readFile ./work-postswitch.sh;
+            };
+          }
+        '';
+      };
+
     };
 
   };
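Review bot: The `profiles` example sets `hooks.postswitch = readFile ./work-postswitch.sh;`, but `hooksModule.postswitch` is declared as `types.attrsOf hookType`, so copying the example verbatim fails the type check; it should name the hook, e.g. `hooks.postswitch."work" = readFile ./work-postswitch.sh;`. The `hooks` example just above is a plain string rather than `literalExpression`, unlike `profiles`, so the manual will render it as a quoted string instead of Nix code; wrapping it in `literalExpression` (keeping the `''${` escapes) fixes that.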
@@ -30,7 +328,15 @@ in {
 
     services.udev.packages = [ pkgs.autorandr ];
 
-    environment.systemPackages = [ pkgs.autorandr ];
+    environment = {
+      systemPackages = [ pkgs.autorandr ];
+      etc = mkMerge ([
+        (mapAttrs' (hookToFile "postswitch.d") cfg.hooks.postswitch)
+        (mapAttrs' (hookToFile "preswitch.d") cfg.hooks.preswitch)
+        (mapAttrs' (hookToFile "predetect.d") cfg.hooks.predetect)
+        (mkMerge (mapAttrsToList profileToFiles cfg.profiles))
+      ]);
+    };
 
     systemd.services.autorandr = {
       wantedBy = [ "sleep.target" ];
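Review bot: Nothing enforces the `scale`/`transform` mutual exclusion that the `scale` option's description promises: `configToString` emits both a `transform` and a `scale` line when both are set, and autorandr receives a config that contradicts itself. The `config = mkIf cfg.enable { ... }` attrset this hunk sits in (it starts and ends outside the hunk) is the natural place for an assertion over `cfg.profiles`. Something like the following, next to `services.udev.packages`:
```nix
    assertions = flatten (mapAttrsToList (profileName: profile:
      mapAttrsToList (outputName: output: {
        assertion = !(output.scale != null && output.transform != null);
        message = "services.autorandr.profiles.${profileName}.config.${outputName}: scale and transform are mutually exclusive";
      }) profile.config) cfg.profiles);
    # … unchanged: services.udev.packages, environment, systemd.services.autorandr …
```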
@@ -49,5 +355,5 @@ in {
 
   };
 
-  meta.maintainers = with maintainers; [ ];
+  meta.maintainers = with maintainers; [ alexnortung ];
 }
diff --git a/nixpkgs/nixos/modules/services/misc/dendrite.nix b/nixpkgs/nixos/modules/services/misc/dendrite.nix
index b2885b094153..89bb989a09ec 100644
--- a/nixpkgs/nixos/modules/services/misc/dendrite.nix
+++ b/nixpkgs/nixos/modules/services/misc/dendrite.nix
@@ -248,14 +248,11 @@ in
         RuntimeDirectory = "dendrite";
         RuntimeDirectoryMode = "0700";
         EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
-        ExecStartPre =
-          if (cfg.environmentFile != null) then ''
-            ${pkgs.envsubst}/bin/envsubst \
-              -i ${configurationYaml} \
-              -o /run/dendrite/dendrite.yaml
-          '' else ''
-            ${pkgs.coreutils}/bin/cp ${configurationYaml} /run/dendrite/dendrite.yaml
-          '';
+        ExecStartPre = ''
+          ${pkgs.envsubst}/bin/envsubst \
+            -i ${configurationYaml} \
+            -o /run/dendrite/dendrite.yaml
+        '';
         ExecStart = lib.strings.concatStringsSep " " ([
           "${pkgs.dendrite}/bin/dendrite-monolith-server"
           "--config /run/dendrite/dendrite.yaml"
diff --git a/nixpkgs/nixos/modules/services/misc/moonraker.nix b/nixpkgs/nixos/modules/services/misc/moonraker.nix
index ae57aaa6d479..b75227effa04 100644
--- a/nixpkgs/nixos/modules/services/misc/moonraker.nix
+++ b/nixpkgs/nixos/modules/services/misc/moonraker.nix
@@ -79,6 +79,19 @@ in {
           for supported values.
         '';
       };
+
+      allowSystemControl = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to allow Moonraker to perform system-level operations.
+
+          Moonraker exposes APIs to perform system-level operations, such as
+          reboot, shutdown, and management of systemd units. See the
+          <link xlink:href="https://moonraker.readthedocs.io/en/latest/web_api/#machine-commands">documentation</link>
+          for details on what clients are able to do.
+        '';
+      };
     };
   };
 
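Review bot: The description for `allowSystemControl` should state what the option actually grants rather than only linking to Moonraker's docs: the polkit rule it enables (further down in this file) gives the Moonraker user `org.freedesktop.systemd1.manage-units` for every unit on the host, power-off/reboot, and every `org.freedesktop.packagekit.*` action. Because those actions become reachable by any client that can talk to Moonraker's API, the caveat belongs here, e.g. `This lets any client that can reach the Moonraker API start, stop and restart arbitrary systemd units, reboot or power off the host and drive PackageKit; only enable it together with Moonraker's own authentication and trusted-client restrictions.`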
@@ -86,6 +99,13 @@ in {
     warnings = optional (cfg.settings ? update_manager)
       ''Enabling update_manager is not supported on NixOS and will lead to non-removable warnings in some clients.'';
 
+    assertions = [
+      {
+        assertion = cfg.allowSystemControl -> config.security.polkit.enable;
+        message = "services.moonraker.allowSystemControl requires polkit to be enabled (security.polkit.enable).";
+      }
+    ];
+
     users.users = optionalAttrs (cfg.user == "moonraker") {
       moonraker = {
         group = cfg.group;
@@ -128,11 +148,31 @@ in {
         exec ${pkg}/bin/moonraker -c ${cfg.configDir}/moonraker-temp.cfg
       '';
 
+      # Needs `ip` command
+      path = [ pkgs.iproute2 ];
+
       serviceConfig = {
         WorkingDirectory = cfg.stateDir;
         Group = cfg.group;
         User = cfg.user;
       };
     };
+
+    security.polkit.extraConfig = lib.optionalString cfg.allowSystemControl ''
+      // nixos/moonraker: Allow Moonraker to perform system-level operations
+      //
+      // This was enabled via services.moonraker.allowSystemControl.
+      polkit.addRule(function(action, subject) {
+        if ((action.id == "org.freedesktop.systemd1.manage-units" ||
+             action.id == "org.freedesktop.login1.power-off" ||
+             action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
+             action.id == "org.freedesktop.login1.reboot" ||
+             action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
+             action.id.startsWith("org.freedesktop.packagekit.")) &&
+             subject.user == "${cfg.user}") {
+          return polkit.Result.YES;
+        }
+      });
+    '';
   };
 }
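Review bot: The `org.freedesktop.systemd1.manage-units` branch has no unit filter, so the rule lets the Moonraker user start, stop or restart any unit on the system, which is far more than the printer-management use case needs and turns a compromised Moonraker (its API is commonly unauthenticated for trusted hosts) into a full service-control primitive. polkit exposes the target as `action.lookup("unit")` (and the operation as `action.lookup("verb")`), so the rule can be scoped to the units Moonraker must control; which units those are is not visible here, `klipper.service` and `moonraker.service` are the obvious candidates, confirm against Moonraker's machine API docs. The `startsWith("org.freedesktop.packagekit.")` match is likewise broad and worth limiting to the specific action ids the update manager uses. A scoped version of the rule body:
```nix
      polkit.addRule(function(action, subject) {
        if (subject.user != "${cfg.user}") {
          return;
        }
        if (action.id == "org.freedesktop.systemd1.manage-units") {
          var unit = action.lookup("unit");
          // TODO(review): confirm the exact unit list Moonraker needs
          if (unit == "klipper.service" || unit == "moonraker.service") {
            return polkit.Result.YES;
          }
          return;
        }
        if (action.id == "org.freedesktop.login1.power-off" ||
            action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
            action.id == "org.freedesktop.login1.reboot" ||
            action.id == "org.freedesktop.login1.reboot-multiple-sessions") {
          return polkit.Result.YES;
        }
        // … unchanged: packagekit branch, ideally narrowed to specific action ids …
      });
```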
diff --git a/nixpkgs/nixos/modules/services/misc/nix-daemon.nix b/nixpkgs/nixos/modules/services/misc/nix-daemon.nix
index 2b21df91b82f..d56808c7564e 100644
--- a/nixpkgs/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixpkgs/nixos/modules/services/misc/nix-daemon.nix
@@ -112,11 +112,11 @@ in
 
 {
   imports = [
-    (mkRenamedOptionModule [ "nix" "useChroot" ] [ "nix" "useSandbox" ])
-    (mkRenamedOptionModule [ "nix" "chrootDirs" ] [ "nix" "sandboxPaths" ])
-    (mkRenamedOptionModule [ "nix" "daemonIONiceLevel" ] [ "nix" "daemonIOSchedPriority" ])
+    (mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "useChroot" ]; to = [ "nix" "useSandbox" ]; })
+    (mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "chrootDirs" ]; to = [ "nix" "sandboxPaths" ]; })
+    (mkRenamedOptionModuleWith { sinceRelease = 2205; from = [ "nix" "daemonIONiceLevel" ]; to = [ "nix" "daemonIOSchedPriority" ]; })
     (mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.")
-  ] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModule [ "nix" oldConf ] [ "nix" "settings" newConf ]) legacyConfMappings;
+  ] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModuleWith { sinceRelease = 2205; from = [ "nix" oldConf ]; to = [ "nix" "settings" newConf ]; }) legacyConfMappings;
 
   ###### interface
 
diff --git a/nixpkgs/nixos/modules/services/misc/nix-gc.nix b/nixpkgs/nixos/modules/services/misc/nix-gc.nix
index a7a6a3b59644..b4b4b55a6c82 100644
--- a/nixpkgs/nixos/modules/services/misc/nix-gc.nix
+++ b/nixpkgs/nixos/modules/services/misc/nix-gc.nix
@@ -81,8 +81,14 @@ in
   ###### implementation
 
   config = {
-
-    systemd.services.nix-gc = {
+    assertions = [
+      {
+        assertion = cfg.automatic -> config.nix.enable;
+        message = ''nix.gc.automatic requires nix.enable'';
+      }
+    ];
+
+    systemd.services.nix-gc = lib.mkIf config.nix.enable {
       description = "Nix Garbage Collector";
       script = "exec ${config.nix.package.out}/bin/nix-collect-garbage ${cfg.options}";
       startAt = optional cfg.automatic cfg.dates;
diff --git a/nixpkgs/nixos/modules/services/misc/nix-optimise.nix b/nixpkgs/nixos/modules/services/misc/nix-optimise.nix
index e02026d5f76c..acf8177b146a 100644
--- a/nixpkgs/nixos/modules/services/misc/nix-optimise.nix
+++ b/nixpkgs/nixos/modules/services/misc/nix-optimise.nix
@@ -37,8 +37,14 @@ in
   ###### implementation
 
   config = {
-
-    systemd.services.nix-optimise =
+    assertions = [
+      {
+        assertion = cfg.automatic -> config.nix.enable;
+        message = ''nix.optimise.automatic requires nix.enable'';
+      }
+    ];
+
+    systemd.services.nix-optimise = lib.mkIf config.nix.enable
       { description = "Nix Store Optimiser";
         # No point this if the nix daemon (and thus the nix store) is outside
         unitConfig.ConditionPathIsReadWrite = "/nix/var/nix/daemon-socket";
diff --git a/nixpkgs/nixos/modules/services/misc/paperless-ng.nix b/nixpkgs/nixos/modules/services/misc/paperless-ng.nix
index 44efc234a2b3..11e44f5ece57 100644
--- a/nixpkgs/nixos/modules/services/misc/paperless-ng.nix
+++ b/nixpkgs/nixos/modules/services/misc/paperless-ng.nix
@@ -214,6 +214,8 @@ in
         User = cfg.user;
         ExecStart = "${cfg.package}/bin/paperless-ng qcluster";
         Restart = "on-failure";
+        # The `mbind` syscall is needed for running the classifier.
+        SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "mbind" ];
       };
       environment = env;
       wantedBy = [ "multi-user.target" ];
diff --git a/nixpkgs/nixos/modules/services/monitoring/grafana.nix b/nixpkgs/nixos/modules/services/monitoring/grafana.nix
index 81fca33f5fec..b959379d331a 100644
--- a/nixpkgs/nixos/modules/services/monitoring/grafana.nix
+++ b/nixpkgs/nixos/modules/services/monitoring/grafana.nix
@@ -214,6 +214,11 @@ let
           type = types.path;
           description = "Path grafana will watch for dashboards.";
         };
+        foldersFromFilesStructure = mkOption {
+          type = types.bool;
+          default = false;
+          description = "Use folder names from filesystem to create folders in Grafana.";
+        };
       };
     };
   };
diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix
index 5b5a6e18fcd6..ede6028933a4 100644
--- a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix
+++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix
@@ -45,7 +45,8 @@ in
     };
     instance = mkOption {
       type = types.nullOr types.str;
-      default = null;
+      default = config.services.varnish.stateDir;
+      defaultText = lib.literalExpression "config.services.varnish.stateDir";
       description = ''
         varnishstat -n value.
       '';
@@ -66,7 +67,7 @@ in
     };
   };
   serviceOpts = {
-    path = [ pkgs.varnish ];
+    path = [ config.services.varnish.package ];
     serviceConfig = {
       RestartSec = mkDefault 1;
       DynamicUser = false;
diff --git a/nixpkgs/nixos/modules/services/network-filesystems/ipfs.nix b/nixpkgs/nixos/modules/services/network-filesystems/ipfs.nix
index 17da020bf3e2..7e96179b3cab 100644
--- a/nixpkgs/nixos/modules/services/network-filesystems/ipfs.nix
+++ b/nixpkgs/nixos/modules/services/network-filesystems/ipfs.nix
@@ -1,16 +1,17 @@
-{ config, lib, pkgs, options, ... }:
+{ config, lib, pkgs, options, utils, ... }:
 with lib;
 let
   cfg = config.services.ipfs;
   opt = options.services.ipfs;
 
-  ipfsFlags = toString ([
-    (optionalString cfg.autoMount "--mount")
-    (optionalString cfg.enableGC "--enable-gc")
-    (optionalString (cfg.serviceFdlimit != null) "--manage-fdlimit=false")
-    (optionalString (cfg.defaultMode == "offline") "--offline")
-    (optionalString (cfg.defaultMode == "norouting") "--routing=none")
-  ] ++ cfg.extraFlags);
+  ipfsFlags = utils.escapeSystemdExecArgs (
+    optional cfg.autoMount "--mount" ++
+    optional cfg.enableGC "--enable-gc" ++
+    optional (cfg.serviceFdlimit != null) "--manage-fdlimit=false" ++
+    optional (cfg.defaultMode == "offline") "--offline" ++
+    optional (cfg.defaultMode == "norouting") "--routing=none" ++
+    cfg.extraFlags
+  );
 
   profile =
     if cfg.localDiscovery
@@ -239,7 +240,10 @@ in
       "d '${cfg.ipnsMountDir}' - ${cfg.user} ${cfg.group} - -"
     ];
 
-    systemd.packages = [ cfg.package ];
+    # The hardened systemd unit breaks the fuse-mount function according to documentation in the unit file itself
+    systemd.packages = if cfg.autoMount
+      then [ cfg.package.systemd_unit ]
+      else [ cfg.package.systemd_unit_hardened ];
 
     systemd.services.ipfs = {
       path = [ "/run/wrappers" cfg.package ];
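Review bot: Selecting `cfg.package.systemd_unit` when `autoMount` is set silently drops whatever sandboxing `systemd_unit_hardened` provides for that configuration, and the trade-off is only recorded in a code comment that users never see. The `autoMount` option description (outside this hunk) should carry the caveat, e.g. `Enabling this uses the un-hardened upstream unit, because the FUSE mounts do not work under the sandboxed one; the daemon then runs without that unit's sandboxing restrictions.` The exact directives lost live in the package's unit files and are not visible here, so keep the wording general; a `warnings` entry when `autoMount` is enabled would also make the downgrade visible at rebuild time.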
@@ -275,6 +279,8 @@ in
         ExecStart = [ "" "${cfg.package}/bin/ipfs daemon ${ipfsFlags}" ];
         User = cfg.user;
         Group = cfg.group;
+        StateDirectory = "";
+        ReadWritePaths = [ "" cfg.dataDir ];
       } // optionalAttrs (cfg.serviceFdlimit != null) { LimitNOFILE = cfg.serviceFdlimit; };
     } // optionalAttrs (!cfg.startWhenNeeded) {
       wantedBy = [ "default.target" ];
diff --git a/nixpkgs/nixos/modules/services/network-filesystems/samba.nix b/nixpkgs/nixos/modules/services/network-filesystems/samba.nix
index 9ed755d0465c..992f948e8cd5 100644
--- a/nixpkgs/nixos/modules/services/network-filesystems/samba.nix
+++ b/nixpkgs/nixos/modules/services/network-filesystems/samba.nix
@@ -224,6 +224,7 @@ in
           targets.samba = {
             description = "Samba Server";
             after = [ "network.target" ];
+            wants = [ "network-online.target" ];
             wantedBy = [ "multi-user.target" ];
           };
           # Refer to https://github.com/samba-team/samba/tree/master/packaging/systemd
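Review bot: `wants = [ "network-online.target" ]` on `targets.samba` pulls the target in but does not order after it; `after` still lists only `network.target`, so `samba.target` can still be reached before the network is actually up and the wait this `wants` is presumably meant to provide never happens. Add it to `after` as well: `after = [ "network.target" "network-online.target" ];`. Whether the individual smbd/nmbd/winbindd units (outside this hunk) inherit that ordering depends on whether they are `after` the target themselves, so check those too.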
diff --git a/nixpkgs/nixos/modules/services/networking/dhcpd.nix b/nixpkgs/nixos/modules/services/networking/dhcpd.nix
index 3c4c0069dfd0..49950efc0a1b 100644
--- a/nixpkgs/nixos/modules/services/networking/dhcpd.nix
+++ b/nixpkgs/nixos/modules/services/networking/dhcpd.nix
@@ -7,7 +7,7 @@ let
   cfg4 = config.services.dhcpd4;
   cfg6 = config.services.dhcpd6;
 
-  writeConfig = cfg: pkgs.writeText "dhcpd.conf"
+  writeConfig = postfix: cfg: pkgs.writeText "dhcpd.conf"
     ''
       default-lease-time 600;
       max-lease-time 7200;
@@ -21,7 +21,9 @@ let
           (machine: ''
             host ${machine.hostName} {
               hardware ethernet ${machine.ethernetAddress};
-              fixed-address ${machine.ipAddress};
+              fixed-address${
+                optionalString (postfix == "6") postfix
+              } ${machine.ipAddress};
             }
           '')
           cfg.machines
@@ -33,7 +35,7 @@ let
       configFile =
         if cfg.configFile != null
           then cfg.configFile
-          else writeConfig cfg;
+          else writeConfig postfix cfg;
       leaseFile = "/var/lib/dhcpd${postfix}/dhcpd.leases";
       args = [
         "@${pkgs.dhcp}/sbin/dhcpd" "dhcpd${postfix}" "-${postfix}"
diff --git a/nixpkgs/nixos/modules/services/networking/https-dns-proxy.nix b/nixpkgs/nixos/modules/services/networking/https-dns-proxy.nix
new file mode 100644
index 000000000000..85d6c362b466
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/networking/https-dns-proxy.nix
@@ -0,0 +1,128 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib)
+    concatStringsSep
+    mkEnableOption mkIf mkOption types;
+
+  cfg = config.services.https-dns-proxy;
+
+  providers = {
+    cloudflare = {
+      ips = [ "1.1.1.1" "1.0.0.1" ];
+      url = "https://cloudflare-dns.com/dns-query";
+    };
+    google = {
+      ips = [ "8.8.8.8" "8.8.4.4" ];
+      url = "https://dns.google/dns-query";
+    };
+    quad9 = {
+      ips = [ "9.9.9.9" "149.112.112.112" ];
+      url = "https://dns.quad9.net/dns-query";
+    };
+  };
+
+  defaultProvider = "quad9";
+
+  providerCfg =
+    let
+      isCustom = cfg.provider.kind == "custom";
+    in
+    lib.concatStringsSep " " [
+      "-b"
+      (concatStringsSep "," (if isCustom then cfg.provider.ips else providers."${cfg.provider.kind}".ips))
+      "-r"
+      (if isCustom then cfg.provider.url else providers."${cfg.provider.kind}".url)
+    ];
+
+in
+{
+  meta.maintainers = with lib.maintainers; [ peterhoeg ];
+
+  ###### interface
+
+  options.services.https-dns-proxy = {
+    enable = mkEnableOption "https-dns-proxy daemon";
+
+    address = mkOption {
+      description = "The address on which to listen";
+      type = types.str;
+      default = "127.0.0.1";
+    };
+
+    port = mkOption {
+      description = "The port on which to listen";
+      type = types.port;
+      default = 5053;
+    };
+
+    provider = {
+      kind = mkOption {
+        description = ''
+          The upstream provider to use or custom in case you do not trust any of
+          the predefined providers or just want to use your own.
+
+          The default is ${defaultProvider} and there are privacy and security trade-offs
+          when using any upstream provider. Please consider that before using any
+          of them.
+
+          If you pick a custom provider, you will need to provide the bootstrap
+          IP addresses as well as the resolver https URL.
+        '';
+        type = types.enum ((builtins.attrNames providers) ++ [ "custom" ]);
+        default = defaultProvider;
+      };
+
+      ips = mkOption {
+        description = "The custom provider IPs";
+        type = types.listOf types.str;
+      };
+
+      url = mkOption {
+        description = "The custom provider URL";
+        type = types.str;
+      };
+    };
+
+    preferIPv4 = mkOption {
+      description = ''
+        https_dns_proxy will by default use IPv6 and fail if it is not available.
+        To play it safe, we choose IPv4.
+      '';
+      type = types.bool;
+      default = true;
+    };
+
+    extraArgs = mkOption {
+      description = "Additional arguments to pass to the process.";
+      type = types.listOf types.str;
+      default = [ "-v" ];
+    };
+  };
+
+  ###### implementation
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.https-dns-proxy = {
+      description = "DNS to DNS over HTTPS (DoH) proxy";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = rec {
+        Type = "exec";
+        DynamicUser = true;
+        ExecStart = lib.concatStringsSep " " (
+          [
+            "${pkgs.https-dns-proxy}/bin/https_dns_proxy"
+            "-a ${toString cfg.address}"
+            "-p ${toString cfg.port}"
+            "-l -"
+            providerCfg
+          ]
+          ++ lib.optional cfg.preferIPv4 "-4"
+          ++ cfg.extraArgs
+        );
+        Restart = "on-failure";
+      };
+    };
+  };
+}
diff --git a/nixpkgs/nixos/modules/services/networking/iwd.nix b/nixpkgs/nixos/modules/services/networking/iwd.nix
index 8835f7f9372d..5c1480e7e2fb 100644
--- a/nixpkgs/nixos/modules/services/networking/iwd.nix
+++ b/nixpkgs/nixos/modules/services/networking/iwd.nix
@@ -1,12 +1,21 @@
 { config, lib, pkgs, ... }:
 
-with lib;
-
 let
+  inherit (lib)
+    mkEnableOption mkIf mkOption types
+    recursiveUpdate;
+
   cfg = config.networking.wireless.iwd;
   ini = pkgs.formats.ini { };
-  configFile = ini.generate "main.conf" cfg.settings;
-in {
+  defaults = {
+    # without UseDefaultInterface, sometimes wlan0 simply goes AWOL with NetworkManager
+    # https://iwd.wiki.kernel.org/interface_lifecycle#interface_management_in_iwd
+    General.UseDefaultInterface = with config.networking.networkmanager; (enable && (wifi.backend == "iwd"));
+  };
+  configFile = ini.generate "main.conf" (recursiveUpdate defaults cfg.settings);
+
+in
+{
   options.networking.wireless.iwd = {
     enable = mkEnableOption "iwd";
 
@@ -38,10 +47,10 @@ in {
       '';
     }];
 
-    environment.etc."iwd/main.conf".source = configFile;
+    environment.etc."iwd/${configFile.name}".source = configFile;
 
     # for iwctl
-    environment.systemPackages =  [ pkgs.iwd ];
+    environment.systemPackages = [ pkgs.iwd ];
 
     services.dbus.packages = [ pkgs.iwd ];
 
diff --git a/nixpkgs/nixos/modules/services/networking/nsd.nix b/nixpkgs/nixos/modules/services/networking/nsd.nix
index cf6c9661dc1b..a51fc5345342 100644
--- a/nixpkgs/nixos/modules/services/networking/nsd.nix
+++ b/nixpkgs/nixos/modules/services/networking/nsd.nix
@@ -194,19 +194,8 @@ let
                        zone.children
       );
 
-  # fighting infinite recursion
-  zoneOptions = zoneOptionsRaw // childConfig zoneOptions1 true;
-  zoneOptions1 = zoneOptionsRaw // childConfig zoneOptions2 false;
-  zoneOptions2 = zoneOptionsRaw // childConfig zoneOptions3 false;
-  zoneOptions3 = zoneOptionsRaw // childConfig zoneOptions4 false;
-  zoneOptions4 = zoneOptionsRaw // childConfig zoneOptions5 false;
-  zoneOptions5 = zoneOptionsRaw // childConfig zoneOptions6 false;
-  zoneOptions6 = zoneOptionsRaw // childConfig null         false;
-
-  childConfig = x: v: { options.children = { type = types.attrsOf x; visible = v; }; };
-
   # options are ordered alphanumerically
-  zoneOptionsRaw = types.submodule {
+  zoneOptions = types.submodule {
     options = {
 
       allowAXFRFallback = mkOption {
@@ -246,6 +235,13 @@ let
       };
 
       children = mkOption {
+        # TODO: This relies on the fact that `types.anything` doesn't set any
+        # values of its own to any defaults, because in the above zoneConfigs',
+        # values from children override ones from parents, but only if the
+        # attributes are defined. Because of this, we can't replace the element
+        # type here with `zoneConfigs`, since that would set all the attributes
+        # to default values, breaking the parent inheriting function.
+        type = types.attrsOf types.anything;
         default = {};
         description = ''
           Children zones inherit all options of their parents. Attributes
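Review bot: With `type = types.attrsOf types.anything;` the child zones are no longer validated against the zone options, so a misspelled attribute inside `children` is accepted silently instead of failing evaluation as it did with the nested submodule chain. The TODO explains why the element type cannot be `zoneOptions`, but the option description (which starts in this hunk and continues past it) should tell users about the consequence, e.g. `Note: child zone attributes are not type-checked; a misspelled option is ignored rather than rejected.`. If the inheritance merge in `zoneConfigs` is ever reworked, a `types.attrsOf zoneOptions` with a non-defaulting submodule would restore the check.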
diff --git a/nixpkgs/nixos/modules/services/networking/pleroma.nix b/nixpkgs/nixos/modules/services/networking/pleroma.nix
index 9b8382392c0a..c6d4c14dcb7e 100644
--- a/nixpkgs/nixos/modules/services/networking/pleroma.nix
+++ b/nixpkgs/nixos/modules/services/networking/pleroma.nix
@@ -1,6 +1,7 @@
 { config, options, lib, pkgs, stdenv, ... }:
 let
   cfg = config.services.pleroma;
+  cookieFile = "/var/lib/pleroma/.cookie";
 in {
   options = {
     services.pleroma = with lib; {
@@ -8,7 +9,7 @@ in {
 
       package = mkOption {
         type = types.package;
-        default = pkgs.pleroma;
+        default = pkgs.pleroma.override { inherit cookieFile; };
         defaultText = literalExpression "pkgs.pleroma";
         description = "Pleroma package to use.";
       };
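Review bot: `defaultText` on the line after the changed default still reads `pkgs.pleroma`, so the rendered manual will not show that the default package is now built with `override { inherit cookieFile; }`. Keep the two in sync, e.g. `defaultText = literalExpression ''pkgs.pleroma.override { cookieFile = "/var/lib/pleroma/.cookie"; }'';`, so users who set `package` themselves know the cookie path the module expects.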
@@ -100,7 +101,6 @@ in {
       after = [ "network-online.target" "postgresql.service" ];
       wantedBy = [ "multi-user.target" ];
       restartTriggers = [ config.environment.etc."/pleroma/config.exs".source ];
-      environment.RELEASE_COOKIE = "/var/lib/pleroma/.cookie";
       serviceConfig = {
         User = cfg.user;
         Group = cfg.group;
@@ -118,10 +118,10 @@ in {
         # Better be safe than sorry migration-wise.
         ExecStartPre =
           let preScript = pkgs.writers.writeBashBin "pleromaStartPre" ''
-            if [ ! -f /var/lib/pleroma/.cookie ]
+            if [ ! -f "${cookieFile}" ] || [ ! -s "${cookieFile}" ]
             then
               echo "Creating cookie file"
-              dd if=/dev/urandom bs=1 count=16 | hexdump -e '16/1 "%02x"' > /var/lib/pleroma/.cookie
+              dd if=/dev/urandom bs=1 count=16 | ${pkgs.hexdump}/bin/hexdump -e '16/1 "%02x"' > "${cookieFile}"
             fi
             ${cfg.package}/bin/pleroma_ctl migrate
           '';
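Review bot: The cookie file is written by the `dd ... > "${cookieFile}"` redirection without any explicit mode, so its permissions depend on the umask of the ExecStartPre environment; the Erlang release cookie is the authentication secret for the node's distribution port, so a file readable by other local accounts weakens that boundary. Creating it under a restrictive umask, e.g. `(umask 077; dd if=/dev/urandom bs=1 count=16 | ${pkgs.hexdump}/bin/hexdump -e '16/1 "%02x"' > "${cookieFile}")`, or setting `UMask = "0077";` in `serviceConfig`, pins this regardless of defaults. `serviceConfig` begins outside this hunk, so an existing `UMask` there would already cover it; the added `[ ! -s ]` check correctly regenerates an empty file.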
diff --git a/nixpkgs/nixos/modules/services/networking/powerdns.nix b/nixpkgs/nixos/modules/services/networking/powerdns.nix
index 8cae61b83543..b035698456c0 100644
--- a/nixpkgs/nixos/modules/services/networking/powerdns.nix
+++ b/nixpkgs/nixos/modules/services/networking/powerdns.nix
@@ -24,14 +24,14 @@ in {
 
   config = mkIf cfg.enable {
 
-    systemd.packages = [ pkgs.powerdns ];
+    systemd.packages = [ pkgs.pdns ];
 
     systemd.services.pdns = {
       wantedBy = [ "multi-user.target" ];
       after = [ "network.target" "mysql.service" "postgresql.service" "openldap.service" ];
 
       serviceConfig = {
-        ExecStart = [ "" "${pkgs.powerdns}/bin/pdns_server --config-dir=${configDir} --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no" ];
+        ExecStart = [ "" "${pkgs.pdns}/bin/pdns_server --config-dir=${configDir} --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no" ];
       };
     };
 
diff --git a/nixpkgs/nixos/modules/services/networking/squid.nix b/nixpkgs/nixos/modules/services/networking/squid.nix
index 4f3881af8bbf..db4f0d26b6f4 100644
--- a/nixpkgs/nixos/modules/services/networking/squid.nix
+++ b/nixpkgs/nixos/modules/services/networking/squid.nix
@@ -111,6 +111,13 @@ in
         description = "Whether to run squid web proxy.";
       };
 
+      package = mkOption {
+        default = pkgs.squid;
+        defaultText = literalExpression "pkgs.squid";
+        type = types.package;
+        description = "Squid package to use.";
+      };
+
       proxyAddress = mkOption {
         type = types.nullOr types.str;
         default = null;
@@ -157,17 +164,21 @@ in
     users.groups.squid = {};
 
     systemd.services.squid = {
-      description = "Squid caching web proxy";
+      description = "Squid caching proxy";
+      documentation = [ "man:squid(8)" ];
       after = [ "network.target" "nss-lookup.target" ];
       wantedBy = [ "multi-user.target"];
       preStart = ''
         mkdir -p "/var/log/squid"
         chown squid:squid "/var/log/squid"
+        ${cfg.package}/bin/squid --foreground -z -f ${squidConfig}
       '';
       serviceConfig = {
-        Type="forking";
         PIDFile="/run/squid.pid";
-        ExecStart  = "${pkgs.squid}/bin/squid -YCs -f ${squidConfig}";
+        ExecStart  = "${cfg.package}/bin/squid --foreground -YCs -f ${squidConfig}";
+        ExecReload="kill -HUP $MAINPID";
+        KillMode="mixed";
+        NotifyAccess="all";
       };
     };
 
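Review bot: `Type="forking"` is removed while `NotifyAccess="all"` is added, so the unit falls back to `Type=simple` and systemd considers squid ready the moment it is spawned; `NotifyAccess` then only affects status/watchdog messages, and the retained `PIDFile` line is redundant for a non-forking service. If the intent is to use squid's sd_notify support (I believe upstream's unit pairs `NotifyAccess=all` with `Type=notify`), add `Type = "notify";` so units ordered `After=squid.service` wait for real readiness. Separately, `ExecReload="kill -HUP $MAINPID"` relies on systemd's own lookup of a bare command name; the other Exec lines in this module use store paths, so `ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";` would be consistent.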
diff --git a/nixpkgs/nixos/modules/services/networking/unbound.nix b/nixpkgs/nixos/modules/services/networking/unbound.nix
index f6e963490924..87873c8c1e83 100644
--- a/nixpkgs/nixos/modules/services/networking/unbound.nix
+++ b/nixpkgs/nixos/modules/services/networking/unbound.nix
@@ -62,6 +62,7 @@ in {
       };
 
       stateDir = mkOption {
+        type = types.path;
         default = "/var/lib/unbound";
         description = "Directory holding all state for unbound to run.";
       };
diff --git a/nixpkgs/nixos/modules/services/networking/vsftpd.nix b/nixpkgs/nixos/modules/services/networking/vsftpd.nix
index 710c2d9ca17b..d205302051e1 100644
--- a/nixpkgs/nixos/modules/services/networking/vsftpd.nix
+++ b/nixpkgs/nixos/modules/services/networking/vsftpd.nix
@@ -153,6 +153,7 @@ in
 
       userlist = mkOption {
         default = [];
+        type = types.listOf types.str;
         description = "See <option>userlistFile</option>.";
       };
 
diff --git a/nixpkgs/nixos/modules/services/networking/wg-quick.nix b/nixpkgs/nixos/modules/services/networking/wg-quick.nix
index 414775fc3577..61e9fe5096b1 100644
--- a/nixpkgs/nixos/modules/services/networking/wg-quick.nix
+++ b/nixpkgs/nixos/modules/services/networking/wg-quick.nix
@@ -17,6 +17,13 @@ let
         description = "The IP addresses of the interface.";
       };
 
+      autostart = mkOption {
+        description = "Whether to bring up this interface automatically during boot.";
+        default = true;
+        example = false;
+        type = types.bool;
+      };
+
       dns = mkOption {
         example = [ "192.168.2.2" ];
         default = [];
@@ -247,7 +254,7 @@ let
         description = "wg-quick WireGuard Tunnel - ${name}";
         requires = [ "network-online.target" ];
         after = [ "network.target" "network-online.target" ];
-        wantedBy = [ "multi-user.target" ];
+        wantedBy = optional values.autostart "multi-user.target";
         environment.DEVICE = name;
         path = [ pkgs.kmod pkgs.wireguard-tools ];
 
diff --git a/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix b/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix
index 4d3562424170..ce295bd4ba3b 100644
--- a/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix
+++ b/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix
@@ -102,17 +102,19 @@ in
     # Taken from: https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/providers.go
     provider = mkOption {
       type = types.enum [
-        "google"
+        "adfs"
         "azure"
+        "bitbucket"
+        "digitalocean"
         "facebook"
         "github"
-        "keycloak"
         "gitlab"
+        "google"
+        "keycloak"
+        "keycloak-oidc"
         "linkedin"
         "login.gov"
-        "bitbucket"
         "nextcloud"
-        "digitalocean"
         "oidc"
       ];
       default = "google";
diff --git a/nixpkgs/nixos/modules/services/security/sslmate-agent.nix b/nixpkgs/nixos/modules/services/security/sslmate-agent.nix
new file mode 100644
index 000000000000..c850eb22a031
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/security/sslmate-agent.nix
@@ -0,0 +1,32 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.sslmate-agent;
+
+in {
+  meta.maintainers = with maintainers; [ wolfangaukang ];
+
+  options = {
+    services.sslmate-agent = {
+      enable = mkEnableOption "sslmate-agent, a daemon for managing SSL/TLS certificates on a server";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [ sslmate-agent ];
+
+    systemd = {
+      packages = [ pkgs.sslmate-agent ];
+      services.sslmate-agent = {
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig = {
+          ConfigurationDirectory = "sslmate-agent";
+          LogsDirectory = "sslmate-agent";
+          StateDirectory = "sslmate-agent";
+        };
+      };
+    };
+  };
+}
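Review bot: The `enable` description is the module's only documentation and does not say where the agent's configuration lives; `ConfigurationDirectory = "sslmate-agent"` makes systemd create `/etc/sslmate-agent`, so the description could add `Configuration is read from /etc/sslmate-agent.` (confirm against the unit shipped in `pkgs.sslmate-agent`). `pkgs.sslmate-agent` is also referenced twice (`environment.systemPackages` and `systemd.packages`); a `package` option, as the squid module gains in this same commit, would keep the two in sync and let users pin a version.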
diff --git a/nixpkgs/nixos/modules/services/security/tor.nix b/nixpkgs/nixos/modules/services/security/tor.nix
index ddd216ca7fd0..a5822c02794d 100644
--- a/nixpkgs/nixos/modules/services/security/tor.nix
+++ b/nixpkgs/nixos/modules/services/security/tor.nix
@@ -910,6 +910,11 @@ in
         ORPort = mkForce [];
         PublishServerDescriptor = mkForce false;
       })
+      (mkIf (!cfg.client.enable) {
+        # Make sure application connections via SOCKS are disabled
+        # when services.tor.client.enable is false
+        SOCKSPort = mkForce [ 0 ];
+      })
       (mkIf cfg.client.enable (
         { SOCKSPort = [ cfg.client.socksListenAddress ];
         } // optionalAttrs cfg.client.transparentProxy.enable {
diff --git a/nixpkgs/nixos/modules/services/system/earlyoom.nix b/nixpkgs/nixos/modules/services/system/earlyoom.nix
index ddd5bcebcdd5..629358559890 100644
--- a/nixpkgs/nixos/modules/services/system/earlyoom.nix
+++ b/nixpkgs/nixos/modules/services/system/earlyoom.nix
@@ -5,8 +5,8 @@ let
 
   inherit (lib)
     mkDefault mkEnableOption mkIf mkOption types
-    mkRemovedOptionModule
-    concatStringsSep optional;
+    mkRemovedOptionModule literalExpression
+    escapeShellArg concatStringsSep optional optionalString;
 
 in
 {
@@ -17,10 +17,26 @@ in
       type = types.ints.between 1 100;
       default = 10;
       description = ''
-        Minimum of availabe memory (in percent).
-        If the free memory falls below this threshold and the analog is true for
-        <option>services.earlyoom.freeSwapThreshold</option>
-        the killing begins.
+        Minimum available memory (in percent).
+
+        If the available memory falls below this threshold (and the analog is true for
+        <option>freeSwapThreshold</option>) the killing begins.
+        SIGTERM is sent first to the process that uses the most memory; then, if the available
+        memory falls below <option>freeMemKillThreshold</option> (and the analog is true for
+        <option>freeSwapKillThreshold</option>), SIGKILL is sent.
+
+        See <link xlink:href="https://github.com/rfjakob/earlyoom#command-line-options">README</link> for details.
+      '';
+    };
+
+    freeMemKillThreshold = mkOption {
+      type = types.nullOr (types.ints.between 1 100);
+      default = null;
+      description = ''
+        Minimum available memory (in percent) before sending SIGKILL.
+        If unset, this defaults to half of <option>freeMemThreshold</option>.
+
+        See the description of <xref linkend="opt-services.earlyoom.freeMemThreshold"/>.
       '';
     };
 
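Review bot: `freeMemKillThreshold` (and `freeSwapKillThreshold` in the next hunk) accept any value in 1..100 independently of the matching SIGTERM threshold, so a kill threshold above the term threshold passes evaluation and is only caught, if at all, when earlyoom starts. If earlyoom rejects such a pair, an assertion like `cfg.freeMemKillThreshold == null || cfg.freeMemKillThreshold <= cfg.freeMemThreshold` with a clear message would surface it at `nixos-rebuild` time; otherwise the description should state the expected ordering, e.g. `Must not exceed freeMemThreshold.`.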
@@ -28,19 +44,20 @@ in
       type = types.ints.between 1 100;
       default = 10;
       description = ''
-        Minimum of availabe swap space (in percent).
-        If the available swap space falls below this threshold and the analog
-        is true for <option>services.earlyoom.freeMemThreshold</option>
-        the killing begins.
+        Minimum free swap space (in percent) before sending SIGTERM.
+
+        See the description of <xref linkend="opt-services.earlyoom.freeMemThreshold"/>.
       '';
     };
 
-    # TODO: remove or warn after 1.7 (https://github.com/rfjakob/earlyoom/commit/7ebc4554)
-    ignoreOOMScoreAdjust = mkOption {
-      type = types.bool;
-      default = false;
+    freeSwapKillThreshold = mkOption {
+      type = types.nullOr (types.ints.between 1 100);
+      default = null;
       description = ''
-        Ignore oom_score_adjust values of processes.
+        Minimum free swap space (in percent) before sending SIGKILL.
+        If unset, this defaults to half of <option>freeSwapThreshold</option>.
+
+        See the description of <xref linkend="opt-services.earlyoom.freeMemThreshold"/>.
       '';
     };
 
@@ -63,12 +80,43 @@ in
         local user to DoS your session by spamming notifications.
 
         To actually see the notifications in your GUI session, you need to have
-        <literal>systembus-notify</literal> running as your user which this
-        option handles.
+        <literal>systembus-notify</literal> running as your user, which this
+        option handles by enabling <option>services.systembus-notify</option>.
 
         See <link xlink:href="https://github.com/rfjakob/earlyoom#notifications">README</link> for details.
       '';
     };
+
+    killHook = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      example = literalExpression ''
+        pkgs.writeShellScript "earlyoom-kill-hook" '''
+          echo "Process $EARLYOOM_NAME ($EARLYOOM_PID) was killed" >> /path/to/log
+        '''
+      '';
+      description = ''
+        An absolute path to an executable to be run for each process killed.
+        Some environment variables are available, see
+        <link xlink:href="https://github.com/rfjakob/earlyoom#notifications">README</link> and
+        <link xlink:href="https://github.com/rfjakob/earlyoom/blob/master/MANPAGE.md#-n-pathtoscript">the man page</link>
+        for details.
+      '';
+    };
+
+    reportInterval = mkOption {
+      type = types.int;
+      default = 3600;
+      example = 0;
+      description = "Interval (in seconds) at which a memory report is printed (set to 0 to disable).";
+    };
+
+    extraArgs = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      example = [ "-g" "--prefer '(^|/)(java|chromium)$'" ];
+      description = "Extra command-line arguments to be passed to earlyoom.";
+    };
   };
 
   imports = [
@@ -76,7 +124,11 @@ in
       This option is deprecated and ignored by earlyoom since 1.2.
     '')
     (mkRemovedOptionModule [ "services" "earlyoom" "notificationsCommand" ] ''
-      This option is deprecated and ignored by earlyoom since 1.6.
+      This option was removed in earlyoom 1.6, but was reimplemented in 1.7
+      and is available as the new option `services.earlyoom.killHook`.
+    '')
+    (mkRemovedOptionModule [ "services" "earlyoom" "ignoreOOMScoreAdjust" ] ''
+      This option is deprecated and ignored by earlyoom since 1.7.
     '')
   ];
 
@@ -91,12 +143,16 @@ in
         StandardError = "journal";
         ExecStart = concatStringsSep " " ([
           "${pkgs.earlyoom}/bin/earlyoom"
-          "-m ${toString cfg.freeMemThreshold}"
-          "-s ${toString cfg.freeSwapThreshold}"
+          ("-m ${toString cfg.freeMemThreshold}"
+            + optionalString (cfg.freeMemKillThreshold != null) ",${toString cfg.freeMemKillThreshold}")
+          ("-s ${toString cfg.freeSwapThreshold}"
+            + optionalString (cfg.freeSwapKillThreshold != null) ",${toString cfg.freeSwapKillThreshold}")
+          "-r ${toString cfg.reportInterval}"
         ]
-        ++ optional cfg.ignoreOOMScoreAdjust "-i"
         ++ optional cfg.enableDebugInfo "-d"
         ++ optional cfg.enableNotifications "-n"
+        ++ optional (cfg.killHook != null) "-N ${escapeShellArg cfg.killHook}"
+        ++ cfg.extraArgs
         );
       };
     };
diff --git a/nixpkgs/nixos/modules/services/video/unifi-video.nix b/nixpkgs/nixos/modules/services/video/unifi-video.nix
index 43208a9fe4cf..11d9fe305470 100644
--- a/nixpkgs/nixos/modules/services/video/unifi-video.nix
+++ b/nixpkgs/nixos/modules/services/video/unifi-video.nix
@@ -16,7 +16,7 @@ let
     -pidfile ${cfg.pidFile} \
     -procname unifi-video \
     -Djava.security.egd=file:/dev/./urandom \
-    -Xmx${cfg.maximumJavaHeapSize}M \
+    -Xmx${toString cfg.maximumJavaHeapSize}M \
     -Xss512K \
     -XX:+UseG1GC \
     -XX:+UseStringDeduplication \
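Review bot: `maximumJavaHeapSize` is declared `types.nullOr types.int` later in this diff, but `toString null` is `""` in Nix, so a `null` value now yields the invalid JVM flag `-XxM` instead of a type error. Either drop the `nullOr` or omit the flag when unset, e.g. `${optionalString (cfg.maximumJavaHeapSize != null) "-Xmx${toString cfg.maximumJavaHeapSize}M"} \` (assuming `optionalString` is in scope like `optional` is). The enclosing `let` binding starts outside this hunk.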
@@ -91,98 +91,102 @@ let
   stateDir = "/var/lib/unifi-video";
 
 in
-  {
-
-    options.services.unifi-video = {
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Whether or not to enable the unifi-video service.
-        '';
-      };
+{
 
-      jrePackage = mkOption {
-        type = types.package;
-        default = pkgs.jre8;
-        defaultText = literalExpression "pkgs.jre8";
-        description = ''
-          The JRE package to use. Check the release notes to ensure it is supported.
-        '';
-      };
+  options.services.unifi-video = {
 
-      unifiVideoPackage = mkOption {
-        type = types.package;
-        default = pkgs.unifi-video;
-        defaultText = literalExpression "pkgs.unifi-video";
-        description = ''
-          The unifi-video package to use.
-        '';
-      };
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether or not to enable the unifi-video service.
+      '';
+    };
 
-      mongodbPackage = mkOption {
-        type = types.package;
-        default = pkgs.mongodb-4_0;
-        defaultText = literalExpression "pkgs.mongodb";
-        description = ''
-          The mongodb package to use.
-        '';
-      };
+    jrePackage = mkOption {
+      type = types.package;
+      default = pkgs.jre8;
+      defaultText = literalExpression "pkgs.jre8";
+      description = ''
+        The JRE package to use. Check the release notes to ensure it is supported.
+      '';
+    };
 
-      logDir = mkOption {
-        type = types.str;
-        default = "${stateDir}/logs";
-        description = ''
-          Where to store the logs.
-        '';
-      };
+    unifiVideoPackage = mkOption {
+      type = types.package;
+      default = pkgs.unifi-video;
+      defaultText = literalExpression "pkgs.unifi-video";
+      description = ''
+        The unifi-video package to use.
+      '';
+    };
 
-      dataDir = mkOption {
-        type = types.str;
-        default = "${stateDir}/data";
-        description = ''
-          Where to store the database and other data.
-        '';
-      };
+    mongodbPackage = mkOption {
+      type = types.package;
+      default = pkgs.mongodb-4_0;
+      defaultText = literalExpression "pkgs.mongodb";
+      description = ''
+        The mongodb package to use.
+      '';
+    };
 
-      openPorts = mkOption {
-        type = types.bool;
-        default = true;
-        description = ''
-          Whether or not to open the required ports on the firewall.
-        '';
-      };
+    logDir = mkOption {
+      type = types.str;
+      default = "${stateDir}/logs";
+      description = ''
+        Where to store the logs.
+      '';
+    };
 
-      maximumJavaHeapSize = mkOption {
-        type = types.nullOr types.int;
-        default = 1024;
-        example = 4096;
-        description = ''
-          Set the maximimum heap size for the JVM in MB.
-        '';
-      };
+    dataDir = mkOption {
+      type = types.str;
+      default = "${stateDir}/data";
+      description = ''
+        Where to store the database and other data.
+      '';
+    };
 
-      pidFile = mkOption {
-        type = types.path;
-        default = "${cfg.dataDir}/unifi-video.pid";
-        defaultText = literalExpression ''"''${config.${opt.dataDir}}/unifi-video.pid"'';
-        description = "Location of unifi-video pid file.";
-      };
+    openFirewall = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Whether or not to open the required ports on the firewall.
+      '';
+    };
+
+    maximumJavaHeapSize = mkOption {
+      type = types.nullOr types.int;
+      default = 1024;
+      example = 4096;
+      description = ''
+        Set the maximimum heap size for the JVM in MB.
+      '';
+    };
+
+    pidFile = mkOption {
+      type = types.path;
+      default = "${cfg.dataDir}/unifi-video.pid";
+      defaultText = literalExpression ''"''${config.${opt.dataDir}}/unifi-video.pid"'';
+      description = "Location of unifi-video pid file.";
+    };
+
+  };
+
+  config = mkIf cfg.enable {
 
-};
+    warnings = optional
+      (options.services.unifi-video.openFirewall.highestPrio >= (mkOptionDefault null).priority)
+      "The current services.unifi-video.openFirewall = true default is deprecated and will change to false in 22.11. Set it explicitly to silence this warning.";
 
-config = mkIf cfg.enable {
-  users = {
-    users.unifi-video = {
+    users.users.unifi-video = {
       description = "UniFi Video controller daemon user";
       home = stateDir;
       group = "unifi-video";
       isSystemUser = true;
     };
-    groups.unifi-video = {};
-  };
+    users.groups.unifi-video = {};
 
-  networking.firewall = mkIf cfg.openPorts {
+    networking.firewall = mkIf cfg.openFirewall {
       # https://help.ui.com/hc/en-us/articles/217875218-UniFi-Video-Ports-Used
       allowedTCPPorts = [
         7080 # HTTP portal
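Review bot: The re-indented `maximumJavaHeapSize` description keeps the typo `maximimum`; write `Set the maximum heap size for the JVM in MB.`. While touching these declarations, `logDir` and `dataDir` stay `types.str` although `pidFile`, which is derived from `dataDir`, is `types.path`; `types.path` on the two directories would reject relative values consistently. The `openFirewall` deprecation warning is a good call for a service exposing several listening ports by default.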
@@ -237,7 +241,6 @@ config = mkIf cfg.enable {
       "L+ '${stateDir}/conf/server.xml' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/conf/server.xml"
       "L+ '${stateDir}/conf/tomcat-users.xml' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/conf/tomcat-users.xml"
       "L+ '${stateDir}/conf/web.xml' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/conf/web.xml"
-
     ];
 
     systemd.services.unifi-video = {
@@ -258,10 +261,11 @@ config = mkIf cfg.enable {
         WorkingDirectory = "${stateDir}";
       };
     };
-
   };
 
-  meta = {
-    maintainers = with lib.maintainers; [ rsynnest ];
-  };
+  imports = [
+    (mkRenamedOptionModule [ "services" "unifi-video" "openPorts" ] [ "services" "unifi-video" "openFirewall" ])
+  ];
+
+  meta.maintainers = with lib.maintainers; [ rsynnest ];
 }
diff --git a/nixpkgs/nixos/modules/services/web-apps/keycloak.nix b/nixpkgs/nixos/modules/services/web-apps/keycloak.nix
index 22c16be76139..c4a2127663a9 100644
--- a/nixpkgs/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/keycloak.nix
@@ -129,6 +129,14 @@ in
         '';
       };
 
+      plugins = lib.mkOption {
+        type = lib.types.listOf lib.types.path;
+        default = [];
+        description = ''
+          Keycloak plugin jar, ear files or derivations with them
+        '';
+      };
+
       database = {
         type = mkOption {
           type = enum [ "mysql" "postgresql" ];
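Review bot: The `plugins` description `Keycloak plugin jar, ear files or derivations with them` does not say that directories are searched recursively for `*.jar`/`*.ear` (as `install_plugin` in a later hunk does) nor that every deployed archive executes inside the server with Keycloak's privileges. Suggested wording: `Plugin jar/ear files, or directories (for example derivations) that are searched recursively for them. Each archive is deployed into the running Keycloak instance and runs with its privileges, so only list trusted sources.`.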
@@ -787,6 +795,14 @@ in
 
               umask u=rwx,g=,o=
 
+              install_plugin() {
+                if [ -d "$1" ]; then
+                  find "$1" -type f \( -iname \*.ear -o -iname \*.jar \) -exec install -m 0500 -o keycloak -g keycloak "{}" "/run/keycloak/deployments/" \;
+                else
+                  install -m 0500 -o keycloak -g keycloak "$1" "/run/keycloak/deployments/"
+                fi
+              }
+
               install -m 0600 ${cfg.package}/standalone/configuration/*.properties /run/keycloak/configuration
               install -T -m 0600 ${keycloakConfig} /run/keycloak/configuration/standalone.xml
 
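Review bot: `install_plugin` flattens every match into `/run/keycloak/deployments/` by basename, so two plugins (or two files inside one derivation) with the same file name silently overwrite each other and the winner depends on list order. Either document that later entries take precedence or make the collision fail, e.g. by checking `[ -e "/run/keycloak/deployments/$(basename "$1")" ]` before the single-file `install` and emitting an error. The `find ... -exec install` form is otherwise sound; `-m 0500` keeps the deployed archives read-only for the service user.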
@@ -794,7 +810,9 @@ in
 
               export JAVA_OPTS=-Djboss.server.config.user.dir=/run/keycloak/configuration
               add-user-keycloak.sh -u admin -p '${cfg.initialAdminPassword}'
-            '' + optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) ''
+            ''
+            + lib.optionalString (cfg.plugins != []) (lib.concatStringsSep "\n" (map (pl: "install_plugin ${lib.escapeShellArg pl}") cfg.plugins)) + "\n"
+            + optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) ''
               pushd /run/keycloak/ssl/
               cat "$CREDENTIALS_DIRECTORY/ssl_cert" <(echo) \
                   "$CREDENTIALS_DIRECTORY/ssl_key" <(echo) \
diff --git a/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix b/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix
index 141ab98e29bf..b32220a5e579 100644
--- a/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix
@@ -153,7 +153,7 @@ in {
     package = mkOption {
       type = types.package;
       description = "Which package to use for the Nextcloud instance.";
-      relatedPackages = [ "nextcloud21" "nextcloud22" "nextcloud23" ];
+      relatedPackages = [ "nextcloud22" "nextcloud23" ];
     };
     phpPackage = mkOption {
       type = types.package;
@@ -571,15 +571,6 @@ in {
               nextcloud defined in an overlay, please set `services.nextcloud.package` to
               `pkgs.nextcloud`.
             ''
-          # 21.03 will not be an official release - it was instead 21.05.
-          # This versionOlder statement remains set to 21.03 for backwards compatibility.
-          # See https://github.com/NixOS/nixpkgs/pull/108899 and
-          # https://github.com/NixOS/rfcs/blob/master/rfcs/0080-nixos-release-schedule.md.
-          # FIXME(@Ma27) remove this else-if as soon as 21.05 is EOL! This is only here
-          # to ensure that users who are on Nextcloud 19 with a stateVersion <21.05 with
-          # no explicit services.nextcloud.package don't upgrade to v21 by accident (
-          # nextcloud20 throws an eval-error because it's dropped).
-          else if versionOlder stateVersion "21.03" then nextcloud20
           else if versionOlder stateVersion "21.11" then nextcloud21
           else if versionOlder stateVersion "22.05" then nextcloud22
           else nextcloud23
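Review bot: `relatedPackages` in the first hunk drops `nextcloud21`, yet the fallback chain here still selects `nextcloud21` for `stateVersion < 21.11`. If the `nextcloud21` attribute has been removed from nixpkgs in the same way `nextcloud20` was (the deleted comment describes that case throwing an evaluation error), users on those state versions without an explicit `services.nextcloud.package` will now fail to evaluate; that may be intended, but then the error message should say so, or the branch should be removed alongside its predecessor. The `let` that binds these package names starts outside this hunk.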
diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix
index e2323785149a..f87258ac8dc5 100644
--- a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix
+++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix
@@ -132,6 +132,10 @@ in
       [ "environment" "gnome3" "excludePackages" ]
       [ "environment" "gnome" "excludePackages" ]
     )
+    (mkRemovedOptionModule
+      [ "services" "gnome" "experimental-features" "realtime-scheduling" ]
+      "Set `security.rtkit.enable = true;` to make realtime scheduling possible. (Still needs to be enabled using GSettings.)"
+    )
   ];
 
   options = {
@@ -142,38 +146,6 @@ in
       core-utilities.enable = mkEnableOption "GNOME core utilities";
       core-developer-tools.enable = mkEnableOption "GNOME core developer tools";
       games.enable = mkEnableOption "GNOME games";
-
-      experimental-features = {
-        realtime-scheduling = mkOption {
-          type = types.bool;
-          default = false;
-          description = ''
-            Makes mutter (which propagates to gnome-shell) request a low priority real-time
-            scheduling which is only available on the wayland session.
-            To enable this experimental feature it requires a restart of the compositor.
-            Note that enabling this option only enables the <emphasis>capability</emphasis>
-            for realtime-scheduling to be used. It doesn't automatically set the gsetting
-            so that mutter actually uses realtime-scheduling. This would require adding <literal>
-            rt-scheduler</literal> to <literal>/org/gnome/mutter/experimental-features</literal>
-            with dconf-editor. You cannot use extraGSettingsOverrides because that will only
-            change the default value of the setting.
-
-            Please be aware of these known issues with the feature in nixos:
-            <itemizedlist>
-             <listitem>
-              <para>
-               <link xlink:href="https://github.com/NixOS/nixpkgs/issues/90201">NixOS/nixpkgs#90201</link>
-              </para>
-             </listitem>
-             <listitem>
-              <para>
-               <link xlink:href="https://github.com/NixOS/nixpkgs/issues/86730">NixOS/nixpkgs#86730</link>
-              </para>
-            </listitem>
-            </itemizedlist>
-          '';
-        };
-      };
     };
 
     services.xserver.desktopManager.gnome = {
@@ -414,7 +386,6 @@ in
       services.gnome.rygel.enable = mkDefault true;
       services.gvfs.enable = true;
       services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true));
-      services.telepathy.enable = mkDefault true;
 
       systemd.packages = with pkgs.gnome; [
         gnome-session
@@ -480,29 +451,6 @@ in
       ];
     })
 
-    # Enable soft realtime scheduling, only supported on wayland
-    (mkIf serviceCfg.experimental-features.realtime-scheduling {
-      security.wrappers.".gnome-shell-wrapped" = {
-        source = "${pkgs.gnome.gnome-shell}/bin/.gnome-shell-wrapped";
-        owner = "root";
-        group = "root";
-        capabilities = "cap_sys_nice=ep";
-      };
-
-      systemd.user.services.gnome-shell-wayland = let
-        gnomeShellRT = with pkgs.gnome; pkgs.runCommand "gnome-shell-rt" {} ''
-          mkdir -p $out/bin/
-          cp ${gnome-shell}/bin/gnome-shell $out/bin
-          sed -i "s@${gnome-shell}/bin/@${config.security.wrapperDir}/@" $out/bin/gnome-shell
-        '';
-      in {
-        # Note we need to clear ExecStart before overriding it
-        serviceConfig.ExecStart = ["" "${gnomeShellRT}/bin/gnome-shell"];
-        # Do not use the default environment, it provides a broken PATH
-        environment = mkForce {};
-      };
-    })
-
     # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-38/elements/core/meta-gnome-core-utilities.bst
     (mkIf serviceCfg.core-utilities.enable {
       environment.systemPackages =
@@ -513,18 +461,18 @@ in
             cheese
             eog
             epiphany
-            gedit
+            pkgs.gnome-text-editor
             gnome-calculator
             gnome-calendar
             gnome-characters
             gnome-clocks
+            pkgs.gnome-console
             gnome-contacts
             gnome-font-viewer
             gnome-logs
             gnome-maps
             gnome-music
             pkgs.gnome-photos
-            gnome-screenshot
             gnome-system-monitor
             gnome-weather
             nautilus
@@ -547,10 +495,13 @@ in
       programs.file-roller.enable = notExcluded pkgs.gnome.file-roller;
       programs.geary.enable = notExcluded pkgs.gnome.geary;
       programs.gnome-disks.enable = notExcluded pkgs.gnome.gnome-disk-utility;
-      programs.gnome-terminal.enable = notExcluded pkgs.gnome.gnome-terminal;
       programs.seahorse.enable = notExcluded pkgs.gnome.seahorse;
       services.gnome.sushi.enable = notExcluded pkgs.gnome.sushi;
 
+      # VTE shell integration for gnome-console
+      programs.bash.vteIntegration = mkDefault true;
+      programs.zsh.vteIntegration = mkDefault true;
+
       # Let nautilus find extensions
       # TODO: Create nautilus-with-extensions package
       environment.sessionVariables.NAUTILUS_EXTENSION_DIR = "${config.system.path}/lib/nautilus/extensions-3.0";
diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix
index 8ff9b0b756d3..48e119a86187 100644
--- a/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix
+++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix
@@ -220,9 +220,7 @@ in
       ] config.environment.pantheon.excludePackages);
 
       programs.evince.enable = mkDefault true;
-      programs.evince.package = pkgs.pantheon.evince;
       programs.file-roller.enable = mkDefault true;
-      programs.file-roller.package = pkgs.pantheon.file-roller;
 
       # Settings from elementary-default-settings
       environment.etc."gtk-3.0/settings.ini".source = "${pkgs.pantheon.elementary-default-settings}/etc/gtk-3.0/settings.ini";
@@ -304,7 +302,6 @@ in
       environment.systemPackages = with pkgs.pantheon; [
         contractor
         file-roller-contract
-        gnome-bluetooth-contract
       ];
 
       environment.pathsToLink = [
diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix
index b7aa2eba81cf..3ca044ad5bc8 100644
--- a/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix
+++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix
@@ -519,7 +519,7 @@ in
         with plasma5; with kdeApplications; with kdeFrameworks;
         [
           # Basic packages without which Plasma Mobile fails to work properly.
-          plasma-phone-components
+          plasma-mobile
           plasma-nano
           pkgs.maliit-framework
           pkgs.maliit-keyboard
@@ -573,7 +573,7 @@ in
         };
       };
 
-      services.xserver.displayManager.sessionPackages = [ pkgs.libsForQt5.plasma5.plasma-phone-components ];
+      services.xserver.displayManager.sessionPackages = [ pkgs.libsForQt5.plasma5.plasma-mobile ];
     })
   ];
 }
diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/default.nix b/nixpkgs/nixos/modules/services/x11/display-managers/default.nix
index 92b3af8527f1..a5db3dd5dd45 100644
--- a/nixpkgs/nixos/modules/services/x11/display-managers/default.nix
+++ b/nixpkgs/nixos/modules/services/x11/display-managers/default.nix
@@ -219,6 +219,7 @@ in
 
       session = mkOption {
         default = [];
+        type = types.listOf types.attrs;
         example = literalExpression
           ''
             [ { manage = "desktop";
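Review bot: `types.listOf types.attrs` accepts any attribute set, so a misspelled key in a session entry (the example shows `manage`) is kept silently instead of being rejected; a `types.submodule` declaring the expected fields would turn such typos into evaluation errors and document the schema next to the option. The NixOS manual also discourages `types.attrs` because it does not discharge `mkDefault`/`mkIf` used inside the value. If the entries are deliberately free-form, a short comment on the `type` line saying so would save the next reader the question.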
diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix b/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix
index b1dc6643be82..70ae6b8978d0 100644
--- a/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix
@@ -141,7 +141,7 @@ in
           GDM_X_SERVER_EXTRA_ARGS = toString
             (filter (arg: arg != "-terminate") cfg.xserverArgs);
           # GDM is needed for gnome-login.session
-          XDG_DATA_DIRS = "${gdm}/share:${cfg.sessionData.desktops}/share";
+          XDG_DATA_DIRS = "${gdm}/share:${cfg.sessionData.desktops}/share:${pkgs.gnome.gnome-control-center}/share";
         } // optionalAttrs (xSessionWrapper != null) {
           # Make GDM use this wrapper before running the session, which runs the
           # configured setupCommands. This relies on a patched GDM which supports
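Review bot: The added `${pkgs.gnome.gnome-control-center}/share` entry has no comment saying what GDM reads from that directory, while the line above documents why `gdm`'s own share dir is listed; it also pulls gnome-control-center into the closure of every system using this module. Please extend the comment, e.g. `# gnome-control-center ships <what GDM needs from its share dir>` with the actual reason filled in. The enclosing attribute set continues outside the hunk.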
diff --git a/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl b/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl
index 459d09faa53b..9e5b760434a0 100755
--- a/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl
+++ b/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl
@@ -8,18 +8,29 @@ use File::Basename;
 use File::Slurp qw(read_file write_file edit_file);
 use Net::DBus;
 use Sys::Syslog qw(:standard :macros);
-use Cwd 'abs_path';
+use Cwd qw(abs_path);
 
+## no critic(ControlStructures::ProhibitDeepNests)
+## no critic(ErrorHandling::RequireCarping)
 ## no critic(CodeLayout::ProhibitParensWithBuiltins)
+## no critic(Variables::ProhibitPunctuationVars, Variables::RequireLocalizedPunctuationVars)
+## no critic(InputOutput::RequireCheckedSyscalls, InputOutput::RequireBracedFileHandleWithPrint, InputOutput::RequireBriefOpen)
+## no critic(ValuesAndExpressions::ProhibitNoisyQuotes, ValuesAndExpressions::ProhibitMagicNumbers, ValuesAndExpressions::ProhibitEmptyQuotes, ValuesAndExpressions::ProhibitInterpolationOfLiterals)
+## no critic(RegularExpressions::ProhibitEscapedMetacharacters)
 
+# System closure path to switch to
 my $out = "@out@";
-
-my $curSystemd = abs_path("/run/current-system/sw/bin");
+# Path to the directory containing systemd tools of the old system
+my $cur_systemd = abs_path("/run/current-system/sw/bin");
+# Path to the systemd store path of the new system
+my $new_systemd = "@systemd@";
 
 # To be robust against interruption, record what units need to be started etc.
-my $startListFile = "/run/nixos/start-list";
-my $restartListFile = "/run/nixos/restart-list";
-my $reloadListFile = "/run/nixos/reload-list";
+# We read these files again every time this script starts to make sure we continue
+# where the old (interrupted) script left off.
+my $start_list_file = "/run/nixos/start-list";
+my $restart_list_file = "/run/nixos/restart-list";
+my $reload_list_file = "/run/nixos/reload-list";
 
 # Parse restart/reload requests by the activation script.
 # Activation scripts may write newline-separated units to the restart
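Review bot: The added `## no critic(...)` lines disable whole policy families for the entire file, including `InputOutput::RequireCheckedSyscalls` and `ErrorHandling::RequireCarping`, so unchecked I/O added later in this script is no longer reported; the file already uses a line-scoped marker on the `tie` call in `parse_systemd_ini`, which is the pattern to prefer for the remaining exceptions. If a file-wide exemption is kept, a one-line comment per policy stating why it does not apply here would document the decision for the next maintainer.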
@@ -31,21 +42,23 @@ my $reloadListFile = "/run/nixos/reload-list";
 # The reload file asks the script to reload a unit. This is the same as
 # specifying a reload trigger in the NixOS module and can be ignored if
 # the unit is restarted in this activation.
-my $restartByActivationFile = "/run/nixos/activation-restart-list";
-my $reloadByActivationFile = "/run/nixos/activation-reload-list";
-my $dryRestartByActivationFile = "/run/nixos/dry-activation-restart-list";
-my $dryReloadByActivationFile = "/run/nixos/dry-activation-reload-list";
-
-make_path("/run/nixos", { mode => oct(755) });
+my $restart_by_activation_file = "/run/nixos/activation-restart-list";
+my $reload_by_activation_file = "/run/nixos/activation-reload-list";
+my $dry_restart_by_activation_file = "/run/nixos/dry-activation-restart-list";
+my $dry_reload_by_activation_file = "/run/nixos/dry-activation-reload-list";
 
+# The action that is to be performed (like switch, boot, test, dry-activate)
+# Also exposed via environment variable from now on
 my $action = shift(@ARGV);
+$ENV{NIXOS_ACTION} = $action;
 
+# Expose the locale archive as an environment variable for systemctl and the activation script
 if ("@localeArchive@" ne "") {
     $ENV{LOCALE_ARCHIVE} = "@localeArchive@";
 }
 
 if (!defined($action) || ($action ne "switch" && $action ne "boot" && $action ne "test" && $action ne "dry-activate")) {
-    print STDERR <<EOF;
+    print STDERR <<"EOF";
 Usage: $0 [switch|boot|test]
 
 switch:       make the configuration the boot default and activate now
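Review bot: `$ENV{NIXOS_ACTION} = $action;` now runs before the usage check that follows, so when the script is started without an argument an undefined value is assigned into `%ENV` before usage is printed; the previous position after the check (the line removed in the next hunk) avoided that, and restoring it or guarding with `if (defined($action))` fixes it in one line. The usage text in the heredoc also still reads `Usage: $0 [switch|boot|test]` although the condition right above accepts `dry-activate`; `Usage: $0 [switch|boot|test|dry-activate]` would match the code.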
@@ -56,37 +69,41 @@ EOF
     exit(1);
 }
 
-$ENV{NIXOS_ACTION} = $action;
-
 # This is a NixOS installation if it has /etc/NIXOS or a proper
 # /etc/os-release.
-die("This is not a NixOS installation!\n") unless
-    -f "/etc/NIXOS" || (read_file("/etc/os-release", err_mode => 'quiet') // "") =~ /ID="?nixos"?/s;
+if (!-f "/etc/NIXOS" && (read_file("/etc/os-release", err_mode => "quiet") // "") !~ /^ID="?nixos"?/msx) {
+    die("This is not a NixOS installation!\n");
+}
 
+make_path("/run/nixos", { mode => oct(755) });
 openlog("nixos", "", LOG_USER);
 
 # Install or update the bootloader.
 if ($action eq "switch" || $action eq "boot") {
-    chomp(my $installBootLoader = <<'EOFBOOTLOADER');
+    chomp(my $install_boot_loader = <<'EOFBOOTLOADER');
 @installBootLoader@
 EOFBOOTLOADER
-    system("$installBootLoader $out") == 0 or exit 1;
+    system("$install_boot_loader $out") == 0 or exit 1;
 }
 
 # Just in case the new configuration hangs the system, do a sync now.
-system("@coreutils@/bin/sync", "-f", "/nix/store") unless ($ENV{"NIXOS_NO_SYNC"} // "") eq "1";
+if (($ENV{"NIXOS_NO_SYNC"} // "") ne "1") {
+    system("@coreutils@/bin/sync", "-f", "/nix/store");
+}
 
-exit(0) if $action eq "boot";
+if ($action eq "boot") {
+    exit(0);
+}
 
 # Check if we can activate the new configuration.
-my $oldVersion = read_file("/run/current-system/init-interface-version", err_mode => 'quiet') // "";
-my $newVersion = read_file("$out/init-interface-version");
+my $cur_init_interface_version = read_file("/run/current-system/init-interface-version", err_mode => "quiet") // "";
+my $new_init_interface_version = read_file("$out/init-interface-version");
 
-if ($newVersion ne $oldVersion) {
-    print STDERR <<EOF;
+if ($new_init_interface_version ne $cur_init_interface_version) {
+    print STDERR <<'EOF';
 Warning: the new NixOS configuration has an ‘init’ that is
 incompatible with the current configuration.  The new configuration
-won\'t take effect until you reboot the system.
+won't take effect until you reboot the system.
 EOF
     exit(100);
 }
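Review bot: The NixOS detection regex changed from `/ID="?nixos"?/s` to `/^ID="?nixos"?/msx`, which with `m` anchors the match to the start of a line; the old pattern also matched the substring inside keys such as `VERSION_ID="nixos"`, the new one only matches the `ID=` key. That is a deliberate tightening worth a comment, since nothing else in the hunk signals a behaviour change: `# Only the ID= key counts; /m anchors ^ to line starts so VERSION_ID= or BUILD_ID= cannot match.` The bootloader branch still leaves with a bare `exit 1` and no message when `$install_boot_loader` fails; a `warn` naming the failed command before the exit would make interrupted switches easier to diagnose.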
@@ -95,41 +112,56 @@ EOF
 # virtual console 1 and we restart the "tty1" unit.
 $SIG{PIPE} = "IGNORE";
 
-sub getActiveUnits {
+# Asks the currently running systemd instance via dbus which units are active.
+# Returns a hash where the key is the name of each unit and the value a hash
+# of load, state, substate.
+sub get_active_units {
     my $mgr = Net::DBus->system->get_service("org.freedesktop.systemd1")->get_object("/org/freedesktop/systemd1");
     my $units = $mgr->ListUnitsByPatterns([], []);
     my $res = {};
-    for my $item (@$units) {
+    for my $item (@{$units}) {
         my ($id, $description, $load_state, $active_state, $sub_state,
-            $following, $unit_path, $job_id, $job_type, $job_path) = @$item;
-        next unless $following eq '';
-        next if $job_id == 0 and $active_state eq 'inactive';
+            $following, $unit_path, $job_id, $job_type, $job_path) = @{$item};
+        if ($following ne "") {
+            next;
+        }
+        if ($job_id == 0 and $active_state eq "inactive") {
+            next;
+        }
         $res->{$id} = { load => $load_state, state => $active_state, substate => $sub_state };
     }
     return $res;
 }
 
-# Returns whether a systemd unit is active
+# Asks the currently running systemd instance whether a unit is currently active.
+# Takes the name of the unit as an argument and returns a bool whether the unit is active or not.
 sub unit_is_active {
     my ($unit_name) = @_;
 
-    my $mgr = Net::DBus->system->get_service('org.freedesktop.systemd1')->get_object('/org/freedesktop/systemd1');
+    my $mgr = Net::DBus->system->get_service("org.freedesktop.systemd1")->get_object("/org/freedesktop/systemd1");
     my $units = $mgr->ListUnitsByNames([$unit_name]);
     if (scalar(@{$units}) == 0) {
         return 0;
     }
-    my $active_state = $units->[0]->[3]; ## no critic (ValuesAndExpressions::ProhibitMagicNumbers)
-    return $active_state eq 'active' || $active_state eq 'activating';
+    my $active_state = $units->[0]->[3];
+    return $active_state eq "active" || $active_state eq "activating";
 }
 
-sub parseFstab {
+# Parse a fstab file, given its path.
+# Returns a tuple of filesystems and swaps.
+#
+# Filesystems is a hash of mountpoint and { device, fsType, options }
+# Swaps is a hash of device and { options }
+sub parse_fstab {
     my ($filename) = @_;
     my ($fss, $swaps);
-    foreach my $line (read_file($filename, err_mode => 'quiet')) {
+    foreach my $line (read_file($filename, err_mode => "quiet")) {
         chomp($line);
-        $line =~ s/^\s*#.*//;
-        next if $line =~ /^\s*$/;
-        my @xs = split(/ /, $line);
+        $line =~ s/^\s*\#.*//msx;
+        if ($line =~ /^\s*$/msx) {
+            next;
+        }
+        my @xs = split(/\s+/msx, $line);
         if ($xs[2] eq "swap") {
             $swaps->{$xs[0]} = { options => $xs[3] // "" };
         } else {
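Review bot: `split(/\s+/msx, $line)` in `parse_fstab` returns an empty first field when a data line starts with whitespace, so an indented fstab entry is keyed on `""` with its real device shifted into the mountpoint slot; the old `split(/ /, ...)` had the same problem with leading spaces, so this rewrite is the place to fix it. Perl's single-space string form skips leading whitespace: `my @xs = split(" ", $line);` (or strip `^\s+` before the regex split). Separately, `get_active_units` and `unit_is_active` both construct the same `org.freedesktop.systemd1` proxy object; a small `get_systemd_manager()` helper would remove the duplication. `parse_fstab` continues past the end of the hunk.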
@@ -148,35 +180,35 @@ sub parseFstab {
 #
 # Instead of returning the hash, this subroutine takes a hashref to return the data in. This
 # allows calling the subroutine multiple times with the same hash to parse override files.
-sub parseSystemdIni {
-    my ($unitContents, $path) = @_;
+sub parse_systemd_ini {
+    my ($unit_contents, $path) = @_;
     # Tie the ini file to a hash for easier access
-    tie(my %fileContents, 'Config::IniFiles', (-file => $path, -allowempty => 1, -allowcontinue => 1)); ## no critic(Miscellanea::ProhibitTies)
+    tie(my %file_contents, "Config::IniFiles", (-file => $path, -allowempty => 1, -allowcontinue => 1)); ## no critic(Miscellanea::ProhibitTies)
 
     # Copy over all sections
-    foreach my $sectionName (keys(%fileContents)) {
-        if ($sectionName eq "Install") {
+    foreach my $section_name (keys(%file_contents)) {
+        if ($section_name eq "Install") {
             # Skip the [Install] section because it has no relevant keys for us
             next;
         }
         # Copy over all keys
-        foreach my $iniKey (keys(%{$fileContents{$sectionName}})) {
+        foreach my $ini_key (keys(%{$file_contents{$section_name}})) {
             # Ensure the value is an array so it's easier to work with
-            my $iniValue = $fileContents{$sectionName}{$iniKey};
-            my @iniValues;
-            if (ref($iniValue) eq "ARRAY") {
-                @iniValues = @{$iniValue};
+            my $ini_value = $file_contents{$section_name}{$ini_key};
+            my @ini_values;
+            if (ref($ini_value) eq "ARRAY") {
+                @ini_values = @{$ini_value};
             } else {
-                @iniValues = $iniValue;
+                @ini_values = $ini_value;
             }
             # Go over all values
-            for my $iniValue (@iniValues) {
+            for my $ini_value (@ini_values) {
                 # If a value is empty, it's an override that tells us to clean the value
-                if ($iniValue eq "") {
-                    delete $unitContents->{$sectionName}->{$iniKey};
+                if ($ini_value eq "") {
+                    delete $unit_contents->{$section_name}->{$ini_key};
                     next;
                 }
-                push(@{$unitContents->{$sectionName}->{$iniKey}}, $iniValue);
+                push(@{$unit_contents->{$section_name}->{$ini_key}}, $ini_value);
             }
         }
     }
@@ -185,7 +217,7 @@ sub parseSystemdIni {
 
 # This subroutine takes the path to a systemd configuration file (like a unit configuration),
 # parses it, and returns a hash that contains the contents. The contents of this hash are
-# explained in the `parseSystemdIni` subroutine. Neither the sections nor the keys inside
+# explained in the `parse_systemd_ini` subroutine. Neither the sections nor the keys inside
 # the sections are consistently sorted.
 #
 # If a directory with the same basename ending in .d exists next to the unit file, it will be
@@ -199,36 +231,44 @@ sub parse_unit {
     # Valid characters in unit names are ASCII letters, digits, ":", "-", "_", ".", and "\"
     $unit_path =~ s/\\/\\\\/gmsx;
     foreach (glob("${unit_path}{,.d/*.conf}")) {
-        parseSystemdIni(\%unit_data, "$_")
+        parse_systemd_ini(\%unit_data, "$_")
     }
     return %unit_data;
 }
 
 # Checks whether a specified boolean in a systemd unit is true
 # or false, with a default that is applied when the value is not set.
-sub parseSystemdBool {
-    my ($unitConfig, $sectionName, $boolName, $default) = @_;
+sub parse_systemd_bool {
+    my ($unit_config, $section_name, $bool_name, $default) = @_;
 
-    my @values = @{$unitConfig->{$sectionName}{$boolName} // []};
+    my @values = @{$unit_config->{$section_name}{$bool_name} // []};
     # Return default if value is not set
-    if (scalar(@values) lt 1 || not defined($values[-1])) {
+    if ((scalar(@values) < 1) || (not defined($values[-1]))) {
         return $default;
     }
     # If value is defined multiple times, use the last definition
-    my $last = $values[-1];
+    my $last_value = $values[-1];
     # These are valid values as of systemd.syntax(7)
-    return $last eq "1" || $last eq "yes" || $last eq "true" || $last eq "on";
+    return $last_value eq "1" || $last_value eq "yes" || $last_value eq "true" || $last_value eq "on";
 }
 
-sub recordUnit {
+# Writes a unit name into a given file to be more resilient against
+# crashes of the script. Does nothing when the action is dry-activate.
+sub record_unit {
     my ($fn, $unit) = @_;
-    write_file($fn, { append => 1 }, "$unit\n") if $action ne "dry-activate";
+    if ($action ne "dry-activate") {
+        write_file($fn, { append => 1 }, "$unit\n");
+    }
+    return;
 }
 
-# The opposite of recordUnit, removes a unit name from a file
+# The opposite of record_unit, removes a unit name from a file
 sub unrecord_unit {
     my ($fn, $unit) = @_;
-    edit_file(sub { s/^$unit\n//msx }, $fn) if $action ne "dry-activate";
+    if ($action ne "dry-activate") {
+        edit_file(sub { s/^$unit\n//msx }, $fn);
+    }
+    return;
 }
 
 # Compare the contents of two unit files and return whether the unit
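Review bot: In `unrecord_unit` the unit name is interpolated into the substitution pattern unescaped, `s/^$unit\n//msx`, so the `.` present in every unit name matches any character and `foo.service` also removes a line reading `fooXservice`; more importantly the `\` that the comment in `parse_unit` says is valid in unit names would change the pattern's meaning. Quoting the interpolation fixes both: `edit_file(sub { s/^\Q$unit\E\n//msx }, $fn);`. The comment above `record_unit` could also state that the append is unchecked, since the list files are what the interruption-recovery logic described at the top of the file relies on.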
@@ -240,8 +280,8 @@ sub unrecord_unit {
 # - 0 if the units are equal
 # - 1 if the units are different and a restart action is required
 # - 2 if the units are different and a reload action is required
-sub compare_units {
-    my ($old_unit, $new_unit) = @_;
+sub compare_units { ## no critic(Subroutines::ProhibitExcessComplexity)
+    my ($cur_unit, $new_unit) = @_;
     my $ret = 0;
     # Keys to ignore in the [Unit] section
     my %unit_section_ignores = map { $_ => 1 } qw(
@@ -262,13 +302,13 @@ sub compare_units {
     # Comparison hash for the sections
     my %section_cmp = map { $_ => 1 } keys(%{$new_unit});
     # Iterate over the sections
-    foreach my $section_name (keys(%{$old_unit})) {
+    foreach my $section_name (keys(%{$cur_unit})) {
         # Missing section in the new unit?
         if (not exists($section_cmp{$section_name})) {
             # If the [Unit] section was removed, make sure that only keys
             # were in it that are ignored
-            if ($section_name eq 'Unit') {
-                foreach my $ini_key (keys(%{$old_unit->{'Unit'}})) {
+            if ($section_name eq "Unit") {
+                foreach my $ini_key (keys(%{$cur_unit->{"Unit"}})) {
                     if (not defined($unit_section_ignores{$ini_key})) {
                         return 1;
                     }
@@ -277,7 +317,7 @@ sub compare_units {
             } else {
                 return 1;
             }
-            if ($section_name eq 'Unit' and %{$old_unit->{'Unit'}} == 1 and defined(%{$old_unit->{'Unit'}}{'X-Reload-Triggers'})) {
+            if ($section_name eq "Unit" and %{$cur_unit->{"Unit"}} == 1 and defined(%{$cur_unit->{"Unit"}}{"X-Reload-Triggers"})) {
                 # If a new [Unit] section was removed that only contained X-Reload-Triggers,
                 # do nothing.
                 next;
@@ -289,23 +329,23 @@ sub compare_units {
         # Comparison hash for the section contents
         my %ini_cmp = map { $_ => 1 } keys(%{$new_unit->{$section_name}});
         # Iterate over the keys of the section
-        foreach my $ini_key (keys(%{$old_unit->{$section_name}})) {
+        foreach my $ini_key (keys(%{$cur_unit->{$section_name}})) {
             delete $ini_cmp{$ini_key};
-            my @old_value = @{$old_unit->{$section_name}{$ini_key}};
+            my @cur_value = @{$cur_unit->{$section_name}{$ini_key}};
             # If the key is missing in the new unit, they are different...
             if (not $new_unit->{$section_name}{$ini_key}) {
                 # ... unless the key that is now missing is one of the ignored keys
-                if ($section_name eq 'Unit' and defined($unit_section_ignores{$ini_key})) {
+                if ($section_name eq "Unit" and defined($unit_section_ignores{$ini_key})) {
                     next;
                 }
                 return 1;
             }
             my @new_value = @{$new_unit->{$section_name}{$ini_key}};
             # If the contents are different, the units are different
-            if (not $comp_array->(\@old_value, \@new_value)) {
+            if (not $comp_array->(\@cur_value, \@new_value)) {
                 # Check if only the reload triggers changed or one of the ignored keys
-                if ($section_name eq 'Unit') {
-                    if ($ini_key eq 'X-Reload-Triggers') {
+                if ($section_name eq "Unit") {
+                    if ($ini_key eq "X-Reload-Triggers") {
                         $ret = 2;
                         next;
                     } elsif (defined($unit_section_ignores{$ini_key})) {
@@ -315,11 +355,11 @@ sub compare_units {
                 return 1;
             }
         }
-        # A key was introduced that was missing in the old unit
+        # A key was introduced that was missing in the previous unit
         if (%ini_cmp) {
-            if ($section_name eq 'Unit') {
+            if ($section_name eq "Unit") {
                 foreach my $ini_key (keys(%ini_cmp)) {
-                    if ($ini_key eq 'X-Reload-Triggers') {
+                    if ($ini_key eq "X-Reload-Triggers") {
                         $ret = 2;
                     } elsif (defined($unit_section_ignores{$ini_key})) {
                         next;
@@ -332,13 +372,13 @@ sub compare_units {
             }
         };
     }
-    # A section was introduced that was missing in the old unit
+    # A section was introduced that was missing in the previous unit
     if (%section_cmp) {
-        if (%section_cmp == 1 and defined($section_cmp{'Unit'})) {
-            foreach my $ini_key (keys(%{$new_unit->{'Unit'}})) {
+        if (%section_cmp == 1 and defined($section_cmp{"Unit"})) {
+            foreach my $ini_key (keys(%{$new_unit->{"Unit"}})) {
                 if (not defined($unit_section_ignores{$ini_key})) {
                     return 1;
-                } elsif ($ini_key eq 'X-Reload-Triggers') {
+                } elsif ($ini_key eq "X-Reload-Triggers") {
                     $ret = 2;
                 }
             }
@@ -350,76 +390,78 @@ sub compare_units {
     return $ret;
 }
 
-sub handleModifiedUnit {
-    my ($unit, $baseName, $newUnitFile, $newUnitInfo, $activePrev, $unitsToStop, $unitsToStart, $unitsToReload, $unitsToRestart, $unitsToSkip) = @_;
+# Called when a unit exists in both the old systemd and the new system and the units
+# differ. This figures out of what units are to be stopped, restarted, reloaded, started, and skipped.
+sub handle_modified_unit { ## no critic(Subroutines::ProhibitManyArgs, Subroutines::ProhibitExcessComplexity)
+    my ($unit, $base_name, $new_unit_file, $new_unit_info, $active_cur, $units_to_stop, $units_to_start, $units_to_reload, $units_to_restart, $units_to_skip) = @_;
 
-    if ($unit eq "sysinit.target" || $unit eq "basic.target" || $unit eq "multi-user.target" || $unit eq "graphical.target" || $unit =~ /\.path$/ || $unit =~ /\.slice$/) {
+    if ($unit eq "sysinit.target" || $unit eq "basic.target" || $unit eq "multi-user.target" || $unit eq "graphical.target" || $unit =~ /\.path$/msx || $unit =~ /\.slice$/msx) {
         # Do nothing.  These cannot be restarted directly.
 
         # Slices and Paths don't have to be restarted since
         # properties (resource limits and inotify watches)
         # seem to get applied on daemon-reload.
-    } elsif ($unit =~ /\.mount$/) {
+    } elsif ($unit =~ /\.mount$/msx) {
         # Reload the changed mount unit to force a remount.
         # FIXME: only reload when Options= changed, restart otherwise
-        $unitsToReload->{$unit} = 1;
-        recordUnit($reloadListFile, $unit);
-    } elsif ($unit =~ /\.socket$/) {
+        $units_to_reload->{$unit} = 1;
+        record_unit($reload_list_file, $unit);
+    } elsif ($unit =~ /\.socket$/msx) {
         # FIXME: do something?
         # Attempt to fix this: https://github.com/NixOS/nixpkgs/pull/141192
         # Revert of the attempt: https://github.com/NixOS/nixpkgs/pull/147609
         # More details: https://github.com/NixOS/nixpkgs/issues/74899#issuecomment-981142430
     } else {
-        my %unitInfo = $newUnitInfo ? %{$newUnitInfo} : parse_unit($newUnitFile);
-        if (parseSystemdBool(\%unitInfo, "Service", "X-ReloadIfChanged", 0) and not $unitsToRestart->{$unit} and not $unitsToStop->{$unit}) {
-            $unitsToReload->{$unit} = 1;
-            recordUnit($reloadListFile, $unit);
+        my %new_unit_info = $new_unit_info ? %{$new_unit_info} : parse_unit($new_unit_file);
+        if (parse_systemd_bool(\%new_unit_info, "Service", "X-ReloadIfChanged", 0) and not $units_to_restart->{$unit} and not $units_to_stop->{$unit}) {
+            $units_to_reload->{$unit} = 1;
+            record_unit($reload_list_file, $unit);
         }
-        elsif (!parseSystemdBool(\%unitInfo, "Service", "X-RestartIfChanged", 1) || parseSystemdBool(\%unitInfo, "Unit", "RefuseManualStop", 0) || parseSystemdBool(\%unitInfo, "Unit", "X-OnlyManualStart", 0)) {
-            $unitsToSkip->{$unit} = 1;
+        elsif (!parse_systemd_bool(\%new_unit_info, "Service", "X-RestartIfChanged", 1) || parse_systemd_bool(\%new_unit_info, "Unit", "RefuseManualStop", 0) || parse_systemd_bool(\%new_unit_info, "Unit", "X-OnlyManualStart", 0)) {
+            $units_to_skip->{$unit} = 1;
         } else {
             # It doesn't make sense to stop and start non-services because
             # they can't have ExecStop=
-            if (!parseSystemdBool(\%unitInfo, "Service", "X-StopIfChanged", 1) || $unit !~ /\.service$/) {
+            if (!parse_systemd_bool(\%new_unit_info, "Service", "X-StopIfChanged", 1) || $unit !~ /\.service$/msx) {
                 # This unit should be restarted instead of
                 # stopped and started.
-                $unitsToRestart->{$unit} = 1;
-                recordUnit($restartListFile, $unit);
+                $units_to_restart->{$unit} = 1;
+                record_unit($restart_list_file, $unit);
                 # Remove from units to reload so we don't restart and reload
-                if ($unitsToReload->{$unit}) {
-                    delete $unitsToReload->{$unit};
-                    unrecord_unit($reloadListFile, $unit);
+                if ($units_to_reload->{$unit}) {
+                    delete $units_to_reload->{$unit};
+                    unrecord_unit($reload_list_file, $unit);
                 }
             } else {
                 # If this unit is socket-activated, then stop the
                 # socket unit(s) as well, and restart the
                 # socket(s) instead of the service.
                 my $socket_activated = 0;
-                if ($unit =~ /\.service$/) {
-                    my @sockets = split(/ /, join(" ", @{$unitInfo{Service}{Sockets} // []}));
+                if ($unit =~ /\.service$/msx) {
+                    my @sockets = split(/\s+/msx, join(" ", @{$new_unit_info{Service}{Sockets} // []}));
                     if (scalar(@sockets) == 0) {
-                        @sockets = ("$baseName.socket");
+                        @sockets = ("$base_name.socket");
                     }
                     foreach my $socket (@sockets) {
-                        if (defined($activePrev->{$socket})) {
+                        if (defined($active_cur->{$socket})) {
                             # We can now be sure this is a socket-activate unit
 
-                            $unitsToStop->{$socket} = 1;
+                            $units_to_stop->{$socket} = 1;
                             # Only restart sockets that actually
                             # exist in new configuration:
                             if (-e "$out/etc/systemd/system/$socket") {
-                                $unitsToStart->{$socket} = 1;
-                                if ($unitsToStart eq $unitsToRestart) {
-                                    recordUnit($restartListFile, $socket);
+                                $units_to_start->{$socket} = 1;
+                                if ($units_to_start eq $units_to_restart) {
+                                    record_unit($restart_list_file, $socket);
                                 } else {
-                                    recordUnit($startListFile, $socket);
+                                    record_unit($start_list_file, $socket);
                                 }
                                 $socket_activated = 1;
                             }
                             # Remove from units to reload so we don't restart and reload
-                            if ($unitsToReload->{$unit}) {
-                                delete $unitsToReload->{$unit};
-                                unrecord_unit($reloadListFile, $unit);
+                            if ($units_to_reload->{$unit}) {
+                                delete $units_to_reload->{$unit};
+                                unrecord_unit($reload_list_file, $unit);
                             }
                         }
                     }
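Review bot: `if ($units_to_start eq $units_to_restart)` compares the two hash references by their stringified addresses to detect that the caller passed the same hash for both, which is easy to misread as a content comparison. A comment on that line, e.g. `# Identity test: the caller passed one hashref for both start and restart, so record the socket in the restart list` (adjusted to the actual intent), or the numeric form `$units_to_start == $units_to_restart`, would make the identity test explicit; the same comparison appears again for the service itself in the next hunk. `handle_modified_unit` continues past the end of this hunk.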
@@ -430,64 +472,67 @@ sub handleModifiedUnit {
                 # We write this to a file to ensure that the
                 # service gets restarted if we're interrupted.
                 if (!$socket_activated) {
-                    $unitsToStart->{$unit} = 1;
-                    if ($unitsToStart eq $unitsToRestart) {
-                        recordUnit($restartListFile, $unit);
+                    $units_to_start->{$unit} = 1;
+                    if ($units_to_start eq $units_to_restart) {
+                        record_unit($restart_list_file, $unit);
                     } else {
-                        recordUnit($startListFile, $unit);
+                        record_unit($start_list_file, $unit);
                     }
                 }
 
-                $unitsToStop->{$unit} = 1;
+                $units_to_stop->{$unit} = 1;
                 # Remove from units to reload so we don't restart and reload
-                if ($unitsToReload->{$unit}) {
-                    delete $unitsToReload->{$unit};
-                    unrecord_unit($reloadListFile, $unit);
+                if ($units_to_reload->{$unit}) {
+                    delete $units_to_reload->{$unit};
+                    unrecord_unit($reload_list_file, $unit);
                 }
             }
         }
     }
+    return;
 }
 
 # Figure out what units need to be stopped, started, restarted or reloaded.
-my (%unitsToStop, %unitsToSkip, %unitsToStart, %unitsToRestart, %unitsToReload);
+my (%units_to_stop, %units_to_skip, %units_to_start, %units_to_restart, %units_to_reload);
 
-my %unitsToFilter; # units not shown
+my %units_to_filter; # units not shown
 
-$unitsToStart{$_} = 1 foreach
-    split('\n', read_file($startListFile, err_mode => 'quiet') // "");
+%units_to_start = map { $_ => 1 }
+    split(/\n/msx, read_file($start_list_file, err_mode => "quiet") // "");
 
-$unitsToRestart{$_} = 1 foreach
-    split('\n', read_file($restartListFile, err_mode => 'quiet') // "");
+%units_to_restart = map { $_ => 1 }
+    split(/\n/msx, read_file($restart_list_file, err_mode => "quiet") // "");
 
-$unitsToReload{$_} = 1 foreach
-    split('\n', read_file($reloadListFile, err_mode => 'quiet') // "");
+%units_to_reload = map { $_ => 1 }
+    split(/\n/msx, read_file($reload_list_file, err_mode => "quiet") // "");
 
-my $activePrev = getActiveUnits();
-while (my ($unit, $state) = each(%{$activePrev})) {
-    my $baseUnit = $unit;
+my $active_cur = get_active_units();
+while (my ($unit, $state) = each(%{$active_cur})) {
+    my $base_unit = $unit;
 
-    my $prevUnitFile = "/etc/systemd/system/$baseUnit";
-    my $newUnitFile = "$out/etc/systemd/system/$baseUnit";
+    my $cur_unit_file = "/etc/systemd/system/$base_unit";
+    my $new_unit_file = "$out/etc/systemd/system/$base_unit";
 
     # Detect template instances.
-    if (!-e $prevUnitFile && !-e $newUnitFile && $unit =~ /^(.*)@[^\.]*\.(.*)$/) {
-      $baseUnit = "$1\@.$2";
-      $prevUnitFile = "/etc/systemd/system/$baseUnit";
-      $newUnitFile = "$out/etc/systemd/system/$baseUnit";
+    if (!-e $cur_unit_file && !-e $new_unit_file && $unit =~ /^(.*)@[^\.]*\.(.*)$/msx) {
+      $base_unit = "$1\@.$2";
+      $cur_unit_file = "/etc/systemd/system/$base_unit";
+      $new_unit_file = "$out/etc/systemd/system/$base_unit";
     }
 
-    my $baseName = $baseUnit;
-    $baseName =~ s/\.[a-z]*$//;
+    my $base_name = $base_unit;
+    $base_name =~ s/\.[[:lower:]]*$//msx;
 
-    if (-e $prevUnitFile && ($state->{state} eq "active" || $state->{state} eq "activating")) {
-        if (! -e $newUnitFile || abs_path($newUnitFile) eq "/dev/null") {
-            my %unitInfo = parse_unit($prevUnitFile);
-            $unitsToStop{$unit} = 1 if parseSystemdBool(\%unitInfo, "Unit", "X-StopOnRemoval", 1);
+    if (-e $cur_unit_file && ($state->{state} eq "active" || $state->{state} eq "activating")) {
+        if (! -e $new_unit_file || abs_path($new_unit_file) eq "/dev/null") {
+            my %cur_unit_info = parse_unit($cur_unit_file);
+            if (parse_systemd_bool(\%cur_unit_info, "Unit", "X-StopOnRemoval", 1)) {
+                $units_to_stop{$unit} = 1;
+            }
         }
 
-        elsif ($unit =~ /\.target$/) {
-            my %unitInfo = parse_unit($newUnitFile);
+        elsif ($unit =~ /\.target$/msx) {
+            my %new_unit_info = parse_unit($new_unit_file);
 
             # Cause all active target units to be restarted below.
             # This should start most changed units we stop here as
@@ -496,11 +541,11 @@ while (my ($unit, $state) = each(%{$activePrev})) {
             # active after the system has resumed, which probably
             # should not be the case.  Just ignore it.
             if ($unit ne "suspend.target" && $unit ne "hibernate.target" && $unit ne "hybrid-sleep.target") {
-                unless (parseSystemdBool(\%unitInfo, "Unit", "RefuseManualStart", 0) || parseSystemdBool(\%unitInfo, "Unit", "X-OnlyManualStart", 0)) {
-                    $unitsToStart{$unit} = 1;
-                    recordUnit($startListFile, $unit);
+                if (!(parse_systemd_bool(\%new_unit_info, "Unit", "RefuseManualStart", 0) || parse_systemd_bool(\%new_unit_info, "Unit", "X-OnlyManualStart", 0))) {
+                    $units_to_start{$unit} = 1;
+                    record_unit($start_list_file, $unit);
                     # Don't spam the user with target units that always get started.
-                    $unitsToFilter{$unit} = 1;
+                    $units_to_filter{$unit} = 1;
                 }
             }
 
@@ -515,33 +560,35 @@ while (my ($unit, $state) = each(%{$activePrev})) {
             # Stopping a target generally has no effect on other units
             # (unless there is a PartOf dependency), so this is just a
             # bookkeeping thing to get systemd to do the right thing.
-            if (parseSystemdBool(\%unitInfo, "Unit", "X-StopOnReconfiguration", 0)) {
-                $unitsToStop{$unit} = 1;
+            if (parse_systemd_bool(\%new_unit_info, "Unit", "X-StopOnReconfiguration", 0)) {
+                $units_to_stop{$unit} = 1;
             }
         }
 
         else {
-            my %old_unit_info = parse_unit($prevUnitFile);
-            my %new_unit_info = parse_unit($newUnitFile);
-            my $diff = compare_units(\%old_unit_info, \%new_unit_info);
+            my %cur_unit_info = parse_unit($cur_unit_file);
+            my %new_unit_info = parse_unit($new_unit_file);
+            my $diff = compare_units(\%cur_unit_info, \%new_unit_info);
             if ($diff == 1) {
-                handleModifiedUnit($unit, $baseName, $newUnitFile, \%new_unit_info, $activePrev, \%unitsToStop, \%unitsToStart, \%unitsToReload, \%unitsToRestart, \%unitsToSkip);
-            } elsif ($diff == 2 and not $unitsToRestart{$unit}) {
-                $unitsToReload{$unit} = 1;
-                recordUnit($reloadListFile, $unit);
+                handle_modified_unit($unit, $base_name, $new_unit_file, \%new_unit_info, $active_cur, \%units_to_stop, \%units_to_start, \%units_to_reload, \%units_to_restart, \%units_to_skip);
+            } elsif ($diff == 2 and not $units_to_restart{$unit}) {
+                $units_to_reload{$unit} = 1;
+                record_unit($reload_list_file, $unit);
             }
         }
     }
 }
 
-sub pathToUnitName {
+# Converts a path to the name of a systemd mount unit that would be responsible
+# for mounting this path.
+sub path_to_unit_name {
     my ($path) = @_;
     # Use current version of systemctl binary before daemon is reexeced.
-    open(my $cmd, "-|", "$curSystemd/systemd-escape", "--suffix=mount", "-p", $path)
+    open(my $cmd, "-|", "$cur_systemd/systemd-escape", "--suffix=mount", "-p", $path)
         or die "Unable to escape $path!\n";
-    my $escaped = join("", <$cmd>);
+    my $escaped = do { local $/ = undef; <$cmd> };
     chomp($escaped);
-    close($cmd) or die('Unable to close systemd-escape pipe');
+    close($cmd) or die("Unable to close systemd-escape pipe");
     return $escaped;
 }
 
@@ -550,31 +597,31 @@ sub pathToUnitName {
 # automatically by starting local-fs.target.  FIXME: might be nicer if
 # we generated units for all mounts; then we could unify this with the
 # unit checking code above.
-my ($prevFss, $prevSwaps) = parseFstab("/etc/fstab");
-my ($newFss, $newSwaps) = parseFstab("$out/etc/fstab");
-foreach my $mountPoint (keys(%$prevFss)) {
-    my $prev = $prevFss->{$mountPoint};
-    my $new = $newFss->{$mountPoint};
-    my $unit = pathToUnitName($mountPoint);
+my ($cur_fss, $cur_swaps) = parse_fstab("/etc/fstab");
+my ($new_fss, $new_swaps) = parse_fstab("$out/etc/fstab");
+foreach my $mount_point (keys(%{$cur_fss})) {
+    my $cur = $cur_fss->{$mount_point};
+    my $new = $new_fss->{$mount_point};
+    my $unit = path_to_unit_name($mount_point);
     if (!defined($new)) {
         # Filesystem entry disappeared, so unmount it.
-        $unitsToStop{$unit} = 1;
-    } elsif ($prev->{fsType} ne $new->{fsType} || $prev->{device} ne $new->{device}) {
+        $units_to_stop{$unit} = 1;
+    } elsif ($cur->{fsType} ne $new->{fsType} || $cur->{device} ne $new->{device}) {
         # Filesystem type or device changed, so unmount and mount it.
-        $unitsToStop{$unit} = 1;
-        $unitsToStart{$unit} = 1;
-        recordUnit($startListFile, $unit);
-    } elsif ($prev->{options} ne $new->{options}) {
+        $units_to_stop{$unit} = 1;
+        $units_to_start{$unit} = 1;
+        record_unit($start_list_file, $unit);
+    } elsif ($cur->{options} ne $new->{options}) {
         # Mount options changes, so remount it.
-        $unitsToReload{$unit} = 1;
-        recordUnit($reloadListFile, $unit);
+        $units_to_reload{$unit} = 1;
+        record_unit($reload_list_file, $unit);
     }
 }
 
 # Also handles swap devices.
-foreach my $device (keys(%$prevSwaps)) {
-    my $prev = $prevSwaps->{$device};
-    my $new = $newSwaps->{$device};
+foreach my $device (keys(%{$cur_swaps})) {
+    my $cur = $cur_swaps->{$device};
+    my $new = $new_swaps->{$device};
     if (!defined($new)) {
         # Swap entry disappeared, so turn it off.  Can't use
         # "systemctl stop" here because systemd has lots of alias
@@ -592,97 +639,109 @@ foreach my $device (keys(%$prevSwaps)) {
 
 
 # Should we have systemd re-exec itself?
-my $prevSystemd = abs_path("/proc/1/exe") // "/unknown";
-my $prevSystemdSystemConfig = abs_path("/etc/systemd/system.conf") // "/unknown";
-my $newSystemd = abs_path("@systemd@/lib/systemd/systemd") or die;
-my $newSystemdSystemConfig = abs_path("$out/etc/systemd/system.conf") // "/unknown";
+my $cur_pid1_path = abs_path("/proc/1/exe") // "/unknown";
+my $cur_systemd_system_config = abs_path("/etc/systemd/system.conf") // "/unknown";
+my $new_pid1_path = abs_path("$new_systemd/lib/systemd/systemd") or die;
+my $new_systemd_system_config = abs_path("$out/etc/systemd/system.conf") // "/unknown";
 
-my $restartSystemd = $prevSystemd ne $newSystemd;
-if ($prevSystemdSystemConfig ne $newSystemdSystemConfig) {
-    $restartSystemd = 1;
+my $restart_systemd = $cur_pid1_path ne $new_pid1_path;
+if ($cur_systemd_system_config ne $new_systemd_system_config) {
+    $restart_systemd = 1;
 }
 
-
-sub filterUnits {
+# Takes an array of unit names and returns an array with the same elements,
+# except all units that are also in the global variable `unitsToFilter`.
+sub filter_units {
     my ($units) = @_;
     my @res;
     foreach my $unit (sort(keys(%{$units}))) {
-        push(@res, $unit) if !defined($unitsToFilter{$unit});
+        if (!defined($units_to_filter{$unit})) {
+            push(@res, $unit);
+        }
     }
     return @res;
 }
 
-my @unitsToStopFiltered = filterUnits(\%unitsToStop);
+my @units_to_stop_filtered = filter_units(\%units_to_stop);
 
 
 # Show dry-run actions.
 if ($action eq "dry-activate") {
-    print STDERR "would stop the following units: ", join(", ", @unitsToStopFiltered), "\n"
-        if scalar(@unitsToStopFiltered) > 0;
-    print STDERR "would NOT stop the following changed units: ", join(", ", sort(keys(%unitsToSkip))), "\n"
-        if scalar(keys(%unitsToSkip)) > 0;
+    if (scalar(@units_to_stop_filtered) > 0) {
+        print STDERR "would stop the following units: ", join(", ", @units_to_stop_filtered), "\n";
+    }
+    if (scalar(keys(%units_to_skip)) > 0) {
+        print STDERR "would NOT stop the following changed units: ", join(", ", sort(keys(%units_to_skip))), "\n";
+    }
 
     print STDERR "would activate the configuration...\n";
     system("$out/dry-activate", "$out");
 
     # Handle the activation script requesting the restart or reload of a unit.
-    foreach (split('\n', read_file($dryRestartByActivationFile, err_mode => 'quiet') // "")) {
+    foreach (split(/\n/msx, read_file($dry_restart_by_activation_file, err_mode => "quiet") // "")) {
         my $unit = $_;
-        my $baseUnit = $unit;
-        my $newUnitFile = "$out/etc/systemd/system/$baseUnit";
+        my $base_unit = $unit;
+        my $new_unit_file = "$out/etc/systemd/system/$base_unit";
 
         # Detect template instances.
-        if (!-e $newUnitFile && $unit =~ /^(.*)@[^\.]*\.(.*)$/) {
-          $baseUnit = "$1\@.$2";
-          $newUnitFile = "$out/etc/systemd/system/$baseUnit";
+        if (!-e $new_unit_file && $unit =~ /^(.*)@[^\.]*\.(.*)$/msx) {
+          $base_unit = "$1\@.$2";
+          $new_unit_file = "$out/etc/systemd/system/$base_unit";
         }
 
-        my $baseName = $baseUnit;
-        $baseName =~ s/\.[a-z]*$//;
+        my $base_name = $base_unit;
+        $base_name =~ s/\.[[:lower:]]*$//msx;
 
         # Start units if they were not active previously
-        if (not defined($activePrev->{$unit})) {
-            $unitsToStart{$unit} = 1;
+        if (not defined($active_cur->{$unit})) {
+            $units_to_start{$unit} = 1;
             next;
         }
 
-        handleModifiedUnit($unit, $baseName, $newUnitFile, undef, $activePrev, \%unitsToRestart, \%unitsToRestart, \%unitsToReload, \%unitsToRestart, \%unitsToSkip);
+        handle_modified_unit($unit, $base_name, $new_unit_file, undef, $active_cur, \%units_to_restart, \%units_to_restart, \%units_to_reload, \%units_to_restart, \%units_to_skip);
     }
-    unlink($dryRestartByActivationFile);
+    unlink($dry_restart_by_activation_file);
 
-    foreach (split('\n', read_file($dryReloadByActivationFile, err_mode => 'quiet') // "")) {
+    foreach (split(/\n/msx, read_file($dry_reload_by_activation_file, err_mode => "quiet") // "")) {
         my $unit = $_;
 
-        if (defined($activePrev->{$unit}) and not $unitsToRestart{$unit} and not $unitsToStop{$unit}) {
-            $unitsToReload{$unit} = 1;
-            recordUnit($reloadListFile, $unit);
+        if (defined($active_cur->{$unit}) and not $units_to_restart{$unit} and not $units_to_stop{$unit}) {
+            $units_to_reload{$unit} = 1;
+            record_unit($reload_list_file, $unit);
         }
     }
-    unlink($dryReloadByActivationFile);
+    unlink($dry_reload_by_activation_file);
 
-    print STDERR "would restart systemd\n" if $restartSystemd;
-    print STDERR "would reload the following units: ", join(", ", sort(keys(%unitsToReload))), "\n"
-        if scalar(keys(%unitsToReload)) > 0;
-    print STDERR "would restart the following units: ", join(", ", sort(keys(%unitsToRestart))), "\n"
-        if scalar(keys(%unitsToRestart)) > 0;
-    my @unitsToStartFiltered = filterUnits(\%unitsToStart);
-    print STDERR "would start the following units: ", join(", ", @unitsToStartFiltered), "\n"
-        if scalar(@unitsToStartFiltered);
+    if ($restart_systemd) {
+        print STDERR "would restart systemd\n";
+    }
+    if (scalar(keys(%units_to_reload)) > 0) {
+        print STDERR "would reload the following units: ", join(", ", sort(keys(%units_to_reload))), "\n";
+    }
+    if (scalar(keys(%units_to_restart)) > 0) {
+        print STDERR "would restart the following units: ", join(", ", sort(keys(%units_to_restart))), "\n";
+    }
+    my @units_to_start_filtered = filter_units(\%units_to_start);
+    if (scalar(@units_to_start_filtered)) {
+        print STDERR "would start the following units: ", join(", ", @units_to_start_filtered), "\n";
+    }
     exit 0;
 }
 
 
 syslog(LOG_NOTICE, "switching to system configuration $out");
 
-if (scalar(keys(%unitsToStop)) > 0) {
-    print STDERR "stopping the following units: ", join(", ", @unitsToStopFiltered), "\n"
-        if scalar(@unitsToStopFiltered);
+if (scalar(keys(%units_to_stop)) > 0) {
+    if (scalar(@units_to_stop_filtered)) {
+        print STDERR "stopping the following units: ", join(", ", @units_to_stop_filtered), "\n";
+    }
     # Use current version of systemctl binary before daemon is reexeced.
-    system("$curSystemd/systemctl", "stop", "--", sort(keys(%unitsToStop)));
+    system("$cur_systemd/systemctl", "stop", "--", sort(keys(%units_to_stop)));
 }
 
-print STDERR "NOT restarting the following changed units: ", join(", ", sort(keys(%unitsToSkip))), "\n"
-    if scalar(keys(%unitsToSkip)) > 0;
+if (scalar(keys(%units_to_skip)) > 0) {
+    print STDERR "NOT restarting the following changed units: ", join(", ", sort(keys(%units_to_skip))), "\n";
+}
 
 # Activate the new configuration (i.e., update /etc, make accounts,
 # and so on).
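Review bot: The header comment on filter_units still refers to the global as `unitsToFilter`, the old camelCase spelling, while the body a few lines below reads `%units_to_filter`, so the comment became wrong with the rename this commit makes. The same comment also calls the parameter "an array of unit names", but the body does `keys(%{$units})` on it, i.e. it takes a hash reference keyed by unit name and returns a sorted list of the keys. Suggested wording: `# Takes a reference to a hash keyed by unit name and returns the sorted list of keys, except those also present in the global hash %units_to_filter.`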
@@ -691,108 +750,110 @@ print STDERR "activating the configuration...\n";
 system("$out/activate", "$out") == 0 or $res = 2;
 
 # Handle the activation script requesting the restart or reload of a unit.
-foreach (split('\n', read_file($restartByActivationFile, err_mode => 'quiet') // "")) {
+foreach (split(/\n/msx, read_file($restart_by_activation_file, err_mode => "quiet") // "")) {
     my $unit = $_;
-    my $baseUnit = $unit;
-    my $newUnitFile = "$out/etc/systemd/system/$baseUnit";
+    my $base_unit = $unit;
+    my $new_unit_file = "$out/etc/systemd/system/$base_unit";
 
     # Detect template instances.
-    if (!-e $newUnitFile && $unit =~ /^(.*)@[^\.]*\.(.*)$/) {
-      $baseUnit = "$1\@.$2";
-      $newUnitFile = "$out/etc/systemd/system/$baseUnit";
+    if (!-e $new_unit_file && $unit =~ /^(.*)@[^\.]*\.(.*)$/msx) {
+      $base_unit = "$1\@.$2";
+      $new_unit_file = "$out/etc/systemd/system/$base_unit";
     }
 
-    my $baseName = $baseUnit;
-    $baseName =~ s/\.[a-z]*$//;
+    my $base_name = $base_unit;
+    $base_name =~ s/\.[[:lower:]]*$//msx;
 
     # Start units if they were not active previously
-    if (not defined($activePrev->{$unit})) {
-        $unitsToStart{$unit} = 1;
-        recordUnit($startListFile, $unit);
+    if (not defined($active_cur->{$unit})) {
+        $units_to_start{$unit} = 1;
+        record_unit($start_list_file, $unit);
         next;
     }
 
-    handleModifiedUnit($unit, $baseName, $newUnitFile, undef, $activePrev, \%unitsToRestart, \%unitsToRestart, \%unitsToReload, \%unitsToRestart, \%unitsToSkip);
+    handle_modified_unit($unit, $base_name, $new_unit_file, undef, $active_cur, \%units_to_restart, \%units_to_restart, \%units_to_reload, \%units_to_restart, \%units_to_skip);
 }
 # We can remove the file now because it has been propagated to the other restart/reload files
-unlink($restartByActivationFile);
+unlink($restart_by_activation_file);
 
-foreach (split('\n', read_file($reloadByActivationFile, err_mode => 'quiet') // "")) {
+foreach (split(/\n/msx, read_file($reload_by_activation_file, err_mode => "quiet") // "")) {
     my $unit = $_;
 
-    if (defined($activePrev->{$unit}) and not $unitsToRestart{$unit} and not $unitsToStop{$unit}) {
-        $unitsToReload{$unit} = 1;
-        recordUnit($reloadListFile, $unit);
+    if (defined($active_cur->{$unit}) and not $units_to_restart{$unit} and not $units_to_stop{$unit}) {
+        $units_to_reload{$unit} = 1;
+        record_unit($reload_list_file, $unit);
     }
 }
 # We can remove the file now because it has been propagated to the other reload file
-unlink($reloadByActivationFile);
+unlink($reload_by_activation_file);
 
 # Restart systemd if necessary. Note that this is done using the
 # current version of systemd, just in case the new one has trouble
 # communicating with the running pid 1.
-if ($restartSystemd) {
+if ($restart_systemd) {
     print STDERR "restarting systemd...\n";
-    system("$curSystemd/systemctl", "daemon-reexec") == 0 or $res = 2;
+    system("$cur_systemd/systemctl", "daemon-reexec") == 0 or $res = 2;
 }
 
 # Forget about previously failed services.
-system("@systemd@/bin/systemctl", "reset-failed");
+system("$new_systemd/bin/systemctl", "reset-failed");
 
 # Make systemd reload its units.
-system("@systemd@/bin/systemctl", "daemon-reload") == 0 or $res = 3;
+system("$new_systemd/bin/systemctl", "daemon-reload") == 0 or $res = 3;
 
 # Reload user units
-open(my $listActiveUsers, '-|', '@systemd@/bin/loginctl', 'list-users', '--no-legend');
-while (my $f = <$listActiveUsers>) {
-    next unless $f =~ /^\s*(?<uid>\d+)\s+(?<user>\S+)/;
+open(my $list_active_users, "-|", "$new_systemd/bin/loginctl", "list-users", "--no-legend") || die("Unable to call loginctl");
+while (my $f = <$list_active_users>) {
+    if ($f !~ /^\s*(?<uid>\d+)\s+(?<user>\S+)/msx) {
+        next;
+    }
     my ($uid, $name) = ($+{uid}, $+{user});
     print STDERR "reloading user units for $name...\n";
 
     system("@su@", "-s", "@shell@", "-l", $name, "-c",
            "export XDG_RUNTIME_DIR=/run/user/$uid; " .
-           "$curSystemd/systemctl --user daemon-reexec; " .
-           "@systemd@/bin/systemctl --user start nixos-activation.service");
+           "$cur_systemd/systemctl --user daemon-reexec; " .
+           "$new_systemd/bin/systemctl --user start nixos-activation.service");
 }
 
-close($listActiveUsers);
+close($list_active_users) || die("Unable to close the file handle to loginctl");
 
 # Set the new tmpfiles
 print STDERR "setting up tmpfiles\n";
-system("@systemd@/bin/systemd-tmpfiles", "--create", "--remove", "--exclude-prefix=/dev") == 0 or $res = 3;
+system("$new_systemd/bin/systemd-tmpfiles", "--create", "--remove", "--exclude-prefix=/dev") == 0 or $res = 3;
 
 # Before reloading we need to ensure that the units are still active. They may have been
 # deactivated because one of their requirements got stopped. If they are inactive
 # but should have been reloaded, the user probably expects them to be started.
-if (scalar(keys(%unitsToReload)) > 0) {
-    for my $unit (keys(%unitsToReload)) {
+if (scalar(keys(%units_to_reload)) > 0) {
+    for my $unit (keys(%units_to_reload)) {
         if (!unit_is_active($unit)) {
             # Figure out if we need to start the unit
             my %unit_info = parse_unit("$out/etc/systemd/system/$unit");
-            if (!(parseSystemdBool(\%unit_info, 'Unit', 'RefuseManualStart', 0) || parseSystemdBool(\%unit_info, 'Unit', 'X-OnlyManualStart', 0))) {
-                $unitsToStart{$unit} = 1;
-                recordUnit($startListFile, $unit);
+            if (!(parse_systemd_bool(\%unit_info, "Unit", "RefuseManualStart", 0) || parse_systemd_bool(\%unit_info, "Unit", "X-OnlyManualStart", 0))) {
+                $units_to_start{$unit} = 1;
+                record_unit($start_list_file, $unit);
             }
             # Don't reload the unit, reloading would fail
-            delete %unitsToReload{$unit};
-            unrecord_unit($reloadListFile, $unit);
+            delete %units_to_reload{$unit};
+            unrecord_unit($reload_list_file, $unit);
         }
     }
 }
 # Reload units that need it. This includes remounting changed mount
 # units.
-if (scalar(keys(%unitsToReload)) > 0) {
-    print STDERR "reloading the following units: ", join(", ", sort(keys(%unitsToReload))), "\n";
-    system("@systemd@/bin/systemctl", "reload", "--", sort(keys(%unitsToReload))) == 0 or $res = 4;
-    unlink($reloadListFile);
+if (scalar(keys(%units_to_reload)) > 0) {
+    print STDERR "reloading the following units: ", join(", ", sort(keys(%units_to_reload))), "\n";
+    system("$new_systemd/bin/systemctl", "reload", "--", sort(keys(%units_to_reload))) == 0 or $res = 4;
+    unlink($reload_list_file);
 }
 
 # Restart changed services (those that have to be restarted rather
 # than stopped and started).
-if (scalar(keys(%unitsToRestart)) > 0) {
-    print STDERR "restarting the following units: ", join(", ", sort(keys(%unitsToRestart))), "\n";
-    system("@systemd@/bin/systemctl", "restart", "--", sort(keys(%unitsToRestart))) == 0 or $res = 4;
-    unlink($restartListFile);
+if (scalar(keys(%units_to_restart)) > 0) {
+    print STDERR "restarting the following units: ", join(", ", sort(keys(%units_to_restart))), "\n";
+    system("$new_systemd/bin/systemctl", "restart", "--", sort(keys(%units_to_restart))) == 0 or $res = 4;
+    unlink($restart_list_file);
 }
 
 # Start all active targets, as well as changed units we stopped above.
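Review bot: `close($list_active_users) || die("Unable to close the file handle to loginctl")` at the end of the user-unit loop turns a non-zero exit of `loginctl list-users` into a fatal abort, because close() on a pipe handle returns false when the child exits non-zero (with `$?` set and `$!` zero); the old code did not check close() at all. That abort happens after the new configuration is activated but before tmpfiles are set up and the queued reload/restart/start of units runs, which leaves the system half-switched, whereas every other step in this script reports failure through `$res` and keeps going. Consider `close($list_active_users) or warn("loginctl exited with status $?")` (or folding it into `$res`), and likewise for the `systemctl show` pipe in the next hunk, where a die inside the loop also drops the failed/new unit summary. Minor style point: the file otherwise uses the low-precedence `or die` (see path_to_unit_name); `||` is correct here only because the calls are parenthesised.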
@@ -801,17 +862,18 @@ if (scalar(keys(%unitsToRestart)) > 0) {
 # that are symlinks to other units.  We shouldn't start both at the
 # same time because we'll get a "Failed to add path to set" error from
 # systemd.
-my @unitsToStartFiltered = filterUnits(\%unitsToStart);
-print STDERR "starting the following units: ", join(", ", @unitsToStartFiltered), "\n"
-    if scalar(@unitsToStartFiltered);
-system("@systemd@/bin/systemctl", "start", "--", sort(keys(%unitsToStart))) == 0 or $res = 4;
-unlink($startListFile);
+my @units_to_start_filtered = filter_units(\%units_to_start);
+if (scalar(@units_to_start_filtered)) {
+    print STDERR "starting the following units: ", join(", ", @units_to_start_filtered), "\n"
+}
+system("$new_systemd/bin/systemctl", "start", "--", sort(keys(%units_to_start))) == 0 or $res = 4;
+unlink($start_list_file);
 
 
 # Print failed and new units.
 my (@failed, @new);
-my $activeNew = getActiveUnits();
-while (my ($unit, $state) = each(%{$activeNew})) {
+my $active_new = get_active_units();
+while (my ($unit, $state) = each(%{$active_new})) {
     if ($state->{state} eq "failed") {
         push(@failed, $unit);
         next;
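Review bot: The `print STDERR "starting the following units: ", ...` line inside the new `if (scalar(@units_to_start_filtered))` block has no trailing semicolon; it is accepted only because it is the last statement in the block, and every sibling block this commit rewrote (stopping, reloading, restarting) ends its print with `;`. Add the semicolon: `print STDERR "starting the following units: ", join(", ", @units_to_start_filtered), "\n";`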
@@ -819,7 +881,9 @@ while (my ($unit, $state) = each(%{$activeNew})) {
 
     if ($state->{substate} eq "auto-restart") {
         # A unit in auto-restart substate is a failure *if* it previously failed to start
-        my $main_status = `@systemd@/bin/systemctl show --value --property=ExecMainStatus '$unit'`;
+        open(my $main_status_fd, "-|", "$new_systemd/bin/systemctl", "show", "--value", "--property=ExecMainStatus", $unit) || die("Unable to call 'systemctl show'");
+        my $main_status = do { local $/ = undef; <$main_status_fd> };
+        close($main_status_fd) || die("Unable to close 'systemctl show' fd");
         chomp($main_status);
 
         if ($main_status ne "0") {
@@ -831,7 +895,7 @@ while (my ($unit, $state) = each(%{$activeNew})) {
     # Ignore scopes since they are not managed by this script but rather
     # created and managed by third-party services via the systemd dbus API.
     # This only lists units that are not failed (including ones that are in auto-restart but have not failed previously)
-    if ($state->{state} ne "failed" && !defined($activePrev->{$unit}) && $unit !~ /\.scope$/msx) {
+    if ($state->{state} ne "failed" && !defined($active_cur->{$unit}) && $unit !~ /\.scope$/msx) {
         push(@new, $unit);
     }
 }
@@ -843,7 +907,7 @@ if (scalar(@new) > 0) {
 if (scalar(@failed) > 0) {
     my @failed_sorted = sort(@failed);
     print STDERR "warning: the following units failed: ", join(", ", @failed_sorted), "\n\n";
-    system("@systemd@/bin/systemctl status --no-pager --full '" . join("' '", @failed_sorted) . "' >&2");
+    system("$new_systemd/bin/systemctl status --no-pager --full '" . join("' '", @failed_sorted) . "' >&2");
     $res = 4;
 }
 
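Review bot: The `systemctl status` invocation on the failed units still goes through the shell with hand-built single quotes around each name, while this commit converts the comparable `systemctl show` backtick into a list-form `open` that passes `$unit` as an argument; the two call sites should be treated the same way. systemd's own unit-name character set does not include a quote, so this is about consistency and dropping the shell dependency rather than a live injection. A list-form equivalent that keeps the output on STDERR is `open(my $status_fd, "-|", "$new_systemd/bin/systemctl", "status", "--no-pager", "--full", "--", @failed_sorted) or die("Unable to call 'systemctl status'");`, `print STDERR $_ while <$status_fd>;`, `close($status_fd);` — note that close() must not `die` here, since `systemctl status` exits non-zero for a failed unit by design, matching the existing code which ignores system()'s return value.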
diff --git a/nixpkgs/nixos/modules/system/boot/kernel.nix b/nixpkgs/nixos/modules/system/boot/kernel.nix
index d147155d796c..db00244ca0af 100644
--- a/nixpkgs/nixos/modules/system/boot/kernel.nix
+++ b/nixpkgs/nixos/modules/system/boot/kernel.nix
@@ -36,7 +36,7 @@ in
 
     boot.kernelPackages = mkOption {
       default = pkgs.linuxPackages;
-      type = types.unspecified // { merge = mergeEqualOption; };
+      type = types.raw;
       apply = kernelPackages: kernelPackages.extend (self: super: {
         kernel = super.kernel.override (originalArgs: {
           inherit randstructSeed;
diff --git a/nixpkgs/nixos/modules/system/boot/modprobe.nix b/nixpkgs/nixos/modules/system/boot/modprobe.nix
index 27f78835adb2..e683d1817297 100644
--- a/nixpkgs/nixos/modules/system/boot/modprobe.nix
+++ b/nixpkgs/nixos/modules/system/boot/modprobe.nix
@@ -34,23 +34,6 @@ with lib;
       type = types.lines;
     };
 
-    boot.initrd.extraModprobeConfig = mkOption {
-      default = "";
-      example =
-        ''
-          options zfs zfs_arc_max=1073741824
-        '';
-      description = ''
-        Does exactly the same thing as
-        <option>boot.extraModprobeConfig</option>, except
-        that the generated <filename>modprobe.conf</filename>
-        file is also included in the initrd.
-        This is useful for setting module options for kernel
-        modules that are loaded during early boot in the initrd.
-      '';
-      type = types.lines;
-    };
-
   };
 
 
@@ -67,9 +50,6 @@ with lib;
         '')}
         ${config.boot.extraModprobeConfig}
       '';
-    environment.etc."modprobe.d/nixos-initrd.conf".text = ''
-        ${config.boot.initrd.extraModprobeConfig}
-      '';
     environment.etc."modprobe.d/debian.conf".source = pkgs.kmod-debian-aliases;
 
     environment.etc."modprobe.d/systemd.conf".source = "${pkgs.systemd}/lib/modprobe.d/systemd.conf";
diff --git a/nixpkgs/nixos/modules/system/boot/stage-1.nix b/nixpkgs/nixos/modules/system/boot/stage-1.nix
index 1575c0257d1c..8b011d91563f 100644
--- a/nixpkgs/nixos/modules/system/boot/stage-1.nix
+++ b/nixpkgs/nixos/modules/system/boot/stage-1.nix
@@ -338,9 +338,6 @@ let
         { object = pkgs.writeText "mdadm.conf" config.boot.initrd.mdadmConf;
           symlink = "/etc/mdadm.conf";
         }
-        { object = config.environment.etc."modprobe.d/nixos-initrd.conf".source;
-          symlink = "/etc/modprobe.d/nixos-initrd.conf";
-        }
         { object = pkgs.runCommand "initrd-kmod-blacklist-ubuntu" {
               src = "${pkgs.kmod-blacklist-ubuntu}/modprobe.conf";
               preferLocalBuild = true;
@@ -581,7 +578,7 @@ in
         else "gzip"
       );
       defaultText = literalDocBook "<literal>zstd</literal> if the kernel supports it (5.9+), <literal>gzip</literal> if not";
-      type = types.unspecified; # We don't have a function type...
+      type = types.either types.str (types.functionTo types.str);
       description = ''
         The compressor to use on the initrd image. May be any of:
 
diff --git a/nixpkgs/nixos/modules/system/boot/stage-2.nix b/nixpkgs/nixos/modules/system/boot/stage-2.nix
index f6b6a8e4b0b4..fa2bf938df4f 100644
--- a/nixpkgs/nixos/modules/system/boot/stage-2.nix
+++ b/nixpkgs/nixos/modules/system/boot/stage-2.nix
@@ -47,36 +47,6 @@ in
         '';
       };
 
-      devSize = mkOption {
-        default = "5%";
-        example = "32m";
-        type = types.str;
-        description = ''
-          Size limit for the /dev tmpfs. Look at mount(8), tmpfs size option,
-          for the accepted syntax.
-        '';
-      };
-
-      devShmSize = mkOption {
-        default = "50%";
-        example = "256m";
-        type = types.str;
-        description = ''
-          Size limit for the /dev/shm tmpfs. Look at mount(8), tmpfs size option,
-          for the accepted syntax.
-        '';
-      };
-
-      runSize = mkOption {
-        default = "25%";
-        example = "256m";
-        type = types.str;
-        description = ''
-          Size limit for the /run tmpfs. Look at mount(8), tmpfs size option,
-          for the accepted syntax.
-        '';
-      };
-
       systemdExecutable = mkOption {
         default = "systemd";
         type = types.str;
diff --git a/nixpkgs/nixos/modules/system/boot/systemd.nix b/nixpkgs/nixos/modules/system/boot/systemd.nix
index 2607e57195ca..057474c607ac 100644
--- a/nixpkgs/nixos/modules/system/boot/systemd.nix
+++ b/nixpkgs/nixos/modules/system/boot/systemd.nix
@@ -2,7 +2,6 @@
 
 with utils;
 with systemdUtils.unitOptions;
-with systemdUtils.lib;
 with lib;
 
 let
@@ -11,6 +10,24 @@ let
 
   systemd = cfg.package;
 
+  inherit (systemdUtils.lib)
+    makeUnit
+    generateUnits
+    makeJobScript
+    unitConfig
+    serviceConfig
+    mountConfig
+    automountConfig
+    commonUnitText
+    targetToUnit
+    serviceToUnit
+    socketToUnit
+    timerToUnit
+    pathToUnit
+    mountToUnit
+    automountToUnit
+    sliceToUnit;
+
   upstreamSystemUnits =
     [ # Targets.
       "basic.target"
@@ -63,32 +80,6 @@ let
       "printer.target"
       "smartcard.target"
 
-      # Login stuff.
-      "systemd-logind.service"
-      "autovt@.service"
-      "systemd-user-sessions.service"
-      "dbus-org.freedesktop.import1.service"
-      "dbus-org.freedesktop.machine1.service"
-      "dbus-org.freedesktop.login1.service"
-      "user@.service"
-      "user-runtime-dir@.service"
-
-      # Journal.
-      "systemd-journald.socket"
-      "systemd-journald@.socket"
-      "systemd-journald-varlink@.socket"
-      "systemd-journald.service"
-      "systemd-journald@.service"
-      "systemd-journal-flush.service"
-      "systemd-journal-catalog-update.service"
-      ] ++ (optional (!config.boot.isContainer) "systemd-journald-audit.socket") ++ [
-      "systemd-journald-dev-log.socket"
-      "syslog.socket"
-
-      # Coredumps.
-      "systemd-coredump.socket"
-      "systemd-coredump@.service"
-
       # Kernel module loading.
       "systemd-modules-load.service"
       "kmod-static-nodes.service"
@@ -149,19 +140,12 @@ let
 
       # Slices / containers.
       "slices.target"
-      "user.slice"
       "machine.slice"
       "machines.target"
       "systemd-importd.service"
       "systemd-machined.service"
       "systemd-nspawn@.service"
 
-      # Temporary file creation / cleanup.
-      "systemd-tmpfiles-clean.service"
-      "systemd-tmpfiles-clean.timer"
-      "systemd-tmpfiles-setup.service"
-      "systemd-tmpfiles-setup-dev.service"
-
       # Misc.
       "systemd-sysctl.service"
       "dbus-org.freedesktop.timedate1.service"
@@ -172,9 +156,6 @@ let
       "systemd-hostnamed.service"
       "systemd-exit.service"
       "systemd-update-done.service"
-    ] ++ optionals config.services.journald.enableHttpGateway [
-      "systemd-journal-gatewayd.socket"
-      "systemd-journal-gatewayd.service"
     ] ++ cfg.additionalUpstreamSystemUnits;
 
   upstreamSystemWants =
@@ -185,237 +166,6 @@ let
       "timers.target.wants"
     ];
 
-    upstreamUserUnits = [
-      "app.slice"
-      "background.slice"
-      "basic.target"
-      "bluetooth.target"
-      "default.target"
-      "exit.target"
-      "graphical-session-pre.target"
-      "graphical-session.target"
-      "paths.target"
-      "printer.target"
-      "session.slice"
-      "shutdown.target"
-      "smartcard.target"
-      "sockets.target"
-      "sound.target"
-      "systemd-exit.service"
-      "systemd-tmpfiles-clean.service"
-      "systemd-tmpfiles-clean.timer"
-      "systemd-tmpfiles-setup.service"
-      "timers.target"
-      "xdg-desktop-autostart.target"
-    ];
-
-  makeJobScript = name: text:
-    let
-      scriptName = replaceChars [ "\\" "@" ] [ "-" "_" ] (shellEscape name);
-      out = (pkgs.writeShellScriptBin scriptName ''
-        set -e
-        ${text}
-      '').overrideAttrs (_: {
-        # The derivation name is different from the script file name
-        # to keep the script file name short to avoid cluttering logs.
-        name = "unit-script-${scriptName}";
-      });
-    in "${out}/bin/${scriptName}";
-
-  unitConfig = { config, options, ... }: {
-    config = {
-      unitConfig =
-        optionalAttrs (config.requires != [])
-          { Requires = toString config.requires; }
-        // optionalAttrs (config.wants != [])
-          { Wants = toString config.wants; }
-        // optionalAttrs (config.after != [])
-          { After = toString config.after; }
-        // optionalAttrs (config.before != [])
-          { Before = toString config.before; }
-        // optionalAttrs (config.bindsTo != [])
-          { BindsTo = toString config.bindsTo; }
-        // optionalAttrs (config.partOf != [])
-          { PartOf = toString config.partOf; }
-        // optionalAttrs (config.conflicts != [])
-          { Conflicts = toString config.conflicts; }
-        // optionalAttrs (config.requisite != [])
-          { Requisite = toString config.requisite; }
-        // optionalAttrs (config.restartTriggers != [])
-          { X-Restart-Triggers = toString config.restartTriggers; }
-        // optionalAttrs (config.reloadTriggers != [])
-          { X-Reload-Triggers = toString config.reloadTriggers; }
-        // optionalAttrs (config.description != "") {
-          Description = config.description; }
-        // optionalAttrs (config.documentation != []) {
-          Documentation = toString config.documentation; }
-        // optionalAttrs (config.onFailure != []) {
-          OnFailure = toString config.onFailure; }
-        // optionalAttrs (options.startLimitIntervalSec.isDefined) {
-          StartLimitIntervalSec = toString config.startLimitIntervalSec;
-        } // optionalAttrs (options.startLimitBurst.isDefined) {
-          StartLimitBurst = toString config.startLimitBurst;
-        };
-    };
-  };
-
-  serviceConfig = { name, config, ... }: {
-    config = mkMerge
-      [ { # Default path for systemd services.  Should be quite minimal.
-          path = mkAfter
-            [ pkgs.coreutils
-              pkgs.findutils
-              pkgs.gnugrep
-              pkgs.gnused
-              systemd
-            ];
-          environment.PATH = "${makeBinPath config.path}:${makeSearchPathOutput "bin" "sbin" config.path}";
-        }
-        (mkIf (config.preStart != "")
-          { serviceConfig.ExecStartPre =
-              [ (makeJobScript "${name}-pre-start" config.preStart) ];
-          })
-        (mkIf (config.script != "")
-          { serviceConfig.ExecStart =
-              makeJobScript "${name}-start" config.script + " " + config.scriptArgs;
-          })
-        (mkIf (config.postStart != "")
-          { serviceConfig.ExecStartPost =
-              [ (makeJobScript "${name}-post-start" config.postStart) ];
-          })
-        (mkIf (config.reload != "")
-          { serviceConfig.ExecReload =
-              makeJobScript "${name}-reload" config.reload;
-          })
-        (mkIf (config.preStop != "")
-          { serviceConfig.ExecStop =
-              makeJobScript "${name}-pre-stop" config.preStop;
-          })
-        (mkIf (config.postStop != "")
-          { serviceConfig.ExecStopPost =
-              makeJobScript "${name}-post-stop" config.postStop;
-          })
-      ];
-  };
-
-  mountConfig = { config, ... }: {
-    config = {
-      mountConfig =
-        { What = config.what;
-          Where = config.where;
-        } // optionalAttrs (config.type != "") {
-          Type = config.type;
-        } // optionalAttrs (config.options != "") {
-          Options = config.options;
-        };
-    };
-  };
-
-  automountConfig = { config, ... }: {
-    config = {
-      automountConfig =
-        { Where = config.where;
-        };
-    };
-  };
-
-  commonUnitText = def: ''
-      [Unit]
-      ${attrsToSection def.unitConfig}
-    '';
-
-  targetToUnit = name: def:
-    { inherit (def) aliases wantedBy requiredBy enable;
-      text =
-        ''
-          [Unit]
-          ${attrsToSection def.unitConfig}
-        '';
-    };
-
-  serviceToUnit = name: def:
-    { inherit (def) aliases wantedBy requiredBy enable;
-      text = commonUnitText def +
-        ''
-          [Service]
-          ${let env = cfg.globalEnvironment // def.environment;
-            in concatMapStrings (n:
-              let s = optionalString (env.${n} != null)
-                "Environment=${builtins.toJSON "${n}=${env.${n}}"}\n";
-              # systemd max line length is now 1MiB
-              # https://github.com/systemd/systemd/commit/e6dde451a51dc5aaa7f4d98d39b8fe735f73d2af
-              in if stringLength s >= 1048576 then throw "The value of the environment variable ‘${n}’ in systemd service ‘${name}.service’ is too long." else s) (attrNames env)}
-          ${if def.reloadIfChanged then ''
-            X-ReloadIfChanged=true
-          '' else if !def.restartIfChanged then ''
-            X-RestartIfChanged=false
-          '' else ""}
-          ${optionalString (!def.stopIfChanged) "X-StopIfChanged=false"}
-          ${attrsToSection def.serviceConfig}
-        '';
-    };
-
-  socketToUnit = name: def:
-    { inherit (def) aliases wantedBy requiredBy enable;
-      text = commonUnitText def +
-        ''
-          [Socket]
-          ${attrsToSection def.socketConfig}
-          ${concatStringsSep "\n" (map (s: "ListenStream=${s}") def.listenStreams)}
-          ${concatStringsSep "\n" (map (s: "ListenDatagram=${s}") def.listenDatagrams)}
-        '';
-    };
-
-  timerToUnit = name: def:
-    { inherit (def) aliases wantedBy requiredBy enable;
-      text = commonUnitText def +
-        ''
-          [Timer]
-          ${attrsToSection def.timerConfig}
-        '';
-    };
-
-  pathToUnit = name: def:
-    { inherit (def) aliases wantedBy requiredBy enable;
-      text = commonUnitText def +
-        ''
-          [Path]
-          ${attrsToSection def.pathConfig}
-        '';
-    };
-
-  mountToUnit = name: def:
-    { inherit (def) aliases wantedBy requiredBy enable;
-      text = commonUnitText def +
-        ''
-          [Mount]
-          ${attrsToSection def.mountConfig}
-        '';
-    };
-
-  automountToUnit = name: def:
-    { inherit (def) aliases wantedBy requiredBy enable;
-      text = commonUnitText def +
-        ''
-          [Automount]
-          ${attrsToSection def.automountConfig}
-        '';
-    };
-
-  sliceToUnit = name: def:
-    { inherit (def) aliases wantedBy requiredBy enable;
-      text = commonUnitText def +
-        ''
-          [Slice]
-          ${attrsToSection def.sliceConfig}
-        '';
-    };
-
-  logindHandlerType = types.enum [
-    "ignore" "poweroff" "reboot" "halt" "kexec" "suspend"
-    "hibernate" "hybrid-sleep" "suspend-then-hibernate" "lock"
-  ];
-
   proxy_env = config.networking.proxy.envVars;
 
 in
@@ -568,26 +318,6 @@ in
       '';
     };
 
-    systemd.coredump.enable = mkOption {
-      default = true;
-      type = types.bool;
-      description = ''
-        Whether core dumps should be processed by
-        <command>systemd-coredump</command>. If disabled, core dumps
-        appear in the current directory of the crashing process.
-      '';
-    };
-
-    systemd.coredump.extraConfig = mkOption {
-      default = "";
-      type = types.lines;
-      example = "Storage=journal";
-      description = ''
-        Extra config options for systemd-coredump. See coredump.conf(5) man page
-        for available options.
-      '';
-    };
-
     systemd.extraConfig = mkOption {
       default = "";
       type = types.lines;
@@ -598,142 +328,6 @@ in
       '';
     };
 
-    services.journald.console = mkOption {
-      default = "";
-      type = types.str;
-      description = "If non-empty, write log messages to the specified TTY device.";
-    };
-
-    services.journald.rateLimitInterval = mkOption {
-      default = "30s";
-      type = types.str;
-      description = ''
-        Configures the rate limiting interval that is applied to all
-        messages generated on the system. This rate limiting is applied
-        per-service, so that two services which log do not interfere with
-        each other's limit. The value may be specified in the following
-        units: s, min, h, ms, us. To turn off any kind of rate limiting,
-        set either value to 0.
-
-        See <option>services.journald.rateLimitBurst</option> for important
-        considerations when setting this value.
-      '';
-    };
-
-    services.journald.rateLimitBurst = mkOption {
-      default = 10000;
-      type = types.int;
-      description = ''
-        Configures the rate limiting burst limit (number of messages per
-        interval) that is applied to all messages generated on the system.
-        This rate limiting is applied per-service, so that two services
-        which log do not interfere with each other's limit.
-
-        Note that the effective rate limit is multiplied by a factor derived
-        from the available free disk space for the journal as described on
-        <link xlink:href="https://www.freedesktop.org/software/systemd/man/journald.conf.html">
-        journald.conf(5)</link>.
-
-        Note that the total amount of logs stored is limited by journald settings
-        such as <literal>SystemMaxUse</literal>, which defaults to a 4 GB cap.
-
-        It is thus recommended to compute what period of time that you will be
-        able to store logs for when an application logs at full burst rate.
-        With default settings for log lines that are 100 Bytes long, this can
-        amount to just a few hours.
-      '';
-    };
-
-    services.journald.extraConfig = mkOption {
-      default = "";
-      type = types.lines;
-      example = "Storage=volatile";
-      description = ''
-        Extra config options for systemd-journald. See man journald.conf
-        for available options.
-      '';
-    };
-
-    services.journald.enableHttpGateway = mkOption {
-      default = false;
-      type = types.bool;
-      description = ''
-        Whether to enable the HTTP gateway to the journal.
-      '';
-    };
-
-    services.journald.forwardToSyslog = mkOption {
-      default = config.services.rsyslogd.enable || config.services.syslog-ng.enable;
-      defaultText = literalExpression "services.rsyslogd.enable || services.syslog-ng.enable";
-      type = types.bool;
-      description = ''
-        Whether to forward log messages to syslog.
-      '';
-    };
-
-    services.logind.extraConfig = mkOption {
-      default = "";
-      type = types.lines;
-      example = "IdleAction=lock";
-      description = ''
-        Extra config options for systemd-logind. See
-        <link xlink:href="https://www.freedesktop.org/software/systemd/man/logind.conf.html">
-        logind.conf(5)</link> for available options.
-      '';
-    };
-
-    services.logind.killUserProcesses = mkOption {
-      default = false;
-      type = types.bool;
-      description = ''
-        Specifies whether the processes of a user should be killed
-        when the user logs out.  If true, the scope unit corresponding
-        to the session and all processes inside that scope will be
-        terminated.  If false, the scope is "abandoned" (see
-        <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.scope.html#">
-        systemd.scope(5)</link>), and processes are not killed.
-        </para>
-
-        <para>
-        See <link xlink:href="https://www.freedesktop.org/software/systemd/man/logind.conf.html#KillUserProcesses=">logind.conf(5)</link>
-        for more details.
-      '';
-    };
-
-    services.logind.lidSwitch = mkOption {
-      default = "suspend";
-      example = "ignore";
-      type = logindHandlerType;
-
-      description = ''
-        Specifies what to be done when the laptop lid is closed.
-      '';
-    };
-
-    services.logind.lidSwitchDocked = mkOption {
-      default = "ignore";
-      example = "suspend";
-      type = logindHandlerType;
-
-      description = ''
-        Specifies what to be done when the laptop lid is closed
-        and another screen is added.
-      '';
-    };
-
-    services.logind.lidSwitchExternalPower = mkOption {
-      default = config.services.logind.lidSwitch;
-      defaultText = literalExpression "services.logind.lidSwitch";
-      example = "ignore";
-      type = logindHandlerType;
-
-      description = ''
-        Specifies what to do when the laptop lid is closed and the system is
-        on external power. By default use the same action as specified in
-        services.logind.lidSwitch.
-      '';
-    };
-
     systemd.sleep.extraConfig = mkOption {
       default = "";
       type = types.lines;
@@ -744,95 +338,6 @@ in
       '';
     };
 
-    systemd.user.extraConfig = mkOption {
-      default = "";
-      type = types.lines;
-      example = "DefaultCPUAccounting=yes";
-      description = ''
-        Extra config options for systemd user instances. See man systemd-user.conf for
-        available options.
-      '';
-    };
-
-    systemd.tmpfiles.rules = mkOption {
-      type = types.listOf types.str;
-      default = [];
-      example = [ "d /tmp 1777 root root 10d" ];
-      description = ''
-        Rules for creation, deletion and cleaning of volatile and temporary files
-        automatically. See
-        <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
-        for the exact format.
-      '';
-    };
-
-    systemd.tmpfiles.packages = mkOption {
-      type = types.listOf types.package;
-      default = [];
-      example = literalExpression "[ pkgs.lvm2 ]";
-      apply = map getLib;
-      description = ''
-        List of packages containing <command>systemd-tmpfiles</command> rules.
-
-        All files ending in .conf found in
-        <filename><replaceable>pkg</replaceable>/lib/tmpfiles.d</filename>
-        will be included.
-        If this folder does not exist or does not contain any files an error will be returned instead.
-
-        If a <filename>lib</filename> output is available, rules are searched there and only there.
-        If there is no <filename>lib</filename> output it will fall back to <filename>out</filename>
-        and if that does not exist either, the default output will be used.
-      '';
-    };
-
-    systemd.user.units = mkOption {
-      description = "Definition of systemd per-user units.";
-      default = {};
-      type = with types; attrsOf (submodule (
-        { name, config, ... }:
-        { options = concreteUnitOptions;
-          config = {
-            unit = mkDefault (makeUnit name config);
-          };
-        }));
-    };
-
-    systemd.user.paths = mkOption {
-      default = {};
-      type = with types; attrsOf (submodule [ { options = pathOptions; } unitConfig ]);
-      description = "Definition of systemd per-user path units.";
-    };
-
-    systemd.user.services = mkOption {
-      default = {};
-      type = with types; attrsOf (submodule [ { options = serviceOptions; } unitConfig serviceConfig ] );
-      description = "Definition of systemd per-user service units.";
-    };
-
-    systemd.user.slices = mkOption {
-      default = {};
-      type = with types; attrsOf (submodule [ { options = sliceOptions; } unitConfig ] );
-      description = "Definition of systemd per-user slice units.";
-    };
-
-    systemd.user.sockets = mkOption {
-      default = {};
-      type = with types; attrsOf (submodule [ { options = socketOptions; } unitConfig ] );
-      description = "Definition of systemd per-user socket units.";
-    };
-
-    systemd.user.targets = mkOption {
-      default = {};
-      type = with types; attrsOf (submodule [ { options = targetOptions; } unitConfig] );
-      description = "Definition of systemd per-user target units.";
-    };
-
-    systemd.user.timers = mkOption {
-      default = {};
-      type = with types; attrsOf (submodule [ { options = timerOptions; } unitConfig ] );
-      description = "Definition of systemd per-user timer units.";
-    };
-
     systemd.additionalUpstreamSystemUnits = mkOption {
       default = [ ];
       type = types.listOf types.str;
@@ -968,8 +473,6 @@ in
     in ({
       "systemd/system".source = generateUnits "system" enabledUnits enabledUpstreamSystemUnits upstreamSystemWants;
 
-      "systemd/user".source = generateUnits "user" cfg.user.units upstreamUserUnits [];
-
       "systemd/system.conf".text = ''
         [Manager]
         ${optionalString config.systemd.enableCgroupAccounting ''
@@ -995,76 +498,17 @@ in
         ${config.systemd.extraConfig}
       '';
 
-      "systemd/user.conf".text = ''
-        [Manager]
-        ${config.systemd.user.extraConfig}
-      '';
-
-      "systemd/journald.conf".text = ''
-        [Journal]
-        Storage=persistent
-        RateLimitInterval=${config.services.journald.rateLimitInterval}
-        RateLimitBurst=${toString config.services.journald.rateLimitBurst}
-        ${optionalString (config.services.journald.console != "") ''
-          ForwardToConsole=yes
-          TTYPath=${config.services.journald.console}
-        ''}
-        ${optionalString (config.services.journald.forwardToSyslog) ''
-          ForwardToSyslog=yes
-        ''}
-        ${config.services.journald.extraConfig}
-      '';
-
-      "systemd/coredump.conf".text =
-        ''
-          [Coredump]
-          ${config.systemd.coredump.extraConfig}
-        '';
-
-      "systemd/logind.conf".text = ''
-        [Login]
-        KillUserProcesses=${if config.services.logind.killUserProcesses then "yes" else "no"}
-        HandleLidSwitch=${config.services.logind.lidSwitch}
-        HandleLidSwitchDocked=${config.services.logind.lidSwitchDocked}
-        HandleLidSwitchExternalPower=${config.services.logind.lidSwitchExternalPower}
-        ${config.services.logind.extraConfig}
-      '';
-
       "systemd/sleep.conf".text = ''
         [Sleep]
         ${config.systemd.sleep.extraConfig}
       '';
 
-      # install provided sysctl snippets
-      "sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf";
-      "sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf";
-
-      "tmpfiles.d".source = (pkgs.symlinkJoin {
-        name = "tmpfiles.d";
-        paths = map (p: p + "/lib/tmpfiles.d") cfg.tmpfiles.packages;
-        postBuild = ''
-          for i in $(cat $pathsPath); do
-            (test -d "$i" && test $(ls "$i"/*.conf | wc -l) -ge 1) || (
-              echo "ERROR: The path '$i' from systemd.tmpfiles.packages contains no *.conf files."
-              exit 1
-            )
-          done
-        '' + concatMapStrings (name: optionalString (hasPrefix "tmpfiles.d/" name) ''
-          rm -f $out/${removePrefix "tmpfiles.d/" name}
-        '') config.system.build.etc.passthru.targets;
-      }) + "/*";
-
       "systemd/system-generators" = { source = hooks "generators" cfg.generators; };
       "systemd/system-shutdown" = { source = hooks "shutdown" cfg.shutdown; };
     });
 
     services.dbus.enable = true;
 
-    users.users.systemd-coredump = {
-      uid = config.ids.uids.systemd-coredump;
-      group = "systemd-coredump";
-    };
-    users.groups.systemd-coredump = {};
     users.users.systemd-network = {
       uid = config.ids.uids.systemd-network;
       group = "systemd-network";
@@ -1084,38 +528,6 @@ in
         unitConfig.X-StopOnReconfiguration = true;
       };
 
-    systemd.tmpfiles.packages = [
-      # Default tmpfiles rules provided by systemd
-      (pkgs.runCommand "systemd-default-tmpfiles" {} ''
-        mkdir -p $out/lib/tmpfiles.d
-        cd $out/lib/tmpfiles.d
-
-        # home.conf creates /srv (which we don't want), and /home, which
-        # is handled by NixOS anyway.
-        # ln -s "${systemd}/example/tmpfiles.d/home.conf"
-        ln -s "${systemd}/example/tmpfiles.d/journal-nocow.conf"
-        ln -s "${systemd}/example/tmpfiles.d/static-nodes-permissions.conf"
-        ln -s "${systemd}/example/tmpfiles.d/systemd.conf"
-        ln -s "${systemd}/example/tmpfiles.d/systemd-nologin.conf"
-        ln -s "${systemd}/example/tmpfiles.d/systemd-nspawn.conf"
-        ln -s "${systemd}/example/tmpfiles.d/systemd-tmp.conf"
-        ln -s "${systemd}/example/tmpfiles.d/tmp.conf"
-        ln -s "${systemd}/example/tmpfiles.d/var.conf"
-        ln -s "${systemd}/example/tmpfiles.d/x11.conf"
-      '')
-      # User-specified tmpfiles rules
-      (pkgs.writeTextFile {
-        name = "nixos-tmpfiles.d";
-        destination = "/lib/tmpfiles.d/00-nixos.conf";
-        text = ''
-          # This file is created automatically and should not be modified.
-          # Please change the option ‘systemd.tmpfiles.rules’ instead.
-
-          ${concatStringsSep "\n" cfg.tmpfiles.rules}
-        '';
-      })
-    ];
-
     systemd.units =
          mapAttrs' (n: v: nameValuePair "${n}.path"    (pathToUnit    n v)) cfg.paths
       // mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit n v)) cfg.services
@@ -1130,14 +542,6 @@ in
                    (v: let n = escapeSystemdPath v.where;
                        in nameValuePair "${n}.automount" (automountToUnit n v)) cfg.automounts);
 
-    systemd.user.units =
-         mapAttrs' (n: v: nameValuePair "${n}.path"    (pathToUnit    n v)) cfg.user.paths
-      // mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit n v)) cfg.user.services
-      // mapAttrs' (n: v: nameValuePair "${n}.slice"   (sliceToUnit   n v)) cfg.user.slices
-      // mapAttrs' (n: v: nameValuePair "${n}.socket"  (socketToUnit  n v)) cfg.user.sockets
-      // mapAttrs' (n: v: nameValuePair "${n}.target"  (targetToUnit  n v)) cfg.user.targets
-      // mapAttrs' (n: v: nameValuePair "${n}.timer"   (timerToUnit   n v)) cfg.user.timers;
-
     system.requiredKernelConfig = map config.lib.kernelConfig.isEnabled
       [ "DEVTMPFS" "CGROUPS" "INOTIFY_USER" "SIGNALFD" "TIMERFD" "EPOLL" "NET"
         "SYSFS" "PROC_FS" "FHANDLE" "CRYPTO_USER_API_HASH" "CRYPTO_HMAC"
@@ -1145,11 +549,6 @@ in
         "TMPFS_XATTR" "SECCOMP"
       ];
 
-    users.groups.systemd-journal.gid = config.ids.gids.systemd-journal;
-    users.users.systemd-journal-gateway.uid = config.ids.uids.systemd-journal-gateway;
-    users.users.systemd-journal-gateway.group = "systemd-journal-gateway";
-    users.groups.systemd-journal-gateway.gid = config.ids.gids.systemd-journal-gateway;
-
     # Generate timer units for all services that have a ‘startAt’ value.
     systemd.timers =
       mapAttrs (name: service:
@@ -1166,42 +565,14 @@ in
         })
         (filterAttrs (name: service: service.startAt != []) cfg.user.services);
 
-    systemd.sockets.systemd-journal-gatewayd.wantedBy =
-      optional config.services.journald.enableHttpGateway "sockets.target";
-
-    # Provide the systemd-user PAM service, required to run systemd
-    # user instances.
-    security.pam.services.systemd-user =
-      { # Ensure that pam_systemd gets included. This is special-cased
-        # in systemd to provide XDG_RUNTIME_DIR.
-        startSession = true;
-      };
-
     # Some overrides to upstream units.
     systemd.services."systemd-backlight@".restartIfChanged = false;
     systemd.services."systemd-fsck@".restartIfChanged = false;
     systemd.services."systemd-fsck@".path = [ config.system.path ];
-    systemd.services."user@".restartIfChanged = false;
-    systemd.services.systemd-journal-flush.restartIfChanged = false;
     systemd.services.systemd-random-seed.restartIfChanged = false;
     systemd.services.systemd-remount-fs.restartIfChanged = false;
     systemd.services.systemd-update-utmp.restartIfChanged = false;
-    systemd.services.systemd-user-sessions.restartIfChanged = false; # Restart kills all active sessions.
     systemd.services.systemd-udev-settle.restartIfChanged = false; # Causes long delays in nixos-rebuild
-    # Restarting systemd-logind breaks X11
-    # - upstream commit: https://cgit.freedesktop.org/xorg/xserver/commit/?id=dc48bd653c7e101
-    # - systemd announcement: https://github.com/systemd/systemd/blob/22043e4317ecd2bc7834b48a6d364de76bb26d91/NEWS#L103-L112
-    # - this might be addressed in the future by xorg
-    #systemd.services.systemd-logind.restartTriggers = [ config.environment.etc."systemd/logind.conf".source ];
-    systemd.services.systemd-logind.restartIfChanged = false;
-    systemd.services.systemd-logind.stopIfChanged = false;
-    # The user-runtime-dir@ service is managed by systemd-logind we should not touch it or else we break the users' sessions.
-    systemd.services."user-runtime-dir@".stopIfChanged = false;
-    systemd.services."user-runtime-dir@".restartIfChanged = false;
-    systemd.services.systemd-journald.restartTriggers = [ config.environment.etc."systemd/journald.conf".source ];
-    systemd.services.systemd-journald.stopIfChanged = false;
-    systemd.services."systemd-journald@".restartTriggers = [ config.environment.etc."systemd/journald.conf".source ];
-    systemd.services."systemd-journald@".stopIfChanged = false;
     systemd.targets.local-fs.unitConfig.X-StopOnReconfiguration = true;
     systemd.targets.remote-fs.unitConfig.X-StopOnReconfiguration = true;
     systemd.targets.network-online.wantedBy = [ "multi-user.target" ];
@@ -1212,8 +583,6 @@ in
     systemd.services.systemd-remount-fs.unitConfig.ConditionVirtualization = "!container";
     systemd.services.systemd-random-seed.unitConfig.ConditionVirtualization = "!container";
 
-    boot.kernel.sysctl."kernel.core_pattern" = mkIf (!cfg.coredump.enable) "core";
-
     # Increase numeric PID range (set directly instead of copying a one-line file from systemd)
     # https://github.com/systemd/systemd/pull/12226
     boot.kernel.sysctl."kernel.pid_max" = mkIf pkgs.stdenv.is64bit (lib.mkDefault 4194304);
diff --git a/nixpkgs/nixos/modules/system/boot/systemd/coredump.nix b/nixpkgs/nixos/modules/system/boot/systemd/coredump.nix
new file mode 100644
index 000000000000..b6ee2cff1f9a
--- /dev/null
+++ b/nixpkgs/nixos/modules/system/boot/systemd/coredump.nix
@@ -0,0 +1,57 @@
+{ config, lib, pkgs, utils, ... }:
+
+with lib;
+
+let
+  cfg = config.systemd.coredump;
+  systemd = config.systemd.package;
+in {
+  options = {
+    systemd.coredump.enable = mkOption {
+      default = true;
+      type = types.bool;
+      description = ''
+        Whether core dumps should be processed by
+        <command>systemd-coredump</command>. If disabled, core dumps
+        appear in the current directory of the crashing process.
+      '';
+    };
+
+    systemd.coredump.extraConfig = mkOption {
+      default = "";
+      type = types.lines;
+      example = "Storage=journal";
+      description = ''
+        Extra config options for systemd-coredump. See coredump.conf(5) man page
+        for available options.
+      '';
+    };
+  };
+
+  config = {
+    systemd.additionalUpstreamSystemUnits = [
+      "systemd-coredump.socket"
+      "systemd-coredump@.service"
+    ];
+
+    environment.etc = {
+      "systemd/coredump.conf".text =
+      ''
+        [Coredump]
+        ${cfg.extraConfig}
+      '';
+
+      # install provided sysctl snippets
+      "sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf";
+      "sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf";
+    };
+
+    users.users.systemd-coredump = {
+      uid = config.ids.uids.systemd-coredump;
+      group = "systemd-coredump";
+    };
+    users.groups.systemd-coredump = {};
+
+    boot.kernel.sysctl."kernel.core_pattern" = mkIf (!cfg.enable) "core";
+  };
+}
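Review bot: `systemd.coredump.enable` only switches `kernel.core_pattern` in the last assignment of `config`; the coredump socket and service in `systemd.additionalUpstreamSystemUnits`, the `sysctl.d/50-coredump.conf` snippet and the `systemd-coredump` user and group are still installed when it is false, so the option reads as a full disable but is not one (the snippet's own core_pattern value is presumably overridden by the later-sorting `boot.kernel.sysctl` file — worth confirming). Either gate those definitions with `mkIf cfg.enable` or state it in the option description, e.g. append `Note that the systemd-coredump units and user are installed regardless; this option only controls the kernel's core_pattern.` This behaviour is carried over from the old inline definition, so it is not a regression of this commit. Separately, `pkgs` and `utils` in the module argument list are unused and can be dropped.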
diff --git a/nixpkgs/nixos/modules/system/boot/systemd/journald.nix b/nixpkgs/nixos/modules/system/boot/systemd/journald.nix
new file mode 100644
index 000000000000..7e14c8ae4077
--- /dev/null
+++ b/nixpkgs/nixos/modules/system/boot/systemd/journald.nix
@@ -0,0 +1,131 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.journald;
+in {
+  options = {
+    services.journald.console = mkOption {
+      default = "";
+      type = types.str;
+      description = "If non-empty, write log messages to the specified TTY device.";
+    };
+
+    services.journald.rateLimitInterval = mkOption {
+      default = "30s";
+      type = types.str;
+      description = ''
+        Configures the rate limiting interval that is applied to all
+        messages generated on the system. This rate limiting is applied
+        per-service, so that two services which log do not interfere with
+        each other's limit. The value may be specified in the following
+        units: s, min, h, ms, us. To turn off any kind of rate limiting,
+        set either value to 0.
+
+        See <option>services.journald.rateLimitBurst</option> for important
+        considerations when setting this value.
+      '';
+    };
+
+    services.journald.rateLimitBurst = mkOption {
+      default = 10000;
+      type = types.int;
+      description = ''
+        Configures the rate limiting burst limit (number of messages per
+        interval) that is applied to all messages generated on the system.
+        This rate limiting is applied per-service, so that two services
+        which log do not interfere with each other's limit.
+
+        Note that the effective rate limit is multiplied by a factor derived
+        from the available free disk space for the journal as described on
+        <link xlink:href="https://www.freedesktop.org/software/systemd/man/journald.conf.html">
+        journald.conf(5)</link>.
+
+        Note that the total amount of logs stored is limited by journald settings
+        such as <literal>SystemMaxUse</literal>, which defaults to a 4 GB cap.
+
+        It is thus recommended to compute what period of time that you will be
+        able to store logs for when an application logs at full burst rate.
+        With default settings for log lines that are 100 Bytes long, this can
+        amount to just a few hours.
+      '';
+    };
+
+    services.journald.extraConfig = mkOption {
+      default = "";
+      type = types.lines;
+      example = "Storage=volatile";
+      description = ''
+        Extra config options for systemd-journald. See man journald.conf
+        for available options.
+      '';
+    };
+
+    services.journald.enableHttpGateway = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        Whether to enable the HTTP gateway to the journal.
+      '';
+    };
+
+    services.journald.forwardToSyslog = mkOption {
+      default = config.services.rsyslogd.enable || config.services.syslog-ng.enable;
+      defaultText = literalExpression "services.rsyslogd.enable || services.syslog-ng.enable";
+      type = types.bool;
+      description = ''
+        Whether to forward log messages to syslog.
+      '';
+    };
+  };
+
+  config = {
+    systemd.additionalUpstreamSystemUnits = [
+      "systemd-journald.socket"
+      "systemd-journald@.socket"
+      "systemd-journald-varlink@.socket"
+      "systemd-journald.service"
+      "systemd-journald@.service"
+      "systemd-journal-flush.service"
+      "systemd-journal-catalog-update.service"
+      ] ++ (optional (!config.boot.isContainer) "systemd-journald-audit.socket") ++ [
+      "systemd-journald-dev-log.socket"
+      "syslog.socket"
+      ] ++ optionals cfg.enableHttpGateway [
+      "systemd-journal-gatewayd.socket"
+      "systemd-journal-gatewayd.service"
+      ];
+
+    environment.etc = {
+      "systemd/journald.conf".text = ''
+        [Journal]
+        Storage=persistent
+        RateLimitInterval=${cfg.rateLimitInterval}
+        RateLimitBurst=${toString cfg.rateLimitBurst}
+        ${optionalString (cfg.console != "") ''
+          ForwardToConsole=yes
+          TTYPath=${cfg.console}
+        ''}
+        ${optionalString (cfg.forwardToSyslog) ''
+          ForwardToSyslog=yes
+        ''}
+        ${cfg.extraConfig}
+      '';
+    };
+
+    users.groups.systemd-journal.gid = config.ids.gids.systemd-journal;
+    users.users.systemd-journal-gateway.uid = config.ids.uids.systemd-journal-gateway;
+    users.users.systemd-journal-gateway.group = "systemd-journal-gateway";
+    users.groups.systemd-journal-gateway.gid = config.ids.gids.systemd-journal-gateway;
+
+    systemd.sockets.systemd-journal-gatewayd.wantedBy =
+      optional cfg.enableHttpGateway "sockets.target";
+
+    systemd.services.systemd-journal-flush.restartIfChanged = false;
+    systemd.services.systemd-journald.restartTriggers = [ config.environment.etc."systemd/journald.conf".source ];
+    systemd.services.systemd-journald.stopIfChanged = false;
+    systemd.services."systemd-journald@".restartTriggers = [ config.environment.etc."systemd/journald.conf".source ];
+    systemd.services."systemd-journald@".stopIfChanged = false;
+  };
+}
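Review bot: The description of `services.journald.enableHttpGateway` should say what enabling it exposes: systemd-journal-gatewayd serves the whole system journal over plain HTTP (the upstream socket listens on TCP port 19531) without authentication, and nothing in this module touches the firewall, so the administrator must restrict access themselves. Suggest e.g. `Whether to enable the HTTP gateway to the journal. The gateway exposes the full journal over unauthenticated HTTP on port 19531; restrict access with the firewall or a reverse proxy.` The `systemd-journal-gateway` user and group are also created even when the gateway is disabled; wrapping those two definitions in `mkIf cfg.enableHttpGateway` would avoid an unused account on most systems. `pkgs` in the module argument list is unused.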
diff --git a/nixpkgs/nixos/modules/system/boot/systemd/logind.nix b/nixpkgs/nixos/modules/system/boot/systemd/logind.nix
new file mode 100644
index 000000000000..c1e6cfe61d04
--- /dev/null
+++ b/nixpkgs/nixos/modules/system/boot/systemd/logind.nix
@@ -0,0 +1,114 @@
+{ config, lib, pkgs, utils, ... }:
+
+with lib;
+
+let
+  cfg = config.services.logind;
+
+  logindHandlerType = types.enum [
+    "ignore" "poweroff" "reboot" "halt" "kexec" "suspend"
+    "hibernate" "hybrid-sleep" "suspend-then-hibernate" "lock"
+  ];
+in
+{
+  options = {
+    services.logind.extraConfig = mkOption {
+      default = "";
+      type = types.lines;
+      example = "IdleAction=lock";
+      description = ''
+        Extra config options for systemd-logind. See
+        <link xlink:href="https://www.freedesktop.org/software/systemd/man/logind.conf.html">
+        logind.conf(5)</link> for available options.
+      '';
+    };
+
+    services.logind.killUserProcesses = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        Specifies whether the processes of a user should be killed
+        when the user logs out.  If true, the scope unit corresponding
+        to the session and all processes inside that scope will be
+        terminated.  If false, the scope is "abandoned" (see
+        <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.scope.html#">
+        systemd.scope(5)</link>), and processes are not killed.
+        </para>
+
+        <para>
+        See <link xlink:href="https://www.freedesktop.org/software/systemd/man/logind.conf.html#KillUserProcesses=">logind.conf(5)</link>
+        for more details.
+      '';
+    };
+
+    services.logind.lidSwitch = mkOption {
+      default = "suspend";
+      example = "ignore";
+      type = logindHandlerType;
+
+      description = ''
+        Specifies what to be done when the laptop lid is closed.
+      '';
+    };
+
+    services.logind.lidSwitchDocked = mkOption {
+      default = "ignore";
+      example = "suspend";
+      type = logindHandlerType;
+
+      description = ''
+        Specifies what to be done when the laptop lid is closed
+        and another screen is added.
+      '';
+    };
+
+    services.logind.lidSwitchExternalPower = mkOption {
+      default = cfg.lidSwitch;
+      defaultText = literalExpression "services.logind.lidSwitch";
+      example = "ignore";
+      type = logindHandlerType;
+
+      description = ''
+        Specifies what to do when the laptop lid is closed and the system is
+        on external power. By default use the same action as specified in
+        services.logind.lidSwitch.
+      '';
+    };
+  };
+
+  config = {
+    systemd.additionalUpstreamSystemUnits = [
+      "systemd-logind.service"
+      "autovt@.service"
+      "systemd-user-sessions.service"
+      "dbus-org.freedesktop.import1.service"
+      "dbus-org.freedesktop.machine1.service"
+      "dbus-org.freedesktop.login1.service"
+      "user@.service"
+      "user-runtime-dir@.service"
+    ];
+
+    environment.etc = {
+      "systemd/logind.conf".text = ''
+        [Login]
+        KillUserProcesses=${if cfg.killUserProcesses then "yes" else "no"}
+        HandleLidSwitch=${cfg.lidSwitch}
+        HandleLidSwitchDocked=${cfg.lidSwitchDocked}
+        HandleLidSwitchExternalPower=${cfg.lidSwitchExternalPower}
+        ${cfg.extraConfig}
+      '';
+    };
+
+    # Restarting systemd-logind breaks X11
+    # - upstream commit: https://cgit.freedesktop.org/xorg/xserver/commit/?id=dc48bd653c7e101
+    # - systemd announcement: https://github.com/systemd/systemd/blob/22043e4317ecd2bc7834b48a6d364de76bb26d91/NEWS#L103-L112
+    # - this might be addressed in the future by xorg
+    #systemd.services.systemd-logind.restartTriggers = [ config.environment.etc."systemd/logind.conf".source ];
+    systemd.services.systemd-logind.restartIfChanged = false;
+    systemd.services.systemd-logind.stopIfChanged = false;
+
+    # The user-runtime-dir@ service is managed by systemd-logind we should not touch it or else we break the users' sessions.
+    systemd.services."user-runtime-dir@".stopIfChanged = false;
+    systemd.services."user-runtime-dir@".restartIfChanged = false;
+  };
+}
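Review bot: `extraConfig` is spliced after the typed keys in `systemd/logind.conf` (L7177-L7181), so a `HandleLidSwitch=` or `KillUserProcesses=` line in `services.logind.extraConfig` silently overrides the corresponding typed option, because systemd applies the last assignment of a single-valued setting within a section. The option description does not mention this. I would add to the `extraConfig` description: `Lines here are appended after the settings generated from the other services.logind.* options and take precedence over them.` A stricter alternative would be an assertion rejecting those keys in `extraConfig`, but documenting the precedence is probably enough.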
diff --git a/nixpkgs/nixos/modules/system/boot/systemd-nspawn.nix b/nixpkgs/nixos/modules/system/boot/systemd/nspawn.nix
index 0c6822319a5b..0c6822319a5b 100644
--- a/nixpkgs/nixos/modules/system/boot/systemd-nspawn.nix
+++ b/nixpkgs/nixos/modules/system/boot/systemd/nspawn.nix
diff --git a/nixpkgs/nixos/modules/system/boot/systemd/tmpfiles.nix b/nixpkgs/nixos/modules/system/boot/systemd/tmpfiles.nix
new file mode 100644
index 000000000000..f626d66dcffe
--- /dev/null
+++ b/nixpkgs/nixos/modules/system/boot/systemd/tmpfiles.nix
@@ -0,0 +1,106 @@
+{ config, lib, pkgs, utils, ... }:
+
+with lib;
+
+let
+  cfg = config.systemd.tmpfiles;
+  systemd = config.systemd.package;
+in
+{
+  options = {
+    systemd.tmpfiles.rules = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      example = [ "d /tmp 1777 root root 10d" ];
+      description = ''
+        Rules for creation, deletion and cleaning of volatile and temporary files
+        automatically. See
+        <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+        for the exact format.
+      '';
+    };
+
+    systemd.tmpfiles.packages = mkOption {
+      type = types.listOf types.package;
+      default = [];
+      example = literalExpression "[ pkgs.lvm2 ]";
+      apply = map getLib;
+      description = ''
+        List of packages containing <command>systemd-tmpfiles</command> rules.
+
+        All files ending in .conf found in
+        <filename><replaceable>pkg</replaceable>/lib/tmpfiles.d</filename>
+        will be included.
+        If this folder does not exist or does not contain any files an error will be returned instead.
+
+        If a <filename>lib</filename> output is available, rules are searched there and only there.
+        If there is no <filename>lib</filename> output it will fall back to <filename>out</filename>
+        and if that does not exist either, the default output will be used.
+      '';
+    };
+  };
+
+  config = {
+    systemd.additionalUpstreamSystemUnits = [
+      "systemd-tmpfiles-clean.service"
+      "systemd-tmpfiles-clean.timer"
+      "systemd-tmpfiles-setup.service"
+      "systemd-tmpfiles-setup-dev.service"
+    ];
+
+    systemd.additionalUpstreamUserUnits = [
+      "systemd-tmpfiles-clean.service"
+      "systemd-tmpfiles-clean.timer"
+      "systemd-tmpfiles-setup.service"
+    ];
+
+    environment.etc = {
+      "tmpfiles.d".source = (pkgs.symlinkJoin {
+        name = "tmpfiles.d";
+        paths = map (p: p + "/lib/tmpfiles.d") cfg.packages;
+        postBuild = ''
+          for i in $(cat $pathsPath); do
+            (test -d "$i" && test $(ls "$i"/*.conf | wc -l) -ge 1) || (
+              echo "ERROR: The path '$i' from systemd.tmpfiles.packages contains no *.conf files."
+              exit 1
+            )
+          done
+        '' + concatMapStrings (name: optionalString (hasPrefix "tmpfiles.d/" name) ''
+          rm -f $out/${removePrefix "tmpfiles.d/" name}
+        '') config.system.build.etc.passthru.targets;
+      }) + "/*";
+    };
+
+    systemd.tmpfiles.packages = [
+      # Default tmpfiles rules provided by systemd
+      (pkgs.runCommand "systemd-default-tmpfiles" {} ''
+        mkdir -p $out/lib/tmpfiles.d
+        cd $out/lib/tmpfiles.d
+
+        # home.conf creates /srv (which we don't want), and /home, which
+        # is handled by NixOS anyway.
+        # ln -s "${systemd}/example/tmpfiles.d/home.conf"
+        ln -s "${systemd}/example/tmpfiles.d/journal-nocow.conf"
+        ln -s "${systemd}/example/tmpfiles.d/static-nodes-permissions.conf"
+        ln -s "${systemd}/example/tmpfiles.d/systemd.conf"
+        ln -s "${systemd}/example/tmpfiles.d/systemd-nologin.conf"
+        ln -s "${systemd}/example/tmpfiles.d/systemd-nspawn.conf"
+        ln -s "${systemd}/example/tmpfiles.d/systemd-tmp.conf"
+        ln -s "${systemd}/example/tmpfiles.d/tmp.conf"
+        ln -s "${systemd}/example/tmpfiles.d/var.conf"
+        ln -s "${systemd}/example/tmpfiles.d/x11.conf"
+      '')
+      # User-specified tmpfiles rules
+      (pkgs.writeTextFile {
+        name = "nixos-tmpfiles.d";
+        destination = "/lib/tmpfiles.d/00-nixos.conf";
+        text = ''
+          # This file is created automatically and should not be modified.
+          # Please change the option ‘systemd.tmpfiles.rules’ instead.
+
+          ${concatStringsSep "\n" cfg.rules}
+        '';
+      })
+    ];
+  };
+}
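Review bot: The `00-nixos.conf` file name at L7303 is doing real work that is not explained: tmpfiles.d(5) resolves conflicting entries for the same path in favour of the lexicographically earliest file, so the `00-` prefix is what lets `systemd.tmpfiles.rules` override the systemd `tmp.conf`/`var.conf` entries linked just above. I would add a comment on the `destination` line: `# 00- sorts before every other tmpfiles.d file, so user rules win over systemd's defaults for the same path`. The same precedence means a rule added here for a path systemd already manages silently replaces systemd's mode and owner for it, which is worth a sentence in the `systemd.tmpfiles.rules` description.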
diff --git a/nixpkgs/nixos/modules/system/boot/systemd/user.nix b/nixpkgs/nixos/modules/system/boot/systemd/user.nix
new file mode 100644
index 000000000000..e30f83f3457f
--- /dev/null
+++ b/nixpkgs/nixos/modules/system/boot/systemd/user.nix
@@ -0,0 +1,158 @@
+{ config, lib, pkgs, utils, ... }:
+with utils;
+with systemdUtils.unitOptions;
+with lib;
+
+let
+  cfg = config.systemd.user;
+
+  systemd = config.systemd.package;
+
+  inherit
+    (systemdUtils.lib)
+    makeUnit
+    generateUnits
+    makeJobScript
+    unitConfig
+    serviceConfig
+    commonUnitText
+    targetToUnit
+    serviceToUnit
+    socketToUnit
+    timerToUnit
+    pathToUnit;
+
+  upstreamUserUnits = [
+    "app.slice"
+    "background.slice"
+    "basic.target"
+    "bluetooth.target"
+    "default.target"
+    "exit.target"
+    "graphical-session-pre.target"
+    "graphical-session.target"
+    "paths.target"
+    "printer.target"
+    "session.slice"
+    "shutdown.target"
+    "smartcard.target"
+    "sockets.target"
+    "sound.target"
+    "systemd-exit.service"
+    "timers.target"
+    "xdg-desktop-autostart.target"
+  ] ++ config.systemd.additionalUpstreamUserUnits;
+in {
+  options = {
+    systemd.user.extraConfig = mkOption {
+      default = "";
+      type = types.lines;
+      example = "DefaultCPUAccounting=yes";
+      description = ''
+        Extra config options for systemd user instances. See man systemd-user.conf for
+        available options.
+      '';
+    };
+
+    systemd.user.units = mkOption {
+      description = "Definition of systemd per-user units.";
+      default = {};
+      type = with types; attrsOf (submodule (
+        { name, config, ... }:
+        { options = concreteUnitOptions;
+          config = {
+            unit = mkDefault (makeUnit name config);
+          };
+        }));
+    };
+
+    systemd.user.paths = mkOption {
+      default = {};
+      type = with types; attrsOf (submodule [ { options = pathOptions; } unitConfig ]);
+      description = "Definition of systemd per-user path units.";
+    };
+
+    systemd.user.services = mkOption {
+      default = {};
+      type = with types; attrsOf (submodule [ { options = serviceOptions; } unitConfig serviceConfig ] );
+      description = "Definition of systemd per-user service units.";
+    };
+
+    systemd.user.slices = mkOption {
+      default = {};
+      type = with types; attrsOf (submodule [ { options = sliceOptions; } unitConfig ] );
+      description = "Definition of systemd per-user slice units.";
+    };
+
+    systemd.user.sockets = mkOption {
+      default = {};
+      type = with types; attrsOf (submodule [ { options = socketOptions; } unitConfig ] );
+      description = "Definition of systemd per-user socket units.";
+    };
+
+    systemd.user.targets = mkOption {
+      default = {};
+      type = with types; attrsOf (submodule [ { options = targetOptions; } unitConfig] );
+      description = "Definition of systemd per-user target units.";
+    };
+
+    systemd.user.timers = mkOption {
+      default = {};
+      type = with types; attrsOf (submodule [ { options = timerOptions; } unitConfig ] );
+      description = "Definition of systemd per-user timer units.";
+    };
+
+    systemd.additionalUpstreamUserUnits = mkOption {
+      default = [];
+      type = types.listOf types.str;
+      example = [];
+      description = ''
+        Additional units shipped with systemd that should be enabled for per-user systemd instances.
+      '';
+      internal = true;
+    };
+  };
+
+  config = {
+    systemd.additionalUpstreamSystemUnits = [
+      "user.slice"
+    ];
+
+    environment.etc = {
+      "systemd/user".source = generateUnits "user" cfg.units upstreamUserUnits [];
+
+      "systemd/user.conf".text = ''
+        [Manager]
+        ${cfg.extraConfig}
+      '';
+    };
+
+    systemd.user.units =
+         mapAttrs' (n: v: nameValuePair "${n}.path"    (pathToUnit    n v)) cfg.paths
+      // mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit n v)) cfg.services
+      // mapAttrs' (n: v: nameValuePair "${n}.slice"   (sliceToUnit   n v)) cfg.slices
+      // mapAttrs' (n: v: nameValuePair "${n}.socket"  (socketToUnit  n v)) cfg.sockets
+      // mapAttrs' (n: v: nameValuePair "${n}.target"  (targetToUnit  n v)) cfg.targets
+      // mapAttrs' (n: v: nameValuePair "${n}.timer"   (timerToUnit   n v)) cfg.timers;
+
+    # Generate timer units for all services that have a ‘startAt’ value.
+    systemd.user.timers =
+      mapAttrs (name: service: {
+        wantedBy = ["timers.target"];
+        timerConfig.OnCalendar = service.startAt;
+      })
+      (filterAttrs (name: service: service.startAt != []) cfg.services);
+
+    # Provide the systemd-user PAM service, required to run systemd
+    # user instances.
+    security.pam.services.systemd-user =
+      { # Ensure that pam_systemd gets included. This is special-cased
+        # in systemd to provide XDG_RUNTIME_DIR.
+        startSession = true;
+      };
+
+    # Some overrides to upstream units.
+    systemd.services."user@".restartIfChanged = false;
+    systemd.services.systemd-user-sessions.restartIfChanged = false; # Restart kills all active sessions.
+  };
+}
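Review bot: `sliceToUnit` is called at L7452 but is not in the `inherit (systemdUtils.lib)` list at L7330-L7342, and neither `with utils`, `with systemdUtils.unitOptions` nor `with lib` obviously brings it into scope, so evaluating `systemd.user.units` would fail with an undefined-variable error unless `utils` re-exports it at top level, which is not visible here. Adding it to the inherit list, `timerToUnit sliceToUnit pathToUnit;`, resolves this. A NixOS test that sets a non-empty `systemd.user.slices` would catch the regression.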
diff --git a/nixpkgs/nixos/modules/tasks/auto-upgrade.nix b/nixpkgs/nixos/modules/tasks/auto-upgrade.nix
index b931b27ad817..1404dcbaf7c0 100644
--- a/nixpkgs/nixos/modules/tasks/auto-upgrade.nix
+++ b/nixpkgs/nixos/modules/tasks/auto-upgrade.nix
@@ -80,6 +80,7 @@ in {
           Reboot the system into the new generation instead of a switch
           if the new generation uses a different kernel, kernel modules
           or initrd than the booted system.
+          See <option>rebootWindow</option> for configuring the times at which a reboot is allowed.
         '';
       };
 
@@ -96,6 +97,32 @@ in {
         '';
       };
 
+      rebootWindow = mkOption {
+        description = ''
+          Define a lower and upper time value (in HH:MM format) which
+          constitute a time window during which reboots are allowed after an upgrade.
+          This option only has an effect when <option>allowReboot</option> is enabled.
+          The default value of <literal>null</literal> means that reboots are allowed at any time.
+        '';
+        default = null;
+        example = { lower = "01:00"; upper = "05:00"; };
+        type = with types; nullOr (submodule {
+          options = {
+            lower = mkOption {
+              description = "Lower limit of the reboot window";
+              type = types.strMatching "[[:digit:]]{2}:[[:digit:]]{2}";
+              example = "01:00";
+            };
+
+            upper = mkOption {
+              description = "Upper limit of the reboot window";
+              type = types.strMatching "[[:digit:]]{2}:[[:digit:]]{2}";
+              example = "05:00";
+            };
+          };
+        });
+      };
+
     };
 
   };
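Review bot: The `strMatching "[[:digit:]]{2}:[[:digit:]]{2}"` type on `lower` and `upper` accepts values like `"25:61"` or `"99:99"` that are not clock times, and the script (in a later hunk of this file) compares the bounds to `date +%H:%M` as strings, so an out-of-range bound silently yields a window that never or always matches. Tightening the pattern, `type = types.strMatching "([01][0-9]|2[0-3]):[0-5][0-9]";`, rejects those at evaluation time. The description should also state that the bounds are interpreted in the system's local time zone, which is what `date +%H:%M` reports.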
@@ -110,12 +137,10 @@ in {
     }];
 
     system.autoUpgrade.flags = (if cfg.flake == null then
-        [ "--no-build-output" ] ++ (if cfg.channel == null then
-          [ "--upgrade" ]
-        else [
+        [ "--no-build-output" ] ++ optionals (cfg.channel != null) [
           "-I"
           "nixpkgs=${cfg.channel}/nixexprs.tar.xz"
-        ])
+        ]
       else
         [ "--flake ${cfg.flake}" ]);
 
@@ -143,19 +168,52 @@ in {
       ];
 
       script = let
-        nixos-rebuild =
-          "${config.system.build.nixos-rebuild}/bin/nixos-rebuild";
+        nixos-rebuild = "${config.system.build.nixos-rebuild}/bin/nixos-rebuild";
+        date     = "${pkgs.coreutils}/bin/date";
+        readlink = "${pkgs.coreutils}/bin/readlink";
+        shutdown = "${pkgs.systemd}/bin/shutdown";
+        upgradeFlag = optional (cfg.channel == null) "--upgrade";
       in if cfg.allowReboot then ''
-        ${nixos-rebuild} boot ${toString cfg.flags}
-        booted="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})"
-        built="$(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
-        if [ "$booted" = "$built" ]; then
+        ${nixos-rebuild} boot ${toString (cfg.flags ++ upgradeFlag)}
+        booted="$(${readlink} /run/booted-system/{initrd,kernel,kernel-modules})"
+        built="$(${readlink} /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
+
+        ${optionalString (cfg.rebootWindow != null) ''
+          current_time="$(${date} +%H:%M)"
+
+          lower="${cfg.rebootWindow.lower}"
+          upper="${cfg.rebootWindow.upper}"
+
+          if [[ "''${lower}" < "''${upper}" ]]; then
+            if [[ "''${current_time}" > "''${lower}" ]] && \
+               [[ "''${current_time}" < "''${upper}" ]]; then
+              do_reboot="true"
+            else
+              do_reboot="false"
+            fi
+          else
+            # lower > upper, so we are crossing midnight (e.g. lower=23h, upper=6h)
+            # we want to reboot if cur > 23h or cur < 6h
+            if [[ "''${current_time}" < "''${upper}" ]] || \
+               [[ "''${current_time}" > "''${lower}" ]]; then
+              do_reboot="true"
+            else
+              do_reboot="false"
+            fi
+          fi
+        ''}
+
+        if [ "''${booted}" = "''${built}" ]; then
           ${nixos-rebuild} switch ${toString cfg.flags}
+        ${optionalString (cfg.rebootWindow != null) ''
+          elif [ "''${do_reboot}" != true ]; then
+            echo "Outside of configured reboot window, skipping."
+        ''}
         else
-          /run/current-system/sw/bin/shutdown -r +1
+          ${shutdown} -r +1
         fi
       '' else ''
-        ${nixos-rebuild} switch ${toString cfg.flags}
+        ${nixos-rebuild} switch ${toString (cfg.flags ++ upgradeFlag)}
       '';
 
       startAt = cfg.dates;
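Review bot: When `lower` equals `upper`, the `[[ lower < upper ]]` test at L7564 is false and the wrap-around branch runs, where `cur < upper || cur > lower` holds for every minute except `cur == lower`, so a zero-width window that a user likely meant as "never reboot" becomes "reboot at any time". Both branches also use strict comparisons, so a reboot is refused at exactly `lower` and `upper`. I would reject equal bounds with a module assertion, `assertion = cfg.rebootWindow == null || cfg.rebootWindow.lower != cfg.rebootWindow.upper;`, and make the lower bound inclusive with `! [[ "''${current_time}" < "''${lower}" ]]`. Note too that `shutdown -r +1` fires a minute after the check, so the effective window is shifted by one minute.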
@@ -167,3 +225,4 @@ in {
   };
 
 }
+
diff --git a/nixpkgs/nixos/modules/tasks/filesystems.nix b/nixpkgs/nixos/modules/tasks/filesystems.nix
index f3da6771197e..d68edd8d7d39 100644
--- a/nixpkgs/nixos/modules/tasks/filesystems.nix
+++ b/nixpkgs/nixos/modules/tasks/filesystems.nix
@@ -215,6 +215,35 @@ in
       '';
     };
 
+    boot.devSize = mkOption {
+      default = "5%";
+      example = "32m";
+      type = types.str;
+      description = ''
+        Size limit for the /dev tmpfs. Look at mount(8), tmpfs size option,
+        for the accepted syntax.
+      '';
+    };
+
+    boot.devShmSize = mkOption {
+      default = "50%";
+      example = "256m";
+      type = types.str;
+      description = ''
+        Size limit for the /dev/shm tmpfs. Look at mount(8), tmpfs size option,
+        for the accepted syntax.
+      '';
+    };
+
+    boot.runSize = mkOption {
+      default = "25%";
+      example = "256m";
+      type = types.str;
+      description = ''
+        Size limit for the /run tmpfs. Look at mount(8), tmpfs size option,
+        for the accepted syntax.
+      '';
+    };
   };
 
 
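Review bot: `boot.devSize`, `boot.devShmSize` and `boot.runSize` are typed `types.str`, which accepts any string; if the value is spliced into a `size=` mount option elsewhere (the consumer is not in this hunk), a value containing a comma such as `"50%,exec"` would append further mount options to the tmpfs, and a malformed size fails only at boot. A pattern type matching what mount(8) documents for tmpfs `size=`, `type = types.strMatching "[0-9]+[kmgKMG]?|[0-9]+%";`, catches this at evaluation time. It is also worth saying in the `devShmSize` description that `/dev/shm` is world-writable, so this limit is what bounds how much RAM an unprivileged user can pin there.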
diff --git a/nixpkgs/nixos/modules/tasks/network-interfaces-scripted.nix b/nixpkgs/nixos/modules/tasks/network-interfaces-scripted.nix
index 19f2be2c4a25..b0f160c1dbf9 100644
--- a/nixpkgs/nixos/modules/tasks/network-interfaces-scripted.nix
+++ b/nixpkgs/nixos/modules/tasks/network-interfaces-scripted.nix
@@ -535,6 +535,7 @@ let
         createGreDevice = n: v: nameValuePair "${n}-netdev"
           (let
             deps = deviceDependency v.dev;
+            ttlarg = if lib.hasPrefix "ip6" v.type then "hoplimit" else "ttl";
           in
           { description = "GRE Tunnel Interface ${n}";
             wantedBy = [ "network-setup.service" (subsystemDevice n) ];
@@ -551,6 +552,7 @@ let
               ip link add name "${n}" type ${v.type} \
                 ${optionalString (v.remote != null) "remote \"${v.remote}\""} \
                 ${optionalString (v.local != null) "local \"${v.local}\""} \
+                ${optionalString (v.ttl != null) "${ttlarg} ${toString v.ttl}"} \
                 ${optionalString (v.dev != null) "dev \"${v.dev}\""}
               ip link set "${n}" up
             '';
diff --git a/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix b/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix
index 8a5e1b5af114..8654539b6629 100644
--- a/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix
+++ b/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix
@@ -318,6 +318,8 @@ in
               Remote = gre.remote;
             }) // (optionalAttrs (gre.local != null) {
               Local = gre.local;
+            }) // (optionalAttrs (gre.ttl != null) {
+              TTL = gre.ttl;
             });
         };
         networks = mkIf (gre.dev != null) {
diff --git a/nixpkgs/nixos/modules/tasks/network-interfaces.nix b/nixpkgs/nixos/modules/tasks/network-interfaces.nix
index 06117ab451d3..8ca4ad7b7d86 100644
--- a/nixpkgs/nixos/modules/tasks/network-interfaces.nix
+++ b/nixpkgs/nixos/modules/tasks/network-interfaces.nix
@@ -1020,6 +1020,14 @@ in
             local = "10.0.0.22";
             dev = "enp4s0f0";
             type = "tap";
+            ttl = 255;
+          };
+          gre6Tunnel = {
+            remote = "fd7a:5634::1";
+            local = "fd7a:5634::2";
+            dev = "enp4s0f0";
+            type = "tun6";
+            ttl = 255;
           };
         }
       '';
@@ -1057,11 +1065,25 @@ in
             '';
           };
 
+          ttl = mkOption {
+            type = types.nullOr types.int;
+            default = null;
+            example = 255;
+            description = ''
+              The time-to-live/hoplimit of the connection to the remote tunnel endpoint.
+            '';
+          };
+
           type = mkOption {
-            type = with types; enum [ "tun" "tap" ];
+            type = with types; enum [ "tun" "tap" "tun6" "tap6" ];
             default = "tap";
             example = "tap";
-            apply = v: if v == "tun" then "gre" else "gretap";
+            apply = v: {
+              tun = "gre";
+              tap = "gretap";
+              tun6 = "ip6gre";
+              tap6 = "ip6gretap";
+            }.${v};
             description = ''
               Whether the tunnel routes layer 2 (tap) or layer 3 (tun) traffic.
             '';
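Review bot: `ttl` is typed `types.nullOr types.int` at L7701, but `ip link ... ttl`/`hoplimit` and networkd's `TTL=` only take 0-255 (0 meaning inherit the inner packet's TTL for GRE, per ip-link(8)), so a negative or oversized value passes evaluation and fails at interface creation. `type = types.nullOr types.ints.u8;` rejects it at evaluation time instead. The description could also say that 0 selects inherit, if that is the intended semantics for both backends.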
@@ -1429,7 +1451,7 @@ in
           sysctl-value = tempaddrValues.${cfg.tempAddresses}.sysctl;
         in ''
           # enable and prefer IPv6 privacy addresses by default
-          ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.bash}/bin/sh -c 'echo ${sysctl-value} > /proc/sys/net/ipv6/conf/%k/use_tempaddr'"
+          ACTION=="add", SUBSYSTEM=="net", RUN+="${pkgs.bash}/bin/sh -c 'echo ${sysctl-value} > /proc/sys/net/ipv6/conf/$name/use_tempaddr'"
         '';
       })
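Review bot: The switch from `%k` to `$name` at L7729 has a reason that is easy to lose: per udev(7), `%k`/`$kernel` is the kernel's original device name while `$name` is the current name after any rename rules, so the sysctl now targets the right `/proc/sys/net/ipv6/conf/<if>` entry for renamed interfaces. A one-line comment above the rule would preserve that, e.g. `# $name, not %k: the interface may already have been renamed by an earlier rule`. Without it the next reader is likely to "simplify" it back.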
       (pkgs.writeTextFile rec {
diff --git a/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix b/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix
index 514389358947..dacbb64a2dac 100644
--- a/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix
@@ -796,7 +796,7 @@ in
     # allow `system.build.toplevel' to be included.  (If we had a direct
     # reference to ${regInfo} here, then we would get a cyclic
     # dependency.)
-    boot.postBootCommands =
+    boot.postBootCommands = lib.mkIf config.nix.enable
       ''
         if [[ "$(cat /proc/cmdline)" =~ regInfo=([^ ]*) ]]; then
           ${config.nix.package.out}/bin/nix-store --load-db < ''${BASH_REMATCH[1]}
diff --git a/nixpkgs/nixos/modules/virtualisation/waydroid.nix b/nixpkgs/nixos/modules/virtualisation/waydroid.nix
index 4fc798ff39f8..2c0b658948dd 100644
--- a/nixpkgs/nixos/modules/virtualisation/waydroid.nix
+++ b/nixpkgs/nixos/modules/virtualisation/waydroid.nix
@@ -56,8 +56,6 @@ in
 
       wantedBy = [ "multi-user.target" ];
 
-      path = with pkgs; [ getent iptables iproute kmod nftables util-linux which ];
-
       unitConfig = {
         ConditionPathExists = "/var/lib/waydroid/lxc/waydroid";
       };
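Review bot: Dropping `path` removes `iptables`, `nftables`, `iproute`, `kmod`, `getent`, `util-linux` and `which` from the unit's PATH, so `ExecStart` now runs with systemd's minimal default PATH; that is only safe if `pkgs.waydroid` wraps its binary with these tools, which this hunk does not show. If the package does wrap them, a comment on the service such as `# waydroid's wrapper provides iptables/nft/ip/modprobe itself` would explain why no `path` is set; if not, the container's network setup would fail at runtime rather than at evaluation.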
@@ -68,6 +66,10 @@ in
         ExecStopPost = "${pkgs.waydroid}/bin/waydroid session stop";
       };
     };
+
+    systemd.tmpfiles.rules = [
+      "d /var/lib/misc 0755 root root -" # for dnsmasq.leases
+    ];
   };
 
 }
diff --git a/nixpkgs/nixos/tests/all-tests.nix b/nixpkgs/nixos/tests/all-tests.nix
index 98ca2e081086..ab6906cd24e2 100644
--- a/nixpkgs/nixos/tests/all-tests.nix
+++ b/nixpkgs/nixos/tests/all-tests.nix
@@ -132,6 +132,7 @@ in
   domination = handleTest ./domination.nix {};
   dovecot = handleTest ./dovecot.nix {};
   drbd = handleTest ./drbd.nix {};
+  earlyoom = handleTestOn ["x86_64-linux"] ./earlyoom.nix {};
   ec2-config = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-config or {};
   ec2-nixops = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-nixops or {};
   ecryptfs = handleTest ./ecryptfs.nix {};
@@ -189,9 +190,9 @@ in
   grocy = handleTest ./grocy.nix {};
   grub = handleTest ./grub.nix {};
   gvisor = handleTest ./gvisor.nix {};
-  hadoop.all = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./hadoop/hadoop.nix {};
-  hadoop.hdfs = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./hadoop/hdfs.nix {};
-  hadoop.yarn = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./hadoop/yarn.nix {};
+  hadoop = import ./hadoop { inherit handleTestOn; package=pkgs.hadoop; };
+  hadoop_3_2 = import ./hadoop { inherit handleTestOn; package=pkgs.hadoop_3_2; };
+  hadoop2 = import ./hadoop { inherit handleTestOn; package=pkgs.hadoop2; };
   haka = handleTest ./haka.nix {};
   haproxy = handleTest ./haproxy.nix {};
   hardened = handleTest ./hardened.nix {};
@@ -286,6 +287,7 @@ in
   mailhog = handleTest ./mailhog.nix {};
   man = handleTest ./man.nix {};
   mariadb-galera = handleTest ./mysql/mariadb-galera.nix {};
+  mastodon = handleTestOn ["x86_64-linux" "i686-linux" "aarch64-linux"] ./web-apps/mastodon.nix {};
   matomo = handleTest ./matomo.nix {};
   matrix-appservice-irc = handleTest ./matrix-appservice-irc.nix {};
   matrix-conduit = handleTest ./matrix-conduit.nix {};
@@ -307,6 +309,7 @@ in
   molly-brown = handleTest ./molly-brown.nix {};
   mongodb = handleTest ./mongodb.nix {};
   moodle = handleTest ./moodle.nix {};
+  moonraker = handleTest ./moonraker.nix {};
   morty = handleTest ./morty.nix {};
   mosquitto = handleTest ./mosquitto.nix {};
   moosefs = handleTest ./moosefs.nix {};
@@ -355,6 +358,7 @@ in
   nginx-sso = handleTest ./nginx-sso.nix {};
   nginx-variants = handleTest ./nginx-variants.nix {};
   nitter = handleTest ./nitter.nix {};
+  nix-ld = handleTest ./nix-ld {};
   nix-serve = handleTest ./nix-serve.nix {};
   nix-serve-ssh = handleTest ./nix-serve-ssh.nix {};
   nixops = handleTest ./nixops/default.nix {};
@@ -384,6 +388,7 @@ in
   os-prober = handleTestOn ["x86_64-linux"] ./os-prober.nix {};
   osrm-backend = handleTest ./osrm-backend.nix {};
   overlayfs = handleTest ./overlayfs.nix {};
+  pacemaker = handleTest ./pacemaker.nix {};
   packagekit = handleTest ./packagekit.nix {};
   pam-file-contents = handleTest ./pam/pam-file-contents.nix {};
   pam-oath-login = handleTest ./pam/pam-oath-login.nix {};
@@ -467,6 +472,7 @@ in
   seafile = handleTest ./seafile.nix {};
   searx = handleTest ./searx.nix {};
   service-runner = handleTest ./service-runner.nix {};
+  sfxr-qt = handleTest ./sfxr-qt.nix {};
   shadow = handleTest ./shadow.nix {};
   shadowsocks = handleTest ./shadowsocks {};
   shattered-pixel-dungeon = handleTest ./shattered-pixel-dungeon.nix {};
@@ -484,7 +490,7 @@ in
   sonarr = handleTest ./sonarr.nix {};
   sourcehut = handleTest ./sourcehut.nix {};
   spacecookie = handleTest ./spacecookie.nix {};
-  spark = handleTestOn ["x86_64-linux"] ./spark {};
+  spark = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./spark {};
   sslh = handleTest ./sslh.nix {};
   sssd = handleTestOn ["x86_64-linux"] ./sssd.nix {};
   sssd-ldap = handleTestOn ["x86_64-linux"] ./sssd-ldap.nix {};
@@ -514,12 +520,13 @@ in
   systemd-networkd-vrf = handleTest ./systemd-networkd-vrf.nix {};
   systemd-nspawn = handleTest ./systemd-nspawn.nix {};
   systemd-timesyncd = handleTest ./systemd-timesyncd.nix {};
-  systemd-unit-path = handleTest ./systemd-unit-path.nix {};
+  systemd-misc = handleTest ./systemd-misc.nix {};
   taskserver = handleTest ./taskserver.nix {};
   teeworlds = handleTest ./teeworlds.nix {};
   telegraf = handleTest ./telegraf.nix {};
   teleport = handleTest ./teleport.nix {};
   thelounge = handleTest ./thelounge.nix {};
+  terminal-emulators = handleTest ./terminal-emulators.nix {};
   tiddlywiki = handleTest ./tiddlywiki.nix {};
   tigervnc = handleTest ./tigervnc.nix {};
   timezone = handleTest ./timezone.nix {};
diff --git a/nixpkgs/nixos/tests/avahi.nix b/nixpkgs/nixos/tests/avahi.nix
index ebb46838325f..c53a95903291 100644
--- a/nixpkgs/nixos/tests/avahi.nix
+++ b/nixpkgs/nixos/tests/avahi.nix
@@ -59,7 +59,7 @@ import ./make-test-python.nix {
     two.succeed("test `wc -l < out` -gt 0")
 
     # More DNS-SD.
-    one.execute('avahi-publish -s "This is a test" _test._tcp 123 one=1 &')
+    one.execute('avahi-publish -s "This is a test" _test._tcp 123 one=1 >&2 &')
     one.sleep(5)
     two.succeed("avahi-browse -r -t _test._tcp | tee out >&2")
     two.succeed("test `wc -l < out` -gt 0")
diff --git a/nixpkgs/nixos/tests/boot.nix b/nixpkgs/nixos/tests/boot.nix
index cf5565667131..ec2a9f6527c9 100644
--- a/nixpkgs/nixos/tests/boot.nix
+++ b/nixpkgs/nixos/tests/boot.nix
@@ -38,7 +38,6 @@ let
       } // extraConfig);
     in
       makeTest {
-        inherit iso;
         name = "boot-" + name;
         nodes = { };
         testScript =
diff --git a/nixpkgs/nixos/tests/caddy.nix b/nixpkgs/nixos/tests/caddy.nix
index 0902904b2086..16436ab52800 100644
--- a/nixpkgs/nixos/tests/caddy.nix
+++ b/nixpkgs/nixos/tests/caddy.nix
@@ -7,7 +7,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
   nodes = {
     webserver = { pkgs, lib, ... }: {
       services.caddy.enable = true;
-      services.caddy.config = ''
+      services.caddy.extraConfig = ''
         http://localhost {
           encode gzip
 
@@ -22,7 +22,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
       '';
 
       specialisation.etag.configuration = {
-        services.caddy.config = lib.mkForce ''
+        services.caddy.extraConfig = lib.mkForce ''
           http://localhost {
             encode gzip
 
@@ -38,7 +38,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
       };
 
       specialisation.config-reload.configuration = {
-        services.caddy.config = ''
+        services.caddy.extraConfig = ''
           http://localhost:8080 {
           }
         '';
diff --git a/nixpkgs/nixos/tests/ceph-multi-node.nix b/nixpkgs/nixos/tests/ceph-multi-node.nix
index 29e7c279d69a..556546beee76 100644
--- a/nixpkgs/nixos/tests/ceph-multi-node.nix
+++ b/nixpkgs/nixos/tests/ceph-multi-node.nix
@@ -48,7 +48,7 @@ let
       sudo
       ceph
       xfsprogs
-      netcat-openbsd
+      libressl.nc
     ];
 
     boot.kernelModules = [ "xfs" ];
diff --git a/nixpkgs/nixos/tests/chromium.nix b/nixpkgs/nixos/tests/chromium.nix
index 8965646bc5dc..3815dca76220 100644
--- a/nixpkgs/nixos/tests/chromium.nix
+++ b/nixpkgs/nixos/tests/chromium.nix
@@ -15,26 +15,9 @@
 with import ../lib/testing-python.nix { inherit system pkgs; };
 with pkgs.lib;
 
-mapAttrs (channel: chromiumPkg: makeTest rec {
-  name = "chromium-${channel}";
-  meta = {
-    maintainers = with maintainers; [ aszlig primeos ];
-    # https://github.com/NixOS/hydra/issues/591#issuecomment-435125621
-    inherit (chromiumPkg.meta) timeout;
-  };
-
-  enableOCR = true;
-
+let
   user = "alice";
 
-  machine.imports = [ ./common/user-account.nix ./common/x11.nix ];
-  machine.virtualisation.memorySize = 2047;
-  machine.test-support.displayManager.auto.user = user;
-  machine.environment = {
-    systemPackages = [ chromiumPkg ];
-    variables."XAUTHORITY" = "/home/alice/.Xauthority";
-  };
-
   startupHTML = pkgs.writeText "chromium-startup.html" ''
     <!DOCTYPE html>
     <html>
@@ -50,6 +33,25 @@ mapAttrs (channel: chromiumPkg: makeTest rec {
     </body>
     </html>
   '';
+in
+
+mapAttrs (channel: chromiumPkg: makeTest {
+  name = "chromium-${channel}";
+  meta = {
+    maintainers = with maintainers; [ aszlig primeos ];
+    # https://github.com/NixOS/hydra/issues/591#issuecomment-435125621
+    inherit (chromiumPkg.meta) timeout;
+  };
+
+  enableOCR = true;
+
+  machine.imports = [ ./common/user-account.nix ./common/x11.nix ];
+  machine.virtualisation.memorySize = 2047;
+  machine.test-support.displayManager.auto.user = user;
+  machine.environment = {
+    systemPackages = [ chromiumPkg ];
+    variables."XAUTHORITY" = "/home/alice/.Xauthority";
+  };
 
   testScript = let
     xdo = name: text: let
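Review bot: `variables."XAUTHORITY" = "/home/alice/.Xauthority";` hardcodes the account name that the new `let` block binds as `user = "alice"`, and `machine.test-support.displayManager.auto.user = user` two lines above already uses the binding; change it to `variables."XAUTHORITY" = "/home/${user}/.Xauthority";` so the two cannot drift apart. The `mapAttrs` expression this hunk belongs to continues past the end of the hunk.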
diff --git a/nixpkgs/nixos/tests/cri-o.nix b/nixpkgs/nixos/tests/cri-o.nix
index 91d46657f241..d3a8713d6a9b 100644
--- a/nixpkgs/nixos/tests/cri-o.nix
+++ b/nixpkgs/nixos/tests/cri-o.nix
@@ -1,7 +1,7 @@
 # This test runs CRI-O and verifies via critest
 import ./make-test-python.nix ({ pkgs, ... }: {
   name = "cri-o";
-  maintainers = with pkgs.lib.maintainers; teams.podman.members;
+  meta.maintainers = with pkgs.lib.maintainers; teams.podman.members;
 
   nodes = {
     crio = {
diff --git a/nixpkgs/nixos/tests/earlyoom.nix b/nixpkgs/nixos/tests/earlyoom.nix
new file mode 100644
index 000000000000..75bdf56899b3
--- /dev/null
+++ b/nixpkgs/nixos/tests/earlyoom.nix
@@ -0,0 +1,16 @@
+import ./make-test-python.nix ({ lib, ... }: {
+  name = "earlyoom";
+  meta = {
+    maintainers = with lib.maintainers; [ ncfavier ];
+  };
+
+  machine = {
+    services.earlyoom = {
+      enable = true;
+    };
+  };
+
+  testScript = ''
+    machine.wait_for_unit("earlyoom.service")
+  '';
+})
diff --git a/nixpkgs/nixos/tests/gitolite-fcgiwrap.nix b/nixpkgs/nixos/tests/gitolite-fcgiwrap.nix
index 38f8d5c883fd..abf1db37003a 100644
--- a/nixpkgs/nixos/tests/gitolite-fcgiwrap.nix
+++ b/nixpkgs/nixos/tests/gitolite-fcgiwrap.nix
@@ -20,7 +20,7 @@ import ./make-test-python.nix (
         nodes = {
 
           server =
-            { ... }:
+            { config, ... }:
               {
                 networking.firewall.allowedTCPPorts = [ 80 ];
 
diff --git a/nixpkgs/nixos/tests/gnome-xorg.nix b/nixpkgs/nixos/tests/gnome-xorg.nix
index 6264b87af4ec..d7be531e364e 100644
--- a/nixpkgs/nixos/tests/gnome-xorg.nix
+++ b/nixpkgs/nixos/tests/gnome-xorg.nix
@@ -24,6 +24,7 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : {
       services.xserver.desktopManager.gnome.enable = true;
       services.xserver.desktopManager.gnome.debug = true;
       services.xserver.displayManager.defaultSession = "gnome-xorg";
+      programs.gnome-terminal.enable = true;
 
       systemd.user.services = {
         "org.gnome.Shell@x11" = {
diff --git a/nixpkgs/nixos/tests/gnome.nix b/nixpkgs/nixos/tests/gnome.nix
index 06f387ecad67..ca49183fe442 100644
--- a/nixpkgs/nixos/tests/gnome.nix
+++ b/nixpkgs/nixos/tests/gnome.nix
@@ -22,6 +22,7 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : {
 
       services.xserver.desktopManager.gnome.enable = true;
       services.xserver.desktopManager.gnome.debug = true;
+      programs.gnome-terminal.enable = true;
 
       environment.systemPackages = [
         (pkgs.makeAutostartItem {
diff --git a/nixpkgs/nixos/tests/hadoop/default.nix b/nixpkgs/nixos/tests/hadoop/default.nix
new file mode 100644
index 000000000000..d2a97cbeffb8
--- /dev/null
+++ b/nixpkgs/nixos/tests/hadoop/default.nix
@@ -0,0 +1,7 @@
+{ handleTestOn, package, ... }:
+
+{
+  all = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./hadoop.nix { inherit package; };
+  hdfs = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./hdfs.nix { inherit package; };
+  yarn = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./yarn.nix { inherit package; };
+}
diff --git a/nixpkgs/nixos/tests/hadoop/hadoop.nix b/nixpkgs/nixos/tests/hadoop/hadoop.nix
index 48737debab54..b132f4fa58b0 100644
--- a/nixpkgs/nixos/tests/hadoop/hadoop.nix
+++ b/nixpkgs/nixos/tests/hadoop/hadoop.nix
@@ -1,121 +1,148 @@
 # This test is very comprehensive. It tests whether all hadoop services work well with each other.
 # Run this when updating the Hadoop package or making significant changes to the hadoop module.
 # For a more basic test, see hdfs.nix and yarn.nix
-import ../make-test-python.nix ({pkgs, ...}: {
-
-  nodes = let
-    package = pkgs.hadoop;
-    coreSite = {
-      "fs.defaultFS" = "hdfs://ns1";
-    };
-    hdfsSite = {
-      "dfs.namenode.rpc-bind-host" = "0.0.0.0";
-      "dfs.namenode.http-bind-host" = "0.0.0.0";
-      "dfs.namenode.servicerpc-bind-host" = "0.0.0.0";
-
-      # HA Quorum Journal Manager configuration
-      "dfs.nameservices" = "ns1";
-      "dfs.ha.namenodes.ns1" = "nn1,nn2";
-      "dfs.namenode.shared.edits.dir.ns1.nn1" = "qjournal://jn1:8485;jn2:8485;jn3:8485/ns1";
-      "dfs.namenode.shared.edits.dir.ns1.nn2" = "qjournal://jn1:8485;jn2:8485;jn3:8485/ns1";
-      "dfs.namenode.rpc-address.ns1.nn1" = "nn1:8020";
-      "dfs.namenode.rpc-address.ns1.nn2" = "nn2:8020";
-      "dfs.namenode.servicerpc-address.ns1.nn1" = "nn1:8022";
-      "dfs.namenode.servicerpc-address.ns1.nn2" = "nn2:8022";
-      "dfs.namenode.http-address.ns1.nn1" = "nn1:9870";
-      "dfs.namenode.http-address.ns1.nn2" = "nn2:9870";
-
-      # Automatic failover configuration
-      "dfs.client.failover.proxy.provider.ns1" = "org.apache.hadoop.hdfs.server.namenode.ha.ConfiguredFailoverProxyProvider";
-      "dfs.ha.automatic-failover.enabled.ns1" = "true";
-      "dfs.ha.fencing.methods" = "shell(true)";
-      "ha.zookeeper.quorum" = "zk1:2181";
-    };
-    yarnSiteHA = {
-      "yarn.resourcemanager.zk-address" = "zk1:2181";
-      "yarn.resourcemanager.ha.enabled" = "true";
-      "yarn.resourcemanager.ha.rm-ids" = "rm1,rm2";
-      "yarn.resourcemanager.hostname.rm1" = "rm1";
-      "yarn.resourcemanager.hostname.rm2" = "rm2";
-      "yarn.resourcemanager.ha.automatic-failover.enabled" = "true";
-      "yarn.resourcemanager.cluster-id" = "cluster1";
-      # yarn.resourcemanager.webapp.address needs to be defined even though yarn.resourcemanager.hostname is set. This shouldn't be necessary, but there's a bug in
-      # hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/amfilter/AmFilterInitializer.java:70
-      # that causes AM containers to fail otherwise.
-      "yarn.resourcemanager.webapp.address.rm1" = "rm1:8088";
-      "yarn.resourcemanager.webapp.address.rm2" = "rm2:8088";
-    };
-  in {
-    zk1 = { ... }: {
-      services.zookeeper.enable = true;
-      networking.firewall.allowedTCPPorts = [ 2181 ];
-    };
-
-    # HDFS cluster
-    nn1 = {pkgs, options, ...}: {
-      services.hadoop = {
-        inherit package coreSite hdfsSite;
-        hdfs.namenode.enable = true;
-        hdfs.zkfc.enable = true;
+import ../make-test-python.nix ({ package, ... }: {
+  name = "hadoop-combined";
+
+  nodes =
+    let
+      coreSite = {
+        "fs.defaultFS" = "hdfs://ns1";
+      };
+      hdfsSite = {
+        # HA Quorum Journal Manager configuration
+        "dfs.nameservices" = "ns1";
+        "dfs.ha.namenodes.ns1" = "nn1,nn2";
+        "dfs.namenode.shared.edits.dir.ns1" = "qjournal://jn1:8485;jn2:8485;jn3:8485/ns1";
+        "dfs.namenode.rpc-address.ns1.nn1" = "nn1:8020";
+        "dfs.namenode.rpc-address.ns1.nn2" = "nn2:8020";
+        "dfs.namenode.servicerpc-address.ns1.nn1" = "nn1:8022";
+        "dfs.namenode.servicerpc-address.ns1.nn2" = "nn2:8022";
+        "dfs.namenode.http-address.ns1.nn1" = "nn1:9870";
+        "dfs.namenode.http-address.ns1.nn2" = "nn2:9870";
+
+        # Automatic failover configuration
+        "dfs.client.failover.proxy.provider.ns1" = "org.apache.hadoop.hdfs.server.namenode.ha.ConfiguredFailoverProxyProvider";
+        "dfs.ha.automatic-failover.enabled.ns1" = "true";
+        "dfs.ha.fencing.methods" = "shell(true)";
+        "ha.zookeeper.quorum" = "zk1:2181";
+      };
+      yarnSite = {
+        "yarn.resourcemanager.zk-address" = "zk1:2181";
+        "yarn.resourcemanager.ha.enabled" = "true";
+        "yarn.resourcemanager.ha.rm-ids" = "rm1,rm2";
+        "yarn.resourcemanager.hostname.rm1" = "rm1";
+        "yarn.resourcemanager.hostname.rm2" = "rm2";
+        "yarn.resourcemanager.ha.automatic-failover.enabled" = "true";
+        "yarn.resourcemanager.cluster-id" = "cluster1";
+        # yarn.resourcemanager.webapp.address needs to be defined even though yarn.resourcemanager.hostname is set. This shouldn't be necessary, but there's a bug in
+        # hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/amfilter/AmFilterInitializer.java:70
+        # that causes AM containers to fail otherwise.
+        "yarn.resourcemanager.webapp.address.rm1" = "rm1:8088";
+        "yarn.resourcemanager.webapp.address.rm2" = "rm2:8088";
+      };
+    in
+    {
+      zk1 = { ... }: {
+        services.zookeeper.enable = true;
+        networking.firewall.allowedTCPPorts = [ 2181 ];
       };
-    };
-    nn2 = {pkgs, options, ...}: {
-      services.hadoop = {
-        inherit package coreSite hdfsSite;
-        hdfs.namenode.enable = true;
-        hdfs.zkfc.enable = true;
+
+      # HDFS cluster
+      nn1 = { ... }: {
+        services.hadoop = {
+          inherit package coreSite hdfsSite;
+          hdfs.namenode = {
+            enable = true;
+            openFirewall = true;
+          };
+          hdfs.zkfc.enable = true;
+        };
+      };
+      nn2 = { ... }: {
+        services.hadoop = {
+          inherit package coreSite hdfsSite;
+          hdfs.namenode = {
+            enable = true;
+            openFirewall = true;
+          };
+          hdfs.zkfc.enable = true;
+        };
       };
-    };
 
-    jn1 = {pkgs, options, ...}: {
-      services.hadoop = {
-        inherit package coreSite hdfsSite;
-        hdfs.journalnode.enable = true;
+      jn1 = { ... }: {
+        services.hadoop = {
+          inherit package coreSite hdfsSite;
+          hdfs.journalnode = {
+            enable = true;
+            openFirewall = true;
+          };
+        };
       };
-    };
-    jn2 = {pkgs, options, ...}: {
-      services.hadoop = {
-        inherit package coreSite hdfsSite;
-        hdfs.journalnode.enable = true;
+      jn2 = { ... }: {
+        services.hadoop = {
+          inherit package coreSite hdfsSite;
+          hdfs.journalnode = {
+            enable = true;
+            openFirewall = true;
+          };
+        };
       };
-    };
-    jn3 = {pkgs, options, ...}: {
-      services.hadoop = {
-        inherit package coreSite hdfsSite;
-        hdfs.journalnode.enable = true;
+      jn3 = { ... }: {
+        services.hadoop = {
+          inherit package coreSite hdfsSite;
+          hdfs.journalnode = {
+            enable = true;
+            openFirewall = true;
+          };
+        };
+      };
+
+      dn1 = { ... }: {
+        services.hadoop = {
+          inherit package coreSite hdfsSite;
+          hdfs.datanode = {
+            enable = true;
+            openFirewall = true;
+          };
+        };
       };
-    };
 
-    dn1 = {pkgs, options, ...}: {
-      services.hadoop = {
-        inherit package coreSite hdfsSite;
-        hdfs.datanode.enable = true;
+      # YARN cluster
+      rm1 = { options, ... }: {
+        services.hadoop = {
+          inherit package coreSite hdfsSite yarnSite;
+          yarn.resourcemanager = {
+            enable = true;
+            openFirewall = true;
+          };
+        };
       };
-    };
-
-    # YARN cluster
-    rm1 = {pkgs, options, ...}: {
-      services.hadoop = {
-        inherit package coreSite hdfsSite;
-        yarnSite = options.services.hadoop.yarnSite.default // yarnSiteHA;
-        yarn.resourcemanager.enable = true;
+      rm2 = { options, ... }: {
+        services.hadoop = {
+          inherit package coreSite hdfsSite yarnSite;
+          yarn.resourcemanager = {
+            enable = true;
+            openFirewall = true;
+          };
+        };
       };
-    };
-    rm2 = {pkgs, options, ...}: {
-      services.hadoop = {
-        inherit package coreSite hdfsSite;
-        yarnSite = options.services.hadoop.yarnSite.default // yarnSiteHA;
-        yarn.resourcemanager.enable = true;
+      nm1 = { options, ... }: {
+        virtualisation.memorySize = 2048;
+        services.hadoop = {
+          inherit package coreSite hdfsSite yarnSite;
+          yarn.nodemanager = {
+            enable = true;
+            openFirewall = true;
+          };
+        };
       };
-    };
-    nm1 = {pkgs, options, ...}: {
-      virtualisation.memorySize = 2048;
-      services.hadoop = {
-        inherit package coreSite hdfsSite;
-        yarnSite = options.services.hadoop.yarnSite.default // yarnSiteHA;
-        yarn.nodemanager.enable = true;
+      client = { options, ... }: {
+        services.hadoop = {
+          gatewayRole.enable = true;
+          inherit package coreSite hdfsSite yarnSite;
+        };
       };
-    };
   };
 
   testScript = ''
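Review bot: `rm1`, `rm2`, `nm1` and `client` still declare `{ options, ... }` but no longer reference `options` after `yarnSite` became a plain `inherit`, so they should take `{ ... }` like the HDFS nodes in the same hunk. Dropping the `options.services.hadoop.yarnSite.default // yarnSiteHA` merge also means these nodes no longer carry the module's default yarn-site keys unless the module now merges them itself; the sibling `yarn.nix` in this same commit still performs that merge for its nodemanager, so one of the two is presumably wrong — worth confirming against the module. Separately, `"dfs.ha.fencing.methods" = "shell(true)";` is a no-op fencing method that lets both namenodes believe they won a failover; it is acceptable in a VM test, but it deserves `# no-op fencing: test only, never use in a real cluster` so nobody copies this block as a reference configuration.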
@@ -173,26 +200,26 @@ import ../make-test-python.nix ({pkgs, ...}: {
     # DN should have started by now, but confirm anyway
     dn1.wait_for_unit("hdfs-datanode")
     # Print states of namenodes
-    dn1.succeed("sudo -u hdfs hdfs haadmin -getAllServiceState | systemd-cat")
+    client.succeed("sudo -u hdfs hdfs haadmin -getAllServiceState | systemd-cat")
     # Wait for cluster to exit safemode
-    dn1.succeed("sudo -u hdfs hdfs dfsadmin -safemode wait")
-    dn1.succeed("sudo -u hdfs hdfs haadmin -getAllServiceState | systemd-cat")
+    client.succeed("sudo -u hdfs hdfs dfsadmin -safemode wait")
+    client.succeed("sudo -u hdfs hdfs haadmin -getAllServiceState | systemd-cat")
     # test R/W
-    dn1.succeed("echo testfilecontents | sudo -u hdfs hdfs dfs -put - /testfile")
-    assert "testfilecontents" in dn1.succeed("sudo -u hdfs hdfs dfs -cat /testfile")
+    client.succeed("echo testfilecontents | sudo -u hdfs hdfs dfs -put - /testfile")
+    assert "testfilecontents" in client.succeed("sudo -u hdfs hdfs dfs -cat /testfile")
 
     # Test NN failover
     nn1.succeed("systemctl stop hdfs-namenode")
-    assert "active" in dn1.succeed("sudo -u hdfs hdfs haadmin -getAllServiceState")
-    dn1.succeed("sudo -u hdfs hdfs haadmin -getAllServiceState | systemd-cat")
-    assert "testfilecontents" in dn1.succeed("sudo -u hdfs hdfs dfs -cat /testfile")
+    assert "active" in client.succeed("sudo -u hdfs hdfs haadmin -getAllServiceState")
+    client.succeed("sudo -u hdfs hdfs haadmin -getAllServiceState | systemd-cat")
+    assert "testfilecontents" in client.succeed("sudo -u hdfs hdfs dfs -cat /testfile")
 
     nn1.succeed("systemctl start hdfs-namenode")
     nn1.wait_for_open_port(9870)
     nn1.wait_for_open_port(8022)
     nn1.wait_for_open_port(8020)
-    assert "standby" in dn1.succeed("sudo -u hdfs hdfs haadmin -getAllServiceState")
-    dn1.succeed("sudo -u hdfs hdfs haadmin -getAllServiceState | systemd-cat")
+    assert "standby" in client.succeed("sudo -u hdfs hdfs haadmin -getAllServiceState")
+    client.succeed("sudo -u hdfs hdfs haadmin -getAllServiceState | systemd-cat")
 
     #### YARN tests ####
 
@@ -208,21 +235,21 @@ import ../make-test-python.nix ({pkgs, ...}: {
     nm1.wait_for_unit("yarn-nodemanager")
     nm1.wait_for_open_port(8042)
     nm1.wait_for_open_port(8040)
-    nm1.wait_until_succeeds("yarn node -list | grep Nodes:1")
-    nm1.succeed("sudo -u yarn yarn rmadmin -getAllServiceState | systemd-cat")
-    nm1.succeed("sudo -u yarn yarn node -list | systemd-cat")
+    client.wait_until_succeeds("yarn node -list | grep Nodes:1")
+    client.succeed("sudo -u yarn yarn rmadmin -getAllServiceState | systemd-cat")
+    client.succeed("sudo -u yarn yarn node -list | systemd-cat")
 
     # Test RM failover
     rm1.succeed("systemctl stop yarn-resourcemanager")
-    assert "standby" not in nm1.succeed("sudo -u yarn yarn rmadmin -getAllServiceState")
-    nm1.succeed("sudo -u yarn yarn rmadmin -getAllServiceState | systemd-cat")
+    assert "standby" not in client.succeed("sudo -u yarn yarn rmadmin -getAllServiceState")
+    client.succeed("sudo -u yarn yarn rmadmin -getAllServiceState | systemd-cat")
     rm1.succeed("systemctl start yarn-resourcemanager")
     rm1.wait_for_unit("yarn-resourcemanager")
     rm1.wait_for_open_port(8088)
-    assert "standby" in nm1.succeed("sudo -u yarn yarn rmadmin -getAllServiceState")
-    nm1.succeed("sudo -u yarn yarn rmadmin -getAllServiceState | systemd-cat")
+    assert "standby" in client.succeed("sudo -u yarn yarn rmadmin -getAllServiceState")
+    client.succeed("sudo -u yarn yarn rmadmin -getAllServiceState | systemd-cat")
 
-    assert "Estimated value of Pi is" in nm1.succeed("HADOOP_USER_NAME=hdfs yarn jar $(readlink $(which yarn) | sed -r 's~bin/yarn~lib/hadoop-*/share/hadoop/mapreduce/hadoop-mapreduce-examples-*.jar~g') pi 2 10")
-    assert "SUCCEEDED" in nm1.succeed("yarn application -list -appStates FINISHED")
+    assert "Estimated value of Pi is" in client.succeed("HADOOP_USER_NAME=hdfs yarn jar $(readlink $(which yarn) | sed -r 's~bin/yarn~lib/hadoop-*/share/hadoop/mapreduce/hadoop-mapreduce-examples-*.jar~g') pi 2 10")
+    assert "SUCCEEDED" in client.succeed("yarn application -list -appStates FINISHED")
   '';
 })
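Review bot: `HADOOP_USER_NAME=hdfs yarn jar …` only works because the cluster under test runs with Hadoop's simple authentication, where the client-side environment variable is accepted as the caller's identity; the same is true of the `sudo -u hdfs` / `sudo -u yarn` invocations throughout this script. A one-line comment above the job submission, `# simple auth: the cluster trusts HADOOP_USER_NAME as the identity (no Kerberos in this test)`, would stop a reader from taking the trick as a general-purpose way to run jobs as another user. The `sed` that locates the examples jar also depends on `readlink $(which yarn)` resolving one level to the store path; if the wrapper layout changes this will fail with a confusing "jar not found" rather than an obvious error.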
diff --git a/nixpkgs/nixos/tests/hadoop/hdfs.nix b/nixpkgs/nixos/tests/hadoop/hdfs.nix
index b63cbf480327..9415500463de 100644
--- a/nixpkgs/nixos/tests/hadoop/hdfs.nix
+++ b/nixpkgs/nixos/tests/hadoop/hdfs.nix
@@ -1,32 +1,46 @@
 # Test a minimal HDFS cluster with no HA
-import ../make-test-python.nix ({...}: {
-  nodes = {
-    namenode = {pkgs, ...}: {
+import ../make-test-python.nix ({ package, lib, ... }:
+with lib;
+{
+  name = "hadoop-hdfs";
+
+  nodes = let
+    coreSite = {
+      "fs.defaultFS" = "hdfs://namenode:8020";
+      "hadoop.proxyuser.httpfs.groups" = "*";
+      "hadoop.proxyuser.httpfs.hosts" = "*";
+    };
+    in {
+    namenode = { pkgs, ... }: {
       services.hadoop = {
-        package = pkgs.hadoop;
+        inherit package;
         hdfs = {
           namenode = {
             enable = true;
+            openFirewall = true;
             formatOnInit = true;
           };
-          httpfs.enable = true;
-        };
-        coreSite = {
-          "fs.defaultFS" = "hdfs://namenode:8020";
-          "hadoop.proxyuser.httpfs.groups" = "*";
-          "hadoop.proxyuser.httpfs.hosts" = "*";
+          httpfs = {
+            # The NixOS hadoop module only support webHDFS on 3.3 and newer
+            enable = mkIf (versionAtLeast package.version "3.3") true;
+            openFirewall = true;
+          };
         };
+        inherit coreSite;
       };
     };
-    datanode = {pkgs, ...}: {
+    datanode = { pkgs, ... }: {
       services.hadoop = {
-        package = pkgs.hadoop;
-        hdfs.datanode.enable = true;
-        coreSite = {
-          "fs.defaultFS" = "hdfs://namenode:8020";
-          "hadoop.proxyuser.httpfs.groups" = "*";
-          "hadoop.proxyuser.httpfs.hosts" = "*";
+        inherit package;
+        hdfs.datanode = {
+          enable = true;
+          openFirewall = true;
+          dataDirs = [{
+            type = "DISK";
+            path = "/tmp/dn1";
+          }];
         };
+        inherit coreSite;
       };
     };
   };
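Review bot: `"hadoop.proxyuser.httpfs.groups" = "*"` and `"hadoop.proxyuser.httpfs.hosts" = "*"` let the httpfs service impersonate every user from every host, and because the commit hoists them into a shared `coreSite` they are now applied to the datanode as well, where httpfs is not enabled. That is fine for a throwaway VM, but the two lines should carry `# test only: unrestricted impersonation for httpfs; scope groups/hosts in real deployments` so the block is not lifted verbatim into a module example. The new `dataDirs = [{ type = "DISK"; path = "/tmp/dn1"; }]` likewise places block storage under `/tmp`; presumably intentional for the test, but a short comment saying why it is not left at the module default would help.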
@@ -37,21 +51,32 @@ import ../make-test-python.nix ({...}: {
     namenode.wait_for_unit("hdfs-namenode")
     namenode.wait_for_unit("network.target")
     namenode.wait_for_open_port(8020)
+    namenode.succeed("ss -tulpne | systemd-cat")
+    namenode.succeed("cat /etc/hadoop*/hdfs-site.xml | systemd-cat")
     namenode.wait_for_open_port(9870)
 
     datanode.wait_for_unit("hdfs-datanode")
     datanode.wait_for_unit("network.target")
+  '' + ( if versionAtLeast package.version "3" then ''
     datanode.wait_for_open_port(9864)
     datanode.wait_for_open_port(9866)
     datanode.wait_for_open_port(9867)
 
-    namenode.succeed("curl -f http://namenode:9870")
     datanode.succeed("curl -f http://datanode:9864")
+  '' else ''
+    datanode.wait_for_open_port(50075)
+    datanode.wait_for_open_port(50010)
+    datanode.wait_for_open_port(50020)
+
+    datanode.succeed("curl -f http://datanode:50075")
+  '' ) + ''
+    namenode.succeed("curl -f http://namenode:9870")
 
     datanode.succeed("sudo -u hdfs hdfs dfsadmin -safemode wait")
     datanode.succeed("echo testfilecontents | sudo -u hdfs hdfs dfs -put - /testfile")
     assert "testfilecontents" in datanode.succeed("sudo -u hdfs hdfs dfs -cat /testfile")
 
+  '' + optionalString ( versionAtLeast package.version "3.3" ) ''
     namenode.wait_for_unit("hdfs-httpfs")
     namenode.wait_for_open_port(14000)
     assert "testfilecontents" in datanode.succeed("curl -f \"http://namenode:14000/webhdfs/v1/testfile?user.name=hdfs&op=OPEN\" 2>&1")
diff --git a/nixpkgs/nixos/tests/hadoop/yarn.nix b/nixpkgs/nixos/tests/hadoop/yarn.nix
index 09bdb35791c7..1bf8e3831f67 100644
--- a/nixpkgs/nixos/tests/hadoop/yarn.nix
+++ b/nixpkgs/nixos/tests/hadoop/yarn.nix
@@ -1,22 +1,30 @@
 # This only tests if YARN is able to start its services
-import ../make-test-python.nix ({...}: {
+import ../make-test-python.nix ({ package, ... }: {
+  name = "hadoop-yarn";
+
   nodes = {
-    resourcemanager = {pkgs, ...}: {
-      services.hadoop.package = pkgs.hadoop;
-      services.hadoop.yarn.resourcemanager.enable = true;
-      services.hadoop.yarnSite = {
-        "yarn.resourcemanager.scheduler.class" = "org.apache.hadoop.yarn.server.resourcemanager.scheduler.fifo.FifoScheduler";
+    resourcemanager = { ... }: {
+      services.hadoop = {
+        inherit package;
+        yarn.resourcemanager = {
+          enable = true;
+          openFirewall = true;
+        };
       };
     };
-    nodemanager = {pkgs, ...}: {
-      services.hadoop.package = pkgs.hadoop;
-      services.hadoop.yarn.nodemanager.enable = true;
-      services.hadoop.yarnSite = {
-        "yarn.resourcemanager.hostname" = "resourcemanager";
-        "yarn.nodemanager.log-dirs" = "/tmp/userlogs";
+    nodemanager = { options, lib, ... }: {
+      services.hadoop = {
+        inherit package;
+        yarn.nodemanager = {
+          enable = true;
+          openFirewall = true;
+        };
+        yarnSite = options.services.hadoop.yarnSite.default // {
+          "yarn.resourcemanager.hostname" = "resourcemanager";
+          "yarn.nodemanager.log-dirs" = "/tmp/userlogs";
+        };
       };
     };
-
   };
 
   testScript = ''
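Review bot: `nodemanager = { options, lib, ... }:` binds `lib` but the body never uses it; drop it to `{ options, ... }:`. The nodemanager still merges `options.services.hadoop.yarnSite.default // { … }` whereas the resourcemanager in the same file (and every YARN node in the rewritten `hadoop.nix` of this commit) now inherits or omits `yarnSite` without the merge; either the module applies its defaults internally, making this merge redundant, or the other nodes lose them — please confirm and make the two tests agree. `"yarn.nodemanager.log-dirs" = "/tmp/userlogs"` is presumably a test-only choice and would benefit from a comment saying so.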
diff --git a/nixpkgs/nixos/tests/installed-tests/gjs.nix b/nixpkgs/nixos/tests/installed-tests/gjs.nix
index 1656e9de171b..d12487cba249 100644
--- a/nixpkgs/nixos/tests/installed-tests/gjs.nix
+++ b/nixpkgs/nixos/tests/installed-tests/gjs.nix
@@ -3,4 +3,10 @@
 makeInstalledTest {
   tested = pkgs.gjs;
   withX11 = true;
+
+  testConfig = {
+    environment.systemPackages = [
+      pkgs.gjs
+    ];
+  };
 }
diff --git a/nixpkgs/nixos/tests/installer.nix b/nixpkgs/nixos/tests/installer.nix
index 5525c3117b79..2cfadf85c935 100644
--- a/nixpkgs/nixos/tests/installer.nix
+++ b/nixpkgs/nixos/tests/installer.nix
@@ -568,7 +568,7 @@ in {
           "pvcreate /dev/vda1 /dev/vda2",
           "vgcreate MyVolGroup /dev/vda1 /dev/vda2",
           "lvcreate --size 1G --name swap MyVolGroup",
-          "lvcreate --size 3G --name nixos MyVolGroup",
+          "lvcreate --size 6G --name nixos MyVolGroup",
           "mkswap -f /dev/MyVolGroup/swap -L swap",
           "swapon -L swap",
           "mkfs.xfs -L nixos /dev/MyVolGroup/nixos",
diff --git a/nixpkgs/nixos/tests/ipfs.nix b/nixpkgs/nixos/tests/ipfs.nix
index f8683b0a8580..5e7c967028e4 100644
--- a/nixpkgs/nixos/tests/ipfs.nix
+++ b/nixpkgs/nixos/tests/ipfs.nix
@@ -10,6 +10,7 @@ import ./make-test-python.nix ({ pkgs, ...} : {
       # Also will add a unix domain socket socket API address, see module.
       startWhenNeeded = true;
       apiAddress = "/ip4/127.0.0.1/tcp/2324";
+      dataDir = "/mnt/ipfs";
     };
   };
 
@@ -35,5 +36,9 @@ import ./make-test-python.nix ({ pkgs, ...} : {
     machine.succeed(
         f"ipfs --api /unix/run/ipfs.sock cat /ipfs/{ipfs_hash.strip()} | grep fnord2"
     )
+
+    # Test if setting dataDir works properly with the hardened systemd unit
+    machine.succeed("test -e /mnt/ipfs/config")
+    machine.succeed("test ! -e /var/lib/ipfs/")
   '';
 })
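Review bot: The new `dataDir` check only proves the config landed in `/mnt/ipfs`; since that file holds the node's private key (`Identity.PrivKey`), a test that advertises "the hardened systemd unit" should also pin its permissions, e.g. `machine.succeed("stat -c %a /mnt/ipfs/config | grep -qx 600")` — adjust the expected mode if the unit or `ipfs init` creates it differently. `test ! -e /var/lib/ipfs/` is a good negative check, but it would be stronger paired with an ownership assertion such as `stat -c %U /mnt/ipfs | grep -qx ipfs`, otherwise a unit that ran as root and wrote a root-owned tree would still pass. The enclosing `testScript` string starts before this hunk.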
diff --git a/nixpkgs/nixos/tests/jitsi-meet.nix b/nixpkgs/nixos/tests/jitsi-meet.nix
index d95f7c2ea9ea..41d53bc73800 100644
--- a/nixpkgs/nixos/tests/jitsi-meet.nix
+++ b/nixpkgs/nixos/tests/jitsi-meet.nix
@@ -21,9 +21,9 @@ import ./make-test-python.nix ({ pkgs, ... }: {
         forceSSL = true;
       };
 
-      security.acme.email = "me@example.org";
       security.acme.acceptTerms = true;
-      security.acme.server = "https://example.com"; # self-signed only
+      security.acme.defaults.email = "me@example.org";
+      security.acme.defaults.server = "https://example.com"; # self-signed only
     };
   };
 
diff --git a/nixpkgs/nixos/tests/keepassxc.nix b/nixpkgs/nixos/tests/keepassxc.nix
index 685a200b3187..924c137a9032 100644
--- a/nixpkgs/nixos/tests/keepassxc.nix
+++ b/nixpkgs/nixos/tests/keepassxc.nix
@@ -15,20 +15,54 @@ import ./make-test-python.nix ({ pkgs, ...} :
     ];
 
     services.xserver.enable = true;
+
+    # Regression test for https://github.com/NixOS/nixpkgs/issues/163482
+    qt5 = {
+      enable = true;
+      platformTheme = "gnome";
+      style = "adwaita-dark";
+    };
+
     test-support.displayManager.auto.user = "alice";
-    environment.systemPackages = [ pkgs.keepassxc ];
+    environment.systemPackages = with pkgs; [
+      keepassxc
+      xdotool
+    ];
   };
 
   enableOCR = true;
 
-  testScript = { nodes, ... }: ''
-    start_all()
-    machine.wait_for_x()
+  testScript = { nodes, ... }: let
+    aliceDo = cmd: ''machine.succeed("su - alice -c '${cmd}' >&2 &");'';
+    in ''
+    with subtest("Ensure X starts"):
+        start_all()
+        machine.wait_for_x()
+
+    with subtest("Can create database and entry with CLI"):
+        ${aliceDo "keepassxc-cli db-create -k foo.keyfile foo.kdbx"}
+        ${aliceDo "keepassxc-cli add --no-password -k foo.keyfile foo.kdbx bar"}
+
+    with subtest("Ensure KeePassXC starts"):
+        # start KeePassXC window
+        ${aliceDo "keepassxc >&2 &"}
 
-    # start KeePassXC window
-    machine.execute("su - alice -c keepassxc >&2 &")
+        machine.wait_for_text("KeePassXC ${pkgs.keepassxc.version}")
+        machine.screenshot("KeePassXC")
 
-    machine.wait_for_text("KeePassXC ${pkgs.keepassxc.version}")
-    machine.screenshot("KeePassXC")
+    with subtest("Can open existing database"):
+        machine.send_key("ctrl-o")
+        machine.sleep(5)
+        # Regression #163482: keepassxc did not crash
+        machine.succeed("ps -e | grep keepassxc")
+        machine.wait_for_text("foo.kdbx")
+        machine.send_key("ret")
+        machine.sleep(1)
+        # Click on "Browse" button to select keyfile
+        machine.send_key("tab")
+        machine.send_chars("/home/alice/foo.keyfile")
+        machine.send_key("ret")
+        # Passwords folder is displayed
+        machine.wait_for_text("Passwords")
   '';
 })
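Review bot: `aliceDo` appends `>&2 &` to every command, so `keepassxc-cli db-create …` and `keepassxc-cli add …` are backgrounded and `machine.succeed` returns immediately with the shell's exit status, never the CLI's — the "Can create database and entry with CLI" subtest cannot fail, and `add` races `db-create` for `foo.kdbx` before the GUI is even launched. Make the helper synchronous, `aliceDo = cmd: ''machine.succeed("su - alice -c '${cmd}' >&2");'';`, and keep the GUI launch as it is (`${aliceDo "keepassxc >&2 &"}` already backgrounds itself), so the CLI steps are checked and ordered. The `machine.sleep(5)` / `machine.sleep(1)` waits after `ctrl-o` and `ret` are timing guesses; `wait_for_text` on the dialog title would be more robust than a fixed sleep.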
diff --git a/nixpkgs/nixos/tests/keycloak.nix b/nixpkgs/nixos/tests/keycloak.nix
index 6367ed808e06..fce8df2b7e3a 100644
--- a/nixpkgs/nixos/tests/keycloak.nix
+++ b/nixpkgs/nixos/tests/keycloak.nix
@@ -16,8 +16,7 @@ let
       };
 
       nodes = {
-        keycloak = { ... }: {
-
+        keycloak = { config, ... }: {
           security.pki.certificateFiles = [
             certs.ca.cert
           ];
@@ -36,6 +35,10 @@ let
               username = "bogus";
               passwordFile = pkgs.writeText "dbPassword" "wzf6vOCbPp6cqTH";
             };
+            plugins = with config.services.keycloak.package.plugins; [
+              keycloak-discord
+              keycloak-metrics-spi
+            ];
           };
 
           environment.systemPackages = with pkgs; [
@@ -102,8 +105,21 @@ let
           ### Realm Setup ###
 
           # Get an admin interface access token
+          keycloak.succeed("""
+              curl -sSf -d 'client_id=admin-cli' \
+                   -d 'username=admin' \
+                   -d 'password=${initialAdminPassword}' \
+                   -d 'grant_type=password' \
+                   '${frontendUrl}/realms/master/protocol/openid-connect/token' \
+                   | jq -r '"Authorization: bearer " + .access_token' >admin_auth_header
+          """)
+
+          # Register the metrics SPI
           keycloak.succeed(
-              "curl -sSf -d 'client_id=admin-cli' -d 'username=admin' -d 'password=${initialAdminPassword}' -d 'grant_type=password' '${frontendUrl}/realms/master/protocol/openid-connect/token' | jq -r '\"Authorization: bearer \" + .access_token' >admin_auth_header"
+              "${pkgs.jre}/bin/keytool -import -alias snakeoil -file ${certs.ca.cert} -storepass aaaaaa -keystore cacert.jks -noprompt",
+              "KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' ${pkgs.keycloak}/bin/kcadm.sh config credentials --server '${frontendUrl}' --realm master --user admin --password '${initialAdminPassword}'",
+              "KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' ${pkgs.keycloak}/bin/kcadm.sh update events/config -s 'eventsEnabled=true' -s 'adminEventsEnabled=true' -s 'eventsListeners+=metrics-listener'",
+              "curl -sSf '${frontendUrl}/realms/master/metrics' | grep '^keycloak_admin_event_UPDATE'"
           )
 
           # Publish the realm, including a test OIDC client and user
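Review bot: `curl -sSf '${frontendUrl}/realms/master/metrics' | grep '^keycloak_admin_event_UPDATE'` fetches the metrics endpoint with no `Authorization` header even though the script just built `admin_auth_header` for the admin API, which shows that the metrics SPI exposes admin-event counters for the master realm to anyone who can reach the server. That is expected for the plugin, but the test should say so, e.g. `# metrics-spi endpoint is unauthenticated; restrict it at the reverse proxy in production`, so the configuration is not copied without that step. `kcadm.sh config credentials --password '${initialAdminPassword}'` puts the admin password on the command line and, presumably, persists the resulting token to `~/.keycloak/kcadm.config` on the VM; fine here, worth a one-word `# test-only` reminder next to the `--storepass aaaaaa` truststore password for the same reason.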
diff --git a/nixpkgs/nixos/tests/misc.nix b/nixpkgs/nixos/tests/misc.nix
index 0587912c9a22..02513c4726c1 100644
--- a/nixpkgs/nixos/tests/misc.nix
+++ b/nixpkgs/nixos/tests/misc.nix
@@ -1,13 +1,13 @@
 # Miscellaneous small tests that don't warrant their own VM run.
 
-import ./make-test-python.nix ({ pkgs, ...} : rec {
+import ./make-test-python.nix ({ pkgs, ...} : let
+  foo = pkgs.writeText "foo" "Hello World";
+in {
   name = "misc";
   meta = with pkgs.lib.maintainers; {
     maintainers = [ eelco ];
   };
 
-  foo = pkgs.writeText "foo" "Hello World";
-
   machine =
     { lib, ... }:
     with lib;
diff --git a/nixpkgs/nixos/tests/moonraker.nix b/nixpkgs/nixos/tests/moonraker.nix
new file mode 100644
index 000000000000..b0a93a4a608b
--- /dev/null
+++ b/nixpkgs/nixos/tests/moonraker.nix
@@ -0,0 +1,45 @@
+import ./make-test-python.nix ({ pkgs, ...} : {
+  name = "moonraker";
+  meta = with pkgs.lib.maintainers; {
+    maintainers = [ zhaofengli ];
+  };
+
+  nodes = {
+    printer = { config, pkgs, ... }: {
+      security.polkit.enable = true;
+
+      services.moonraker = {
+        enable = true;
+        allowSystemControl = true;
+
+        settings = {
+          authorization = {
+            trusted_clients = [ "127.0.0.0/8" "::1/128" ];
+          };
+        };
+      };
+
+      services.klipper = {
+        enable = true;
+
+        user = "moonraker";
+        group = "moonraker";
+
+        # No mcu configured so won't even enter `ready` state
+        settings = {};
+      };
+    };
+  };
+
+  testScript = ''
+    printer.start()
+
+    printer.wait_for_unit("klipper.service")
+    printer.wait_for_unit("moonraker.service")
+    printer.wait_until_succeeds("curl http://localhost:7125/printer/info | grep -v 'Not Found' >&2", timeout=30)
+
+    with subtest("Check that we can perform system-level operations"):
+        printer.succeed("curl -X POST http://localhost:7125/machine/services/stop?service=klipper | grep ok >&2")
+        printer.wait_until_succeeds("systemctl --no-pager show klipper.service | grep ActiveState=inactive", timeout=10)
+  '';
+})
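Review bot: Only the privileged path is asserted — `trusted_clients = [ "127.0.0.0/8" "::1/128" ]` together with `allowSystemControl = true` lets any unauthenticated local process stop and start system units through polkit, and nothing in the test checks that an untrusted origin is refused. Since a single node cannot easily produce a non-trusted source, at least document the intent next to the setting: `# test-only: every local process is trusted and may control system services; do not copy into a real deployment`. The readiness probe `curl http://localhost:7125/printer/info | grep -v 'Not Found'` succeeds on any non-empty body that is not literally "Not Found" (an HTTP 500 page would pass); `curl -sf` plus a grep for a field you expect, such as `grep state`, would be a tighter gate.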
diff --git a/nixpkgs/nixos/tests/networking.nix b/nixpkgs/nixos/tests/networking.nix
index 8c9df19f2d58..dc7938a436aa 100644
--- a/nixpkgs/nixos/tests/networking.nix
+++ b/nixpkgs/nixos/tests/networking.nix
@@ -498,6 +498,7 @@ let
         networking = {
           useNetworkd = networkd;
           useDHCP = false;
+          firewall.extraCommands = "ip6tables -A nixos-fw -p gre -j nixos-fw-accept";
         };
       };
     in {
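Review bot: The added rule accepts GRE from any IPv6 source on the node, not only from the tunnel peer; scoping it, `ip6tables -A nixos-fw -p gre -s fd00:1234:5678:4::/64 -j nixos-fw-accept`, keeps the test honest about the minimum the firewall has to allow. No matching ip4tables rule is added for the existing IPv4 tap tunnel, so either GRE over IPv4 is accepted by something outside this hunk or the v4 path does not traverse the firewall — a one-line comment stating which would save the next reader the investigation. The enclosing `node` definition starts outside the hunk.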
@@ -506,21 +507,35 @@ let
         mkMerge [
           (node args)
           {
-            virtualisation.vlans = [ 1 2 ];
+            virtualisation.vlans = [ 1 2 4 ];
             networking = {
               greTunnels = {
                 greTunnel = {
                   local = "192.168.2.1";
                   remote = "192.168.2.2";
                   dev = "eth2";
+                  ttl = 225;
                   type = "tap";
                 };
+                gre6Tunnel = {
+                  local = "fd00:1234:5678:4::1";
+                  remote = "fd00:1234:5678:4::2";
+                  dev = "eth3";
+                  ttl = 255;
+                  type = "tun6";
+                };
               };
               bridges.bridge.interfaces = [ "greTunnel" "eth1" ];
               interfaces.eth1.ipv4.addresses = mkOverride 0 [];
               interfaces.bridge.ipv4.addresses = mkOverride 0 [
                 { address = "192.168.1.1"; prefixLength = 24; }
               ];
+              interfaces.eth3.ipv6.addresses = [
+                { address = "fd00:1234:5678:4::1"; prefixLength = 64; }
+              ];
+              interfaces.gre6Tunnel.ipv6.addresses = mkOverride 0 [
+                { address = "fc00::1"; prefixLength = 64; }
+              ];
             };
           }
         ];
@@ -528,26 +543,41 @@ let
         mkMerge [
           (node args)
           {
-            virtualisation.vlans = [ 2 3 ];
+            virtualisation.vlans = [ 2 3 4 ];
             networking = {
               greTunnels = {
                 greTunnel = {
                   local = "192.168.2.2";
                   remote = "192.168.2.1";
                   dev = "eth1";
+                  ttl = 225;
                   type = "tap";
                 };
+                gre6Tunnel = {
+                  local = "fd00:1234:5678:4::2";
+                  remote = "fd00:1234:5678:4::1";
+                  dev = "eth3";
+                  ttl = 255;
+                  type = "tun6";
+                };
               };
               bridges.bridge.interfaces = [ "greTunnel" "eth2" ];
               interfaces.eth2.ipv4.addresses = mkOverride 0 [];
               interfaces.bridge.ipv4.addresses = mkOverride 0 [
                 { address = "192.168.1.2"; prefixLength = 24; }
               ];
+              interfaces.eth3.ipv6.addresses = [
+                { address = "fd00:1234:5678:4::2"; prefixLength = 64; }
+              ];
+              interfaces.gre6Tunnel.ipv6.addresses = mkOverride 0 [
+                { address = "fc00::2"; prefixLength = 64; }
+              ];
             };
           }
         ];
       testScript = { ... }:
         ''
+          import json
           start_all()
 
           with subtest("Wait for networking to be configured"):
@@ -562,6 +592,17 @@ let
               client1.wait_until_succeeds("ping -c 1 192.168.1.2")
 
               client2.wait_until_succeeds("ping -c 1 192.168.1.1")
+
+              client1.wait_until_succeeds("ping -c 1 fc00::2")
+
+              client2.wait_until_succeeds("ping -c 1 fc00::1")
+
+          with subtest("Test GRE tunnel TTL"):
+              links = json.loads(client1.succeed("ip -details -json link show greTunnel"))
+              assert links[0]['linkinfo']['info_data']['ttl'] == 225, "ttl not set for greTunnel"
+
+              links = json.loads(client2.succeed("ip -details -json link show gre6Tunnel"))
+              assert links[0]['linkinfo']['info_data']['ttl'] == 255, "ttl not set for gre6Tunnel"
         '';
     };
     vlan = let
diff --git a/nixpkgs/nixos/tests/nextcloud/default.nix b/nixpkgs/nixos/tests/nextcloud/default.nix
index 34d3c345354c..b7b1c5c66002 100644
--- a/nixpkgs/nixos/tests/nextcloud/default.nix
+++ b/nixpkgs/nixos/tests/nextcloud/default.nix
@@ -18,4 +18,4 @@ foldl
     };
   })
 { }
-  [ 21 22 23 ]
+  [ 22 23 ]
diff --git a/nixpkgs/nixos/tests/nix-ld.nix b/nixpkgs/nixos/tests/nix-ld.nix
new file mode 100644
index 000000000000..5c886182d969
--- /dev/null
+++ b/nixpkgs/nixos/tests/nix-ld.nix
@@ -0,0 +1,20 @@
+import ./make-test-python.nix ({ lib, pkgs, ...} :
+{
+  name = "nix-ld";
+  nodes.machine = { pkgs, ... }: {
+    programs.nix-ld.enable = true;
+    environment.systemPackages = [
+      (pkgs.runCommand "patched-hello" {} ''
+        install -D -m755 ${pkgs.hello}/bin/hello $out/bin/hello
+        patchelf $out/bin/hello --set-interpreter ${pkgs.nix-ld.ldPath}
+      '')
+    ];
+  };
+  testScript = ''
+    start_all()
+    path = "${pkgs.stdenv.cc}/nix-support/dynamic-linker"
+    with open(path) as f:
+        real_ld = f.read().strip()
+    machine.succeed(f"NIX_LD={real_ld} hello")
+ '';
+})
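Review bot: Only the happy path is pinned; the property nix-ld provides is that the stub interpreter defers to whatever `NIX_LD` names, so the test should also fix the behaviour when it is unset, e.g. `machine.fail("hello")` before the succeed call (assuming the stub exits non-zero without `NIX_LD` — verify against the stub's source). The closing `'';` of testScript is indented one space instead of the two used elsewhere in the file.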
diff --git a/nixpkgs/nixos/tests/pacemaker.nix b/nixpkgs/nixos/tests/pacemaker.nix
new file mode 100644
index 000000000000..684557614953
--- /dev/null
+++ b/nixpkgs/nixos/tests/pacemaker.nix
@@ -0,0 +1,110 @@
+import ./make-test-python.nix  ({ pkgs, lib, ... }: rec {
+  name = "pacemaker";
+  meta = with pkgs.lib.maintainers; {
+    maintainers = [ astro ];
+  };
+
+  nodes =
+    let
+      node = i: {
+        networking.interfaces.eth1.ipv4.addresses = [ {
+          address = "192.168.0.${toString i}";
+          prefixLength = 24;
+        } ];
+
+        services.corosync = {
+          enable = true;
+          clusterName = "zentralwerk-network";
+          nodelist = lib.imap (i: name: {
+            nodeid = i;
+            inherit name;
+            ring_addrs = [
+              (builtins.head nodes.${name}.networking.interfaces.eth1.ipv4.addresses).address
+            ];
+          }) (builtins.attrNames nodes);
+        };
+        environment.etc."corosync/authkey" = {
+          source = builtins.toFile "authkey"
+            # minimum length: 128 bytes
+            "testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttest";
+          mode = "0400";
+        };
+
+        services.pacemaker.enable = true;
+
+        # used for pacemaker resource
+        systemd.services.ha-cat = {
+          description = "Highly available netcat";
+          serviceConfig.ExecStart = "${pkgs.netcat}/bin/nc -l discard";
+        };
+      };
+    in {
+      node1 = node 1;
+      node2 = node 2;
+      node3 = node 3;
+    };
+
+  # sets up pacemaker with resources configuration, then crashes a
+  # node and waits for service restart on another node
+  testScript =
+    let
+      resources = builtins.toFile "cib-resources.xml" ''
+        <resources>
+          <primitive id="cat" class="systemd" type="ha-cat">
+            <operations>
+              <op id="stop-cat" name="start" interval="0" timeout="1s"/>
+              <op id="start-cat" name="start" interval="0" timeout="1s"/>
+              <op id="monitor-cat" name="monitor" interval="1s" timeout="1s"/>
+            </operations>
+          </primitive>
+        </resources>
+      '';
+    in ''
+      import re
+      import time
+
+      start_all()
+
+      ${lib.concatMapStrings (node: ''
+        ${node}.wait_until_succeeds("corosync-quorumtool")
+        ${node}.wait_for_unit("pacemaker.service")
+      '') (builtins.attrNames nodes)}
+
+      # No STONITH device
+      node1.succeed("crm_attribute -t crm_config -n stonith-enabled -v false")
+      # Configure the cat resource
+      node1.succeed("cibadmin --replace --scope resources --xml-file ${resources}")
+
+      # wait until the service is started
+      while True:
+        output = node1.succeed("crm_resource -r cat --locate")
+        match = re.search("is running on: (.+)", output)
+        if match:
+          for machine in machines:
+            if machine.name == match.group(1):
+              current_node = machine
+          break
+        time.sleep(1)
+
+      current_node.log("Service running here!")
+      current_node.crash()
+
+      # pick another node that's still up
+      for machine in machines:
+        if machine.booted:
+          check_node = machine
+      # find where the service has been started next
+      while True:
+        output = check_node.succeed("crm_resource -r cat --locate")
+        match = re.search("is running on: (.+)", output)
+        # output will remain the old current_node until the crash is detected by pacemaker
+        if match and match.group(1) != current_node.name:
+          for machine in machines:
+            if machine.name == match.group(1):
+              next_node = machine
+          break
+        time.sleep(1)
+
+      next_node.log("Service migrated here!")
+  '';
+})
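Review bot: The operation with id `stop-cat` on line 9005 is declared as `name="start"`, so the primitive ends up with two start operations and no configured stop operation; it should read `<op id="stop-cat" name="stop" interval="0" timeout="1s"/>`. The two `while True:` polling loops have no upper bound, so a resource that never starts or never migrates hangs until the driver's global timeout instead of failing with a message — a loop counter that raises after a fixed number of iterations would make the failure legible. The corosync authkey is a fixed literal placed in the store by `builtins.toFile`, so `mode = "0400"` on the /etc copy does not make it secret; fine for a throwaway cluster, but worth a comment saying so next to the `source` line.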
diff --git a/nixpkgs/nixos/tests/pleroma.nix b/nixpkgs/nixos/tests/pleroma.nix
index bf3623fce38b..90a9a2511044 100644
--- a/nixpkgs/nixos/tests/pleroma.nix
+++ b/nixpkgs/nixos/tests/pleroma.nix
@@ -32,8 +32,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
     # system one. Overriding this pretty bad default behaviour.
     export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
 
-    export TOOT_LOGIN_CLI_PASSWORD="jamy-password"
-    toot login_cli -i "pleroma.nixos.test" -e "jamy@nixos.test"
+    echo "jamy-password" | toot login_cli -i "pleroma.nixos.test" -e "jamy@nixos.test"
     echo "Login OK"
 
     # Send a toot then verify it's part of the public timeline
@@ -168,21 +167,6 @@ import ./make-test-python.nix ({ pkgs, ... }:
     cp key.pem cert.pem $out
   '';
 
-  /* Toot is preventing users from feeding login_cli a password non
-     interactively. While it makes sense most of the times, it's
-     preventing us to login in this non-interactive test. This patch
-     introduce a TOOT_LOGIN_CLI_PASSWORD env variable allowing us to
-     provide a password to toot login_cli
-
-     If https://github.com/ihabunek/toot/pull/180 gets merged at some
-     point, feel free to remove this patch. */
-  custom-toot = pkgs.toot.overrideAttrs(old:{
-    patches = [ (pkgs.fetchpatch {
-      url = "https://github.com/NinjaTrappeur/toot/commit/b4a4c30f41c0cb7e336714c2c4af9bc9bfa0c9f2.patch";
-      sha256 = "sha256-0xxNwjR/fStLjjUUhwzCCfrghRVts+fc+fvVJqVcaFg=";
-    }) ];
-  });
-
   hosts = nodes: ''
     ${nodes.pleroma.config.networking.primaryIPAddress} pleroma.nixos.test
     ${nodes.client.config.networking.primaryIPAddress} client.nixos.test
@@ -194,7 +178,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
       security.pki.certificateFiles = [ "${tls-cert}/cert.pem" ];
       networking.extraHosts = hosts nodes;
       environment.systemPackages = with pkgs; [
-        custom-toot
+        toot
         send-toot
       ];
     };
diff --git a/nixpkgs/nixos/tests/powerdns.nix b/nixpkgs/nixos/tests/powerdns.nix
index d025934ad2b3..70060bad87b6 100644
--- a/nixpkgs/nixos/tests/powerdns.nix
+++ b/nixpkgs/nixos/tests/powerdns.nix
@@ -10,6 +10,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
     services.powerdns.extraConfig = ''
       launch=gmysql
       gmysql-user=pdns
+      zone-cache-refresh-interval=0
     '';
 
     services.mysql = {
diff --git a/nixpkgs/nixos/tests/rstudio-server.nix b/nixpkgs/nixos/tests/rstudio-server.nix
index c7ac7670fbd4..dd5fe3e5b440 100644
--- a/nixpkgs/nixos/tests/rstudio-server.nix
+++ b/nixpkgs/nixos/tests/rstudio-server.nix
@@ -14,12 +14,6 @@ import ./make-test-python.nix ({ pkgs, ... }:
       };
     };
 
-    users.testuser = {
-      uid = 1000;
-      group = "testgroup";
-    };
-    groups.testgroup.gid = 1000;
-
     testScript = ''
       machine.wait_for_unit("rstudio-server.service")
       machine.succeed("curl -f -vvv -s http://127.0.0.1:8787")
diff --git a/nixpkgs/nixos/tests/sfxr-qt.nix b/nixpkgs/nixos/tests/sfxr-qt.nix
new file mode 100644
index 000000000000..976b9b11fc66
--- /dev/null
+++ b/nixpkgs/nixos/tests/sfxr-qt.nix
@@ -0,0 +1,32 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+  name = "sfxr-qt";
+  meta = with pkgs.lib.maintainers; {
+    maintainers = [ fgaz ];
+  };
+
+  machine = { config, pkgs, ... }: {
+    imports = [
+      ./common/x11.nix
+    ];
+
+    services.xserver.enable = true;
+    sound.enable = true;
+    environment.systemPackages = [ pkgs.sfxr-qt ];
+  };
+
+  enableOCR = true;
+
+  testScript =
+    ''
+      machine.wait_for_x()
+      # Add a dummy sound card, or the program won't start
+      machine.execute("modprobe snd-dummy")
+
+      machine.execute("sfxr-qt >&2 &")
+
+      machine.wait_for_window(r"sfxr")
+      machine.sleep(10)
+      machine.wait_for_text("requency")
+      machine.screenshot("screen")
+    '';
+})
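Review bot: `machine.execute("modprobe snd-dummy")` discards the exit status, so a failure to load the dummy card only surfaces later as an unrelated `wait_for_window` timeout; the comment says the program will not start without it, so make that the hard failure with `machine.succeed("modprobe snd-dummy")`. The fixed `machine.sleep(10)` before `wait_for_text` is redundant with the retry inside `wait_for_text` and only slows the test down; drop it or explain why it is needed.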
diff --git a/nixpkgs/nixos/tests/step-ca.nix b/nixpkgs/nixos/tests/step-ca.nix
index b22bcb060f2b..f21bd5366266 100644
--- a/nixpkgs/nixos/tests/step-ca.nix
+++ b/nixpkgs/nixos/tests/step-ca.nix
@@ -42,8 +42,8 @@ import ./make-test-python.nix ({ pkgs, ... }:
 
         caclient =
           { config, pkgs, ... }: {
-            security.acme.server = "https://caserver:8443/acme/acme/directory";
-            security.acme.email = "root@example.org";
+            security.acme.defaults.server = "https://caserver:8443/acme/acme/directory";
+            security.acme.defaults.email = "root@example.org";
             security.acme.acceptTerms = true;
 
             security.pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ];
diff --git a/nixpkgs/nixos/tests/switch-test.nix b/nixpkgs/nixos/tests/switch-test.nix
index 93eee4babc2d..0198866b6ff8 100644
--- a/nixpkgs/nixos/tests/switch-test.nix
+++ b/nixpkgs/nixos/tests/switch-test.nix
@@ -51,6 +51,12 @@ in {
       environment.systemPackages = [ pkgs.socat ]; # for the socket activation stuff
       users.mutableUsers = false;
 
+      # For boot/switch testing
+      system.build.installBootLoader = lib.mkForce (pkgs.writeShellScript "install-dummy-loader" ''
+        echo "installing dummy bootloader"
+        touch /tmp/bootloader-installed
+      '');
+
       specialisation = rec {
         simpleService.configuration = {
           systemd.services.test = {
@@ -502,10 +508,33 @@ in {
     machine.succeed(
         "${stderrRunner} ${originalSystem}/bin/switch-to-configuration test"
     )
+    # This tests whether the /etc/os-release parser works which is a fallback
+    # when /etc/NIXOS is missing. If the parser does not work, switch-to-configuration
+    # would fail.
+    machine.succeed("rm /etc/NIXOS")
     machine.succeed(
         "${stderrRunner} ${otherSystem}/bin/switch-to-configuration test"
     )
 
+
+    with subtest("actions"):
+        # boot action
+        machine.fail("test -f /tmp/bootloader-installed")
+        out = switch_to_specialisation("${machine}", "simpleService", action="boot")
+        assert_contains(out, "installing dummy bootloader")
+        assert_lacks(out, "activating the configuration...")  # good indicator of a system activation
+        machine.succeed("test -f /tmp/bootloader-installed")
+        machine.succeed("rm /tmp/bootloader-installed")
+
+        # switch action
+        machine.fail("test -f /tmp/bootloader-installed")
+        out = switch_to_specialisation("${machine}", "", action="switch")
+        assert_contains(out, "installing dummy bootloader")
+        assert_contains(out, "activating the configuration...")  # good indicator of a system activation
+        machine.succeed("test -f /tmp/bootloader-installed")
+
+        # test and dry-activate actions are tested further down below
+
     with subtest("services"):
         switch_to_specialisation("${machine}", "")
         # Nothing happens when nothing is changed
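Review bot: `machine.succeed("rm /etc/NIXOS")` is never undone inside the hunk, so every later subtest runs with the marker missing unless activating otherSystem recreates it — the comment only claims the os-release fallback is exercised, not that /etc/NIXOS comes back. Either assert the recreation right after the switch, `machine.succeed("test -f /etc/NIXOS")`, or restore it explicitly, so a regression in the fallback fails in this subtest rather than as a confusing error further down. The "actions" subtest leaves `/tmp/bootloader-installed` in place after the switch action, which is harmless only because the later assertion on line 9243 checks output rather than the file; a trailing `rm` would keep the fixture state symmetric with the boot case.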
@@ -519,6 +548,7 @@ in {
 
         # Start a simple service
         out = switch_to_specialisation("${machine}", "simpleService")
+        assert_lacks(out, "installing dummy bootloader")  # test does not install a bootloader
         assert_lacks(out, "stopping the following units:")
         assert_lacks(out, "NOT restarting the following changed units:")
         assert_contains(out, "reloading the following units: dbus.service\n")  # huh
diff --git a/nixpkgs/nixos/tests/systemd-unit-path.nix b/nixpkgs/nixos/tests/systemd-misc.nix
index 5998a187188a..e416baa8b5f5 100644
--- a/nixpkgs/nixos/tests/systemd-unit-path.nix
+++ b/nixpkgs/nixos/tests/systemd-misc.nix
@@ -29,10 +29,23 @@ let
   };
 in
 {
-  name = "systemd-unit-path";
+  name = "systemd-misc";
 
   machine = { pkgs, lib, ... }: {
     boot.extraSystemdUnitPaths = [ "/etc/systemd-rw/system" ];
+
+    users.users.limited = {
+      isNormalUser = true;
+      uid = 1000;
+    };
+
+    systemd.units."user-1000.slice.d/limits.conf" = {
+      text = ''
+        [Slice]
+        TasksAccounting=yes
+        TasksMax=100
+      '';
+    };
   };
 
   testScript = ''
@@ -43,5 +56,7 @@ in
     )
     machine.succeed("systemctl start example.service")
     machine.succeed("systemctl status example.service | grep 'Active: active'")
+
+    machine.succeed("systemctl show --property TasksMax --value user-1000.slice | grep 100")
   '';
 })
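Review bot: `grep 100` on the TasksMax value also matches 1000, 4100 and similar, so the assertion does not actually pin the drop-in's value; use `grep -x 100`, or compare in Python with `assert machine.succeed("systemctl show --property TasksMax --value user-1000.slice").strip() == "100"`. The drop-in is declared through `systemd.units."user-1000.slice.d/limits.conf"` rather than `systemd.slices`, which is presumably the point being tested; a one-line comment on the unit saying so would stop a future cleanup from "simplifying" it away.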
diff --git a/nixpkgs/nixos/tests/terminal-emulators.nix b/nixpkgs/nixos/tests/terminal-emulators.nix
new file mode 100644
index 000000000000..6ea0f1c18725
--- /dev/null
+++ b/nixpkgs/nixos/tests/terminal-emulators.nix
@@ -0,0 +1,207 @@
+# Terminal emulators all present a pretty similar interface.
+# That gives us an opportunity to easily test their basic functionality with a single codebase.
+#
+# There are two tests run on each terminal emulator
+# - can it successfully execute a command passed on the cmdline?
+# - can it successfully display a colour?
+# the latter is used as a proxy for "can it display text?", without going through all the intricacies of OCR.
+#
+# 256-colour terminal mode is used to display the test colour, since it has a universally-applicable palette (unlike 8- and 16- colour, where the colours are implementation-defined), and it is widely supported (unlike 24-bit colour).
+#
+# Future work:
+# - Wayland support (both for testing the existing terminals, and for testing wayland-only terminals like foot and havoc)
+# - Test keyboard input? (skipped for now, to eliminate the possibility of race conditions and focus issues)
+
+{ system ? builtins.currentSystem,
+  config ? {},
+  pkgs ? import ../.. { inherit system config; }
+}:
+
+with import ../lib/testing-python.nix { inherit system pkgs; };
+with pkgs.lib;
+
+let tests = {
+      alacritty.pkg = p: p.alacritty;
+
+      contour.pkg = p: p.contour;
+      contour.cmd = "contour $command";
+
+      cool-retro-term.pkg = p: p.cool-retro-term;
+      cool-retro-term.colourTest = false; # broken by gloss effect
+
+      ctx.pkg = p: p.ctx;
+      ctx.pinkValue = "#FE0065";
+
+      darktile.pkg = p: p.darktile;
+
+      eterm.pkg = p: p.eterm;
+      eterm.executable = "Eterm";
+      eterm.pinkValue = "#D40055";
+
+      germinal.pkg = p: p.germinal;
+
+      gnome-terminal.pkg = p: p.gnome.gnome-terminal;
+
+      guake.pkg = p: p.guake;
+      guake.cmd = "SHELL=$command guake --show";
+      guake.kill = true;
+
+      hyper.pkg = p: p.hyper;
+
+      kermit.pkg = p: p.kermit-terminal;
+
+      kgx.pkg = p: p.kgx;
+      kgx.cmd = "kgx -e $command";
+      kgx.kill = true;
+
+      kitty.pkg = p: p.kitty;
+      kitty.cmd = "kitty $command";
+
+      konsole.pkg = p: p.plasma5Packages.konsole;
+
+      lxterminal.pkg = p: p.lxterminal;
+
+      mate-terminal.pkg = p: p.mate.mate-terminal;
+      mate-terminal.cmd = "SHELL=$command mate-terminal --disable-factory"; # factory mode uses dbus, and we don't have a proper dbus session set up
+
+      mlterm.pkg = p: p.mlterm;
+
+      mrxvt.pkg = p: p.mrxvt;
+
+      qterminal.pkg = p: p.lxqt.qterminal;
+      qterminal.kill = true;
+
+      roxterm.pkg = p: p.roxterm;
+      roxterm.cmd = "roxterm -e $command";
+
+      sakura.pkg = p: p.sakura;
+
+      st.pkg = p: p.st;
+      st.kill = true;
+
+      stupidterm.pkg = p: p.stupidterm;
+      stupidterm.cmd = "stupidterm -- $command";
+
+      terminator.pkg = p: p.terminator;
+      terminator.cmd = "terminator -e $command";
+
+      terminology.pkg = p: p.enlightenment.terminology;
+      terminology.cmd = "SHELL=$command terminology --no-wizard=true";
+      terminology.colourTest = false; # broken by gloss effect
+
+      termite.pkg = p: p.termite;
+
+      termonad.pkg = p: p.termonad;
+
+      tilda.pkg = p: p.tilda;
+
+      tilix.pkg = p: p.tilix;
+      tilix.cmd = "tilix -e $command";
+
+      urxvt.pkg = p: p.rxvt-unicode;
+
+      wayst.pkg = p: p.wayst;
+      wayst.pinkValue = "#FF0066";
+
+      wezterm.pkg = p: p.wezterm;
+
+      xfce4-terminal.pkg = p: p.xfce.xfce4-terminal;
+
+      xterm.pkg = p: p.xterm;
+    };
+in mapAttrs (name: { pkg, executable ? name, cmd ? "SHELL=$command ${executable}", colourTest ? true, pinkValue ? "#FF0087", kill ? false }: makeTest
+{
+  name = "terminal-emulator-${name}";
+  meta = with pkgs.lib.maintainers; {
+    maintainers = [ jjjollyjim ];
+  };
+
+  machine = { pkgsInner, ... }:
+
+  {
+    imports = [ ./common/x11.nix ./common/user-account.nix ];
+
+    # Hyper (and any other electron-based terminals) won't run as root
+    test-support.displayManager.auto.user = "alice";
+
+    environment.systemPackages = [
+      (pkg pkgs)
+      (pkgs.writeShellScriptBin "report-success" ''
+        echo 1 > /tmp/term-ran-successfully
+        ${optionalString kill "pkill ${executable}"}
+      '')
+      (pkgs.writeShellScriptBin "display-colour" ''
+        # A 256-colour background colour code for pink, then spaces.
+        #
+        # Background is used rather than foreground to minimize the effect of anti-aliasing.
+        #
+        # Keep adding more in case the window is partially offscreen to the left or requires
+        # a change to correctly redraw after initialising the window (as with ctx).
+
+        while :
+        do
+            echo -ne "\e[48;5;198m                   "
+            sleep 0.5
+        done
+        sleep infinity
+      '')
+      (pkgs.writeShellScriptBin "run-in-this-term" "sudo -u alice run-in-this-term-wrapped $1")
+
+      (pkgs.writeShellScriptBin "run-in-this-term-wrapped" "command=\"$(which \"$1\")\"; ${cmd}")
+    ];
+
+    # Helpful reminder to add this test to passthru.tests
+    warnings = if !((pkg pkgs) ? "passthru" && (pkg pkgs).passthru ? "tests") then [ "The package for ${name} doesn't have a passthru.tests" ] else [ ];
+  };
+
+  # We need imagemagick, though not tesseract
+  enableOCR = true;
+
+  testScript = { nodes, ... }: let
+  in ''
+    with subtest("wait for x"):
+        start_all()
+        machine.wait_for_x()
+
+    with subtest("have the terminal run a command"):
+        # We run this command synchronously, so we can be certain the exit codes are happy
+        machine.${if kill then "execute" else "succeed"}("run-in-this-term report-success")
+        machine.wait_for_file("/tmp/term-ran-successfully")
+    ${optionalString colourTest ''
+
+    import tempfile
+    import subprocess
+
+
+    def check_for_pink(final=False) -> bool:
+        with tempfile.NamedTemporaryFile() as tmpin:
+            machine.send_monitor_command("screendump {}".format(tmpin.name))
+
+            cmd = 'convert {} -define histogram:unique-colors=true -format "%c" histogram:info:'.format(
+                tmpin.name
+            )
+            ret = subprocess.run(cmd, shell=True, capture_output=True)
+            if ret.returncode != 0:
+                raise Exception(
+                    "image analysis failed with exit code {}".format(ret.returncode)
+                )
+
+            text = ret.stdout.decode("utf-8")
+            return "${pinkValue}" in text
+
+
+    with subtest("ensuring no pink is present without the terminal"):
+        assert (
+            check_for_pink() == False
+        ), "Pink was present on the screen before we even launched a terminal!"
+
+    with subtest("have the terminal display a colour"):
+        # We run this command in the background
+        machine.shell.send(b"(run-in-this-term display-colour |& systemd-cat -t terminal) &\n")
+
+        with machine.nested("Waiting for the screen to have pink on it:"):
+            retry(check_for_pink)
+  ''}'';
+}
+
+  ) tests
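Review bot: `sleep infinity` after the `while :` loop in `display-colour` is unreachable because the loop never exits; drop it or make it the intended mechanism. `run-in-this-term` passes `$1` unquoted to `sudo -u alice run-in-this-term-wrapped $1`, and the wrapper's `cmd` is substituted into the script verbatim — correct for the fixed command names used here, but quoting it as `"$1"` costs nothing and avoids silent word-splitting. With `kill = true`, `report-success` runs `pkill ${executable}`, which matches any process whose name contains that string rather than only the terminal just launched; harmless in an isolated VM, but worth a comment at the `kill` option so nobody reuses the helper outside a test.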
diff --git a/nixpkgs/nixos/tests/tor.nix b/nixpkgs/nixos/tests/tor.nix
index c061f59226cf..71ec9df4641f 100644
--- a/nixpkgs/nixos/tests/tor.nix
+++ b/nixpkgs/nixos/tests/tor.nix
@@ -1,24 +1,19 @@
 import ./make-test-python.nix ({ lib, ... }: with lib;
 
-rec {
+{
   name = "tor";
   meta.maintainers = with maintainers; [ joachifm ];
 
-  common =
-    { ... }:
-    { boot.kernelParams = [ "audit=0" "apparmor=0" "quiet" ];
-      networking.firewall.enable = false;
-      networking.useDHCP = false;
-    };
+  nodes.client = { pkgs, ... }: {
+    boot.kernelParams = [ "audit=0" "apparmor=0" "quiet" ];
+    networking.firewall.enable = false;
+    networking.useDHCP = false;
 
-  nodes.client =
-    { pkgs, ... }:
-    { imports = [ common ];
-      environment.systemPackages = with pkgs; [ netcat ];
-      services.tor.enable = true;
-      services.tor.client.enable = true;
-      services.tor.settings.ControlPort = 9051;
-    };
+    environment.systemPackages = with pkgs; [ netcat ];
+    services.tor.enable = true;
+    services.tor.client.enable = true;
+    services.tor.settings.ControlPort = 9051;
+  };
 
   testScript = ''
     client.wait_for_unit("tor.service")
diff --git a/nixpkgs/nixos/tests/web-apps/mastodon.nix b/nixpkgs/nixos/tests/web-apps/mastodon.nix
new file mode 100644
index 000000000000..279a1c59169f
--- /dev/null
+++ b/nixpkgs/nixos/tests/web-apps/mastodon.nix
@@ -0,0 +1,170 @@
+import ../make-test-python.nix ({pkgs, ...}:
+let
+  test-certificates = pkgs.runCommandLocal "test-certificates" { } ''
+    mkdir -p $out
+    echo insecure-root-password > $out/root-password-file
+    echo insecure-intermediate-password > $out/intermediate-password-file
+    ${pkgs.step-cli}/bin/step certificate create "Example Root CA" $out/root_ca.crt $out/root_ca.key --password-file=$out/root-password-file --profile root-ca
+    ${pkgs.step-cli}/bin/step certificate create "Example Intermediate CA 1" $out/intermediate_ca.crt $out/intermediate_ca.key --password-file=$out/intermediate-password-file --ca-password-file=$out/root-password-file --profile intermediate-ca --ca $out/root_ca.crt --ca-key $out/root_ca.key
+  '';
+
+  hosts = ''
+    192.168.2.10 ca.local
+    192.168.2.11 mastodon.local
+  '';
+
+in
+{
+  name = "mastodon";
+  meta.maintainers = with pkgs.lib.maintainers; [ erictapen izorkin ];
+
+  nodes = {
+    ca = { pkgs, ... }: {
+      networking = {
+        interfaces.eth1 = {
+          ipv4.addresses = [
+            { address = "192.168.2.10"; prefixLength = 24; }
+          ];
+        };
+        extraHosts = hosts;
+      };
+      services.step-ca = {
+        enable = true;
+        address = "0.0.0.0";
+        port = 8443;
+        openFirewall = true;
+        intermediatePasswordFile = "${test-certificates}/intermediate-password-file";
+        settings = {
+          dnsNames = [ "ca.local" ];
+          root = "${test-certificates}/root_ca.crt";
+          crt = "${test-certificates}/intermediate_ca.crt";
+          key = "${test-certificates}/intermediate_ca.key";
+          db = {
+            type = "badger";
+            dataSource = "/var/lib/step-ca/db";
+          };
+          authority = {
+            provisioners = [
+              {
+                type = "ACME";
+                name = "acme";
+              }
+            ];
+          };
+        };
+      };
+    };
+
+    server = { pkgs, ... }: {
+      networking = {
+        interfaces.eth1 = {
+          ipv4.addresses = [
+            { address = "192.168.2.11"; prefixLength = 24; }
+          ];
+        };
+        extraHosts = hosts;
+        firewall.allowedTCPPorts = [ 80 443 ];
+      };
+
+      security = {
+        acme = {
+          acceptTerms = true;
+          defaults.server = "https://ca.local:8443/acme/acme/directory";
+          defaults.email = "mastodon@mastodon.local";
+        };
+        pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ];
+      };
+
+      services.redis.servers.mastodon = {
+        enable = true;
+        bind = "127.0.0.1";
+        port = 31637;
+      };
+
+      services.mastodon = {
+        enable = true;
+        configureNginx = true;
+        localDomain = "mastodon.local";
+        enableUnixSocket = false;
+        redis = {
+          createLocally = true;
+          host = "127.0.0.1";
+          port = 31637;
+        };
+        database = {
+          createLocally = true;
+          host = "/run/postgresql";
+          port = 5432;
+        };
+        smtp = {
+          createLocally = false;
+          fromAddress = "mastodon@mastodon.local";
+        };
+        extraConfig = {
+          EMAIL_DOMAIN_ALLOWLIST = "example.com";
+        };
+      };
+    };
+
+    client = { pkgs, ... }: {
+      environment.systemPackages = [ pkgs.jq ];
+      networking = {
+        interfaces.eth1 = {
+          ipv4.addresses = [
+            { address = "192.168.2.12"; prefixLength = 24; }
+          ];
+        };
+        extraHosts = hosts;
+      };
+
+      security = {
+        pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ];
+      };
+    };
+  };
+
+  testScript = ''
+    start_all()
+
+    ca.wait_for_unit("step-ca.service")
+    ca.wait_for_open_port(8443)
+
+    server.wait_for_unit("nginx.service")
+    server.wait_for_unit("redis-mastodon.service")
+    server.wait_for_unit("postgresql.service")
+    server.wait_for_unit("mastodon-sidekiq.service")
+    server.wait_for_unit("mastodon-streaming.service")
+    server.wait_for_unit("mastodon-web.service")
+    server.wait_for_open_port(55000)
+    server.wait_for_open_port(55001)
+
+    # Check Mastodon version from remote client
+    client.succeed("curl --fail https://mastodon.local/api/v1/instance | jq -r '.version' | grep '${pkgs.mastodon.version}'")
+
+    # Check using admin CLI
+    # Check Mastodon version
+    server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl version' | grep '${pkgs.mastodon.version}'")
+
+    # Manage accounts
+    server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl email_domain_blocks add example.com'")
+    server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl email_domain_blocks list' | grep 'example.com'")
+    server.fail("su - mastodon -s /bin/sh -c 'mastodon-env tootctl email_domain_blocks list' | grep 'mastodon.local'")
+    server.fail("su - mastodon -s /bin/sh -c 'mastodon-env tootctl accounts create alice --email=alice@example.com'")
+    server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl email_domain_blocks remove example.com'")
+    server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl accounts create bob --email=bob@example.com'")
+    server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl accounts approve bob'")
+    server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl accounts delete bob'")
+
+    # Manage IP access
+    server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl ip_blocks add 192.168.0.0/16 --severity=no_access'")
+    server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl ip_blocks export' | grep '192.168.0.0/16'")
+    server.fail("su - mastodon -s /bin/sh -c 'mastodon-env tootctl p_blocks export' | grep '172.16.0.0/16'")
+    client.fail("curl --fail https://mastodon.local/about")
+    server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl ip_blocks remove 192.168.0.0/16'")
+    client.succeed("curl --fail https://mastodon.local/about")
+
+    ca.shutdown()
+    server.shutdown()
+    client.shutdown()
+  '';
+})
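Review bot: The negative check on line 9702 invokes `tootctl p_blocks export`, a typo for `ip_blocks`, so `server.fail(...)` passes because the subcommand does not exist rather than because 172.16.0.0/16 is absent; it should read `server.fail("su - mastodon -s /bin/sh -c 'mastodon-env tootctl ip_blocks export' | grep '172.16.0.0/16'")`. The same shape applies to the `fail` on line 9692: it holds whenever `email_domain_blocks list` errors, so these negatives only carry weight because each directly follows a succeeding positive on the same command — keep that ordering. The root and intermediate CA key passwords are plain files in the Nix store; acceptable for throwaway test certificates, but a comment on `test-certificates` saying they are disposable would discourage copy-paste into a real step-ca config.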
diff --git a/nixpkgs/nixos/tests/web-apps/peertube.nix b/nixpkgs/nixos/tests/web-apps/peertube.nix
index 38b31f6c3325..706c598338e8 100644
--- a/nixpkgs/nixos/tests/web-apps/peertube.nix
+++ b/nixpkgs/nixos/tests/web-apps/peertube.nix
@@ -120,6 +120,9 @@ import ../make-test-python.nix ({pkgs, ...}:
     # Check if PeerTube is running
     client.succeed("curl --fail http://peertube.local:9000/api/v1/config/about | jq -r '.instance.name' | grep 'PeerTube\ Test\ Server'")
 
+    # Check PeerTube CLI version
+    assert "${pkgs.peertube.version}" in server.succeed('su - peertube -s /bin/sh -c "peertube --version"')
+
     client.shutdown()
     server.shutdown()
     database.shutdown()
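Review bot: The added version check is a substring test, so `"${pkgs.peertube.version}" in …` also passes when the CLI prints a longer string that merely starts with that version (a prerelease suffix, or a later patch level sharing the prefix). If `peertube --version` prints only the bare version, an exact comparison pins it: `assert server.succeed('su - peertube -s /bin/sh -c "peertube --version"').strip() == "${pkgs.peertube.version}"`; I cannot confirm the CLI's output format from the hunk. The enclosing testScript starts outside this hunk.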
diff --git a/nixpkgs/nixos/tests/wine.nix b/nixpkgs/nixos/tests/wine.nix
index cc449864c762..8135cb90a591 100644
--- a/nixpkgs/nixos/tests/wine.nix
+++ b/nixpkgs/nixos/tests/wine.nix
@@ -3,7 +3,7 @@
 }:
 
 let
-  inherit (pkgs.lib) concatMapStrings listToAttrs;
+  inherit (pkgs.lib) concatMapStrings listToAttrs optionals optionalString;
   inherit (import ../lib/testing-python.nix { inherit system pkgs; }) makeTest;
 
   hello32 = "${pkgs.pkgsCross.mingw32.hello}/bin/hello.exe";
@@ -27,6 +27,9 @@ let
               "bash -c 'wine ${exe} 2> >(tee wine-stderr >&2)'"
           )
           assert 'Hello, world!' in greeting
+        ''
+        # only the full version contains Gecko, but the error is not printed reliably in other variants
+        + optionalString (variant == "full") ''
           machine.fail(
               "fgrep 'Could not find Wine Gecko. HTML rendering will be disabled.' wine-stderr"
           )
@@ -37,5 +40,9 @@ let
 
   variants = [ "base" "full" "minimal" "staging" "unstable" "wayland" ];
 
-in listToAttrs (map (makeWineTest "winePackages" [ hello32 ]) variants
-  ++ map (makeWineTest "wineWowPackages" [ hello32 hello64 ]) variants)
+in
+listToAttrs (
+  map (makeWineTest "winePackages" [ hello32 ]) variants
+  ++ optionals pkgs.stdenv.is64bit
+    (map (makeWineTest "wineWowPackages" [ hello32 hello64 ]) variants)
+)
diff --git a/nixpkgs/nixos/tests/without-nix.nix b/nixpkgs/nixos/tests/without-nix.nix
index 2fc00b04144f..b21e9f2844f5 100644
--- a/nixpkgs/nixos/tests/without-nix.nix
+++ b/nixpkgs/nixos/tests/without-nix.nix
@@ -4,14 +4,23 @@ import ./make-test-python.nix ({ lib, ... }: {
     maintainers = [ ericson2314 ];
   };
 
-  nixpkgs.overlays = [
-    (self: super: {
-      nix = throw "don't want to use this";
-    })
-  ];
-
   nodes.machine = { ... }: {
     nix.enable = false;
+    nixpkgs.overlays = [
+      (self: super: {
+        nix = throw "don't want to use pkgs.nix";
+        nixVersions = lib.mapAttrs (k: throw "don't want to use pkgs.nixVersions.${k}") super.nixVersions;
+        # aliases, some deprecated
+        nix_2_3 = throw "don't want to use pkgs.nix_2_3";
+        nix_2_4 = throw "don't want to use pkgs.nix_2_4";
+        nix_2_5 = throw "don't want to use pkgs.nix_2_5";
+        nix_2_6 = throw "don't want to use pkgs.nix_2_6";
+        nixFlakes = throw "don't want to use pkgs.nixFlakes";
+        nixStable = throw "don't want to use pkgs.nixStable";
+        nixUnstable = throw "don't want to use pkgs.nixUnstable";
+        nixStatic = throw "don't want to use pkgs.nixStatic";
+      })
+    ];
   };
 
   testScript = ''
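Review bot: The `nixVersions` override passes a one-argument function to `lib.mapAttrs`, which calls its argument as `f name value`; it still throws on every access only because `throw` fires as soon as `f name` is evaluated, before the second argument is applied, so the line works by accident rather than by contract. The conventional form makes the intent explicit and survives a stricter `mapAttrs`: `nixVersions = lib.mapAttrs (k: _: throw "don't want to use pkgs.nixVersions.${k}") super.nixVersions;`. The list of throwing aliases is a fixed snapshot, so a newly added `pkgs.nix*` alias would not be caught by this test; a short comment saying so next to `# aliases, some deprecated` would tell the next maintainer that the list needs tending.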