Diffstat (limited to 'nixos')
67 files changed, 781 insertions, 160 deletions
diff --git a/nixos/doc/manual/administration/declarative-containers.xml b/nixos/doc/manual/administration/declarative-containers.xml index 2a98fb126231..d03dbc4d7055 100644 --- a/nixos/doc/manual/administration/declarative-containers.xml +++ b/nixos/doc/manual/administration/declarative-containers.xml @@ -15,7 +15,7 @@ containers.database = { config = { config, pkgs, ... }: { <xref linkend="opt-services.postgresql.enable"/> = true; - <xref linkend="opt-services.postgresql.package"/> = pkgs.postgresql96; + <xref linkend="opt-services.postgresql.package"/> = pkgs.postgresql_9_6; }; }; </programlisting> diff --git a/nixos/doc/manual/configuration/config-file.xml b/nixos/doc/manual/configuration/config-file.xml index 8a1a39c98c10..c77cfe137baa 100644 --- a/nixos/doc/manual/configuration/config-file.xml +++ b/nixos/doc/manual/configuration/config-file.xml @@ -197,10 +197,10 @@ swapDevices = [ { device = "/dev/disk/by-label/swap"; } ]; pkgs.emacs ]; -<xref linkend="opt-services.postgresql.package"/> = pkgs.postgresql90; +<xref linkend="opt-services.postgresql.package"/> = pkgs.postgresql_10; </programlisting> The latter option definition changes the default PostgreSQL package used - by NixOS’s PostgreSQL service to 9.0. For more information on packages, + by NixOS’s PostgreSQL service to 10.x. For more information on packages, including how to add new ones, see <xref linkend="sec-custom-packages"/>. </para> </listitem> diff --git a/nixos/doc/manual/configuration/firewall.xml b/nixos/doc/manual/configuration/firewall.xml index b66adcedce6e..47a19ac82c0f 100644 --- a/nixos/doc/manual/configuration/firewall.xml +++ b/nixos/doc/manual/configuration/firewall.xml 
@@ -34,13 +34,4 @@ Similarly, UDP port ranges can be opened through <xref linkend="opt-networking.firewall.allowedUDPPortRanges"/>. </para> - - <para> - Also of interest is -<programlisting> -<xref linkend="opt-networking.firewall.allowPing"/> = true; -</programlisting> - to allow the machine to respond to ping requests. (ICMPv6 pings are always - allowed.) - </para> </section> diff --git a/nixos/doc/manual/release-notes/rl-1809.xml b/nixos/doc/manual/release-notes/rl-1809.xml index 0ddf40acbfcc..8715a05f508b 100644 --- a/nixos/doc/manual/release-notes/rl-1809.xml +++ b/nixos/doc/manual/release-notes/rl-1809.xml @@ -637,6 +637,11 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull' anyways for clarity. </para> </listitem> + <listitem> + <para> + Groups <literal>kvm</literal> and <literal>render</literal> are introduced now, as systemd requires them. + </para> + </listitem> </itemizedlist> </section> diff --git a/nixos/doc/manual/release-notes/rl-1903.xml b/nixos/doc/manual/release-notes/rl-1903.xml index 839d75b53bd1..1d9b6ecc0e2e 100644 --- a/nixos/doc/manual/release-notes/rl-1903.xml +++ b/nixos/doc/manual/release-notes/rl-1903.xml 
@@ -137,6 +137,41 @@ make sure to update your configuration if you want to keep <literal>proglodyte-wasm</literal> </para> </listitem> + <listitem> + <para> + OpenSMTPD has been upgraded to version 6.4.0p1. This release makes + backwards-incompatible changes to the configuration file format. See + <command>man smtpd.conf</command> for more information on the new file + format. + </para> + </listitem> + <listitem> + <para> + The versioned <varname>postgresql</varname> have been renamed to use + underscore number seperators. For example, <varname>postgresql96</varname> + has been renamed to <varname>postgresql_9_6</varname>. + </para> + </listitem> + <listitem> + <para> + Slurm introduces the new option + <literal>services.slurm.stateSaveLocation</literal>, + which is now set to <literal>/var/spool/slurm</literal> by default + (instead of <literal>/var/spool</literal>). + Make sure to move all files to the new directory or to set the option accordingly. + </para> + <para> + The slurmctld now runs as user <literal>slurm</literal> instead of <literal>root</literal>. + If you want to keep slurmctld running as <literal>root</literal>, set + <literal>services.slurm.user = root</literal>. + </para> + <para> + The options <literal>services.slurm.nodeName</literal> and + <literal>services.slurm.partitionName</literal> are now sets of + strings to correctly reflect that fact that each of these + options can occour more than once in the configuration. + </para> + </listitem> </itemizedlist> </section> @@ -155,6 +190,15 @@ Matomo version. </para> </listitem> + <listitem> + <para> + The deprecated <literal>truecrypt</literal> package has been removed + and <literal>truecrypt</literal> attribute is now an alias for + <literal>veracrypt</literal>. VeraCrypt is backward-compatible with + TrueCrypt volumes. Note that <literal>cryptsetup</literal> also + supports loading TrueCrypt volumes. + </para> + </listitem> </itemizedlist> </section> </section> 
diff --git a/nixos/lib/eval-config.nix b/nixos/lib/eval-config.nix index f71e264c3478..5f05b037bdde 100644 --- a/nixos/lib/eval-config.nix +++ b/nixos/lib/eval-config.nix @@ -53,7 +53,8 @@ in rec { inherit prefix check; modules = modules ++ extraModules ++ baseModules ++ [ pkgsModule ]; args = extraArgs; - specialArgs = { modulesPath = ../modules; } // specialArgs; + specialArgs = + { modulesPath = builtins.toString ../modules; } // specialArgs; }) config options; # These are the extra arguments passed to every module. In diff --git a/nixos/lib/test-driver/Machine.pm b/nixos/lib/test-driver/Machine.pm index a00fe25c2b8e..abcc1c50d4d8 100644 --- a/nixos/lib/test-driver/Machine.pm +++ b/nixos/lib/test-driver/Machine.pm @@ -250,7 +250,8 @@ sub connect { $self->start; local $SIG{ALRM} = sub { die "timed out waiting for the VM to connect\n"; }; - alarm 300; + # 50 minutes -- increased as a test, see #49441 + alarm 3000; readline $self->{socket} or die "the VM quit before connecting\n"; alarm 0; diff --git a/nixos/modules/config/networking.nix b/nixos/modules/config/networking.nix index 1ef5313d3fdd..627cce67e97d 100644 --- a/nixos/modules/config/networking.nix +++ b/nixos/modules/config/networking.nix @@ -16,6 +16,13 @@ let resolvconfOptions = cfg.resolvconfOptions ++ optional cfg.dnsSingleRequest "single-request" ++ optional cfg.dnsExtensionMechanism "edns0"; + + + localhostMapped4 = cfg.hosts ? "127.0.0.1" && elem "localhost" cfg.hosts."127.0.0.1"; + localhostMapped6 = cfg.hosts ? "::1" && elem "localhost" cfg.hosts."::1"; + + localhostMultiple = any (elem "localhost") (attrValues (removeAttrs cfg.hosts [ "127.0.0.1" "::1" ])); + in { @@ -23,8 +30,7 @@ in options = { networking.hosts = lib.mkOption { - type = types.attrsOf ( types.listOf types.str ); - default = {}; + type = types.attrsOf (types.listOf types.str); example = literalExample '' { "127.0.0.1" = [ "foo.bar.baz" ]; 
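Review bot: The new `alarm 3000;` in `connect` hard-codes a tenfold timeout increase under a comment that calls it a test, which is exactly the kind of change that outlives its experiment. If the experiment is meant to be reversible, read the value from the environment with the previous value as fallback, e.g. `my $timeout = $ENV{TEST_CONNECT_TIMEOUT} // 300;` (constructed name) followed by `alarm $timeout;`, and keep the `#49441` reference in the comment so the follow-up is findable. The body of `connect` continues outside the hunk, so the `alarm 0;` pairing after `readline` is the only part visible here.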
@@ -192,6 +198,29 @@ in config = { + assertions = [{ + assertion = localhostMapped4; + message = ''`networking.hosts` doesn't map "127.0.0.1" to "localhost"''; + } { + assertion = !cfg.enableIPv6 || localhostMapped6; + message = ''`networking.hosts` doesn't map "::1" to "localhost"''; + } { + assertion = !localhostMultiple; + message = '' + `networking.hosts` maps "localhost" to something other than "127.0.0.1" + or "::1". This will break some applications. Please use + `networking.extraHosts` if you really want to add such a mapping. + ''; + }]; + + networking.hosts = { + "127.0.0.1" = [ "localhost" ]; + } // optionalAttrs (cfg.hostName != "") { + "127.0.1.1" = [ cfg.hostName ]; + } // optionalAttrs cfg.enableIPv6 { + "::1" = [ "localhost" ]; + }; + environment.etc = { # /etc/services: TCP/UDP port assignments. "services".source = pkgs.iana-etc + "/etc/services"; 
@@ -199,29 +228,14 @@ in # /etc/protocols: IP protocol numbers. "protocols".source = pkgs.iana-etc + "/etc/protocols"; - # /etc/rpc: RPC program numbers. - "rpc".source = pkgs.glibc.out + "/etc/rpc"; - # /etc/hosts: Hostname-to-IP mappings. - "hosts".text = - let oneToString = set : ip : ip + " " + concatStringsSep " " ( getAttr ip set ); - allToString = set : concatMapStringsSep "\n" ( oneToString set ) ( attrNames set ); - userLocalHosts = optionalString - ( builtins.hasAttr "127.0.0.1" cfg.hosts ) - ( concatStringsSep " " ( remove "localhost" cfg.hosts."127.0.0.1" )); - userLocalHosts6 = optionalString - ( builtins.hasAttr "::1" cfg.hosts ) - ( concatStringsSep " " ( remove "localhost" cfg.hosts."::1" )); - otherHosts = allToString ( removeAttrs cfg.hosts [ "127.0.0.1" "::1" ]); - in - '' - 127.0.0.1 ${userLocalHosts} localhost - ${optionalString cfg.enableIPv6 '' - ::1 ${userLocalHosts6} localhost - ''} - ${otherHosts} - ${cfg.extraHosts} - ''; + "hosts".text = let + oneToString = set: ip: ip + " " + concatStringsSep " " set.${ip}; + allToString = set: concatMapStringsSep "\n" (oneToString set) (attrNames set); + in '' + ${allToString cfg.hosts} + ${cfg.extraHosts} + ''; # /etc/host.conf: resolver configuration file "host.conf".text = cfg.hostConf; @@ -251,6 +265,9 @@ in "resolv.conf".source = "${pkgs.systemd}/lib/systemd/resolv.conf"; } // optionalAttrs (config.services.resolved.enable && dnsmasqResolve) { "dnsmasq-resolv.conf".source = "/run/systemd/resolve/resolv.conf"; + } // optionalAttrs (pkgs.stdenv.hostPlatform.libc == "glibc") { + # /etc/rpc: RPC program numbers. + "rpc".source = pkgs.glibc.out + "/etc/rpc"; }; networking.proxy.envVars = @@ -296,4 +313,4 @@ in }; - } +} diff --git a/nixos/modules/config/system-path.nix b/nixos/modules/config/system-path.nix index c07e19bd03c4..1793dc628edf 100644 --- a/nixos/modules/config/system-path.nix +++ b/nixos/modules/config/system-path.nix 
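Review bot: The rewritten `"hosts".text` renders an address whose alias list is empty as a line holding only the IP, because `oneToString` appends `concatStringsSep " " []`, which is `""`; with every entry now flowing through `allToString cfg.hosts` that includes the localhost entries too. Passing `filterAttrs (_: names: names != []) cfg.hosts` to `allToString` keeps bare-address lines out of /etc/hosts. Entries are also emitted in `attrNames` order rather than the fixed 127.0.0.1 / ::1 / others order of the removed code; that happens to put "127.0.0.1" before "::1" lexically, but it is worth a one-line comment so nobody relies on it by accident.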
@@ -19,7 +19,9 @@ let pkgs.diffutils pkgs.findutils pkgs.gawk - pkgs.glibc # for ldd, getent + pkgs.stdenv.cc.libc + pkgs.getent + pkgs.getconf pkgs.gnugrep pkgs.gnupatch pkgs.gnused diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 426e1666a814..137ee243813d 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -266,7 +266,7 @@ let (mkIf config.isNormalUser { group = mkDefault "users"; createHome = mkDefault true; - home = mkDefault "/home/${name}"; + home = mkDefault "/home/${config.name}"; useDefaultShell = mkDefault true; isSystemUser = mkDefault false; }) diff --git a/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix b/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix index 3dc0f606bf60..bcdbffdc20b7 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix @@ -7,4 +7,6 @@ imports = [ ./installation-cd-base.nix ]; + + fonts.fontconfig.enable = false; } diff --git a/nixos/modules/installer/virtualbox-demo.nix b/nixos/modules/installer/virtualbox-demo.nix index 8ca3592f3800..2e1b4b3998b5 100644 --- a/nixos/modules/installer/virtualbox-demo.nix +++ b/nixos/modules/installer/virtualbox-demo.nix 
@@ -22,4 +22,42 @@ with lib; powerManagement.enable = false; system.stateVersion = mkDefault "18.03"; + + installer.cloneConfigExtra = '' + # Let demo build as a trusted user. + # nix.trustedUsers = [ "demo" ]; + + # Mount a VirtualBox shared folder. + # This is configurable in the VirtualBox menu at + # Machine / Settings / Shared Folders. + # fileSystems."/mnt" = { + # fsType = "vboxsf"; + # device = "nameofdevicetomount"; + # options = [ "rw" ]; + # }; + + # By default, the NixOS VirtualBox demo image includes SDDM and Plasma. + # If you prefer another desktop manager or display manager, you may want + # to disable the default. + # services.xserver.desktopManager.plasma5.enable = lib.mkForce false; + # services.xserver.displayManager.sddm.enable = lib.mkForce false; + + # Enable GDM/GNOME by uncommenting above two lines and two lines below. + # services.xserver.displayManager.gdm.enable = true; + # services.xserver.desktopManager.gnome3.enable = true; + + # Set your time zone. + # time.timeZone = "Europe/Amsterdam"; + + # List packages installed in system profile. To search, run: + # \$ nix search wget + # environment.systemPackages = with pkgs; [ + # wget vim + # ]; + + # Enable the OpenSSH daemon. + # services.openssh.enable = true; + + system.stateVersion = mkDefault "18.03"; + ''; } diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 5c30e512a1b3..16737efb1856 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -331,6 +331,8 @@ zeronet = 304; lirc = 305; lidarr = 306; + slurm = 307; + kapacitor = 308; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -622,6 +624,8 @@ zeronet = 304; lirc = 305; lidarr = 306; + slurm = 307; + kapacitor = 308; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal 
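Review bot: In `installer.cloneConfigExtra` the line `# \$ nix search wget` most likely ends up in the cloned configuration.nix with the backslash intact, since a Nix `''` string does not treat `\` as an escape and a `$` followed by a space never opens an interpolation; `# $ nix search wget` is what is intended. The text also uses `mkDefault` unqualified in `system.stateVersion = mkDefault "18.03";`, which only evaluates if the clone template brings `lib` into scope — confirm against the template in clone-config.nix, otherwise write it as `lib.mkDefault` like the `lib.mkForce` examples a few lines above.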
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index bd921f230bd0..37e90232da2a 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -126,6 +126,7 @@ ./programs/udevil.nix ./programs/venus.nix ./programs/vim.nix + ./programs/wavemon.nix ./programs/way-cooler.nix ./programs/wireshark.nix ./programs/xfs_quota.nix @@ -432,6 +433,7 @@ ./services/monitoring/hdaps.nix ./services/monitoring/heapster.nix ./services/monitoring/incron.nix + ./services/monitoring/kapacitor.nix ./services/monitoring/longview.nix ./services/monitoring/monit.nix ./services/monitoring/munin.nix diff --git a/nixos/modules/profiles/base.nix b/nixos/modules/profiles/base.nix index 5aaffa4f1f2a..7e14b0e21143 100644 --- a/nixos/modules/profiles/base.nix +++ b/nixos/modules/profiles/base.nix @@ -7,7 +7,7 @@ # Include some utilities that are useful for installing or repairing # the system. environment.systemPackages = [ - pkgs.w3m-nox # needed for the manual anyway + pkgs.w3m-nographics # needed for the manual anyway pkgs.testdisk # useful for repairing boot problems pkgs.ms-sys # for writing Microsoft boot sectors / MBRs pkgs.efibootmgr @@ -19,6 +19,9 @@ pkgs.cryptsetup # needed for dm-crypt volumes pkgs.mkpasswd # for generating password files + # Some text editors. + pkgs.vim + # Some networking tools. pkgs.fuse pkgs.fuse3 diff --git a/nixos/modules/profiles/clone-config.nix b/nixos/modules/profiles/clone-config.nix index 99d4774584f1..3f669ba7d2e1 100644 --- a/nixos/modules/profiles/clone-config.nix +++ b/nixos/modules/profiles/clone-config.nix @@ -48,6 +48,8 @@ let { imports = [ ${toString config.installer.cloneConfigIncludes} ]; + + ${config.installer.cloneConfigExtra} } ''; @@ -73,6 +75,13 @@ in ''; }; + installer.cloneConfigExtra = mkOption { + default = ""; + description = '' + Extra text to include in the cloned configuration.nix included in this + installer. + ''; + }; }; config = { 
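Review bot: The new `installer.cloneConfigExtra` option in clone-config.nix declares `default` and `description` but no `type`, so several definitions of it would not merge and the manual cannot show what it accepts. Since its value is spliced verbatim into the generated file, `type = types.lines;` is the matching declaration; the surrounding `installer.*` options in this file should then be checked for the same omission.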
diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix index d51ed195580d..580ea4a58e5b 100644 --- a/nixos/modules/profiles/installation-device.nix +++ b/nixos/modules/profiles/installation-device.nix @@ -63,7 +63,7 @@ with lib; # Tell the Nix evaluator to garbage collect more aggressively. # This is desirable in memory-constrained environments that don't # (yet) have swap set up. - environment.variables.GC_INITIAL_HEAP_SIZE = "100000"; + environment.variables.GC_INITIAL_HEAP_SIZE = "1M"; # Make the installer more likely to succeed in low memory # environments. The kernel's overcommit heustistics bite us @@ -87,9 +87,6 @@ with lib; # console less cumbersome if the machine has a public IP. networking.firewall.logRefusedConnections = mkDefault false; - environment.systemPackages = [ pkgs.vim ]; - - # Allow the user to log in as root without a password. users.users.root.initialHashedPassword = ""; }; diff --git a/nixos/modules/programs/shell.nix b/nixos/modules/programs/shell.nix index 6aa0262e3a4c..9842e2bef643 100644 --- a/nixos/modules/programs/shell.nix +++ b/nixos/modules/programs/shell.nix @@ -13,7 +13,7 @@ with lib; # Set up the per-user profile. mkdir -m 0755 -p "$NIX_USER_PROFILE_DIR" if [ "$(stat --printf '%u' "$NIX_USER_PROFILE_DIR")" != "$(id -u)" ]; then - echo "WARNING: bad ownership on $NIX_USER_PROFILE_DIR, should be $(id -u)" >&2 + echo "WARNING: the per-user profile dir $NIX_USER_PROFILE_DIR should belong to user id $(id -u)" >&2 fi if [ -w "$HOME" ]; then 
@@ -35,7 +35,7 @@ with lib; NIX_USER_GCROOTS_DIR="/nix/var/nix/gcroots/per-user/$USER" mkdir -m 0755 -p "$NIX_USER_GCROOTS_DIR" if [ "$(stat --printf '%u' "$NIX_USER_GCROOTS_DIR")" != "$(id -u)" ]; then - echo "WARNING: bad ownership on $NIX_USER_GCROOTS_DIR, should be $(id -u)" >&2 + echo "WARNING: the per-user gcroots dir $NIX_USER_GCROOTS_DIR should belong to user id $(id -u)" >&2 fi # Set up a default Nix expression from which to install stuff. diff --git a/nixos/modules/programs/wavemon.nix b/nixos/modules/programs/wavemon.nix new file mode 100644 index 000000000000..ac665fe4a023 --- /dev/null +++ b/nixos/modules/programs/wavemon.nix @@ -0,0 +1,28 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.programs.wavemon; +in { + options = { + programs.wavemon = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to add wavemon to the global environment and configure a + setcap wrapper for it. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [ wavemon ]; + security.wrappers.wavemon = { + source = "${pkgs.wavemon}/bin/wavemon"; + capabilities = "cap_net_admin+ep"; + }; + }; +} diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index eb74b9bcac12..aa2b5c0b2dfb 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix 
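Review bot: The new wavemon module creates a `security.wrappers` entry with `capabilities = "cap_net_admin+ep"` and leaves the wrapper's owner, group and permissions at their defaults, so every local account that can execute the wrapper gains CAP_NET_ADMIN while running it, and the option description does not mention that. Add a sentence to the `enable` description such as `The wrapper grants CAP_NET_ADMIN to any user who can run it; restrict access with the wrapper's owner, group and permissions settings if that is not wanted.` and consider setting those attributes here to a dedicated group. The `with pkgs; [ wavemon ]` could simply be `[ pkgs.wavemon ]`, matching how `source` already references the package.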
@@ -28,7 +28,10 @@ with lib; (config: let enabled = getAttrFromPath [ "services" "printing" "gutenprint" ] config; in if enabled then [ pkgs.gutenprint ] else [ ])) - (mkRenamedOptionModule [ "services" "ddclient" "domain" ] [ "services" "ddclient" "domains" ]) + (mkChangedOptionModule [ "services" "ddclient" "domain" ] [ "services" "ddclient" "domains" ] + (config: + let value = getAttrFromPath [ "services" "ddclient" "domain" ] config; + in if value != "" then [ value ] else [])) (mkRemovedOptionModule [ "services" "ddclient" "homeDir" ] "") (mkRenamedOptionModule [ "services" "elasticsearch" "host" ] [ "services" "elasticsearch" "listenAddress" ]) (mkRenamedOptionModule [ "services" "graphite" "api" "host" ] [ "services" "graphite" "api" "listenAddress" ]) diff --git a/nixos/modules/security/apparmor-suid.nix b/nixos/modules/security/apparmor-suid.nix index dfbf5d859ba9..498c2f25d1c0 100644 --- a/nixos/modules/security/apparmor-suid.nix +++ b/nixos/modules/security/apparmor-suid.nix @@ -28,7 +28,7 @@ with lib; capability setuid, network inet raw, - ${pkgs.glibc.out}/lib/*.so mr, + ${pkgs.stdenv.cc.libc.out}/lib/*.so mr, ${pkgs.libcap.lib}/lib/libcap.so* mr, ${pkgs.attr.out}/lib/libattr.so* mr, diff --git a/nixos/modules/security/dhparams.nix b/nixos/modules/security/dhparams.nix index e2b84c3e3b38..62a499ea624d 100644 --- a/nixos/modules/security/dhparams.nix +++ b/nixos/modules/security/dhparams.nix @@ -170,4 +170,6 @@ in { ''; }) cfg.params; }; + + meta.maintainers = with lib.maintainers; [ ekleog ]; } diff --git a/nixos/modules/security/rngd.nix b/nixos/modules/security/rngd.nix index 81e04a44b115..63e00b548120 100644 --- a/nixos/modules/security/rngd.nix +++ b/nixos/modules/security/rngd.nix 
@@ -20,7 +20,6 @@ with lib; KERNEL=="random", TAG+="systemd" SUBSYSTEM=="cpu", ENV{MODALIAS}=="cpu:type:x86,*feature:*009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service" KERNEL=="hw_random", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service" - ${if config.services.tcsd.enable then "" else ''KERNEL=="tpm0", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"''} ''; systemd.services.rngd = { @@ -30,8 +29,7 @@ with lib; description = "Hardware RNG Entropy Gatherer Daemon"; - serviceConfig.ExecStart = "${pkgs.rng-tools}/sbin/rngd -f -v" + - (if config.services.tcsd.enable then " --no-tpm=1" else ""); + serviceConfig.ExecStart = "${pkgs.rng-tools}/sbin/rngd -f -v"; }; }; } diff --git a/nixos/modules/services/admin/salt/master.nix b/nixos/modules/services/admin/salt/master.nix index 165580b97837..c6b1b0cc0bd8 100644 --- a/nixos/modules/services/admin/salt/master.nix +++ b/nixos/modules/services/admin/salt/master.nix @@ -53,6 +53,9 @@ in Type = "notify"; NotifyAccess = "all"; }; + restartTriggers = [ + config.environment.etc."salt/master".source + ]; }; }; diff --git a/nixos/modules/services/admin/salt/minion.nix b/nixos/modules/services/admin/salt/minion.nix index 9ecefb32cfa8..c8fa9461a209 100644 --- a/nixos/modules/services/admin/salt/minion.nix +++ b/nixos/modules/services/admin/salt/minion.nix @@ -15,7 +15,6 @@ let # Default is in /etc/salt/pki/minion pki_dir = "/var/lib/salt/pki/minion"; } cfg.configuration; - configDir = pkgs.writeTextDir "minion" (builtins.toJSON fullConfig); in 
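Review bot: Both rngd.nix hunks drop the TPM wiring (the `tpm0` udev rule and the `--no-tpm=1` switch that depended on `services.tcsd.enable`) without leaving a note on why, so a later reader cannot tell whether TPM entropy is now used unconditionally or not at all. If this tracks the rng-tools version in the tree no longer accepting `--no-tpm`, a comment above `serviceConfig.ExecStart` such as `# TPM handling was removed from rng-tools; tcsd no longer needs to be coordinated here` records that, and the tcsd module should be checked for any remaining reference to rngd.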
@@ -28,15 +27,24 @@ in default = {}; description = '' Salt minion configuration as Nix attribute set. - See <link xlink:href="https://docs.saltstack.com/en/latest/ref/configuration/minion.html"/> - for details. + See <link xlink:href="https://docs.saltstack.com/en/latest/ref/configuration/minion.html"/> + for details. ''; }; }; }; config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ salt ]; + environment = { + # Set this up in /etc/salt/minion so `salt-call`, etc. work. + # The alternatives are + # - passing --config-dir to all salt commands, not just the minion unit, + # - setting aglobal environment variable. + etc."salt/minion".source = pkgs.writeText "minion" ( + builtins.toJSON fullConfig + ); + systemPackages = with pkgs; [ salt ]; + }; systemd.services.salt-minion = { description = "Salt Minion"; wantedBy = [ "multi-user.target" ]; @@ -45,11 +53,14 @@ in utillinux ]; serviceConfig = { - ExecStart = "${pkgs.salt}/bin/salt-minion --config-dir=${configDir}"; + ExecStart = "${pkgs.salt}/bin/salt-minion"; LimitNOFILE = 8192; Type = "notify"; NotifyAccess = "all"; }; + restartTriggers = [ + config.environment.etc."salt/minion".source + ]; }; }; } diff --git a/nixos/modules/services/computing/slurm/slurm.nix b/nixos/modules/services/computing/slurm/slurm.nix index 09174ed39f5e..cd481212db2d 100644 --- a/nixos/modules/services/computing/slurm/slurm.nix +++ b/nixos/modules/services/computing/slurm/slurm.nix 
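Review bot: The comment block introduced above `etc."salt/minion".source` has a typo in its last bullet; it should read `# - setting a global environment variable.` The second hunk removes `--config-dir` from `ExecStart`, so the unit now silently depends on the `/etc/salt/minion` entry defined a few lines earlier; a short comment at `ExecStart` saying that the minion picks its configuration up from `/etc/salt/minion` keeps the two halves of the change tied together. The first hunk's only other change is reindenting the `<link>` in the description, which is fine.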
@@ -6,13 +6,18 @@ let cfg = config.services.slurm; # configuration file can be generated by http://slurm.schedmd.com/configurator.html + + defaultUser = "slurm"; + configFile = pkgs.writeTextDir "slurm.conf" '' ClusterName=${cfg.clusterName} + StateSaveLocation=${cfg.stateSaveLocation} + SlurmUser=${cfg.user} ${optionalString (cfg.controlMachine != null) ''controlMachine=${cfg.controlMachine}''} ${optionalString (cfg.controlAddr != null) ''controlAddr=${cfg.controlAddr}''} - ${optionalString (cfg.nodeName != null) ''nodeName=${cfg.nodeName}''} - ${optionalString (cfg.partitionName != null) ''partitionName=${cfg.partitionName}''} + ${toString (map (x: "NodeName=${x}\n") cfg.nodeName)} + ${toString (map (x: "PartitionName=${x}\n") cfg.partitionName)} PlugStackConfig=${plugStackConfig} ProctrackType=${cfg.procTrackType} ${cfg.extraConfig} @@ -24,12 +29,19 @@ let ${cfg.extraPlugstackConfig} ''; - cgroupConfig = pkgs.writeTextDir "cgroup.conf" '' ${cfg.extraCgroupConfig} ''; + slurmdbdConf = pkgs.writeTextDir "slurmdbd.conf" + '' + DbdHost=${cfg.dbdserver.dbdHost} + SlurmUser=${cfg.user} + StorageType=accounting_storage/mysql + ${cfg.dbdserver.extraConfig} + ''; + # slurm expects some additional config files to be # in the same directory as slurm.conf etcSlurm = pkgs.symlinkJoin { @@ -43,6 +55,8 @@ in ###### interface + meta.maintainers = [ maintainers.markuskowa ]; + options = { services.slurm = { @@ -60,6 +74,27 @@ in }; }; + dbdserver = { + enable = mkEnableOption "SlurmDBD service"; + + dbdHost = mkOption { + type = types.str; + default = config.networking.hostName; + description = '' + Hostname of the machine where <literal>slurmdbd</literal> + is running (i.e. name returned by <literal>hostname -s</literal>). + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra configuration for <literal>slurmdbd.conf</literal> + ''; + }; + }; + client = { enable = mkEnableOption "slurm client daemon"; }; 
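Review bot: `slurmdbdConf` is written with `pkgs.writeTextDir` into the world-readable Nix store, and with `StorageType=accounting_storage/mysql` hard-coded, `cfg.dbdserver.extraConfig` is the only place a deployer could put the database password that slurmdbd needs — which would then be readable by every local user. The `dbdserver.extraConfig` description should say so explicitly, e.g. `This text ends up in the Nix store and is readable by all users; do not put StoragePass or other secrets here.` Slurm itself may also reject a slurmdbd.conf that is world-readable, so a pointer to how credentials are expected to be supplied would save the first user a debugging session; I cannot confirm that check from the hunk alone.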
@@ -116,9 +151,9 @@ in }; nodeName = mkOption { - type = types.nullOr types.str; - default = null; - example = "linux[1-32] CPUs=1 State=UNKNOWN"; + type = types.listOf types.str; + default = []; + example = literalExample ''[ "linux[1-32] CPUs=1 State=UNKNOWN" ];''; description = '' Name that SLURM uses to refer to a node (or base partition for BlueGene systems). Typically this would be the string that "/bin/hostname -s" @@ -127,9 +162,9 @@ in }; partitionName = mkOption { - type = types.nullOr types.str; - default = null; - example = "debug Nodes=linux[1-32] Default=YES MaxTime=INFINITE State=UP"; + type = types.listOf types.str; + default = []; + example = literalExample ''[ "debug Nodes=linux[1-32] Default=YES MaxTime=INFINITE State=UP" ];''; description = '' Name by which the partition may be referenced. Note that now you have to write the partition's parameters after the name. @@ -150,7 +185,7 @@ in }; procTrackType = mkOption { - type = types.string; + type = types.str; default = "proctrack/linuxproc"; description = '' Plugin to be used for process tracking on a job step basis. @@ -159,6 +194,25 @@ in ''; }; + stateSaveLocation = mkOption { + type = types.str; + default = "/var/spool/slurmctld"; + description = '' + Directory into which the Slurm controller, slurmctld, saves its state. + ''; + }; + + user = mkOption { + type = types.str; + default = defaultUser; + description = '' + Set this option when you want to run the slurmctld daemon + as something else than the default slurm user "slurm". + Note that the UID of this user needs to be the same + on all nodes. + ''; + }; + extraConfig = mkOption { default = ""; type = types.lines; @@ -184,6 +238,8 @@ in used when <literal>procTrackType=proctrack/cgroup</literal>. ''; }; + + }; }; 
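Review bot: The new `stateSaveLocation` option defaults to `/var/spool/slurmctld`, but the release-notes entry added by this same commit in rl-1903.xml tells users the default is `/var/spool/slurm`; one of the two must change before release, and the note's instruction to move existing files makes the mismatch costly. Separately, the `literalExample` strings for `nodeName` and `partitionName` carry a trailing `;` inside the quoted value, which renders as part of the example expression; dropping it, `literalExample ''[ "linux[1-32] CPUs=1 State=UNKNOWN" ]''`, matches how other list examples in the module tree read.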
@@ -220,12 +276,24 @@ in ''; }; - in mkIf (cfg.enableStools || cfg.client.enable || cfg.server.enable) { + in mkIf ( cfg.enableStools || + cfg.client.enable || + cfg.server.enable || + cfg.dbdserver.enable ) { environment.systemPackages = [ wrappedSlurm ]; services.munge.enable = mkDefault true; + # use a static uid as default to ensure it is the same on all nodes + users.users.slurm = mkIf (cfg.user == defaultUser) { + name = defaultUser; + group = "slurm"; + uid = config.ids.uids.slurm; + }; + + users.groups.slurm.gid = config.ids.uids.slurm; + systemd.services.slurmd = mkIf (cfg.client.enable) { path = with pkgs; [ wrappedSlurm coreutils ] ++ lib.optional cfg.enableSrunX11 slurm-spank-x11; @@ -261,6 +329,29 @@ in PIDFile = "/run/slurmctld.pid"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; }; + + preStart = '' + mkdir -p ${cfg.stateSaveLocation} + chown -R ${cfg.user}:slurm ${cfg.stateSaveLocation} + ''; + }; + + systemd.services.slurmdbd = mkIf (cfg.dbdserver.enable) { + path = with pkgs; [ wrappedSlurm munge coreutils ]; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "munged.service" "mysql.service" ]; + requires = [ "munged.service" "mysql.service" ]; + + # slurm strips the last component off the path + environment.SLURM_CONF = "${slurmdbdConf}/slurm.conf"; + + serviceConfig = { + Type = "forking"; + ExecStart = "${cfg.package}/bin/slurmdbd"; + PIDFile = "/run/slurmdbd.pid"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + }; }; }; diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index de2a757196a5..6edb1503c233 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -55,7 +55,7 @@ in package = mkOption { type = types.package; - example = literalExample "pkgs.postgresql96"; + example = literalExample "pkgs.postgresql_9_6"; description = '' PostgreSQL package to use. ''; 
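Review bot: `users.groups.slurm.gid = config.ids.uids.slurm;` takes the group id from the uid table; it works only because ids.nix in this commit adds `slurm = 307;` to both tables, and should read `config.ids.gids.slurm` so the two can diverge without silently breaking the "same id on all nodes" intent stated in the comment above it. The group is also created unconditionally while the user is created only when `cfg.user == defaultUser`, so the `preStart` `chown -R ${cfg.user}:slurm ${cfg.stateSaveLocation}` still assumes a `slurm` group exists when a custom user is configured; that is consistent but worth a line in the `user` option description. Running `mkdir -p` and a recursive `chown` as root on an operator-supplied path in `preStart` is the usual pattern here, but if the location stays under /var it could be replaced by the unit's directory-management settings so ownership is not reapplied on every start.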
@@ -118,7 +118,7 @@ in extraPlugins = mkOption { type = types.listOf types.path; default = []; - example = literalExample "[ (pkgs.postgis.override { postgresql = pkgs.postgresql94; }) ]"; + example = literalExample "[ (pkgs.postgis.override { postgresql = pkgs.postgresql_9_4; }) ]"; description = '' When this list contains elements a new store path is created. PostgreSQL and the elements are symlinked into it. Then pg_config, @@ -167,9 +167,9 @@ in # Note: when changing the default, make it conditional on # ‘system.stateVersion’ to maintain compatibility with existing # systems! - mkDefault (if versionAtLeast config.system.stateVersion "17.09" then pkgs.postgresql96 - else if versionAtLeast config.system.stateVersion "16.03" then pkgs.postgresql95 - else pkgs.postgresql94); + mkDefault (if versionAtLeast config.system.stateVersion "17.09" then pkgs.postgresql_9_6 + else if versionAtLeast config.system.stateVersion "16.03" then pkgs.postgresql_9_5 + else pkgs.postgresql_9_4); services.postgresql.dataDir = mkDefault (if versionAtLeast config.system.stateVersion "17.09" then "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}" diff --git a/nixos/modules/services/databases/postgresql.xml b/nixos/modules/services/databases/postgresql.xml index f89f0d653164..14f4d4909bc0 100644 --- a/nixos/modules/services/databases/postgresql.xml +++ b/nixos/modules/services/databases/postgresql.xml 
@@ -27,12 +27,12 @@ <filename>configuration.nix</filename>: <programlisting> <xref linkend="opt-services.postgresql.enable"/> = true; -<xref linkend="opt-services.postgresql.package"/> = pkgs.postgresql94; +<xref linkend="opt-services.postgresql.package"/> = pkgs.postgresql_9_4; </programlisting> Note that you are required to specify the desired version of PostgreSQL - (e.g. <literal>pkgs.postgresql94</literal>). Since upgrading your PostgreSQL - version requires a database dump and reload (see below), NixOS cannot - provide a default value for + (e.g. <literal>pkgs.postgresql_9_4</literal>). Since upgrading your + PostgreSQL version requires a database dump and reload (see below), NixOS + cannot provide a default value for <xref linkend="opt-services.postgresql.package"/> such as the most recent release of PostgreSQL. </para> diff --git a/nixos/modules/services/hardware/trezord.nix b/nixos/modules/services/hardware/trezord.nix index dfefc1171e62..c06a0665d02f 100644 --- a/nixos/modules/services/hardware/trezord.nix +++ b/nixos/modules/services/hardware/trezord.nix 
@@ -27,13 +27,13 @@ in { destination = "/etc/udev/rules.d/51-trezor.rules"; text = '' # TREZOR v1 (One) - SUBSYSTEM=="usb", ATTR{idVendor}=="534c", ATTR{idProduct}=="0001", MODE="0666", GROUP="dialout", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n" - KERNEL=="hidraw*", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", MODE="0666", GROUP="dialout", TAG+="uaccess", TAG+="udev-acl" + SUBSYSTEM=="usb", ATTR{idVendor}=="534c", ATTR{idProduct}=="0001", MODE="0660", GROUP="trezord", TAG+="uaccess", SYMLINK+="trezor%n" + KERNEL=="hidraw*", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", MODE="0660", GROUP="trezord", TAG+="uaccess" # TREZOR v2 (T) - SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c0", MODE="0661", GROUP="dialout", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n" - SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c1", MODE="0666", GROUP="dialout", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n" - KERNEL=="hidraw*", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="53c1", MODE="0666", GROUP="dialout", TAG+="uaccess", TAG+="udev-acl" + SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c0", MODE="0660", GROUP="trezord", TAG+="uaccess", SYMLINK+="trezor%n" + SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c1", MODE="0660", GROUP="trezord", TAG+="uaccess", SYMLINK+="trezor%n" + KERNEL=="hidraw*", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="53c1", MODE="0660", GROUP="trezord", TAG+="uaccess" ''; }); diff --git a/nixos/modules/services/hardware/upower.nix b/nixos/modules/services/hardware/upower.nix index 2198842a4511..1da47349c077 100644 --- a/nixos/modules/services/hardware/upower.nix +++ b/nixos/modules/services/hardware/upower.nix 
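Review bot: The rewritten rules set `GROUP="trezord"` on every device node, but nothing in this hunk declares that group; unless `users.groups.trezord` is defined elsewhere in trezord.nix, udev will not be able to resolve the name and the node falls back to root ownership, which with `MODE="0660"` makes the device unreachable for the daemon. Please confirm the group declaration in the part of the module outside the hunk, and add a comment above the rules such as `# Device nodes belong to the trezord group; logged-in seat users still get access through the uaccess ACL tag` so the remaining `TAG+="uaccess"` is understood as intentional. The change from `0666` (and the stray `0661`) to `0660` without `udev-acl` is the right direction.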
@@ -56,6 +56,32 @@ in {
 Type = "dbus";
 BusName = "org.freedesktop.UPower";
 ExecStart = "@${cfg.package}/libexec/upowerd upowerd";
+ Restart = "on-failure";
+ # Upstream lockdown:
+ # Filesystem lockdown
+ ProtectSystem = "strict";
+ # Needed by keyboard backlight support
+ ProtectKernelTunables = false;
+ ProtectControlGroups = true;
+ ReadWritePaths = "/var/lib/upower";
+ ProtectHome = true;
+ PrivateTmp = true;
+
+ # Network
+ # PrivateNetwork=true would block udev's netlink socket
+ RestrictAddressFamilies = "AF_UNIX AF_NETLINK";
+
+ # Execute Mappings
+ MemoryDenyWriteExecute = true;
+
+ # Modules
+ ProtectKernelModules = true;
+
+ # Real-time
+ RestrictRealtime = true;
+
+ # Privilege escalation
+ NoNewPrivileges = true;
 };
 };
diff --git a/nixos/modules/services/mail/clamsmtp.nix b/nixos/modules/services/mail/clamsmtp.nix
index 8f4f39aa7288..fc1267c5d280 100644
--- a/nixos/modules/services/mail/clamsmtp.nix
+++ b/nixos/modules/services/mail/clamsmtp.nix
@@ -176,4 +176,6 @@ in
 } ) cfg.instances);
 };
+
+ meta.maintainers = with lib.maintainers; [ ekleog ];
 }
diff --git a/nixos/modules/services/mail/dkimproxy-out.nix b/nixos/modules/services/mail/dkimproxy-out.nix
index 894b88e25c1b..f4ac9e47007a 100644
--- a/nixos/modules/services/mail/dkimproxy-out.nix
+++ b/nixos/modules/services/mail/dkimproxy-out.nix
@@ -115,4 +115,6 @@ in
 };
 };
 };
+
+ meta.maintainers = with lib.maintainers; [ ekleog ];
 }
diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix
index 0756e81612ac..2e9aa33aeeee 100644
--- a/nixos/modules/services/misc/home-assistant.nix
+++ b/nixos/modules/services/misc/home-assistant.nix
@@ -157,6 +157,7 @@ in {
 Restart = "on-failure";
 ProtectSystem = "strict";
 ReadWritePaths = "${cfg.configDir}";
+ KillSignal = "SIGINT";
 PrivateTmp = true;
 RemoveIPC = true;
 };
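Review bot: `ReadWritePaths = "/var/lib/upower"` hard-codes the state path and nothing in the hunk ensures the directory exists, which now matters because `ProtectSystem = "strict"` makes the rest of the filesystem read-only for the daemon; `StateDirectory = "upower";` creates the directory with the right ownership and implies the same write grant, and it is the form the ddclient hunk on this page already uses. If the directory is created elsewhere in the module (outside this hunk), a comment next to `ReadWritePaths` saying so would avoid the question. `ProtectKernelTunables = false` is fine as written since its comment explains why it is left open. The enclosing `serviceConfig` block starts outside the hunk.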
diff --git a/nixos/modules/services/monitoring/kapacitor.nix b/nixos/modules/services/monitoring/kapacitor.nix new file mode 100644 index 000000000000..1de0a8d5af2f --- /dev/null +++ b/nixos/modules/services/monitoring/kapacitor.nix 
@@ -0,0 +1,154 @@ +{ options, config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.kapacitor; + + kapacitorConf = pkgs.writeTextFile { + name = "kapacitord.conf"; + text = '' + hostname="${config.networking.hostName}" + data_dir="${cfg.dataDir}" + + [http] + bind-address = "${cfg.bind}:${toString cfg.port}" + log-enabled = false + auth-enabled = false + + [task] + dir = "${cfg.dataDir}/tasks" + snapshot-interval = "${cfg.taskSnapshotInterval}" + + [replay] + dir = "${cfg.dataDir}/replay" + + [storage] + boltdb = "${cfg.dataDir}/kapacitor.db" + + ${optionalString (cfg.loadDirectory != null) '' + [load] + enabled = true + dir = "${cfg.loadDirectory}" + ''} + + ${optionalString (cfg.defaultDatabase.enable) '' + [[influxdb]] + name = "default" + enabled = true + default = true + urls = [ "${cfg.defaultDatabase.url}" ] + username = "${cfg.defaultDatabase.username}" + password = "${cfg.defaultDatabase.password}" + ''} + + ${cfg.extraConfig} + ''; + }; +in +{ + options.services.kapacitor = { + enable = mkEnableOption "kapacitor"; + + dataDir = mkOption { + type = types.path; + example = "/var/lib/kapacitor"; + default = "/var/lib/kapacitor"; + description = "Location where Kapacitor stores its state"; + }; + + port = mkOption { + type = types.int; + default = 9092; + description = "Port of Kapacitor"; + }; + + bind = mkOption { + type = types.str; + default = ""; + example = literalExample "0.0.0.0"; + description = "Address to bind to. 
The default is to bind to all addresses"; + }; + + extraConfig = mkOption { + description = "These lines go into kapacitord.conf verbatim."; + default = ""; + type = types.lines; + }; + + user = mkOption { + type = types.str; + default = "kapacitor"; + description = "User account under which Kapacitor runs"; + }; + + group = mkOption { + type = types.str; + default = "kapacitor"; + description = "Group under which Kapacitor runs"; + }; + + taskSnapshotInterval = mkOption { + type = types.str; + description = "Specifies how often to snapshot the task state (in InfluxDB time units)"; + default = "1m0s"; + example = "1m0s"; + }; + + loadDirectory = mkOption { + type = types.nullOr types.path; + description = "Directory where to load services from, such as tasks, templates and handlers (or null to disable service loading on startup)"; + default = null; + }; + + defaultDatabase = { + enable = mkEnableOption "kapacitor.defaultDatabase"; + + url = mkOption { + description = "The URL to an InfluxDB server that serves as the default database"; + example = "http://localhost:8086"; + type = types.string; + }; + + username = mkOption { + description = "The username to connect to the remote InfluxDB server"; + type = types.string; + }; + + password = mkOption { + description = "The password to connect to the remote InfluxDB server"; + type = types.string; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.kapacitor ]; + + systemd.services.kapacitor = { + description = "Kapacitor Real-Time Stream Processing Engine"; + wantedBy = [ "multi-user.target" ]; + after = [ "networking.target" ]; + serviceConfig = { + ExecStart = "${pkgs.kapacitor}/bin/kapacitord -config ${kapacitorConf}"; + User = "kapacitor"; + Group = "kapacitor"; + PermissionsStartOnly = true; + }; + preStart = '' + mkdir -p ${cfg.dataDir} + chown ${cfg.user}:${cfg.group} ${cfg.dataDir} + ''; + }; + + users.users.kapacitor = { + uid = config.ids.uids.kapacitor; + description = 
"Kapacitor user"; + home = cfg.dataDir; + }; + + users.groups.kapacitor = { + gid = config.ids.gids.kapacitor; + }; + }; +} diff --git a/nixos/modules/services/networking/bitlbee.nix b/nixos/modules/services/networking/bitlbee.nix index 46e3b7457610..274b36171608 100644 --- a/nixos/modules/services/networking/bitlbee.nix +++ b/nixos/modules/services/networking/bitlbee.nix @@ -33,7 +33,7 @@ let purple_plugin_path = lib.concatMapStringsSep ":" - (plugin: "${plugin}/lib/pidgin/") + (plugin: "${plugin}/lib/pidgin/:${plugin}/lib/purple-2/") cfg.libpurple_plugins ; diff --git a/nixos/modules/services/networking/ddclient.nix b/nixos/modules/services/networking/ddclient.nix index 9a2e13e9553c..a70967820b32 100644 --- a/nixos/modules/services/networking/ddclient.nix +++ b/nixos/modules/services/networking/ddclient.nix @@ -182,9 +182,10 @@ with lib; serviceConfig = rec { DynamicUser = true; RuntimeDirectory = StateDirectory; + RuntimeDirectoryMode = "0750"; StateDirectory = builtins.baseNameOf dataDir; Type = "oneshot"; - ExecStartPre = "!${lib.getBin pkgs.coreutils}/bin/install -m666 ${cfg.configFile} /run/${RuntimeDirectory}/ddclient.conf"; + ExecStartPre = "!${lib.getBin pkgs.coreutils}/bin/install -m660 ${cfg.configFile} /run/${RuntimeDirectory}/ddclient.conf"; ExecStart = "${lib.getBin pkgs.ddclient}/bin/ddclient -file /run/${RuntimeDirectory}/ddclient.conf"; }; }; diff --git a/nixos/modules/services/networking/redsocks.nix b/nixos/modules/services/networking/redsocks.nix index a47a78f1005e..8481f9debf39 100644 --- a/nixos/modules/services/networking/redsocks.nix +++ b/nixos/modules/services/networking/redsocks.nix @@ -267,4 +267,6 @@ in "ip46tables -t nat -D OUTPUT -p tcp ${redCond block} -j ${chain} 2>/dev/null || true" ) cfg.redsocks; }; + + meta.maintainers = with lib.maintainers; [ ekleog ]; } 
diff --git a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix index b16d299917fe..d4f7e95f859f 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix @@ -248,6 +248,14 @@ in { </itemizedlist> ''; + ppk_id = mkOptionalStrParam '' + String identifying the Postquantum Preshared Key (PPK) to be used. + ''; + + ppk_required = mkYesNoParam no '' + Whether a Postquantum Preshared Key (PPK) is required for this connection. + ''; + keyingtries = mkIntParam 1 '' Number of retransmission sequences to perform during initial connect. Instead of giving up initiation after the first retransmission 
@@ -922,6 +930,36 @@ in { <literal>0xffffffff</literal>. ''; + set_mark_in = mkStrParam "0/0x00000000" '' + Netfilter mark applied to packets after the inbound IPsec SA processed + them. This way it's not necessary to mark packets via Netfilter before + decryption or right afterwards to match policies or process them + differently (e.g. via policy routing). + + An additional mask may be appended to the mark, separated by + <literal>/</literal>. The default mask if omitted is 0xffffffff. The + special value <literal>%same</literal> uses the value (but not the mask) + from <option>mark_in</option> as mark value, which can be fixed, + <literal>%unique</literal> or <literal>%unique-dir</literal>. + + Setting marks in XFRM input requires Linux 4.19 or higher. + ''; + + set_mark_out = mkStrParam "0/0x00000000" '' + Netfilter mark applied to packets after the outbound IPsec SA processed + them. This allows processing ESP packets differently than the original + traffic (e.g. via policy routing). + + An additional mask may be appended to the mark, separated by + <literal>/</literal>. The default mask if omitted is 0xffffffff. The + special value <literal>%same</literal> uses the value (but not the mask) + from <option>mark_out</option> as mark value, which can be fixed, + <literal>%unique_</literal> or <literal>%unique-dir</literal>. + + Setting marks in XFRM output is supported since Linux 4.14. Setting a + mask requires at least Linux 4.19. + ''; + tfc_padding = mkParamOfType (with lib.types; either int (enum ["mtu"])) 0 '' Pads ESP packets with additional data to have a consistent ESP packet size for improved Traffic Flow Confidentiality. The padding defines the 
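Review bot: The `set_mark_out` description lists `<literal>%unique_</literal>` with a stray trailing underscore; the parallel `set_mark_in` text, and the `mark_in`/`mark_out` options it refers to, use `%unique`, so this reads as a typo that will be rendered into the manual. Change it to `<literal>%unique</literal> or <literal>%unique-dir</literal>`.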
@@ -946,6 +984,33 @@ in { supported, but the installation does not fail otherwise. ''; + copy_df = mkYesNoParam yes '' + Whether to copy the DF bit to the outer IPv4 header in tunnel mode. This + effectively disables Path MTU discovery (PMTUD). Controlling this + behavior is not supported by all kernel interfaces. + ''; + + copy_ecn = mkYesNoParam yes '' + Whether to copy the ECN (Explicit Congestion Notification) header field + to/from the outer IP header in tunnel mode. Controlling this behavior is + not supported by all kernel interfaces. + ''; + + copy_dscp = mkEnumParam [ "out" "in" "yes" "no" ] "out" '' + Whether to copy the DSCP (Differentiated Services Field Codepoint) + header field to/from the outer IP header in tunnel mode. The value + <literal>out</literal> only copies the field from the inner to the outer + header, the value <literal>in</literal> does the opposite and only + copies the field from the outer to the inner header when decapsulating, + the value <literal>yes</literal> copies the field in both directions, + and the value <literal>no</literal> disables copying the field + altogether. Setting this to <literal>yes</literal> or + <literal>in</literal> could allow an attacker to adversely affect other + traffic at the receiver, which is why the default is + <literal>out</literal>. Controlling this behavior is not supported by + all kernel interfaces. + ''; + start_action = mkEnumParam ["none" "trap" "start"] "none" '' Action to perform after loading the configuration. <itemizedlist> 
@@ -1060,6 +1125,24 @@ in { defined in a unique section having the <literal>ike</literal> prefix. ''; + ppk = mkPrefixedAttrsOfParams { + secret = mkOptionalStrParam '' + Value of the PPK. It may either be an ASCII string, a hex encoded string + if it has a <literal>0x</literal> prefix or a Base64 encoded string if + it has a <literal>0s</literal> prefix in its value. Should have at least + 256 bits of entropy for 128-bit security. + ''; + + id = mkPrefixedAttrsOfParam (mkOptionalStrParam "") '' + PPK identity the PPK belongs to. Multiple unique identities may be + specified, each having an <literal>id</literal> prefix, if a secret is + shared between multiple peers. + ''; + } '' + Postquantum Preshared Key (PPK) section for a specific secret. Each PPK is + defined in a unique section having the <literal>ppk</literal> prefix. + ''; + private = mkPrefixedAttrsOfParams { file = mkOptionalStrParam '' File name in the private folder for which this passphrase should be used. diff --git a/nixos/modules/services/networking/zerotierone.nix b/nixos/modules/services/networking/zerotierone.nix index a4cd368397e7..764af3846fe5 100644 --- a/nixos/modules/services/networking/zerotierone.nix +++ b/nixos/modules/services/networking/zerotierone.nix @@ -39,7 +39,8 @@ in systemd.services.zerotierone = { description = "ZeroTierOne"; path = [ cfg.package ]; - after = [ "network.target" ]; + bindsTo = [ "network-online.target" ]; + after = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; preStart = '' mkdir -p /var/lib/zerotier-one/networks.d diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 508398f03ace..6c733f093ba8 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix 
@@ -46,7 +46,7 @@ let configFile = pkgs.writeText "nginx.conf" '' user ${cfg.user} ${cfg.group}; - error_log stderr; + error_log ${cfg.logError}; daemon off; ${cfg.config} @@ -341,6 +341,35 @@ in "; }; + logError = mkOption { + default = "stderr"; + description = " + Configures logging. + The first parameter defines a file that will store the log. The + special value stderr selects the standard error file. Logging to + syslog can be configured by specifying the “syslog:” prefix. + The second parameter determines the level of logging, and can be + one of the following: debug, info, notice, warn, error, crit, + alert, or emerg. Log levels above are listed in the order of + increasing severity. Setting a certain log level will cause all + messages of the specified and more severe log levels to be logged. + If this parameter is omitted then error is used. + "; + }; + + preStart = mkOption { + type = types.lines; + default = '' + test -d ${cfg.stateDir}/logs || mkdir -m 750 -p ${cfg.stateDir}/logs + test `stat -c %a ${cfg.stateDir}` = "750" || chmod 750 ${cfg.stateDir} + test `stat -c %a ${cfg.stateDir}/logs` = "750" || chmod 750 ${cfg.stateDir}/logs + chown -R ${cfg.user}:${cfg.group} ${cfg.stateDir} + ''; + description = " + Shell commands executed before the service's nginx is started. + "; + }; + config = mkOption { default = ""; description = " @@ -608,9 +637,7 @@ in stopIfChanged = false; preStart = '' - mkdir -p ${cfg.stateDir}/logs - chmod 700 ${cfg.stateDir} - chown -R ${cfg.user}:${cfg.group} ${cfg.stateDir} + ${cfg.preStart} ${cfg.package}/bin/nginx -c ${configFile} -p ${cfg.stateDir} -t ''; serviceConfig = { diff --git a/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix b/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix index 013956c05466..d1ee076e9185 100644 --- a/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix +++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix 
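Review bot: The new `logError` option has no `type`, unlike `preStart` right below it (`types.lines`) and the other options in this file, so any value is accepted at evaluation time and spliced verbatim into `error_log ${cfg.logError};` in nginx.conf; add `type = types.str;` so a non-string misconfiguration fails at eval rather than at nginx start. The `preStart` default also replaces the previous hard-coded `chmod 700 ${cfg.stateDir}` with `chmod 750`, i.e. the state directory becomes group-readable for `cfg.group`; that looks deliberate but deserves a sentence in the option description (or the release notes), since it changes permissions on existing installations. The enclosing `options` block starts outside the hunk.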
@@ -22,7 +22,7 @@ let
 # This wrapper ensures that we actually get themes
 makeWrapper ${pkgs.lightdm_gtk_greeter}/sbin/lightdm-gtk-greeter \
 $out/greeter \
- --prefix PATH : "${pkgs.glibc.bin}/bin" \
+ --prefix PATH : "${lib.getBin pkgs.stdenv.cc.libc}/bin" \
 --set GDK_PIXBUF_MODULE_FILE "${pkgs.librsvg.out}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache" \
 --set GTK_PATH "${theme}:${pkgs.gtk3.out}" \
 --set GTK_EXE_PREFIX "${theme}" \
diff --git a/nixos/modules/system/activation/activation-script.nix b/nixos/modules/system/activation/activation-script.nix
index b1eaf0189562..74c150a848d1 100644
--- a/nixos/modules/system/activation/activation-script.nix
+++ b/nixos/modules/system/activation/activation-script.nix
@@ -21,7 +21,8 @@ let
 [ coreutils
 gnugrep
 findutils
- glibc # needed for getent
+ getent
+ stdenv.cc.libc # nscd in update-users-groups.pl
 shadow
 nettools # needed for hostname
 utillinux # needed for mount and mountpoint
diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix
index f4cf9753c0a1..e7167999a6f8 100644
--- a/nixos/modules/system/boot/stage-1.nix
+++ b/nixos/modules/system/boot/stage-1.nix
@@ -147,7 +147,7 @@ let
 ${config.boot.initrd.extraUtilsCommands}
 # Copy ld manually since it isn't detected correctly
- cp -pv ${pkgs.glibc.out}/lib/ld*.so.? $out/lib
+ cp -pv ${pkgs.stdenv.cc.libc.out}/lib/ld*.so.? $out/lib
 # Copy all of the needed libraries
 find $out/bin $out/lib -type f | while read BIN; do
diff --git a/nixos/modules/system/boot/systemd-nspawn.nix b/nixos/modules/system/boot/systemd-nspawn.nix
index f4fa09694537..4f538ccdbbe1 100644
--- a/nixos/modules/system/boot/systemd-nspawn.nix
+++ b/nixos/modules/system/boot/systemd-nspawn.nix
@@ -112,6 +112,7 @@ in {
 environment.etc."systemd/nspawn".source = generateUnits "nspawn" units [] [];
+ systemd.targets."multi-user".wants = [ "machines.target "];
 };
 }
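Review bot: `[ "machines.target "]` carries a trailing space inside the string literal, so the generated `multi-user.target` drop-in would want a unit literally named `machines.target ` (with the space) rather than `machines.target`; the containers.nix hunk later on this page spells it `"machines.target"`. Change it to `systemd.targets."multi-user".wants = [ "machines.target" ];`. Whether systemd rejects or silently ignores the malformed name, the dependency is not the one intended, and the effect on boot would be easy to miss because the containers module adds the correct spelling independently.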
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index a1412bc32904..89f8e8153550 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -387,7 +387,7 @@ let logindHandlerType = types.enum [ "ignore" "poweroff" "reboot" "halt" "kexec" "suspend" - "hibernate" "hybrid-sleep" "lock" + "hibernate" "hybrid-sleep" "suspend-then-hibernate" "lock" ]; in @@ -587,6 +587,15 @@ in ''; }; + services.journald.forwardToSyslog = mkOption { + default = config.services.rsyslogd.enable || config.services.syslog-ng.enable; + defaultText = "config.services.rsyslogd.enable || config.services.syslog-ng.enable"; + type = types.bool; + description = '' + Whether to forward log messages to syslog. + ''; + }; + services.logind.extraConfig = mkOption { default = ""; type = types.lines; @@ -754,6 +763,9 @@ in ForwardToConsole=yes TTYPath=${config.services.journald.console} ''} + ${optionalString (config.services.journald.forwardToSyslog) '' + ForwardToSyslog=yes + ''} ${config.services.journald.extraConfig} ''; diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index 8fe59badd335..2fcc0f254256 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -243,6 +243,9 @@ let Restart = "on-failure"; + Slice = "machine.slice"; + Delegate = true; + # Hack: we don't want to kill systemd-nspawn, since we call # "machinectl poweroff" in preStop to shut down the # container cleanly. But systemd requires sending a signal @@ -606,7 +609,7 @@ in { config = { config, pkgs, ... }: { services.postgresql.enable = true; - services.postgresql.package = pkgs.postgresql96; + services.postgresql.package = pkgs.postgresql_9_6; system.stateVersion = "17.03"; }; 
@@ -657,6 +660,8 @@ in serviceConfig = serviceDirectives dummyConfig; }; in { + systemd.targets."multi-user".wants = [ "machines.target" ]; + systemd.services = listToAttrs (filter (x: x.value != null) ( # The generic container template used by imperative containers [{ name = "container@"; value = unit; }] @@ -680,7 +685,7 @@ in } // ( if config.autoStart then { - wantedBy = [ "multi-user.target" ]; + wantedBy = [ "machines.target" ]; wants = [ "network.target" ]; after = [ "network.target" ]; restartTriggers = [ config.path ]; diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix index 3e38662f5b0f..f4d7af1664af 100644 --- a/nixos/modules/virtualisation/libvirtd.nix +++ b/nixos/modules/virtualisation/libvirtd.nix @@ -196,6 +196,8 @@ in { wantedBy = [ "multi-user.target" ]; path = with pkgs; [ coreutils libvirt gawk ]; restartIfChanged = false; + + environment.ON_SHUTDOWN = "${cfg.onShutdown}"; }; systemd.sockets.virtlogd = { diff --git a/nixos/modules/virtualisation/virtualbox-image.nix b/nixos/modules/virtualisation/virtualbox-image.nix index 60048911658c..037c0d2f0d82 100644 --- a/nixos/modules/virtualisation/virtualbox-image.nix +++ b/nixos/modules/virtualisation/virtualbox-image.nix @@ -12,7 +12,7 @@ in { virtualbox = { baseImageSize = mkOption { type = types.int; - default = 10 * 1024; + default = 50 * 1024; description = '' The size of the VirtualBox base image in MiB. ''; @@ -61,7 +61,7 @@ in { export HOME=$PWD export PATH=${pkgs.virtualbox}/bin:$PATH - echo "creating VirtualBox pass-through disk wrapper (no copying invovled)..." + echo "creating VirtualBox pass-through disk wrapper (no copying involved)..." VBoxManage internalcommands createrawvmdk -filename disk.vmdk -rawdisk $diskImage echo "creating VirtualBox VM..." 
@@ -72,9 +72,9 @@ in { --memory ${toString cfg.memorySize} --acpi on --vram 32 \ ${optionalString (pkgs.stdenv.hostPlatform.system == "i686-linux") "--pae on"} \ --nictype1 virtio --nic1 nat \ - --audiocontroller ac97 --audio alsa \ + --audiocontroller ac97 --audio alsa --audioout on \ --rtcuseutc on \ - --usb on --mouse usbtablet + --usb on --usbehci on --mouse usbtablet VBoxManage storagectl "$vmName" --name SATA --add sata --portcount 4 --bootable on --hostiocache on VBoxManage storageattach "$vmName" --storagectl SATA --port 0 --device 0 --type hdd \ --medium disk.vmdk @@ -82,7 +82,7 @@ in { echo "exporting VirtualBox VM..." mkdir -p $out fn="$out/${cfg.vmFileName}" - VBoxManage export "$vmName" --output "$fn" + VBoxManage export "$vmName" --output "$fn" --options manifest rm -v $diskImage diff --git a/nixos/release.nix b/nixos/release.nix index 5412080cca18..51505d6aab9d 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -399,6 +399,7 @@ in rec { tests.radicale = callTest tests/radicale.nix {}; tests.redmine = callTest tests/redmine.nix {}; tests.rspamd = callSubTests tests/rspamd.nix {}; + tests.rsyslogd = callSubTests tests/rsyslogd.nix {}; tests.runInMachine = callTest tests/run-in-machine.nix {}; tests.rxe = callTest tests/rxe.nix {}; tests.samba = callTest tests/samba.nix {}; @@ -467,7 +468,7 @@ in rec { { services.httpd.enable = true; services.httpd.adminAddr = "foo@example.org"; services.postgresql.enable = true; - services.postgresql.package = pkgs.postgresql93; + services.postgresql.package = pkgs.postgresql_9_3; environment.systemPackages = [ pkgs.php ]; }); }; diff --git a/nixos/tests/ceph.nix b/nixos/tests/ceph.nix index dd45f0157b01..7408029c460e 100644 --- a/nixos/tests/ceph.nix +++ b/nixos/tests/ceph.nix 
@@ -10,9 +10,8 @@ import ./make-test.nix ({pkgs, ...}: rec { emptyDiskImages = [ 20480 20480 ]; vlans = [ 1 ]; }; - + networking = { - firewall.allowPing = true; useDHCP = false; interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [ { address = "192.168.1.1"; prefixLength = 24; } @@ -54,7 +53,7 @@ import ./make-test.nix ({pkgs, ...}: rec { }; }; }; - + testScript = { ... }: '' startAll; @@ -83,7 +82,7 @@ import ./make-test.nix ({pkgs, ...}: rec { # Can't check ceph status until a mon is up $aio->succeed("ceph -s | grep 'mon: 1 daemons'"); - + # Start the ceph-mgr daemon, it has no deps and hardly any setup $aio->mustSucceed( "ceph auth get-or-create mgr.aio mon 'allow profile mgr' osd 'allow *' mds 'allow *' > /var/lib/ceph/mgr/ceph-aio/keyring", diff --git a/nixos/tests/chromium.nix b/nixos/tests/chromium.nix index c341e83961a8..fcc55a59a216 100644 --- a/nixos/tests/chromium.nix +++ b/nixos/tests/chromium.nix @@ -12,8 +12,10 @@ with pkgs.lib; mapAttrs (channel: chromiumPkg: makeTest rec { name = "chromium-${channel}"; - meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ aszlig ]; + meta = { + maintainers = with maintainers; [ aszlig ]; + # https://github.com/NixOS/hydra/issues/591#issuecomment-435125621 + inherit (chromiumPkg.meta) timeout; }; enableOCR = true; diff --git a/nixos/tests/cjdns.nix b/nixos/tests/cjdns.nix index ab5f8e0bcf3e..e03bb9882540 100644 --- a/nixos/tests/cjdns.nix +++ b/nixos/tests/cjdns.nix @@ -13,9 +13,6 @@ let # CJDNS output is incompatible with the XML log. systemd.services.cjdns.serviceConfig.StandardOutput = "null"; - #networking.firewall.enable = true; - networking.firewall.allowPing = true; - #networking.firewall.rejectPackets = true; }; in diff --git a/nixos/tests/containers-bridge.nix b/nixos/tests/containers-bridge.nix index bd8bd5dee9c8..777cf9a7e7f9 100644 --- a/nixos/tests/containers-bridge.nix +++ b/nixos/tests/containers-bridge.nix 
@@ -42,7 +42,6 @@ import ./make-test.nix ({ pkgs, ...} : { { services.httpd.enable = true; services.httpd.adminAddr = "foo@example.org"; networking.firewall.allowedTCPPorts = [ 80 ]; - networking.firewall.allowPing = true; }; }; diff --git a/nixos/tests/containers-extra_veth.nix b/nixos/tests/containers-extra_veth.nix index 8f874b3585dc..b4c48afe48ba 100644 --- a/nixos/tests/containers-extra_veth.nix +++ b/nixos/tests/containers-extra_veth.nix @@ -43,7 +43,6 @@ import ./make-test.nix ({ pkgs, ...} : { config = { networking.firewall.allowedTCPPorts = [ 80 ]; - networking.firewall.allowPing = true; }; }; diff --git a/nixos/tests/containers-ipv4.nix b/nixos/tests/containers-ipv4.nix index 4affe3d9d56d..5f83a33b1079 100644 --- a/nixos/tests/containers-ipv4.nix +++ b/nixos/tests/containers-ipv4.nix @@ -20,7 +20,6 @@ import ./make-test.nix ({ pkgs, ...} : { { services.httpd.enable = true; services.httpd.adminAddr = "foo@example.org"; networking.firewall.allowedTCPPorts = [ 80 ]; - networking.firewall.allowPing = true; system.stateVersion = "18.03"; }; }; diff --git a/nixos/tests/containers-ipv6.nix b/nixos/tests/containers-ipv6.nix index 7db389a18e72..5866e51b731d 100644 --- a/nixos/tests/containers-ipv6.nix +++ b/nixos/tests/containers-ipv6.nix @@ -25,7 +25,6 @@ import ./make-test.nix ({ pkgs, ...} : { { services.httpd.enable = true; services.httpd.adminAddr = "foo@example.org"; networking.firewall.allowedTCPPorts = [ 80 ]; - networking.firewall.allowPing = true; }; }; diff --git a/nixos/tests/containers-portforward.nix b/nixos/tests/containers-portforward.nix index be83f82445ed..d2dda926fc0e 100644 --- a/nixos/tests/containers-portforward.nix +++ b/nixos/tests/containers-portforward.nix @@ -28,7 +28,6 @@ import ./make-test.nix ({ pkgs, ...} : { { services.httpd.enable = true; services.httpd.adminAddr = "foo@example.org"; networking.firewall.allowedTCPPorts = [ 80 ]; - networking.firewall.allowPing = true; }; }; 
diff --git a/nixos/tests/containers-restart_networking.nix b/nixos/tests/containers-restart_networking.nix index aeb0a6e68e21..0fb3b591e9f9 100644 --- a/nixos/tests/containers-restart_networking.nix +++ b/nixos/tests/containers-restart_networking.nix @@ -10,7 +10,6 @@ let hostBridge = "br0"; config = { networking.firewall.enable = false; - networking.firewall.allowPing = true; networking.interfaces.eth0.ipv4.addresses = [ { address = "192.168.1.122"; prefixLength = 24; } ]; diff --git a/nixos/tests/home-assistant.nix b/nixos/tests/home-assistant.nix index 2d74b59bca46..0b3da0d59c68 100644 --- a/nixos/tests/home-assistant.nix +++ b/nixos/tests/home-assistant.nix @@ -74,7 +74,6 @@ in { print "$log\n"; # Check that no errors were logged - # The timer can get out of sync due to Hydra's load, so this error is ignored - $hass->fail("cat ${configDir}/home-assistant.log | grep -vF 'Timer got out of sync' | grep -qF ERROR"); + $hass->fail("cat ${configDir}/home-assistant.log | grep -qF ERROR"); ''; }) diff --git a/nixos/tests/nat.nix b/nixos/tests/nat.nix index 9c280fe8b5b6..04b4f0f045f0 100644 --- a/nixos/tests/nat.nix +++ b/nixos/tests/nat.nix @@ -11,7 +11,6 @@ import ./make-test.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? false, lib.mkMerge [ { virtualisation.vlans = [ 2 1 ]; networking.firewall.enable = withFirewall; - networking.firewall.allowPing = true; networking.nat.internalIPs = [ "192.168.1.0/24" ]; networking.nat.externalInterface = "eth1"; } @@ -33,7 +32,6 @@ import ./make-test.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? false, { pkgs, nodes, ... }: lib.mkMerge [ { virtualisation.vlans = [ 1 ]; - networking.firewall.allowPing = true; networking.defaultGateway = (pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ipv4.addresses).address; } diff --git a/nixos/tests/networking.nix b/nixos/tests/networking.nix index 87a8c4c0e196..d1d4fd41dda6 100644 --- a/nixos/tests/networking.nix +++ b/nixos/tests/networking.nix 
@@ -17,7 +17,6 @@ let networking = { useDHCP = false; useNetworkd = networkd; - firewall.allowPing = true; firewall.checkReversePath = true; firewall.allowedUDPPorts = [ 547 ]; interfaces = mkOverride 0 (listToAttrs (flip map vlanIfs (n: @@ -86,7 +85,6 @@ let virtualisation.vlans = [ 1 2 ]; networking = { useNetworkd = networkd; - firewall.allowPing = true; useDHCP = false; defaultGateway = "192.168.1.1"; interfaces.eth1.ipv4.addresses = mkOverride 0 [ @@ -139,7 +137,6 @@ let virtualisation.vlans = [ 1 2 ]; networking = { useNetworkd = networkd; - firewall.allowPing = true; useDHCP = true; interfaces.eth1 = { ipv4.addresses = mkOverride 0 [ ]; @@ -194,7 +191,6 @@ let virtualisation.vlans = [ 1 2 ]; networking = { useNetworkd = networkd; - firewall.allowPing = true; useDHCP = false; interfaces.eth1 = { ipv4.addresses = mkOverride 0 [ ]; @@ -234,7 +230,6 @@ let virtualisation.vlans = [ 1 2 ]; networking = { useNetworkd = networkd; - firewall.allowPing = true; useDHCP = false; bonds.bond = { interfaces = [ "eth1" "eth2" ]; @@ -271,7 +266,6 @@ let virtualisation.vlans = [ vlan ]; networking = { useNetworkd = networkd; - firewall.allowPing = true; useDHCP = false; interfaces.eth1.ipv4.addresses = mkOverride 0 [ { inherit address; prefixLength = 24; } ]; @@ -285,7 +279,6 @@ let virtualisation.vlans = [ 1 2 ]; networking = { useNetworkd = networkd; - firewall.allowPing = true; useDHCP = false; bridges.bridge.interfaces = [ "eth1" "eth2" ]; interfaces.eth1.ipv4.addresses = mkOverride 0 [ ]; @@ -329,7 +322,6 @@ let # reverse path filtering rules for the macvlan interface seem # to be incorrect, causing the test to fail. Disable temporarily. firewall.checkReversePath = false; - firewall.allowPing = true; useDHCP = true; macvlans.macvlan.interface = "eth1"; interfaces.eth1.ipv4.addresses = mkOverride 0 [ ]; @@ -415,7 +407,6 @@ let #virtualisation.vlans = [ 1 ]; networking = { useNetworkd = networkd; - firewall.allowPing = true; useDHCP = false; vlans.vlan = { id = 1; 
diff --git a/nixos/tests/opensmtpd.nix b/nixos/tests/opensmtpd.nix index 4c0cbca21010..4d3479168f70 100644 --- a/nixos/tests/opensmtpd.nix +++ b/nixos/tests/opensmtpd.nix @@ -17,11 +17,12 @@ import ./make-test.nix { extraServerArgs = [ "-v" ]; serverConfiguration = '' listen on 0.0.0.0 + action do_relay relay # DO NOT DO THIS IN PRODUCTION! # Setting up authentication requires a certificate which is painful in # a test environment, but THIS WOULD BE DANGEROUS OUTSIDE OF A # WELL-CONTROLLED ENVIRONMENT! - accept from any for any relay + match from any for any action do_relay ''; }; }; @@ -41,8 +42,9 @@ import ./make-test.nix { extraServerArgs = [ "-v" ]; serverConfiguration = '' listen on 0.0.0.0 - accept from any for local deliver to mda \ + action dovecot_deliver mda \ "${pkgs.dovecot}/libexec/dovecot/deliver -d %{user.username}" + match from any for local action dovecot_deliver ''; }; services.dovecot2 = { diff --git a/nixos/tests/plasma5.nix b/nixos/tests/plasma5.nix index eb705536827e..788c8719c8d2 100644 --- a/nixos/tests/plasma5.nix +++ b/nixos/tests/plasma5.nix 
@@ -26,31 +26,20 @@ import ./make-test.nix ({ pkgs, ...} : services.xserver.displayManager.sddm.theme = "breeze-ocr-theme"; services.xserver.desktopManager.plasma5.enable = true; services.xserver.desktopManager.default = "plasma5"; + services.xserver.displayManager.sddm.autoLogin = { + enable = true; + user = "alice"; + }; virtualisation.memorySize = 1024; environment.systemPackages = [ sddm_theme ]; - - # fontconfig-penultimate-0.3.3 -> 0.3.4 broke OCR apparently, but no idea why. - nixpkgs.config.packageOverrides = superPkgs: { - fontconfig-penultimate = superPkgs.fontconfig-penultimate.override { - version = "0.3.3"; - sha256 = "1z76jbkb0nhf4w7fy647yyayqr4q02fgk6w58k0yi700p0m3h4c9"; - }; - }; }; - enableOCR = true; - testScript = { nodes, ... }: let user = nodes.machine.config.users.users.alice; xdo = "${pkgs.xdotool}/bin/xdotool"; in '' startAll; - # Wait for display manager to start - $machine->waitForText(qr/${user.description}/); - $machine->screenshot("sddm"); - - # Log in - $machine->sendChars("${user.password}\n"); + # wait for log in $machine->waitForFile("/home/alice/.Xauthority"); $machine->succeed("xauth merge ~alice/.Xauthority"); diff --git a/nixos/tests/postgis.nix b/nixos/tests/postgis.nix index f8b63c5b6a27..49be0672a8e5 100644 --- a/nixos/tests/postgis.nix +++ b/nixos/tests/postgis.nix @@ -9,7 +9,7 @@ import ./make-test.nix ({ pkgs, ...} : { { pkgs, ... }: { - services.postgresql = let mypg = pkgs.postgresql100; in { + services.postgresql = let mypg = pkgs.postgresql_11; in { enable = true; package = mypg; extraPlugins = [ (pkgs.postgis.override { postgresql = mypg; }) ]; diff --git a/nixos/tests/quagga.nix b/nixos/tests/quagga.nix index 0ff14a21584a..6aee7ea57f03 100644 --- a/nixos/tests/quagga.nix +++ b/nixos/tests/quagga.nix 
@@ -66,7 +66,6 @@ import ./make-test.nix ({ pkgs, ... }:
 virtualisation.vlans = [ 3 ];
 networking.defaultGateway = ifAddr nodes.router2 "eth1";
 networking.firewall.allowedTCPPorts = [ 80 ];
- networking.firewall.allowPing = true;
 services.httpd.enable = true;
 services.httpd.adminAddr = "foo@example.com";
 };
diff --git a/nixos/tests/rsyslogd.nix b/nixos/tests/rsyslogd.nix
new file mode 100644
index 000000000000..969d59e0f2c2
--- /dev/null
+++ b/nixos/tests/rsyslogd.nix
@@ -0,0 +1,38 @@
+{ system ? builtins.currentSystem }:
+
+with import ../lib/testing.nix { inherit system; };
+with pkgs.lib;
+{
+ test1 = makeTest {
+ name = "rsyslogd-test1";
+ meta.maintainers = [ maintainers.aanderse ];
+
+ machine =
+ { config, pkgs, ... }:
+ { services.rsyslogd.enable = true;
+ services.journald.forwardToSyslog = false;
+ };
+
+ # ensure rsyslogd isn't receiving messages from journald if explicitly disabled
+ testScript = ''
+ $machine->waitForUnit("default.target");
+ $machine->fail("test -f /var/log/messages");
+ '';
+ };
+
+ test2 = makeTest {
+ name = "rsyslogd-test2";
+ meta.maintainers = [ maintainers.aanderse ];
+
+ machine =
+ { config, pkgs, ... }:
+ { services.rsyslogd.enable = true;
+ };
+
+ # ensure rsyslogd is receiving messages from journald
+ testScript = ''
+ $machine->waitForUnit("default.target");
+ $machine->succeed("test -f /var/log/messages");
+ '';
+ };
+}
diff --git a/nixos/tests/slurm.nix b/nixos/tests/slurm.nix
index 60f44c3c8459..7f9c266cbff6 100644
--- a/nixos/tests/slurm.nix
+++ b/nixos/tests/slurm.nix
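Review bot: Both new tests assert only the existence of `/var/log/messages` right after `default.target`, so test1 passes vacuously when nothing has been logged yet and test2 does not show that what arrived came from journald. Emitting a marker through journald and checking for it would make both assertions meaningful: in test2 `$machine->succeed("systemd-cat echo rsyslogd-test-marker"); $machine->waitUntilSucceeds("grep rsyslogd-test-marker /var/log/messages");`, and in test1 the same marker followed by `$machine->fail("grep rsyslogd-test-marker /var/log/messages");`. Whether rsyslogd writes to `/var/log/messages` at all depends on the module's default configuration, which is not visible here. The `config` argument of both `machine` functions is unused and could be dropped.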
@@ -1,22 +1,27 @@
-import ./make-test.nix ({ ... }:
-let mungekey = "mungeverryweakkeybuteasytointegratoinatest";
+import ./make-test.nix ({ lib, ... }:
+let
+ mungekey = "mungeverryweakkeybuteasytointegratoinatest";
+
 slurmconfig = {
 controlMachine = "control";
- nodeName = ''
- control
- NodeName=node[1-3] CPUs=1 State=UNKNOWN
+ nodeName = [ "node[1-3] CPUs=1 State=UNKNOWN" ];
+ partitionName = [ "debug Nodes=node[1-3] Default=YES MaxTime=INFINITE State=UP" ];
+ extraConfig = ''
+ AccountingStorageHost=dbd
+ AccountingStorageType=accounting_storage/slurmdbd
 '';
- partitionName = "debug Nodes=node[1-3] Default=YES MaxTime=INFINITE State=UP";
 };
 in {
 name = "slurm";
+ meta.maintainers = [ lib.maintainers.markuskowa ];
+
 nodes =
 let
 computeNode =
 { ...}:
 {
- # TODO slrumd port and slurmctld port should be configurations and
+ # TODO slurmd port and slurmctld port should be configurations and
 # automatically allowed by the firewall.
 networking.firewall.enable = false;
 services.slurm = {
@@ -43,6 +48,24 @@ in {
 } // slurmconfig;
 };
+ dbd =
+ { pkgs, ... } :
+ {
+ networking.firewall.enable = false;
+ services.slurm.dbdserver = {
+ enable = true;
+ };
+ services.mysql = {
+ enable = true;
+ package = pkgs.mysql;
+ ensureDatabases = [ "slurm_acct_db" ];
+ ensureUsers = [{
+ ensurePermissions = { "slurm_acct_db.*" = "ALL PRIVILEGES"; };
+ name = "slurm";
+ }];
+ };
+ };
+
 node1 = computeNode;
 node2 = computeNode;
 node3 = computeNode;
@@ -54,7 +77,7 @@ in {
 startAll;
 # Set up authentification across the cluster
- foreach my $node (($submit,$control,$node1,$node2,$node3))
+ foreach my $node (($submit,$control,$dbd,$node1,$node2,$node3))
 {
 $node->waitForUnit("default.target");
@@ -63,10 +86,22 @@ in {
 $node->succeed("chmod 0400 /etc/munge/munge.key");
 $node->succeed("chown munge:munge /etc/munge/munge.key");
 $node->succeed("systemctl restart munged");
- }
+
+ $node->waitForUnit("munged");
+ };
 # Restart the services since they have probably failed due to the munge init
 # failure
+ subtest "can_start_slurmdbd", sub {
+ $dbd->succeed("systemctl restart slurmdbd");
+ $dbd->waitForUnit("slurmdbd.service");
+ };
+
+ # there needs to be an entry for the current
+ # cluster in the database before slurmctld is restarted
+ subtest "add_account", sub {
+ $control->succeed("sacctmgr -i add cluster default");
+ };
 subtest "can_start_slurmctld", sub {
 $control->succeed("systemctl restart slurmctld");
@@ -81,12 +116,17 @@ in {
 }
 };
- # Test that the cluster work and can distribute jobs;
+ # Test that the cluster works and can distribute jobs;
 subtest "run_distributed_command", sub {
 # Run `hostname` on 3 nodes of the partition (so on all the 3 nodes).
 # The output must contain the 3 different names
 $submit->succeed("srun -N 3 hostname | sort | uniq | wc -l | xargs test 3 -eq");
 };
+
+ subtest "check_slurm_dbd", sub {
+ # find the srun job from above in the database
+ $submit->succeed("sacct | grep hostname");
+ };
 '';
 }) |
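Review bot: The `foreach` block is now closed with `};` where the old code had `}`; the trailing semicolon is only an empty statement in Perl and is not needed after a `foreach` block, so keep the plain `}`. The added `$node->waitForUnit("munged");` after the restart is a sensible addition, since the following subtests depend on munge being up on every node. The enclosing `foreach` starts before this hunk.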
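Review bot: `sacct | grep hostname` in `check_slurm_dbd` runs immediately after the `srun` in the previous subtest returns; if the accounting record reaches slurmdbd with any delay, this check is flaky. Retrying until the record shows up, `$submit->waitUntilSucceeds("sacct | grep hostname");`, would make it robust, and `grep -w hostname` would keep it from matching unrelated job names. Whether the record is written before `srun` returns is not shown here, so the timing concern is an inference.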