Diffstat (limited to 'nixos')
21 files changed, 347 insertions, 143 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml index 2d5197b2e100..aa421f8837b9 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml @@ -13,6 +13,13 @@ <itemizedlist> <listitem> <para> + GNOME has been upgraded to 43. Please take a look at their + <link xlink:href="https://release.gnome.org/43/">Release + Notes</link> for details. + </para> + </listitem> + <listitem> + <para> During cross-compilation, tests are now executed if the test suite can be executed by the build platform. This is the case when doing “native” cross-compilation where the build and host @@ -652,6 +659,12 @@ </listitem> <listitem> <para> + The default <literal>kops</literal> version is now 1.25.1 and + support for 1.22 and older has been dropped. + </para> + </listitem> + <listitem> + <para> <literal>k3s</literal> no longer supports docker as runtime due to upstream dropping support. </para> @@ -749,6 +762,14 @@ </listitem> <listitem> <para> + The <literal>guake</literal> package has been updated from + 3.6.3 to 3.9.0, see the + <link xlink:href="https://github.com/Guake/guake/releases">changelog</link> + for more details. + </para> + </listitem> + <listitem> + <para> <literal>dockerTools.buildImage</literal> deprecates the misunderstood <literal>contents</literal> parameter, in favor of <literal>copyToRoot</literal>. Use diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md index 341ae7c9c2d4..2172aebafe23 100644 --- a/nixos/doc/manual/release-notes/rl-2211.section.md +++ b/nixos/doc/manual/release-notes/rl-2211.section.md 
@@ -6,6 +6,9 @@ Support is planned until the end of June 2023, handing over to 23.05. In addition to numerous new and upgraded packages, this release has the following highlights: +- GNOME has been upgraded to 43. Please take a look at their [Release + Notes](https://release.gnome.org/43/) for details. + - During cross-compilation, tests are now executed if the test suite can be executed by the build platform. This is the case when doing “native” cross-compilation where the build and host platforms are largely the same, but the nixpkgs' cross @@ -212,6 +215,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). Use `configure.packages` instead. - Neovim can not be configured with plug anymore (still works for vim). +- The default `kops` version is now 1.25.1 and support for 1.22 and older has been dropped. + - `k3s` no longer supports docker as runtime due to upstream dropping support. - `k3s` supports `clusterInit` option, and it is enabled by default, for servers. @@ -240,6 +245,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - The `diamond` package has been update from 0.8.36 to 2.0.15. See the [upstream release notes](https://github.com/bbuchfink/diamond/releases) for more details. +- The `guake` package has been updated from 3.6.3 to 3.9.0, see the [changelog](https://github.com/Guake/guake/releases) for more details. + - `dockerTools.buildImage` deprecates the misunderstood `contents` parameter, in favor of `copyToRoot`. Use `copyToRoot = buildEnv { ... };` or similar if you intend to add packages to `/bin`. diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix index c5976166fb31..4a00c52916f6 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix 
@@ -38,9 +38,9 @@ with lib; # VM guest additions to improve host-guest interaction services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; - virtualisation.vmware.guest.enable = true; + virtualisation.vmware.guest.enable = pkgs.stdenv.hostPlatform.isx86; virtualisation.hypervGuest.enable = true; - services.xe-guest-utilities.enable = true; + services.xe-guest-utilities.enable = pkgs.stdenv.hostPlatform.isx86; # The VirtualBox guest additions rely on an out-of-tree kernel module # which lags behind kernel releases, potentially causing broken builds. virtualisation.virtualbox.guest.enable = false; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 494df03e3a36..9fc3af4b1ce6 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -391,9 +391,9 @@ ./services/desktops/pipewire/pipewire-media-session.nix ./services/desktops/pipewire/wireplumber.nix ./services/desktops/gnome/at-spi2-core.nix - ./services/desktops/gnome/chrome-gnome-shell.nix ./services/desktops/gnome/evolution-data-server.nix ./services/desktops/gnome/glib-networking.nix + ./services/desktops/gnome/gnome-browser-connector.nix ./services/desktops/gnome/gnome-initial-setup.nix ./services/desktops/gnome/gnome-keyring.nix ./services/desktops/gnome/gnome-online-accounts.nix diff --git a/nixos/modules/services/backup/restic.nix b/nixos/modules/services/backup/restic.nix index 65fe34b2d39e..869ed5d9976c 100644 --- a/nixos/modules/services/backup/restic.nix +++ b/nixos/modules/services/backup/restic.nix @@ -196,6 +196,18 @@ in ]; }; + checkOpts = mkOption { + type = types.listOf types.str; + default = [ ]; + description = lib.mdDoc '' + A list of options for 'restic check', which is run after + pruning. + ''; + example = [ + "--with-cache" + ]; + }; + dynamicFilesFrom = mkOption { type = with types; nullOr str; default = null; 
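Review bot: The two new `pkgs.stdenv.hostPlatform.isx86` gates on `virtualisation.vmware.guest.enable` and `services.xe-guest-utilities.enable` carry no comment saying why they are architecture-specific, while the neighbouring VirtualBox line documents its `false`. Presumably the VMware and Xen guest tools only build for x86; a line above the pair such as `# VMware and Xen guest utilities are only available for x86 hosts` would stop the next reader from re-enabling them on aarch64 by mistake. The hunk only shows `with lib;` in its header, so it is worth confirming `pkgs` is among the module's arguments.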
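Review bot: The `checkOpts` description says `restic check` runs after pruning, but in the `@@ -270,8 +282,8 @@` hunk of the same file the whole `pruneCmd` list is guarded by `builtins.length backup.pruneOpts > 0`, so `checkOpts` is silently ignored whenever `pruneOpts` is empty. Either state that in the description, e.g. appending `Only used when pruneOpts is non-empty, since the check is run as part of the prune step.`, or emit the check command whenever either list is non-empty. The `--cache-dir=%C/restic-backups-${name}` added in that hunk also presumes a matching `CacheDirectory=` on the unit, which is outside this diff and worth confirming.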
@@ -270,8 +282,8 @@ in
 then if (backup.paths != null) then concatStringsSep " " backup.paths else ""
 else "--files-from ${filesFromTmpFile}";
 pruneCmd = optionals (builtins.length backup.pruneOpts > 0) [
- (resticCmd + " forget --prune " + (concatStringsSep " " backup.pruneOpts))
- (resticCmd + " check")
+ (resticCmd + " forget --prune --cache-dir=%C/restic-backups-${name} " + (concatStringsSep " " backup.pruneOpts))
+ (resticCmd + " check --cache-dir=%C/restic-backups-${name} " + (concatStringsSep " " backup.checkOpts))
 ];
 # Helper functions for rclone remotes
 rcloneRemoteName = builtins.elemAt (splitString ":" backup.repository) 1;
diff --git a/nixos/modules/services/continuous-integration/gitlab-runner.nix b/nixos/modules/services/continuous-integration/gitlab-runner.nix
index fb148e7cffb5..2050e04d55cd 100644
--- a/nixos/modules/services/continuous-integration/gitlab-runner.nix
+++ b/nixos/modules/services/continuous-integration/gitlab-runner.nix
@@ -453,6 +453,43 @@ in }; }); }; + clear-docker-cache = { + enable = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to periodically prune gitlab runner's Docker resources. If + enabled, a systemd timer will run {command}`clear-docker-cache` as + specified by the `dates` option. + ''; + }; + + flags = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "prune" ]; + description = lib.mdDoc '' + Any additional flags passed to {command}`clear-docker-cache`. + ''; + }; + + dates = mkOption { + default = "weekly"; + type = types.str; + description = lib.mdDoc '' + Specification (in the format described by + {manpage}`systemd.time(7)`) of the time at + which the prune will occur. + ''; + }; + + package = mkOption { + default = config.virtualisation.docker.package; + defaultText = literalExpression "config.virtualisation.docker.package"; + example = literalExpression "pkgs.docker"; + description = lib.mdDoc "Docker package to use for clearing up docker cache."; + }; + }; }; config = mkIf cfg.enable { warnings = (mapAttrsToList @@ -497,6 +534,22 @@ in KillMode = "process"; }; }; + # Enable periodic clear-docker-cache script + systemd.services.gitlab-runner-clear-docker-cache = { + description = "Prune gitlab-runner docker resources"; + restartIfChanged = false; + unitConfig.X-StopOnRemoval = false; + + serviceConfig.Type = "oneshot"; + + path = [ cfg.clear-docker-cache.package pkgs.gawk ]; + + script = '' + ${pkgs.gitlab-runner}/bin/clear-docker-cache ${toString cfg.clear-docker-cache.flags} + ''; + + startAt = optional cfg.clear-docker-cache.enable cfg.clear-docker-cache.dates; + }; # Enable docker if `docker` executor is used in any service virtualisation.docker.enable = mkIf ( any (s: s.executor == "docker") (attrValues cfg.services) 
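Review bot: The new `package` option under `clear-docker-cache` has no `type`, unlike its siblings `enable`, `flags` and `dates`, so a wrong value (a string, for instance) is not rejected at evaluation time but fails later inside `path`; add `type = types.package;` beside its `default`. The rest of the option set follows the module's existing style.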
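Review bot: `${toString cfg.clear-docker-cache.flags}` in the new service `script` splices the flag list into the shell line unquoted, so an element containing whitespace or shell metacharacters is re-split by the shell; `${escapeShellArgs cfg.clear-docker-cache.flags}` keeps each list element as one argument (the hunk's unprefixed `optional`/`mkIf` suggest `with lib;` is in effect, otherwise `lib.escapeShellArgs`). The script also hardcodes `${pkgs.gitlab-runner}/bin/clear-docker-cache`; if the module exposes a package option for the runner, presumably the same package should be used here so the helper matches the daemon version. The unit is defined unconditionally and only `startAt` depends on `enable`, which is fine for the timer but means the oneshot unit exists on every host that enables the runner.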
diff --git a/nixos/modules/services/desktops/gnome/chrome-gnome-shell.nix b/nixos/modules/services/desktops/gnome/chrome-gnome-shell.nix
deleted file mode 100644
index 7d0ee9ed0221..000000000000
--- a/nixos/modules/services/desktops/gnome/chrome-gnome-shell.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-# Chrome GNOME Shell native host connector.
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
- meta = {
- maintainers = teams.gnome.members;
- };
-
- # Added 2021-05-07
- imports = [
- (mkRenamedOptionModule
- [ "services" "gnome3" "chrome-gnome-shell" "enable" ]
- [ "services" "gnome" "chrome-gnome-shell" "enable" ]
- )
- ];
-
- ###### interface
- options = {
- services.gnome.chrome-gnome-shell.enable = mkEnableOption (lib.mdDoc ''
- Chrome GNOME Shell native host connector, a DBus service
- allowing to install GNOME Shell extensions from a web browser.
- '');
- };
-
-
- ###### implementation
- config = mkIf config.services.gnome.chrome-gnome-shell.enable {
- environment.etc = {
- "chromium/native-messaging-hosts/org.gnome.chrome_gnome_shell.json".source = "${pkgs.chrome-gnome-shell}/etc/chromium/native-messaging-hosts/org.gnome.chrome_gnome_shell.json";
- "opt/chrome/native-messaging-hosts/org.gnome.chrome_gnome_shell.json".source = "${pkgs.chrome-gnome-shell}/etc/opt/chrome/native-messaging-hosts/org.gnome.chrome_gnome_shell.json";
- };
-
- environment.systemPackages = [ pkgs.chrome-gnome-shell ];
-
- services.dbus.packages = [ pkgs.chrome-gnome-shell ];
-
- nixpkgs.config.firefox.enableGnomeExtensions = true;
- };
-}
diff --git a/nixos/modules/services/desktops/gnome/gnome-browser-connector.nix b/nixos/modules/services/desktops/gnome/gnome-browser-connector.nix
new file mode 100644
index 000000000000..5d4ddce94220
--- /dev/null
+++ b/nixos/modules/services/desktops/gnome/gnome-browser-connector.nix
@@ -0,0 +1,47 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) mdDoc mkEnableOption mkIf mkRenamedOptionModule teams;
+in
+
+{
+ meta = {
+ maintainers = teams.gnome.members;
+ };
+
+ imports = [
+ # Added 2021-05-07
+ (mkRenamedOptionModule
+ [ "services" "gnome3" "chrome-gnome-shell" "enable" ]
+ [ "services" "gnome" "gnome-browser-connector" "enable" ]
+ )
+ # Added 2022-07-25
+ (mkRenamedOptionModule
+ [ "services" "gnome" "chrome-gnome-shell" "enable" ]
+ [ "services" "gnome" "gnome-browser-connector" "enable" ]
+ )
+ ];
+
+ options = {
+ services.gnome.gnome-browser-connector.enable = mkEnableOption (mdDoc ''
+ Native host connector for the GNOME Shell browser extension, a DBus service
+ allowing to install GNOME Shell extensions from a web browser.
+ '');
+ };
+
+ config = mkIf config.services.gnome.gnome-browser-connector.enable {
+ environment.etc = {
+ "chromium/native-messaging-hosts/org.gnome.browser_connector.json".source = "${pkgs.gnome-browser-connector}/etc/chromium/native-messaging-hosts/org.gnome.browser_connector.json";
+ "opt/chrome/native-messaging-hosts/org.gnome.browser_connector.json".source = "${pkgs.gnome-browser-connector}/etc/opt/chrome/native-messaging-hosts/org.gnome.browser_connector.json";
+ # Legacy paths.
+ "chromium/native-messaging-hosts/org.gnome.chrome_gnome_shell.json".source = "${pkgs.gnome-browser-connector}/etc/chromium/native-messaging-hosts/org.gnome.chrome_gnome_shell.json";
+ "opt/chrome/native-messaging-hosts/org.gnome.chrome_gnome_shell.json".source = "${pkgs.gnome-browser-connector}/etc/opt/chrome/native-messaging-hosts/org.gnome.chrome_gnome_shell.json";
+ };
+
+ environment.systemPackages = [ pkgs.gnome-browser-connector ];
+
+ services.dbus.packages = [ pkgs.gnome-browser-connector ];
+
+ nixpkgs.config.firefox.enableGnomeExtensions = true;
+ };
+}
diff --git a/nixos/modules/services/networking/mullvad-vpn.nix b/nixos/modules/services/networking/mullvad-vpn.nix
index ca60682b4b8b..42d55056084d 100644
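Review bot: The new module drops the one-line header the deleted `chrome-gnome-shell.nix` had, so nothing before the option description says what the file is for; a first line such as `# Native host connector for the GNOME Shell browser extension.` would restore it. The `# Legacy paths.` comment above the two `org.gnome.chrome_gnome_shell.json` entries should say why they are kept — presumably so browsers still looking up the old host name keep working — since the reason is not recoverable from the diff. The first `mkRenamedOptionModule` keeps its `# Added 2021-05-07` date although its target was changed here; a short `# retargeted 2022-07-25` on that line would keep the history honest.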
--- a/nixos/modules/services/networking/mullvad-vpn.nix +++ b/nixos/modules/services/networking/mullvad-vpn.nix @@ -39,7 +39,7 @@ with lib; startLimitBurst = 5; startLimitIntervalSec = 20; serviceConfig = { - ExecStart = "${pkgs.mullvad-vpn}/bin/mullvad-daemon -v --disable-stdout-timestamps"; + ExecStart = "${pkgs.mullvad}/bin/mullvad-daemon -v --disable-stdout-timestamps"; Restart = "always"; RestartSec = 1; }; diff --git a/nixos/modules/services/x11/desktop-managers/gnome.nix b/nixos/modules/services/x11/desktop-managers/gnome.nix index d3db98cb4e2a..9c1978e362bc 100644 --- a/nixos/modules/services/x11/desktop-managers/gnome.nix +++ b/nixos/modules/services/x11/desktop-managers/gnome.nix @@ -389,8 +389,8 @@ in ++ utils.removePackagesByName optionalPackages config.environment.gnome.excludePackages; services.colord.enable = mkDefault true; - services.gnome.chrome-gnome-shell.enable = mkDefault true; services.gnome.glib-networking.enable = true; + services.gnome.gnome-browser-connector.enable = mkDefault true; services.gnome.gnome-initial-setup.enable = mkDefault true; services.gnome.gnome-remote-desktop.enable = mkDefault true; services.gnome.gnome-settings-daemon.enable = true; @@ -520,7 +520,7 @@ in # Let nautilus find extensions # TODO: Create nautilus-with-extensions package - environment.sessionVariables.NAUTILUS_EXTENSION_DIR = "${config.system.path}/lib/nautilus/extensions-3.0"; + environment.sessionVariables.NAUTILUS_4_EXTENSION_DIR = "${config.system.path}/lib/nautilus/extensions-4"; # Override default mimeapps for nautilus environment.sessionVariables.XDG_DATA_DIRS = [ "${mimeAppsList}/share" ]; diff --git a/nixos/modules/services/x11/desktop-managers/pantheon.nix b/nixos/modules/services/x11/desktop-managers/pantheon.nix index 90a8787ed227..5c0203224e13 100644 --- a/nixos/modules/services/x11/desktop-managers/pantheon.nix +++ b/nixos/modules/services/x11/desktop-managers/pantheon.nix 
@@ -285,7 +285,7 @@ in elementary-music elementary-photos elementary-screenshot - elementary-tasks + # elementary-tasks elementary-terminal elementary-videos epiphany diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index b0c841f4fe59..03d03cb348e8 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -481,8 +481,8 @@ let ++ optional v.allowDiscards "discard" ++ optionals v.bypassWorkqueues [ "no-read-workqueue" "no-write-workqueue" ] ++ optional (v.header != null) "header=${v.header}" - ++ optional (v.keyFileOffset != null) "keyfile-offset=${v.keyFileOffset}" - ++ optional (v.keyFileSize != null) "keyfile-size=${v.keyFileSize}" + ++ optional (v.keyFileOffset != null) "keyfile-offset=${toString v.keyFileOffset}" + ++ optional (v.keyFileSize != null) "keyfile-size=${toString v.keyFileSize}" ; in "${n} ${v.device} ${if v.keyFile == null then "-" else v.keyFile} ${lib.concatStringsSep "," opts}") luks.devices)); diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index e8677f7e1e97..a11ee31ab8d0 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix @@ -4,8 +4,8 @@ { nixpkgs ? { outPath = (import ../lib).cleanSource ./..; revCount = 56789; shortRev = "gfedcba"; } , stableBranch ? false -, supportedSystems ? [ "x86_64-linux" ] -, limitedSupportedSystems ? [ "i686-linux" "aarch64-linux" ] +, supportedSystems ? [ "aarch64-linux" "x86_64-linux" ] +, limitedSupportedSystems ? [ "i686-linux" ] }: let 
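Review bot: `# elementary-tasks` is commented out with no reason given, so nobody reading the list later knows whether it may be re-enabled; put the reason on the line, e.g. `# elementary-tasks  # TODO: re-enable once <reason-placeholder>`. The hunk does not show whether the package is referenced elsewhere in the module, so that is worth checking as well.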
@@ -50,17 +50,17 @@ in rec { (onFullSupported "nixos.dummy") (onAllSupported "nixos.iso_minimal") (onSystems ["x86_64-linux" "aarch64-linux"] "nixos.amazonImage") - (onSystems ["x86_64-linux"] "nixos.iso_plasma5") - (onSystems ["x86_64-linux"] "nixos.iso_gnome") + (onFullSupported "nixos.iso_plasma5") + (onFullSupported "nixos.iso_gnome") (onFullSupported "nixos.manual") (onSystems ["x86_64-linux"] "nixos.ova") (onSystems ["aarch64-linux"] "nixos.sd_image") (onSystems ["x86_64-linux"] "nixos.tests.boot.biosCdrom") (onSystems ["x86_64-linux"] "nixos.tests.boot.biosUsb") (onFullSupported "nixos.tests.boot-stage1") - (onSystems ["x86_64-linux"] "nixos.tests.boot.uefiCdrom") - (onSystems ["x86_64-linux"] "nixos.tests.boot.uefiUsb") - (onSystems ["x86_64-linux"] "nixos.tests.chromium") + (onFullSupported "nixos.tests.boot.uefiCdrom") + (onFullSupported "nixos.tests.boot.uefiUsb") + (onFullSupported "nixos.tests.chromium") (onFullSupported "nixos.tests.containers-imperative") (onFullSupported "nixos.tests.containers-ip") (onSystems ["x86_64-linux"] "nixos.tests.docker") diff --git a/nixos/release-small.nix b/nixos/release-small.nix index 8367610fb7f7..1719d6738c5c 100644 --- a/nixos/release-small.nix +++ b/nixos/release-small.nix @@ -4,7 +4,7 @@ { nixpkgs ? { outPath = (import ../lib).cleanSource ./..; revCount = 56789; shortRev = "gfedcba"; } , stableBranch ? false -, supportedSystems ? [ "x86_64-linux" ] # no i686-linux +, supportedSystems ? [ "aarch64-linux" "x86_64-linux" ] # no i686-linux }: let @@ -53,7 +53,8 @@ in rec { }; boot = { inherit (nixos'.tests.boot) - biosCdrom; + biosCdrom + uefiCdrom; }; }; }; 
@@ -83,45 +84,56 @@ in rec { vim; }; - tested = pkgs.releaseTools.aggregate { + tested = let + onSupported = x: map (system: "${x}.${system}") supportedSystems; + onSystems = systems: x: map (system: "${x}.${system}") + (pkgs.lib.intersectLists systems supportedSystems); + in pkgs.releaseTools.aggregate { name = "nixos-${nixos.channel.version}"; meta = { description = "Release-critical builds for the NixOS channel"; maintainers = [ lib.maintainers.eelco ]; }; - constituents = - [ "nixos.channel" - "nixos.dummy.x86_64-linux" - "nixos.iso_minimal.x86_64-linux" - "nixos.amazonImage.x86_64-linux" - "nixos.manual.x86_64-linux" - "nixos.tests.boot.biosCdrom.x86_64-linux" - "nixos.tests.containers-imperative.x86_64-linux" - "nixos.tests.containers-ip.x86_64-linux" - "nixos.tests.firewall.x86_64-linux" - "nixos.tests.installer.lvm.x86_64-linux" - "nixos.tests.installer.separateBoot.x86_64-linux" - "nixos.tests.installer.simple.x86_64-linux" - "nixos.tests.ipv6.x86_64-linux" - "nixos.tests.login.x86_64-linux" - "nixos.tests.misc.x86_64-linux" - "nixos.tests.nat.firewall-conntrack.x86_64-linux" - "nixos.tests.nat.firewall.x86_64-linux" - "nixos.tests.nat.standalone.x86_64-linux" - # fails with kernel >= 5.15 https://github.com/NixOS/nixpkgs/pull/152505#issuecomment-1005049314 - #"nixos.tests.nfs3.simple.x86_64-linux" - "nixos.tests.openssh.x86_64-linux" - "nixos.tests.php.fpm.x86_64-linux" - "nixos.tests.php.pcre.x86_64-linux" - "nixos.tests.predictable-interface-names.predictable.x86_64-linux" - "nixos.tests.predictable-interface-names.predictableNetworkd.x86_64-linux" - "nixos.tests.predictable-interface-names.unpredictable.x86_64-linux" - "nixos.tests.predictable-interface-names.unpredictableNetworkd.x86_64-linux" - "nixos.tests.proxy.x86_64-linux" - "nixos.tests.simple.x86_64-linux" - "nixpkgs.jdk.x86_64-linux" + constituents = lib.flatten [ + [ + "nixos.channel" "nixpkgs.tarball" - ]; + ] + (map (onSystems [ "x86_64-linux" ]) [ + "nixos.tests.boot.biosCdrom" + 
"nixos.tests.installer.lvm" + "nixos.tests.installer.separateBoot" + "nixos.tests.installer.simple" + ]) + (map onSupported [ + "nixos.dummy" + "nixos.iso_minimal" + "nixos.amazonImage" + "nixos.manual" + "nixos.tests.boot.uefiCdrom" + "nixos.tests.containers-imperative" + "nixos.tests.containers-ip" + "nixos.tests.firewall" + "nixos.tests.ipv6" + "nixos.tests.login" + "nixos.tests.misc" + "nixos.tests.nat.firewall-conntrack" + "nixos.tests.nat.firewall" + "nixos.tests.nat.standalone" + # fails with kernel >= 5.15 https://github.com/NixOS/nixpkgs/pull/152505#issuecomment-1005049314 + #"nixos.tests.nfs3.simple" + "nixos.tests.openssh" + "nixos.tests.php.fpm" + "nixos.tests.php.pcre" + "nixos.tests.predictable-interface-names.predictable" + "nixos.tests.predictable-interface-names.predictableNetworkd" + "nixos.tests.predictable-interface-names.unpredictable" + "nixos.tests.predictable-interface-names.unpredictableNetworkd" + "nixos.tests.proxy" + "nixos.tests.simple" + "nixpkgs.jdk" + ]) + ]; }; } diff --git a/nixos/release.nix b/nixos/release.nix index 4f27e5dbb215..919aa86a2d63 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -169,13 +169,13 @@ in rec { inherit system; }); - iso_plasma5 = forMatchingSystems [ "x86_64-linux" ] (system: makeIso { + iso_plasma5 = forMatchingSystems supportedSystems (system: makeIso { module = ./modules/installer/cd-dvd/installation-cd-graphical-calamares-plasma5.nix; type = "plasma5"; inherit system; }); - iso_gnome = forMatchingSystems [ "x86_64-linux" ] (system: makeIso { + iso_gnome = forMatchingSystems supportedSystems (system: makeIso { module = ./modules/installer/cd-dvd/installation-cd-graphical-calamares-gnome.nix; type = "gnome"; inherit system; diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 8c74290aaf71..8943e7d41e97 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix 
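Review bot: The new `onSupported`/`onSystems` helpers in `tested` reach the library as `pkgs.lib.intersectLists`, while `constituents` a few lines below uses `lib.flatten`, so one block spells the same library two ways; pick one (`lib.intersectLists` if `lib` is the bound nixpkgs lib here, which the hunk does not show). `onSystems` also appears to duplicate the helper of the same name used in the `release-combined.nix` hunk above; if both files already share a common import, defining it once there avoids the two drifting apart. This hunk begins on the previous page line and the enclosing `rec` set lies outside it.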
@@ -119,7 +119,7 @@ in {
 certmgr = handleTest ./certmgr.nix {};
 cfssl = handleTestOn ["x86_64-linux"] ./cfssl.nix {};
 charliecloud = handleTest ./charliecloud.nix {};
- chromium = (handleTestOn ["x86_64-linux"] ./chromium.nix {}).stable or {};
+ chromium = (handleTestOn ["aarch64-linux" "x86_64-linux"] ./chromium.nix {}).stable or {};
 cinnamon = handleTest ./cinnamon.nix {};
 cjdns = handleTest ./cjdns.nix {};
 clickhouse = handleTest ./clickhouse.nix {};
@@ -638,6 +638,8 @@ in {
 traefik = handleTestOn ["x86_64-linux"] ./traefik.nix {};
 trafficserver = handleTest ./trafficserver.nix {};
 transmission = handleTest ./transmission.nix {};
+ # tracee requires bpf
+ tracee = handleTestOn ["x86_64-linux"] ./tracee.nix {};
 trezord = handleTest ./trezord.nix {};
 trickster = handleTest ./trickster.nix {};
 trilium-server = handleTestOn ["x86_64-linux"] ./trilium-server.nix {};
diff --git a/nixos/tests/installed-tests/default.nix b/nixos/tests/installed-tests/default.nix
index 2eaa98005209..78a6325a245e 100644
--- a/nixos/tests/installed-tests/default.nix
+++ b/nixos/tests/installed-tests/default.nix
@@ -101,7 +101,6 @@ in
 json-glib = callInstalledTest ./json-glib.nix {};
 ibus = callInstalledTest ./ibus.nix {};
 libgdata = callInstalledTest ./libgdata.nix {};
- librsvg = callInstalledTest ./librsvg.nix {};
 glib-testing = callInstalledTest ./glib-testing.nix {};
 libjcat = callInstalledTest ./libjcat.nix {};
 libxmlb = callInstalledTest ./libxmlb.nix {};
diff --git a/nixos/tests/installed-tests/librsvg.nix b/nixos/tests/installed-tests/librsvg.nix
deleted file mode 100644
index 378e7cce3ff4..000000000000
--- a/nixos/tests/installed-tests/librsvg.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ pkgs, makeInstalledTest, ... }:
-
-makeInstalledTest {
- tested = pkgs.librsvg;
-
- testConfig = {
- virtualisation.memorySize = 2047;
- };
-}
diff --git a/nixos/tests/restic.nix b/nixos/tests/restic.nix
index 75fffe9d9a84..16dd5f8c5c8a 100644
--- a/nixos/tests/restic.nix
+++ b/nixos/tests/restic.nix
@@ -68,6 +68,9 @@ import ./make-test-python.nix ( package = pkgs.writeShellScriptBin "restic" '' echo "$@" >> /tmp/fake-restic.log; ''; + + pruneOpts = [ "--keep-last 1" ]; + checkOpts = [ "--some-check-option" ]; }; }; @@ -98,6 +101,7 @@ import ./make-test-python.nix ( '${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots -c | grep -e "^1 snapshot"', "systemctl start restic-backups-custompackage.service", "grep 'backup .* /opt' /tmp/fake-restic.log", + "grep 'check .* --some-check-option' /tmp/fake-restic.log", "timedatectl set-time '2017-12-13 13:45'", "systemctl start restic-backups-remotebackup.service", "rm /opt/backupCleanupCommand", diff --git a/nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix b/nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix index 37a89fc21e44..bf5049251c72 100644 --- a/nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix +++ b/nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix @@ -7,10 +7,10 @@ # - VLAN 1 is the connection between the ISP and the router # - VLAN 2 is the connection between the router and the client -import ./make-test-python.nix ({pkgs, ...}: { +import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "systemd-networkd-ipv6-prefix-delegation"; - meta = with pkgs.lib.maintainers; { - maintainers = [ andir ]; + meta = with lib.maintainers; { + maintainers = [ andir hexa ]; }; nodes = { 
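Review bot: The new assertion only checks that `--some-check-option` reaches the fake restic; nothing checks that the `--keep-last 1` from the added `pruneOpts` reaches `forget --prune`, nor that the `--cache-dir=%C/restic-backups-<name>` the module now passes is present, so a regression in either would still pass. Add, next to the new grep, `"grep 'forget --prune .* --keep-last 1' /tmp/fake-restic.log",` and `"grep 'check --cache-dir=/var/cache/restic-backups-custompackage' /tmp/fake-restic.log",` (`%C` expands to `/var/cache` for a system unit, which the `custompackage` service here is). The second hunk's test list begins and ends outside the diff.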
@@ -22,26 +22,38 @@ import ./make-test-python.nix ({pkgs, ...}: { # # Note: On the ISPs device we don't really care if we are using networkd in # this example. That being said we can't use it (yet) as networkd doesn't - # implement the serving side of DHCPv6. We will use ISC's well aged dhcpd6 - # for that task. + # implement the serving side of DHCPv6. We will use ISC Kea for that task. isp = { lib, pkgs, ... }: { virtualisation.vlans = [ 1 ]; networking = { useDHCP = false; firewall.enable = false; - interfaces.eth1.ipv4.addresses = lib.mkForce []; # no need for legacy IP - interfaces.eth1.ipv6.addresses = lib.mkForce [ - { address = "2001:DB8::1"; prefixLength = 64; } - ]; + interfaces.eth1 = lib.mkForce {}; # Don't use scripted networking + }; + + systemd.network = { + enable = true; + + networks = { + "eth1" = { + matchConfig.Name = "eth1"; + address = [ + "2001:DB8::1/64" + ]; + networkConfig.IPForward = true; + }; + }; }; # Since we want to program the routes that we delegate to the "customer" - # into our routing table we must give dhcpd the required privs. - systemd.services.dhcpd6.serviceConfig.AmbientCapabilities = - [ "CAP_NET_ADMIN" ]; + # into our routing table we must provide kea with the required capability. + systemd.services.kea-dhcp6-server.serviceConfig = { + AmbientCapabilities = [ "CAP_NET_ADMIN" ]; + CapabilityBoundingSet = [ "CAP_NET_ADMIN" ]; + }; services = { - # Configure the DHCPv6 server + # Configure the DHCPv6 server to hand out both IA_NA and IA_PD. # # We will hand out /48 prefixes from the subnet 2001:DB8:F000::/36. # That gives us ~8k prefixes. That should be enough for this test. 
@@ -49,31 +61,70 @@ import ./make-test-python.nix ({pkgs, ...}: { # Since (usually) you will not receive a prefix with the router # advertisements we also hand out /128 leases from the range # 2001:DB8:0000:0000:FFFF::/112. - dhcpd6 = { + kea.dhcp6 = { enable = true; - interfaces = [ "eth1" ]; - extraConfig = '' - subnet6 2001:DB8::/36 { - range6 2001:DB8:0000:0000:FFFF:: 2001:DB8:0000:0000:FFFF::FFFF; - prefix6 2001:DB8:F000:: 2001:DB8:FFFF:: /48; - } - - # This is the secret sauce. We have to extract the prefix and the - # next hop when commiting the lease to the database. dhcpd6 - # (rightfully) has not concept of adding routes to the systems - # routing table. It really depends on the setup. + settings = { + interfaces-config.interfaces = [ "eth1" ]; + subnet6 = [ { + interface = "eth1"; + subnet = "2001:DB8:F::/36"; + pd-pools = [ { + prefix = "2001:DB8:F::"; + prefix-len = 36; + delegated-len = 48; + } ]; + pools = [ { + pool = "2001:DB8:0000:0000:FFFF::-2001:DB8:0000:0000:FFFF::FFFF"; + } ]; + } ]; + + # This is the glue between Kea and the Kernel FIB. DHCPv6 + # rightfully has no concept of setting up a route in your + # FIB. This step really depends on your setup. # - # In a production environment your DHCPv6 server is likely not the - # router. You might want to consider BGP, custom NetConf calls, … - # in those cases. - on commit { - set IP = pick-first-value(binary-to-ascii(16, 16, ":", substring(option dhcp6.ia-na, 16, 16)), "n/a"); - set Prefix = pick-first-value(binary-to-ascii(16, 16, ":", suffix(option dhcp6.ia-pd, 16)), "n/a"); - set PrefixLength = pick-first-value(binary-to-ascii(10, 8, ":", substring(suffix(option dhcp6.ia-pd, 17), 0, 1)), "n/a"); - log(concat(IP, " ", Prefix, " ", PrefixLength)); - execute("${pkgs.iproute2}/bin/ip", "-6", "route", "replace", concat(Prefix,"/",PrefixLength), "via", IP); - } - ''; + # In a production environment your DHCPv6 server is likely + # not the router. 
You might want to consider BGP, NETCONF + # calls, … in those cases. + # + # In this example we use the run script hook, that lets use + # execute anything and passes information via the environment. + # https://kea.readthedocs.io/en/kea-2.2.0/arm/hooks.html#run-script-run-script-support-for-external-hook-scripts + hooks-libraries = [ { + library = "${pkgs.kea}/lib/kea/hooks/libdhcp_run_script.so"; + parameters = { + name = pkgs.writeShellScript "kea-run-hooks" '' + export PATH="${lib.makeBinPath (with pkgs; [ coreutils iproute2 ])}" + + set -euxo pipefail + + leases6_committed() { + for i in $(seq $LEASES6_SIZE); do + idx=$((i-1)) + prefix_var="LEASES6_AT''${idx}_ADDRESS" + plen_var="LEASES6_AT''${idx}_PREFIX_LEN" + + ip -6 route replace ''${!prefix_var}/''${!plen_var} via $QUERY6_REMOTE_ADDR dev $QUERY6_IFACE_NAME + done + } + + unknown_handler() { + echo "Unhandled function call ''${*}" + exit 123 + } + + case "$1" in + "leases6_committed") + leases6_committed + ;; + *) + unknown_handler "''${@}" + ;; + esac + ''; + sync = false; + }; + } ]; + }; }; # Finally we have to set up the router advertisements. While we could be diff --git a/nixos/tests/tracee.nix b/nixos/tests/tracee.nix new file mode 100644 index 000000000000..26d0ada931b1 --- /dev/null +++ b/nixos/tests/tracee.nix 
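Review bot: The pd-pool `prefix = "2001:DB8:F::"` with `prefix-len = 36` is 2001:0db8:000f::/36, which the /36 mask normalises to 2001:db8::/36 — the removed dhcpd config delegated from `2001:DB8:F000::`, and the comment retained in the previous hunk still says prefixes come from `2001:DB8:F000::/36`. As written, the first /48 handed out (2001:db8::/48) contains the ISP's own `2001:DB8::1/64` link and the IA_NA pool `2001:DB8:0:0:FFFF::/112`, and the hook then installs a route for that block via the client; if F000 was intended, `prefix` should read `2001:DB8:F000::` (and the `subnet` value and comment made consistent with it, noting the IA_NA pool must then still lie inside the subnet). In the hook script, `''${!prefix_var}/''${!plen_var}`, `$QUERY6_REMOTE_ADDR` and `$QUERY6_IFACE_NAME` are unquoted even though the values come from the client's lease and query; quoting them (`"''${!prefix_var}/''${!plen_var}" via "$QUERY6_REMOTE_ADDR" dev "$QUERY6_IFACE_NAME"`) is the usual defensive shape under `set -u`. This hunk begins on the previous page line.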
@@ -0,0 +1,46 @@ +import ./make-test-python.nix ({ pkgs, ... }: { + name = "tracee-integration"; + nodes = { + machine = { config, pkgs, ... }: { + # EventFilters/trace_only_events_from_new_containers requires docker + # podman with docker compat will suffice + virtualisation.podman.enable = true; + virtualisation.podman.dockerCompat = true; + + environment.systemPackages = [ + # build the go integration tests as a binary + (pkgs.tracee.overrideAttrs (oa: { + pname = oa.pname + "-integration"; + patches = oa.patches or [] ++ [ + # change the prefix from /usr/bin to /run to find nix processes + ../../pkgs/tools/security/tracee/test-EventFilters-prefix-nix-friendly.patch + # skip magic_write test that currently fails + ../../pkgs/tools/security/tracee/test-EventFilters-magic_write-skip.patch + ]; + buildPhase = '' + runHook preBuild + # just build the static lib we need for the go test binary + make $makeFlags ''${enableParallelBuilding:+-j$NIX_BUILD_CORES -l$NIX_BUILD_CORES} bpf-core ./dist/btfhub ./dist/libbpf/libbpf.a + # then compile the tests to be ran later + CGO_CFLAGS="-I$PWD/dist/libbpf" CGO_LDFLAGS="-lelf -lz $PWD/dist/libbpf/libbpf.a" go test -tags core,ebpf,integration -p 1 -c -o $GOPATH/tracee-integration ./tests/integration/... + runHook postBuild + ''; + doCheck = false; + installPhase = '' + mkdir -p $out/bin + cp $GOPATH/tracee-integration $out/bin + ''; + doInstallCheck = false; + })) + ]; + }; + }; + + testScript = '' + with subtest("run integration tests"): + # EventFilters/trace_only_events_from_new_containers also requires a container called "alpine" + machine.succeed('tar cv -C ${pkgs.pkgsStatic.busybox} . | podman import - alpine --change ENTRYPOINT=sleep') + + print(machine.succeed('TRC_BIN="${pkgs.tracee}" tracee-integration -test.v')) + ''; +}) |
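Review bot: `patches = oa.patches or [] ++ [ … ]` relies on `or` binding tighter than `++` (which Nix does), but unparenthesised it reads as `oa.patches or ([] ++ […])` to most readers; `patches = (oa.patches or []) ++ [` states the intent. `config` in `machine = { config, pkgs, ... }:` is not used in the body and can be dropped. The whole integration binary runs under one `subtest`, so an individual failing case is only visible in the printed `-test.v` output rather than as a named subtest; acceptable for a smoke test, but worth a one-line comment above `print(machine.succeed(...))` saying so.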