diff options
Diffstat (limited to 'nixos')
154 files changed, 3281 insertions, 1733 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md index 05c06ebcac1b..b5973c19a2c4 100644 --- a/nixos/doc/manual/release-notes/rl-2405.section.md +++ b/nixos/doc/manual/release-notes/rl-2405.section.md @@ -20,11 +20,23 @@ In addition to numerous new and upgraded packages, this release has the followin - This can be disabled through the `environment.stub-ld.enable` option. - If you use `programs.nix-ld.enable`, no changes are needed. The stub will be disabled automatically. +- On flake-based NixOS configurations using `nixpkgs.lib.nixosSystem`, NixOS will automatically set `NIX_PATH` and the system-wide flake registry (`/etc/nix/registry.json`) to point `<nixpkgs>` and the unqualified flake path `nixpkgs` to the version of nixpkgs used to build the system. + + This makes `nix run nixpkgs#hello` and `nix-build '<nixpkgs>' -A hello` work out of the box with no added configuration, reusing dependencies already on the system. + + This may be undesirable if nix commands are not going to be run on the built system since it adds nixpkgs to the system closure. For such closure-size-constrained non-interactive systems, this setting should be disabled. + + To disable this, set [nixpkgs.flake.setNixPath](#opt-nixpkgs.flake.setNixPath) and [nixpkgs.flake.setFlakeRegistry](#opt-nixpkgs.flake.setFlakeRegistry) to false. + - Julia environments can now be built with arbitrary packages from the ecosystem using the `.withPackages` function. For example: `julia.withPackages ["Plots"]`. - A new option `systemd.sysusers.enable` was added. If enabled, users and groups are created with systemd-sysusers instead of with a custom perl script. +- A new option `virtualisation.containers.cdi` was added. It contains `static` and `dynamic` attributes (corresponding to `/etc/cdi` and `/run/cdi` respectively) to configure the Container Device Interface (CDI). + +- `virtualisation.docker.enableNvidia` and `virtualisation.podman.enableNvidia` options are deprecated. `virtualisation.containers.cdi.dynamic.nvidia.enable` should be used instead. This option will expose GPUs on containers with the `--device` CLI option. This is supported by Docker 25, Podman 3.2.0 and Singularity 4. Any container runtime that supports the CDI specification will take advantage of this feature. + - A new option `system.etc.overlay.enable` was added. If enabled, `/etc` is mounted via an overlayfs instead of being created by a custom perl script. @@ -71,6 +83,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - [TigerBeetle](https://tigerbeetle.com/), a distributed financial accounting database designed for mission critical safety and performance. Available as [services.tigerbeetle](#opt-services.tigerbeetle.enable). +- [go-camo](https://github.com/cactus/go-camo), a secure image proxy server. Available as [services.go-camo](#opt-services.go-camo.enable). + - [Clevis](https://github.com/latchset/clevis), a pluggable framework for automated decryption, used to unlock encrypted devices in initrd. Available as [boot.initrd.clevis.enable](#opt-boot.initrd.clevis.enable). - [TuxClocker](https://github.com/Lurkki14/tuxclocker), a hardware control and monitoring program. Available as [programs.tuxclocker](#opt-programs.tuxclocker.enable). @@ -79,6 +93,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - [RustDesk](https://rustdesk.com), a full-featured open source remote control alternative for self-hosting and security with minimal configuration. Alternative to TeamViewer. +- [Scrutiny](https://github.com/AnalogJ/scrutiny), a S.M.A.R.T monitoring tool for hard disks with a web frontend. + - [systemd-lock-handler](https://git.sr.ht/~whynothugo/systemd-lock-handler/), a bridge between logind D-Bus events and systemd targets. Available as [services.systemd-lock-handler.enable](#opt-services.systemd-lock-handler.enable). ## Backward Incompatibilities {#sec-release-24.05-incompatibilities} @@ -103,6 +119,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `nitter` requires a `guest_accounts.jsonl` to be provided as a path or loaded into the default location at `/var/lib/nitter/guest_accounts.jsonl`. See [Guest Account Branch Deployment](https://github.com/zedeus/nitter/wiki/Guest-Account-Branch-Deployment) for details. +- `boot.supportedFilesystems` and `boot.initrd.supportedFilesystems` are now attribute sets instead of lists. Assignment from lists as done previously is still supported, but checking whether a filesystem is enabled must now by done using `supportedFilesystems.fs or false` instead of using `lib.elem "fs" supportedFilesystems` as was done previously. + - `services.aria2.rpcSecret` has been replaced with `services.aria2.rpcSecretFile`. This was done so that secrets aren't stored in the world-readable nix store. To migrate, you will have create a file with the same exact string, and change @@ -153,6 +171,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - The bundled Lua was updated to Lua v5.2, which includes breaking changes. See the [Lua manual](https://www.lua.org/manual/5.2/manual.html#8) for more information. - The WebSocket API [was rewritten](https://github.com/MCJack123/craftos2/issues/337), which introduced breaking changes. +- The `gtest` package has been updated past v1.13.0, which requires C++14 or higher. + - The latest available version of Nextcloud is v28 (available as `pkgs.nextcloud28`). The installation logic is as follows: - If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**) - If [`system.stateVersion`](#opt-system.stateVersion) is >=24.05, `pkgs.nextcloud28` will be installed by default. @@ -163,10 +183,18 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - The `cudaPackages` package scope has been updated to `cudaPackages_12`. +- Ada packages (libraries and tools) have been moved into the `gnatPackages` scope. `gnatPackages` uses the default GNAT compiler, `gnat12Packages` and `gnat13Packages` use the respective matching compiler version. + +- `spark2014` has been renamed to `gnatprove`. A version of `gnatprove` matching different GNAT versions is available from the different `gnatPackages` sets. + - `services.resolved.fallbackDns` can now be used to disable the upstream fallback servers entirely by setting it to an empty list. To get the previous behaviour of the upstream defaults set it to null, the new default, instead. - `xxd` has been moved from `vim` default output to its own output to reduce closure size. The canonical way to reference it across all platforms is `unixtools.xxd`. +- The `stalwart-mail` package has been updated to v0.5.3, which includes [breaking changes](https://github.com/stalwartlabs/mail-server/blob/v0.5.3/UPGRADING.md). + +- `services.zope2` has been removed as `zope2` is unmaintained and was relying on Python2. + - `services.avahi.nssmdns` got split into `services.avahi.nssmdns4` and `services.avahi.nssmdns6` which enable the mDNS NSS switch for IPv4 and IPv6 respectively. Since most mDNS responders only register IPv4 addresses, most users want to keep the IPv6 support disabled to avoid long timeouts. @@ -175,6 +203,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m `wants`), because the dependency that `multi-user.target` has on `network-online.target` is planned for removal. +- `services.pgbouncer` now has systemd support enabled and will log to journald. The default setting for `services.pgbouncer.logFile` is now `null` to disable logging to a separate log file. + - `services.archisteamfarm` no longer uses the abbreviation `asf` for its state directory (`/var/lib/asf`), user and group (both `asf`). Instead the long name `archisteamfarm` is used. Configurations with `system.stateVersion` 23.11 or earlier, default to the old stateDirectory until the 24.11 release and must either set the option explicitly or move the data to the new directory. @@ -286,6 +316,10 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m [fileSystems.overlay](#opt-fileSystems._name_.overlay.lowerdir). See also the [NixOS docs](#sec-overlayfs). +- systemd units can now specify the `Upholds=` and `UpheldBy=` unit dependencies via the aptly + named `upholds` and `upheldBy` options. These options get systemd to enforce that the + dependencies remain continuosly running for as long as the dependent unit is in a running state. + - `stdenv`: The `--replace` flag in `substitute`, `substituteInPlace`, `substituteAll`, `substituteAllStream`, and `substituteStream` is now deprecated if favor of the new `--replace-fail`, `--replace-warn` and `--replace-quiet`. The deprecated `--replace` equates to `--replace-warn`. - A new hardening flag, `zerocallusedregs` was made available, corresponding to the gcc/clang option `-fzero-call-used-regs=used-gpr`. @@ -331,8 +365,12 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - The `services.paperless` module no longer uses the previously downloaded NLTK data stored in `/var/cache/paperless/nltk`. This directory can be removed. +- The `services.teeworlds` module now has a wealth of configuration options, including a new `package` option. + - The `hardware.pulseaudio` module now sets permission of pulse user home directory to 755 when running in "systemWide" mode. It fixes [issue 114399](https://github.com/NixOS/nixpkgs/issues/114399). +- The module `services.github-runner` has been removed. To configure a single GitHub Actions Runner refer to `services.github-runners.*`. Note that this will trigger a new runner registration. + - The `btrbk` module now automatically selects and provides required compression program depending on the configured `stream_compress` option. Since this replaces the need for the `extraPackages` option, this option will be @@ -345,3 +383,4 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - QtMultimedia has changed its default backend to `QT_MEDIA_BACKEND=ffmpeg` (previously `gstreamer` on Linux or `darwin` on MacOS). The previous native backends remain available but are now minimally maintained. Refer to [upstream documentation](https://doc.qt.io/qt-6/qtmultimedia-index.html#ffmpeg-as-the-default-backend) for further details about each platform. +- The oil shell is now using the c++ version by default. The python based build is still available as `oil-python` diff --git a/nixos/lib/make-disk-image.nix b/nixos/lib/make-disk-image.nix index 1a33abd01ea1..047e72e2ac0d 100644 --- a/nixos/lib/make-disk-image.nix +++ b/nixos/lib/make-disk-image.nix @@ -536,6 +536,9 @@ let format' = format; in let concatStringsSep " " (lib.optional useEFIBoot "-drive if=pflash,format=raw,unit=0,readonly=on,file=${efiFirmware}" ++ lib.optionals touchEFIVars [ "-drive if=pflash,format=raw,unit=1,file=$efiVars" + ] ++ lib.optionals (OVMF.systemManagementModeRequired or false) [ + "-machine" "q35,smm=on" + "-global" "driver=cfi.pflash01,property=secure,value=on" ] ); inherit memSize; diff --git a/nixos/lib/systemd-lib.nix b/nixos/lib/systemd-lib.nix index 347ee7303936..c9cca619ed70 100644 --- a/nixos/lib/systemd-lib.nix +++ b/nixos/lib/systemd-lib.nix @@ -242,7 +242,7 @@ in rec { ln -sfn '${name}' $out/'${name2}' '') (unit.aliases or [])) units)} - # Create .wants and .requires symlinks from the wantedBy and + # Create .wants, .upholds and .requires symlinks from the wantedBy, upheldBy and # requiredBy options. ${concatStrings (mapAttrsToList (name: unit: concatMapStrings (name2: '' @@ -252,6 +252,12 @@ in rec { ${concatStrings (mapAttrsToList (name: unit: concatMapStrings (name2: '' + mkdir -p $out/'${name2}.upholds' + ln -sfn '../${name}' $out/'${name2}.upholds'/ + '') (unit.upheldBy or [])) units)} + + ${concatStrings (mapAttrsToList (name: unit: + concatMapStrings (name2: '' mkdir -p $out/'${name2}.requires' ln -sfn '../${name}' $out/'${name2}.requires'/ '') (unit.requiredBy or [])) units)} @@ -289,6 +295,8 @@ in rec { { Requires = toString config.requires; } // optionalAttrs (config.wants != []) { Wants = toString config.wants; } + // optionalAttrs (config.upholds != []) + { Upholds = toString config.upholds; } // optionalAttrs (config.after != []) { After = toString config.after; } // optionalAttrs (config.before != []) diff --git a/nixos/lib/systemd-unit-options.nix b/nixos/lib/systemd-unit-options.nix index 9c69bda471bb..bc7880da9fe0 100644 --- a/nixos/lib/systemd-unit-options.nix +++ b/nixos/lib/systemd-unit-options.nix @@ -6,7 +6,7 @@ with lib; let checkService = checkUnitConfig "Service" [ (assertValueOneOf "Type" [ - "exec" "simple" "forking" "oneshot" "dbus" "notify" "idle" + "exec" "simple" "forking" "oneshot" "dbus" "notify" "notify-reload" "idle" ]) (assertValueOneOf "Restart" [ "no" "on-success" "on-failure" "on-abnormal" "on-abort" "always" @@ -74,6 +74,15 @@ in rec { ''; }; + upheldBy = mkOption { + default = []; + type = types.listOf unitNameType; + description = lib.mdDoc '' + Keep this unit running as long as the listed units are running. This is a continuously + enforced version of wantedBy. + ''; + }; + wantedBy = mkOption { default = []; type = types.listOf unitNameType; @@ -147,6 +156,14 @@ in rec { ''; }; + upholds = mkOption { + default = []; + type = types.listOf unitNameType; + description = lib.mdDoc '' + Keeps the specified running while this unit is running. A continuous version of `wants`. + ''; + }; + after = mkOption { default = []; type = types.listOf unitNameType; diff --git a/nixos/lib/test-driver/pyproject.toml b/nixos/lib/test-driver/pyproject.toml index 8638f14dfdae..17b7130a4bad 100644 --- a/nixos/lib/test-driver/pyproject.toml +++ b/nixos/lib/test-driver/pyproject.toml @@ -37,7 +37,6 @@ target-version = ['py39'] include = '\.pyi?$' [tool.mypy] -python_version = "3.10" warn_redundant_casts = true disallow_untyped_calls = true disallow_untyped_defs = true diff --git a/nixos/maintainers/scripts/lxd/lxd-container-image-inner.nix b/nixos/maintainers/scripts/lxd/lxd-container-image-inner.nix index ef00c6f86cbd..4698971de8ff 100644 --- a/nixos/maintainers/scripts/lxd/lxd-container-image-inner.nix +++ b/nixos/maintainers/scripts/lxd/lxd-container-image-inner.nix @@ -13,8 +13,23 @@ ./lxd.nix ]; - networking.useDHCP = false; - networking.interfaces.eth0.useDHCP = true; + networking = { + dhcpcd.enable = false; + useDHCP = false; + useHostResolvConf = false; + }; + + systemd.network = { + enable = true; + networks."50-eth0" = { + matchConfig.Name = "eth0"; + networkConfig = { + DHCP = "ipv4"; + IPv6AcceptRA = true; + }; + linkConfig.RequiredForOnline = "routable"; + }; + }; system.stateVersion = "@stateVersion@"; # Did you read the comment? } diff --git a/nixos/maintainers/scripts/lxd/lxd-container-image.nix b/nixos/maintainers/scripts/lxd/lxd-container-image.nix index b77f9f5aabe0..930ab34af385 100644 --- a/nixos/maintainers/scripts/lxd/lxd-container-image.nix +++ b/nixos/maintainers/scripts/lxd/lxd-container-image.nix @@ -20,12 +20,25 @@ }; in '' if [ ! -e /etc/nixos/configuration.nix ]; then - mkdir -p /etc/nixos - cp ${config} /etc/nixos/configuration.nix + install -m 644 -D ${config} /etc/nixos/configuration.nix fi ''; - # Network - networking.useDHCP = false; - networking.interfaces.eth0.useDHCP = true; + networking = { + dhcpcd.enable = false; + useDHCP = false; + useHostResolvConf = false; + }; + + systemd.network = { + enable = true; + networks."50-eth0" = { + matchConfig.Name = "eth0"; + networkConfig = { + DHCP = "ipv4"; + IPv6AcceptRA = true; + }; + linkConfig.RequiredForOnline = "routable"; + }; + }; } diff --git a/nixos/maintainers/scripts/lxd/lxd-virtual-machine-image-inner.nix b/nixos/maintainers/scripts/lxd/lxd-virtual-machine-image-inner.nix index c1c50b32ff5b..d1264fa04304 100644 --- a/nixos/maintainers/scripts/lxd/lxd-virtual-machine-image-inner.nix +++ b/nixos/maintainers/scripts/lxd/lxd-virtual-machine-image-inner.nix @@ -13,8 +13,23 @@ ./lxd.nix ]; - networking.useDHCP = false; - networking.interfaces.eth0.useDHCP = true; + networking = { + dhcpcd.enable = false; + useDHCP = false; + useHostResolvConf = false; + }; + + systemd.network = { + enable = true; + networks."50-enp5s0" = { + matchConfig.Name = "enp5s0"; + networkConfig = { + DHCP = "ipv4"; + IPv6AcceptRA = true; + }; + linkConfig.RequiredForOnline = "routable"; + }; + }; system.stateVersion = "@stateVersion@"; # Did you read the comment? } diff --git a/nixos/maintainers/scripts/lxd/lxd-virtual-machine-image.nix b/nixos/maintainers/scripts/lxd/lxd-virtual-machine-image.nix index 0d96eea0e2d2..bbbdd1f3fa17 100644 --- a/nixos/maintainers/scripts/lxd/lxd-virtual-machine-image.nix +++ b/nixos/maintainers/scripts/lxd/lxd-virtual-machine-image.nix @@ -26,6 +26,21 @@ ''; # Network - networking.useDHCP = false; - networking.interfaces.enp5s0.useDHCP = true; + networking = { + dhcpcd.enable = false; + useDHCP = false; + useHostResolvConf = false; + }; + + systemd.network = { + enable = true; + networks."50-enp5s0" = { + matchConfig.Name = "enp5s0"; + networkConfig = { + DHCP = "ipv4"; + IPv6AcceptRA = true; + }; + linkConfig.RequiredForOnline = "routable"; + }; + }; } diff --git a/nixos/modules/config/ldso.nix b/nixos/modules/config/ldso.nix index 72ae3958d886..bd6f0dc5a83b 100644 --- a/nixos/modules/config/ldso.nix +++ b/nixos/modules/config/ldso.nix @@ -6,9 +6,9 @@ let libDir = pkgs.stdenv.hostPlatform.libDir; ldsoBasename = builtins.unsafeDiscardStringContext (last (splitString "/" pkgs.stdenv.cc.bintools.dynamicLinker)); - pkgs32 = pkgs.pkgsi686Linux; - libDir32 = pkgs32.stdenv.hostPlatform.libDir; - ldsoBasename32 = builtins.unsafeDiscardStringContext (last (splitString "/" pkgs32.stdenv.cc.bintools.dynamicLinker)); + # Hard-code to avoid creating another instance of nixpkgs. Also avoids eval errors in some cases. + libDir32 = "lib"; # pkgs.pkgsi686Linux.stdenv.hostPlatform.libDir + ldsoBasename32 = "ld-linux.so.2"; # last (splitString "/" pkgs.pkgsi686Linux.stdenv.cc.bintools.dynamicLinker) in { options = { environment.ldso = mkOption { diff --git a/nixos/modules/config/nix.nix b/nixos/modules/config/nix.nix index 2769d8b25ef6..e6a74bbb73fc 100644 --- a/nixos/modules/config/nix.nix +++ b/nixos/modules/config/nix.nix @@ -1,5 +1,5 @@ /* - Manages /etc/nix.conf. + Manages /etc/nix/nix.conf. See also - ./nix-channel.nix diff --git a/nixos/modules/config/no-x-libs.nix b/nixos/modules/config/no-x-libs.nix index 2f763290e32d..870b3fe77cca 100644 --- a/nixos/modules/config/no-x-libs.nix +++ b/nixos/modules/config/no-x-libs.nix @@ -67,7 +67,7 @@ with lib; networkmanager-vpnc = super.networkmanager-vpnc.override { withGnome = false; }; pango = super.pango.override { x11Support = false; }; pinentry = super.pinentry.override { enabledFlavors = [ "curses" "tty" "emacs" ]; withLibsecret = false; }; - pipewire = super.pipewire.override { x11Support = false; }; + pipewire = super.pipewire.override { vulkanSupport = false; x11Support = false; }; pythonPackagesExtensions = super.pythonPackagesExtensions ++ [ (python-final: python-prev: { # tk feature requires wayland which fails to compile @@ -83,6 +83,7 @@ with lib; # translateManpages -> perlPackages.po4a -> texlive-combined-basic -> texlive-core-big -> libX11 util-linux = super.util-linux.override { translateManpages = false; }; vim-full = super.vim-full.override { guiSupport = false; }; + vte = super.vte.override { gtkVersion = null; }; zbar = super.zbar.override { enableVideo = false; withXorg = false; }; })); }; diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 967ad0846d75..dd34771c0b42 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -649,7 +649,6 @@ in { home = "/root"; shell = mkDefault cfg.defaultUserShell; group = "root"; - initialHashedPassword = mkDefault "!"; }; nobody = { uid = ids.uids.nobody; @@ -897,7 +896,26 @@ in { )); warnings = - builtins.filter (x: x != null) ( + flip concatMap (attrValues cfg.users) (user: let + unambiguousPasswordConfiguration = 1 >= length (filter (x: x != null) ([ + user.hashedPassword + user.hashedPasswordFile + user.password + ] ++ optionals cfg.mutableUsers [ + # For immutable users, initialHashedPassword is set to hashedPassword, + # so using these options would always trigger the assertion. + user.initialHashedPassword + user.initialPassword + ])); + in optional (!unambiguousPasswordConfiguration) '' + The user '${user.name}' has multiple of the options + `hashedPassword`, `password`, `hashedPasswordFile`, `initialPassword` + & `initialHashedPassword` set to a non-null value. + The options silently discard others by the order of precedence + given above which can lead to surprising results. To resolve this warning, + set at most one of the options above to a non-`null` value. + '') + ++ builtins.filter (x: x != null) ( flip mapAttrsToList cfg.users (_: user: # This regex matches a subset of the Modular Crypto Format (MCF)[1] # informal standard. Since this depends largely on the OS or the diff --git a/nixos/modules/config/vte.nix b/nixos/modules/config/vte.nix index a969607f6e0b..48f85246560a 100644 --- a/nixos/modules/config/vte.nix +++ b/nixos/modules/config/vte.nix @@ -1,5 +1,3 @@ -# VTE - { config, pkgs, lib, ... }: with lib; @@ -9,7 +7,7 @@ let vteInitSnippet = '' # Show current working directory in VTE terminals window title. # Supports both bash and zsh, requires interactive shell. - . ${pkgs.vte}/etc/profile.d/vte.sh + . ${pkgs.vte.override { gtkVersion = null; }}/etc/profile.d/vte.sh ''; in diff --git a/nixos/modules/config/xdg/portal.nix b/nixos/modules/config/xdg/portal.nix index 07d4fa76c2e8..5aa23377f9ff 100644 --- a/nixos/modules/config/xdg/portal.nix +++ b/nixos/modules/config/xdg/portal.nix @@ -119,19 +119,6 @@ in let cfg = config.xdg.portal; packages = [ pkgs.xdg-desktop-portal ] ++ cfg.extraPortals; - configPackages = cfg.configPackages; - - joinedPortals = pkgs.buildEnv { - name = "xdg-portals"; - paths = packages; - pathsToLink = [ "/share/xdg-desktop-portal/portals" "/share/applications" ]; - }; - - joinedPortalConfigs = pkgs.buildEnv { - name = "xdg-portal-configs"; - paths = configPackages; - pathsToLink = [ "/share/xdg-desktop-portal" ]; - }; in mkIf cfg.enable { warnings = lib.optional (cfg.configPackages == [ ] && cfg.config == { }) '' @@ -158,17 +145,18 @@ in systemd.packages = packages; environment = { - # fixes screen sharing on plasmawayland on non-chromium apps by linking - # share/applications/*.desktop files - # see https://github.com/NixOS/nixpkgs/issues/145174 - systemPackages = [ joinedPortals ]; - pathsToLink = [ "/share/applications" ]; + systemPackages = packages ++ cfg.configPackages; + pathsToLink = [ + # Portal definitions and upstream desktop environment portal configurations. + "/share/xdg-desktop-portal" + # .desktop files to register fallback icon and app name. + "/share/applications" + ]; sessionVariables = { GTK_USE_PORTAL = mkIf cfg.gtkUsePortal "1"; NIXOS_XDG_OPEN_USE_PORTAL = mkIf cfg.xdgOpenUsePortal "1"; - XDG_DESKTOP_PORTAL_DIR = "${joinedPortals}/share/xdg-desktop-portal/portals"; - NIXOS_XDG_DESKTOP_PORTAL_CONFIG_DIR = mkIf (cfg.configPackages != [ ]) "${joinedPortalConfigs}/share/xdg-desktop-portal"; + NIX_XDG_DESKTOP_PORTAL_DIR = "/run/current-system/sw/share/xdg-desktop-portal/portals"; }; etc = lib.concatMapAttrs diff --git a/nixos/modules/hardware/printers.nix b/nixos/modules/hardware/printers.nix index 846ff6f3fb4f..4fb6a192cdd2 100644 --- a/nixos/modules/hardware/printers.nix +++ b/nixos/modules/hardware/printers.nix @@ -2,18 +2,23 @@ with lib; let cfg = config.hardware.printers; - ppdOptionsString = options: optionalString (options != {}) - (concatStringsSep " " - (mapAttrsToList (name: value: "-o '${name}'='${value}'") options) - ); - ensurePrinter = p: '' - ${pkgs.cups}/bin/lpadmin -p '${p.name}' -E \ - ${optionalString (p.location != null) "-L '${p.location}'"} \ - ${optionalString (p.description != null) "-D '${p.description}'"} \ - -v '${p.deviceUri}' \ - -m '${p.model}' \ - ${ppdOptionsString p.ppdOptions} + + ensurePrinter = p: let + args = cli.toGNUCommandLineShell {} ({ + p = p.name; + v = p.deviceUri; + m = p.model; + } // optionalAttrs (p.location != null) { + L = p.location; + } // optionalAttrs (p.description != null) { + D = p.description; + } // optionalAttrs (p.ppdOptions != {}) { + o = mapAttrsToList (name: value: "'${name}'='${value}'") p.ppdOptions; + }); + in '' + ${pkgs.cups}/bin/lpadmin ${args} -E ''; + ensureDefaultPrinter = name: '' ${pkgs.cups}/bin/lpadmin -d '${name}' ''; diff --git a/nixos/modules/installer/cd-dvd/installation-cd-minimal-new-kernel-no-zfs.nix b/nixos/modules/installer/cd-dvd/installation-cd-minimal-new-kernel-no-zfs.nix index 9d09cdbe0206..fc3cb08bdbbb 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-minimal-new-kernel-no-zfs.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-minimal-new-kernel-no-zfs.nix @@ -1,15 +1,7 @@ -{ pkgs, ... }: +{ lib, ... }: { imports = [ ./installation-cd-minimal-new-kernel.nix ]; - # Makes `availableOn` fail for zfs, see <nixos/modules/profiles/base.nix>. - # This is a workaround since we cannot remove the `"zfs"` string from `supportedFilesystems`. - # The proper fix would be to make `supportedFilesystems` an attrset with true/false which we - # could then `lib.mkForce false` - nixpkgs.overlays = [(final: super: { - zfs = super.zfs.overrideAttrs(_: { - meta.platforms = []; - }); - })]; + boot.supportedFilesystems.zfs = lib.mkForce false; } diff --git a/nixos/modules/installer/sd-card/sd-image-aarch64-new-kernel-no-zfs-installer.nix b/nixos/modules/installer/sd-card/sd-image-aarch64-new-kernel-no-zfs-installer.nix index 0e5055960294..da5410057887 100644 --- a/nixos/modules/installer/sd-card/sd-image-aarch64-new-kernel-no-zfs-installer.nix +++ b/nixos/modules/installer/sd-card/sd-image-aarch64-new-kernel-no-zfs-installer.nix @@ -1,15 +1,7 @@ -{ pkgs, ... }: +{ lib, ... }: { imports = [ ./sd-image-aarch64-new-kernel-installer.nix ]; - # Makes `availableOn` fail for zfs, see <nixos/modules/profiles/base.nix>. - # This is a workaround since we cannot remove the `"zfs"` string from `supportedFilesystems`. - # The proper fix would be to make `supportedFilesystems` an attrset with true/false which we - # could then `lib.mkForce false` - nixpkgs.overlays = [(final: super: { - zfs = super.zfs.overrideAttrs(_: { - meta.platforms = []; - }); - })]; + boot.supportedFilesystems.zfs = lib.mkForce false; } diff --git a/nixos/modules/misc/nixpkgs-flake.nix b/nixos/modules/misc/nixpkgs-flake.nix new file mode 100644 index 000000000000..8bfe05ca1994 --- /dev/null +++ b/nixos/modules/misc/nixpkgs-flake.nix @@ -0,0 +1,105 @@ +{ config, options, lib, pkgs, ... }: + +with lib; + +let + cfg = config.nixpkgs.flake; +in +{ + options.nixpkgs.flake = { + source = mkOption { + # In newer Nix versions, particularly with lazy trees, outPath of + # flakes becomes a Nix-language path object. We deliberately allow this + # to gracefully come through the interface in discussion with @roberth. + # + # See: https://github.com/NixOS/nixpkgs/pull/278522#discussion_r1460292639 + type = types.nullOr (types.either types.str types.path); + + default = null; + defaultText = "if (using nixpkgsFlake.lib.nixosSystem) then self.outPath else null"; + + example = ''builtins.fetchTarball { name = "source"; sha256 = "${lib.fakeHash}"; url = "https://github.com/nixos/nixpkgs/archive/somecommit.tar.gz"; }''; + + description = mdDoc '' + The path to the nixpkgs sources used to build the system. This is automatically set up to be + the store path of the nixpkgs flake used to build the system if using + `nixpkgs.lib.nixosSystem`, and is otherwise null by default. + + This can also be optionally set if the NixOS system is not built with a flake but still uses + pinned sources: set this to the store path for the nixpkgs sources used to build the system, + as may be obtained by `builtins.fetchTarball`, for example. + + Note: the name of the store path must be "source" due to + <https://github.com/NixOS/nix/issues/7075>. + ''; + }; + + setNixPath = mkOption { + type = types.bool; + + default = cfg.source != null; + defaultText = "config.nixpkgs.flake.source != null"; + + description = mdDoc '' + Whether to set {env}`NIX_PATH` to include `nixpkgs=flake:nixpkgs` such that `<nixpkgs>` + lookups receive the version of nixpkgs that the system was built with, in concert with + {option}`nixpkgs.flake.setFlakeRegistry`. + + This is on by default for NixOS configurations built with flakes. + + This makes {command}`nix-build '<nixpkgs>' -A hello` work out of the box on flake systems. + + Note that this option makes the NixOS closure depend on the nixpkgs sources, which may add + undesired closure size if the system will not have any nix commands run on it. + ''; + }; + + setFlakeRegistry = mkOption { + type = types.bool; + + default = cfg.source != null; + defaultText = "config.nixpkgs.flake.source != null"; + + description = mdDoc '' + Whether to pin nixpkgs in the system-wide flake registry (`/etc/nix/registry.json`) to the + store path of the sources of nixpkgs used to build the NixOS system. + + This is on by default for NixOS configurations built with flakes. + + This option makes {command}`nix run nixpkgs#hello` reuse dependencies from the system, avoid + refetching nixpkgs, and have a consistent result every time. + + Note that this option makes the NixOS closure depend on the nixpkgs sources, which may add + undesired closure size if the system will not have any nix commands run on it. + ''; + }; + }; + + config = mkIf (cfg.source != null) (mkMerge [ + { + assertions = [ + { + assertion = cfg.setNixPath -> cfg.setFlakeRegistry; + message = '' + Setting `nixpkgs.flake.setNixPath` requires that `nixpkgs.flake.setFlakeRegistry` also + be set, since it is implemented in terms of indirection through the flake registry. + ''; + } + ]; + } + (mkIf cfg.setFlakeRegistry { + nix.registry.nixpkgs.to = mkDefault { + type = "path"; + path = cfg.source; + }; + }) + (mkIf cfg.setNixPath { + # N.B. This does not include nixos-config in NIX_PATH unlike modules/config/nix-channel.nix + # because we would need some kind of evil shim taking the *calling* flake's self path, + # perhaps, to ever make that work (in order to know where the Nix expr for the system came + # from and how to call it). + nix.nixPath = mkDefault ([ "nixpkgs=flake:nixpkgs" ] + ++ optional config.nix.channel.enable "/nix/var/nix/profiles/per-user/root/channels"); + }) + ]); +} diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index c9e6c3794ffe..8683af5ed439 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -133,6 +133,7 @@ ./misc/meta.nix ./misc/nixops-autoluks.nix ./misc/nixpkgs.nix + ./misc/nixpkgs-flake.nix ./misc/passthru.nix ./misc/version.nix ./misc/wordlist.nix @@ -241,6 +242,7 @@ ./programs/proxychains.nix ./programs/qdmr.nix ./programs/qt5ct.nix + ./programs/quark-goldleaf.nix ./programs/regreet.nix ./programs/rog-control-center.nix ./programs/rust-motd.nix @@ -410,7 +412,6 @@ ./services/continuous-integration/buildbot/worker.nix ./services/continuous-integration/buildkite-agents.nix ./services/continuous-integration/gitea-actions-runner.nix - ./services/continuous-integration/github-runner.nix ./services/continuous-integration/github-runners.nix ./services/continuous-integration/gitlab-runner.nix ./services/continuous-integration/gocd-agent/default.nix @@ -546,6 +547,7 @@ ./services/hardware/kanata.nix ./services/hardware/lcd.nix ./services/hardware/lirc.nix + ./services/hardware/nvidia-container-toolkit-cdi-generator ./services/hardware/nvidia-optimus.nix ./services/hardware/openrgb.nix ./services/hardware/pcscd.nix @@ -840,6 +842,7 @@ ./services/monitoring/riemann.nix ./services/monitoring/rustdesk-server.nix ./services/monitoring/scollector.nix + ./services/monitoring/scrutiny.nix ./services/monitoring/smartd.nix ./services/monitoring/snmpd.nix ./services/monitoring/statsd.nix @@ -898,7 +901,6 @@ ./services/networking/autossh.nix ./services/networking/avahi-daemon.nix ./services/networking/babeld.nix - ./services/networking/bee-clef.nix ./services/networking/bee.nix ./services/networking/biboumi.nix ./services/networking/bind.nix @@ -963,6 +965,7 @@ ./services/networking/gns3-server.nix ./services/networking/gnunet.nix ./services/networking/go-autoconfig.nix + ./services/networking/go-camo.nix ./services/networking/go-neb.nix ./services/networking/go-shadowsocks2.nix ./services/networking/gobgpd.nix @@ -1401,7 +1404,6 @@ ./services/web-servers/unit/default.nix ./services/web-servers/uwsgi.nix ./services/web-servers/varnish/default.nix - ./services/web-servers/zope2.nix ./services/x11/clight.nix ./services/x11/colord.nix ./services/x11/desktop-managers/default.nix diff --git a/nixos/modules/programs/ccache.nix b/nixos/modules/programs/ccache.nix index 567c853e8c7d..7972b2ac4a56 100644 --- a/nixos/modules/programs/ccache.nix +++ b/nixos/modules/programs/ccache.nix @@ -1,35 +1,43 @@ { config, pkgs, lib, ... }: -with lib; let cfg = config.programs.ccache; in { options.programs.ccache = { # host configuration - enable = mkEnableOption (lib.mdDoc "CCache"); - cacheDir = mkOption { - type = types.path; + enable = lib.mkEnableOption (lib.mdDoc "CCache"); + cacheDir = lib.mkOption { + type = lib.types.path; description = lib.mdDoc "CCache directory"; default = "/var/cache/ccache"; }; # target configuration - packageNames = mkOption { - type = types.listOf types.str; + packageNames = lib.mkOption { + type = lib.types.listOf lib.types.str; description = lib.mdDoc "Nix top-level packages to be compiled using CCache"; default = []; example = [ "wxGTK32" "ffmpeg" "libav_all" ]; }; + owner = lib.mkOption { + type = lib.types.str; + default = "root"; + description = lib.mdDoc "Owner of CCache directory"; + }; + group = lib.mkOption { + type = lib.types.str; + default = "nixbld"; + description = lib.mdDoc "Group owner of CCache directory"; + }; }; - config = mkMerge [ + config = lib.mkMerge [ # host configuration - (mkIf cfg.enable { - systemd.tmpfiles.rules = [ "d ${cfg.cacheDir} 0770 root nixbld -" ]; + (lib.mkIf cfg.enable { + systemd.tmpfiles.rules = [ "d ${cfg.cacheDir} 0770 ${cfg.owner} ${cfg.group} -" ]; # "nix-ccache --show-stats" and "nix-ccache --clear" security.wrappers.nix-ccache = { - owner = "root"; - group = "nixbld"; + inherit (cfg) owner group; setuid = false; setgid = true; source = pkgs.writeScript "nix-ccache.pl" '' @@ -50,9 +58,9 @@ in { }) # target configuration - (mkIf (cfg.packageNames != []) { + (lib.mkIf (cfg.packageNames != []) { nixpkgs.overlays = [ - (self: super: genAttrs cfg.packageNames (pn: super.${pn}.override { stdenv = builtins.trace "with ccache: ${pn}" self.ccacheStdenv; })) + (self: super: lib.genAttrs cfg.packageNames (pn: super.${pn}.override { stdenv = builtins.trace "with ccache: ${pn}" self.ccacheStdenv; })) (self: super: { ccacheWrapper = super.ccacheWrapper.override { @@ -65,7 +73,7 @@ in { echo "Directory '$CCACHE_DIR' does not exist" echo "Please create it with:" echo " sudo mkdir -m0770 '$CCACHE_DIR'" - echo " sudo chown root:nixbld '$CCACHE_DIR'" + echo " sudo chown ${cfg.owner}:${cfg.group} '$CCACHE_DIR'" echo "=====" exit 1 fi diff --git a/nixos/modules/programs/chromium.nix b/nixos/modules/programs/chromium.nix index 287d93c82cad..45a9e9e2a689 100644 --- a/nixos/modules/programs/chromium.nix +++ b/nixos/modules/programs/chromium.nix @@ -23,7 +23,7 @@ in enablePlasmaBrowserIntegration = mkEnableOption (lib.mdDoc "Native Messaging Host for Plasma Browser Integration"); - plasmaBrowserIntegrationPackage = mkPackageOption pkgs "plasma5Packages.plasma-browser-integration" { }; + plasmaBrowserIntegrationPackage = mkPackageOption pkgs [ "plasma5Packages" "plasma-browser-integration" ] { }; extensions = mkOption { type = with types; nullOr (listOf str); diff --git a/nixos/modules/programs/quark-goldleaf.nix b/nixos/modules/programs/quark-goldleaf.nix new file mode 100644 index 000000000000..71aadc8c594e --- /dev/null +++ b/nixos/modules/programs/quark-goldleaf.nix @@ -0,0 +1,18 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.programs.quark-goldleaf; +in +{ + options = { + programs.quark-goldleaf = { + enable = lib.mkEnableOption "quark-goldleaf with udev rules applied"; + }; + }; + + config = lib.mkIf cfg.enable { + environment.systemPackages = [ pkgs.quark-goldleaf ]; + services.udev.packages = [ pkgs.quark-goldleaf ]; + }; + + meta.maintainers = pkgs.quark-goldleaf.meta.maintainers; +} diff --git a/nixos/modules/programs/steam.nix b/nixos/modules/programs/steam.nix index 29c449c16946..c7f1e622f7ba 100644 --- a/nixos/modules/programs/steam.nix +++ b/nixos/modules/programs/steam.nix @@ -82,6 +82,14 @@ in { ''; }; + localNetworkGameTransfers.openFirewall = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Open ports in the firewall for Steam Local Network Game Transfers. + ''; + }; + gamescopeSession = mkOption { description = mdDoc "Run a GameScope driven Steam session from your display-manager"; default = {}; @@ -139,15 +147,23 @@ in { ] ++ lib.optional cfg.gamescopeSession.enable steam-gamescope; networking.firewall = lib.mkMerge [ + (mkIf (cfg.remotePlay.openFirewall || cfg.localNetworkGameTransfers.openFirewall) { + allowedUDPPorts = [ 27036 ]; # Peer discovery + }) + (mkIf cfg.remotePlay.openFirewall { allowedTCPPorts = [ 27036 ]; - allowedUDPPortRanges = [ { from = 27031; to = 27036; } ]; + allowedUDPPortRanges = [ { from = 27031; to = 27035; } ]; }) (mkIf cfg.dedicatedServer.openFirewall { allowedTCPPorts = [ 27015 ]; # SRCDS Rcon port allowedUDPPorts = [ 27015 ]; # Gameplay traffic }) + + (mkIf cfg.localNetworkGameTransfers.openFirewall { + allowedTCPPorts = [ 27040 ]; # Data transfers + }) ]; }; diff --git a/nixos/modules/programs/yazi.nix b/nixos/modules/programs/yazi.nix index 273a7eeed05f..338eddb60d80 100644 --- a/nixos/modules/programs/yazi.nix +++ b/nixos/modules/programs/yazi.nix @@ -22,7 +22,7 @@ in description = lib.mdDoc '' Configuration included in `${name}.toml`. - See https://github.com/sxyazi/yazi/blob/v${cfg.package.version}/config/docs/${name}.md for documentation. + See https://yazi-rs.github.io/docs/configuration/${name}/ for documentation. ''; })) names); @@ -47,7 +47,5 @@ in }; meta = { maintainers = with lib.maintainers; [ linsui ]; - # The version of the package is used in the doc. - buildDocsInSandbox = false; }; } diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix index 3cd56bff04d1..ae188ea709dd 100644 --- a/nixos/modules/security/ca.nix +++ b/nixos/modules/security/ca.nix @@ -11,7 +11,8 @@ let extraCertificateFiles = cfg.certificateFiles; extraCertificateStrings = cfg.certificates; }; - caBundle = "${cacertPackage}/etc/ssl/certs/ca-bundle.crt"; + caBundleName = if cfg.useCompatibleBundle then "ca-no-trust-rules-bundle.crt" else "ca-bundle.crt"; + caBundle = "${cacertPackage}/etc/ssl/certs/${caBundleName}"; in @@ -23,6 +24,17 @@ in internal = true; }; + security.pki.useCompatibleBundle = mkEnableOption ''usage of a compatibility bundle. + + Such a bundle consist exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`, + which is a OpenSSL specific PEM format. + + It is known to be incompatible with certain software stacks. + + Nevertheless, enabling this will strip all additional trust rules provided by the + certificates themselves, this can have security consequences depending on your usecases. + ''; + security.pki.certificateFiles = mkOption { type = types.listOf types.path; default = []; diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix index 3fb916c76971..a920b6cb1268 100644 --- a/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixos/modules/services/cluster/kubernetes/default.nix @@ -285,7 +285,7 @@ in { systemd.tmpfiles.rules = [ "d /opt/cni/bin 0755 root root -" "d /run/kubernetes 0755 kubernetes kubernetes -" - "d /var/lib/kubernetes 0755 kubernetes kubernetes -" + "d ${cfg.dataDir} 0755 kubernetes kubernetes -" ]; users.users.kubernetes = { @@ -294,6 +294,7 @@ in { group = "kubernetes"; home = cfg.dataDir; createHome = true; + homeMode = "755"; }; users.groups.kubernetes.gid = config.ids.gids.kubernetes; diff --git a/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixos/modules/services/cluster/kubernetes/kubelet.nix index fd2dce7ee6a2..313dbe234018 100644 --- a/nixos/modules/services/cluster/kubernetes/kubelet.nix +++ b/nixos/modules/services/cluster/kubernetes/kubelet.nix @@ -33,6 +33,41 @@ let kubeconfig = top.lib.mkKubeConfig "kubelet" cfg.kubeconfig; + # Flag based settings are deprecated, use the `--config` flag with a + # `KubeletConfiguration` struct. + # https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ + # + # NOTE: registerWithTaints requires a []core/v1.Taint, therefore requires + # additional work to be put in config format. + # + kubeletConfig = pkgs.writeText "kubelet-config" (builtins.toJSON ({ + apiVersion = "kubelet.config.k8s.io/v1beta1"; + kind = "KubeletConfiguration"; + address = cfg.address; + port = cfg.port; + authentication = { + x509 = lib.optionalAttrs (cfg.clientCaFile != null) { clientCAFile = cfg.clientCaFile; }; + webhook = { + enabled = true; + cacheTTL = "10s"; + }; + }; + authorization = { + mode = "Webhook"; + }; + cgroupDriver = "systemd"; + hairpinMode = "hairpin-veth"; + registerNode = cfg.registerNode; + containerRuntimeEndpoint = cfg.containerRuntimeEndpoint; + healthzPort = cfg.healthz.port; + healthzBindAddress = cfg.healthz.bind; + } // lib.optionalAttrs (cfg.tlsCertFile != null) { tlsCertFile = cfg.tlsCertFile; } + // lib.optionalAttrs (cfg.tlsKeyFile != null) { tlsPrivateKeyFile = cfg.tlsKeyFile; } + // lib.optionalAttrs (cfg.clusterDomain != "") { clusterDomain = cfg.clusterDomain; } + // lib.optionalAttrs (cfg.clusterDns != "") { clusterDNS = [ cfg.clusterDns ] ; } + // lib.optionalAttrs (cfg.featureGates != []) { featureGates = cfg.featureGates; } + )); + manifestPath = "kubernetes/manifests"; taintOptions = with lib.types; { name, ... }: { @@ -294,21 +329,7 @@ in Restart = "on-failure"; RestartSec = "1000ms"; ExecStart = ''${top.package}/bin/kubelet \ - --address=${cfg.address} \ - --authentication-token-webhook \ - --authentication-token-webhook-cache-ttl="10s" \ - --authorization-mode=Webhook \ - ${optionalString (cfg.clientCaFile != null) - "--client-ca-file=${cfg.clientCaFile}"} \ - ${optionalString (cfg.clusterDns != "") - "--cluster-dns=${cfg.clusterDns}"} \ - ${optionalString (cfg.clusterDomain != "") - "--cluster-domain=${cfg.clusterDomain}"} \ - ${optionalString (cfg.featureGates != []) - "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \ - --hairpin-mode=hairpin-veth \ - --healthz-bind-address=${cfg.healthz.bind} \ - --healthz-port=${toString cfg.healthz.port} \ + --config=${kubeletConfig} \ --hostname-override=${cfg.hostname} \ --kubeconfig=${kubeconfig} \ ${optionalString (cfg.nodeIp != null) @@ -316,18 +337,10 @@ in --pod-infra-container-image=pause \ ${optionalString (cfg.manifests != {}) "--pod-manifest-path=/etc/${manifestPath}"} \ - --port=${toString cfg.port} \ - --register-node=${boolToString cfg.registerNode} \ ${optionalString (taints != "") "--register-with-taints=${taints}"} \ --root-dir=${top.dataDir} \ - ${optionalString (cfg.tlsCertFile != null) - "--tls-cert-file=${cfg.tlsCertFile}"} \ - ${optionalString (cfg.tlsKeyFile != null) - "--tls-private-key-file=${cfg.tlsKeyFile}"} \ ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ - --container-runtime-endpoint=${cfg.containerRuntimeEndpoint} \ - --cgroup-driver=systemd \ ${cfg.extraOpts} ''; WorkingDirectory = top.dataDir; diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix index c47ceb218e66..a4b5cb8eda86 100644 --- a/nixos/modules/services/cluster/kubernetes/pki.nix +++ b/nixos/modules/services/cluster/kubernetes/pki.nix @@ -174,7 +174,7 @@ in '') (optionalString cfg.genCfsslAPIToken '' if [ ! -f "${cfsslAPITokenPath}" ]; then - install -u cfssl -m 400 <(head -c ${toString (cfsslAPITokenLength / 2)} /dev/urandom | od -An -t x | tr -d ' ') "${cfsslAPITokenPath}" + install -o cfssl -m 400 <(head -c ${toString (cfsslAPITokenLength / 2)} /dev/urandom | od -An -t x | tr -d ' ') "${cfsslAPITokenPath}" fi '')]); @@ -192,7 +192,8 @@ in mkdir -p "$(dirname "${certmgrAPITokenPath}")" if [ -f "${cfsslAPITokenPath}" ]; then ln -fs "${cfsslAPITokenPath}" "${certmgrAPITokenPath}" - else + elif [ ! -f "${certmgrAPITokenPath}" ]; then + # Don't remove the token if it already exists install -m 600 /dev/null "${certmgrAPITokenPath}" fi '' diff --git a/nixos/modules/services/continuous-integration/github-runner.nix b/nixos/modules/services/continuous-integration/github-runner.nix deleted file mode 100644 index 27cfee92c75a..000000000000 --- a/nixos/modules/services/continuous-integration/github-runner.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ config -, pkgs -, lib -, ... -}@args: - -with lib; - -let - cfg = config.services.github-runner; -in - -{ - options.services.github-runner = import ./github-runner/options.nix (args // { - # Users don't need to specify options.services.github-runner.name; it will default - # to the hostname. - includeNameDefault = true; - }); - - config = mkIf cfg.enable { - services.github-runners.${cfg.name} = cfg; - }; - - meta.maintainers = with maintainers; [ veehaitch newam thomasjm ]; -} diff --git a/nixos/modules/services/continuous-integration/github-runner/options.nix b/nixos/modules/services/continuous-integration/github-runner/options.nix index b9b1ea05e967..193261fc2a9f 100644 --- a/nixos/modules/services/continuous-integration/github-runner/options.nix +++ b/nixos/modules/services/continuous-integration/github-runner/options.nix @@ -1,213 +1,266 @@ -{ config -, lib +{ lib , pkgs -, includeNameDefault , ... }: with lib; - { - enable = mkOption { - default = false; - example = true; - description = lib.mdDoc '' - Whether to enable GitHub Actions runner. - - Note: GitHub recommends using self-hosted runners with private repositories only. Learn more here: - [About self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners). - ''; - type = lib.types.bool; - }; - - url = mkOption { - type = types.str; - description = lib.mdDoc '' - Repository to add the runner to. - - Changing this option triggers a new runner registration. - - IMPORTANT: If your token is org-wide (not per repository), you need to - provide a github org link, not a single repository, so do it like this - `https://github.com/nixos`, not like this - `https://github.com/nixos/nixpkgs`. - Otherwise, you are going to get a `404 NotFound` - from `POST https://api.github.com/actions/runner-registration` - in the configure script. - ''; - example = "https://github.com/nixos/nixpkgs"; - }; - - tokenFile = mkOption { - type = types.path; - description = lib.mdDoc '' - The full path to a file which contains either - - * a fine-grained personal access token (PAT), - * a classic PAT - * or a runner registration token - - Changing this option or the `tokenFile`’s content triggers a new runner registration. - - We suggest using the fine-grained PATs. A runner registration token is valid - only for 1 hour after creation, so the next time the runner configuration changes - this will give you hard-to-debug HTTP 404 errors in the configure step. - - The file should contain exactly one line with the token without any newline. - (Use `echo -n '…token…' > …token file…` to make sure no newlines sneak in.) - - If the file contains a PAT, the service creates a new registration token - on startup as needed. - If a registration token is given, it can be used to re-register a runner of the same - name but is time-limited as noted above. - - For fine-grained PATs: - - Give it "Read and Write access to organization/repository self hosted runners", - depending on whether it is organization wide or per-repository. You might have to - experiment a little, fine-grained PATs are a `beta` Github feature and still subject - to change; nonetheless they are the best option at the moment. - - For classic PATs: - - Make sure the PAT has a scope of `admin:org` for organization-wide registrations - or a scope of `repo` for a single repository. - - For runner registration tokens: - - Nothing special needs to be done, but updating will break after one hour, - so these are not recommended. - ''; - example = "/run/secrets/github-runner/nixos.token"; - }; - - name = let - # Same pattern as for `networking.hostName` - baseType = types.strMatching "^$|^[[:alnum:]]([[:alnum:]_-]{0,61}[[:alnum:]])?$"; - in mkOption { - type = if includeNameDefault then baseType else types.nullOr baseType; - description = lib.mdDoc '' - Name of the runner to configure. Defaults to the hostname. - - Changing this option triggers a new runner registration. - ''; - example = "nixos"; - } // (if includeNameDefault then { - default = config.networking.hostName; - defaultText = literalExpression "config.networking.hostName"; - } else { - default = null; - }); - - runnerGroup = mkOption { - type = types.nullOr types.str; - description = lib.mdDoc '' - Name of the runner group to add this runner to (defaults to the default runner group). - - Changing this option triggers a new runner registration. - ''; - default = null; - }; - - extraLabels = mkOption { - type = types.listOf types.str; - description = lib.mdDoc '' - Extra labels in addition to the default (`["self-hosted", "Linux", "X64"]`). - - Changing this option triggers a new runner registration. - ''; - example = literalExpression ''[ "nixos" ]''; - default = [ ]; - }; - - replace = mkOption { - type = types.bool; - description = lib.mdDoc '' - Replace any existing runner with the same name. - - Without this flag, registering a new runner with the same name fails. - ''; - default = false; - }; - - extraPackages = mkOption { - type = types.listOf types.package; - description = lib.mdDoc '' - Extra packages to add to `PATH` of the service to make them available to workflows. - ''; - default = [ ]; - }; - - extraEnvironment = mkOption { - type = types.attrs; - description = lib.mdDoc '' - Extra environment variables to set for the runner, as an attrset. - ''; - example = { - GIT_CONFIG = "/path/to/git/config"; - }; - default = {}; - }; - - serviceOverrides = mkOption { - type = types.attrs; - description = lib.mdDoc '' - Modify the systemd service. Can be used to, e.g., adjust the sandboxing options. - See {manpage}`systemd.exec(5)` for more options. + options.services.github-runners = mkOption { + description = mdDoc '' + Multiple GitHub Runners. ''; example = { - ProtectHome = false; - RestrictAddressFamilies = [ "AF_PACKET" ]; + runner1 = { + enable = true; + url = "https://github.com/owner/repo"; + name = "runner1"; + tokenFile = "/secrets/token1"; + }; + + runner2 = { + enable = true; + url = "https://github.com/owner/repo"; + name = "runner2"; + tokenFile = "/secrets/token2"; + }; }; - default = {}; - }; - - package = mkPackageOption pkgs "github-runner" { }; - - ephemeral = mkOption { - type = types.bool; - description = lib.mdDoc '' - If enabled, causes the following behavior: - - - Passes the `--ephemeral` flag to the runner configuration script - - De-registers and stops the runner with GitHub after it has processed one job - - On stop, systemd wipes the runtime directory (this always happens, even without using the ephemeral option) - - Restarts the service after its successful exit - - On start, wipes the state directory and configures a new runner - - You should only enable this option if `tokenFile` points to a file which contains a - personal access token (PAT). If you're using the option with a registration token, restarting the - service will fail as soon as the registration token expired. - ''; - default = false; - }; - - user = mkOption { - type = types.nullOr types.str; - description = lib.mdDoc '' - User under which to run the service. If null, will use a systemd dynamic user. - ''; - default = null; - defaultText = literalExpression "username"; - }; - - workDir = mkOption { - type = with types; nullOr str; - description = lib.mdDoc '' - Working directory, available as `$GITHUB_WORKSPACE` during workflow runs - and used as a default for [repository checkouts](https://github.com/actions/checkout). - The service cleans this directory on every service start. - - A value of `null` will default to the systemd `RuntimeDirectory`. - ''; - default = null; - }; - - nodeRuntimes = mkOption { - type = with types; nonEmptyListOf (enum [ "node16" "node20" ]); - default = [ "node20" ]; - description = mdDoc '' - List of Node.js runtimes the runner should support. - ''; + default = { }; + type = types.attrsOf (types.submodule ({ name, ... }: { + options = { + enable = mkOption { + default = false; + example = true; + description = mdDoc '' + Whether to enable GitHub Actions runner. + + Note: GitHub recommends using self-hosted runners with private repositories only. Learn more here: + [About self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners). + ''; + type = types.bool; + }; + + url = mkOption { + type = types.str; + description = mdDoc '' + Repository to add the runner to. + + Changing this option triggers a new runner registration. + + IMPORTANT: If your token is org-wide (not per repository), you need to + provide a github org link, not a single repository, so do it like this + `https://github.com/nixos`, not like this + `https://github.com/nixos/nixpkgs`. + Otherwise, you are going to get a `404 NotFound` + from `POST https://api.github.com/actions/runner-registration` + in the configure script. + ''; + example = "https://github.com/nixos/nixpkgs"; + }; + + tokenFile = mkOption { + type = types.path; + description = mdDoc '' + The full path to a file which contains either + + * a fine-grained personal access token (PAT), + * a classic PAT + * or a runner registration token + + Changing this option or the `tokenFile`’s content triggers a new runner registration. + + We suggest using the fine-grained PATs. A runner registration token is valid + only for 1 hour after creation, so the next time the runner configuration changes + this will give you hard-to-debug HTTP 404 errors in the configure step. + + The file should contain exactly one line with the token without any newline. + (Use `echo -n '…token…' > …token file…` to make sure no newlines sneak in.) + + If the file contains a PAT, the service creates a new registration token + on startup as needed. + If a registration token is given, it can be used to re-register a runner of the same + name but is time-limited as noted above. + + For fine-grained PATs: + + Give it "Read and Write access to organization/repository self hosted runners", + depending on whether it is organization wide or per-repository. You might have to + experiment a little, fine-grained PATs are a `beta` Github feature and still subject + to change; nonetheless they are the best option at the moment. + + For classic PATs: + + Make sure the PAT has a scope of `admin:org` for organization-wide registrations + or a scope of `repo` for a single repository. + + For runner registration tokens: + + Nothing special needs to be done, but updating will break after one hour, + so these are not recommended. + ''; + example = "/run/secrets/github-runner/nixos.token"; + }; + + name = mkOption { + type = types.nullOr types.str; + description = mdDoc '' + Name of the runner to configure. If null, defaults to the hostname. + + Changing this option triggers a new runner registration. + ''; + example = "nixos"; + default = name; + }; + + runnerGroup = mkOption { + type = types.nullOr types.str; + description = mdDoc '' + Name of the runner group to add this runner to (defaults to the default runner group). + + Changing this option triggers a new runner registration. + ''; + default = null; + }; + + extraLabels = mkOption { + type = types.listOf types.str; + description = mdDoc '' + Extra labels in addition to the default (unless disabled through the `noDefaultLabels` option). + + Changing this option triggers a new runner registration. + ''; + example = literalExpression ''[ "nixos" ]''; + default = [ ]; + }; + + noDefaultLabels = mkOption { + type = types.bool; + description = mdDoc '' + Disables adding the default labels. Also see the `extraLabels` option. + + Changing this option triggers a new runner registration. + ''; + default = false; + }; + + replace = mkOption { + type = types.bool; + description = mdDoc '' + Replace any existing runner with the same name. + + Without this flag, registering a new runner with the same name fails. + ''; + default = false; + }; + + extraPackages = mkOption { + type = types.listOf types.package; + description = mdDoc '' + Extra packages to add to `PATH` of the service to make them available to workflows. + ''; + default = [ ]; + }; + + extraEnvironment = mkOption { + type = types.attrs; + description = mdDoc '' + Extra environment variables to set for the runner, as an attrset. + ''; + example = { + GIT_CONFIG = "/path/to/git/config"; + }; + default = { }; + }; + + serviceOverrides = mkOption { + type = types.attrs; + description = mdDoc '' + Modify the systemd service. Can be used to, e.g., adjust the sandboxing options. + See {manpage}`systemd.exec(5)` for more options. + ''; + example = { + ProtectHome = false; + RestrictAddressFamilies = [ "AF_PACKET" ]; + }; + default = { }; + }; + + package = mkPackageOption pkgs "github-runner" { }; + + ephemeral = mkOption { + type = types.bool; + description = mdDoc '' + If enabled, causes the following behavior: + + - Passes the `--ephemeral` flag to the runner configuration script + - De-registers and stops the runner with GitHub after it has processed one job + - On stop, systemd wipes the runtime directory (this always happens, even without using the ephemeral option) + - Restarts the service after its successful exit + - On start, wipes the state directory and configures a new runner + + You should only enable this option if `tokenFile` points to a file which contains a + personal access token (PAT). If you're using the option with a registration token, restarting the + service will fail as soon as the registration token expired. + + Changing this option triggers a new runner registration. + ''; + default = false; + }; + + user = mkOption { + type = types.nullOr types.str; + description = mdDoc '' + User under which to run the service. + + If this option and the `group` option is set to `null`, + the service runs as a dynamically allocated user. + + Also see the `group` option for an overview on the effects of the `user` and `group` settings. + ''; + default = null; + defaultText = literalExpression "username"; + }; + + group = mkOption { + type = types.nullOr types.str; + description = mdDoc '' + Group under which to run the service. + + The effect of this option depends on the value of the `user` option: + + - `group == null` and `user == null`: + The service runs with a dynamically allocated user and group. + - `group == null` and `user != null`: + The service runs as the given user and its default group. + - `group != null` and `user == null`: + This configuration is invalid. In this case, the service would use the given group + but run as root implicitly. If this is really what you want, set `user = "root"` explicitly. + ''; + default = null; + defaultText = literalExpression "groupname"; + }; + + workDir = mkOption { + type = with types; nullOr str; + description = mdDoc '' + Working directory, available as `$GITHUB_WORKSPACE` during workflow runs + and used as a default for [repository checkouts](https://github.com/actions/checkout). + The service cleans this directory on every service start. + + A value of `null` will default to the systemd `RuntimeDirectory`. + + Changing this option triggers a new runner registration. + ''; + default = null; + }; + + nodeRuntimes = mkOption { + type = with types; nonEmptyListOf (enum [ "node20" ]); + default = [ "node20" ]; + description = mdDoc '' + List of Node.js runtimes the runner should support. + ''; + }; + }; + })); }; } diff --git a/nixos/modules/services/continuous-integration/github-runner/service.nix b/nixos/modules/services/continuous-integration/github-runner/service.nix index 784aea0edea7..fccdcc116a21 100644 --- a/nixos/modules/services/continuous-integration/github-runner/service.nix +++ b/nixos/modules/services/continuous-integration/github-runner/service.nix @@ -1,269 +1,299 @@ { config , lib , pkgs - -, cfg ? config.services.github-runner -, svcName - -, systemdDir ? "${svcName}/${cfg.name}" - # %t: Runtime directory root (usually /run); see systemd.unit(5) -, runtimeDir ? "%t/${systemdDir}" - # %S: State directory root (usually /var/lib); see systemd.unit(5) -, stateDir ? "%S/${systemdDir}" - # %L: Log directory root (usually /var/log); see systemd.unit(5) -, logsDir ? "%L/${systemdDir}" - # Name of file stored in service state directory -, currentConfigTokenFilename ? ".current-token" - , ... }: with lib; - -let - workDir = if cfg.workDir == null then runtimeDir else cfg.workDir; - # Support old github-runner versions which don't have the `nodeRuntimes` arg yet. - package = cfg.package.override (old: optionalAttrs (hasAttr "nodeRuntimes" old) { inherit (cfg) nodeRuntimes; }); -in { - description = "GitHub Actions runner"; + config.assertions = flatten ( + flip mapAttrsToList config.services.github-runners (name: cfg: map (mkIf cfg.enable) [ + { + assertion = !cfg.noDefaultLabels || (cfg.extraLabels != [ ]); + message = "`services.github-runners.${name}`: The `extraLabels` option is mandatory if `noDefaultLabels` is set"; + } + { + assertion = cfg.group == null || cfg.user != null; + message = ''`services.github-runners.${name}`: Setting `group` while leaving `user` unset runs the service as `root`. If this is really what you want, set `user = "root"` explicitly''; + } + ]) + ); - wantedBy = [ "multi-user.target" ]; - wants = [ "network-online.target" ]; - after = [ "network.target" "network-online.target" ]; + config.systemd.services = flip mapAttrs' config.services.github-runners (name: cfg: + let + svcName = "github-runner-${name}"; + systemdDir = "github-runner/${name}"; - environment = { - HOME = workDir; - RUNNER_ROOT = stateDir; - } // cfg.extraEnvironment; + # %t: Runtime directory root (usually /run); see systemd.unit(5) + runtimeDir = "%t/${systemdDir}"; + # %S: State directory root (usually /var/lib); see systemd.unit(5) + stateDir = "%S/${systemdDir}"; + # %L: Log directory root (usually /var/log); see systemd.unit(5) + logsDir = "%L/${systemdDir}"; + # Name of file stored in service state directory + currentConfigTokenFilename = ".current-token"; - path = (with pkgs; [ - bash - coreutils - git - gnutar - gzip - ]) ++ [ - config.nix.package - ] ++ cfg.extraPackages; + workDir = if cfg.workDir == null then runtimeDir else cfg.workDir; + # Support old github-runner versions which don't have the `nodeRuntimes` arg yet. + package = cfg.package.override (old: optionalAttrs (hasAttr "nodeRuntimes" old) { inherit (cfg) nodeRuntimes; }); + in + nameValuePair svcName { + description = "GitHub Actions runner"; - serviceConfig = mkMerge [ - { - ExecStart = "${package}/bin/Runner.Listener run --startuptype service"; + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = [ "network.target" "network-online.target" ]; - # Does the following, sequentially: - # - If the module configuration or the token has changed, purge the state directory, - # and create the current and the new token file with the contents of the configured - # token. While both files have the same content, only the later is accessible by - # the service user. - # - Configure the runner using the new token file. When finished, delete it. - # - Set up the directory structure by creating the necessary symlinks. - ExecStartPre = - let - # Wrapper script which expects the full path of the state, working and logs - # directory as arguments. Overrides the respective systemd variables to provide - # unambiguous directory names. This becomes relevant, for example, if the - # caller overrides any of the StateDirectory=, RuntimeDirectory= or LogDirectory= - # to contain more than one directory. This causes systemd to set the respective - # environment variables with the path of all of the given directories, separated - # by a colon. - writeScript = name: lines: pkgs.writeShellScript "${svcName}-${name}.sh" '' - set -euo pipefail + environment = { + HOME = workDir; + RUNNER_ROOT = stateDir; + } // cfg.extraEnvironment; - STATE_DIRECTORY="$1" - WORK_DIRECTORY="$2" - LOGS_DIRECTORY="$3" + path = (with pkgs; [ + bash + coreutils + git + gnutar + gzip + ]) ++ [ + config.nix.package + ] ++ cfg.extraPackages; - ${lines} - ''; - runnerRegistrationConfig = getAttrs [ "name" "tokenFile" "url" "runnerGroup" "extraLabels" "ephemeral" "workDir" ] cfg; - newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig); - currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json"; - newConfigTokenPath = "$STATE_DIRECTORY/.new-token"; - currentConfigTokenPath = "$STATE_DIRECTORY/${currentConfigTokenFilename}"; + serviceConfig = mkMerge [ + { + ExecStart = "${package}/bin/Runner.Listener run --startuptype service"; - runnerCredFiles = [ - ".credentials" - ".credentials_rsaparams" - ".runner" - ]; - unconfigureRunner = writeScript "unconfigure" '' - copy_tokens() { - # Copy the configured token file to the state dir and allow the service user to read the file - install --mode=666 ${escapeShellArg cfg.tokenFile} "${newConfigTokenPath}" - # Also copy current file to allow for a diff on the next start - install --mode=600 ${escapeShellArg cfg.tokenFile} "${currentConfigTokenPath}" - } - clean_state() { - find "$STATE_DIRECTORY/" -mindepth 1 -delete - copy_tokens - } - diff_config() { - changed=0 - # Check for module config changes - [[ -f "${currentConfigPath}" ]] \ - && ${pkgs.diffutils}/bin/diff -q '${newConfigPath}' "${currentConfigPath}" >/dev/null 2>&1 \ - || changed=1 - # Also check the content of the token file - [[ -f "${currentConfigTokenPath}" ]] \ - && ${pkgs.diffutils}/bin/diff -q "${currentConfigTokenPath}" ${escapeShellArg cfg.tokenFile} >/dev/null 2>&1 \ - || changed=1 - # If the config has changed, remove old state and copy tokens - if [[ "$changed" -eq 1 ]]; then - echo "Config has changed, removing old runner state." - echo "The old runner will still appear in the GitHub Actions UI." \ - "You have to remove it manually." - clean_state - fi - } - if [[ "${optionalString cfg.ephemeral "1"}" ]]; then - # In ephemeral mode, we always want to start with a clean state - clean_state - elif [[ "$(ls -A "$STATE_DIRECTORY")" ]]; then - # There are state files from a previous run; diff them to decide if we need a new registration - diff_config - else - # The state directory is entirely empty which indicates a first start - copy_tokens - fi - # Always clean workDir - find -H "$WORK_DIRECTORY" -mindepth 1 -delete - ''; - configureRunner = writeScript "configure" '' - if [[ -e "${newConfigTokenPath}" ]]; then - echo "Configuring GitHub Actions Runner" - args=( - --unattended - --disableupdate - --work "$WORK_DIRECTORY" - --url ${escapeShellArg cfg.url} - --labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)} - --name ${escapeShellArg cfg.name} - ${optionalString cfg.replace "--replace"} - ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"} - ${optionalString cfg.ephemeral "--ephemeral"} - ) - # If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option, - # if it is not a PAT, we assume it contains a registration token and use the --token option - token=$(<"${newConfigTokenPath}") - if [[ "$token" =~ ^ghp_* ]] || [[ "$token" =~ ^github_pat_* ]]; then - args+=(--pat "$token") - else - args+=(--token "$token") - fi - ${package}/bin/Runner.Listener configure "''${args[@]}" - # Move the automatically created _diag dir to the logs dir - mkdir -p "$STATE_DIRECTORY/_diag" - cp -r "$STATE_DIRECTORY/_diag/." "$LOGS_DIRECTORY/" - rm -rf "$STATE_DIRECTORY/_diag/" - # Cleanup token from config - rm "${newConfigTokenPath}" - # Symlink to new config - ln -s '${newConfigPath}' "${currentConfigPath}" - fi - ''; - setupWorkDir = writeScript "setup-work-dirs" '' - # Link _diag dir - ln -s "$LOGS_DIRECTORY" "$WORK_DIRECTORY/_diag" + # Does the following, sequentially: + # - If the module configuration or the token has changed, purge the state directory, + # and create the current and the new token file with the contents of the configured + # token. While both files have the same content, only the later is accessible by + # the service user. + # - Configure the runner using the new token file. When finished, delete it. + # - Set up the directory structure by creating the necessary symlinks. + ExecStartPre = + let + # Wrapper script which expects the full path of the state, working and logs + # directory as arguments. Overrides the respective systemd variables to provide + # unambiguous directory names. This becomes relevant, for example, if the + # caller overrides any of the StateDirectory=, RuntimeDirectory= or LogDirectory= + # to contain more than one directory. This causes systemd to set the respective + # environment variables with the path of all of the given directories, separated + # by a colon. + writeScript = name: lines: pkgs.writeShellScript "${svcName}-${name}.sh" '' + set -euo pipefail - # Link the runner credentials to the work dir - ln -s "$STATE_DIRECTORY"/{${lib.concatStringsSep "," runnerCredFiles}} "$WORK_DIRECTORY/" - ''; - in - map (x: "${x} ${escapeShellArgs [ stateDir workDir logsDir ]}") [ - "+${unconfigureRunner}" # runs as root - configureRunner - setupWorkDir - ]; + STATE_DIRECTORY="$1" + WORK_DIRECTORY="$2" + LOGS_DIRECTORY="$3" - # If running in ephemeral mode, restart the service on-exit (i.e., successful de-registration of the runner) - # to trigger a fresh registration. - Restart = if cfg.ephemeral then "on-success" else "no"; - # If the runner exits with `ReturnCode.RetryableError = 2`, always restart the service: - # https://github.com/actions/runner/blob/40ed7f8/src/Runner.Common/Constants.cs#L146 - RestartForceExitStatus = [ 2 ]; + ${lines} + ''; + runnerRegistrationConfig = getAttrs [ + "ephemeral" + "extraLabels" + "name" + "noDefaultLabels" + "runnerGroup" + "tokenFile" + "url" + "workDir" + ] + cfg; + newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig); + currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json"; + newConfigTokenPath = "$STATE_DIRECTORY/.new-token"; + currentConfigTokenPath = "$STATE_DIRECTORY/${currentConfigTokenFilename}"; - # Contains _diag - LogsDirectory = [ systemdDir ]; - # Default RUNNER_ROOT which contains ephemeral Runner data - RuntimeDirectory = [ systemdDir ]; - # Home of persistent runner data, e.g., credentials - StateDirectory = [ systemdDir ]; - StateDirectoryMode = "0700"; - WorkingDirectory = workDir; + runnerCredFiles = [ + ".credentials" + ".credentials_rsaparams" + ".runner" + ]; + unconfigureRunner = writeScript "unconfigure" '' + copy_tokens() { + # Copy the configured token file to the state dir and allow the service user to read the file + install --mode=666 ${escapeShellArg cfg.tokenFile} "${newConfigTokenPath}" + # Also copy current file to allow for a diff on the next start + install --mode=600 ${escapeShellArg cfg.tokenFile} "${currentConfigTokenPath}" + } + clean_state() { + find "$STATE_DIRECTORY/" -mindepth 1 -delete + copy_tokens + } + diff_config() { + changed=0 + # Check for module config changes + [[ -f "${currentConfigPath}" ]] \ + && ${pkgs.diffutils}/bin/diff -q '${newConfigPath}' "${currentConfigPath}" >/dev/null 2>&1 \ + || changed=1 + # Also check the content of the token file + [[ -f "${currentConfigTokenPath}" ]] \ + && ${pkgs.diffutils}/bin/diff -q "${currentConfigTokenPath}" ${escapeShellArg cfg.tokenFile} >/dev/null 2>&1 \ + || changed=1 + # If the config has changed, remove old state and copy tokens + if [[ "$changed" -eq 1 ]]; then + echo "Config has changed, removing old runner state." + echo "The old runner will still appear in the GitHub Actions UI." \ + "You have to remove it manually." + clean_state + fi + } + if [[ "${optionalString cfg.ephemeral "1"}" ]]; then + # In ephemeral mode, we always want to start with a clean state + clean_state + elif [[ "$(ls -A "$STATE_DIRECTORY")" ]]; then + # There are state files from a previous run; diff them to decide if we need a new registration + diff_config + else + # The state directory is entirely empty which indicates a first start + copy_tokens + fi + # Always clean workDir + find -H "$WORK_DIRECTORY" -mindepth 1 -delete + ''; + configureRunner = writeScript "configure" '' + if [[ -e "${newConfigTokenPath}" ]]; then + echo "Configuring GitHub Actions Runner" + args=( + --unattended + --disableupdate + --work "$WORK_DIRECTORY" + --url ${escapeShellArg cfg.url} + --labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)} + ${optionalString (cfg.name != null ) "--name ${escapeShellArg cfg.name}"} + ${optionalString cfg.replace "--replace"} + ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"} + ${optionalString cfg.ephemeral "--ephemeral"} + ${optionalString cfg.noDefaultLabels "--no-default-labels"} + ) + # If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option, + # if it is not a PAT, we assume it contains a registration token and use the --token option + token=$(<"${newConfigTokenPath}") + if [[ "$token" =~ ^ghp_* ]] || [[ "$token" =~ ^github_pat_* ]]; then + args+=(--pat "$token") + else + args+=(--token "$token") + fi + ${package}/bin/Runner.Listener configure "''${args[@]}" + # Move the automatically created _diag dir to the logs dir + mkdir -p "$STATE_DIRECTORY/_diag" + cp -r "$STATE_DIRECTORY/_diag/." "$LOGS_DIRECTORY/" + rm -rf "$STATE_DIRECTORY/_diag/" + # Cleanup token from config + rm "${newConfigTokenPath}" + # Symlink to new config + ln -s '${newConfigPath}' "${currentConfigPath}" + fi + ''; + setupWorkDir = writeScript "setup-work-dirs" '' + # Link _diag dir + ln -s "$LOGS_DIRECTORY" "$WORK_DIRECTORY/_diag" - InaccessiblePaths = [ - # Token file path given in the configuration, if visible to the service - "-${cfg.tokenFile}" - # Token file in the state directory - "${stateDir}/${currentConfigTokenFilename}" - ]; + # Link the runner credentials to the work dir + ln -s "$STATE_DIRECTORY"/{${lib.concatStringsSep "," runnerCredFiles}} "$WORK_DIRECTORY/" + ''; + in + map (x: "${x} ${escapeShellArgs [ stateDir workDir logsDir ]}") [ + "+${unconfigureRunner}" # runs as root + configureRunner + setupWorkDir + ]; - KillSignal = "SIGINT"; + # If running in ephemeral mode, restart the service on-exit (i.e., successful de-registration of the runner) + # to trigger a fresh registration. + Restart = if cfg.ephemeral then "on-success" else "no"; + # If the runner exits with `ReturnCode.RetryableError = 2`, always restart the service: + # https://github.com/actions/runner/blob/40ed7f8/src/Runner.Common/Constants.cs#L146 + RestartForceExitStatus = [ 2 ]; - # Hardening (may overlap with DynamicUser=) - # The following options are only for optimizing: - # systemd-analyze security github-runner - AmbientCapabilities = mkBefore [ "" ]; - CapabilityBoundingSet = mkBefore [ "" ]; - # ProtectClock= adds DeviceAllow=char-rtc r - DeviceAllow = mkBefore [ "" ]; - NoNewPrivileges = mkDefault true; - PrivateDevices = mkDefault true; - PrivateMounts = mkDefault true; - PrivateTmp = mkDefault true; - PrivateUsers = mkDefault true; - ProtectClock = mkDefault true; - ProtectControlGroups = mkDefault true; - ProtectHome = mkDefault true; - ProtectHostname = mkDefault true; - ProtectKernelLogs = mkDefault true; - ProtectKernelModules = mkDefault true; - ProtectKernelTunables = mkDefault true; - ProtectSystem = mkDefault "strict"; - RemoveIPC = mkDefault true; - RestrictNamespaces = mkDefault true; - RestrictRealtime = mkDefault true; - RestrictSUIDSGID = mkDefault true; - UMask = mkDefault "0066"; - ProtectProc = mkDefault "invisible"; - SystemCallFilter = mkBefore [ - "~@clock" - "~@cpu-emulation" - "~@module" - "~@mount" - "~@obsolete" - "~@raw-io" - "~@reboot" - "~capset" - "~setdomainname" - "~sethostname" - ]; - RestrictAddressFamilies = mkBefore [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ]; + # Contains _diag + LogsDirectory = [ systemdDir ]; + # Default RUNNER_ROOT which contains ephemeral Runner data + RuntimeDirectory = [ systemdDir ]; + # Home of persistent runner data, e.g., credentials + StateDirectory = [ systemdDir ]; + StateDirectoryMode = "0700"; + WorkingDirectory = workDir; - BindPaths = lib.optionals (cfg.workDir != null) [ cfg.workDir ]; + InaccessiblePaths = [ + # Token file path given in the configuration, if visible to the service + "-${cfg.tokenFile}" + # Token file in the state directory + "${stateDir}/${currentConfigTokenFilename}" + ]; + + KillSignal = "SIGINT"; + + # Hardening (may overlap with DynamicUser=) + # The following options are only for optimizing: + # systemd-analyze security github-runner + AmbientCapabilities = mkBefore [ "" ]; + CapabilityBoundingSet = mkBefore [ "" ]; + # ProtectClock= adds DeviceAllow=char-rtc r + DeviceAllow = mkBefore [ "" ]; + NoNewPrivileges = mkDefault true; + PrivateDevices = mkDefault true; + PrivateMounts = mkDefault true; + PrivateTmp = mkDefault true; + PrivateUsers = mkDefault true; + ProtectClock = mkDefault true; + ProtectControlGroups = mkDefault true; + ProtectHome = mkDefault true; + ProtectHostname = mkDefault true; + ProtectKernelLogs = mkDefault true; + ProtectKernelModules = mkDefault true; + ProtectKernelTunables = mkDefault true; + ProtectSystem = mkDefault "strict"; + RemoveIPC = mkDefault true; + RestrictNamespaces = mkDefault true; + RestrictRealtime = mkDefault true; + RestrictSUIDSGID = mkDefault true; + UMask = mkDefault "0066"; + ProtectProc = mkDefault "invisible"; + SystemCallFilter = mkBefore [ + "~@clock" + "~@cpu-emulation" + "~@module" + "~@mount" + "~@obsolete" + "~@raw-io" + "~@reboot" + "~capset" + "~setdomainname" + "~sethostname" + ]; + RestrictAddressFamilies = mkBefore [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ]; + + BindPaths = lib.optionals (cfg.workDir != null) [ cfg.workDir ]; - # Needs network access - PrivateNetwork = mkDefault false; - # Cannot be true due to Node - MemoryDenyWriteExecute = mkDefault false; + # Needs network access + PrivateNetwork = mkDefault false; + # Cannot be true due to Node + MemoryDenyWriteExecute = mkDefault false; - # The more restrictive "pid" option makes `nix` commands in CI emit - # "GC Warning: Couldn't read /proc/stat" - # You may want to set this to "pid" if not using `nix` commands - ProcSubset = mkDefault "all"; - # Coverage programs for compiled code such as `cargo-tarpaulin` disable - # ASLR (address space layout randomization) which requires the - # `personality` syscall - # You may want to set this to `true` if not using coverage tooling on - # compiled code - LockPersonality = mkDefault false; + # The more restrictive "pid" option makes `nix` commands in CI emit + # "GC Warning: Couldn't read /proc/stat" + # You may want to set this to "pid" if not using `nix` commands + ProcSubset = mkDefault "all"; + # Coverage programs for compiled code such as `cargo-tarpaulin` disable + # ASLR (address space layout randomization) which requires the + # `personality` syscall + # You may want to set this to `true` if not using coverage tooling on + # compiled code + LockPersonality = mkDefault false; - # Note that this has some interactions with the User setting; so you may - # want to consult the systemd docs if using both. - DynamicUser = mkDefault true; + DynamicUser = mkDefault true; + } + (mkIf (cfg.user != null) { + DynamicUser = false; + User = cfg.user; + }) + (mkIf (cfg.group != null) { + DynamicUser = false; + Group = cfg.group; + }) + cfg.serviceOverrides + ]; } - (mkIf (cfg.user != null) { User = cfg.user; }) - cfg.serviceOverrides - ]; + ); } diff --git a/nixos/modules/services/continuous-integration/github-runners.nix b/nixos/modules/services/continuous-integration/github-runners.nix index 66ace9580eca..4a4608c2e4f8 100644 --- a/nixos/modules/services/continuous-integration/github-runners.nix +++ b/nixos/modules/services/continuous-integration/github-runners.nix @@ -1,58 +1,10 @@ -{ config -, pkgs -, lib -, ... -}@args: - -with lib; - -let - cfg = config.services.github-runners; - -in - +{ lib, ... }: { - options.services.github-runners = mkOption { - default = {}; - type = with types; attrsOf (submodule { options = import ./github-runner/options.nix (args // { - # services.github-runners.${name}.name doesn't have a default; it falls back to ${name} below. - includeNameDefault = false; - }); }); - example = { - runner1 = { - enable = true; - url = "https://github.com/owner/repo"; - name = "runner1"; - tokenFile = "/secrets/token1"; - }; - - runner2 = { - enable = true; - url = "https://github.com/owner/repo"; - name = "runner2"; - tokenFile = "/secrets/token2"; - }; - }; - description = lib.mdDoc '' - Multiple GitHub Runners. - ''; - }; - - config = { - systemd.services = flip mapAttrs' cfg (n: v: - let - svcName = "github-runner-${n}"; - in - nameValuePair svcName - (import ./github-runner/service.nix (args // { - inherit svcName; - cfg = v // { - name = if v.name != null then v.name else n; - }; - systemdDir = "github-runner/${n}"; - })) - ); - }; + imports = [ + (lib.mkRemovedOptionModule [ "services" "github-runner" ] "Use `services.github-runners.*` instead") + ./github-runner/options.nix + ./github-runner/service.nix + ]; - meta.maintainers = with maintainers; [ veehaitch newam ]; + meta.maintainers = with lib.maintainers; [ veehaitch newam ]; } diff --git a/nixos/modules/services/continuous-integration/hydra/default.nix b/nixos/modules/services/continuous-integration/hydra/default.nix index 54bbe69703f9..b1d44e67658b 100644 --- a/nixos/modules/services/continuous-integration/hydra/default.nix +++ b/nixos/modules/services/continuous-integration/hydra/default.nix @@ -39,7 +39,7 @@ let hydra-package = let - makeWrapperArgs = concatStringsSep " " (mapAttrsToList (key: value: "--set \"${key}\" \"${value}\"") hydraEnv); + makeWrapperArgs = concatStringsSep " " (mapAttrsToList (key: value: "--set-default \"${key}\" \"${value}\"") hydraEnv); in pkgs.buildEnv rec { name = "hydra-env"; nativeBuildInputs = [ pkgs.makeWrapper ]; diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix index 128bb0862175..a6d71cca88de 100644 --- a/nixos/modules/services/databases/mysql.nix +++ b/nixos/modules/services/databases/mysql.nix @@ -7,6 +7,9 @@ let cfg = config.services.mysql; isMariaDB = lib.getName cfg.package == lib.getName pkgs.mariadb; + isOracle = lib.getName cfg.package == lib.getName pkgs.mysql80; + # Oracle MySQL has supported "notify" service type since 8.0 + hasNotify = isMariaDB || (isOracle && versionAtLeast cfg.package.version "8.0"); mysqldOptions = "--user=${cfg.user} --datadir=${cfg.dataDir} --basedir=${cfg.package}"; @@ -377,19 +380,11 @@ in # The super user account to use on *first* run of MySQL server superUser = if isMariaDB then cfg.user else "root"; in '' - ${optionalString (!isMariaDB) '' + ${optionalString (!hasNotify) '' # Wait until the MySQL server is available for use - count=0 while [ ! -e /run/mysqld/mysqld.sock ] do - if [ $count -eq 30 ] - then - echo "Tried 30 times, giving up..." - exit 1 - fi - echo "MySQL daemon not yet started. Waiting for 1 second..." - count=$((count++)) sleep 1 done ''} @@ -477,7 +472,7 @@ in serviceConfig = mkMerge [ { - Type = if isMariaDB then "notify" else "simple"; + Type = if hasNotify then "notify" else "simple"; Restart = "on-abort"; RestartSec = "5s"; diff --git a/nixos/modules/services/databases/pgbouncer.nix b/nixos/modules/services/databases/pgbouncer.nix index 65b287e84442..157d49c13161 100644 --- a/nixos/modules/services/databases/pgbouncer.nix +++ b/nixos/modules/services/databases/pgbouncer.nix @@ -66,9 +66,6 @@ let ${optionalString (cfg.adminUsers != null) "admin_users = ${cfg.adminUsers}"} ${optionalString (cfg.statsUsers != null) "stats_users = ${cfg.statsUsers}"} - # linux - pidfile = /run/pgbouncer/pgbouncer.pid - # extra ${cfg.extraConfig} ''; @@ -96,10 +93,9 @@ in { logFile = mkOption { type = types.nullOr types.str; - default = "pgbouncer.log"; + default = null; description = lib.mdDoc '' - Specifies the log file. - Either this or syslog has to be specified. + Specifies a log file in addition to journald. ''; }; @@ -601,22 +597,21 @@ in { systemd.services.pgbouncer = { description = "PgBouncer - PostgreSQL connection pooler"; - wants = [ "postgresql.service" ]; - after = [ "postgresql.service" ]; + wants = [ "network-online.target" ] ++ lib.optional config.services.postgresql.enable "postgresql.service"; + after = [ "network-online.target" ] ++ lib.optional config.services.postgresql.enable "postgresql.service"; wantedBy = [ "multi-user.target" ]; serviceConfig = { - Type = "forking"; + Type = "notify"; User = cfg.user; Group = cfg.group; - ExecStart = "${pkgs.pgbouncer}/bin/pgbouncer -d ${confFile}"; + ExecStart = "${lib.getExe pkgs.pgbouncer} ${confFile}"; ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID"; RuntimeDirectory = "pgbouncer"; - PIDFile = "/run/pgbouncer/pgbouncer.pid"; LimitNOFILE = cfg.openFilesLimit; }; }; - networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.port; + networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.listenPort; }; diff --git a/nixos/modules/services/development/lorri.nix b/nixos/modules/services/development/lorri.nix index 74f56f5890fc..df3d814d7444 100644 --- a/nixos/modules/services/development/lorri.nix +++ b/nixos/modules/services/development/lorri.nix @@ -44,8 +44,7 @@ in { serviceConfig = { ExecStart = "${cfg.package}/bin/lorri daemon"; PrivateTmp = true; - ProtectSystem = "strict"; - ProtectHome = "read-only"; + ProtectSystem = "full"; Restart = "on-failure"; }; }; diff --git a/nixos/modules/services/display-managers/greetd.nix b/nixos/modules/services/display-managers/greetd.nix index 2212f97a9ffe..c2d345152de9 100644 --- a/nixos/modules/services/display-managers/greetd.nix +++ b/nixos/modules/services/display-managers/greetd.nix @@ -78,7 +78,7 @@ in serviceConfig = { ExecStart = "${pkgs.greetd.greetd}/bin/greetd --config ${settingsFormat.generate "greetd.toml" cfg.settings}"; - Restart = mkIf cfg.restart "always"; + Restart = mkIf cfg.restart "on-success"; # Defaults from greetd upstream configuration IgnoreSIGPIPE = false; diff --git a/nixos/modules/services/games/archisteamfarm.nix b/nixos/modules/services/games/archisteamfarm.nix index c00ae8116b39..4bb7234f430f 100644 --- a/nixos/modules/services/games/archisteamfarm.nix +++ b/nixos/modules/services/games/archisteamfarm.nix @@ -270,6 +270,6 @@ in meta = { buildDocsInSandbox = false; - maintainers = with lib.maintainers; [ lom SuperSandro2000 ]; + maintainers = with lib.maintainers; [ SuperSandro2000 ]; }; } diff --git a/nixos/modules/services/games/teeworlds.nix b/nixos/modules/services/games/teeworlds.nix index bd0df1ffca57..04b611fb3cb1 100644 --- a/nixos/modules/services/games/teeworlds.nix +++ b/nixos/modules/services/games/teeworlds.nix @@ -6,13 +6,86 @@ let cfg = config.services.teeworlds; register = cfg.register; + bool = b: if b != null && b then "1" else "0"; + optionalSetting = s: setting: optionalString (s != null) "${setting} ${s}"; + lookup = attrs: key: default: if attrs ? key then attrs."${key}" else default; + + inactivePenaltyOptions = { + "spectator" = "1"; + "spectator/kick" = "2"; + "kick" = "3"; + }; + skillLevelOptions = { + "casual" = "0"; + "normal" = "1"; + "competitive" = "2"; + }; + tournamentModeOptions = { + "disable" = "0"; + "enable" = "1"; + "restrictSpectators" = "2"; + }; + teeworldsConf = pkgs.writeText "teeworlds.cfg" '' sv_port ${toString cfg.port} - sv_register ${if cfg.register then "1" else "0"} - ${optionalString (cfg.name != null) "sv_name ${cfg.name}"} - ${optionalString (cfg.motd != null) "sv_motd ${cfg.motd}"} - ${optionalString (cfg.password != null) "password ${cfg.password}"} - ${optionalString (cfg.rconPassword != null) "sv_rcon_password ${cfg.rconPassword}"} + sv_register ${bool cfg.register} + sv_name ${cfg.name} + ${optionalSetting cfg.motd "sv_motd"} + ${optionalSetting cfg.password "password"} + ${optionalSetting cfg.rconPassword "sv_rcon_password"} + + ${optionalSetting cfg.server.bindAddr "bindaddr"} + ${optionalSetting cfg.server.hostName "sv_hostname"} + sv_high_bandwidth ${bool cfg.server.enableHighBandwidth} + sv_inactivekick ${lookup inactivePenaltyOptions cfg.server.inactivePenalty "spectator/kick"} + sv_inactivekick_spec ${bool cfg.server.kickInactiveSpectators} + sv_inactivekick_time ${toString cfg.server.inactiveTime} + sv_max_clients ${toString cfg.server.maxClients} + sv_max_clients_per_ip ${toString cfg.server.maxClientsPerIP} + sv_skill_level ${lookup skillLevelOptions cfg.server.skillLevel "normal"} + sv_spamprotection ${bool cfg.server.enableSpamProtection} + + sv_gametype ${cfg.game.gameType} + sv_map ${cfg.game.map} + sv_match_swap ${bool cfg.game.swapTeams} + sv_player_ready_mode ${bool cfg.game.enableReadyMode} + sv_player_slots ${toString cfg.game.playerSlots} + sv_powerups ${bool cfg.game.enablePowerups} + sv_scorelimit ${toString cfg.game.scoreLimit} + sv_strict_spectate_mode ${bool cfg.game.restrictSpectators} + sv_teamdamage ${bool cfg.game.enableTeamDamage} + sv_timelimit ${toString cfg.game.timeLimit} + sv_tournament_mode ${lookup tournamentModeOptions cfg.server.tournamentMode "disable"} + sv_vote_kick ${bool cfg.game.enableVoteKick} + sv_vote_kick_bantime ${toString cfg.game.voteKickBanTime} + sv_vote_kick_min ${toString cfg.game.voteKickMinimumPlayers} + + ${optionalSetting cfg.server.bindAddr "bindaddr"} + ${optionalSetting cfg.server.hostName "sv_hostname"} + sv_high_bandwidth ${bool cfg.server.enableHighBandwidth} + sv_inactivekick ${lookup inactivePenaltyOptions cfg.server.inactivePenalty "spectator/kick"} + sv_inactivekick_spec ${bool cfg.server.kickInactiveSpectators} + sv_inactivekick_time ${toString cfg.server.inactiveTime} + sv_max_clients ${toString cfg.server.maxClients} + sv_max_clients_per_ip ${toString cfg.server.maxClientsPerIP} + sv_skill_level ${lookup skillLevelOptions cfg.server.skillLevel "normal"} + sv_spamprotection ${bool cfg.server.enableSpamProtection} + + sv_gametype ${cfg.game.gameType} + sv_map ${cfg.game.map} + sv_match_swap ${bool cfg.game.swapTeams} + sv_player_ready_mode ${bool cfg.game.enableReadyMode} + sv_player_slots ${toString cfg.game.playerSlots} + sv_powerups ${bool cfg.game.enablePowerups} + sv_scorelimit ${toString cfg.game.scoreLimit} + sv_strict_spectate_mode ${bool cfg.game.restrictSpectators} + sv_teamdamage ${bool cfg.game.enableTeamDamage} + sv_timelimit ${toString cfg.game.timeLimit} + sv_tournament_mode ${lookup tournamentModeOptions cfg.server.tournamentMode "disable"} + sv_vote_kick ${bool cfg.game.enableVoteKick} + sv_vote_kick_bantime ${toString cfg.game.voteKickBanTime} + sv_vote_kick_min ${toString cfg.game.voteKickMinimumPlayers} + ${concatStringsSep "\n" cfg.extraOptions} ''; @@ -22,17 +95,19 @@ in services.teeworlds = { enable = mkEnableOption (lib.mdDoc "Teeworlds Server"); + package = mkPackageOptionMD pkgs "teeworlds-server" { }; + openPorts = mkOption { type = types.bool; default = false; - description = lib.mdDoc "Whether to open firewall ports for Teeworlds"; + description = lib.mdDoc "Whether to open firewall ports for Teeworlds."; }; name = mkOption { - type = types.nullOr types.str; - default = null; + type = types.str; + default = "unnamed server"; description = lib.mdDoc '' - Name of the server. Defaults to 'unnamed server'. + Name of the server. ''; }; @@ -41,7 +116,7 @@ in example = true; default = false; description = lib.mdDoc '' - Whether the server registers as public server in the global server list. This is disabled by default because of privacy. + Whether the server registers as a public server in the global server list. This is disabled by default for privacy reasons. ''; }; @@ -49,7 +124,7 @@ in type = types.nullOr types.str; default = null; description = lib.mdDoc '' - Set the server message of the day text. + The server's message of the day text. ''; }; @@ -85,6 +160,217 @@ in ''; example = [ "sv_map dm1" "sv_gametype dm" ]; }; + + server = { + bindAddr = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc '' + The address the server will bind to. + ''; + }; + + enableHighBandwidth = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to enable high bandwidth mode on LAN servers. This will double the amount of bandwidth required for running the server. + ''; + }; + + hostName = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc '' + Hostname for the server. + ''; + }; + + inactivePenalty = mkOption { + type = types.enum [ "spectator" "spectator/kick" "kick" ]; + example = "spectator"; + default = "spectator/kick"; + description = lib.mdDoc '' + Specify what to do when a client goes inactive (see [](#opt-services.teeworlds.server.inactiveTime)). + + - `spectator`: send the client into spectator mode + + - `spectator/kick`: send the client into a free spectator slot, otherwise kick the client + + - `kick`: kick the client + ''; + }; + + kickInactiveSpectators = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to kick inactive spectators. + ''; + }; + + inactiveTime = mkOption { + type = types.ints.unsigned; + default = 3; + description = lib.mdDoc '' + The amount of minutes a client has to idle before it is considered inactive. + ''; + }; + + maxClients = mkOption { + type = types.ints.unsigned; + default = 12; + description = lib.mdDoc '' + The maximum amount of clients that can be connected to the server at the same time. + ''; + }; + + maxClientsPerIP = mkOption { + type = types.ints.unsigned; + default = 12; + description = lib.mdDoc '' + The maximum amount of clients with the same IP address that can be connected to the server at the same time. + ''; + }; + + skillLevel = mkOption { + type = types.enum [ "casual" "normal" "competitive" ]; + default = "normal"; + description = lib.mdDoc '' + The skill level shown in the server browser. + ''; + }; + + enableSpamProtection = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + Whether to enable chat spam protection. + ''; + }; + }; + + game = { + gameType = mkOption { + type = types.str; + example = "ctf"; + default = "dm"; + description = lib.mdDoc '' + The game type to use on the server. + + The default gametypes are `dm`, `tdm`, `ctf`, `lms`, and `lts`. + ''; + }; + + map = mkOption { + type = types.str; + example = "ctf5"; + default = "dm1"; + description = lib.mdDoc '' + The map to use on the server. + ''; + }; + + swapTeams = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + Whether to swap teams each round. + ''; + }; + + enableReadyMode = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to enable "ready mode"; where players can pause/unpause the game + and start the game in warmup, using their ready state. + ''; + }; + + playerSlots = mkOption { + type = types.ints.unsigned; + default = 8; + description = lib.mdDoc '' + The amount of slots to reserve for players (as opposed to spectators). + ''; + }; + + enablePowerups = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + Whether to allow powerups such as the ninja. + ''; + }; + + scoreLimit = mkOption { + type = types.ints.unsigned; + example = 400; + default = 20; + description = lib.mdDoc '' + The score limit needed to win a round. + ''; + }; + + restrictSpectators = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to restrict access to information such as health, ammo and armour in spectator mode. + ''; + }; + + enableTeamDamage = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to enable team damage; whether to allow team mates to inflict damage on one another. + ''; + }; + + timeLimit = mkOption { + type = types.ints.unsigned; + default = 0; + description = lib.mdDoc '' + Time limit of the game. In cases of equal points, there will be sudden death. + Setting this to 0 disables a time limit. + ''; + }; + + tournamentMode = mkOption { + type = types.enum [ "disable" "enable" "restrictSpectators" ]; + default = "disable"; + description = lib.mdDoc '' + Whether to enable tournament mode. In tournament mode, players join as spectators. + If this is set to `restrictSpectators`, tournament mode is enabled but spectator chat is restricted. + ''; + }; + + enableVoteKick = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + Whether to enable voting to kick players. + ''; + }; + + voteKickBanTime = mkOption { + type = types.ints.unsigned; + default = 5; + description = lib.mdDoc '' + The amount of minutes that a player is banned for if they get kicked by a vote. + ''; + }; + + voteKickMinimumPlayers = mkOption { + type = types.ints.unsigned; + default = 5; + description = lib.mdDoc '' + The minimum amount of players required to start a kick vote. + ''; + }; + }; }; }; @@ -100,7 +386,7 @@ in serviceConfig = { DynamicUser = true; - ExecStart = "${pkgs.teeworlds-server}/bin/teeworlds_srv -f ${teeworldsConf}"; + ExecStart = "${cfg.package}/bin/teeworlds_srv -f ${teeworldsConf}"; # Hardening CapabilityBoundingSet = false; diff --git a/nixos/modules/services/hardware/asusd.nix b/nixos/modules/services/hardware/asusd.nix index ebbdea26c051..ff9a751e5be8 100644 --- a/nixos/modules/services/hardware/asusd.nix +++ b/nixos/modules/services/hardware/asusd.nix @@ -8,6 +8,8 @@ in services.asusd = { enable = lib.mkEnableOption (lib.mdDoc "the asusd service for ASUS ROG laptops"); + package = lib.mkPackageOption pkgs "asusctl" { }; + enableUserService = lib.mkOption { type = lib.types.bool; default = false; @@ -73,7 +75,7 @@ in }; config = lib.mkIf cfg.enable { - environment.systemPackages = [ pkgs.asusctl ]; + environment.systemPackages = [ cfg.package ]; environment.etc = let @@ -92,9 +94,9 @@ in }; services.dbus.enable = true; - systemd.packages = [ pkgs.asusctl ]; - services.dbus.packages = [ pkgs.asusctl ]; - services.udev.packages = [ pkgs.asusctl ]; + systemd.packages = [ cfg.package ]; + services.dbus.packages = [ cfg.package ]; + services.udev.packages = [ cfg.package ]; services.supergfxd.enable = lib.mkDefault true; systemd.user.services.asusd-user.enable = cfg.enableUserService; diff --git a/nixos/modules/services/hardware/bolt.nix b/nixos/modules/services/hardware/bolt.nix index 6990a9ea63b3..3bdf67cc1758 100644 --- a/nixos/modules/services/hardware/bolt.nix +++ b/nixos/modules/services/hardware/bolt.nix @@ -1,14 +1,13 @@ -# Thunderbolt 3 device manager - { config, lib, pkgs, ...}: with lib; +let + cfg = config.services.hardware.bolt; +in { options = { - services.hardware.bolt = { - enable = mkOption { type = types.bool; default = false; @@ -20,15 +19,13 @@ with lib; ''; }; + package = mkPackageOption pkgs "bolt" { }; }; - }; - config = mkIf config.services.hardware.bolt.enable { - - environment.systemPackages = [ pkgs.bolt ]; - services.udev.packages = [ pkgs.bolt ]; - systemd.packages = [ pkgs.bolt ]; - + config = mkIf cfg.enable { + environment.systemPackages = [ cfg.package ]; + services.udev.packages = [ cfg.package ]; + systemd.packages = [ cfg.package ]; }; } diff --git a/nixos/modules/services/hardware/brltty.nix b/nixos/modules/services/hardware/brltty.nix index 3133804f485f..f96760e92c57 100644 --- a/nixos/modules/services/hardware/brltty.nix +++ b/nixos/modules/services/hardware/brltty.nix @@ -34,6 +34,7 @@ in { users.users.brltty = { description = "BRLTTY daemon user"; group = "brltty"; + isSystemUser = true; }; users.groups = { brltty = { }; diff --git a/nixos/modules/services/hardware/fwupd.nix b/nixos/modules/services/hardware/fwupd.nix index ebb6fa09aadb..8a9e38d0547b 100644 --- a/nixos/modules/services/hardware/fwupd.nix +++ b/nixos/modules/services/hardware/fwupd.nix @@ -123,6 +123,7 @@ in { }; TestDevices = mkOption { + internal = true; type = types.bool; default = false; description = lib.mdDoc '' @@ -155,6 +156,7 @@ in { (mkRenamedOptionModule [ "services" "fwupd" "blacklistPlugins"] [ "services" "fwupd" "daemonSettings" "DisabledPlugins" ]) (mkRenamedOptionModule [ "services" "fwupd" "disabledDevices" ] [ "services" "fwupd" "daemonSettings" "DisabledDevices" ]) (mkRenamedOptionModule [ "services" "fwupd" "disabledPlugins" ] [ "services" "fwupd" "daemonSettings" "DisabledPlugins" ]) + (mkRemovedOptionModule [ "services" "fwupd" "enableTestRemote" ] "This option was removed after being removed upstream. It only provided a method for testing fwupd functionality, and should not have been exposed for use outside of nix tests.") ]; ###### implementation diff --git a/nixos/modules/services/hardware/hddfancontrol.nix b/nixos/modules/services/hardware/hddfancontrol.nix index f472b5774cbf..746154e7aa17 100644 --- a/nixos/modules/services/hardware/hddfancontrol.nix +++ b/nixos/modules/services/hardware/hddfancontrol.nix @@ -60,6 +60,10 @@ in systemd.services.hddfancontrol = { wantedBy = [ "multi-user.target" ]; environment.HDDFANCONTROL_ARGS = lib.escapeShellArgs args; + serviceConfig = { + # Hardening + PrivateNetwork = true; + }; }; } ); diff --git a/nixos/modules/services/hardware/nvidia-container-toolkit-cdi-generator/cdi-generate.nix b/nixos/modules/services/hardware/nvidia-container-toolkit-cdi-generator/cdi-generate.nix new file mode 100644 index 000000000000..a90d234f65c0 --- /dev/null +++ b/nixos/modules/services/hardware/nvidia-container-toolkit-cdi-generator/cdi-generate.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs }: let + mountOptions = { options = ["ro" "nosuid" "nodev" "bind"]; }; + mounts = [ + { hostPath = "${lib.getBin config.hardware.nvidia.package}/bin/nvidia-cuda-mps-control"; + containerPath = "/usr/bin/nvidia-cuda-mps-control"; } + { hostPath = "${lib.getBin config.hardware.nvidia.package}/bin/nvidia-cuda-mps-server"; + containerPath = "/usr/bin/nvidia-cuda-mps-server"; } + { hostPath = "${lib.getBin config.hardware.nvidia.package}/bin/nvidia-debugdump"; + containerPath = "/usr/bin/nvidia-debugdump"; } + { hostPath = "${lib.getBin config.hardware.nvidia.package}/bin/nvidia-powerd"; + containerPath = "/usr/bin/nvidia-powerd"; } + { hostPath = "${lib.getBin config.hardware.nvidia.package}/bin/nvidia-smi"; + containerPath = "/usr/bin/nvidia-smi"; } + { hostPath = "${pkgs.nvidia-container-toolkit}/bin/nvidia-ctk"; + containerPath = "/usr/bin/nvidia-ctk"; } + { hostPath = "${pkgs.glibc}/lib"; + containerPath = "${pkgs.glibc}/lib"; } + { hostPath = "${pkgs.glibc}/lib64"; + containerPath = "${pkgs.glibc}/lib64"; } + ]; + jqAddMountExpression = ".containerEdits.mounts[.containerEdits.mounts | length] |= . +"; + mountsToJq = lib.concatMap + (mount: + ["${pkgs.jq}/bin/jq '${jqAddMountExpression} ${builtins.toJSON (mount // mountOptions)}'"]) + mounts; +in '' +#! ${pkgs.runtimeShell} + +function cdiGenerate { + ${pkgs.nvidia-container-toolkit}/bin/nvidia-ctk cdi generate \ + --format json \ + --ldconfig-path ${pkgs.glibc.bin}/bin/ldconfig \ + --library-search-path ${config.hardware.nvidia.package}/lib \ + --nvidia-ctk-path ${pkgs.nvidia-container-toolkit}/bin/nvidia-ctk +} + +cdiGenerate | \ + ${lib.concatStringsSep " | " mountsToJq} > $RUNTIME_DIRECTORY/nvidia-container-toolkit.json +'' diff --git a/nixos/modules/services/hardware/nvidia-container-toolkit-cdi-generator/default.nix b/nixos/modules/services/hardware/nvidia-container-toolkit-cdi-generator/default.nix new file mode 100644 index 000000000000..3c96e9c41be5 --- /dev/null +++ b/nixos/modules/services/hardware/nvidia-container-toolkit-cdi-generator/default.nix @@ -0,0 +1,38 @@ +{ config, lib, pkgs, ... }: + +{ + + options = { + + hardware.nvidia-container-toolkit-cdi-generator.enable = lib.mkOption { + default = false; + internal = true; + visible = false; + type = lib.types.bool; + description = lib.mdDoc '' + Enable dynamic CDI configuration for NVidia devices by running + nvidia-container-toolkit on boot. + ''; + }; + + }; + + config = { + + systemd.services.nvidia-container-toolkit-cdi-generator = lib.mkIf config.hardware.nvidia-container-toolkit-cdi-generator.enable { + description = "Container Device Interface (CDI) for Nvidia generator"; + wantedBy = [ "multi-user.target" ]; + after = [ "systemd-udev-settle.service" ]; + serviceConfig = { + RuntimeDirectory = "cdi"; + RemainAfterExit = true; + ExecStart = let + script = (pkgs.writeScriptBin "nvidia-cdi-generator" + (import ./cdi-generate.nix { inherit config lib pkgs; })); in (lib.getExe script); + Type = "oneshot"; + }; + }; + + }; + +} diff --git a/nixos/modules/services/hardware/pcscd.nix b/nixos/modules/services/hardware/pcscd.nix index b5963e1d29a3..77c2d9b53f03 100644 --- a/nixos/modules/services/hardware/pcscd.nix +++ b/nixos/modules/services/hardware/pcscd.nix @@ -3,6 +3,7 @@ with lib; let + cfg = config.services.pcscd; cfgFile = pkgs.writeText "reader.conf" config.services.pcscd.readerConfig; package = if config.security.polkit.enable @@ -41,6 +42,12 @@ in See {manpage}`reader.conf(5)` for valid options. ''; }; + + extraArgs = mkOption { + type = types.listOf types.str; + default = [ ]; + description = lib.mdDoc "Extra command line arguments to be passed to the PCSC daemon."; + }; }; config = mkIf config.services.pcscd.enable { @@ -64,7 +71,7 @@ in # around it, we force the path to the cfgFile. # # https://github.com/NixOS/nixpkgs/issues/121088 - serviceConfig.ExecStart = [ "" "${package}/bin/pcscd -f -x -c ${cfgFile}" ]; + serviceConfig.ExecStart = [ "" "${lib.getExe package} -f -x -c ${cfgFile} ${lib.escapeShellArgs cfg.extraArgs}" ]; }; }; } diff --git a/nixos/modules/services/hardware/thinkfan.nix b/nixos/modules/services/hardware/thinkfan.nix index cca35f492b8e..b62fb5e9f8c9 100644 --- a/nixos/modules/services/hardware/thinkfan.nix +++ b/nixos/modules/services/hardware/thinkfan.nix @@ -217,8 +217,13 @@ in { systemd.services = { thinkfan.environment.THINKFAN_ARGS = escapeShellArgs ([ "-c" configFile ] ++ cfg.extraArgs); - thinkfan.serviceConfig.Restart = "on-failure"; - thinkfan.serviceConfig.RestartSec = "30s"; + thinkfan.serviceConfig = { + Restart = "on-failure"; + RestartSec = "30s"; + + # Hardening + PrivateNetwork = true; + }; # must be added manually, see issue #81138 thinkfan.wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/hardware/undervolt.nix b/nixos/modules/services/hardware/undervolt.nix index 67d8171587bb..c4d4c6791a21 100644 --- a/nixos/modules/services/hardware/undervolt.nix +++ b/nixos/modules/services/hardware/undervolt.nix @@ -12,6 +12,7 @@ let inherit (cfg) verbose temp + turbo ; # `core` and `cache` are both intentionally set to `cfg.coreOffset` as according to the undervolt docs: # @@ -105,6 +106,14 @@ in ''; }; + turbo = mkOption { + type = types.nullOr types.int; + default = null; + description = lib.mdDoc '' + Changes the Intel Turbo feature status (1 is disabled and 0 is enabled). + ''; + }; + p1.limit = mkOption { type = with types; nullOr int; default = null; diff --git a/nixos/modules/services/home-automation/home-assistant.nix b/nixos/modules/services/home-automation/home-assistant.nix index a01628968966..3423eebe9ed6 100644 --- a/nixos/modules/services/home-automation/home-assistant.nix +++ b/nixos/modules/services/home-automation/home-assistant.nix @@ -52,7 +52,7 @@ let hasAttrByPath (splitString "." component) cfg.config || useComponentPlatform component || useExplicitComponent component - || builtins.elem component cfg.extraComponents; + || builtins.elem component (cfg.extraComponents ++ cfg.defaultIntegrations); # Final list of components passed into the package to include required dependencies extraComponents = filter useComponent availableComponents; @@ -103,6 +103,45 @@ in { description = lib.mdDoc "The config directory, where your {file}`configuration.yaml` is located."; }; + defaultIntegrations = mkOption { + type = types.listOf (types.enum availableComponents); + # https://github.com/home-assistant/core/blob/dev/homeassistant/bootstrap.py#L109 + default = [ + "application_credentials" + "frontend" + "hardware" + "logger" + "network" + "system_health" + + # key features + "automation" + "person" + "scene" + "script" + "tag" + "zone" + + # built-in helpers + "counter" + "input_boolean" + "input_button" + "input_datetime" + "input_number" + "input_select" + "input_text" + "schedule" + "timer" + + # non-supervisor + "backup" + ]; + readOnly = true; + description = '' + List of integrations set are always set up, unless in recovery mode. + ''; + }; + extraComponents = mkOption { type = types.listOf (types.enum availableComponents); default = [ @@ -533,6 +572,7 @@ in { "inkbird" "improv_ble" "keymitt_ble" + "leaone-ble" "led_ble" "medcom_ble" "melnor" diff --git a/nixos/modules/services/mail/stalwart-mail.nix b/nixos/modules/services/mail/stalwart-mail.nix index f576a426b318..8ab3497f7a17 100644 --- a/nixos/modules/services/mail/stalwart-mail.nix +++ b/nixos/modules/services/mail/stalwart-mail.nix @@ -32,10 +32,15 @@ in { global.tracing.level = mkDefault "info"; queue.path = mkDefault "${dataDir}/queue"; report.path = mkDefault "${dataDir}/reports"; + store.db.type = mkDefault "sqlite"; store.db.path = mkDefault "${dataDir}/data/index.sqlite3"; - store.blob.type = mkDefault "local"; - store.blob.local.path = mkDefault "${dataDir}/data/blobs"; + store.blob.type = mkDefault "fs"; + store.blob.path = mkDefault "${dataDir}/data/blobs"; + storage.data = mkDefault "db"; + storage.fts = mkDefault "db"; + storage.blob = mkDefault "blob"; resolver.type = mkDefault "system"; + resolver.public-suffix = mkDefault ["https://publicsuffix.org/list/public_suffix_list.dat"]; }; systemd.services.stalwart-mail = { @@ -57,8 +62,8 @@ in { KillSignal = "SIGINT"; Restart = "on-failure"; RestartSec = 5; - StandardOutput = "syslog"; - StandardError = "syslog"; + StandardOutput = "journal"; + StandardError = "journal"; SyslogIdentifier = "stalwart-mail"; DynamicUser = true; diff --git a/nixos/modules/services/misc/atuin.nix b/nixos/modules/services/misc/atuin.nix index 2d6ffc510ce5..7e89929884d6 100644 --- a/nixos/modules/services/misc/atuin.nix +++ b/nixos/modules/services/misc/atuin.nix @@ -8,6 +8,8 @@ in services.atuin = { enable = lib.mkEnableOption (mdDoc "Atuin server for shell history sync"); + package = lib.mkPackageOption pkgs "atuin" { }; + openRegistration = mkOption { type = types.bool; default = false; @@ -52,10 +54,13 @@ in }; uri = mkOption { - type = types.str; + type = types.nullOr types.str; default = "postgresql:///atuin?host=/run/postgresql"; example = "postgresql://atuin@localhost:5432/atuin"; - description = mdDoc "URI to the database"; + description = mdDoc '' + URI to the database. + Can be set to null in which case ATUIN_DB_URI should be set through an EnvironmentFile + ''; }; }; }; @@ -85,7 +90,7 @@ in wantedBy = [ "multi-user.target" ]; serviceConfig = { - ExecStart = "${pkgs.atuin}/bin/atuin server start"; + ExecStart = "${lib.getExe cfg.package} server start"; RuntimeDirectory = "atuin"; RuntimeDirectoryMode = "0700"; DynamicUser = true; @@ -132,9 +137,10 @@ in ATUIN_PORT = toString cfg.port; ATUIN_MAX_HISTORY_LENGTH = toString cfg.maxHistoryLength; ATUIN_OPEN_REGISTRATION = lib.boolToString cfg.openRegistration; - ATUIN_DB_URI = cfg.database.uri; ATUIN_PATH = cfg.path; ATUIN_CONFIG_DIR = "/run/atuin"; # required to start, but not used as configuration is via environment variables + } // lib.optionalAttrs (cfg.database.uri != null) { + ATUIN_DB_URI = cfg.database.uri; }; }; diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index d0135b2ba7ac..08feea853e47 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -681,6 +681,11 @@ in optional (cfg.database.password != "") "config.services.gitea.database.password will be stored as plaintext in the Nix store. Use database.passwordFile instead." ++ optional (cfg.extraConfig != null) '' services.gitea.`extraConfig` is deprecated, please use services.gitea.`settings`. + '' ++ + optional (lib.getName cfg.package == "forgejo") '' + Running forgejo via services.gitea.package is no longer supported. + Please use services.forgejo instead. + See https://nixos.org/manual/nixos/unstable/#module-forgejo for migration instructions. ''; # Create database passwordFile default when password is configured. diff --git a/nixos/modules/services/misc/jellyfin.nix b/nixos/modules/services/misc/jellyfin.nix index 7042b491ffa4..a1d3910bd93b 100644 --- a/nixos/modules/services/misc/jellyfin.nix +++ b/nixos/modules/services/misc/jellyfin.nix @@ -1,109 +1,149 @@ { config, pkgs, lib, ... }: -with lib; - let + inherit (lib) mkIf getExe maintainers mkEnableOption mkOption mkPackageOption; + inherit (lib.types) str path bool; cfg = config.services.jellyfin; in { options = { services.jellyfin = { - enable = mkEnableOption (lib.mdDoc "Jellyfin Media Server"); + enable = mkEnableOption "Jellyfin Media Server"; + + package = mkPackageOption pkgs "jellyfin" { }; user = mkOption { - type = types.str; + type = str; default = "jellyfin"; - description = lib.mdDoc "User account under which Jellyfin runs."; + description = "User account under which Jellyfin runs."; }; - package = mkPackageOption pkgs "jellyfin" { }; - group = mkOption { - type = types.str; + type = str; default = "jellyfin"; - description = lib.mdDoc "Group under which jellyfin runs."; + description = "Group under which jellyfin runs."; + }; + + dataDir = mkOption { + type = path; + default = "/var/lib/jellyfin"; + description = '' + Base data directory, + passed with `--datadir` see [#data-directory](https://jellyfin.org/docs/general/administration/configuration/#data-directory) + ''; + }; + + configDir = mkOption { + type = path; + default = "${cfg.dataDir}/config"; + defaultText = "\${cfg.dataDir}/config"; + description = '' + Directory containing the server configuration files, + passed with `--configdir` see [configuration-directory](https://jellyfin.org/docs/general/administration/configuration/#configuration-directory) + ''; + }; + + cacheDir = mkOption { + type = path; + default = "/var/cache/jellyfin"; + description = '' + Directory containing the jellyfin server cache, + passed with `--cachedir` see [#cache-directory](https://jellyfin.org/docs/general/administration/configuration/#cache-directory) + ''; + }; + + logDir = mkOption { + type = path; + default = "${cfg.dataDir}/log"; + defaultText = "\${cfg.dataDir}/log"; + description = '' + Directory where the Jellyfin logs will be stored, + passed with `--logdir` see [#log-directory](https://jellyfin.org/docs/general/administration/configuration/#log-directory) + ''; }; openFirewall = mkOption { - type = types.bool; + type = bool; default = false; - description = lib.mdDoc '' + description = '' Open the default ports in the firewall for the media server. The HTTP/HTTPS ports can be changed in the Web UI, so this option should - only be used if they are unchanged. + only be used if they are unchanged, see [Port Bindings](https://jellyfin.org/docs/general/networking/#port-bindings). ''; }; }; }; config = mkIf cfg.enable { - systemd.services.jellyfin = { - description = "Jellyfin Media Server"; - after = [ "network-online.target" ]; - wants = [ "network-online.target" ]; - wantedBy = [ "multi-user.target" ]; - - # This is mostly follows: https://github.com/jellyfin/jellyfin/blob/master/fedora/jellyfin.service - # Upstream also disable some hardenings when running in LXC, we do the same with the isContainer option - serviceConfig = rec { - Type = "simple"; - User = cfg.user; - Group = cfg.group; - StateDirectory = "jellyfin"; - StateDirectoryMode = "0700"; - CacheDirectory = "jellyfin"; - CacheDirectoryMode = "0700"; - UMask = "0077"; - WorkingDirectory = "/var/lib/jellyfin"; - ExecStart = "${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'"; - Restart = "on-failure"; - TimeoutSec = 15; - SuccessExitStatus = ["0" "143"]; - - # Security options: - NoNewPrivileges = true; - SystemCallArchitectures = "native"; - # AF_NETLINK needed because Jellyfin monitors the network connection - RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ]; - RestrictNamespaces = !config.boot.isContainer; - RestrictRealtime = true; - RestrictSUIDSGID = true; - ProtectControlGroups = !config.boot.isContainer; - ProtectHostname = true; - ProtectKernelLogs = !config.boot.isContainer; - ProtectKernelModules = !config.boot.isContainer; - ProtectKernelTunables = !config.boot.isContainer; - LockPersonality = true; - PrivateTmp = !config.boot.isContainer; - # needed for hardware acceleration - PrivateDevices = false; - PrivateUsers = true; - RemoveIPC = true; - - SystemCallFilter = [ - "~@clock" - "~@aio" - "~@chown" - "~@cpu-emulation" - "~@debug" - "~@keyring" - "~@memlock" - "~@module" - "~@mount" - "~@obsolete" - "~@privileged" - "~@raw-io" - "~@reboot" - "~@setuid" - "~@swap" - ]; - SystemCallErrorNumber = "EPERM"; + systemd = { + tmpfiles.settings.jellyfinDirs = { + "${cfg.dataDir}"."d" = { + mode = "700"; + inherit (cfg) user group; + }; + "${cfg.configDir}"."d" = { + mode = "700"; + inherit (cfg) user group; + }; + "${cfg.logDir}"."d" = { + mode = "700"; + inherit (cfg) user group; + }; + "${cfg.cacheDir}"."d" = { + mode = "700"; + inherit (cfg) user group; + }; + }; + services.jellyfin = { + description = "Jellyfin Media Server"; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + + # This is mostly follows: https://github.com/jellyfin/jellyfin/blob/master/fedora/jellyfin.service + # Upstream also disable some hardenings when running in LXC, we do the same with the isContainer option + serviceConfig = { + Type = "simple"; + User = cfg.user; + Group = cfg.group; + UMask = "0077"; + WorkingDirectory = cfg.dataDir; + ExecStart = "${getExe cfg.package} --datadir '${cfg.dataDir}' --configdir '${cfg.configDir}' --cachedir '${cfg.cacheDir}' --logdir '${cfg.logDir}'"; + Restart = "on-failure"; + TimeoutSec = 15; + SuccessExitStatus = ["0" "143"]; + + # Security options: + NoNewPrivileges = true; + SystemCallArchitectures = "native"; + # AF_NETLINK needed because Jellyfin monitors the network connection + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ]; + RestrictNamespaces = !config.boot.isContainer; + RestrictRealtime = true; + RestrictSUIDSGID = true; + ProtectControlGroups = !config.boot.isContainer; + ProtectHostname = true; + ProtectKernelLogs = !config.boot.isContainer; + ProtectKernelModules = !config.boot.isContainer; + ProtectKernelTunables = !config.boot.isContainer; + LockPersonality = true; + PrivateTmp = !config.boot.isContainer; + # needed for hardware acceleration + PrivateDevices = false; + PrivateUsers = true; + RemoveIPC = true; + + SystemCallFilter = [ + "~@clock" "~@aio" "~@chown" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@module" "~@mount" "~@obsolete" "~@privileged" "~@raw-io" "~@reboot" "~@setuid" "~@swap" + ]; + SystemCallErrorNumber = "EPERM"; + }; }; }; users.users = mkIf (cfg.user == "jellyfin") { jellyfin = { - group = cfg.group; + inherit (cfg) group; isSystemUser = true; }; }; @@ -120,5 +160,5 @@ in }; - meta.maintainers = with lib.maintainers; [ minijackson ]; + meta.maintainers = with maintainers; [ minijackson nu-nu-ko ]; } diff --git a/nixos/modules/services/misc/sourcehut/default.nix b/nixos/modules/services/misc/sourcehut/default.nix index 80a6162b2168..557d6d7e7168 100644 --- a/nixos/modules/services/misc/sourcehut/default.nix +++ b/nixos/modules/services/misc/sourcehut/default.nix @@ -790,13 +790,21 @@ in ''; }; systemd.tmpfiles.settings."10-sourcehut-gitsrht" = mkIf cfg.git.enable ( - builtins.listToAttrs (map (name: { - name = "/var/log/sourcehut/gitsrht-${name}"; - value.f = { - inherit (cfg.git) user group; - mode = "0644"; - }; - }) [ "keys" "shell" "update-hook" ]) + mkMerge [ + (builtins.listToAttrs (map (name: { + name = "/var/log/sourcehut/gitsrht-${name}"; + value.f = { + inherit (cfg.git) user group; + mode = "0644"; + }; + }) [ "keys" "shell" "update-hook" ])) + { + ${cfg.settings."git.sr.ht".repos}.d = { + inherit (cfg.git) user group; + mode = "0644"; + }; + } + ] ); systemd.services.sshd = { preStart = mkIf cfg.hg.enable '' diff --git a/nixos/modules/services/misc/tandoor-recipes.nix b/nixos/modules/services/misc/tandoor-recipes.nix index 6c51a9bb8555..a8300ecd5233 100644 --- a/nixos/modules/services/misc/tandoor-recipes.nix +++ b/nixos/modules/services/misc/tandoor-recipes.nix @@ -17,14 +17,11 @@ let lib.mapAttrs (_: toString) cfg.extraConfig ); - manage = - let - setupEnv = lib.concatStringsSep "\n" (mapAttrsToList (name: val: "export ${name}=\"${val}\"") env); - in - pkgs.writeShellScript "manage" '' - ${setupEnv} - exec ${pkg}/bin/tandoor-recipes "$@" - ''; + manage = pkgs.writeShellScript "manage" '' + set -o allexport # Export the following env vars + ${lib.toShellVars env} + exec ${pkg}/bin/tandoor-recipes "$@" + ''; in { meta.maintainers = with maintainers; [ ambroisie ]; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/fastly.nix b/nixos/modules/services/monitoring/prometheus/exporters/fastly.nix index 36409caccf2e..2a8b7fc0818d 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/fastly.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/fastly.nix @@ -1,41 +1,54 @@ -{ config, lib, pkgs, options }: +{ config +, lib +, pkgs +, options +}: -with lib; +let + inherit (lib) + escapeShellArgs + mkOption + optionals + types + ; -let cfg = config.services.prometheus.exporters.fastly; + cfg = config.services.prometheus.exporters.fastly; in { port = 9118; - extraOpts = { - debug = mkEnableOption (lib.mdDoc "Debug logging mode for fastly-exporter"); - + extraOpts = with types; { configFile = mkOption { - type = types.nullOr types.path; + type = nullOr path; default = null; - description = lib.mdDoc '' + example = "./fastly-exporter-config.txt"; + description = '' Path to a fastly-exporter configuration file. Example one can be generated with `fastly-exporter --config-file-example`. ''; - example = "./fastly-exporter-config.txt"; }; tokenPath = mkOption { - type = types.nullOr types.path; - apply = final: if final == null then null else toString final; - description = lib.mdDoc '' + type = path; + description = '' A run-time path to the token file, which is supposed to be provisioned outside of Nix store. ''; }; }; serviceOpts = { - script = '' - ${optionalString (cfg.tokenPath != null) - "export FASTLY_API_TOKEN=$(cat ${toString cfg.tokenPath})"} - ${pkgs.prometheus-fastly-exporter}/bin/fastly-exporter \ - -listen http://${cfg.listenAddress}:${toString cfg.port} - ${optionalString cfg.debug "-debug true"} \ - ${optionalString (cfg.configFile != null) "-config-file ${cfg.configFile}"} + serviceConfig = { + LoadCredential = "fastly-api-token:${cfg.tokenPath}"; + }; + script = let + call = escapeShellArgs ([ + "${pkgs.prometheus-fastly-exporter}/bin/fastly-exporter" + "-listen" "${cfg.listenAddress}:${toString cfg.port}" + ] ++ optionals (cfg.configFile != null) [ + "--config-file" cfg.configFile + ] ++ cfg.extraFlags); + in '' + export FASTLY_API_TOKEN="$(cat $CREDENTIALS_DIRECTORY/fastly-api-token)" + ${call} ''; }; } diff --git a/nixos/modules/services/monitoring/rustdesk-server.nix b/nixos/modules/services/monitoring/rustdesk-server.nix index 0a6a8e71672f..fcfd57167dd8 100644 --- a/nixos/modules/services/monitoring/rustdesk-server.nix +++ b/nixos/modules/services/monitoring/rustdesk-server.nix @@ -24,6 +24,24 @@ in { The public facing IP of the RustDesk relay. ''; }; + + extraSignalArgs = mkOption { + type = listOf str; + default = []; + example = [ "-k" "_" ]; + description = '' + A list of extra command line arguments to pass to the `hbbs` process. + ''; + }; + + extraRelayArgs = mkOption { + type = listOf str; + default = []; + example = [ "-k" "_" ]; + description = '' + A list of extra command line arguments to pass to the `hbbr` process. + ''; + }; }; config = let @@ -83,11 +101,11 @@ in { }; systemd.services.rustdesk-signal = lib.mkMerge [ serviceDefaults { - serviceConfig.ExecStart = "${cfg.package}/bin/hbbs -r ${cfg.relayIP}"; + serviceConfig.ExecStart = "${cfg.package}/bin/hbbs -r ${cfg.relayIP} ${lib.escapeShellArgs cfg.extraSignalArgs}"; } ]; systemd.services.rustdesk-relay = lib.mkMerge [ serviceDefaults { - serviceConfig.ExecStart = "${cfg.package}/bin/hbbr"; + serviceConfig.ExecStart = "${cfg.package}/bin/hbbr ${lib.escapeShellArgs cfg.extraRelayArgs}"; } ]; }; diff --git a/nixos/modules/services/monitoring/scrutiny.nix b/nixos/modules/services/monitoring/scrutiny.nix new file mode 100644 index 000000000000..454668a9a128 --- /dev/null +++ b/nixos/modules/services/monitoring/scrutiny.nix @@ -0,0 +1,221 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.services.scrutiny; + # Define the settings format used for this program + settingsFormat = pkgs.formats.yaml { }; +in +{ + options = { + services.scrutiny = { + enable = lib.mkEnableOption "Enables the scrutiny web application."; + + package = lib.mkPackageOptionMD pkgs "scrutiny" { }; + + openFirewall = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Open the default ports in the firewall for Scrutiny."; + }; + + influxdb.enable = lib.mkOption { + type = lib.types.bool; + default = true; + description = lib.mdDoc '' + Enables InfluxDB on the host system using the `services.influxdb2` NixOS module + with default options. + + If you already have InfluxDB configured, or wish to connect to an external InfluxDB + instance, disable this option. + ''; + }; + + settings = lib.mkOption { + description = lib.mdDoc '' + Scrutiny settings to be rendered into the configuration file. + + See https://github.com/AnalogJ/scrutiny/blob/master/example.scrutiny.yaml. + ''; + default = { }; + type = lib.types.submodule { + freeformType = settingsFormat.type; + + options.web.listen.port = lib.mkOption { + type = lib.types.port; + default = 8080; + description = lib.mdDoc "Port for web application to listen on."; + }; + + options.web.listen.host = lib.mkOption { + type = lib.types.str; + default = "0.0.0.0"; + description = lib.mdDoc "Interface address for web application to bind to."; + }; + + options.web.listen.basepath = lib.mkOption { + type = lib.types.str; + default = ""; + example = "/scrutiny"; + description = lib.mdDoc '' + If Scrutiny will be behind a path prefixed reverse proxy, you can override this + value to serve Scrutiny on a subpath. + ''; + }; + + options.log.level = lib.mkOption { + type = lib.types.enum [ "INFO" "DEBUG" ]; + default = "INFO"; + description = lib.mdDoc "Log level for Scrutiny."; + }; + + options.web.influxdb.scheme = lib.mkOption { + type = lib.types.str; + default = "http"; + description = lib.mdDoc "URL scheme to use when connecting to InfluxDB."; + }; + + options.web.influxdb.host = lib.mkOption { + type = lib.types.str; + default = "0.0.0.0"; + description = lib.mdDoc "IP or hostname of the InfluxDB instance."; + }; + + options.web.influxdb.port = lib.mkOption { + type = lib.types.port; + default = 8086; + description = lib.mdDoc "The port of the InfluxDB instance."; + }; + + options.web.influxdb.tls.insecure_skip_verify = lib.mkOption { + type = lib.types.bool; + default = false; + description = lib.mdDoc "Skip TLS verification when connecting to InfluxDB."; + }; + + options.web.influxdb.token = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = lib.mdDoc "Authentication token for connecting to InfluxDB."; + }; + + options.web.influxdb.org = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = lib.mdDoc "InfluxDB organisation under which to store data."; + }; + + options.web.influxdb.bucket = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = lib.mdDoc "InfluxDB bucket in which to store data."; + }; + }; + }; + + collector = { + enable = lib.mkEnableOption "Enables the scrutiny metrics collector."; + + package = lib.mkPackageOptionMD pkgs "scrutiny-collector" { }; + + schedule = lib.mkOption { + type = lib.types.str; + default = "*:0/15"; + description = lib.mdDoc '' + How often to run the collector in systemd calendar format. + ''; + }; + + settings = lib.mkOption { + description = lib.mdDoc '' + Collector settings to be rendered into the collector configuration file. + + See https://github.com/AnalogJ/scrutiny/blob/master/example.collector.yaml. + ''; + default = { }; + type = lib.types.submodule { + freeformType = settingsFormat.type; + + options.host.id = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = lib.mdDoc "Host ID for identifying/labelling groups of disks"; + }; + + options.api.endpoint = lib.mkOption { + type = lib.types.str; + default = "http://localhost:8080"; + description = lib.mdDoc "Scrutiny app API endpoint for sending metrics to."; + }; + + options.log.level = lib.mkOption { + type = lib.types.enum [ "INFO" "DEBUG" ]; + default = "INFO"; + description = lib.mdDoc "Log level for Scrutiny collector."; + }; + }; + }; + }; + }; + }; + + config = lib.mkIf (cfg.enable || cfg.collector.enable) { + services.influxdb2.enable = cfg.influxdb.enable; + + networking.firewall = lib.mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.settings.web.listen.port ]; + }; + + services.smartd = lib.mkIf cfg.collector.enable { + enable = true; + extraOptions = [ + "-A /var/log/smartd/" + "--interval=600" + ]; + }; + + systemd = { + services = { + scrutiny = lib.mkIf cfg.enable { + description = "Hard Drive S.M.A.R.T Monitoring, Historical Trends & Real World Failure Thresholds"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + environment = { + SCRUTINY_VERSION = "1"; + SCRUTINY_WEB_DATABASE_LOCATION = "/var/lib/scrutiny/scrutiny.db"; + SCRUTINY_WEB_SRC_FRONTEND_PATH = "${cfg.package}/share/scrutiny"; + }; + serviceConfig = { + DynamicUser = true; + ExecStart = "${lib.getExe cfg.package} start --config ${settingsFormat.generate "scrutiny.yaml" cfg.settings}"; + Restart = "always"; + StateDirectory = "scrutiny"; + StateDirectoryMode = "0750"; + }; + }; + + scrutiny-collector = lib.mkIf cfg.collector.enable { + description = "Scrutiny Collector Service"; + environment = { + COLLECTOR_VERSION = "1"; + COLLECTOR_API_ENDPOINT = cfg.collector.settings.api.endpoint; + }; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${lib.getExe cfg.collector.package} run --config ${settingsFormat.generate "scrutiny-collector.yaml" cfg.collector.settings}"; + }; + }; + }; + + timers = lib.mkIf cfg.collector.enable { + scrutiny-collector = { + timerConfig = { + OnCalendar = cfg.collector.schedule; + Persistent = true; + Unit = "scrutiny-collector.service"; + }; + }; + }; + }; + }; + + meta.maintainers = [ lib.maintainers.jnsgruk ]; +} diff --git a/nixos/modules/services/networking/bee-clef.nix b/nixos/modules/services/networking/bee-clef.nix deleted file mode 100644 index 75e76f019a71..000000000000 --- a/nixos/modules/services/networking/bee-clef.nix +++ /dev/null @@ -1,107 +0,0 @@ -{ config, lib, pkgs, ... }: - -# NOTE for now nothing is installed into /etc/bee-clef/. the config files are used as read-only from the nix store. - -with lib; -let - cfg = config.services.bee-clef; -in { - meta = { - maintainers = with maintainers; [ attila-lendvai ]; - }; - - ### interface - - options = { - services.bee-clef = { - enable = mkEnableOption (lib.mdDoc "clef external signer instance for Ethereum Swarm Bee"); - - dataDir = mkOption { - type = types.nullOr types.str; - default = "/var/lib/bee-clef"; - description = lib.mdDoc '' - Data dir for bee-clef. Beware that some helper scripts may not work when changed! - The service itself should work fine, though. - ''; - }; - - passwordFile = mkOption { - type = types.nullOr types.str; - default = "/var/lib/bee-clef/password"; - description = lib.mdDoc "Password file for bee-clef."; - }; - - user = mkOption { - type = types.str; - default = "bee-clef"; - description = lib.mdDoc '' - User the bee-clef daemon should execute under. - ''; - }; - - group = mkOption { - type = types.str; - default = "bee-clef"; - description = lib.mdDoc '' - Group the bee-clef daemon should execute under. - ''; - }; - }; - }; - - ### implementation - - config = mkIf cfg.enable { - # if we ever want to have rules.js under /etc/bee-clef/ - # environment.etc."bee-clef/rules.js".source = ${pkgs.bee-clef}/rules.js - - systemd.packages = [ pkgs.bee-clef ]; # include the upstream bee-clef.service file - - systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}/' 0750 ${cfg.user} ${cfg.group}" - "d '${cfg.dataDir}/keystore' 0700 ${cfg.user} ${cfg.group}" - ]; - - systemd.services.bee-clef = { - path = [ - # these are needed for the ensure-clef-account script - pkgs.coreutils - pkgs.gnused - pkgs.gawk - ]; - - wantedBy = [ "bee.service" "multi-user.target" ]; - - serviceConfig = { - User = cfg.user; - Group = cfg.group; - ExecStartPre = ''${pkgs.bee-clef}/share/bee-clef/ensure-clef-account "${cfg.dataDir}" "${pkgs.bee-clef}/share/bee-clef/"''; - ExecStart = [ - "" # this hides/overrides what's in the original entry - "${pkgs.bee-clef}/share/bee-clef/bee-clef-service start" - ]; - ExecStop = [ - "" # this hides/overrides what's in the original entry - "${pkgs.bee-clef}/share/bee-clef/bee-clef-service stop" - ]; - Environment = [ - "CONFIGDIR=${cfg.dataDir}" - "PASSWORD_FILE=${cfg.passwordFile}" - ]; - }; - }; - - users.users = optionalAttrs (cfg.user == "bee-clef") { - bee-clef = { - group = cfg.group; - home = cfg.dataDir; - isSystemUser = true; - description = "Daemon user for the bee-clef service"; - }; - }; - - users.groups = optionalAttrs (cfg.group == "bee-clef") { - bee-clef = {}; - }; - }; -} diff --git a/nixos/modules/services/networking/bee.nix b/nixos/modules/services/networking/bee.nix index 962cfd30c3fe..a4d20494bf6b 100644 --- a/nixos/modules/services/networking/bee.nix +++ b/nixos/modules/services/networking/bee.nix @@ -8,7 +8,7 @@ let in { meta = { # doc = ./bee.xml; - maintainers = with maintainers; [ attila-lendvai ]; + maintainers = with maintainers; [ ]; }; ### interface @@ -73,13 +73,10 @@ in { } ]; - warnings = optional (! config.services.bee-clef.enable) "The bee service requires an external signer. Consider setting `config.services.bee-clef.enable` = true"; - services.bee.settings = { data-dir = lib.mkDefault "/var/lib/bee"; password-file = lib.mkDefault "/var/lib/bee/password"; clef-signer-enable = lib.mkDefault true; - clef-signer-endpoint = lib.mkDefault "/var/lib/bee-clef/clef.ipc"; swap-endpoint = lib.mkDefault "https://rpc.slock.it/goerli"; }; @@ -90,9 +87,6 @@ in { ]; systemd.services.bee = { - requires = optional config.services.bee-clef.enable - "bee-clef.service"; - wantedBy = [ "multi-user.target" ]; serviceConfig = { @@ -120,7 +114,6 @@ Bee has SWAP enabled by default and it needs ethereum endpoint to operate. It is recommended to use external signer with bee. Check documentation for more info: - SWAP https://docs.ethswarm.org/docs/installation/manual#swap-bandwidth-incentives -- External signer https://docs.ethswarm.org/docs/installation/bee-clef After you finish configuration run 'sudo bee-get-addr'." fi @@ -133,8 +126,6 @@ After you finish configuration run 'sudo bee-get-addr'." home = cfg.settings.data-dir; isSystemUser = true; description = "Daemon user for Ethereum Swarm Bee"; - extraGroups = optional config.services.bee-clef.enable - config.services.bee-clef.group; }; }; diff --git a/nixos/modules/services/networking/go-camo.nix b/nixos/modules/services/networking/go-camo.nix new file mode 100644 index 000000000000..cb3b6eade464 --- /dev/null +++ b/nixos/modules/services/networking/go-camo.nix @@ -0,0 +1,73 @@ +{ lib, pkgs, config, ... }: + +let + cfg = config.services.go-camo; + inherit (lib) mkOption mkEnableOption mkIf mkMerge types optionalString; +in +{ + options.services.go-camo = { + enable = mkEnableOption "go-camo service"; + listen = mkOption { + type = types.nullOr types.str; + default = null; + description = "Address:Port to bind to for HTTP (default: 0.0.0.0:8080)."; + apply = v: optionalString (v != null) "--listen=${v}"; + }; + sslListen = mkOption { + type = types.nullOr types.str; + default = null; + description = "Address:Port to bind to for HTTPS."; + apply = v: optionalString (v != null) "--ssl-listen=${v}"; + }; + sslKey = mkOption { + type = types.nullOr types.path; + default = null; + description = "Path to TLS private key."; + apply = v: optionalString (v != null) "--ssl-key=${v}"; + }; + sslCert = mkOption { + type = types.nullOr types.path; + default = null; + description = "Path to TLS certificate."; + apply = v: optionalString (v != null) "--ssl-cert=${v}"; + }; + keyFile = mkOption { + type = types.path; + default = null; + description = '' + A file containing the HMAC key to use for signing URLs. + The file can contain any string. Can be generated using "openssl rand -base64 18 > the_file". + ''; + }; + extraOptions = mkOption { + type = with types; listOf str; + default = []; + description = "Extra options passed to the go-camo command."; + }; + }; + + config = mkIf cfg.enable { + systemd.services.go-camo = { + description = "go-camo service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + environment = { + GOCAMO_HMAC_FILE = "%d/hmac"; + }; + script = '' + export GOCAMO_HMAC=$(cat "$GOCAMO_HMAC_FILE") + exec ${lib.escapeShellArgs(lib.lists.remove "" ([ "${pkgs.go-camo}/bin/go-camo" cfg.listen cfg.sslListen cfg.sslKey cfg.sslCert ] ++ cfg.extraOptions))} + ''; + serviceConfig = { + NoNewPrivileges = true; + ProtectSystem = "strict"; + DynamicUser = true; + User = "gocamo"; + Group = "gocamo"; + LoadCredential = [ + "hmac:${cfg.keyFile}" + ]; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/hostapd.nix b/nixos/modules/services/networking/hostapd.nix index 00482e59acf3..40542155ed63 100644 --- a/nixos/modules/services/networking/hostapd.nix +++ b/nixos/modules/services/networking/hostapd.nix @@ -909,7 +909,7 @@ in { in { settings = { ssid = bssCfg.ssid; - utf8_ssid = bssCfg.ssid; + utf8_ssid = bssCfg.utf8Ssid; logger_syslog = mkDefault (-1); logger_syslog_level = bssCfg.logLevel; diff --git a/nixos/modules/services/networking/knot.nix b/nixos/modules/services/networking/knot.nix index 94c32586736a..6488a159b3b7 100644 --- a/nixos/modules/services/networking/knot.nix +++ b/nixos/modules/services/networking/knot.nix @@ -1,8 +1,36 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, utils, ... }: -with lib; let + inherit (lib) + attrNames + concatMapStrings + concatMapStringsSep + concatStrings + concatStringsSep + elem + filter + flip + hasAttr + hasPrefix + isAttrs + isBool + isDerivation + isList + mapAttrsToList + mkChangedOptionModule + mkEnableOption + mkIf + mkOption + mkPackageOption + optionals + types + ; + + inherit (utils) + escapeSystemdExecArgs + ; + cfg = config.services.knot; yamlConfig = let @@ -113,8 +141,7 @@ let mkConfigFile = configString: pkgs.writeTextFile { name = "knot.conf"; text = (concatMapStringsSep "\n" (file: "include: ${file}") cfg.keyFiles) + "\n" + configString; - # TODO: maybe we could do some checks even when private keys complicate this? - checkPhase = lib.optionalString (cfg.keyFiles == []) '' + checkPhase = lib.optionalString cfg.checkConfig '' ${cfg.package}/bin/knotc --config=$out conf-check ''; }; @@ -142,12 +169,45 @@ let in { options = { services.knot = { - enable = mkEnableOption (lib.mdDoc "Knot authoritative-only DNS server"); + enable = mkEnableOption "Knot authoritative-only DNS server"; + + enableXDP = mkOption { + type = types.bool; + default = lib.hasAttrByPath [ "xdp" "listen" ] cfg.settings; + defaultText = '' + Enabled when the `xdp.listen` setting is configured through `settings`. + ''; + example = true; + description = '' + Extends the systemd unit with permissions to allow for the use of + the eXpress Data Path (XDP). + + ::: {.note} + Make sure to read up on functional [limitations](https://www.knot-dns.cz/docs/latest/singlehtml/index.html#mode-xdp-limitations) + when running in XDP mode. + ::: + ''; + }; + + checkConfig = mkOption { + type = types.bool; + # TODO: maybe we could do some checks even when private keys complicate this? + # conf-check fails hard on missing IPs/devices with XDP + default = cfg.keyFiles == [] && !cfg.enableXDP; + defaultText = '' + Disabled when the config uses `keyFiles` or `enableXDP`. + ''; + example = false; + description = '' + Toggles the configuration test at build time. It runs in a + sandbox, and therefore cannot be used in all scenarios. + ''; + }; extraArgs = mkOption { type = types.listOf types.str; default = []; - description = lib.mdDoc '' + description = '' List of additional command line parameters for knotd ''; }; @@ -155,7 +215,7 @@ in { keyFiles = mkOption { type = types.listOf types.path; default = []; - description = lib.mdDoc '' + description = '' A list of files containing additional configuration to be included using the include directive. This option allows to include configuration like TSIG keys without @@ -168,7 +228,7 @@ in { settings = mkOption { type = types.attrs; default = {}; - description = lib.mdDoc '' + description = '' Extra configuration as nix values. ''; }; @@ -176,7 +236,7 @@ in { settingsFile = mkOption { type = types.nullOr types.path; default = null; - description = lib.mdDoc '' + description = '' As alternative to ``settings``, you can provide whole configuration directly in the almost-YAML format of Knot DNS. You might want to utilize ``pkgs.writeText "knot.conf" "longConfigString"`` for this. @@ -210,19 +270,35 @@ in { wants = [ "network.target" ]; after = ["network.target" ]; - serviceConfig = { + serviceConfig = let + # https://www.knot-dns.cz/docs/3.3/singlehtml/index.html#pre-requisites + xdpCapabilities = lib.optionals (cfg.enableXDP) [ + "CAP_NET_ADMIN" + "CAP_NET_RAW" + "CAP_SYS_ADMIN" + "CAP_IPC_LOCK" + ] ++ lib.optionals (lib.versionOlder config.boot.kernelPackages.kernel.version "5.11") [ + "CAP_SYS_RESOURCE" + ]; + in { Type = "notify"; - ExecStart = "${cfg.package}/bin/knotd --config=${configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}"; - ExecReload = "${knot-cli-wrappers}/bin/knotc reload"; + ExecStart = escapeSystemdExecArgs ([ + (lib.getExe cfg.package) + "--config=${configFile}" + "--socket=${socketFile}" + ] ++ cfg.extraArgs); + ExecReload = escapeSystemdExecArgs [ + "${knot-cli-wrappers}/bin/knotc" "reload" + ]; User = "knot"; Group = "knot"; AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" - ]; + ] ++ xdpCapabilities; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" - ]; + ] ++ xdpCapabilities; DeviceAllow = ""; DevicePolicy = "closed"; LockPersonality = true; @@ -247,6 +323,9 @@ in { "AF_INET" "AF_INET6" "AF_UNIX" + ] ++ optionals (cfg.enableXDP) [ + "AF_NETLINK" + "AF_XDP" ]; RestrictNamespaces = true; RestrictRealtime =true; @@ -258,6 +337,8 @@ in { SystemCallFilter = [ "@system-service" "~@privileged" + ] ++ optionals (cfg.enableXDP) [ + "bpf" ]; UMask = "0077"; }; diff --git a/nixos/modules/services/networking/libreswan.nix b/nixos/modules/services/networking/libreswan.nix index db4d2f7f0ba0..a44cac93d5f6 100644 --- a/nixos/modules/services/networking/libreswan.nix +++ b/nixos/modules/services/networking/libreswan.nix @@ -133,9 +133,6 @@ in "ipsec.d/01-nixos.conf".source = configFile; } // policyFiles; - # Create NSS database directory - systemd.tmpfiles.rules = [ "d /var/lib/ipsec/nss 755 root root -" ]; - systemd.services.ipsec = { description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec"; wantedBy = [ "multi-user.target" ]; @@ -153,6 +150,10 @@ in echo 0 | tee /proc/sys/net/ipv4/conf/*/send_redirects echo 0 | tee /proc/sys/net/ipv{4,6}/conf/*/accept_redirects ''; + serviceConfig = { + StateDirectory = "ipsec/nss"; + StateDirectoryMode = 0700; + }; }; }; diff --git a/nixos/modules/services/networking/nftables.nix b/nixos/modules/services/networking/nftables.nix index 46fa9d2de046..2351ebf4b707 100644 --- a/nixos/modules/services/networking/nftables.nix +++ b/nixos/modules/services/networking/nftables.nix @@ -185,6 +185,19 @@ in can be loaded using "nft -f". The ruleset is updated atomically. ''; }; + + networking.nftables.flattenRulesetFile = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Use `builtins.readFile` rather than `include` to handle {option}`networking.nftables.rulesetFile`. It is useful when you want to apply {option}`networking.nftables.preCheckRuleset` to {option}`networking.nftables.rulesetFile`. + + ::: {.note} + It is expected that {option}`networking.nftables.rulesetFile` can be accessed from the build sandbox. + ::: + ''; + }; + networking.nftables.tables = mkOption { type = types.attrsOf (types.submodule tableSubmodule); @@ -295,9 +308,13 @@ in } '') enabledTables)} ${cfg.ruleset} - ${lib.optionalString (cfg.rulesetFile != null) '' - include "${cfg.rulesetFile}" - ''} + ${if cfg.rulesetFile != null then + if cfg.flattenRulesetFile then + builtins.readFile cfg.rulesetFile + else '' + include "${cfg.rulesetFile}" + '' + else ""} ''; checkPhase = lib.optionalString cfg.checkRuleset '' cp $out ruleset.conf diff --git a/nixos/modules/services/networking/sabnzbd.nix b/nixos/modules/services/networking/sabnzbd.nix index cff2622b38e9..2f0d17ad3d17 100644 --- a/nixos/modules/services/networking/sabnzbd.nix +++ b/nixos/modules/services/networking/sabnzbd.nix @@ -36,6 +36,14 @@ in default = "sabnzbd"; description = lib.mdDoc "Group to run the service as"; }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Open ports in the firewall for the sabnzbd web interface + ''; + }; }; }; @@ -43,17 +51,16 @@ in ###### implementation config = mkIf cfg.enable { - - users.users.sabnzbd = { - uid = config.ids.uids.sabnzbd; - group = "sabnzbd"; - description = "sabnzbd user"; - home = "/var/lib/sabnzbd/"; - createHome = true; + users.users = mkIf (cfg.user == "sabnzbd") { + sabnzbd = { + uid = config.ids.uids.sabnzbd; + group = cfg.group; + description = "sabnzbd user"; + }; }; - users.groups.sabnzbd = { - gid = config.ids.gids.sabnzbd; + users.groups = mkIf (cfg.group == "sabnzbd") { + sabnzbd.gid = config.ids.gids.sabnzbd; }; systemd.services.sabnzbd = { @@ -63,10 +70,15 @@ in serviceConfig = { Type = "forking"; GuessMainPID = "no"; - User = "${cfg.user}"; - Group = "${cfg.group}"; + User = cfg.user; + Group = cfg.group; + StateDirectory = "sabnzbd"; ExecStart = "${lib.getBin cfg.package}/bin/sabnzbd -d -f ${cfg.configFile}"; }; }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ 8080 ]; + }; }; } diff --git a/nixos/modules/services/security/opensnitch.nix b/nixos/modules/services/security/opensnitch.nix index 97ac3a72804c..42cf8159f3ea 100644 --- a/nixos/modules/services/security/opensnitch.nix +++ b/nixos/modules/services/security/opensnitch.nix @@ -36,7 +36,8 @@ in { description = mdDoc '' Declarative configuration of firewall rules. - All rules will be stored in `/var/lib/opensnitch/rules`. + All rules will be stored in `/var/lib/opensnitch/rules` by default. + Rules path can be configured with `settings.Rules.Path`. See [upstream documentation](https://github.com/evilsocket/opensnitch/wiki/Rules) for available options. ''; @@ -79,15 +80,6 @@ in { ''; }; - DefaultDuration = mkOption { - type = types.enum [ - "once" "always" "until restart" "30s" "5m" "15m" "30m" "1h" - ]; - description = mdDoc '' - Default duration of firewall rule. - ''; - }; - InterceptUnknown = mkOption { type = types.bool; description = mdDoc '' @@ -134,6 +126,30 @@ in { }; }; + + Ebpf.ModulesPath = mkOption { + type = types.path; + default = if cfg.settings.ProcMonitorMethod == "ebpf" then "${config.boot.kernelPackages.opensnitch-ebpf}/etc/opensnitchd" else null; + defaultText = literalExpression '' + if cfg.settings.ProcMonitorMethod == "ebpf" then + "\\$\\{config.boot.kernelPackages.opensnitch-ebpf\\}/etc/opensnitchd" + else null; + ''; + description = mdDoc '' + Configure eBPF modules path. Used when + `settings.ProcMonitorMethod` is set to `ebpf`. + ''; + }; + + Rules.Path = mkOption { + type = types.path; + default = "/var/lib/opensnitch/rules"; + description = mdDoc '' + Path to the directory where firewall rules can be found and will + get stored by the NixOS module. + ''; + }; + }; }; description = mdDoc '' @@ -151,40 +167,42 @@ in { systemd = { packages = [ pkgs.opensnitch ]; - services.opensnitchd.wantedBy = [ "multi-user.target" ]; + services.opensnitchd = { + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = [ + "" + "${pkgs.opensnitch}/bin/opensnitchd --config-file ${format.generate "default-config.json" cfg.settings}" + ]; + }; + preStart = mkIf (cfg.rules != {}) (let + rules = flip mapAttrsToList predefinedRules (file: content: { + inherit (content) file; + local = "${cfg.settings.Rules.Path}/${file}.json"; + }); + in '' + # Remove all firewall rules from rules path (configured with + # cfg.settings.Rules.Path) that are symlinks to a store-path, but aren't + # declared in `cfg.rules` (i.e. all networks that were "removed" from + # `cfg.rules`). + find ${cfg.settings.Rules.Path} -type l -lname '${builtins.storeDir}/*' ${optionalString (rules != {}) '' + -not \( ${concatMapStringsSep " -o " ({ local, ... }: + "-name '${baseNameOf local}*'") + rules} \) \ + ''} -delete + ${concatMapStrings ({ file, local }: '' + ln -sf '${file}' "${local}" + '') rules} + ''); + }; + tmpfiles.rules = [ + "d ${cfg.settings.Rules.Path} 0750 root root - -" + "L+ /etc/opensnitchd/system-fw.json - - - - ${pkgs.opensnitch}/etc/opensnitchd/system-fw.json" + ]; }; - systemd.services.opensnitchd.preStart = mkIf (cfg.rules != {}) (let - rules = flip mapAttrsToList predefinedRules (file: content: { - inherit (content) file; - local = "/var/lib/opensnitch/rules/${file}.json"; - }); - in '' - # Remove all firewall rules from `/var/lib/opensnitch/rules` that are symlinks to a store-path, - # but aren't declared in `cfg.rules` (i.e. all networks that were "removed" from - # `cfg.rules`). - find /var/lib/opensnitch/rules -type l -lname '${builtins.storeDir}/*' ${optionalString (rules != {}) '' - -not \( ${concatMapStringsSep " -o " ({ local, ... }: - "-name '${baseNameOf local}*'") - rules} \) \ - ''} -delete - ${concatMapStrings ({ file, local }: '' - ln -sf '${file}' "${local}" - '') rules} - - if [ ! -f /etc/opensnitchd/system-fw.json ]; then - cp "${pkgs.opensnitch}/etc/opensnitchd/system-fw.json" "/etc/opensnitchd/system-fw.json" - fi - ''); - - environment.etc = mkMerge [ ({ - "opensnitchd/default-config.json".source = format.generate "default-config.json" cfg.settings; - }) (mkIf (cfg.settings.ProcMonitorMethod == "ebpf") { - "opensnitchd/opensnitch.o".source = "${config.boot.kernelPackages.opensnitch-ebpf}/etc/opensnitchd/opensnitch.o"; - "opensnitchd/opensnitch-dns.o".source = "${config.boot.kernelPackages.opensnitch-ebpf}/etc/opensnitchd/opensnitch-dns.o"; - "opensnitchd/opensnitch-procs.o".source = "${config.boot.kernelPackages.opensnitch-ebpf}/etc/opensnitchd/opensnitch-procs.o"; - })]; - }; + + meta.maintainers = with lib.maintainers; [ onny ]; } diff --git a/nixos/modules/services/system/automatic-timezoned.nix b/nixos/modules/services/system/automatic-timezoned.nix index 8934ed3a7ef2..7d3cd004a7ba 100644 --- a/nixos/modules/services/system/automatic-timezoned.nix +++ b/nixos/modules/services/system/automatic-timezoned.nix @@ -50,7 +50,7 @@ in serviceConfig = { Type = "exec"; User = "automatic-timezoned"; - ExecStart = "${cfg.package}/bin/automatic-timezoned --zoneinfo-path=${pkgs.tzdata}/share/zoneinfo/zone1970.tab"; + ExecStart = "${cfg.package}/bin/automatic-timezoned"; }; wantedBy = [ "default.target" ]; }; diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix index 5dd02eb33163..a9fb123b981e 100644 --- a/nixos/modules/services/torrent/transmission.nix +++ b/nixos/modules/services/torrent/transmission.nix @@ -74,7 +74,7 @@ in description = lib.mdDoc ""; }; options.message-level = mkOption { - type = types.ints.between 0 3; + type = types.ints.between 0 6; default = 2; description = lib.mdDoc "Set verbosity of transmission messages."; }; diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix index 8d09d1b97828..7fc710c6fcec 100644 --- a/nixos/modules/services/web-apps/mastodon.nix +++ b/nixos/modules/services/web-apps/mastodon.nix @@ -4,7 +4,8 @@ let cfg = config.services.mastodon; opt = options.services.mastodon; - # We only want to create a database if we're actually going to connect to it. + # We only want to create a Redis and PostgreSQL databases if we're actually going to connect to it local. + redisActuallyCreateLocally = cfg.redis.createLocally && (cfg.redis.host == "127.0.0.1" || cfg.redis.enableUnixSocket); databaseActuallyCreateLocally = cfg.database.createLocally && cfg.database.host == "/run/postgresql"; env = { @@ -33,6 +34,7 @@ let TRUSTED_PROXY_IP = cfg.trustedProxy; } + // lib.optionalAttrs (cfg.redis.createLocally && cfg.redis.enableUnixSocket) { REDIS_URL = "unix://${config.services.redis.servers.mastodon.unixSocket}"; } // lib.optionalAttrs (cfg.database.host != "/run/postgresql" && cfg.database.port != null) { DB_PORT = toString cfg.database.port; } // lib.optionalAttrs cfg.smtp.authenticate { SMTP_LOGIN = cfg.smtp.user; } // lib.optionalAttrs (cfg.elasticsearch.host != null) { ES_HOST = cfg.elasticsearch.host; } @@ -116,9 +118,11 @@ let threads = toString (if processCfg.threads == null then cfg.sidekiqThreads else processCfg.threads); in { after = [ "network.target" "mastodon-init-dirs.service" ] + ++ lib.optional redisActuallyCreateLocally "redis-mastodon.service" ++ lib.optional databaseActuallyCreateLocally "postgresql.service" ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service"; requires = [ "mastodon-init-dirs.service" ] + ++ lib.optional redisActuallyCreateLocally "redis-mastodon.service" ++ lib.optional databaseActuallyCreateLocally "postgresql.service" ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service"; description = "Mastodon sidekiq${jobClassLabel}"; @@ -146,9 +150,11 @@ let name = "mastodon-streaming-${toString i}"; value = { after = [ "network.target" "mastodon-init-dirs.service" ] + ++ lib.optional redisActuallyCreateLocally "redis-mastodon.service" ++ lib.optional databaseActuallyCreateLocally "postgresql.service" ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service"; requires = [ "mastodon-init-dirs.service" ] + ++ lib.optional redisActuallyCreateLocally "redis-mastodon.service" ++ lib.optional databaseActuallyCreateLocally "postgresql.service" ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service"; wantedBy = [ "mastodon.target" "mastodon-streaming.target" ]; @@ -404,6 +410,19 @@ in { type = lib.types.port; default = 31637; }; + + passwordFile = lib.mkOption { + description = lib.mdDoc "A file containing the password for Redis database."; + type = lib.types.nullOr lib.types.path; + default = null; + example = "/run/keys/mastodon-redis-password"; + }; + + enableUnixSocket = lib.mkOption { + description = lib.mdDoc "Use Unix socket"; + type = lib.types.bool; + default = true; + }; }; database = { @@ -613,6 +632,13 @@ in { config = lib.mkIf cfg.enable (lib.mkMerge [{ assertions = [ { + assertion = redisActuallyCreateLocally -> (!cfg.redis.enableUnixSocket || cfg.redis.passwordFile == null); + message = '' + <option>services.mastodon.redis.enableUnixSocket</option> needs to be disabled if + <option>services.mastodon.redis.passwordFile</option> is used. + ''; + } + { assertion = databaseActuallyCreateLocally -> (cfg.user == cfg.database.user && cfg.database.user == cfg.database.name); message = '' For local automatic database provisioning (services.mastodon.database.createLocally == true) with peer @@ -689,6 +715,8 @@ in { OTP_SECRET="$(cat ${cfg.otpSecretFile})" VAPID_PRIVATE_KEY="$(cat ${cfg.vapidPrivateKeyFile})" VAPID_PUBLIC_KEY="$(cat ${cfg.vapidPublicKeyFile})" + '' + lib.optionalString (cfg.redis.passwordFile != null)'' + REDIS_PASSWORD="$(cat ${cfg.redis.passwordFile})" '' + lib.optionalString (cfg.database.passwordFile != null) '' DB_PASS="$(cat ${cfg.database.passwordFile})" '' + lib.optionalString cfg.smtp.authenticate '' @@ -751,9 +779,11 @@ in { systemd.services.mastodon-web = { after = [ "network.target" "mastodon-init-dirs.service" ] + ++ lib.optional redisActuallyCreateLocally "redis-mastodon.service" ++ lib.optional databaseActuallyCreateLocally "postgresql.service" ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service"; requires = [ "mastodon-init-dirs.service" ] + ++ lib.optional redisActuallyCreateLocally "redis-mastodon.service" ++ lib.optional databaseActuallyCreateLocally "postgresql.service" ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service"; wantedBy = [ "mastodon.target" ]; @@ -834,11 +864,14 @@ in { enable = true; hostname = lib.mkDefault "${cfg.localDomain}"; }; - services.redis.servers.mastodon = lib.mkIf (cfg.redis.createLocally && cfg.redis.host == "127.0.0.1") { - enable = true; - port = cfg.redis.port; - bind = "127.0.0.1"; - }; + services.redis.servers.mastodon = lib.mkIf redisActuallyCreateLocally (lib.mkMerge [ + { + enable = true; + } + (lib.mkIf (!cfg.redis.enableUnixSocket) { + port = cfg.redis.port; + }) + ]); services.postgresql = lib.mkIf databaseActuallyCreateLocally { enable = true; ensureUsers = [ @@ -859,6 +892,7 @@ in { }; }) (lib.attrsets.setAttrByPath [ cfg.user "packages" ] [ cfg.package pkgs.imagemagick ]) + (lib.mkIf (cfg.redis.createLocally && cfg.redis.enableUnixSocket) {${config.services.mastodon.user}.extraGroups = [ "redis-mastodon" ];}) ]; users.groups.${cfg.group}.members = lib.optional cfg.configureNginx config.services.nginx.user; diff --git a/nixos/modules/services/web-apps/photoprism.nix b/nixos/modules/services/web-apps/photoprism.nix index d3773cc9cf78..ccf995fccf3e 100644 --- a/nixos/modules/services/web-apps/photoprism.nix +++ b/nixos/modules/services/web-apps/photoprism.nix @@ -12,17 +12,14 @@ let lib.mapAttrs (_: toString) cfg.settings ); - manage = - let - setupEnv = lib.concatStringsSep "\n" (lib.mapAttrsToList (name: val: "export ${name}=${lib.escapeShellArg val}") env); - in - pkgs.writeShellScript "manage" '' - ${setupEnv} - eval "$(${config.systemd.package}/bin/systemctl show -pUID,MainPID photoprism.service | ${pkgs.gnused}/bin/sed "s/UID/ServiceUID/")" - exec ${pkgs.util-linux}/bin/nsenter \ - -t $MainPID -m -S $ServiceUID -G $ServiceUID --wdns=${cfg.storagePath} \ - ${cfg.package}/bin/photoprism "$@" - ''; + manage = pkgs.writeShellScript "manage" '' + set -o allexport # Export the following env vars + ${lib.toShellVars env} + eval "$(${config.systemd.package}/bin/systemctl show -pUID,MainPID photoprism.service | ${pkgs.gnused}/bin/sed "s/UID/ServiceUID/")" + exec ${pkgs.util-linux}/bin/nsenter \ + -t $MainPID -m -S $ServiceUID -G $ServiceUID --wdns=${cfg.storagePath} \ + ${cfg.package}/bin/photoprism "$@" + ''; in { meta.maintainers = with lib.maintainers; [ stunkymonkey ]; diff --git a/nixos/modules/services/web-servers/garage.nix b/nixos/modules/services/web-servers/garage.nix index 47b4c6ab416e..48dd5b34757c 100644 --- a/nixos/modules/services/web-servers/garage.nix +++ b/nixos/modules/services/web-servers/garage.nix @@ -30,7 +30,7 @@ in }; logLevel = mkOption { - type = types.enum ([ "info" "debug" "trace" ]); + type = types.enum ([ "error" "warn" "info" "debug" "trace" ]); default = "info"; example = "debug"; description = lib.mdDoc "Garage log level, see <https://garagehq.deuxfleurs.fr/documentation/quick-start/#launching-the-garage-server> for examples."; diff --git a/nixos/modules/services/web-servers/ttyd.nix b/nixos/modules/services/web-servers/ttyd.nix index e545869ca432..14361df2bb66 100644 --- a/nixos/modules/services/web-servers/ttyd.nix +++ b/nixos/modules/services/web-servers/ttyd.nix @@ -1,11 +1,17 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.services.ttyd; + inherit (lib) + optionals + types + concatLists + mapAttrsToList + mkOption + ; + # Command line arguments for the ttyd daemon args = [ "--port" (toString cfg.port) ] ++ optionals (cfg.socket != null) [ "--interface" cfg.socket ] @@ -14,6 +20,7 @@ let ++ (concatLists (mapAttrsToList (_k: _v: [ "--client-option" "${_k}=${_v}" ]) cfg.clientOptions)) ++ [ "--terminal-type" cfg.terminalType ] ++ optionals cfg.checkOrigin [ "--check-origin" ] + ++ optionals cfg.writeable [ "--writable" ] # the typo is correct ++ [ "--max-clients" (toString cfg.maxClients) ] ++ optionals (cfg.indexFile != null) [ "--index" cfg.indexFile ] ++ optionals cfg.enableIPv6 [ "--ipv6" ] @@ -30,40 +37,40 @@ in options = { services.ttyd = { - enable = mkEnableOption (lib.mdDoc "ttyd daemon"); + enable = lib.mkEnableOption ("ttyd daemon"); port = mkOption { type = types.port; default = 7681; - description = lib.mdDoc "Port to listen on (use 0 for random port)"; + description = "Port to listen on (use 0 for random port)"; }; socket = mkOption { type = types.nullOr types.path; default = null; example = "/var/run/ttyd.sock"; - description = lib.mdDoc "UNIX domain socket path to bind."; + description = "UNIX domain socket path to bind."; }; interface = mkOption { type = types.nullOr types.str; default = null; example = "eth0"; - description = lib.mdDoc "Network interface to bind."; + description = "Network interface to bind."; }; username = mkOption { type = types.nullOr types.str; default = null; - description = lib.mdDoc "Username for basic authentication."; + description = "Username for basic http authentication."; }; passwordFile = mkOption { type = types.nullOr types.path; default = null; apply = value: if value == null then null else toString value; - description = lib.mdDoc '' - File containing the password to use for basic authentication. + description = '' + File containing the password to use for basic http authentication. For insecurely putting the password in the globally readable store use `pkgs.writeText "ttydpw" "MyPassword"`. ''; @@ -72,19 +79,46 @@ in signal = mkOption { type = types.ints.u8; default = 1; - description = lib.mdDoc "Signal to send to the command on session close."; + description = "Signal to send to the command on session close."; + }; + + entrypoint = mkOption { + type = types.listOf types.str; + default = [ "${pkgs.shadow}/bin/login" ]; + defaultText = lib.literalExpression '' + [ "''${pkgs.shadow}/bin/login" ] + ''; + example = lib.literalExpression '' + [ (lib.getExe pkgs.htop) ] + ''; + description = "Which command ttyd runs."; + apply = lib.escapeShellArgs; + }; + + user = mkOption { + type = types.str; + # `login` needs to be run as root + default = "root"; + description = "Which unix user ttyd should run as."; + }; + + writeable = mkOption { + type = types.nullOr types.bool; + default = null; # null causes an eval error, forcing the user to consider attack surface + example = true; + description = "Allow clients to write to the TTY."; }; clientOptions = mkOption { type = types.attrsOf types.str; default = {}; - example = literalExpression '' + example = lib.literalExpression '' { fontSize = "16"; fontFamily = "Fira Code"; } ''; - description = lib.mdDoc '' + description = '' Attribute set of client options for xtermjs. <https://xtermjs.org/docs/api/terminal/interfaces/iterminaloptions/> ''; @@ -93,50 +127,50 @@ in terminalType = mkOption { type = types.str; default = "xterm-256color"; - description = lib.mdDoc "Terminal type to report."; + description = "Terminal type to report."; }; checkOrigin = mkOption { type = types.bool; default = false; - description = lib.mdDoc "Whether to allow a websocket connection from a different origin."; + description = "Whether to allow a websocket connection from a different origin."; }; maxClients = mkOption { type = types.int; default = 0; - description = lib.mdDoc "Maximum clients to support (0, no limit)"; + description = "Maximum clients to support (0, no limit)"; }; indexFile = mkOption { type = types.nullOr types.path; default = null; - description = lib.mdDoc "Custom index.html path"; + description = "Custom index.html path"; }; enableIPv6 = mkOption { type = types.bool; default = false; - description = lib.mdDoc "Whether or not to enable IPv6 support."; + description = "Whether or not to enable IPv6 support."; }; enableSSL = mkOption { type = types.bool; default = false; - description = lib.mdDoc "Whether or not to enable SSL (https) support."; + description = "Whether or not to enable SSL (https) support."; }; certFile = mkOption { type = types.nullOr types.path; default = null; - description = lib.mdDoc "SSL certificate file path."; + description = "SSL certificate file path."; }; keyFile = mkOption { type = types.nullOr types.path; default = null; apply = value: if value == null then null else toString value; - description = lib.mdDoc '' + description = '' SSL key file path. For insecurely putting the keyFile in the globally readable store use `pkgs.writeText "ttydKeyFile" "SSLKEY"`. @@ -146,25 +180,27 @@ in caFile = mkOption { type = types.nullOr types.path; default = null; - description = lib.mdDoc "SSL CA file path for client certificate verification."; + description = "SSL CA file path for client certificate verification."; }; logLevel = mkOption { type = types.int; default = 7; - description = lib.mdDoc "Set log level."; + description = "Set log level."; }; }; }; ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { assertions = [ { assertion = cfg.enableSSL -> cfg.certFile != null && cfg.keyFile != null && cfg.caFile != null; message = "SSL is enabled for ttyd, but no certFile, keyFile or caFile has been specified."; } + { assertion = cfg.writeable != null; + message = "services.ttyd.writeable must be set"; } { assertion = ! (cfg.interface != null && cfg.socket != null); message = "Cannot set both interface and socket for ttyd."; } { assertion = (cfg.username != null) == (cfg.passwordFile != null); @@ -177,21 +213,19 @@ in wantedBy = [ "multi-user.target" ]; serviceConfig = { - # Runs login which needs to be run as root - # login: Cannot possibly work without effective root - User = "root"; + User = cfg.user; LoadCredential = lib.optionalString (cfg.passwordFile != null) "TTYD_PASSWORD_FILE:${cfg.passwordFile}"; }; script = if cfg.passwordFile != null then '' PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/TTYD_PASSWORD_FILE") ${pkgs.ttyd}/bin/ttyd ${lib.escapeShellArgs args} \ - --credential ${escapeShellArg cfg.username}:"$PASSWORD" \ - ${pkgs.shadow}/bin/login + --credential ${lib.escapeShellArg cfg.username}:"$PASSWORD" \ + ${cfg.entrypoint} '' else '' ${pkgs.ttyd}/bin/ttyd ${lib.escapeShellArgs args} \ - ${pkgs.shadow}/bin/login + ${cfg.entrypoint} ''; }; }; diff --git a/nixos/modules/services/web-servers/zope2.nix b/nixos/modules/services/web-servers/zope2.nix deleted file mode 100644 index 29731b29eea4..000000000000 --- a/nixos/modules/services/web-servers/zope2.nix +++ /dev/null @@ -1,262 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - cfg = config.services.zope2; - - zope2Opts = { name, ... }: { - options = { - - name = mkOption { - default = "${name}"; - type = types.str; - description = lib.mdDoc "The name of the zope2 instance. If undefined, the name of the attribute set will be used."; - }; - - threads = mkOption { - default = 2; - type = types.int; - description = lib.mdDoc "Specify the number of threads that Zope's ZServer web server will use to service requests. "; - }; - - http_address = mkOption { - default = "localhost:8080"; - type = types.str; - description = lib.mdDoc "Give a port and address for the HTTP server."; - }; - - user = mkOption { - default = "zope2"; - type = types.str; - description = lib.mdDoc "The name of the effective user for the Zope process."; - }; - - clientHome = mkOption { - default = "/var/lib/zope2/${name}"; - type = types.path; - description = lib.mdDoc "Home directory of zope2 instance."; - }; - extra = mkOption { - default = - '' - <zodb_db main> - mount-point / - cache-size 30000 - <blobstorage> - blob-dir /var/lib/zope2/${name}/blobstorage - <filestorage> - path /var/lib/zope2/${name}/filestorage/Data.fs - </filestorage> - </blobstorage> - </zodb_db> - ''; - type = types.lines; - description = lib.mdDoc "Extra zope.conf"; - }; - - packages = mkOption { - type = types.listOf types.package; - description = lib.mdDoc "The list of packages you want to make available to the zope2 instance."; - }; - - }; - }; - -in - -{ - - ###### interface - - options = { - - services.zope2.instances = mkOption { - default = {}; - type = with types; attrsOf (submodule zope2Opts); - example = literalExpression '' - { - plone01 = { - http_address = "127.0.0.1:8080"; - extra = - ''' - <zodb_db main> - mount-point / - cache-size 30000 - <blobstorage> - blob-dir /var/lib/zope2/plone01/blobstorage - <filestorage> - path /var/lib/zope2/plone01/filestorage/Data.fs - </filestorage> - </blobstorage> - </zodb_db> - '''; - }; - } - ''; - description = lib.mdDoc "zope2 instances to be created automatically by the system."; - }; - }; - - ###### implementation - - config = mkIf (cfg.instances != {}) { - - users.users.zope2 = { - isSystemUser = true; - group = "zope2"; - }; - users.groups.zope2 = {}; - - systemd.services = - let - - createZope2Instance = opts: name: - let - interpreter = pkgs.writeScript "interpreter" - '' - import sys - - _interactive = True - if len(sys.argv) > 1: - _options, _args = __import__("getopt").getopt(sys.argv[1:], 'ic:m:') - _interactive = False - for (_opt, _val) in _options: - if _opt == '-i': - _interactive = True - elif _opt == '-c': - exec _val - elif _opt == '-m': - sys.argv[1:] = _args - _args = [] - __import__("runpy").run_module( - _val, {}, "__main__", alter_sys=True) - - if _args: - sys.argv[:] = _args - __file__ = _args[0] - del _options, _args - execfile(__file__) - - if _interactive: - del _interactive - __import__("code").interact(banner="", local=globals()) - ''; - env = pkgs.buildEnv { - name = "zope2-${name}-env"; - paths = [ - pkgs.python27 - pkgs.python27Packages.recursive-pth-loader - pkgs.python27Packages."plone.recipe.zope2instance" - ] ++ attrValues pkgs.python27.modules - ++ opts.packages; - postBuild = - '' - echo "#!$out/bin/python" > $out/bin/interpreter - cat ${interpreter} >> $out/bin/interpreter - ''; - }; - conf = pkgs.writeText "zope2-${name}-conf" - '' - %define INSTANCEHOME ${env} - instancehome $INSTANCEHOME - %define CLIENTHOME ${opts.clientHome}/${opts.name} - clienthome $CLIENTHOME - - debug-mode off - security-policy-implementation C - verbose-security off - default-zpublisher-encoding utf-8 - zserver-threads ${toString opts.threads} - effective-user ${opts.user} - - pid-filename ${opts.clientHome}/${opts.name}/pid - lock-filename ${opts.clientHome}/${opts.name}/lock - python-check-interval 1000 - enable-product-installation off - - <environment> - zope_i18n_compile_mo_files false - </environment> - - <eventlog> - level INFO - <logfile> - path /var/log/zope2/${name}.log - level INFO - </logfile> - </eventlog> - - <logger access> - level WARN - <logfile> - path /var/log/zope2/${name}-Z2.log - format %(message)s - </logfile> - </logger> - - <http-server> - address ${opts.http_address} - </http-server> - - <zodb_db temporary> - <temporarystorage> - name temporary storage for sessioning - </temporarystorage> - mount-point /temp_folder - container-class Products.TemporaryFolder.TemporaryContainer - </zodb_db> - - ${opts.extra} - ''; - ctlScript = pkgs.writeScript "zope2-${name}-ctl-script" - '' - #!${env}/bin/python - - import sys - import plone.recipe.zope2instance.ctl - - if __name__ == '__main__': - sys.exit(plone.recipe.zope2instance.ctl.main( - ["-C", "${conf}"] - + sys.argv[1:])) - ''; - - ctl = pkgs.writeScript "zope2-${name}-ctl" - '' - #!${pkgs.bash}/bin/bash -e - export PYTHONHOME=${env} - exec ${ctlScript} "$@" - ''; - in { - #description = "${name} instance"; - after = [ "network.target" ]; # with RelStorage also add "postgresql.service" - wantedBy = [ "multi-user.target" ]; - path = opts.packages; - preStart = - '' - mkdir -p /var/log/zope2/ - touch /var/log/zope2/${name}.log - touch /var/log/zope2/${name}-Z2.log - chown ${opts.user} /var/log/zope2/${name}.log - chown ${opts.user} /var/log/zope2/${name}-Z2.log - - mkdir -p ${opts.clientHome}/filestorage ${opts.clientHome}/blobstorage - mkdir -p ${opts.clientHome}/${opts.name} - chown ${opts.user} ${opts.clientHome} -R - - ${ctl} adduser admin admin - ''; - - serviceConfig.Type = "forking"; - serviceConfig.ExecStart = "${ctl} start"; - serviceConfig.ExecStop = "${ctl} stop"; - serviceConfig.ExecReload = "${ctl} restart"; - }; - - in listToAttrs (map (name: { name = "zope2-${name}"; value = createZope2Instance (builtins.getAttr name cfg.instances) name; }) (builtins.attrNames cfg.instances)); - - }; - -} diff --git a/nixos/modules/services/x11/desktop-managers/budgie.nix b/nixos/modules/services/x11/desktop-managers/budgie.nix index 463c45675cee..fe39097a22e8 100644 --- a/nixos/modules/services/x11/desktop-managers/budgie.nix +++ b/nixos/modules/services/x11/desktop-managers/budgie.nix @@ -39,6 +39,10 @@ let ''; destination = "/share/gnome-background-properties/nixos.xml"; }; + + budgie-control-center = pkgs.budgie.budgie-control-center.override { + enableSshSocket = config.services.openssh.startWhenNeeded; + }; in { options = { services.xserver.desktopManager.budgie = { @@ -114,7 +118,7 @@ in { [ # Budgie Desktop. budgie.budgie-backgrounds - budgie.budgie-control-center + budgie-control-center (budgie.budgie-desktop-with-plugins.override { plugins = cfg.extraPlugins; }) budgie.budgie-desktop-view budgie.budgie-screensaver @@ -233,8 +237,8 @@ in { services.gvfs.enable = mkDefault true; # Register packages for DBus. - services.dbus.packages = with pkgs; [ - budgie.budgie-control-center + services.dbus.packages = [ + budgie-control-center ]; # Register packages for udev. diff --git a/nixos/modules/services/x11/desktop-managers/deepin.nix b/nixos/modules/services/x11/desktop-managers/deepin.nix index 7d3acada6073..0824d6e30a8a 100644 --- a/nixos/modules/services/x11/desktop-managers/deepin.nix +++ b/nixos/modules/services/x11/desktop-managers/deepin.nix @@ -173,19 +173,20 @@ in ]; optionalPackages = [ onboard # dde-dock plugin - deepin-camera deepin-calculator deepin-compressor deepin-editor deepin-picker deepin-draw - deepin-album - deepin-image-viewer deepin-music deepin-movie-reborn deepin-system-monitor - deepin-screen-recorder deepin-shortcut-viewer + # freeimage has knownVulnerabilties, don't install packages using freeiamge by default + # deepin-album + # deepin-camera + # deepin-image-viewer + # deepin-screen-recorder ]; in requiredPackages diff --git a/nixos/modules/services/x11/window-managers/icewm.nix b/nixos/modules/services/x11/window-managers/icewm.nix index 48741aa41d85..e3cb5cc3be2b 100644 --- a/nixos/modules/services/x11/window-managers/icewm.nix +++ b/nixos/modules/services/x11/window-managers/icewm.nix @@ -17,7 +17,7 @@ in { name = "icewm"; start = '' - ${pkgs.icewm}/bin/icewm & + ${pkgs.icewm}/bin/icewm-session & waitPID=$! ''; }; diff --git a/nixos/modules/system/boot/kernel.nix b/nixos/modules/system/boot/kernel.nix index a46331ccd431..b0ac857feb4b 100644 --- a/nixos/modules/system/boot/kernel.nix +++ b/nixos/modules/system/boot/kernel.nix @@ -81,6 +81,13 @@ in extraStructuredConfig.FOO = lib.kernel.yes; features.foo = true; } + { + name = "foo-ml-mbox"; + patch = (fetchurl { + url = "https://lore.kernel.org/lkml/19700205182810.58382-1-email@domain/t.mbox.gz"; + hash = "sha256-..."; + }); + } ] ''; description = lib.mdDoc '' diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index e990aeea7a14..90a74c0ac578 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -3,7 +3,7 @@ # the modules necessary to mount the root file system, then calls the # init in the root file system to start the second boot stage. -{ config, lib, utils, pkgs, ... }: +{ config, options, lib, utils, pkgs, ... }: with lib; @@ -621,6 +621,11 @@ in path the secret should have inside the initrd, the value is the path it should be copied from (or null for the same path inside and out). + + Note that `nixos-rebuild switch` will generate the initrd + also for past generations, so if secrets are moved or deleted + you will also have to garbage collect the generations that + use those secrets. ''; example = literalExpression '' @@ -631,10 +636,8 @@ in }; boot.initrd.supportedFilesystems = mkOption { - default = [ ]; - example = [ "btrfs" ]; - type = types.listOf types.str; - description = lib.mdDoc "Names of supported filesystem types in the initial ramdisk."; + default = { }; + inherit (options.boot.supportedFilesystems) example type description; }; boot.initrd.verbose = mkOption { diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix index 9641921fc795..f83837fbc6d4 100644 --- a/nixos/modules/system/boot/systemd/initrd.nix +++ b/nixos/modules/system/boot/systemd/initrd.nix @@ -90,8 +90,6 @@ let inherit (cfg) packages package; }; - fileSystems = filter utils.fsNeededForBoot config.system.build.fileSystems; - kernel-name = config.boot.kernelPackages.kernel.name or "kernel"; modulesTree = config.system.modulesTree.override { name = kernel-name + "-modules"; }; firmware = config.hardware.firmware; diff --git a/nixos/modules/system/boot/systemd/oomd.nix b/nixos/modules/system/boot/systemd/oomd.nix index 000b18c01609..edc25784367a 100644 --- a/nixos/modules/system/boot/systemd/oomd.nix +++ b/nixos/modules/system/boot/systemd/oomd.nix @@ -49,15 +49,15 @@ in { systemd.slices."-".sliceConfig = lib.mkIf cfg.enableRootSlice { ManagedOOMMemoryPressure = "kill"; - ManagedOOMMemoryPressureLimit = "80%"; + ManagedOOMMemoryPressureLimit = lib.mkDefault "80%"; }; systemd.slices."system".sliceConfig = lib.mkIf cfg.enableSystemSlice { ManagedOOMMemoryPressure = "kill"; - ManagedOOMMemoryPressureLimit = "80%"; + ManagedOOMMemoryPressureLimit = lib.mkDefault "80%"; }; systemd.slices."user-".sliceConfig = lib.mkIf cfg.enableUserSlices { ManagedOOMMemoryPressure = "kill"; - ManagedOOMMemoryPressureLimit = "80%"; + ManagedOOMMemoryPressureLimit = lib.mkDefault "80%"; }; systemd.user.units."slice" = lib.mkIf cfg.enableUserSlices { text = '' diff --git a/nixos/modules/system/boot/uki.nix b/nixos/modules/system/boot/uki.nix index 63a7cbc5967b..ce00ac8e6397 100644 --- a/nixos/modules/system/boot/uki.nix +++ b/nixos/modules/system/boot/uki.nix @@ -27,6 +27,20 @@ in description = lib.mdDoc "Version of the image or generation the UKI belongs to"; }; + tries = lib.mkOption { + type = lib.types.nullOr lib.types.ints.unsigned; + default = null; + description = lib.mdDoc '' + Number of boot attempts before this UKI is considered bad. + + If no tries are specified (the default) automatic boot assessment remains inactive. + + See documentation on [Automatic Boot Assessment](https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT/) and + [boot counting](https://uapi-group.org/specifications/specs/boot_loader_specification/#boot-counting) + for more information. + ''; + }; + settings = lib.mkOption { type = format.type; description = lib.mdDoc '' @@ -69,8 +83,9 @@ in name = config.boot.uki.name; version = config.boot.uki.version; versionInfix = if version != null then "_${version}" else ""; + triesInfix = if cfg.tries != null then "+${builtins.toString cfg.tries}" else ""; in - name + versionInfix + ".efi"; + name + versionInfix + triesInfix + ".efi"; system.build.uki = pkgs.runCommand config.system.boot.loader.ukiFile { } '' mkdir -p $out diff --git a/nixos/modules/system/etc/build-composefs-dump.py b/nixos/modules/system/etc/build-composefs-dump.py index bf4ec791ecf7..bba454dd888d 100644 --- a/nixos/modules/system/etc/build-composefs-dump.py +++ b/nixos/modules/system/etc/build-composefs-dump.py @@ -199,7 +199,8 @@ def main() -> None: size=os.stat(source).st_size, filetype=FileType.file, mode=mode, - payload=target, + # payload needs to be relative path in this case + payload=target.lstrip("/"), ) paths[target] = composefs_path add_leading_directories(target, attrs, paths) diff --git a/nixos/modules/system/etc/etc.nix b/nixos/modules/system/etc/etc.nix index baf37ba6def3..9f735364196c 100644 --- a/nixos/modules/system/etc/etc.nix +++ b/nixos/modules/system/etc/etc.nix @@ -238,7 +238,9 @@ in # this should not run because /etc is mounted via a systemd mount unit # instead. To a large extent this mimics what composefs does. Because # it's relatively simple, however, we avoid the composefs dependency. - if [[ ! $IN_NIXOS_SYSTEMD_STAGE1 ]]; then + # Since this script is not idempotent, it should not run when etc hasn't + # changed. + if [[ ! $IN_NIXOS_SYSTEMD_STAGE1 ]] && [[ "${config.system.build.etc}/etc" != "$(readlink -f /run/current-system/etc)" ]]; then echo "remounting /etc..." tmpMetadataMount=$(mktemp --directory) diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix index 1378a0090c1d..e72a1e37759e 100644 --- a/nixos/modules/tasks/filesystems.nix +++ b/nixos/modules/tasks/filesystems.nix @@ -246,10 +246,23 @@ in }; boot.supportedFilesystems = mkOption { - default = [ ]; - example = [ "btrfs" ]; - type = types.listOf types.str; - description = lib.mdDoc "Names of supported filesystem types."; + default = { }; + example = lib.literalExpression '' + { + btrfs = true; + zfs = lib.mkForce false; + } + ''; + type = types.coercedTo + (types.listOf types.str) + (enabled: lib.listToAttrs (map (fs: lib.nameValuePair fs true) enabled)) + (types.attrsOf types.bool); + description = lib.mdDoc '' + Names of supported filesystem types, or an attribute set of file system types + and their state. The set form may be used together with `lib.mkForce` to + explicitly disable support for specific filesystems, e.g. to disable ZFS + with an unsupported kernel. + ''; }; boot.specialFileSystems = mkOption { diff --git a/nixos/modules/tasks/filesystems/apfs.nix b/nixos/modules/tasks/filesystems/apfs.nix index 2f2be351df61..980a3ad0f9c4 100644 --- a/nixos/modules/tasks/filesystems/apfs.nix +++ b/nixos/modules/tasks/filesystems/apfs.nix @@ -4,12 +4,12 @@ with lib; let - inInitrd = any (fs: fs == "apfs") config.boot.initrd.supportedFilesystems; + inInitrd = config.boot.initrd.supportedFilesystems.apfs or false; in { - config = mkIf (any (fs: fs == "apfs") config.boot.supportedFilesystems) { + config = mkIf (config.boot.supportedFilesystems.apfs or false) { system.fsPackages = [ pkgs.apfsprogs ]; diff --git a/nixos/modules/tasks/filesystems/bcachefs.nix b/nixos/modules/tasks/filesystems/bcachefs.nix index 3b990ce30b21..ba33edd702f7 100644 --- a/nixos/modules/tasks/filesystems/bcachefs.nix +++ b/nixos/modules/tasks/filesystems/bcachefs.nix @@ -118,7 +118,7 @@ let in { - config = lib.mkIf (lib.elem "bcachefs" config.boot.supportedFilesystems) (lib.mkMerge [ + config = lib.mkIf (config.boot.supportedFilesystems.bcachefs or false) (lib.mkMerge [ { inherit assertions; # needed for systemd-remount-fs @@ -133,7 +133,7 @@ in }; } - (lib.mkIf ((lib.elem "bcachefs" config.boot.initrd.supportedFilesystems) || (bootFs != {})) { + (lib.mkIf ((config.boot.initrd.supportedFilesystems.bcachefs or false) || (bootFs != {})) { inherit assertions; # chacha20 and poly1305 are required only for decryption attempts boot.initrd.availableKernelModules = [ "bcachefs" "sha256" "chacha20" "poly1305" ]; diff --git a/nixos/modules/tasks/filesystems/btrfs.nix b/nixos/modules/tasks/filesystems/btrfs.nix index 87fe326c0974..8494a06f97a2 100644 --- a/nixos/modules/tasks/filesystems/btrfs.nix +++ b/nixos/modules/tasks/filesystems/btrfs.nix @@ -4,8 +4,8 @@ with lib; let - inInitrd = any (fs: fs == "btrfs") config.boot.initrd.supportedFilesystems; - inSystem = any (fs: fs == "btrfs") config.boot.supportedFilesystems; + inInitrd = config.boot.initrd.supportedFilesystems.btrfs or false; + inSystem = config.boot.supportedFilesystems.btrfs or false; cfgScrub = config.services.btrfs.autoScrub; diff --git a/nixos/modules/tasks/filesystems/cifs.nix b/nixos/modules/tasks/filesystems/cifs.nix index 837b9e19bfb9..5a562b2940f7 100644 --- a/nixos/modules/tasks/filesystems/cifs.nix +++ b/nixos/modules/tasks/filesystems/cifs.nix @@ -4,14 +4,14 @@ with lib; let - inInitrd = any (fs: fs == "cifs") config.boot.initrd.supportedFilesystems; + inInitrd = config.boot.initrd.supportedFilesystems.cifs or false; in { config = { - system.fsPackages = mkIf (any (fs: fs == "cifs") config.boot.supportedFilesystems) [ pkgs.cifs-utils ]; + system.fsPackages = mkIf (config.boot.supportedFilesystems.cifs or false) [ pkgs.cifs-utils ]; boot.initrd.availableKernelModules = mkIf inInitrd [ "cifs" "nls_utf8" "hmac" "md4" "ecb" "des_generic" "sha256" ]; diff --git a/nixos/modules/tasks/filesystems/ecryptfs.nix b/nixos/modules/tasks/filesystems/ecryptfs.nix index 8138e6591610..f966a1be1536 100644 --- a/nixos/modules/tasks/filesystems/ecryptfs.nix +++ b/nixos/modules/tasks/filesystems/ecryptfs.nix @@ -4,7 +4,7 @@ with lib; { - config = mkIf (any (fs: fs == "ecryptfs") config.boot.supportedFilesystems) { + config = mkIf (config.boot.supportedFilesystems.ecryptfs or false) { system.fsPackages = [ pkgs.ecryptfs ]; security.wrappers = { "mount.ecryptfs_private" = diff --git a/nixos/modules/tasks/filesystems/erofs.nix b/nixos/modules/tasks/filesystems/erofs.nix index a3d657669350..b13fa2531557 100644 --- a/nixos/modules/tasks/filesystems/erofs.nix +++ b/nixos/modules/tasks/filesystems/erofs.nix @@ -2,8 +2,8 @@ let - inInitrd = lib.any (fs: fs == "erofs") config.boot.initrd.supportedFilesystems; - inSystem = lib.any (fs: fs == "erofs") config.boot.supportedFilesystems; + inInitrd = config.boot.initrd.supportedFilesystems.erofs or false; + inSystem = config.boot.supportedFilesystems.erofs or false; in diff --git a/nixos/modules/tasks/filesystems/exfat.nix b/nixos/modules/tasks/filesystems/exfat.nix index 540b9b91c3ec..4011653c00df 100644 --- a/nixos/modules/tasks/filesystems/exfat.nix +++ b/nixos/modules/tasks/filesystems/exfat.nix @@ -3,7 +3,7 @@ with lib; { - config = mkIf (any (fs: fs == "exfat") config.boot.supportedFilesystems) { + config = mkIf (config.boot.supportedFilesystems.exfat or false) { system.fsPackages = if config.boot.kernelPackages.kernelOlder "5.7" then [ pkgs.exfat # FUSE ] else [ diff --git a/nixos/modules/tasks/filesystems/ext.nix b/nixos/modules/tasks/filesystems/ext.nix index 1c34ee2c7035..165fe9474c3e 100644 --- a/nixos/modules/tasks/filesystems/ext.nix +++ b/nixos/modules/tasks/filesystems/ext.nix @@ -2,8 +2,10 @@ let - inInitrd = lib.any (fs: fs == "ext2" || fs == "ext3" || fs == "ext4") config.boot.initrd.supportedFilesystems; - inSystem = lib.any (fs: fs == "ext2" || fs == "ext3" || fs == "ext4") config.boot.supportedFilesystems; + hasExtX = s: s.ext2 or s.ext3 or s.ext4 or false; + + inInitrd = hasExtX config.boot.initrd.supportedFilesystems; + inSystem = hasExtX config.boot.supportedFilesystems; in diff --git a/nixos/modules/tasks/filesystems/f2fs.nix b/nixos/modules/tasks/filesystems/f2fs.nix index 4f99f9a57fa6..f4f5fcab9cae 100644 --- a/nixos/modules/tasks/filesystems/f2fs.nix +++ b/nixos/modules/tasks/filesystems/f2fs.nix @@ -3,11 +3,10 @@ with lib; let - inInitrd = any (fs: fs == "f2fs") config.boot.initrd.supportedFilesystems; - fileSystems = filter (x: x.fsType == "f2fs") config.system.build.fileSystems; + inInitrd = config.boot.initrd.supportedFilesystems.f2fs or false; in { - config = mkIf (any (fs: fs == "f2fs") config.boot.supportedFilesystems) { + config = mkIf (config.boot.supportedFilesystems.f2fs or false) { system.fsPackages = [ pkgs.f2fs-tools ]; diff --git a/nixos/modules/tasks/filesystems/glusterfs.nix b/nixos/modules/tasks/filesystems/glusterfs.nix index e8c7fa8efbae..02ef95262dbd 100644 --- a/nixos/modules/tasks/filesystems/glusterfs.nix +++ b/nixos/modules/tasks/filesystems/glusterfs.nix @@ -3,7 +3,7 @@ with lib; { - config = mkIf (any (fs: fs == "glusterfs") config.boot.supportedFilesystems) { + config = mkIf (config.boot.supportedFilesystems.glusterfs or false) { system.fsPackages = [ pkgs.glusterfs ]; diff --git a/nixos/modules/tasks/filesystems/jfs.nix b/nixos/modules/tasks/filesystems/jfs.nix index b5132b4caa33..73ddb0fb18bb 100644 --- a/nixos/modules/tasks/filesystems/jfs.nix +++ b/nixos/modules/tasks/filesystems/jfs.nix @@ -3,10 +3,10 @@ with lib; let - inInitrd = any (fs: fs == "jfs") config.boot.initrd.supportedFilesystems; + inInitrd = config.boot.initrd.supportedFilesystems.jfs or false; in { - config = mkIf (any (fs: fs == "jfs") config.boot.supportedFilesystems) { + config = mkIf (config.boot.supportedFilesystems.jfs or false) { system.fsPackages = [ pkgs.jfsutils ]; diff --git a/nixos/modules/tasks/filesystems/nfs.nix b/nixos/modules/tasks/filesystems/nfs.nix index 8c631f0772db..462568b5db3e 100644 --- a/nixos/modules/tasks/filesystems/nfs.nix +++ b/nixos/modules/tasks/filesystems/nfs.nix @@ -4,7 +4,7 @@ with lib; let - inInitrd = any (fs: fs == "nfs") config.boot.initrd.supportedFilesystems; + inInitrd = config.boot.initrd.supportedFilesystems.nfs or false; nfsStateDir = "/var/lib/nfs"; @@ -58,7 +58,7 @@ in ###### implementation - config = mkIf (any (fs: fs == "nfs" || fs == "nfs4") config.boot.supportedFilesystems) { + config = mkIf (config.boot.supportedFilesystems.nfs or config.boot.supportedFilesystems.nfs4 or false) { services.rpcbind.enable = true; diff --git a/nixos/modules/tasks/filesystems/ntfs.nix b/nixos/modules/tasks/filesystems/ntfs.nix index c40d2a1a80bc..99ba494a7a39 100644 --- a/nixos/modules/tasks/filesystems/ntfs.nix +++ b/nixos/modules/tasks/filesystems/ntfs.nix @@ -3,7 +3,7 @@ with lib; { - config = mkIf (any (fs: fs == "ntfs" || fs == "ntfs-3g") config.boot.supportedFilesystems) { + config = mkIf (config.boot.supportedFilesystems.ntfs or config.boot.supportedFilesystems.ntfs-3g or false) { system.fsPackages = [ pkgs.ntfs3g ]; diff --git a/nixos/modules/tasks/filesystems/reiserfs.nix b/nixos/modules/tasks/filesystems/reiserfs.nix index 3c6a0f0cd917..f3f5e6aaa10b 100644 --- a/nixos/modules/tasks/filesystems/reiserfs.nix +++ b/nixos/modules/tasks/filesystems/reiserfs.nix @@ -4,12 +4,12 @@ with lib; let - inInitrd = any (fs: fs == "reiserfs") config.boot.initrd.supportedFilesystems; + inInitrd = config.boot.initrd.supportedFilesystems.reiserfs or false; in { - config = mkIf (any (fs: fs == "reiserfs") config.boot.supportedFilesystems) { + config = mkIf (config.boot.supportedFilesystems.reiserfs or false) { system.fsPackages = [ pkgs.reiserfsprogs ]; diff --git a/nixos/modules/tasks/filesystems/squashfs.nix b/nixos/modules/tasks/filesystems/squashfs.nix index 10d45a21d3ca..a0fac904766a 100644 --- a/nixos/modules/tasks/filesystems/squashfs.nix +++ b/nixos/modules/tasks/filesystems/squashfs.nix @@ -2,7 +2,7 @@ let - inInitrd = lib.any (fs: fs == "squashfs") config.boot.initrd.supportedFilesystems; + inInitrd = config.boot.initrd.supportedFilesystems.squashfs or false; in diff --git a/nixos/modules/tasks/filesystems/sshfs.nix b/nixos/modules/tasks/filesystems/sshfs.nix index cd71dda16d8b..63ff7f2b6b39 100644 --- a/nixos/modules/tasks/filesystems/sshfs.nix +++ b/nixos/modules/tasks/filesystems/sshfs.nix @@ -1,7 +1,11 @@ { config, lib, pkgs, ... }: { - config = lib.mkIf (lib.any (fs: fs == "sshfs" || fs == "fuse.sshfs") config.boot.supportedFilesystems) { - system.fsPackages = [ pkgs.sshfs ]; - }; + config = lib.mkIf + (config.boot.supportedFilesystems.sshfs + or config.boot.supportedFilesystems."fuse.sshfs" + or false) + { + system.fsPackages = [ pkgs.sshfs ]; + }; } diff --git a/nixos/modules/tasks/filesystems/unionfs-fuse.nix b/nixos/modules/tasks/filesystems/unionfs-fuse.nix index f9954b5182f9..929454ff1529 100644 --- a/nixos/modules/tasks/filesystems/unionfs-fuse.nix +++ b/nixos/modules/tasks/filesystems/unionfs-fuse.nix @@ -3,7 +3,7 @@ { config = lib.mkMerge [ - (lib.mkIf (lib.any (fs: fs == "unionfs-fuse") config.boot.initrd.supportedFilesystems) { + (lib.mkIf (config.boot.initrd.supportedFilesystems.unionfs-fuse or false) { boot.initrd.kernelModules = [ "fuse" ]; boot.initrd.extraUtilsCommands = lib.mkIf (!config.boot.initrd.systemd.enable) '' @@ -35,7 +35,7 @@ }; }) - (lib.mkIf (lib.any (fs: fs == "unionfs-fuse") config.boot.supportedFilesystems) { + (lib.mkIf (config.boot.supportedFilesystems.unionfs-fuse or false) { system.fsPackages = [ pkgs.unionfs-fuse ]; }) diff --git a/nixos/modules/tasks/filesystems/vboxsf.nix b/nixos/modules/tasks/filesystems/vboxsf.nix index 5497194f6a8d..00245b5af252 100644 --- a/nixos/modules/tasks/filesystems/vboxsf.nix +++ b/nixos/modules/tasks/filesystems/vboxsf.nix @@ -4,7 +4,7 @@ with lib; let - inInitrd = any (fs: fs == "vboxsf") config.boot.initrd.supportedFilesystems; + inInitrd = config.boot.initrd.supportedFilesystems.vboxsf or false; package = pkgs.runCommand "mount.vboxsf" { preferLocalBuild = true; } '' mkdir -p $out/bin @@ -13,7 +13,7 @@ let in { - config = mkIf (any (fs: fs == "vboxsf") config.boot.supportedFilesystems) { + config = mkIf (config.boot.supportedFilesystems.vboxsf or false) { system.fsPackages = [ package ]; diff --git a/nixos/modules/tasks/filesystems/vfat.nix b/nixos/modules/tasks/filesystems/vfat.nix index 9281b34633c2..d7acc0c9e50b 100644 --- a/nixos/modules/tasks/filesystems/vfat.nix +++ b/nixos/modules/tasks/filesystems/vfat.nix @@ -4,12 +4,12 @@ with lib; let - inInitrd = any (fs: fs == "vfat") config.boot.initrd.supportedFilesystems; + inInitrd = config.boot.initrd.supportedFilesystems.vfat or false; in { - config = mkIf (any (fs: fs == "vfat") config.boot.supportedFilesystems) { + config = mkIf (config.boot.supportedFilesystems.vfat or false) { system.fsPackages = [ pkgs.dosfstools pkgs.mtools ]; diff --git a/nixos/modules/tasks/filesystems/xfs.nix b/nixos/modules/tasks/filesystems/xfs.nix index 76f31e660ad3..50dc1b3340aa 100644 --- a/nixos/modules/tasks/filesystems/xfs.nix +++ b/nixos/modules/tasks/filesystems/xfs.nix @@ -4,12 +4,12 @@ with lib; let - inInitrd = any (fs: fs == "xfs") config.boot.initrd.supportedFilesystems; + inInitrd = config.boot.initrd.supportedFilesystems.xfs or false; in { - config = mkIf (any (fs: fs == "xfs") config.boot.supportedFilesystems) { + config = mkIf (config.boot.supportedFilesystems.xfs or false) { system.fsPackages = [ pkgs.xfsprogs.bin ]; diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index b289d2151eb7..98df6a40e8a1 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -20,8 +20,8 @@ let clevisDatasets = map (e: e.device) (filter (e: e.device != null && (hasAttr e.device config.boot.initrd.clevis.devices) && e.fsType == "zfs" && (fsNeededForBoot e)) config.system.build.fileSystems); - inInitrd = any (fs: fs == "zfs") config.boot.initrd.supportedFilesystems; - inSystem = any (fs: fs == "zfs") config.boot.supportedFilesystems; + inInitrd = config.boot.initrd.supportedFilesystems.zfs or false; + inSystem = config.boot.supportedFilesystems.zfs or false; autosnapPkg = pkgs.zfstools.override { zfs = cfgZfs.package; diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index 3e33cabf2660..b3d81078eb34 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -28,6 +28,43 @@ in description = lib.mdDoc "Enable the OCI seccomp BPF hook"; }; + cdi = { + dynamic.nvidia.enable = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Enable dynamic CDI configuration for NVidia devices by running nvidia-container-toolkit on boot. + ''; + }; + + static = mkOption { + type = types.attrs; + default = { }; + description = lib.mdDoc '' + Declarative CDI specification. Each key of the attribute set + will be mapped to a file in /etc/cdi. It is required for every + key to be provided in JSON format. + ''; + example = { + some-vendor = builtins.fromJSON '' + { + "cdiVersion": "0.5.0", + "kind": "some-vendor.com/foo", + "devices": [], + "containerEdits": [] + } + ''; + + some-other-vendor = { + cdiVersion = "0.5.0"; + kind = "some-other-vendor.com/bar"; + devices = []; + containerEdits = []; + }; + }; + }; + }; + containersConf.settings = mkOption { type = toml.type; default = { }; @@ -113,6 +150,8 @@ in config = lib.mkIf cfg.enable { + hardware.nvidia-container-toolkit-cdi-generator.enable = lib.mkIf cfg.cdi.dynamic.nvidia.enable true; + virtualisation.containers.containersConf.cniPlugins = [ pkgs.cni-plugins ]; virtualisation.containers.containersConf.settings = { @@ -124,19 +163,28 @@ in }; }; - environment.etc."containers/containers.conf".source = - toml.generate "containers.conf" cfg.containersConf.settings; - - environment.etc."containers/storage.conf".source = - toml.generate "storage.conf" cfg.storage.settings; + environment.etc = let + cdiStaticConfigurationFiles = (lib.attrsets.mapAttrs' + (name: value: + lib.attrsets.nameValuePair "cdi/${name}.json" + { text = builtins.toJSON value; }) + cfg.cdi.static); + in { + "containers/containers.conf".source = + toml.generate "containers.conf" cfg.containersConf.settings; + + "containers/storage.conf".source = + toml.generate "storage.conf" cfg.storage.settings; + + "containers/registries.conf".source = toml.generate "registries.conf" { + registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries; + }; - environment.etc."containers/registries.conf".source = toml.generate "registries.conf" { - registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries; - }; + "containers/policy.json".source = + if cfg.policy != { } then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy) + else "${pkgs.skopeo.policy}/default-policy.json"; + } // cdiStaticConfigurationFiles; - environment.etc."containers/policy.json".source = - if cfg.policy != { } then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy) - else "${pkgs.skopeo.policy}/default-policy.json"; }; } diff --git a/nixos/modules/virtualisation/cri-o.nix b/nixos/modules/virtualisation/cri-o.nix index dacd700537c7..417cf516c7f4 100644 --- a/nixos/modules/virtualisation/cri-o.nix +++ b/nixos/modules/virtualisation/cri-o.nix @@ -6,7 +6,7 @@ let crioPackage = pkgs.cri-o.override { extraPackages = cfg.extraPackages - ++ lib.optional (builtins.elem "zfs" config.boot.supportedFilesystems) config.boot.zfs.package; + ++ lib.optional (config.boot.supportedFilesystems.zfs or false) config.boot.zfs.package; }; format = pkgs.formats.toml { }; diff --git a/nixos/modules/virtualisation/docker.nix b/nixos/modules/virtualisation/docker.nix index b0d61ee06091..cceb186e0b36 100644 --- a/nixos/modules/virtualisation/docker.nix +++ b/nixos/modules/virtualisation/docker.nix @@ -72,6 +72,8 @@ in type = types.bool; default = false; description = lib.mdDoc '' + **Deprecated**, please use virtualisation.containers.cdi.dynamic.nvidia.enable instead. + Enable nvidia-docker wrapper, supporting NVIDIA GPUs inside docker containers. ''; }; @@ -93,8 +95,18 @@ in default = null; description = lib.mdDoc '' - This option determines which Docker storage driver to use. By default - it let's docker automatically choose preferred storage driver. + This option determines which Docker + [storage driver](https://docs.docker.com/storage/storagedriver/select-storage-driver/) + to use. + By default it lets docker automatically choose the preferred storage + driver. + However, it is recommended to specify a storage driver explicitly, as + docker's default varies over versions. + + ::: {.warning} + Changing the storage driver will cause any existing containers + and images to become inaccessible. + ::: ''; }; @@ -175,6 +187,16 @@ in users.groups.docker.gid = config.ids.gids.docker; systemd.packages = [ cfg.package ]; + # Docker 25.0.0 supports CDI by default + # (https://docs.docker.com/engine/release-notes/25.0/#new). Encourage + # moving to CDI as opposed to having deprecated runtime + # wrappers. + warnings = lib.optionals (cfg.enableNvidia && (lib.strings.versionAtLeast cfg.package.version "25")) [ + '' + You have set virtualisation.docker.enableNvidia. This option is deprecated, please set virtualisation.containers.cdi.dynamic.nvidia.enable instead. + '' + ]; + systemd.services.docker = { wantedBy = optional cfg.enableOnBoot "multi-user.target"; after = [ "network.target" "docker.socket" ]; diff --git a/nixos/modules/virtualisation/hyperv-image.nix b/nixos/modules/virtualisation/hyperv-image.nix index efaea0c110d2..fddff7bf1c69 100644 --- a/nixos/modules/virtualisation/hyperv-image.nix +++ b/nixos/modules/virtualisation/hyperv-image.nix @@ -60,7 +60,6 @@ in { boot.growPartition = true; boot.loader.grub = { - version = 2; device = "nodev"; efiSupport = true; efiInstallAsRemovable = true; diff --git a/nixos/modules/virtualisation/incus.nix b/nixos/modules/virtualisation/incus.nix index bbe5b48b95bb..3bbe0ba45851 100644 --- a/nixos/modules/virtualisation/incus.nix +++ b/nixos/modules/virtualisation/incus.nix @@ -97,6 +97,12 @@ in considered failed and systemd will attempt to restart it. ''; }; + + ui = { + enable = lib.mkEnableOption (lib.mdDoc "(experimental) Incus UI"); + + package = lib.mkPackageOption pkgs [ "incus" "ui" ] { }; + }; }; }; @@ -165,10 +171,12 @@ in "${config.boot.zfs.package}/lib/udev" ]; - environment = { + environment = lib.mkMerge [ { # Override Path to the LXC template configuration directory INCUS_LXC_TEMPLATE_CONFIG = "${pkgs.lxcfs}/share/lxc/config"; - }; + } (lib.mkIf (cfg.ui.enable) { + "INCUS_UI" = cfg.ui.package; + }) ]; serviceConfig = { ExecStart = "${cfg.package}/bin/incusd --group incus-admin"; diff --git a/nixos/modules/virtualisation/linode-config.nix b/nixos/modules/virtualisation/linode-config.nix index bbf81bda9c02..209bff57ea8b 100644 --- a/nixos/modules/virtualisation/linode-config.nix +++ b/nixos/modules/virtualisation/linode-config.nix @@ -59,7 +59,6 @@ with lib; grub = { enable = true; - version = 2; forceInstall = true; device = "nodev"; diff --git a/nixos/modules/virtualisation/lxc-container.nix b/nixos/modules/virtualisation/lxc-container.nix index 8d3a480e6dc8..95e3083ff9ed 100644 --- a/nixos/modules/virtualisation/lxc-container.nix +++ b/nixos/modules/virtualisation/lxc-container.nix @@ -14,7 +14,9 @@ options = { }; - config = { + config = let + initScript = if config.boot.initrd.systemd.enable then "prepare-root" else "init"; + in { boot.isContainer = true; boot.postBootCommands = '' @@ -41,7 +43,7 @@ contents = [ { - source = config.system.build.toplevel + "/init"; + source = config.system.build.toplevel + "/${initScript}"; target = "/sbin/init"; } # Technically this is not required for lxc, but having also make this configuration work with systemd-nspawn. @@ -65,7 +67,7 @@ pseudoFiles = [ "/sbin d 0755 0 0" - "/sbin/init s 0555 0 0 ${config.system.build.toplevel}/init" + "/sbin/init s 0555 0 0 ${config.system.build.toplevel}/${initScript}" "/dev d 0755 0 0" "/proc d 0555 0 0" "/sys d 0555 0 0" @@ -74,7 +76,7 @@ system.build.installBootLoader = pkgs.writeScript "install-lxd-sbin-init.sh" '' #!${pkgs.runtimeShell} - ${pkgs.coreutils}/bin/ln -fs "$1/init" /sbin/init + ${pkgs.coreutils}/bin/ln -fs "$1/${initScript}" /sbin/init ''; # networkd depends on this, but systemd module disables this for containers @@ -83,7 +85,7 @@ systemd.packages = [ pkgs.distrobuilder.generator ]; system.activationScripts.installInitScript = lib.mkForce '' - ln -fs $systemConfig/init /sbin/init + ln -fs $systemConfig/${initScript} /sbin/init ''; }; } diff --git a/nixos/modules/virtualisation/oci-containers.nix b/nixos/modules/virtualisation/oci-containers.nix index b6a7b1154c4a..a88715587d65 100644 --- a/nixos/modules/virtualisation/oci-containers.nix +++ b/nixos/modules/virtualisation/oci-containers.nix @@ -252,10 +252,13 @@ let text = '' ${cfg.backend} rm -f ${name} || true ${optionalString (isValidLogin container.login) '' + # try logging in, if it fails, check if image exists locally ${cfg.backend} login \ ${container.login.registry} \ --username ${container.login.username} \ - --password-stdin < ${container.login.passwordFile} + --password-stdin < ${container.login.passwordFile} \ + || ${cfg.backend} image inspect ${container.image} >/dev/null \ + || { echo "image doesn't exist locally and login failed" >&2 ; exit 1; } ''} ${optionalString (container.imageFile != null) '' ${cfg.backend} load -i ${container.imageFile} diff --git a/nixos/modules/virtualisation/podman/default.nix b/nixos/modules/virtualisation/podman/default.nix index 47382f9beab0..5a99dc8a1bb9 100644 --- a/nixos/modules/virtualisation/podman/default.nix +++ b/nixos/modules/virtualisation/podman/default.nix @@ -9,7 +9,7 @@ let extraPackages = cfg.extraPackages # setuid shadow ++ [ "/run/wrappers" ] - ++ lib.optional (builtins.elem "zfs" config.boot.supportedFilesystems) config.boot.zfs.package; + ++ lib.optional (config.boot.supportedFilesystems.zfs or false) config.boot.zfs.package; }); # Provides a fake "docker" binary mapping to podman @@ -82,6 +82,8 @@ in type = types.bool; default = false; description = lib.mdDoc '' + **Deprecated**, please use virtualisation.containers.cdi.dynamic.nvidia.enable instead. + Enable use of NVidia GPUs from within podman containers. ''; }; @@ -166,6 +168,12 @@ in inherit (networkConfig) dns_enabled network_interface; in lib.mkIf cfg.enable { + warnings = lib.optionals cfg.enableNvidia [ + '' + You have set virtualisation.podman.enableNvidia. This option is deprecated, please set virtualisation.containers.cdi.dynamic.nvidia.enable instead. + '' + ]; + environment.systemPackages = [ cfg.package ] ++ lib.optional cfg.dockerCompat dockerCompat; diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index 57e2c38301a0..75ba6dacc122 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -738,7 +738,7 @@ in See the [QEMU Wiki on Networking](https://wiki.qemu.org/Documentation/Networking) for details. If you override this option, be advised to keep - ''${QEMU_NET_OPTS:+,$QEMU_NET_OPTS} (as seen in the example) + `''${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}` (as seen in the example) to keep the default runtime behaviour. ''; }; @@ -813,14 +813,19 @@ in defaultText = "!cfg.useBootLoader"; description = lib.mdDoc '' - If enabled, the virtual machine will boot directly into the kernel instead of through a bootloader. Other relevant parameters such as the initrd are also passed to QEMU. + If enabled, the virtual machine will boot directly into the kernel instead of through a bootloader. + Read more about this feature in the [QEMU documentation on Direct Linux Boot](https://qemu-project.gitlab.io/qemu/system/linuxboot.html) + This is enabled by default. If you want to test netboot, consider disabling this option. + Enable a bootloader with {option}`virtualisation.useBootLoader` if you need. - This will not boot / reboot correctly into a system that has switched to a different configuration on disk. + Relevant parameters such as those set in `boot.initrd` and `boot.kernelParams` are also passed to QEMU. + Additional parameters can be supplied on invocation through the environment variable `$QEMU_KERNEL_PARAMS`. + They are added to the `-append` option, see [QEMU User Documentation](https://www.qemu.org/docs/master/system/qemu-manpage) for details + For example, to let QEMU use the parent terminal as the serial console, set `QEMU_KERNEL_PARAMS="console=ttyS0"`. - This is enabled by default if you don't enable bootloaders, but you can still enable a bootloader if you need. - Read more about this feature: <https://qemu-project.gitlab.io/qemu/system/linuxboot.html>. + This will not (re-)boot correctly into a system that has switched to a different configuration on disk. ''; }; initrd = @@ -850,6 +855,8 @@ in If disabled, the kernel and initrd are directly booted, forgoing any bootloader. + + Check the documentation on {option}`virtualisation.directBoot.enable` for details. ''; }; @@ -870,9 +877,11 @@ in type = types.package; default = (pkgs.OVMF.override { secureBoot = cfg.useSecureBoot; + systemManagementModeRequired = cfg.useSecureBoot; }).fd; defaultText = ''(pkgs.OVMF.override { secureBoot = cfg.useSecureBoot; + systemManagementModeRequired = cfg.useSecureBoot; }).fd''; description = lib.mdDoc "OVMF firmware package, defaults to OVMF configured with secure boot if needed."; @@ -1176,6 +1185,10 @@ in "-tpmdev emulator,id=tpm_dev_0,chardev=chrtpm" "-device ${cfg.tpm.deviceModel},tpmdev=tpm_dev_0" ]) + (mkIf (cfg.efi.OVMF.systemManagementModeRequired or false) [ + "-machine" "q35,smm=on" + "-global" "driver=cfi.pflash01,property=secure,value=on" + ]) ]; virtualisation.qemu.drives = mkMerge [ diff --git a/nixos/modules/virtualisation/vmware-image.nix b/nixos/modules/virtualisation/vmware-image.nix index a38713b4d4ee..3674b37d0b97 100644 --- a/nixos/modules/virtualisation/vmware-image.nix +++ b/nixos/modules/virtualisation/vmware-image.nix @@ -80,7 +80,6 @@ in { boot.growPartition = true; boot.loader.grub = { - version = 2; device = "nodev"; efiSupport = true; efiInstallAsRemovable = true; diff --git a/nixos/tests/activation/etc-overlay-immutable.nix b/nixos/tests/activation/etc-overlay-immutable.nix index 70c3623b929c..f347f9cf8efe 100644 --- a/nixos/tests/activation/etc-overlay-immutable.nix +++ b/nixos/tests/activation/etc-overlay-immutable.nix @@ -20,11 +20,17 @@ }; testScript = '' - machine.succeed("findmnt --kernel --type overlay /etc") - machine.fail("stat /etc/newgen") + with subtest("/etc is mounted as an overlay"): + machine.succeed("findmnt --kernel --type overlay /etc") - machine.succeed("/run/current-system/specialisation/new-generation/bin/switch-to-configuration switch") + with subtest("switching to the same generation"): + machine.succeed("/run/current-system/bin/switch-to-configuration test") - assert machine.succeed("cat /etc/newgen") == "newgen" + with subtest("switching to a new generation"): + machine.fail("stat /etc/newgen") + + machine.succeed("/run/current-system/specialisation/new-generation/bin/switch-to-configuration switch") + + assert machine.succeed("cat /etc/newgen") == "newgen" ''; } diff --git a/nixos/tests/activation/etc-overlay-mutable.nix b/nixos/tests/activation/etc-overlay-mutable.nix index cfe7604fceb8..087c06408a71 100644 --- a/nixos/tests/activation/etc-overlay-mutable.nix +++ b/nixos/tests/activation/etc-overlay-mutable.nix @@ -18,13 +18,19 @@ }; testScript = '' - machine.succeed("findmnt --kernel --type overlay /etc") - machine.fail("stat /etc/newgen") - machine.succeed("echo -n 'mutable' > /etc/mutable") + with subtest("/etc is mounted as an overlay"): + machine.succeed("findmnt --kernel --type overlay /etc") - machine.succeed("/run/current-system/specialisation/new-generation/bin/switch-to-configuration switch") + with subtest("switching to the same generation"): + machine.succeed("/run/current-system/bin/switch-to-configuration test") - assert machine.succeed("cat /etc/newgen") == "newgen" - assert machine.succeed("cat /etc/mutable") == "mutable" + with subtest("switching to a new generation"): + machine.fail("stat /etc/newgen") + machine.succeed("echo -n 'mutable' > /etc/mutable") + + machine.succeed("/run/current-system/specialisation/new-generation/bin/switch-to-configuration switch") + + assert machine.succeed("cat /etc/newgen") == "newgen" + assert machine.succeed("cat /etc/mutable") == "mutable" ''; } diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 31af6ec64214..1144a5611dcf 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -539,6 +539,7 @@ in { mongodb = handleTest ./mongodb.nix {}; moodle = handleTest ./moodle.nix {}; moonraker = handleTest ./moonraker.nix {}; + morph-browser = handleTest ./morph-browser.nix { }; morty = handleTest ./morty.nix {}; mosquitto = handleTest ./mosquitto.nix {}; moosefs = handleTest ./moosefs.nix {}; @@ -771,6 +772,7 @@ in { sanoid = handleTest ./sanoid.nix {}; scaphandre = handleTest ./scaphandre.nix {}; schleuder = handleTest ./schleuder.nix {}; + scrutiny = handleTest ./scrutiny.nix {}; sddm = handleTest ./sddm.nix {}; seafile = handleTest ./seafile.nix {}; searx = handleTest ./searx.nix {}; @@ -799,7 +801,7 @@ in { solanum = handleTest ./solanum.nix {}; sonarr = handleTest ./sonarr.nix {}; sonic-server = handleTest ./sonic-server.nix {}; - sourcehut = handleTest ./sourcehut.nix {}; + sourcehut = handleTest ./sourcehut {}; spacecookie = handleTest ./spacecookie.nix {}; spark = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./spark {}; sqlite3-to-mysql = handleTest ./sqlite3-to-mysql.nix {}; diff --git a/nixos/tests/ccache.nix b/nixos/tests/ccache.nix new file mode 100644 index 000000000000..a97ae0501767 --- /dev/null +++ b/nixos/tests/ccache.nix @@ -0,0 +1,24 @@ +import ./make-test-python.nix ({ pkgs, ...} : { + name = "ccache"; + meta = with pkgs.lib.maintainers; { + maintainers = [ ehmry ]; + }; + + nodes.machine = { ... }: { + imports = [ ../modules/profiles/minimal.nix ]; + environment.systemPackages = [ pkgs.hello ]; + programs.ccache = { + enable = true; + packageNames = [ "hello" ]; + }; + }; + + testScript = + '' + start_all() + machine.wait_for_unit("multi-user.target") + machine.succeed("nix-ccache --show-stats") + machine.succeed("hello") + machine.shutdown() + ''; +}) diff --git a/nixos/tests/docker-tools.nix b/nixos/tests/docker-tools.nix index 90af817e75ed..f252eb9ff61e 100644 --- a/nixos/tests/docker-tools.nix +++ b/nixos/tests/docker-tools.nix @@ -46,6 +46,18 @@ let echo 'runAsRoot has run.' ''; }; + + chownTestImage = + pkgs.dockerTools.streamLayeredImage { + name = "chown-test"; + tag = "latest"; + enableFakechroot = true; + fakeRootCommands = '' + touch /testfile + chown 12345:12345 /testfile + ''; + config.Cmd = [ "${pkgs.coreutils}/bin/stat" "-c" "%u:%g" "/testfile" ]; + }; in { name = "docker-tools"; meta = with pkgs.lib.maintainers; { @@ -71,14 +83,29 @@ in { docker.succeed("${examples.helloOnRoot} | docker load") docker.succeed("docker run --rm hello | grep -i hello") docker.succeed("docker image rm hello:latest") + with subtest("includeStorePath = false; breaks example"): docker.succeed("${examples.helloOnRootNoStore} | docker load") docker.fail("docker run --rm hello | grep -i hello") docker.succeed("docker image rm hello:latest") + with subtest("includeStorePath = false; breaks example (fakechroot)"): + docker.succeed("${examples.helloOnRootNoStoreFakechroot} | docker load") + docker.fail("docker run --rm hello | grep -i hello") + docker.succeed("docker image rm hello:latest") + + with subtest("Ensure ZERO paths are added to the store"): + docker.fail("${examples.helloOnRootNoStore} | ${pkgs.crane}/bin/crane export - - | tar t | grep 'nix/store/'") + with subtest("Ensure ZERO paths are added to the store (fakechroot)"): + docker.fail("${examples.helloOnRootNoStoreFakechroot} | ${pkgs.crane}/bin/crane export - - | tar t | grep 'nix/store/'") + with subtest("includeStorePath = false; works with mounted store"): docker.succeed("${examples.helloOnRootNoStore} | docker load") docker.succeed("docker run --rm --volume ${builtins.storeDir}:${builtins.storeDir}:ro hello | grep -i hello") docker.succeed("docker image rm hello:latest") + with subtest("includeStorePath = false; works with mounted store (fakechroot)"): + docker.succeed("${examples.helloOnRootNoStoreFakechroot} | docker load") + docker.succeed("docker run --rm --volume ${builtins.storeDir}:${builtins.storeDir}:ro hello | grep -i hello") + docker.succeed("docker image rm hello:latest") with subtest("Ensure Docker images use a stable date by default"): docker.succeed( @@ -128,6 +155,15 @@ in { docker.succeed("docker images --format '{{.Tag}}' | grep -F '${examples.nixLayered.imageTag}'") docker.succeed("docker rmi ${examples.nixLayered.imageName}") + with subtest("Check that images with alternative compression schemas load"): + docker.succeed( + "docker load --input='${examples.bashZstdCompressed}'", + "docker rmi ${examples.bashZstdCompressed.imageName}", + ) + docker.succeed( + "docker load --input='${examples.bashUncompressed}'", + "docker rmi ${examples.bashUncompressed.imageName}", + ) with subtest( "Check if the nix store is correctly initialized by listing " @@ -449,6 +485,18 @@ in { "docker run --rm ${examples.layeredImageWithFakeRootCommands.imageName} /hello/bin/layeredImageWithFakeRootCommands-hello" ) + with subtest("mergeImage correctly deals with varying compression schemas in inputs"): + docker.succeed("docker load --input='${examples.mergeVaryingCompressor}'") + + for sub_image, tag in [ + ("${examples.redis.imageName}", "${examples.redis.imageTag}"), + ("${examples.bashUncompressed.imageName}", "${examples.bashUncompressed.imageTag}"), + ("${examples.bashZstdCompressed.imageName}", "${examples.bashZstdCompressed.imageTag}"), + ]: + docker.succeed(f"docker images --format '{{{{.Repository}}}}-{{{{.Tag}}}}' | grep -F '{sub_image}-{tag}'") + docker.succeed(f"docker rmi {sub_image}") + + with subtest("exportImage produces a valid tarball"): docker.succeed( "tar -tf ${examples.exportBash} | grep '\./bin/bash' > /dev/null" @@ -550,5 +598,11 @@ in { "${examples.nix-shell-build-derivation} | docker load", "docker run --rm -it nix-shell-build-derivation" ) + + with subtest("streamLayeredImage: chown is persistent in fakeRootCommands"): + docker.succeed( + "${chownTestImage} | docker load", + "docker run --rm ${chownTestImage.imageName} | diff /dev/stdin <(echo 12345:12345)" + ) ''; }) diff --git a/nixos/tests/geoserver.nix b/nixos/tests/geoserver.nix index 7e5507a296ea..4f6f2b209d07 100644 --- a/nixos/tests/geoserver.nix +++ b/nixos/tests/geoserver.nix @@ -1,4 +1,18 @@ -{ pkgs, lib, ... }: { +{ pkgs, lib, ... }: + +let + geoserver = pkgs.geoserver; + geoserverWithImporterExtension = pkgs.geoserver.withExtensions (ps: with ps; [ importer ]); + + # Blacklisted extensions: + # - wps-jdbc needs a running (Postrgres) db server. + blacklist = [ "wps-jdbc" ]; + + blacklistedToNull = n: v: if ! builtins.elem n blacklist then v else null; + getNonBlackistedExtensionsAsList = ps: builtins.filter (x: x != null) (lib.attrsets.mapAttrsToList blacklistedToNull ps); + geoserverWithAllExtensions = pkgs.geoserver.withExtensions (ps: getNonBlackistedExtensionsAsList ps); +in +{ name = "geoserver"; meta = { @@ -9,16 +23,57 @@ machine = { pkgs, ... }: { virtualisation.diskSize = 2 * 1024; - environment.systemPackages = [ pkgs.geoserver ]; + environment.systemPackages = [ + geoserver + geoserverWithImporterExtension + geoserverWithAllExtensions + ]; }; }; testScript = '' + from contextlib import contextmanager + + curl_cmd = "curl --fail --connect-timeout 2" + curl_cmd_rest = f"{curl_cmd} -u admin:geoserver -X GET" + base_url = "http://localhost:8080/geoserver" + log_file = "./log.txt" + + @contextmanager + def running_geoserver(pkg): + try: + print(f"Launching geoserver from {pkg}...") + machine.execute(f"{pkg}/bin/geoserver-startup > {log_file} 2>&1 &") + machine.wait_until_succeeds(f"{curl_cmd} {base_url} 2>&1", timeout=60) + yield + finally: + # We need to wait a little bit to make sure the server is properly + # shutdown before launching a new instance. + machine.execute(f"{pkg}/bin/geoserver-shutdown; sleep 1") + start_all() - machine.execute("${pkgs.geoserver}/bin/geoserver-startup > /dev/null 2>&1 &") - machine.wait_until_succeeds("curl --fail --connect-timeout 2 http://localhost:8080/geoserver", timeout=60) + with running_geoserver("${geoserver}"): + machine.succeed(f"{curl_cmd} {base_url}/ows?service=WMS&version=1.3.0&request=GetCapabilities") + + # No extensions yet. + machine.fail(f"{curl_cmd_rest} {base_url}/rest/imports") + machine.fail(f"{curl_cmd_rest} {base_url}/rest/monitor/requests.csv") + + + with running_geoserver("${geoserverWithImporterExtension}"): + machine.succeed(f"{curl_cmd_rest} {base_url}/rest/imports") + machine.fail(f"{curl_cmd_rest} {base_url}/rest/monitor/requests.csv") + + with running_geoserver("${geoserverWithAllExtensions}"): + machine.succeed(f"{curl_cmd_rest} {base_url}/rest/imports") + machine.succeed(f"{curl_cmd_rest} {base_url}/rest/monitor/requests.csv") + _, stdout = machine.execute(f"cat {log_file}") + print(stdout.replace("\\n", "\n")) + assert "GDAL Native Library loaded" in stdout, "gdal" + assert "The turbo jpeg encoder is available for usage" in stdout, "libjpeg-turbo" + assert "org.geotools.imageio.netcdf.utilities.NetCDFUtilities" in stdout, "netcdf" + assert "Unable to load library 'netcdf'" not in stdout, "netcdf" - machine.succeed("curl --fail --connect-timeout 2 http://localhost:8080/geoserver/ows?service=WMS&version=1.3.0&request=GetCapabilities") ''; } diff --git a/nixos/tests/go-camo.nix b/nixos/tests/go-camo.nix new file mode 100644 index 000000000000..513964c31c43 --- /dev/null +++ b/nixos/tests/go-camo.nix @@ -0,0 +1,30 @@ +{ system ? builtins.currentSystem, config ? { } +, pkgs ? import ../.. { inherit system config; } }: + +with import ../lib/testing-python.nix { inherit system pkgs; }; + +{ + gocamo_file_key = let + key_val = "12345678"; + in + makeTest { + name = "go-camo-file-key"; + meta = { + maintainers = [ pkgs.lib.maintainers.viraptor ]; + }; + + nodes.machine = { config, pkgs, ... }: { + services.go-camo = { + enable = true; + keyFile = pkgs.writeText "foo" key_val; + }; + }; + + # go-camo responds to http requests + testScript = '' + machine.wait_for_unit("go-camo.service") + machine.wait_for_open_port(8080) + machine.succeed("curl http://localhost:8080") + ''; + }; +} diff --git a/nixos/tests/incus/container.nix b/nixos/tests/incus/container.nix index 0e65cc1e1529..0f42d16f133d 100644 --- a/nixos/tests/incus/container.nix +++ b/nixos/tests/incus/container.nix @@ -1,11 +1,11 @@ -import ../make-test-python.nix ({ pkgs, lib, ... } : +import ../make-test-python.nix ({ pkgs, lib, extra ? {}, ... } : let releases = import ../../release.nix { configuration = { # Building documentation makes the test unnecessarily take a longer time: documentation.enable = lib.mkForce false; - }; + } // extra; }; container-image-metadata = releases.lxdContainerMeta.${pkgs.stdenv.hostPlatform.system}; diff --git a/nixos/tests/incus/default.nix b/nixos/tests/incus/default.nix index 26e8a4ac4c77..ff36fe9d6730 100644 --- a/nixos/tests/incus/default.nix +++ b/nixos/tests/incus/default.nix @@ -5,9 +5,14 @@ handleTestOn, }: { - container = import ./container.nix { inherit system pkgs; }; + container-old-init = import ./container.nix { inherit system pkgs; }; + container-new-init = import ./container.nix { inherit system pkgs; extra = { + # Enable new systemd init + boot.initrd.systemd.enable = true; + }; }; lxd-to-incus = import ./lxd-to-incus.nix { inherit system pkgs; }; preseed = import ./preseed.nix { inherit system pkgs; }; socket-activated = import ./socket-activated.nix { inherit system pkgs; }; + ui = import ./ui.nix {inherit system pkgs;}; virtual-machine = handleTestOn [ "x86_64-linux" ] ./virtual-machine.nix { inherit system pkgs; }; } diff --git a/nixos/tests/incus/ui.nix b/nixos/tests/incus/ui.nix new file mode 100644 index 000000000000..24ce1217d8df --- /dev/null +++ b/nixos/tests/incus/ui.nix @@ -0,0 +1,63 @@ +import ../make-test-python.nix ({ pkgs, lib, ... }: { + name = "incus-ui"; + + meta = { + maintainers = lib.teams.lxc.members; + }; + + nodes.machine = { lib, ... }: { + virtualisation = { + incus.enable = true; + incus.ui.enable = true; + }; + + environment.systemPackages = + let + seleniumScript = pkgs.writers.writePython3Bin "selenium-script" + { + libraries = with pkgs.python3Packages; [ selenium ]; + } '' + from selenium import webdriver + from selenium.webdriver.common.by import By + from selenium.webdriver.firefox.options import Options + from selenium.webdriver.support.ui import WebDriverWait + + options = Options() + options.add_argument("--headless") + service = webdriver.FirefoxService(executable_path="${lib.getExe pkgs.geckodriver}") # noqa: E501 + + driver = webdriver.Firefox(options=options, service=service) + driver.implicitly_wait(10) + driver.get("https://localhost:8443/ui") + + wait = WebDriverWait(driver, 60) + + assert len(driver.find_elements(By.CLASS_NAME, "l-application")) > 0 + assert len(driver.find_elements(By.CLASS_NAME, "l-navigation__drawer")) > 0 + + driver.close() + ''; + in + with pkgs; [ curl firefox-unwrapped geckodriver seleniumScript ]; + }; + + + testScript = '' + machine.wait_for_unit("sockets.target") + machine.wait_for_unit("incus.service") + machine.wait_for_file("/var/lib/incus/unix.socket") + + # Configure incus listen address + machine.succeed("incus config set core.https_address :8443") + machine.succeed("systemctl restart incus") + + # Check that the INCUS_UI environment variable is populated in the systemd unit + machine.succeed("cat /etc/systemd/system/incus.service | grep 'INCUS_UI'") + + # Ensure the endpoint returns an HTML page with 'Incus UI' in the title + machine.succeed("curl -kLs https://localhost:8443/ui | grep '<title>Incus UI</title>'") + + # Ensure the application is actually rendered by the Javascript + machine.succeed("PYTHONUNBUFFERED=1 selenium-script") + ''; +}) diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix index 7576fae41f83..b6cb6a0c6d45 100644 --- a/nixos/tests/installer.nix +++ b/nixos/tests/installer.nix @@ -526,8 +526,7 @@ let curl ] ++ optionals (bootLoader == "grub") (let - zfsSupport = lib.any (x: x == "zfs") - (extraInstallerConfig.boot.supportedFilesystems or []); + zfsSupport = extraInstallerConfig.boot.supportedFilesystems.zfs or false; in [ (pkgs.grub2.override { inherit zfsSupport; }) (pkgs.grub2_efi.override { inherit zfsSupport; }) diff --git a/nixos/tests/keepalived.nix b/nixos/tests/keepalived.nix index ce291514591f..16564511d85d 100644 --- a/nixos/tests/keepalived.nix +++ b/nixos/tests/keepalived.nix @@ -1,6 +1,6 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "keepalived"; - maintainers = [ lib.maintainers.raitobezarius ]; + meta.maintainers = [ lib.maintainers.raitobezarius ]; nodes = { node1 = { pkgs, ... }: { diff --git a/nixos/tests/knot.nix b/nixos/tests/knot.nix index 44efd93b6fa9..c5af8bf1edcc 100644 --- a/nixos/tests/knot.nix +++ b/nixos/tests/knot.nix @@ -114,11 +114,14 @@ in { services.knot.extraArgs = [ "-v" ]; services.knot.settings = { server = { + automatic-acl = true; + }; + + xdp = { listen = [ - "0.0.0.0@53" - "::@53" + "eth1" ]; - automatic-acl = true; + tcp = true; }; remote.primary = { @@ -140,7 +143,7 @@ in { "sub.example.com".file = "sub.example.com.zone"; }; - log.syslog.any = "info"; + log.syslog.any = "debug"; }; }; client = { lib, nodes, ... }: { diff --git a/nixos/tests/lemmy.nix b/nixos/tests/lemmy.nix index e8d747f89a9e..d93df3646837 100644 --- a/nixos/tests/lemmy.nix +++ b/nixos/tests/lemmy.nix @@ -51,7 +51,8 @@ in with subtest("the backend starts and responds"): server.wait_for_open_port(${toString backendPort}) - server.succeed("curl --fail localhost:${toString backendPort}/api/v3/site") + # wait until succeeds, it just needs few seconds for migrations, but lets give it 10s max + server.wait_until_succeeds("curl --fail localhost:${toString backendPort}/api/v3/site", 10) with subtest("the UI starts and responds"): server.wait_for_unit("lemmy-ui.service") diff --git a/nixos/tests/matomo.nix b/nixos/tests/matomo.nix index 7dbef63136aa..130f3dd8485a 100644 --- a/nixos/tests/matomo.nix +++ b/nixos/tests/matomo.nix @@ -47,4 +47,8 @@ in { name = "matomo-beta"; meta.maintainers = with maintainers; [ florianjacob kiwi mmilata twey boozedog ]; }; + matomo_5 = matomoTest pkgs.matomo_5 // { + name = "matomo-5"; + meta.maintainers = with maintainers; [ florianjacob kiwi mmilata twey boozedog ] ++ lib.teams.flyingcircus.members; + }; } diff --git a/nixos/tests/morph-browser.nix b/nixos/tests/morph-browser.nix new file mode 100644 index 000000000000..859e6bb47646 --- /dev/null +++ b/nixos/tests/morph-browser.nix @@ -0,0 +1,53 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: { + name = "morph-browser-standalone"; + meta.maintainers = lib.teams.lomiri.members; + + nodes.machine = { config, pkgs, ... }: { + imports = [ + ./common/x11.nix + ]; + + services.xserver.enable = true; + + environment = { + systemPackages = with pkgs.lomiri; [ + suru-icon-theme + morph-browser + ]; + variables = { + UITK_ICON_THEME = "suru"; + }; + }; + + i18n.supportedLocales = [ "all" ]; + + fonts.packages = with pkgs; [ + # Intended font & helps with OCR + ubuntu_font_family + ]; + }; + + enableOCR = true; + + testScript = + '' + machine.wait_for_x() + + with subtest("morph browser launches"): + machine.execute("morph-browser >&2 &") + machine.wait_for_text(r"Web Browser|New|sites|Bookmarks") + machine.screenshot("morph_open") + + with subtest("morph browser displays HTML"): + machine.send_chars("file://${pkgs.valgrind.doc}/share/doc/valgrind/html/index.html\n") + machine.wait_for_text("Valgrind Documentation") + machine.screenshot("morph_htmlcontent") + + machine.succeed("pkill -f morph-browser") + + with subtest("morph browser localisation works"): + machine.execute("env LANG=de_DE.UTF-8 morph-browser >&2 &") + machine.wait_for_text(r"Web-Browser|Neuer|Seiten|Lesezeichen") + machine.screenshot("morph_localised") + ''; +}) diff --git a/nixos/tests/nextcloud/with-postgresql-and-redis.nix b/nixos/tests/nextcloud/with-postgresql-and-redis.nix index 3c090f0d3c3b..06afc589403d 100644 --- a/nixos/tests/nextcloud/with-postgresql-and-redis.nix +++ b/nixos/tests/nextcloud/with-postgresql-and-redis.nix @@ -39,7 +39,7 @@ in { }; extraAppsEnable = true; extraApps = { - inherit (pkgs."nextcloud${lib.versions.major config.services.nextcloud.package.version}Packages".apps) notify_push; + inherit (pkgs."nextcloud${lib.versions.major config.services.nextcloud.package.version}Packages".apps) notify_push notes; }; settings.trusted_proxies = [ "::1" ]; }; @@ -84,7 +84,7 @@ in { "${withRcloneEnv} ${copySharedFile}" ) client.wait_for_unit("multi-user.target") - client.execute("${pkgs.nextcloud-notify_push.passthru.test_client}/bin/test_client http://nextcloud ${adminuser} ${adminpass} >&2 &") + client.execute("${pkgs.lib.getExe pkgs.nextcloud-notify_push.passthru.test_client} http://nextcloud ${adminuser} ${adminpass} >&2 &") client.succeed( "${withRcloneEnv} ${diffSharedFile}" ) @@ -92,5 +92,7 @@ in { # redis cache should not be empty nextcloud.fail('test "[]" = "$(redis-cli --json KEYS "*")"') + + nextcloud.fail("curl -f http://nextcloud/nix-apps/notes/lib/AppInfo/Application.php") ''; })) args diff --git a/nixos/tests/opensnitch.nix b/nixos/tests/opensnitch.nix index d84e4e0a935b..a1af07647f71 100644 --- a/nixos/tests/opensnitch.nix +++ b/nixos/tests/opensnitch.nix @@ -31,7 +31,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { enable = true; settings.DefaultAction = "deny"; rules = { - opensnitch = { + curl = { name = "curl"; enabled = true; action = "allow"; diff --git a/nixos/tests/power-profiles-daemon.nix b/nixos/tests/power-profiles-daemon.nix index c887cde4b829..8a54d8e8bab8 100644 --- a/nixos/tests/power-profiles-daemon.nix +++ b/nixos/tests/power-profiles-daemon.nix @@ -8,22 +8,22 @@ import ./make-test-python.nix ({ pkgs, ... }: nodes.machine = { pkgs, ... }: { security.polkit.enable = true; services.power-profiles-daemon.enable = true; - environment.systemPackages = [ pkgs.glib ]; + environment.systemPackages = [ pkgs.glib pkgs.power-profiles-daemon ]; }; testScript = '' def get_profile(): return machine.succeed( - """gdbus call --system --dest net.hadess.PowerProfiles --object-path /net/hadess/PowerProfiles \ - --method org.freedesktop.DBus.Properties.Get 'net.hadess.PowerProfiles' 'ActiveProfile' + """gdbus call --system --dest org.freedesktop.UPower.PowerProfiles --object-path /org/freedesktop/UPower/PowerProfiles \ + --method org.freedesktop.DBus.Properties.Get 'org.freedesktop.UPower.PowerProfiles' 'ActiveProfile' """ ) def set_profile(profile): return machine.succeed( - """gdbus call --system --dest net.hadess.PowerProfiles --object-path /net/hadess/PowerProfiles \ - --method org.freedesktop.DBus.Properties.Set 'net.hadess.PowerProfiles' 'ActiveProfile' "<'{profile}'>" + """gdbus call --system --dest org.freedesktop.UPower.PowerProfiles --object-path /org/freedesktop/UPower/PowerProfiles \ + --method org.freedesktop.DBus.Properties.Set 'org.freedesktop.UPower.PowerProfiles' 'ActiveProfile' "<'{profile}'>" """.format( profile=profile ) @@ -42,5 +42,16 @@ import ./make-test-python.nix ({ pkgs, ... }: profile = get_profile() if not "balanced" in profile: raise Exception("Unable to set balanced profile") + + # test powerprofilectl CLI + machine.succeed("powerprofilesctl set power-saver") + profile = get_profile() + if not "power-saver" in profile: + raise Exception("Unable to set power-saver profile with powerprofilectl") + + machine.succeed("powerprofilesctl set balanced") + profile = get_profile() + if not "balanced" in profile: + raise Exception("Unable to set balanced profile with powerprofilectl") ''; }) diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix index 7e74f27174ec..632656ad5795 100644 --- a/nixos/tests/prometheus-exporters.nix +++ b/nixos/tests/prometheus-exporters.nix @@ -218,6 +218,9 @@ let services.dnsmasq.enable = true; }; exporterTest = '' + wait_for_unit("dnsmasq.service") + wait_for_open_port(53) + wait_for_file("/var/lib/dnsmasq/dnsmasq.leases") wait_for_unit("prometheus-dnsmasq-exporter.service") wait_for_open_port(9153) succeed("curl -sSf http://localhost:9153/metrics | grep 'dnsmasq_leases 0'") diff --git a/nixos/tests/qownnotes.nix b/nixos/tests/qownnotes.nix index 93801cb98702..3390ba6d9025 100644 --- a/nixos/tests/qownnotes.nix +++ b/nixos/tests/qownnotes.nix @@ -21,6 +21,7 @@ import ./make-test-python.nix ({ lib, pkgs, ...} : enableOCR = true; + # https://nixos.org/manual/nixos/stable/#ssec-machine-objects testScript = { nodes, ... }: let aliceDo = cmd: ''machine.succeed("su - alice -c '${cmd}' >&2 &");''; in '' @@ -52,8 +53,13 @@ import ./make-test-python.nix ({ lib, pkgs, ...} : machine.wait_for_text("App metric") machine.send_key("ret") + # Doesn't work for non-root + #machine.wait_for_window("QOwnNotes - ${pkgs.qownnotes.version}") + + # OCR doesn't seem to be able any more to handle the main window + #machine.wait_for_text("QOwnNotes - ${pkgs.qownnotes.version}") + # The main window should now show up - machine.wait_for_text("QOwnNotes - ${pkgs.qownnotes.version}") machine.wait_for_open_port(22222) machine.wait_for_console_text("QOwnNotes server listening on port 22222") @@ -63,7 +69,13 @@ import ./make-test-python.nix ({ lib, pkgs, ...} : machine.send_key("ctrl-n") machine.sleep(1) machine.send_chars("This is a NixOS test!\n") - machine.wait_for_text("This is a NixOS test!") + machine.wait_until_succeeds("find /home/alice/Notes -type f | grep -qi 'Note 2'") + + # OCR doesn't seem to be able any more to handle the main window + #machine.wait_for_text("This is a NixOS test!") + + # Doesn't work for non-root + #machine.wait_for_window("- QOwnNotes - ${pkgs.qownnotes.version}") machine.screenshot("QOwnNotes-NewNote") ''; diff --git a/nixos/tests/scrutiny.nix b/nixos/tests/scrutiny.nix new file mode 100644 index 000000000000..33160a6b3088 --- /dev/null +++ b/nixos/tests/scrutiny.nix @@ -0,0 +1,70 @@ +import ./make-test-python.nix ({ lib, ... }: + +{ + name = "scrutiny"; + meta.maintainers = with lib.maintainers; [ jnsgruk ]; + + nodes = { + machine = { self, pkgs, lib, ... }: { + services = { + scrutiny.enable = true; + scrutiny.collector.enable = true; + }; + + environment.systemPackages = + let + seleniumScript = pkgs.writers.writePython3Bin "selenium-script" + { + libraries = with pkgs.python3Packages; [ selenium ]; + } '' + from selenium import webdriver + from selenium.webdriver.common.by import By + from selenium.webdriver.firefox.options import Options + from selenium.webdriver.support.ui import WebDriverWait + from selenium.webdriver.support import expected_conditions as EC + + options = Options() + options.add_argument("--headless") + service = webdriver.FirefoxService(executable_path="${lib.getExe pkgs.geckodriver}") # noqa: E501 + + driver = webdriver.Firefox(options=options, service=service) + driver.implicitly_wait(10) + driver.get("http://localhost:8080/web/dashboard") + + wait = WebDriverWait(driver, 10).until( + EC.text_to_be_present_in_element( + (By.TAG_NAME, "body"), "Drive health at a glance") + ) + + body_text = driver.find_element(By.TAG_NAME, "body").text + assert "Temperature history for each device" in body_text + + driver.close() + ''; + in + with pkgs; [ curl firefox-unwrapped geckodriver seleniumScript ]; + }; + }; + # This is the test code that will check if our service is running correctly: + testScript = '' + start_all() + + # Wait for InfluxDB to be available + machine.wait_for_unit("influxdb2") + machine.wait_for_open_port(8086) + + # Wait for Scrutiny to be available + machine.wait_for_unit("scrutiny") + machine.wait_for_open_port(8080) + + # Ensure the API responds as we expect + output = machine.succeed("curl localhost:8080/api/health") + assert output == '{"success":true}' + + # Start the collector service to send some metrics + collect = machine.succeed("systemctl start scrutiny-collector.service") + + # Ensure the application is actually rendered by the Javascript + machine.succeed("PYTHONUNBUFFERED=1 selenium-script") + ''; +}) diff --git a/nixos/tests/slurm.nix b/nixos/tests/slurm.nix index a6b02e970b0c..ad516b6e8d2b 100644 --- a/nixos/tests/slurm.nix +++ b/nixos/tests/slurm.nix @@ -45,7 +45,7 @@ let ''; in pkgs.runCommand "mpitest" {} '' mkdir -p $out/bin - ${pkgs.openmpi}/bin/mpicc ${mpitestC} -o $out/bin/mpitest + ${lib.getDev pkgs.mpi}/bin/mpicc ${mpitestC} -o $out/bin/mpitest ''; in { name = "slurm"; diff --git a/nixos/tests/sourcehut.nix b/nixos/tests/sourcehut.nix deleted file mode 100644 index 0b258acc2af1..000000000000 --- a/nixos/tests/sourcehut.nix +++ /dev/null @@ -1,252 +0,0 @@ -import ./make-test-python.nix ({ pkgs, lib, ... }: -let - domain = "sourcehut.localdomain"; - - # Note that wildcard certificates just under the TLD (eg. *.com) - # would be rejected by clients like curl. - tls-cert = pkgs.runCommand "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } '' - openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -days 36500 \ - -subj '/CN=${domain}' -extensions v3_req \ - -addext 'subjectAltName = DNS:*.${domain}' - install -D -t $out key.pem cert.pem - ''; - - images = { - nixos.unstable.x86_64 = - let - systemConfig = { pkgs, ... }: { - # passwordless ssh server - services.openssh = { - enable = true; - settings = { - PermitRootLogin = "yes"; - PermitEmptyPasswords = true; - }; - }; - - users = { - mutableUsers = false; - # build user - extraUsers."build" = { - isNormalUser = true; - uid = 1000; - extraGroups = [ "wheel" ]; - password = ""; - }; - users.root.password = ""; - }; - - security.sudo.wheelNeedsPassword = false; - nix.settings.trusted-users = [ "root" "build" ]; - documentation.nixos.enable = false; - - # builds.sr.ht-image-specific network settings - networking = { - hostName = "build"; - dhcpcd.enable = false; - defaultGateway.address = "10.0.2.2"; - usePredictableInterfaceNames = false; - interfaces."eth0".ipv4.addresses = [{ - address = "10.0.2.15"; - prefixLength = 25; - }]; - enableIPv6 = false; - nameservers = [ - # OpenNIC anycast - "185.121.177.177" - "169.239.202.202" - # Google - "8.8.8.8" - ]; - firewall.allowedTCPPorts = [ 22 ]; - }; - - environment.systemPackages = [ - pkgs.gitMinimal - #pkgs.mercurial - pkgs.curl - pkgs.gnupg - ]; - }; - qemuConfig = { pkgs, ... }: { - imports = [ systemConfig ]; - fileSystems."/".device = "/dev/disk/by-label/nixos"; - boot.initrd.availableKernelModules = [ - "ahci" - "ehci_pci" - "sd_mod" - "usb_storage" - "usbhid" - "virtio_balloon" - "virtio_blk" - "virtio_pci" - "virtio_ring" - "xhci_pci" - ]; - boot.loader = { - grub = { - version = 2; - device = "/dev/vda"; - }; - timeout = 0; - }; - }; - config = (import (pkgs.path + "/nixos/lib/eval-config.nix") { - inherit pkgs; modules = [ qemuConfig ]; - system = "x86_64-linux"; - }).config; - in - import (pkgs.path + "/nixos/lib/make-disk-image.nix") { - inherit pkgs lib config; - diskSize = 16000; - format = "qcow2-compressed"; - contents = [ - { source = pkgs.writeText "gitconfig" '' - [user] - name = builds.sr.ht - email = build@sr.ht - ''; - target = "/home/build/.gitconfig"; - user = "build"; - group = "users"; - mode = "644"; - } - ]; - }; - }; - -in -{ - name = "sourcehut"; - - meta.maintainers = [ pkgs.lib.maintainers.tomberek ]; - - nodes.machine = { config, pkgs, nodes, ... }: { - # buildsrht needs space - virtualisation.diskSize = 4 * 1024; - virtualisation.memorySize = 2 * 1024; - networking.domain = domain; - networking.enableIPv6 = false; - networking.extraHosts = '' - ${config.networking.primaryIPAddress} builds.${domain} - ${config.networking.primaryIPAddress} git.${domain} - ${config.networking.primaryIPAddress} meta.${domain} - ''; - - services.sourcehut = { - enable = true; - nginx.enable = true; - nginx.virtualHost = { - forceSSL = true; - sslCertificate = "${tls-cert}/cert.pem"; - sslCertificateKey = "${tls-cert}/key.pem"; - }; - postgresql.enable = true; - redis.enable = true; - - meta.enable = true; - builds = { - enable = true; - # FIXME: see why it does not seem to activate fully. - #enableWorker = true; - inherit images; - }; - git.enable = true; - - settings."sr.ht" = { - global-domain = config.networking.domain; - service-key = pkgs.writeText "service-key" "8b327279b77e32a3620e2fc9aabce491cc46e7d821fd6713b2a2e650ce114d01"; - network-key = pkgs.writeText "network-key" "cEEmc30BRBGkgQZcHFksiG7hjc6_dK1XR2Oo5Jb9_nQ="; - }; - settings."builds.sr.ht" = { - oauth-client-secret = pkgs.writeText "buildsrht-oauth-client-secret" "2260e9c4d9b8dcedcef642860e0504bc"; - oauth-client-id = "299db9f9c2013170"; - }; - settings."git.sr.ht" = { - oauth-client-secret = pkgs.writeText "gitsrht-oauth-client-secret" "3597288dc2c716e567db5384f493b09d"; - oauth-client-id = "d07cb713d920702e"; - }; - settings.webhooks.private-key = pkgs.writeText "webhook-key" "Ra3IjxgFiwG9jxgp4WALQIZw/BMYt30xWiOsqD0J7EA="; - settings.mail = { - smtp-from = "root+hut@${domain}"; - # WARNING: take care to keep pgp-privkey outside the Nix store in production, - # or use LoadCredentialEncrypted= - pgp-privkey = toString (pkgs.writeText "sourcehut.pgp-privkey" '' - -----BEGIN PGP PRIVATE KEY BLOCK----- - - lFgEYqDRORYJKwYBBAHaRw8BAQdAehGoy36FUx2OesYm07be2rtLyvR5Pb/ltstd - Gk7hYQoAAP9X4oPmxxrHN8LewBpWITdBomNqlHoiP7mI0nz/BOPJHxEktDZuaXhv - cy90ZXN0cy9zb3VyY2VodXQgPHJvb3QraHV0QHNvdXJjZWh1dC5sb2NhbGRvbWFp - bj6IlwQTFgoAPxYhBPqjgjnL8RHN4JnADNicgXaYm0jJBQJioNE5AhsDBQkDwmcA - BgsJCAcDCgUVCgkICwUWAwIBAAIeBQIXgAAKCRDYnIF2mJtIySVCAP9e2nHsVHSi - 2B1YGZpVG7Xf36vxljmMkbroQy+0gBPwRwEAq+jaiQqlbGhQ7R/HMFcAxBIVsq8h - Aw1rngsUd0o3dAicXQRioNE5EgorBgEEAZdVAQUBAQdAXZV2Sd5ZNBVTBbTGavMv - D6ORrUh8z7TI/3CsxCE7+yADAQgHAAD/c1RU9xH+V/uI1fE7HIn/zL0LUPpsuce2 - cH++g4u3kBgTOYh+BBgWCgAmFiEE+qOCOcvxEc3gmcAM2JyBdpibSMkFAmKg0TkC - GwwFCQPCZwAACgkQ2JyBdpibSMlKagD/cTre6p1m8QuJ7kwmCFRSz5tBzIuYMMgN - xtT7dmS91csA/35fWsOykSiFRojQ7ccCSUTHL7ApF2EbL968tP/D2hIG - =Hjoc - -----END PGP PRIVATE KEY BLOCK----- - ''); - pgp-pubkey = pkgs.writeText "sourcehut.pgp-pubkey" '' - -----BEGIN PGP PUBLIC KEY BLOCK----- - - mDMEYqDRORYJKwYBBAHaRw8BAQdAehGoy36FUx2OesYm07be2rtLyvR5Pb/ltstd - Gk7hYQq0Nm5peG9zL3Rlc3RzL3NvdXJjZWh1dCA8cm9vdCtodXRAc291cmNlaHV0 - LmxvY2FsZG9tYWluPoiXBBMWCgA/FiEE+qOCOcvxEc3gmcAM2JyBdpibSMkFAmKg - 0TkCGwMFCQPCZwAGCwkIBwMKBRUKCQgLBRYDAgEAAh4FAheAAAoJENicgXaYm0jJ - JUIA/17acexUdKLYHVgZmlUbtd/fq/GWOYyRuuhDL7SAE/BHAQCr6NqJCqVsaFDt - H8cwVwDEEhWyryEDDWueCxR3Sjd0CLg4BGKg0TkSCisGAQQBl1UBBQEBB0BdlXZJ - 3lk0FVMFtMZq8y8Po5GtSHzPtMj/cKzEITv7IAMBCAeIfgQYFgoAJhYhBPqjgjnL - 8RHN4JnADNicgXaYm0jJBQJioNE5AhsMBQkDwmcAAAoJENicgXaYm0jJSmoA/3E6 - 3uqdZvELie5MJghUUs+bQcyLmDDIDcbU+3ZkvdXLAP9+X1rDspEohUaI0O3HAklE - xy+wKRdhGy/evLT/w9oSBg== - =pJD7 - -----END PGP PUBLIC KEY BLOCK----- - ''; - pgp-key-id = "0xFAA38239CBF111CDE099C00CD89C8176989B48C9"; - }; - }; - - networking.firewall.allowedTCPPorts = [ 443 ]; - security.pki.certificateFiles = [ "${tls-cert}/cert.pem" ]; - services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedTlsSettings = true; - recommendedProxySettings = true; - }; - - services.postgresql = { - enable = true; - enableTCPIP = false; - settings.unix_socket_permissions = "0770"; - }; - }; - - testScript = '' - start_all() - machine.wait_for_unit("multi-user.target") - - # Testing metasrht - machine.wait_for_unit("metasrht-api.service") - machine.wait_for_unit("metasrht.service") - machine.wait_for_unit("metasrht-webhooks.service") - machine.wait_for_open_port(5000) - machine.succeed("curl -sL http://localhost:5000 | grep meta.${domain}") - machine.succeed("curl -sL http://meta.${domain} | grep meta.${domain}") - - # Testing buildsrht - machine.wait_for_unit("buildsrht.service") - machine.wait_for_open_port(5002) - machine.succeed("curl -sL http://localhost:5002 | grep builds.${domain}") - #machine.wait_for_unit("buildsrht-worker.service") - - # Testing gitsrht - machine.wait_for_unit("gitsrht-api.service") - machine.wait_for_unit("gitsrht.service") - machine.wait_for_unit("gitsrht-webhooks.service") - machine.succeed("curl -sL http://git.${domain} | grep git.${domain}") - ''; -}) diff --git a/nixos/tests/sourcehut/builds.nix b/nixos/tests/sourcehut/builds.nix new file mode 100644 index 000000000000..f1f928ecc3d0 --- /dev/null +++ b/nixos/tests/sourcehut/builds.nix @@ -0,0 +1,54 @@ +import ../make-test-python.nix ({ pkgs, lib, ... }: +let + domain = "sourcehut.localdomain"; +in +{ + name = "sourcehut"; + + meta.maintainers = with pkgs.lib.maintainers; [ tomberek nessdoor ]; + + nodes.machine = { config, pkgs, nodes, ... }: { + imports = [ + ./nodes/common.nix + ]; + + networking.domain = domain; + networking.extraHosts = '' + ${config.networking.primaryIPAddress} builds.${domain} + ${config.networking.primaryIPAddress} meta.${domain} + ''; + + services.sourcehut = { + builds = { + enable = true; + # FIXME: see why it does not seem to activate fully. + #enableWorker = true; + images = { }; + }; + + settings."builds.sr.ht" = { + oauth-client-secret = pkgs.writeText "buildsrht-oauth-client-secret" "2260e9c4d9b8dcedcef642860e0504bc"; + oauth-client-id = "299db9f9c2013170"; + }; + }; + }; + + testScript = '' + start_all() + machine.wait_for_unit("multi-user.target") + + with subtest("Check whether meta comes up"): + machine.wait_for_unit("metasrht-api.service") + machine.wait_for_unit("metasrht.service") + machine.wait_for_unit("metasrht-webhooks.service") + machine.wait_for_open_port(5000) + machine.succeed("curl -sL http://localhost:5000 | grep meta.${domain}") + machine.succeed("curl -sL http://meta.${domain} | grep meta.${domain}") + + with subtest("Check whether builds comes up"): + machine.wait_for_unit("buildsrht.service") + machine.wait_for_open_port(5002) + machine.succeed("curl -sL http://localhost:5002 | grep builds.${domain}") + #machine.wait_for_unit("buildsrht-worker.service") + ''; +}) diff --git a/nixos/tests/sourcehut/default.nix b/nixos/tests/sourcehut/default.nix new file mode 100644 index 000000000000..04f1551d70d9 --- /dev/null +++ b/nixos/tests/sourcehut/default.nix @@ -0,0 +1,6 @@ +{ system, pkgs, ... }: + +{ + git = import ./git.nix { inherit system pkgs; }; + builds = import ./builds.nix { inherit system pkgs; }; +} diff --git a/nixos/tests/sourcehut/git.nix b/nixos/tests/sourcehut/git.nix new file mode 100644 index 000000000000..ed184d5d5518 --- /dev/null +++ b/nixos/tests/sourcehut/git.nix @@ -0,0 +1,96 @@ +import ../make-test-python.nix ({ pkgs, lib, ... }: +let + domain = "sourcehut.localdomain"; +in +{ + name = "sourcehut"; + + meta.maintainers = with pkgs.lib.maintainers; [ tomberek nessdoor ]; + + nodes.machine = { config, pkgs, nodes, ... }: { + imports = [ + ./nodes/common.nix + ]; + + networking.domain = domain; + networking.extraHosts = '' + ${config.networking.primaryIPAddress} git.${domain} + ${config.networking.primaryIPAddress} meta.${domain} + ''; + + services.sourcehut = { + git.enable = true; + settings."git.sr.ht" = { + oauth-client-secret = pkgs.writeText "gitsrht-oauth-client-secret" "3597288dc2c716e567db5384f493b09d"; + oauth-client-id = "d07cb713d920702e"; + }; + }; + + environment.systemPackages = with pkgs; [ + git + ]; + }; + + testScript = + let + userName = "nixos-test"; + userPass = "AutoNixosTestPwd"; + hutConfig = pkgs.writeText "hut-config" '' + instance "${domain}" { + # Will be replaced at runtime with the generated token + access-token "OAUTH-TOKEN" + } + ''; + sshConfig = pkgs.writeText "ssh-config" '' + Host git.${domain} + IdentityFile = ~/.ssh/id_rsa + ''; + in + '' + start_all() + machine.wait_for_unit("multi-user.target") + machine.wait_for_unit("sshd.service") + + with subtest("Check whether meta comes up"): + machine.wait_for_unit("metasrht-api.service") + machine.wait_for_unit("metasrht.service") + machine.wait_for_unit("metasrht-webhooks.service") + machine.wait_for_open_port(5000) + machine.succeed("curl -sL http://localhost:5000 | grep meta.${domain}") + machine.succeed("curl -sL http://meta.${domain} | grep meta.${domain}") + + with subtest("Create a new user account and OAuth access key"): + machine.succeed("echo ${userPass} | metasrht-manageuser -ps -e ${userName}@${domain}\ + -t active_paying ${userName}"); + (_, token) = machine.execute("srht-gen-oauth-tok -i ${domain} -q ${userName} ${userPass}") + token = token.strip().replace("/", r"\\/") # Escape slashes in token before passing it to sed + machine.execute("mkdir -p ~/.config/hut/") + machine.execute("sed s/OAUTH-TOKEN/" + token + "/ ${hutConfig} > ~/.config/hut/config") + + with subtest("Check whether git comes up"): + machine.wait_for_unit("gitsrht-api.service") + machine.wait_for_unit("gitsrht.service") + machine.wait_for_unit("gitsrht-webhooks.service") + machine.succeed("curl -sL http://git.${domain} | grep git.${domain}") + + with subtest("Add an SSH key for Git access"): + machine.execute("ssh-keygen -q -N \"\" -t rsa -f ~/.ssh/id_rsa") + machine.execute("cat ${sshConfig} > ~/.ssh/config") + machine.succeed("hut meta ssh-key create ~/.ssh/id_rsa.pub") + + with subtest("Create a new repo and push contents to it"): + machine.execute("git init test") + machine.execute("echo \"Hello world!\" > test/hello.txt") + machine.execute("cd test && git add .") + machine.execute("cd test && git commit -m \"Initial commit\"") + machine.execute("cd test && git tag v0.1") + machine.succeed("cd test && git remote add origin gitsrht@git.${domain}:~${userName}/test") + machine.execute("( echo -n 'git.${domain} '; cat /etc/ssh/ssh_host_ed25519_key.pub ) > ~/.ssh/known_hosts") + machine.succeed("hut git create test") + machine.succeed("cd test && git push --tags --set-upstream origin master") + + with subtest("Verify that the repo is downloadable and its contents match the original"): + machine.succeed("curl https://git.${domain}/~${userName}/test/archive/v0.1.tar.gz | tar -xz") + machine.succeed("diff test-v0.1/hello.txt test/hello.txt") + ''; +}) diff --git a/nixos/tests/sourcehut/nodes/common.nix b/nixos/tests/sourcehut/nodes/common.nix new file mode 100644 index 000000000000..f0a81358f972 --- /dev/null +++ b/nixos/tests/sourcehut/nodes/common.nix @@ -0,0 +1,107 @@ +{ config, pkgs, nodes, ... }: +let + domain = config.networking.domain; + + # Note that wildcard certificates just under the TLD (eg. *.com) + # would be rejected by clients like curl. + tls-cert = pkgs.runCommand "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } '' + openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -days 36500 \ + -subj '/CN=${domain}' -extensions v3_req \ + -addext 'subjectAltName = DNS:*.${domain}' + install -D -t $out key.pem cert.pem + ''; +in +{ + # buildsrht needs space + virtualisation.diskSize = 4 * 1024; + virtualisation.memorySize = 2 * 1024; + networking.enableIPv6 = false; + + services.sourcehut = { + enable = true; + nginx.enable = true; + nginx.virtualHost = { + forceSSL = true; + sslCertificate = "${tls-cert}/cert.pem"; + sslCertificateKey = "${tls-cert}/key.pem"; + }; + postgresql.enable = true; + redis.enable = true; + + meta.enable = true; + + settings."sr.ht" = { + environment = "production"; + global-domain = config.networking.domain; + service-key = pkgs.writeText "service-key" "8b327279b77e32a3620e2fc9aabce491cc46e7d821fd6713b2a2e650ce114d01"; + network-key = pkgs.writeText "network-key" "cEEmc30BRBGkgQZcHFksiG7hjc6_dK1XR2Oo5Jb9_nQ="; + }; + settings.webhooks.private-key = pkgs.writeText "webhook-key" "Ra3IjxgFiwG9jxgp4WALQIZw/BMYt30xWiOsqD0J7EA="; + settings.mail = { + smtp-from = "root+hut@${domain}"; + # WARNING: take care to keep pgp-privkey outside the Nix store in production, + # or use LoadCredentialEncrypted= + pgp-privkey = toString (pkgs.writeText "sourcehut.pgp-privkey" '' + -----BEGIN PGP PRIVATE KEY BLOCK----- + + lFgEYqDRORYJKwYBBAHaRw8BAQdAehGoy36FUx2OesYm07be2rtLyvR5Pb/ltstd + Gk7hYQoAAP9X4oPmxxrHN8LewBpWITdBomNqlHoiP7mI0nz/BOPJHxEktDZuaXhv + cy90ZXN0cy9zb3VyY2VodXQgPHJvb3QraHV0QHNvdXJjZWh1dC5sb2NhbGRvbWFp + bj6IlwQTFgoAPxYhBPqjgjnL8RHN4JnADNicgXaYm0jJBQJioNE5AhsDBQkDwmcA + BgsJCAcDCgUVCgkICwUWAwIBAAIeBQIXgAAKCRDYnIF2mJtIySVCAP9e2nHsVHSi + 2B1YGZpVG7Xf36vxljmMkbroQy+0gBPwRwEAq+jaiQqlbGhQ7R/HMFcAxBIVsq8h + Aw1rngsUd0o3dAicXQRioNE5EgorBgEEAZdVAQUBAQdAXZV2Sd5ZNBVTBbTGavMv + D6ORrUh8z7TI/3CsxCE7+yADAQgHAAD/c1RU9xH+V/uI1fE7HIn/zL0LUPpsuce2 + cH++g4u3kBgTOYh+BBgWCgAmFiEE+qOCOcvxEc3gmcAM2JyBdpibSMkFAmKg0TkC + GwwFCQPCZwAACgkQ2JyBdpibSMlKagD/cTre6p1m8QuJ7kwmCFRSz5tBzIuYMMgN + xtT7dmS91csA/35fWsOykSiFRojQ7ccCSUTHL7ApF2EbL968tP/D2hIG + =Hjoc + -----END PGP PRIVATE KEY BLOCK----- + ''); + pgp-pubkey = pkgs.writeText "sourcehut.pgp-pubkey" '' + -----BEGIN PGP PUBLIC KEY BLOCK----- + + mDMEYqDRORYJKwYBBAHaRw8BAQdAehGoy36FUx2OesYm07be2rtLyvR5Pb/ltstd + Gk7hYQq0Nm5peG9zL3Rlc3RzL3NvdXJjZWh1dCA8cm9vdCtodXRAc291cmNlaHV0 + LmxvY2FsZG9tYWluPoiXBBMWCgA/FiEE+qOCOcvxEc3gmcAM2JyBdpibSMkFAmKg + 0TkCGwMFCQPCZwAGCwkIBwMKBRUKCQgLBRYDAgEAAh4FAheAAAoJENicgXaYm0jJ + JUIA/17acexUdKLYHVgZmlUbtd/fq/GWOYyRuuhDL7SAE/BHAQCr6NqJCqVsaFDt + H8cwVwDEEhWyryEDDWueCxR3Sjd0CLg4BGKg0TkSCisGAQQBl1UBBQEBB0BdlXZJ + 3lk0FVMFtMZq8y8Po5GtSHzPtMj/cKzEITv7IAMBCAeIfgQYFgoAJhYhBPqjgjnL + 8RHN4JnADNicgXaYm0jJBQJioNE5AhsMBQkDwmcAAAoJENicgXaYm0jJSmoA/3E6 + 3uqdZvELie5MJghUUs+bQcyLmDDIDcbU+3ZkvdXLAP9+X1rDspEohUaI0O3HAklE + xy+wKRdhGy/evLT/w9oSBg== + =pJD7 + -----END PGP PUBLIC KEY BLOCK----- + ''; + pgp-key-id = "0xFAA38239CBF111CDE099C00CD89C8176989B48C9"; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + security.pki.certificateFiles = [ "${tls-cert}/cert.pem" ]; + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + recommendedProxySettings = true; + }; + + services.postgresql = { + enable = true; + enableTCPIP = false; + settings.unix_socket_permissions = "0770"; + }; + + services.openssh = { + enable = true; + settings.PasswordAuthentication = false; + settings.PermitRootLogin = "no"; + }; + + environment.systemPackages = with pkgs; [ + hut # For interacting with the Sourcehut APIs via CLI + srht-gen-oauth-tok # To automatically generate user OAuth tokens + ]; +} diff --git a/nixos/tests/stalwart-mail.nix b/nixos/tests/stalwart-mail.nix index b5589966a160..634c0e2e3926 100644 --- a/nixos/tests/stalwart-mail.nix +++ b/nixos/tests/stalwart-mail.nix @@ -42,20 +42,22 @@ in import ./make-test-python.nix ({ lib, ... }: { session.auth.mechanisms = [ "PLAIN" ]; session.auth.directory = "in-memory"; - jmap.directory = "in-memory"; # shared with imap + storage.directory = "in-memory"; # shared with imap session.rcpt.directory = "in-memory"; queue.outbound.next-hop = [ "local" ]; directory."in-memory" = { type = "memory"; - users = [ + principals = [ { + type = "individual"; name = "alice"; secret = "foobar"; email = [ "alice@${domain}" ]; } { + type = "individual"; name = "bob"; secret = "foobar"; email = [ "bob@${domain}" ]; @@ -90,8 +92,9 @@ in import ./make-test-python.nix ({ lib, ... }: { with IMAP4('localhost') as imap: imap.starttls() - imap.login('bob', 'foobar') - imap.select('"All Mail"') + status, [caps] = imap.login('bob', 'foobar') + assert status == 'OK' + imap.select() status, [ref] = imap.search(None, 'ALL') assert status == 'OK' [msgId] = ref.split() diff --git a/nixos/tests/systemd-boot.nix b/nixos/tests/systemd-boot.nix index c0b37a230df0..ce3245f3d862 100644 --- a/nixos/tests/systemd-boot.nix +++ b/nixos/tests/systemd-boot.nix @@ -39,6 +39,32 @@ in ''; }; + # Test that systemd-boot works with secure boot + secureBoot = makeTest { + name = "systemd-boot-secure-boot"; + + nodes.machine = { + imports = [ common ]; + environment.systemPackages = [ pkgs.sbctl ]; + virtualisation.useSecureBoot = true; + }; + + testScript = '' + machine.start(allow_reboot=True) + machine.wait_for_unit("multi-user.target") + + machine.succeed("sbctl create-keys") + machine.succeed("sbctl enroll-keys --yes-this-might-brick-my-machine") + machine.succeed('sbctl sign /boot/EFI/systemd/systemd-bootx64.efi') + machine.succeed('sbctl sign /boot/EFI/BOOT/BOOTX64.EFI') + machine.succeed('sbctl sign /boot/EFI/nixos/*bzImage.efi') + + machine.reboot() + + assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status") + ''; + }; + # Check that specialisations create corresponding boot entries. specialisation = makeTest { name = "systemd-boot-specialisation"; diff --git a/nixos/tests/web-apps/mastodon/default.nix b/nixos/tests/web-apps/mastodon/default.nix index 411ebfcd731b..178590d13b63 100644 --- a/nixos/tests/web-apps/mastodon/default.nix +++ b/nixos/tests/web-apps/mastodon/default.nix @@ -5,5 +5,5 @@ let in { standard = handleTestOn supportedSystems ./standard.nix { inherit system; }; - remote-postgresql = handleTestOn supportedSystems ./remote-postgresql.nix { inherit system; }; + remote-databases = handleTestOn supportedSystems ./remote-databases.nix { inherit system; }; } diff --git a/nixos/tests/web-apps/mastodon/remote-postgresql.nix b/nixos/tests/web-apps/mastodon/remote-databases.nix index 6548883db452..fa6430a99353 100644 --- a/nixos/tests/web-apps/mastodon/remote-postgresql.nix +++ b/nixos/tests/web-apps/mastodon/remote-databases.nix @@ -16,7 +16,14 @@ in meta.maintainers = with pkgs.lib.maintainers; [ erictapen izorkin ]; nodes = { - database = { config, ... }: { + databases = { config, ... }: { + environment = { + etc = { + "redis/password-redis-db".text = '' + ogjhJL8ynrP7MazjYOF6 + ''; + }; + }; networking = { interfaces.eth1 = { ipv4.addresses = [ @@ -24,7 +31,17 @@ in ]; }; extraHosts = hosts; - firewall.allowedTCPPorts = [ config.services.postgresql.port ]; + firewall.allowedTCPPorts = [ + config.services.redis.servers.mastodon.port + config.services.postgresql.port + ]; + }; + + services.redis.servers.mastodon = { + enable = true; + bind = "0.0.0.0"; + port = 31637; + requirePassFile = "/etc/redis/password-redis-db"; }; services.postgresql = { @@ -83,6 +100,9 @@ in environment = { etc = { + "mastodon/password-redis-db".text = '' + ogjhJL8ynrP7MazjYOF6 + ''; "mastodon/password-posgressql-db".text = '' SoDTZcISc3f1M1LJsRLT ''; @@ -108,6 +128,12 @@ in localDomain = "mastodon.local"; enableUnixSocket = false; streamingProcesses = 2; + redis = { + createLocally = false; + host = "192.168.2.102"; + port = 31637; + passwordFile = "/etc/mastodon/password-redis-db"; + }; database = { createLocally = false; host = "192.168.2.102"; @@ -151,12 +177,14 @@ in extraInit = '' nginx.wait_for_unit("nginx.service") nginx.wait_for_open_port(443) - database.wait_for_unit("postgresql.service") - database.wait_for_open_port(5432) + databases.wait_for_unit("redis-mastodon.service") + databases.wait_for_unit("postgresql.service") + databases.wait_for_open_port(31637) + databases.wait_for_open_port(5432) ''; extraShutdown = '' nginx.shutdown() - database.shutdown() + databases.shutdown() ''; }; }) diff --git a/nixos/tests/web-apps/mastodon/script.nix b/nixos/tests/web-apps/mastodon/script.nix index afb7c0e0a0eb..9184c63c8941 100644 --- a/nixos/tests/web-apps/mastodon/script.nix +++ b/nixos/tests/web-apps/mastodon/script.nix @@ -8,7 +8,6 @@ ${extraInit} - server.wait_for_unit("redis-mastodon.service") server.wait_for_unit("mastodon-sidekiq-all.service") server.wait_for_unit("mastodon-streaming.target") server.wait_for_unit("mastodon-web.service") diff --git a/nixos/tests/web-apps/mastodon/standard.nix b/nixos/tests/web-apps/mastodon/standard.nix index e5eb30fef597..ddc764e2168c 100644 --- a/nixos/tests/web-apps/mastodon/standard.nix +++ b/nixos/tests/web-apps/mastodon/standard.nix @@ -34,12 +34,6 @@ in pki.certificateFiles = [ "${cert pkgs}/cert.pem" ]; }; - services.redis.servers.mastodon = { - enable = true; - bind = "127.0.0.1"; - port = 31637; - }; - # TODO remove once https://github.com/NixOS/nixpkgs/pull/266270 is resolved. services.postgresql.package = pkgs.postgresql_14; @@ -89,6 +83,7 @@ in extraInit = '' server.wait_for_unit("nginx.service") server.wait_for_open_port(443) + server.wait_for_unit("redis-mastodon.service") server.wait_for_unit("postgresql.service") server.wait_for_open_port(5432) ''; diff --git a/nixos/tests/web-servers/ttyd.nix b/nixos/tests/web-servers/ttyd.nix index d161673684b3..b79a2032ec75 100644 --- a/nixos/tests/web-servers/ttyd.nix +++ b/nixos/tests/web-servers/ttyd.nix @@ -2,18 +2,28 @@ import ../make-test-python.nix ({ lib, pkgs, ... }: { name = "ttyd"; meta.maintainers = with lib.maintainers; [ stunkymonkey ]; - nodes.machine = { pkgs, ... }: { + nodes.readonly = { pkgs, ... }: { + services.ttyd = { + enable = true; + entrypoint = [ (lib.getExe pkgs.htop) ]; + writeable = false; + }; + }; + + nodes.writeable = { pkgs, ... }: { services.ttyd = { enable = true; username = "foo"; passwordFile = pkgs.writeText "password" "bar"; + writeable = true; }; }; testScript = '' - machine.wait_for_unit("ttyd.service") - machine.wait_for_open_port(7681) - response = machine.succeed("curl -vvv -u foo:bar -s -H 'Host: ttyd' http://127.0.0.1:7681/") - assert '<title>ttyd - Terminal</title>' in response, "Page didn't load successfully" + for machine in [readonly, writeable]: + machine.wait_for_unit("ttyd.service") + machine.wait_for_open_port(7681) + response = machine.succeed("curl -vvv -u foo:bar -s -H 'Host: ttyd' http://127.0.0.1:7681/") + assert '<title>ttyd - Terminal</title>' in response, "Page didn't load successfully" ''; }) |