diff options
Diffstat (limited to 'nixos')
17 files changed, 324 insertions, 84 deletions
diff --git a/nixos/doc/manual/administration/boot-problems.section.md b/nixos/doc/manual/administration/boot-problems.section.md index eb9209602a32..dee83e7ec225 100644 --- a/nixos/doc/manual/administration/boot-problems.section.md +++ b/nixos/doc/manual/administration/boot-problems.section.md @@ -30,6 +30,12 @@ If NixOS fails to boot, there are a number of kernel command line parameters tha : Make systemd very verbose and send log messages to the console instead of the journal. For more parameters recognised by systemd, see systemd(1). +In addition, these arguments are recognised by the live image only: + +`live.nixos.passwd=password` + +: Set the password for the `nixos` live user. This can be used for SSH access if there are issues using the terminal. + Notice that for `boot.shell_on_fail`, `boot.debug1`, `boot.debug1devices`, and `boot.debug1mounts`, if you did **not** select "start the new shell as pid 1", and you `exit` from the new shell, boot will proceed normally from the point where it failed, as if you'd chosen "ignore the error and continue". If no login prompts or X11 login screens appear (e.g. due to hanging dependencies), you can press Alt+ArrowUp. If you’re lucky, this will start rescue mode (described above). (Also note that since most units have a 90-second timeout before systemd gives up on them, the `agetty` login prompts should appear eventually unless something is very wrong.) diff --git a/nixos/doc/manual/from_md/administration/boot-problems.section.xml b/nixos/doc/manual/from_md/administration/boot-problems.section.xml index b484d075818a..4ea01e78f32f 100644 --- a/nixos/doc/manual/from_md/administration/boot-problems.section.xml +++ b/nixos/doc/manual/from_md/administration/boot-problems.section.xml @@ -107,6 +107,23 @@ </varlistentry> </variablelist> <para> + In addition, these arguments are recognised by the live image only: + </para> + <variablelist> + <varlistentry> + <term> + <literal>live.nixos.passwd=password</literal> + </term> + <listitem> + <para> + Set the password for the <literal>nixos</literal> live user. + This can be used for SSH access if there are issues using the + terminal. + </para> + </listitem> + </varlistentry> + </variablelist> + <para> Notice that for <literal>boot.shell_on_fail</literal>, <literal>boot.debug1</literal>, <literal>boot.debug1devices</literal>, and diff --git a/nixos/doc/manual/from_md/release-notes/rl-2105.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2105.section.xml index e043bee7761d..f4155d6f8ce6 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2105.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2105.section.xml @@ -101,16 +101,18 @@ <listitem> <para> <link xlink:href="https://www.gnuradio.org/">GNURadio</link> - 3.8 was + 3.8 and 3.9 were <link xlink:href="https://github.com/NixOS/nixpkgs/issues/82263">finally</link> packaged, along with a rewrite to the Nix expressions, allowing users to override the features upstream supports selecting to compile or not to. Additionally, the attribute - <literal>gnuradio</literal> and <literal>gnuradio3_7</literal> - now point to an externally wrapped by default derivations, - that allow you to also add `extraPythonPackages` to the Python - interpreter used by GNURadio. Missing environmental variables - needed for operational GUI were also added + <literal>gnuradio</literal> (3.9), + <literal>gnuradio3_8</literal> and + <literal>gnuradio3_7</literal> now point to an externally + wrapped by default derivations, that allow you to also add + `extraPythonPackages` to the Python interpreter used by + GNURadio. Missing environmental variables needed for + operational GUI were also added (<link xlink:href="https://github.com/NixOS/nixpkgs/issues/75478">#75478</link>). </para> </listitem> @@ -1026,7 +1028,7 @@ self: super: <para> <link xlink:href="https://kodi.tv/">Kodi</link> has been updated to version 19.1 "Matrix". See the - <link xlink:href="https://kodi.tv/article/kodi-190-matrix-release">announcement</link> + <link xlink:href="https://kodi.tv/article/kodi-19-0-matrix-release">announcement</link> for further details. </para> </listitem> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml index abd10a6f9a73..6f4079ea9bbd 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml @@ -339,6 +339,116 @@ release instead of the old 2.31.0 version. </para> </listitem> + <listitem> + <para> + The <literal>bitwarden_rs</literal> packages and modules were + renamed to <literal>vaultwarden</literal> + <link xlink:href="https://github.com/dani-garcia/vaultwarden/discussions/1642">following + upstream</link>. More specifically, + </para> + <itemizedlist> + <listitem> + <para> + <literal>pkgs.bitwarden_rs</literal>, + <literal>pkgs.bitwarden_rs-sqlite</literal>, + <literal>pkgs.bitwarden_rs-mysql</literal> and + <literal>pkgs.bitwarden_rs-postgresql</literal> were + renamed to <literal>pkgs.vaultwarden</literal>, + <literal>pkgs.vaultwarden-sqlite</literal>, + <literal>pkgs.vaultwarden-mysql</literal> and + <literal>pkgs.vaultwarden-postgresql</literal>, + respectively. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Old names are preserved as aliases for backwards + compatibility, but may be removed in the future. + </para> + </listitem> + <listitem> + <para> + The <literal>bitwarden_rs</literal> executable was + also renamed to <literal>vaultwarden</literal> in all + packages. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>pkgs.bitwarden_rs-vault</literal> was renamed to + <literal>pkgs.vaultwarden-vault</literal>. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>pkgs.bitwarden_rs-vault</literal> is + preserved as an alias for backwards compatibility, but + may be removed in the future. + </para> + </listitem> + <listitem> + <para> + The static files were moved from + <literal>/usr/share/bitwarden_rs</literal> to + <literal>/usr/share/vaultwarden</literal>. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The <literal>services.bitwarden_rs</literal> config module + was renamed to <literal>services.vaultwarden</literal>. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>services.bitwarden_rs</literal> is preserved + as an alias for backwards compatibility, but may be + removed in the future. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>systemd.services.bitwarden_rs</literal>, + <literal>systemd.services.backup-bitwarden_rs</literal> + and <literal>systemd.timers.backup-bitwarden_rs</literal> + were renamed to + <literal>systemd.services.vaultwarden</literal>, + <literal>systemd.services.backup-vaultwarden</literal> and + <literal>systemd.timers.backup-vaultwarden</literal>, + respectively. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Old names are preserved as aliases for backwards + compatibility, but may be removed in the future. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>users.users.bitwarden_rs</literal> and + <literal>users.groups.bitwarden_rs</literal> were renamed + to <literal>users.users.vaultwarden</literal> and + <literal>users.groups.vaultwarden</literal>, respectively. + </para> + </listitem> + <listitem> + <para> + The data directory remains located at + <literal>/var/lib/bitwarden_rs</literal>, for backwards + compatibility. + </para> + </listitem> + </itemizedlist> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-21.11-notable-changes"> diff --git a/nixos/doc/manual/release-notes/rl-2105.section.md b/nixos/doc/manual/release-notes/rl-2105.section.md index e4565b8ca605..49b97c203fe6 100644 --- a/nixos/doc/manual/release-notes/rl-2105.section.md +++ b/nixos/doc/manual/release-notes/rl-2105.section.md @@ -36,7 +36,7 @@ In addition to numerous new and upgraded packages, this release has the followin The following new services were added since the last release: -- [GNURadio](https://www.gnuradio.org/) 3.8 was [finally](https://github.com/NixOS/nixpkgs/issues/82263) packaged, along with a rewrite to the Nix expressions, allowing users to override the features upstream supports selecting to compile or not to. Additionally, the attribute `gnuradio` and `gnuradio3_7` now point to an externally wrapped by default derivations, that allow you to also add \`extraPythonPackages\` to the Python interpreter used by GNURadio. Missing environmental variables needed for operational GUI were also added ([\#75478](https://github.com/NixOS/nixpkgs/issues/75478)). +- [GNURadio](https://www.gnuradio.org/) 3.8 and 3.9 were [finally](https://github.com/NixOS/nixpkgs/issues/82263) packaged, along with a rewrite to the Nix expressions, allowing users to override the features upstream supports selecting to compile or not to. Additionally, the attribute `gnuradio` (3.9), `gnuradio3_8` and `gnuradio3_7` now point to an externally wrapped by default derivations, that allow you to also add \`extraPythonPackages\` to the Python interpreter used by GNURadio. Missing environmental variables needed for operational GUI were also added ([\#75478](https://github.com/NixOS/nixpkgs/issues/75478)). - [Keycloak](https://www.keycloak.org/), an open source identity and access management server with support for [OpenID Connect](https://openid.net/connect/), [OAUTH 2.0](https://oauth.net/2/) and [SAML 2.0](https://en.wikipedia.org/wiki/SAML_2.0). @@ -300,7 +300,7 @@ When upgrading from a previous release, please be aware of the following incompa Regarding the NixOS module, new options for HTTPS inspection have been added and `services.privoxy.extraConfig` has been replaced by the new [services.privoxy.settings](options.html#opt-services.privoxy.settings) (See [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) for the motivation). -- [Kodi](https://kodi.tv/) has been updated to version 19.1 \"Matrix\". See the [announcement](https://kodi.tv/article/kodi-190-matrix-release) for further details. +- [Kodi](https://kodi.tv/) has been updated to version 19.1 \"Matrix\". See the [announcement](https://kodi.tv/article/kodi-19-0-matrix-release) for further details. - The `services.packagekit.backend` option has been removed as it only supported a single setting which would always be the default. Instead new [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) compliant [services.packagekit.settings](options.html#opt-services.packagekit.settings) and [services.packagekit.vendorSettings](options.html#opt-services.packagekit.vendorSettings) options have been introduced. diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md index 1b7250a18156..1f532a296ea0 100644 --- a/nixos/doc/manual/release-notes/rl-2111.section.md +++ b/nixos/doc/manual/release-notes/rl-2111.section.md @@ -85,6 +85,32 @@ In addition to numerous new and upgraded packages, this release has the followin * The `libwnck` package now defaults to the 3.x release instead of the old 2.31.0 version. +* The `bitwarden_rs` packages and modules were renamed to `vaultwarden` + [following upstream](https://github.com/dani-garcia/vaultwarden/discussions/1642). More specifically, + + * `pkgs.bitwarden_rs`, `pkgs.bitwarden_rs-sqlite`, `pkgs.bitwarden_rs-mysql` and + `pkgs.bitwarden_rs-postgresql` were renamed to `pkgs.vaultwarden`, `pkgs.vaultwarden-sqlite`, + `pkgs.vaultwarden-mysql` and `pkgs.vaultwarden-postgresql`, respectively. + * Old names are preserved as aliases for backwards compatibility, but may be removed in the future. + * The `bitwarden_rs` executable was also renamed to `vaultwarden` in all packages. + + * `pkgs.bitwarden_rs-vault` was renamed to `pkgs.vaultwarden-vault`. + * `pkgs.bitwarden_rs-vault` is preserved as an alias for backwards compatibility, but may be removed in the future. + * The static files were moved from `/usr/share/bitwarden_rs` to `/usr/share/vaultwarden`. + + * The `services.bitwarden_rs` config module was renamed to `services.vaultwarden`. + * `services.bitwarden_rs` is preserved as an alias for backwards compatibility, but may be removed in the future. + + * `systemd.services.bitwarden_rs`, `systemd.services.backup-bitwarden_rs` and `systemd.timers.backup-bitwarden_rs` + were renamed to `systemd.services.vaultwarden`, `systemd.services.backup-vaultwarden` and + `systemd.timers.backup-vaultwarden`, respectively. + * Old names are preserved as aliases for backwards compatibility, but may be removed in the future. + + * `users.users.bitwarden_rs` and `users.groups.bitwarden_rs` were renamed to `users.users.vaultwarden` and + `users.groups.vaultwarden`, respectively. + + * The data directory remains located at `/var/lib/bitwarden_rs`, for backwards compatibility. + ## Other Notable Changes {#sec-release-21.11-notable-changes} - The setting [`services.openssh.logLevel`](options.html#opt-services.openssh.logLevel) `"VERBOSE"` `"INFO"`. This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers due to bruteforcing botnets. diff --git a/nixos/modules/installer/cd-dvd/installation-cd-base.nix b/nixos/modules/installer/cd-dvd/installation-cd-base.nix index 6c7ea293e8ac..aecb65b8c576 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-base.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-base.nix @@ -30,5 +30,16 @@ with lib; # Add Memtest86+ to the CD. boot.loader.grub.memtest86.enable = true; + boot.postBootCommands = '' + for o in $(</proc/cmdline); do + case "$o" in + live.nixos.passwd=*) + set -- $(IFS==; echo $o) + echo "nixos:$2" | ${pkgs.shadow}/bin/chpasswd + ;; + esac + done + ''; + system.stateVersion = mkDefault "18.03"; } diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 2d0f5d37f9e8..7eb4c7e922eb 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -874,7 +874,6 @@ ./services/search/hound.nix ./services/search/kibana.nix ./services/search/solr.nix - ./services/security/bitwarden_rs/default.nix ./services/security/certmgr.nix ./services/security/cfssl.nix ./services/security/clamav.nix @@ -900,6 +899,7 @@ ./services/security/torsocks.nix ./services/security/usbguard.nix ./services/security/vault.nix + ./services/security/vaultwarden/default.nix ./services/security/yubikey-agent.nix ./services/system/cloud-init.nix ./services/system/dbus.nix diff --git a/nixos/modules/services/networking/coturn.nix b/nixos/modules/services/networking/coturn.nix index 1bfbc307c59d..5f7d2893ae27 100644 --- a/nixos/modules/services/networking/coturn.nix +++ b/nixos/modules/services/networking/coturn.nix @@ -16,6 +16,7 @@ ${lib.optionalString cfg.lt-cred-mech "lt-cred-mech"} ${lib.optionalString cfg.no-auth "no-auth"} ${lib.optionalString cfg.use-auth-secret "use-auth-secret"} ${lib.optionalString (cfg.static-auth-secret != null) ("static-auth-secret=${cfg.static-auth-secret}")} +${lib.optionalString (cfg.static-auth-secret-file != null) ("static-auth-secret=#static-auth-secret#")} realm=${cfg.realm} ${lib.optionalString cfg.no-udp "no-udp"} ${lib.optionalString cfg.no-tcp "no-tcp"} @@ -182,6 +183,13 @@ in { by a separate program, so this is why that other mode is 'dynamic'. ''; }; + static-auth-secret-file = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Path to the file containing the static authentication secret. + ''; + }; realm = mkOption { type = types.str; default = config.networking.hostName; @@ -293,42 +301,63 @@ in { }; }; - config = mkIf cfg.enable { - users.users.turnserver = - { uid = config.ids.uids.turnserver; - description = "coturn TURN server user"; - }; - users.groups.turnserver = - { gid = config.ids.gids.turnserver; - members = [ "turnserver" ]; - }; + config = mkIf cfg.enable (mkMerge ([ + { assertions = [ + { assertion = cfg.static-auth-secret != null -> cfg.static-auth-secret-file == null ; + message = "static-auth-secret and static-auth-secret-file cannot be set at the same time"; + } + ];} - systemd.services.coturn = { - description = "coturn TURN server"; - after = [ "network-online.target" ]; - wants = [ "network-online.target" ]; - wantedBy = [ "multi-user.target" ]; + { + users.users.turnserver = + { uid = config.ids.uids.turnserver; + description = "coturn TURN server user"; + }; + users.groups.turnserver = + { gid = config.ids.gids.turnserver; + members = [ "turnserver" ]; + }; - unitConfig = { - Documentation = "man:coturn(1) man:turnadmin(1) man:turnserver(1)"; - }; + systemd.services.coturn = let + runConfig = "/run/coturn/turnserver.cfg"; + in { + description = "coturn TURN server"; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Type = "simple"; - ExecStart = "${pkgs.coturn}/bin/turnserver -c ${configFile}"; - RuntimeDirectory = "turnserver"; - User = "turnserver"; - Group = "turnserver"; - AmbientCapabilities = - mkIf ( - cfg.listening-port < 1024 || - cfg.alt-listening-port < 1024 || - cfg.tls-listening-port < 1024 || - cfg.alt-tls-listening-port < 1024 || - cfg.min-port < 1024 - ) "cap_net_bind_service"; - Restart = "on-abort"; - }; - }; - }; + unitConfig = { + Documentation = "man:coturn(1) man:turnadmin(1) man:turnserver(1)"; + }; + + preStart = '' + cat ${configFile} > ${runConfig} + ${optionalString (cfg.static-auth-secret-file != null) '' + STATIC_AUTH_SECRET="$(head -n1 ${cfg.static-auth-secret-file} || :)" + sed -e "s,#static-auth-secret#,$STATIC_AUTH_SECRET,g" \ + -i ${runConfig} + '' } + chmod 640 ${runConfig} + ''; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.coturn}/bin/turnserver -c ${runConfig}"; + RuntimeDirectory = "turnserver"; + User = "turnserver"; + Group = "turnserver"; + AmbientCapabilities = + mkIf ( + cfg.listening-port < 1024 || + cfg.alt-listening-port < 1024 || + cfg.tls-listening-port < 1024 || + cfg.alt-tls-listening-port < 1024 || + cfg.min-port < 1024 + ) "cap_net_bind_service"; + Restart = "on-abort"; + }; + }; + systemd.tmpfiles.rules = [ + "d /run/coturn 0700 turnserver turnserver - -" + ]; + }])); } diff --git a/nixos/modules/services/security/bitwarden_rs/backup.sh b/nixos/modules/services/security/vaultwarden/backup.sh index 264a7da9cbb6..2a3de0ab1dee 100644 --- a/nixos/modules/services/security/bitwarden_rs/backup.sh +++ b/nixos/modules/services/security/vaultwarden/backup.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# Based on: https://github.com/dani-garcia/bitwarden_rs/wiki/Backing-up-your-vault +# Based on: https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault if ! mkdir -p "$BACKUP_FOLDER"; then echo "Could not create backup folder '$BACKUP_FOLDER'" >&2 exit 1 diff --git a/nixos/modules/services/security/bitwarden_rs/default.nix b/nixos/modules/services/security/vaultwarden/default.nix index bed59dbf821f..940ac7832dae 100644 --- a/nixos/modules/services/security/bitwarden_rs/default.nix +++ b/nixos/modules/services/security/vaultwarden/default.nix @@ -3,9 +3,9 @@ with lib; let - cfg = config.services.bitwarden_rs; - user = config.users.users.bitwarden_rs.name; - group = config.users.groups.bitwarden_rs.name; + cfg = config.services.vaultwarden; + user = config.users.users.vaultwarden.name; + group = config.users.groups.vaultwarden.name; # Convert name from camel case (e.g. disable2FARemember) to upper case snake case (e.g. DISABLE_2FA_REMEMBER). nameToEnvVar = name: @@ -26,22 +26,26 @@ let if value != null then [ (nameValuePair (nameToEnvVar name) (if isBool value then boolToString value else toString value)) ] else [] ) cfg.config)); in { DATA_FOLDER = "/var/lib/bitwarden_rs"; } // optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) || configEnv.WEB_VAULT_ENABLED == "true") { - WEB_VAULT_FOLDER = "${pkgs.bitwarden_rs-vault}/share/bitwarden_rs/vault"; + WEB_VAULT_FOLDER = "${pkgs.vaultwarden-vault}/share/vaultwarden/vault"; } // configEnv; - configFile = pkgs.writeText "bitwarden_rs.env" (concatStrings (mapAttrsToList (name: value: "${name}=${value}\n") configEnv)); + configFile = pkgs.writeText "vaultwarden.env" (concatStrings (mapAttrsToList (name: value: "${name}=${value}\n") configEnv)); - bitwarden_rs = pkgs.bitwarden_rs.override { inherit (cfg) dbBackend; }; + vaultwarden = pkgs.vaultwarden.override { inherit (cfg) dbBackend; }; in { - options.services.bitwarden_rs = with types; { - enable = mkEnableOption "bitwarden_rs"; + imports = [ + (mkRenamedOptionModule [ "services" "bitwarden_rs" ] [ "services" "vaultwarden" ]) + ]; + + options.services.vaultwarden = with types; { + enable = mkEnableOption "vaultwarden"; dbBackend = mkOption { type = enum [ "sqlite" "mysql" "postgresql" ]; default = "sqlite"; description = '' - Which database backend bitwarden_rs will be using. + Which database backend vaultwarden will be using. ''; }; @@ -49,7 +53,7 @@ in { type = nullOr str; default = null; description = '' - The directory under which bitwarden_rs will backup its persistent data. + The directory under which vaultwarden will backup its persistent data. ''; }; @@ -65,7 +69,7 @@ in { } ''; description = '' - The configuration of bitwarden_rs is done through environment variables, + The configuration of vaultwarden is done through environment variables, therefore the names are converted from camel case (e.g. disable2FARemember) to upper case snake case (e.g. DISABLE_2FA_REMEMBER). In this conversion digits (0-9) are handled just like upper case characters, @@ -75,17 +79,17 @@ in { This allows working around any potential future conflicting naming conventions. Based on the attributes passed to this config option an environment file will be generated - that is passed to bitwarden_rs's systemd service. + that is passed to vaultwarden's systemd service. The available configuration options can be found in - <link xlink:href="https://github.com/dani-garcia/bitwarden_rs/blob/${bitwarden_rs.version}/.env.template">the environment template file</link>. + <link xlink:href="https://github.com/dani-garcia/vaultwarden/blob/${vaultwarden.version}/.env.template">the environment template file</link>. ''; }; environmentFile = mkOption { type = with types; nullOr path; default = null; - example = "/root/bitwarden_rs.env"; + example = "/root/vaultwarden.env"; description = '' Additional environment file as defined in <citerefentry> <refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum> @@ -95,7 +99,7 @@ in { may be passed to the service without adding them to the world-readable Nix store. Note that this file needs to be available on the host on which - <literal>bitwarden_rs</literal> is running. + <literal>vaultwarden</literal> is running. ''; }; }; @@ -106,20 +110,21 @@ in { message = "Backups for database backends other than sqlite will need customization"; } ]; - users.users.bitwarden_rs = { + users.users.vaultwarden = { inherit group; isSystemUser = true; }; - users.groups.bitwarden_rs = { }; + users.groups.vaultwarden = { }; - systemd.services.bitwarden_rs = { + systemd.services.vaultwarden = { + aliases = [ "bitwarden_rs" ]; after = [ "network.target" ]; path = with pkgs; [ openssl ]; serviceConfig = { User = user; Group = group; EnvironmentFile = [ configFile ] ++ optional (cfg.environmentFile != null) cfg.environmentFile; - ExecStart = "${bitwarden_rs}/bin/bitwarden_rs"; + ExecStart = "${vaultwarden}/bin/vaultwarden"; LimitNOFILE = "1048576"; PrivateTmp = "true"; PrivateDevices = "true"; @@ -131,15 +136,16 @@ in { wantedBy = [ "multi-user.target" ]; }; - systemd.services.backup-bitwarden_rs = mkIf (cfg.backupDir != null) { - description = "Backup bitwarden_rs"; + systemd.services.backup-vaultwarden = mkIf (cfg.backupDir != null) { + aliases = [ "backup-bitwarden_rs" ]; + description = "Backup vaultwarden"; environment = { DATA_FOLDER = "/var/lib/bitwarden_rs"; BACKUP_FOLDER = cfg.backupDir; }; path = with pkgs; [ sqlite ]; serviceConfig = { - SyslogIdentifier = "backup-bitwarden_rs"; + SyslogIdentifier = "backup-vaultwarden"; Type = "oneshot"; User = mkDefault user; Group = mkDefault group; @@ -148,12 +154,13 @@ in { wantedBy = [ "multi-user.target" ]; }; - systemd.timers.backup-bitwarden_rs = mkIf (cfg.backupDir != null) { - description = "Backup bitwarden_rs on time"; + systemd.timers.backup-vaultwarden = mkIf (cfg.backupDir != null) { + aliases = [ "backup-bitwarden_rs" ]; + description = "Backup vaultwarden on time"; timerConfig = { OnCalendar = mkDefault "23:00"; Persistent = "true"; - Unit = "backup-bitwarden_rs.service"; + Unit = "backup-vaultwarden.service"; }; wantedBy = [ "multi-user.target" ]; }; diff --git a/nixos/modules/system/activation/top-level.nix b/nixos/modules/system/activation/top-level.nix index 6751ca3f2ee7..4e2f25cd27fc 100644 --- a/nixos/modules/system/activation/top-level.nix +++ b/nixos/modules/system/activation/top-level.nix @@ -13,7 +13,7 @@ let # !!! fix this children = mapAttrs (childName: childConfig: (import ../../../lib/eval-config.nix { - inherit baseModules specialArgs; + inherit lib baseModules specialArgs; system = config.nixpkgs.initialSystem; modules = (optionals childConfig.inheritParentConfig modules) diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index 8c82b4bcf5db..f87d3b07a360 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -621,6 +621,8 @@ in Whether to allow TRIM requests to the underlying device. This option has security implications; please read the LUKS documentation before activating it. + This option is incompatible with authenticated encryption (dm-crypt + stacked over dm-integrity). ''; }; diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index b5126be8af7a..c77e72a7f49f 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -42,7 +42,6 @@ in bind = handleTest ./bind.nix {}; bitcoind = handleTest ./bitcoind.nix {}; bittorrent = handleTest ./bittorrent.nix {}; - bitwarden = handleTest ./bitwarden.nix {}; blockbook-frontend = handleTest ./blockbook-frontend.nix {}; boot = handleTestOn ["x86_64-linux"] ./boot.nix {}; # syslinux is unsupported on aarch64 boot-stage1 = handleTest ./boot-stage1.nix {}; @@ -88,6 +87,7 @@ in containers-tmpfs = handleTest ./containers-tmpfs.nix {}; convos = handleTest ./convos.nix {}; corerad = handleTest ./corerad.nix {}; + coturn = handleTest ./coturn.nix {}; couchdb = handleTest ./couchdb.nix {}; cri-o = handleTestOn ["x86_64-linux"] ./cri-o.nix {}; custom-ca = handleTest ./custom-ca.nix {}; @@ -446,6 +446,7 @@ in v2ray = handleTest ./v2ray.nix {}; vault = handleTest ./vault.nix {}; vault-postgresql = handleTest ./vault-postgresql.nix {}; + vaultwarden = handleTest ./vaultwarden.nix {}; vector = handleTest ./vector.nix {}; victoriametrics = handleTest ./victoriametrics.nix {}; virtualbox = handleTestOn ["x86_64-linux"] ./virtualbox.nix {}; diff --git a/nixos/tests/coturn.nix b/nixos/tests/coturn.nix new file mode 100644 index 000000000000..dff832281c7c --- /dev/null +++ b/nixos/tests/coturn.nix @@ -0,0 +1,29 @@ +import ./make-test-python.nix ({ ... }: { + name = "coturn"; + nodes = { + default = { + services.coturn.enable = true; + }; + secretsfile = { + boot.postBootCommands = '' + echo "some-very-secret-string" > /run/coturn-secret + ''; + services.coturn = { + enable = true; + static-auth-secret-file = "/run/coturn-secret"; + }; + }; + }; + + testScript = + '' + start_all() + + with subtest("by default works without configuration"): + default.wait_for_unit("coturn.service") + + with subtest("works with static-auth-secret-file"): + secretsfile.wait_for_unit("coturn.service") + secretsfile.succeed("grep 'some-very-secret-string' /run/coturn/turnserver.cfg") + ''; +}) diff --git a/nixos/tests/bitwarden.nix b/nixos/tests/vaultwarden.nix index f64cf171f01f..b5343f5cad2d 100644 --- a/nixos/tests/bitwarden.nix +++ b/nixos/tests/vaultwarden.nix @@ -4,7 +4,7 @@ }: # These tests will: -# * Set up a bitwarden-rs server +# * Set up a vaultwarden server # * Have Firefox use the web vault to create an account, log in, and save a password to the valut # * Have the bw cli log in and read that password from the vault # @@ -24,8 +24,8 @@ let storedPassword = "seeeecret"; - makeBitwardenTest = backend: makeTest { - name = "bitwarden_rs-${backend}"; + makeVaultwardenTest = backend: makeTest { + name = "vaultwarden-${backend}"; meta = { maintainers = with pkgs.lib.maintainers; [ jjjollyjim ]; }; @@ -45,9 +45,9 @@ let package = pkgs.mariadb; }; - services.bitwarden_rs.config.databaseUrl = "mysql://bitwardenuser:${dbPassword}@localhost/bitwarden"; + services.vaultwarden.config.databaseUrl = "mysql://bitwardenuser:${dbPassword}@localhost/bitwarden"; - systemd.services.bitwarden_rs.after = [ "mysql.service" ]; + systemd.services.vaultwarden.after = [ "mysql.service" ]; }; postgresql = { @@ -60,9 +60,9 @@ let ''; }; - services.bitwarden_rs.config.databaseUrl = "postgresql://bitwardenuser:${dbPassword}@localhost/bitwarden"; + services.vaultwarden.config.databaseUrl = "postgresql://bitwardenuser:${dbPassword}@localhost/bitwarden"; - systemd.services.bitwarden_rs.after = [ "postgresql.service" ]; + systemd.services.vaultwarden.after = [ "postgresql.service" ]; }; sqlite = { }; @@ -71,7 +71,7 @@ let mkMerge [ backendConfig.${backend} { - services.bitwarden_rs = { + services.vaultwarden = { enable = true; dbBackend = backend; config.rocketPort = 80; @@ -152,7 +152,7 @@ let testScript = '' start_all() - server.wait_for_unit("bitwarden_rs.service") + server.wait_for_unit("vaultwarden.service") server.wait_for_open_port(80) with subtest("configure the cli"): @@ -184,6 +184,6 @@ let in builtins.listToAttrs ( map - (backend: { name = backend; value = makeBitwardenTest backend; }) + (backend: { name = backend; value = makeVaultwardenTest backend; }) backends ) diff --git a/nixos/tests/zsh-history.nix b/nixos/tests/zsh-history.nix index 3109c3f65081..355687798406 100644 --- a/nixos/tests/zsh-history.nix +++ b/nixos/tests/zsh-history.nix @@ -23,7 +23,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { # Login default.wait_until_tty_matches(1, "login: ") default.send_chars("root\n") - default.wait_until_tty_matches(1, "root@default>") + default.wait_until_tty_matches(1, r"\nroot@default\b") # Generate some history default.send_chars("echo foobar\n") |