From 997a6f6f1eee4f2191bbb73fab08a5765014cd1e Mon Sep 17 00:00:00 2001 From: David Anderson Date: Mon, 14 Oct 2019 01:59:50 -0700 Subject: nixos/pppd: init --- nixos/modules/module-list.nix | 1 + nixos/modules/services/networking/pppd.nix | 133 +++++++++++++++++++++++++++++ 2 files changed, 134 insertions(+) create mode 100644 nixos/modules/services/networking/pppd.nix (limited to 'nixos')
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 4d177ae9699e..5214126ff7ed 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -666,6 +666,7 @@
 ./services/networking/polipo.nix
 ./services/networking/powerdns.nix
 ./services/networking/pdns-recursor.nix
+ ./services/networking/pppd.nix
 ./services/networking/pptpd.nix
 ./services/networking/prayer.nix
 ./services/networking/privoxy.nix
diff --git a/nixos/modules/services/networking/pppd.nix b/nixos/modules/services/networking/pppd.nix
new file mode 100644
index 000000000000..db1359117644
--- /dev/null
+++ b/nixos/modules/services/networking/pppd.nix
@@ -0,0 +1,133 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.pppd;
+in
+{
+ meta = {
+ maintainers = with maintainers; [ danderson ];
+ };
+
+ options = {
+ services.pppd = {
+ enable = mkEnableOption "pppd";
+
+ package = mkOption {
+ default = pkgs.ppp;
+ defaultText = "pkgs.ppp";
+ type = types.package;
+ description = "pppd package to use.";
+ };
+
+ peers = mkOption {
+ default = {};
+ type = types.attrsOf (types.submodule (
+ { name, ... }:
+ {
+ options = {
+ name = mkOption {
+ type = types.str;
+ default = name;
+ example = "dialup";
+ description = "Name of the PPP peer.";
+ };
+
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ example = false;
+ description = "Whether to enable this PPP peer.";
+ };
+
+ autostart = mkOption {
+ type = types.bool;
+ default = true;
+ example = false;
+ description = "Whether the PPP session is automatically started at boot time.";
+ };
+
+ config = mkOption {
+ type = types.lines;
+ default = "";
+ description = "pppd configuration for this peer, see the pppd(8) man page.";
+ };
+ };
+ }));
+ };
+ };
+ };
+
+ config = let
+ enabledConfigs = filter (f: f.enable) (attrValues cfg.peers);
+
+ mkEtc = peerCfg: {
+ "ppp/peers/${peerCfg.name}".text = peerCfg.config;
+ };
+
+ mkSystemd = peerCfg: {
+ "pppd-${peerCfg.name}" = {
+ restartTriggers = [ config.environment.etc."ppp/peers/${peerCfg.name}".source ];
+ before = [ "network.target" ];
+ wants = [ "network.target" ];
+ after = [ "network-pre.target" ];
+ environment = {
+ # pppd likes to write directly into /var/run. This is rude
+ # on a modern system, so we use libredirect to transparently
+ # move those files into /run/pppd.
+ LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so";
+ NIX_REDIRECTS = "/var/run=/run/pppd";
+ };
+ serviceConfig = {
+ ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog";
+ Restart = "always";
+ RestartSec = 5;
+
+ AmbientCapabilities = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
+ CapabilityBoundingSet = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
+ KeyringMode = "private";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelModules = true;
+ # pppd can be configured to tweak kernel settings.
+ ProtectKernelTunables = false;
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = "AF_PACKET AF_UNIX AF_PPPOX AF_ATMPVC AF_ATMSVC AF_INET AF_INET6 AF_IPX";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SecureBits = "no-setuid-fixup-locked noroot-locked";
+ SystemCallFilter = "@system-service";
+ SystemCallArchitectures = "native";
+
+ # All pppd instances on a system must share a runtime
+ # directory in order for PPP multilink to work correctly. So
+ # we give all instances the same /run/pppd directory to store
+ # things in.
+ #
+ # For the same reason, we can't set PrivateUsers=true, because
+ # all instances need to run as the same user to access the
+ # multilink database.
+ RuntimeDirectory = "pppd";
+ RuntimeDirectoryPreserve = true;
+ };
+ wantedBy = mkIf peerCfg.autostart [ "multi-user.target" ];
+ };
+ };
+
+ etcFiles = map mkEtc enabledConfigs;
+ systemdConfigs = map mkSystemd enabledConfigs;
+
+ in mkIf cfg.enable {
+ environment.etc = mkMerge etcFiles;
+ systemd.services = mkMerge systemdConfigs;
+ };
+}
-- cgit 1.4.1 From ae02b3dd1f450b51ef69bb13e4c7728106009936 Mon Sep 17 00:00:00 2001
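Review bot: `peerCfg.name` is a plain `types.str` (defaulting to the attribute name) that is interpolated unvalidated into the `ppp/peers/${peerCfg.name}` etc path, the `pppd-${peerCfg.name}` unit name and the `ExecStart` command line, so a name containing `/`, whitespace or `..` produces a broken path or a split command rather than an evaluation error; constraining the `name` option with `type = types.strMatching "[a-zA-Z0-9_-]+";` turns that into an eval-time failure. Separately, `config` is materialised through `environment.etc`, which by default symlinks into the world-readable Nix store, so the option description should state that credentials belong in `/etc/ppp/chap-secrets` or `pap-secrets` with a restricted mode, e.g. `description = "pppd configuration for this peer, see the pppd(8) man page. This file is world-readable; keep secrets in chap-secrets/pap-secrets.";`. The `AmbientCapabilities`/`CapabilityBoundingSet` lines include `CAP_SYS_ADMIN`, which is broad enough to weaken much of the surrounding sandboxing; a one-line comment on why pppd needs it, as `ProtectKernelTunables` already has, would let reviewers judge the trade-off.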
From: David Anderson Date: Mon, 14 Oct 2019 21:26:54 -0700 Subject: nixos/tests/pppd: init This test creates a PPPoE link between two machines, and verifies that the machines can ping each other. --- nixos/tests/all-tests.nix | 1 + nixos/tests/pppd.nix | 62 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 63 insertions(+) create mode 100644 nixos/tests/pppd.nix (limited to 'nixos') diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 914b32f97c3a..e94c9712cbfa 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -227,6 +227,7 @@ in postgresql = handleTest ./postgresql.nix {}; postgresql-wal-receiver = handleTest ./postgresql-wal-receiver.nix {}; powerdns = handleTest ./powerdns.nix {}; + pppd = handleTest ./pppd.nix {}; predictable-interface-names = handleTest ./predictable-interface-names.nix {}; printing = handleTest ./printing.nix {}; prometheus = handleTest ./prometheus.nix {}; diff --git a/nixos/tests/pppd.nix b/nixos/tests/pppd.nix new file mode 100644 index 000000000000..91f811859093 --- /dev/null +++ b/nixos/tests/pppd.nix 
@@ -0,0 +1,62 @@ +import ./make-test.nix ( + let + chap-secrets = { + text = ''"flynn" * "reindeerflotilla" *''; + mode = "0640"; + }; + in { + nodes = { + server = {config, pkgs, ...}: { + config = { + # Run a PPPoE access concentrator server. It will spawn an + # appropriate PPP server process when a PPPoE client sets up a + # PPPoE session. + systemd.services.pppoe-server = { + restartTriggers = [ + config.environment.etc."ppp/pppoe-server-options".source + config.environment.etc."ppp/chap-secrets".source + ]; + after = ["network.target"]; + serviceConfig = { + ExecStart = "${pkgs.rpPPPoE}/sbin/pppoe-server -F -O /etc/ppp/pppoe-server-options -q ${pkgs.ppp}/sbin/pppd -I eth1 -L 192.0.2.1 -R 192.0.2.2"; + }; + wantedBy = ["multi-user.target"]; + }; + environment.etc = { + "ppp/pppoe-server-options".text = '' + lcp-echo-interval 10 + lcp-echo-failure 2 + plugin rp-pppoe.so + require-chap + nobsdcomp + noccp + novj + ''; + "ppp/chap-secrets" = chap-secrets; + }; + }; + }; + client = {config, pkgs, ...}: { + services.pppd = { + enable = true; + peers.test = { + config = '' + plugin rp-pppoe.so eth1 + name "flynn" + noipdefault + persist + noauth + debug + ''; + }; + }; + environment.etc."ppp/chap-secrets" = chap-secrets; + }; + }; + + testScript = '' + startAll; + $client->waitUntilSucceeds("ping -c1 -W1 192.0.2.1"); + $server->waitUntilSucceeds("ping -c1 -W1 192.0.2.2"); + ''; + }) -- cgit 1.4.1 From a4916fdea5680452cb9fc5aac5ec350b52b3797c Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 27 Oct 2018 16:01:19 +0200 Subject: pinentry: build with multiple outputs in single drv Co-authored-by: Florian Klink Co-authored-by: worldofpeace --- nixos/modules/config/no-x-libs.nix | 1 - pkgs/tools/security/pinentry/default.nix | 105 ++++++++++++++++++++----------- pkgs/top-level/all-packages.nix | 31 ++------- 3 files changed, 75 insertions(+), 62 deletions(-) (limited to 'nixos') 
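Review bot: The `testScript` waits only on the two `ping` calls, so when the link never comes up the failure surfaces as a ping timeout with no indication of which side is at fault; adding `$client->waitForUnit("pppd-test.service");` and `$server->waitForUnit("pppoe-server.service");` before the pings makes the failing unit explicit. The shared `chap-secrets` value sets `mode = "0640"` without `user`/`group`, which appears to rely on the `environment.etc` defaults and on both pppd processes running as root; a one-line comment on that assumption would save the next reader a lookup.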
diff --git a/nixos/modules/config/no-x-libs.nix b/nixos/modules/config/no-x-libs.nix index 74cf74d74181..873b8073fed9 100644 --- a/nixos/modules/config/no-x-libs.nix +++ b/nixos/modules/config/no-x-libs.nix @@ -34,7 +34,6 @@ with lib; networkmanager-openvpn = super.networkmanager-openvpn.override { withGnome = false; }; networkmanager-vpnc = super.networkmanager-vpnc.override { withGnome = false; }; networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; }; - pinentry = super.pinentry.override { gtk2 = null; gcr = null; qt4 = null; qt5 = null; }; gobject-introspection = super.gobject-introspection.override { x11Support = false; }; })); }; diff --git a/pkgs/tools/security/pinentry/default.nix b/pkgs/tools/security/pinentry/default.nix index 160816a8cb72..87edc914131d 100644 --- a/pkgs/tools/security/pinentry/default.nix +++ b/pkgs/tools/security/pinentry/default.nix 
@@ -1,60 +1,93 @@ -{ fetchurl, fetchpatch, stdenv, lib, pkgconfig, autoreconfHook -, libgpgerror, libassuan -, libcap ? null, libsecret ? null, ncurses ? null, gtk2 ? null, gcr ? null -, qt4 ? null, qt5 ? null -, enableEmacs ? false +{ fetchurl, mkDerivation, fetchpatch, stdenv, lib, pkgconfig, autoreconfHook, wrapGAppsHook +, libgpgerror, libassuan, qtbase, wrapQtAppsHook +, ncurses, gtk2, gcr +, libcap ? null, libsecret ? null +, enabledFlavors ? [ "curses" "tty" "gtk2" "qt" "gnome3" "emacs" ] }: -assert qt5 != null -> qt4 == null; -assert qt4 != null -> qt5 == null; +with stdenv.lib; + +assert isList enabledFlavors && enabledFlavors != []; let - mkDerivation = - if qt5 != null - then qt5.mkDerivation + pinentryMkDerivation = + if (builtins.elem "qt" enabledFlavors) + then mkDerivation else stdenv.mkDerivation; + + mkFlag = pfxTrue: pfxFalse: cond: name: + "--${if cond then pfxTrue else pfxFalse}-${name}"; + mkEnable = mkFlag "enable" "disable"; + mkWith = mkFlag "with" "without"; + + mkEnablePinentry = f: + let + info = flavorInfo.${f}; + flag = flavorInfo.${f}.flag or null; + in + optionalString (flag != null) + (mkEnable (elem f enabledFlavors) ("pinentry-" + flag)); + + flavorInfo = { + curses = { bin = "curses"; flag = "curses"; buildInputs = [ ncurses ]; }; + tty = { bin = "tty"; flag = "tty"; }; + gtk2 = { bin = "gtk-2"; flag = "gtk2"; buildInputs = [ gtk2 ]; }; + gnome3 = { bin = "gnome3"; flag = "gnome3"; buildInputs = [ gcr ]; nativeBuildInputs = [ wrapGAppsHook ]; }; + qt = { bin = "qt"; flag = "qt"; buildInputs = [ qtbase ]; nativeBuildInputs = [ wrapQtAppsHook ]; }; + emacs = { bin = "emacs"; flag = "emacs"; buildInputs = []; }; + }; + in -mkDerivation rec { - name = "pinentry-1.1.0"; +pinentryMkDerivation rec { + pname = "pinentry"; + version = "1.1.0"; src = fetchurl { - url = "mirror://gnupg/pinentry/${name}.tar.bz2"; + url = "mirror://gnupg/pinentry/${pname}-${version}.tar.bz2"; sha256 = "0w35ypl960pczg5kp6km3dyr000m1hf0vpwwlh72jjkjza36c1v8"; }; 
- nativeBuildInputs = [ pkgconfig autoreconfHook ]; - buildInputs = - [ libgpgerror libassuan libcap libsecret gtk2 gcr ncurses qt4 ] - ++ stdenv.lib.optional (qt5 != null) qt5.qtbase; + nativeBuildInputs = [ pkgconfig autoreconfHook ] + ++ concatMap(f: flavorInfo.${f}.nativeBuildInputs or []) enabledFlavors; + buildInputs = [ libgpgerror libassuan libcap libsecret ] + ++ concatMap(f: flavorInfo.${f}.buildInputs or []) enabledFlavors; - prePatch = '' - substituteInPlace pinentry/pinentry-curses.c --replace ncursesw ncurses - ''; + dontWrapGApps = true; + dontWrapQtApps = true; patches = [ ./autoconf-ar.patch - ] ++ lib.optionals (gtk2 != null) [ + ] ++ optionals (elem "gtk2" enabledFlavors) [ (fetchpatch { - url = "https://salsa.debian.org/debian/pinentry/raw/debian/1.1.0-1/debian/patches/" - + "0007-gtk2-When-X11-input-grabbing-fails-try-again-over-0..patch"; + url = "https://salsa.debian.org/debian/pinentry/raw/debian/1.1.0-1/debian/patches/0007-gtk2-When-X11-input-grabbing-fails-try-again-over-0..patch"; sha256 = "15r1axby3fdlzz9wg5zx7miv7gqx2jy4immaw4xmmw5skiifnhfd"; }) ]; configureFlags = [ - (stdenv.lib.withFeature (libcap != null) "libcap") - (stdenv.lib.enableFeature (libsecret != null) "libsecret") - (stdenv.lib.enableFeature (ncurses != null) "pinentry-curses") - (stdenv.lib.enableFeature true "pinentry-tty") - (stdenv.lib.enableFeature enableEmacs "pinentry-emacs") - (stdenv.lib.enableFeature (gtk2 != null) "pinentry-gtk2") - (stdenv.lib.enableFeature (gcr != null) "pinentry-gnome3") - (stdenv.lib.enableFeature (qt4 != null || qt5 != null) "pinentry-qt") - - "--with-libassuan-prefix=${libassuan.dev}" - "--with-libgpg-error-prefix=${libgpgerror.dev}" - ]; + (mkWith (libcap != null) "libcap") + (mkEnable (libsecret != null) "libsecret") + ] ++ (map mkEnablePinentry (attrNames flavorInfo)); + + postInstall = + concatStrings (flip map enabledFlavors (f: + let + binary = "pinentry-" + flavorInfo.${f}.bin; + in '' + moveToOutput bin/${binary} ${placeholder f} 
+ ln -sf ${placeholder f}/bin/${binary} ${placeholder f}/bin/pinentry + '' + optionalString (f == "gnome3") '' + wrapGApp ${placeholder f}/bin/${binary} + '' + optionalString (f == "qt") '' + wrapQtApp ${placeholder f}/bin/${binary} + '')) + '' + ln -sf ${placeholder (head enabledFlavors)}/bin/pinentry-${flavorInfo.${head enabledFlavors}.bin} $out/bin/pinentry + ''; + + outputs = [ "out" ] ++ enabledFlavors; + + passthru = { flavors = enabledFlavors; }; meta = with stdenv.lib; { homepage = http://gnupg.org/aegypten2/; @@ -65,6 +98,6 @@ mkDerivation rec { Pinentry provides a console and (optional) GTK and Qt GUIs allowing users to enter a passphrase when `gpg' or `gpg2' is run and needs it. ''; - maintainers = [ maintainers.ttuegel ]; + maintainers = with maintainers; [ ttuegel fpletz ]; }; } diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index eb6854327422..d01c2ac98d0c 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
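Review bot: The top-level `assert` checks only that `enabledFlavors` is a non-empty list, while `flavorInfo.${f}` in `nativeBuildInputs`, `buildInputs` and `postInstall` indexes it with no fallback, so a misspelled flavour fails deep inside the derivation with an attribute-missing error; `assert all (f: flavorInfo ? ${f}) enabledFlavors;` next to the existing assert gives a readable evaluation failure instead. In `mkEnablePinentry` the `info` binding is unused because `flag` re-indexes `flavorInfo.${f}`; either drop it or write `flag = info.flag or null;`. The final `ln -sf ... $out/bin/pinentry` presumes `$out/bin` still exists after every flavour binary has been moved to its own output; if `moveToOutput` prunes the then-empty directory, a `mkdir -p $out/bin` before the link is needed, which is worth confirming in a build.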
@@ -5521,34 +5521,15 @@ in phodav = callPackage ../tools/networking/phodav { }; - pinentry = callPackage ../tools/security/pinentry { + pinentry = libsForQt5.callPackage ../tools/security/pinentry { libcap = if stdenv.isDarwin then null else libcap; - gcr = null; - qt4 = null; - qt5 = null; - }; - - pinentry_ncurses = res.pinentry.override { - gtk2 = null; }; - pinentry_emacs = res.pinentry.override { - enableEmacs = true; - }; - - pinentry_gnome = res.pinentry.override { - inherit gcr; - }; - - pinentry_qt4 = res.pinentry.override { - gtk2 = null; - inherit qt4; - }; - - pinentry_qt5 = res.pinentry.override { - gtk2 = null; - inherit qt5; - }; + pinentry_curses = (stdenv.lib.getOutput "curses" pinentry); + pinentry_emacs = (stdenv.lib.getOutput "emacs" pinentry); + pinentry_gtk2 = (stdenv.lib.getOutput "gtk2" pinentry); + pinentry_qt = (stdenv.lib.getOutput "qt" pinentry); + pinentry_gnome = (stdenv.lib.getOutput "gnome" pinentry); pinentry_mac = callPackage ../tools/security/pinentry/mac.nix { inherit (darwin.apple_sdk.frameworks) Cocoa; -- cgit 1.4.1 From edea9fed725339a42f94f42139b8f9d2af0de5ee Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 27 Oct 2018 16:02:16 +0200 Subject: nixos/gnupg: add option for setting pinentry flavours Co-authored-by: Florian Klink --- nixos/modules/installer/tools/tools.nix | 6 ++++- nixos/modules/programs/gnupg.nix | 39 ++++++++++++++++++++++++++++++++- 2 files changed, 43 insertions(+), 2 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix index 329260059598..9e6eead3c4d7 100644 --- a/nixos/modules/installer/tools/tools.nix +++ b/nixos/modules/installer/tools/tools.nix 
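Review bot: `pinentry_gnome = (stdenv.lib.getOutput "gnome" pinentry);` names an output the derivation does not define; the flavour and its output are called `gnome3` in `flavorInfo` and `outputs`. Since `lib.getOutput` falls back to the package itself when the requested output is absent, this attribute would silently resolve to the default output rather than fail. It should read `pinentry_gnome = (stdenv.lib.getOutput "gnome3" pinentry);`.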
@@ -120,7 +120,11 @@ in # Some programs need SUID wrappers, can be configured further or are # started in user sessions. # programs.mtr.enable = true; - # programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # flavour = "gnome3"; + # }; # List services that you want to enable: diff --git a/nixos/modules/programs/gnupg.nix b/nixos/modules/programs/gnupg.nix index bcbc994efe9b..dd3d74c26326 100644 --- a/nixos/modules/programs/gnupg.nix +++ b/nixos/modules/programs/gnupg.nix @@ -6,6 +6,19 @@ let cfg = config.programs.gnupg; + xserverCfg = config.services.xserver; + + defaultPinentryFlavor = + if xserverCfg.desktopManager.lxqt.enable + || xserverCfg.desktopManager.plasma5.enable then + "qt" + else if xserverCfg.desktopManager.xfce.enable then + "gtk2" + else if xserverCfg.enable then + "gnome3" + else + null; + in { @@ -54,6 +67,20 @@ in ''; }; + agent.pinentryFlavor = mkOption { + type = types.nullOr (types.enum pkgs.pinentry.flavors); + example = "gnome3"; + description = '' + Which pinentry interface to use. If not null, the path to the + pinentry binary will be passed to gpg-agent via commandline and + thus overrides the pinentry option in gpg-agent.conf in the user's + home directory. + If not set at all, it'll pick an appropriate flavor depending on the + system configuration (qt3 flavor for lxqt and plasma5, gtk2 for xfce + 4.12, gnome3 on all other systems with X enabled, ncurses otherwise). + ''; + }; + dirmngr.enable = mkOption { type = types.bool; default = false; 
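Review bot: The commented example written into the generated `configuration.nix` uses `flavour = "gnome3";`, but the option this same commit introduces in `nixos/modules/programs/gnupg.nix` is `agent.pinentryFlavor`, so a user who uncomments the block gets an undefined-option error. The line should read `#   pinentryFlavor = "gnome3";`.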
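Review bot: `defaultPinentryFlavor` evaluates to `null` when `xserverCfg.enable` is false, and the `mkIf (cfg.agent.pinentryFlavor != null)` guard in the following hunk of this file then applies no `ExecStart` override at all, so gpg-agent falls back to whatever pinentry gnupg itself was built with; the option description's "ncurses otherwise" does not describe this code, and the flavour in `pkgs.pinentry.flavors` is named `curses` in any case. Either return `"curses"` from the final `else` branch so the description holds, or reword the description to say that without X no pinentry is forced and gnupg's built-in default applies.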
@@ -64,6 +91,16 @@ in }; config = mkIf cfg.agent.enable { + programs.gnupg.agent.pinentryFlavor = mkDefault defaultPinentryFlavor; + + # This overrides the systemd user unit shipped with the gnupg package + systemd.user.services.gpg-agent = mkIf (cfg.agent.pinentryFlavor != null) { + serviceConfig.ExecStart = [ "" '' + ${pkgs.gnupg}/bin/gpg-agent --supervised \ + --pinentry-program ${pkgs.pinentry.${cfg.agent.pinentryFlavor}}/bin/pinentry + '' ]; + }; + systemd.user.sockets.gpg-agent = { wantedBy = [ "sockets.target" ]; }; @@ -83,7 +120,7 @@ in systemd.user.sockets.dirmngr = mkIf cfg.dirmngr.enable { wantedBy = [ "sockets.target" ]; }; - + environment.systemPackages = with pkgs; [ cfg.package ]; systemd.packages = [ cfg.package ]; -- cgit 1.4.1 From b5bea4ce32a26deb3b6d600893e37a4c347c66ab Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 27 Oct 2018 16:03:13 +0200 Subject: gnupg: disable gui/pinentry support by default This solves the dependency cycle in gcr alternatively so there won't be two gnupg store paths in a standard NixOS system which has udisks2 enabled by default. NixOS users are expected to use the gpg-agent user service to pull in the appropriate pinentry flavour or install it on their systemPackages and set it in their local gnupg agent config instead. Co-authored-by: Florian Klink --- nixos/doc/manual/release-notes/rl-2003.xml | 9 ++++++++- nixos/modules/programs/gnupg.nix | 2 +- pkgs/development/libraries/gcr/default.nix | 6 +----- pkgs/tools/security/gnupg/20.nix | 2 +- pkgs/tools/security/gnupg/22.nix | 2 +- pkgs/top-level/all-packages.nix | 6 ++++-- 6 files changed, 16 insertions(+), 11 deletions(-) (limited to 'nixos') diff --git a/nixos/doc/manual/release-notes/rl-2003.xml b/nixos/doc/manual/release-notes/rl-2003.xml index ab0951e831ce..49ffcd1c2d21 100644 --- a/nixos/doc/manual/release-notes/rl-2003.xml +++ b/nixos/doc/manual/release-notes/rl-2003.xml 
@@ -85,7 +85,14 @@ - + + GnuPG is now built without support for a graphical passphrase entry + by default. Please enable the gpg-agent user service + via the NixOS option programs.gnupg.agent.enable. + Note that upstream recommends using gpg-agent and + will spawn a gpg-agent on the first invocation of + GnuPG anyway. + diff --git a/nixos/modules/programs/gnupg.nix b/nixos/modules/programs/gnupg.nix index dd3d74c26326..4fb7c43c8b2e 100644 --- a/nixos/modules/programs/gnupg.nix +++ b/nixos/modules/programs/gnupg.nix @@ -76,7 +76,7 @@ in thus overrides the pinentry option in gpg-agent.conf in the user's home directory. If not set at all, it'll pick an appropriate flavor depending on the - system configuration (qt3 flavor for lxqt and plasma5, gtk2 for xfce + system configuration (qt flavor for lxqt and plasma5, gtk2 for xfce 4.12, gnome3 on all other systems with X enabled, ncurses otherwise). ''; }; diff --git a/pkgs/development/libraries/gcr/default.nix b/pkgs/development/libraries/gcr/default.nix index 18b568b0f6c6..1947d40dc85d 100644 --- a/pkgs/development/libraries/gcr/default.nix +++ b/pkgs/development/libraries/gcr/default.nix @@ -24,11 +24,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ pkgconfig gettext gobject-introspection libxslt makeWrapper vala ]; - buildInputs = let - gpg = gnupg.override { guiSupport = false; }; # prevent build cycle with pinentry_gnome - in [ - gpg libgcrypt libtasn1 dbus-glib pango gdk-pixbuf atk - ]; + buildInputs = [ gnupg libgcrypt libtasn1 dbus-glib pango gdk-pixbuf atk ]; propagatedBuildInputs = [ glib gtk3 p11-kit ]; diff --git a/pkgs/tools/security/gnupg/20.nix b/pkgs/tools/security/gnupg/20.nix index 6336d319997f..ef348e388342 100644 --- a/pkgs/tools/security/gnupg/20.nix +++ b/pkgs/tools/security/gnupg/20.nix 
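Review bot: Removing the `gnupg.override { guiSupport = false; }` from gcr's `buildInputs` makes the absence of the gcr → pinentry_gnome → gcr build cycle depend on the `guiSupport ? false` default flipped in `gnupg/20.nix` and `22.nix` in this same commit, and nothing in gcr's file records that any more. A comment on the `buildInputs` line such as `# gnupg defaults to guiSupport = false; a gnupg with pinentry here would create a build cycle via pinentry_gnome` keeps the constraint visible to whoever changes the default back.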
@@ -3,7 +3,7 @@ # Each of the dependencies below are optional. # Gnupg can be built without them at the cost of reduced functionality. -, pinentry ? null, guiSupport ? true +, pinentry ? null, guiSupport ? false , openldap ? null, bzip2 ? null, libusb ? null, curl ? null }: diff --git a/pkgs/tools/security/gnupg/22.nix b/pkgs/tools/security/gnupg/22.nix index e2f460e7e308..f62f10c8cf9d 100644 --- a/pkgs/tools/security/gnupg/22.nix +++ b/pkgs/tools/security/gnupg/22.nix @@ -4,7 +4,7 @@ # Each of the dependencies below are optional. # Gnupg can be built without them at the cost of reduced functionality. -, pinentry ? null, guiSupport ? true +, pinentry ? null, guiSupport ? false , adns ? null, gnutls ? null, libusb ? null, openldap ? null , readline ? null, zlib ? null, bzip2 ? null }: diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index d1c5611d3892..56aa84bca7d3 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -3499,10 +3499,12 @@ in gnupg1compat = callPackage ../tools/security/gnupg/1compat.nix { }; gnupg1 = gnupg1compat; # use config.packageOverrides if you prefer original gnupg1 gnupg20 = callPackage ../tools/security/gnupg/20.nix { - pinentry = if stdenv.isDarwin then pinentry_mac else pinentry; + guiSupport = stdenv.isDarwin; + pinentry = if stdenv.isDarwin then pinentry_mac else pinentry_gtk2; }; gnupg22 = callPackage ../tools/security/gnupg/22.nix { - pinentry = if stdenv.isDarwin then pinentry_mac else pinentry; + guiSupport = stdenv.isDarwin; + pinentry = if stdenv.isDarwin then pinentry_mac else pinentry_gtk2; }; gnupg = gnupg22; -- cgit 1.4.1 From b04b354e2cee6248ba9871841e3d29d6f123ae56 Mon Sep 17 00:00:00 2001 
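Review bot: In the `all-packages.nix` hunk the Linux branch now passes `guiSupport = false` together with `pinentry = pinentry_gtk2` to `gnupg20` and `gnupg22`, so the gtk2 output becomes a build argument that, if the gnupg expressions only reference `pinentry` under `guiSupport` as their comment suggests, is never used there. Writing `pinentry = if stdenv.isDarwin then pinentry_mac else null;`, or keeping `pinentry_gtk2` with a comment explaining why it is still wanted, would make the intent explicit.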
From: Franz Pletz Date: Sat, 27 Oct 2018 16:08:17 +0200 Subject: Revert "installer: Disable udisks" This reverts commit 571fb74f449aa173e231166515b41feb778524b8. The dependency on gtk2 was removed. Co-authored-by: Florian Klink --- nixos/modules/profiles/installation-device.nix | 3 --- nixos/tests/installer.nix | 4 ---- nixos/tests/os-prober.nix | 3 +-- 3 files changed, 1 insertion(+), 9 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix index fd30220ce1c9..4596e163404c 100644 --- a/nixos/modules/profiles/installation-device.nix +++ b/nixos/modules/profiles/installation-device.nix @@ -31,9 +31,6 @@ with lib; # Let the user play Rogue on TTY 8 during the installation. #services.rogue.enable = true; - # Disable some other stuff we don't need. - services.udisks2.enable = mkDefault false; - # Use less privileged nixos user users.users.nixos = { isNormalUser = true; diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix index a136678c6eff..eb1f4f192dd1 100644 --- a/nixos/tests/installer.nix +++ b/nixos/tests/installer.nix @@ -54,8 +54,6 @@ let hardware.enableAllFirmware = lib.mkForce false; - services.udisks2.enable = lib.mkDefault false; - ${replaceChars ["\n"] ["\n "] extraConfig} } ''; @@ -295,8 +293,6 @@ let ++ optional (bootLoader == "grub" && grubVersion == 1) pkgs.grub ++ optionals (bootLoader == "grub" && grubVersion == 2) [ pkgs.grub2 pkgs.grub2_efi ]; - services.udisks2.enable = mkDefault false; - nix.binaryCaches = mkForce [ ]; nix.extraOptions = '' diff --git a/nixos/tests/os-prober.nix b/nixos/tests/os-prober.nix index 9cd9f4ecd150..5407a62339fe 100644 --- a/nixos/tests/os-prober.nix +++ b/nixos/tests/os-prober.nix 
@@ -51,12 +51,11 @@ let hashed-mirrors = connect-timeout = 1 ''; - services.udisks2.enable = lib.mkForce false; }; # /etc/nixos/configuration.nix for the vm configFile = pkgs.writeText "configuration.nix" '' {config, pkgs, ...}: ({ - imports = + imports = [ ./hardware-configuration.nix ]; -- cgit 1.4.1 From e397b949a9439e0df7ad77e72a12410efc61a930 Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Wed, 16 Oct 2019 19:31:58 +0200 Subject: udisks2: use tmpfiles instead of activation script to create /var/lib/udisks2 --- nixos/modules/services/hardware/udisks2.nix | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/hardware/udisks2.nix b/nixos/modules/services/hardware/udisks2.nix index ed8703be921c..e898f3260585 100644 --- a/nixos/modules/services/hardware/udisks2.nix +++ b/nixos/modules/services/hardware/udisks2.nix @@ -34,10 +34,7 @@ with lib; services.dbus.packages = [ pkgs.udisks2 ]; - system.activationScripts.udisks2 = - '' - mkdir -m 0755 -p /var/lib/udisks2 - ''; + systemd.tmpfiles.rules = [ "d /var/lib/udisks2 0755 root root -" ]; services.udev.packages = [ pkgs.udisks2 ]; -- cgit 1.4.1 From 2fbccbc7288a72bea649d035cdb7a772d10baf3a Mon Sep 17 00:00:00 2001 
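Review bot: A tmpfiles `d` entry differs from the replaced `mkdir -m 0755 -p` in one respect worth recording on the `systemd.tmpfiles.rules` line: if `/var/lib/udisks2` already exists, systemd-tmpfiles adjusts its mode and ownership to `0755 root root`, whereas the activation script left an existing directory untouched. A short comment such as `# tmpfiles also normalises mode/ownership of a pre-existing directory` documents that this is intended.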
From: worldofpeace Date: Wed, 16 Oct 2019 20:28:21 -0400 Subject: Revert "Merge pull request #71095 from flokli/pinentry-cleanup" This reverts commit 823da4d492b8b4ad46bf812db8421d99ff17a8fc, reversing changes made to b75c8ee3bc1b9734c29740e9d17ac2175fe207fd. --- nixos/doc/manual/release-notes/rl-2003.xml | 9 +-- nixos/modules/config/no-x-libs.nix | 1 + nixos/modules/installer/tools/tools.nix | 6 +- nixos/modules/profiles/installation-device.nix | 3 + nixos/modules/programs/gnupg.nix | 39 +-------- nixos/modules/services/hardware/udisks2.nix | 5 +- nixos/tests/installer.nix | 4 + nixos/tests/os-prober.nix | 3 +- pkgs/development/libraries/gcr/default.nix | 6 +- pkgs/tools/security/gnupg/20.nix | 2 +- pkgs/tools/security/gnupg/22.nix | 2 +- pkgs/tools/security/kwalletcli/default.nix | 4 +- pkgs/tools/security/pinentry/default.nix | 105 +++++++++---------------- pkgs/top-level/aliases.nix | 5 -- pkgs/top-level/all-packages.nix | 37 ++++++--- 15 files changed, 89 insertions(+), 142 deletions(-) (limited to 'nixos') diff --git a/nixos/doc/manual/release-notes/rl-2003.xml b/nixos/doc/manual/release-notes/rl-2003.xml index 49ffcd1c2d21..ab0951e831ce 100644 --- a/nixos/doc/manual/release-notes/rl-2003.xml +++ b/nixos/doc/manual/release-notes/rl-2003.xml @@ -85,14 +85,7 @@ - - GnuPG is now built without support for a graphical passphrase entry - by default. Please enable the gpg-agent user service - via the NixOS option programs.gnupg.agent.enable. - Note that upstream recommends using gpg-agent and - will spawn a gpg-agent on the first invocation of - GnuPG anyway. - + diff --git a/nixos/modules/config/no-x-libs.nix b/nixos/modules/config/no-x-libs.nix index 873b8073fed9..74cf74d74181 100644 --- a/nixos/modules/config/no-x-libs.nix +++ b/nixos/modules/config/no-x-libs.nix 
@@ -34,6 +34,7 @@ with lib; networkmanager-openvpn = super.networkmanager-openvpn.override { withGnome = false; }; networkmanager-vpnc = super.networkmanager-vpnc.override { withGnome = false; }; networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; }; + pinentry = super.pinentry.override { gtk2 = null; gcr = null; qt4 = null; qt5 = null; }; gobject-introspection = super.gobject-introspection.override { x11Support = false; }; })); }; diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix index 9e6eead3c4d7..329260059598 100644 --- a/nixos/modules/installer/tools/tools.nix +++ b/nixos/modules/installer/tools/tools.nix @@ -120,11 +120,7 @@ in # Some programs need SUID wrappers, can be configured further or are # started in user sessions. # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # flavour = "gnome3"; - # }; + # programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; # List services that you want to enable: diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix index 4596e163404c..fd30220ce1c9 100644 --- a/nixos/modules/profiles/installation-device.nix +++ b/nixos/modules/profiles/installation-device.nix @@ -31,6 +31,9 @@ with lib; # Let the user play Rogue on TTY 8 during the installation. #services.rogue.enable = true; + # Disable some other stuff we don't need. + services.udisks2.enable = mkDefault false; + # Use less privileged nixos user users.users.nixos = { isNormalUser = true; diff --git a/nixos/modules/programs/gnupg.nix b/nixos/modules/programs/gnupg.nix index 4fb7c43c8b2e..bcbc994efe9b 100644 --- a/nixos/modules/programs/gnupg.nix +++ b/nixos/modules/programs/gnupg.nix 
@@ -6,19 +6,6 @@ let cfg = config.programs.gnupg; - xserverCfg = config.services.xserver; - - defaultPinentryFlavor = - if xserverCfg.desktopManager.lxqt.enable - || xserverCfg.desktopManager.plasma5.enable then - "qt" - else if xserverCfg.desktopManager.xfce.enable then - "gtk2" - else if xserverCfg.enable then - "gnome3" - else - null; - in { @@ -67,20 +54,6 @@ in ''; }; - agent.pinentryFlavor = mkOption { - type = types.nullOr (types.enum pkgs.pinentry.flavors); - example = "gnome3"; - description = '' - Which pinentry interface to use. If not null, the path to the - pinentry binary will be passed to gpg-agent via commandline and - thus overrides the pinentry option in gpg-agent.conf in the user's - home directory. - If not set at all, it'll pick an appropriate flavor depending on the - system configuration (qt flavor for lxqt and plasma5, gtk2 for xfce - 4.12, gnome3 on all other systems with X enabled, ncurses otherwise). - ''; - }; - dirmngr.enable = mkOption { type = types.bool; default = false; @@ -91,16 +64,6 @@ in }; config = mkIf cfg.agent.enable { - programs.gnupg.agent.pinentryFlavor = mkDefault defaultPinentryFlavor; - - # This overrides the systemd user unit shipped with the gnupg package - systemd.user.services.gpg-agent = mkIf (cfg.agent.pinentryFlavor != null) { - serviceConfig.ExecStart = [ "" '' - ${pkgs.gnupg}/bin/gpg-agent --supervised \ - --pinentry-program ${pkgs.pinentry.${cfg.agent.pinentryFlavor}}/bin/pinentry - '' ]; - }; - systemd.user.sockets.gpg-agent = { wantedBy = [ "sockets.target" ]; }; @@ -120,7 +83,7 @@ in systemd.user.sockets.dirmngr = mkIf cfg.dirmngr.enable { wantedBy = [ "sockets.target" ]; }; - + environment.systemPackages = with pkgs; [ cfg.package ]; systemd.packages = [ cfg.package ]; diff --git a/nixos/modules/services/hardware/udisks2.nix b/nixos/modules/services/hardware/udisks2.nix index e898f3260585..ed8703be921c 100644 --- a/nixos/modules/services/hardware/udisks2.nix 
+++ b/nixos/modules/services/hardware/udisks2.nix @@ -34,7 +34,10 @@ with lib; services.dbus.packages = [ pkgs.udisks2 ]; - systemd.tmpfiles.rules = [ "d /var/lib/udisks2 0755 root root -" ]; + system.activationScripts.udisks2 = + '' + mkdir -m 0755 -p /var/lib/udisks2 + ''; services.udev.packages = [ pkgs.udisks2 ]; diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix index eb1f4f192dd1..a136678c6eff 100644 --- a/nixos/tests/installer.nix +++ b/nixos/tests/installer.nix @@ -54,6 +54,8 @@ let hardware.enableAllFirmware = lib.mkForce false; + services.udisks2.enable = lib.mkDefault false; + ${replaceChars ["\n"] ["\n "] extraConfig} } ''; @@ -293,6 +295,8 @@ let ++ optional (bootLoader == "grub" && grubVersion == 1) pkgs.grub ++ optionals (bootLoader == "grub" && grubVersion == 2) [ pkgs.grub2 pkgs.grub2_efi ]; + services.udisks2.enable = mkDefault false; + nix.binaryCaches = mkForce [ ]; nix.extraOptions = '' diff --git a/nixos/tests/os-prober.nix b/nixos/tests/os-prober.nix index 5407a62339fe..9cd9f4ecd150 100644 --- a/nixos/tests/os-prober.nix +++ b/nixos/tests/os-prober.nix @@ -51,11 +51,12 @@ let hashed-mirrors = connect-timeout = 1 ''; + services.udisks2.enable = lib.mkForce false; }; # /etc/nixos/configuration.nix for the vm configFile = pkgs.writeText "configuration.nix" '' {config, pkgs, ...}: ({ - imports = + imports = [ ./hardware-configuration.nix ]; diff --git a/pkgs/development/libraries/gcr/default.nix b/pkgs/development/libraries/gcr/default.nix index 1947d40dc85d..18b568b0f6c6 100644 --- a/pkgs/development/libraries/gcr/default.nix +++ b/pkgs/development/libraries/gcr/default.nix 
@@ -24,7 +24,11 @@ stdenv.mkDerivation rec {
 nativeBuildInputs = [ pkgconfig gettext gobject-introspection libxslt makeWrapper vala ];
- buildInputs = [ gnupg libgcrypt libtasn1 dbus-glib pango gdk-pixbuf atk ];
+ buildInputs = let
+ gpg = gnupg.override { guiSupport = false; }; # prevent build cycle with pinentry_gnome
+ in [
+ gpg libgcrypt libtasn1 dbus-glib pango gdk-pixbuf atk
+ ];
 propagatedBuildInputs = [ glib gtk3 p11-kit ];
diff --git a/pkgs/tools/security/gnupg/20.nix b/pkgs/tools/security/gnupg/20.nix
index ef348e388342..6336d319997f 100644
--- a/pkgs/tools/security/gnupg/20.nix
+++ b/pkgs/tools/security/gnupg/20.nix
@@ -3,7 +3,7 @@
 # Each of the dependencies below are optional.
 # Gnupg can be built without them at the cost of reduced functionality.
-, pinentry ? null, guiSupport ? false
+, pinentry ? null, guiSupport ? true
 , openldap ? null, bzip2 ? null, libusb ? null, curl ? null }:
diff --git a/pkgs/tools/security/gnupg/22.nix b/pkgs/tools/security/gnupg/22.nix
index f62f10c8cf9d..e2f460e7e308 100644
--- a/pkgs/tools/security/gnupg/22.nix
+++ b/pkgs/tools/security/gnupg/22.nix
@@ -4,7 +4,7 @@
 # Each of the dependencies below are optional.
 # Gnupg can be built without them at the cost of reduced functionality.
-, pinentry ? null, guiSupport ? false
+, pinentry ? null, guiSupport ? true
 , adns ? null, gnutls ? null, libusb ? null, openldap ? null
 , readline ? null, zlib ? null, bzip2 ? null }:
diff --git a/pkgs/tools/security/kwalletcli/default.nix b/pkgs/tools/security/kwalletcli/default.nix
index 9356e2f53f94..fedf3421fb1c 100644
--- a/pkgs/tools/security/kwalletcli/default.nix
+++ b/pkgs/tools/security/kwalletcli/default.nix
@@ -1,5 +1,5 @@
 { mkDerivation, fetchFromGitHub, lib, makeWrapper, pkgconfig
-, kcoreaddons, ki18n, kwallet, mksh, pinentry-qt }:
+, kcoreaddons, ki18n, kwallet, mksh, pinentry_qt5 }:
 mkDerivation rec {
 pname = "kwalletcli";
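Review bot: Flipping the default to `guiSupport ? true` in 20.nix changes the result for every caller that does not pass guiSupport, not only the all-packages call sites that drop their explicit `guiSupport = stdenv.isDarwin` in the same commit; the identical hunk in 22.nix has the same effect. `pinentry` keeps its `null` default on the same line, so `guiSupport = true` together with `pinentry = null` becomes the default combination for anyone calling these files directly, and whether the body tolerates that pairing cannot be seen from this hunk. Since the comment above the argument only says the dependencies are optional, a short comment on the changed line stating what guiSupport actually gates and why true is now the default would make the new behaviour explicit to overriders.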
@@ -36,7 +36,7 @@ mkDerivation rec {
 postInstall = ''
 wrapProgram $out/bin/pinentry-kwallet \
- --prefix PATH : $out/bin:${lib.makeBinPath [ pinentry-qt ]} \
+ --prefix PATH : $out/bin:${lib.makeBinPath [ pinentry_qt5 ]} \
 --set-default PINENTRY pinentry-qt
 '';
diff --git a/pkgs/tools/security/pinentry/default.nix b/pkgs/tools/security/pinentry/default.nix
index 87edc914131d..160816a8cb72 100644
--- a/pkgs/tools/security/pinentry/default.nix
+++ b/pkgs/tools/security/pinentry/default.nix
@@ -1,93 +1,60 @@ -{ fetchurl, mkDerivation, fetchpatch, stdenv, lib, pkgconfig, autoreconfHook, wrapGAppsHook -, libgpgerror, libassuan, qtbase, wrapQtAppsHook -, ncurses, gtk2, gcr -, libcap ? null, libsecret ? null -, enabledFlavors ? [ "curses" "tty" "gtk2" "qt" "gnome3" "emacs" ] +{ fetchurl, fetchpatch, stdenv, lib, pkgconfig, autoreconfHook +, libgpgerror, libassuan +, libcap ? null, libsecret ? null, ncurses ? null, gtk2 ? null, gcr ? null +, qt4 ? null, qt5 ? null +, enableEmacs ? false }: -with stdenv.lib; - -assert isList enabledFlavors && enabledFlavors != []; +assert qt5 != null -> qt4 == null; +assert qt4 != null -> qt5 == null; let - pinentryMkDerivation = - if (builtins.elem "qt" enabledFlavors) - then mkDerivation + mkDerivation = + if qt5 != null + then qt5.mkDerivation else stdenv.mkDerivation; - - mkFlag = pfxTrue: pfxFalse: cond: name: - "--${if cond then pfxTrue else pfxFalse}-${name}"; - mkEnable = mkFlag "enable" "disable"; - mkWith = mkFlag "with" "without"; - - mkEnablePinentry = f: - let - info = flavorInfo.${f}; - flag = flavorInfo.${f}.flag or null; - in - optionalString (flag != null) - (mkEnable (elem f enabledFlavors) ("pinentry-" + flag)); - - flavorInfo = { - curses = { bin = "curses"; flag = "curses"; buildInputs = [ ncurses ]; }; - tty = { bin = "tty"; flag = "tty"; }; - gtk2 = { bin = "gtk-2"; flag = "gtk2"; buildInputs = [ gtk2 ]; }; - gnome3 = { bin = "gnome3"; flag = "gnome3"; buildInputs = [ gcr ]; nativeBuildInputs = [ wrapGAppsHook ]; }; - qt = { bin = "qt"; flag = "qt"; buildInputs = [ qtbase ]; nativeBuildInputs = [ wrapQtAppsHook ]; }; - emacs = { bin = "emacs"; flag = "emacs"; buildInputs = []; }; - }; - in -pinentryMkDerivation rec { - pname = "pinentry"; - version = "1.1.0"; +mkDerivation rec { + name = "pinentry-1.1.0"; src = fetchurl { - url = "mirror://gnupg/pinentry/${pname}-${version}.tar.bz2"; + url = "mirror://gnupg/pinentry/${name}.tar.bz2"; sha256 = "0w35ypl960pczg5kp6km3dyr000m1hf0vpwwlh72jjkjza36c1v8"; }; 
- nativeBuildInputs = [ pkgconfig autoreconfHook ] - ++ concatMap(f: flavorInfo.${f}.nativeBuildInputs or []) enabledFlavors; - buildInputs = [ libgpgerror libassuan libcap libsecret ] - ++ concatMap(f: flavorInfo.${f}.buildInputs or []) enabledFlavors; + nativeBuildInputs = [ pkgconfig autoreconfHook ]; + buildInputs = + [ libgpgerror libassuan libcap libsecret gtk2 gcr ncurses qt4 ] + ++ stdenv.lib.optional (qt5 != null) qt5.qtbase; - dontWrapGApps = true; - dontWrapQtApps = true; + prePatch = '' + substituteInPlace pinentry/pinentry-curses.c --replace ncursesw ncurses + ''; patches = [ ./autoconf-ar.patch - ] ++ optionals (elem "gtk2" enabledFlavors) [ + ] ++ lib.optionals (gtk2 != null) [ (fetchpatch { - url = "https://salsa.debian.org/debian/pinentry/raw/debian/1.1.0-1/debian/patches/0007-gtk2-When-X11-input-grabbing-fails-try-again-over-0..patch"; + url = "https://salsa.debian.org/debian/pinentry/raw/debian/1.1.0-1/debian/patches/" + + "0007-gtk2-When-X11-input-grabbing-fails-try-again-over-0..patch"; sha256 = "15r1axby3fdlzz9wg5zx7miv7gqx2jy4immaw4xmmw5skiifnhfd"; }) ]; configureFlags = [ - (mkWith (libcap != null) "libcap") - (mkEnable (libsecret != null) "libsecret") - ] ++ (map mkEnablePinentry (attrNames flavorInfo)); - - postInstall = - concatStrings (flip map enabledFlavors (f: - let - binary = "pinentry-" + flavorInfo.${f}.bin; - in '' - moveToOutput bin/${binary} ${placeholder f} - ln -sf ${placeholder f}/bin/${binary} ${placeholder f}/bin/pinentry - '' + optionalString (f == "gnome3") '' - wrapGApp ${placeholder f}/bin/${binary} - '' + optionalString (f == "qt") '' - wrapQtApp ${placeholder f}/bin/${binary} - '')) + '' - ln -sf ${placeholder (head enabledFlavors)}/bin/pinentry-${flavorInfo.${head enabledFlavors}.bin} $out/bin/pinentry - ''; - - outputs = [ "out" ] ++ enabledFlavors; - - passthru = { flavors = enabledFlavors; }; + (stdenv.lib.withFeature (libcap != null) "libcap") + (stdenv.lib.enableFeature (libsecret != null) "libsecret") + 
(stdenv.lib.enableFeature (ncurses != null) "pinentry-curses") + (stdenv.lib.enableFeature true "pinentry-tty") + (stdenv.lib.enableFeature enableEmacs "pinentry-emacs") + (stdenv.lib.enableFeature (gtk2 != null) "pinentry-gtk2") + (stdenv.lib.enableFeature (gcr != null) "pinentry-gnome3") + (stdenv.lib.enableFeature (qt4 != null || qt5 != null) "pinentry-qt") + + "--with-libassuan-prefix=${libassuan.dev}" + "--with-libgpg-error-prefix=${libgpgerror.dev}" + ]; meta = with stdenv.lib; { homepage = http://gnupg.org/aegypten2/; @@ -98,6 +65,6 @@ pinentryMkDerivation rec { Pinentry provides a console and (optional) GTK and Qt GUIs allowing users to enter a passphrase when `gpg' or `gpg2' is run and needs it. ''; - maintainers = with maintainers; [ ttuegel fpletz ]; + maintainers = [ maintainers.ttuegel ]; }; } diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix index 127bf8b2cdf0..d4617a635f14 100644 --- a/pkgs/top-level/aliases.nix +++ b/pkgs/top-level/aliases.nix @@ -290,11 +290,6 @@ mapAliases ({ pg_hll = postgresqlPackages.pg_hll; pg_cron = postgresqlPackages.pg_cron; pg_topn = postgresqlPackages.pg_topn; - pinentry_curses = pinentry-curses; # added 2019-10-14 - pinentry_emacs = pinentry-emacs; # added 2019-10-14 - pinentry_gtk2 = pinentry-gtk2; # added 2019-10-14 - pinentry_qt = pinentry-qt; # added 2019-10-14 - pinentry_gnome = pinentry-gnome; # added 2019-10-14 postgis = postgresqlPackages.postgis; # end ppl-address-book = throw "deprecated in 2019-05-02: abandoned by upstream."; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index be4e7875a1e9..38b8b521248e 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
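Review bot: The second assertion at the top of the rewritten pinentry/default.nix, `assert qt4 != null -> qt5 == null;`, is the contrapositive of the first and checks nothing new; one of the two can go, or both can be replaced by a single `assert !(qt4 != null && qt5 != null);`. Reintroducing `qt4 ? null` builds the passphrase-entry dialog against Qt 4, which upstream stopped maintaining in 2015, so that argument deserves at least a comment saying it is kept for legacy consumers only. The rewrite also goes back from `pname`/`version` to a single `name = "pinentry-1.1.0"`, the older nixpkgs convention, which leaves overriders without a `version` attribute. Finally, `prePatch` rewrites `pinentry/pinentry-curses.c` even when `ncurses` is null; harmless, but wrapping it in `lib.optionalString (ncurses != null)` would state the intent.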
@@ -3497,12 +3497,10 @@ in gnupg1compat = callPackage ../tools/security/gnupg/1compat.nix { }; gnupg1 = gnupg1compat; # use config.packageOverrides if you prefer original gnupg1 gnupg20 = callPackage ../tools/security/gnupg/20.nix { - guiSupport = stdenv.isDarwin; - pinentry = if stdenv.isDarwin then pinentry_mac else pinentry_gtk2; + pinentry = if stdenv.isDarwin then pinentry_mac else pinentry; }; gnupg22 = callPackage ../tools/security/gnupg/22.nix { - guiSupport = stdenv.isDarwin; - pinentry = if stdenv.isDarwin then pinentry_mac else pinentry_gtk2; + pinentry = if stdenv.isDarwin then pinentry_mac else pinentry; }; gnupg = gnupg22; @@ -5521,15 +5519,34 @@ in phodav = callPackage ../tools/networking/phodav { }; - pinentry = libsForQt5.callPackage ../tools/security/pinentry { + pinentry = callPackage ../tools/security/pinentry { libcap = if stdenv.isDarwin then null else libcap; + gcr = null; + qt4 = null; + qt5 = null; + }; + + pinentry_ncurses = res.pinentry.override { + gtk2 = null; }; - pinentry-curses = (stdenv.lib.getOutput "curses" pinentry); - pinentry-emacs = (stdenv.lib.getOutput "emacs" pinentry); - pinentry-gtk2 = (stdenv.lib.getOutput "gtk2" pinentry); - pinentry-qt = (stdenv.lib.getOutput "qt" pinentry); - pinentry-gnome = (stdenv.lib.getOutput "gnome" pinentry); + pinentry_emacs = res.pinentry.override { + enableEmacs = true; + }; + + pinentry_gnome = res.pinentry.override { + inherit gcr; + }; + + pinentry_qt4 = res.pinentry.override { + gtk2 = null; + inherit qt4; + }; + + pinentry_qt5 = res.pinentry.override { + gtk2 = null; + inherit qt5; + }; pinentry_mac = callPackage ../tools/security/pinentry/mac.nix { inherit (darwin.apple_sdk.frameworks) Cocoa; -- cgit 1.4.1 From 0256080d11b53acef115d7547ad3e33e7a879e10 Mon Sep 17 00:00:00 2001 
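Review bot: The hyphenated attributes `pinentry-curses`, `pinentry-emacs`, `pinentry-gtk2`, `pinentry-qt` and `pinentry-gnome` are removed in the second hunk, and the aliases.nix hunk in this commit deletes the underscore aliases that pointed at them, so an expression still referencing one of those names now fails with an undefined-attribute error rather than a deprecation message. If any of them was reachable from a channel, a `throw` entry in aliases.nix per name, pointing at the new `pinentry_*` attributes, would give users an actionable error; if this only reverts changes that never shipped, a sentence saying so in the commit message would settle it. Note also that the default `pinentry` now has `gcr`, `qt4` and `qt5` forced to null while gtk2 and ncurses are left to callPackage, which is worth a one-line comment above the attribute since the variants below are defined by overriding it.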
From: Frederik Rietdijk Date: Thu, 17 Oct 2019 13:59:52 +0200 Subject: nixos/pppd: add description for peers, unbreaks metrics job and channel services.pppd.peers was lacking a description, causing a trace warning resulting in a parse error in the metrics job.
--- nixos/modules/services/networking/pppd.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'nixos')
diff --git a/nixos/modules/services/networking/pppd.nix b/nixos/modules/services/networking/pppd.nix
index db1359117644..e96c27bd84b4 100644
--- a/nixos/modules/services/networking/pppd.nix
+++ b/nixos/modules/services/networking/pppd.nix
@@ -23,6 +23,7 @@ in
 peers = mkOption {
 default = {};
+ description = "pppd peers.";
 type = types.attrsOf (types.submodule (
 { name, ... }:
 {
-- cgit 1.4.1
From b788467ec4612e6468dc060827927f3b1efa6cda Mon Sep 17 00:00:00 2001 From: Dima Date: Wed, 16 Oct 2019 11:43:34 +0200 Subject: prometheus-blackbox-exporter: fixing path issue This fixes an issue with a recent addition of a config file check in c28ded36ef50cb80796c6bd946754abfb47ffa28. Previously it was possible to supply a path as a string to `configFile`. Now it will fail checking the config file during evaluation of the module due to sandboxing. A toggle to disable the check, more informative log messages and handling for various configFile values are added.
--- .../monitoring/prometheus/exporters/blackbox.nix | 53 ++++++++++++++++++---- 1 file changed, 43 insertions(+), 10 deletions(-) (limited to 'nixos')
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix b/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix
index ca4366121e12..8a90afa99842 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix
@@ -3,16 +3,34 @@ with lib;
 let
+ logPrefix = "services.prometheus.exporter.blackbox";
 cfg = config.services.prometheus.exporters.blackbox;
- checkConfig = file: pkgs.runCommand "checked-blackbox-exporter.conf" {
- preferLocalBuild = true;
- buildInputs = [ pkgs.buildPackages.prometheus-blackbox-exporter ]; } ''
- ln -s ${file} $out
- blackbox_exporter --config.check --config.file $out
- '';
-in
-{
+ # This ensures that we can deal with string paths, path types and
+ # store-path strings with context.
+ coerceConfigFile = file:
+ if (builtins.isPath file) || (lib.isStorePath file) then
+ file
+ else
+ (lib.warn ''
+ ${logPrefix}: configuration file "${file}" is being copied to the nix-store.
+ If you would like to avoid that, please set enableConfigCheck to false.
+ '' /. + file);
+ checkConfigLocation = file:
+ if lib.hasPrefix "/tmp/" file then
+ throw
+ "${logPrefix}: configuration file must not reside within /tmp - it won't be visible to the systemd service."
+ else
+ true;
+ checkConfig = file:
+ pkgs.runCommand "checked-blackbox-exporter.conf" {
+ preferLocalBuild = true;
+ buildInputs = [ pkgs.buildPackages.prometheus-blackbox-exporter ];
+ } ''
+ ln -s ${coerceConfigFile file} $out
+ blackbox_exporter --config.check --config.file $out
+ '';
+in {
 port = 9115;
 extraOpts = {
 configFile = mkOption {
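Review bot: `checkConfigLocation` returns `true` on its non-/tmp branch, but the second hunk of this commit interpolates its result into ExecStart as `--config.file ${adjustedConfigFile}` whenever `enableConfigCheck = false`, and Nix cannot coerce a Boolean to a string, so disabling the check produces an evaluation error instead of a running service. The fix is to return the file itself: change `true;` to `file;` at the end of `checkConfigLocation`. `lib.hasPrefix` also expects a string, so if `configFile` is given as a path value the prefix test presumably coerces it (the option's type is not visible here); a `builtins.isPath file` guard mirroring the one in `coerceConfigFile` would keep the /tmp check meaningful for both forms.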
@@ -21,14 +39,29 @@ in
 Path to configuration file.
 '';
 };
+ enableConfigCheck = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to run a correctness check for the configuration file. This depends
+ on the configuration file residing in the nix-store. Paths passed as string will
+ be copied to the store.
+ '';
+ };
 };
- serviceOpts = {
+
+ serviceOpts = let
+ adjustedConfigFile = if cfg.enableConfigCheck then
+ checkConfig cfg.configFile
+ else
+ checkConfigLocation cfg.configFile;
+ in {
 serviceConfig = {
 AmbientCapabilities = [ "CAP_NET_RAW" ]; # for ping probes
 ExecStart = ''
 ${pkgs.prometheus-blackbox-exporter}/bin/blackbox_exporter \
 --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
- --config.file ${checkConfig cfg.configFile} \
+ --config.file ${adjustedConfigFile} \
 ${concatStringsSep " \\\n " cfg.extraFlags}
 '';
 ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-- cgit 1.4.1
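Review bot: The `enableConfigCheck` description says string paths "will be copied to the store" but not what that implies: everything under the Nix store is world-readable, and blackbox_exporter modules can carry HTTP credentials and TLS client key material, so a configuration file holding secrets must not be routed through the check. Suggested description: `Whether to run a correctness check for the configuration file. This depends on the configuration file residing in the nix-store; paths passed as strings will be copied there, which makes the file world-readable. Disable this if the configuration contains credentials.` The same caveat belongs in the `lib.warn` message emitted by `coerceConfigFile` in the first hunk, since that warning is what a user actually sees at evaluation time.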