From 00ae655e639e620ee5dcfd6f1bd9ccb4e337eea1 Mon Sep 17 00:00:00 2001
From: tu-maurice
Date: Mon, 19 Sep 2022 22:46:53 +0200
Subject: btrbk: Use sudo or doas based on configuration
---
 nixos/modules/services/backup/btrbk.nix | 57 ++++++++++++++++++++++++---------
 1 file changed, 42 insertions(+), 15 deletions(-)
(limited to 'nixos')
diff --git a/nixos/modules/services/backup/btrbk.nix b/nixos/modules/services/backup/btrbk.nix
index b6eb68cc43f1..b838c174553d 100644
--- a/nixos/modules/services/backup/btrbk.nix
+++ b/nixos/modules/services/backup/btrbk.nix
@@ -47,7 +47,12 @@ let
 then [ "${name} ${value}" ]
 else concatLists (mapAttrsToList (genSection name) value);
- addDefaults = settings: { backend = "btrfs-progs-sudo"; } // settings;
+ sudo_doas =
+ if config.security.sudo.enable then "sudo"
+ else if config.security.doas.enable then "doas"
+ else throw "The btrbk nixos module needs either sudo or doas enabled in the configuration";
+
+ addDefaults = settings: { backend = "btrfs-progs-${sudo_doas}"; } // settings;
 mkConfigFile = name: settings: pkgs.writeTextFile {
 name = "btrbk-${name}.conf";
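Review bot: The `sudo_doas` binding reports a missing privilege backend with a bare `throw` and, when both `security.sudo.enable` and `security.doas.enable` are set, silently prefers sudo, which nothing in the resulting configuration makes visible. NixOS modules conventionally express such requirements through `assertions`, which gives the user the option path in the error instead of an evaluation trace; `assertions = [ { assertion = config.security.sudo.enable || config.security.doas.enable; message = "services.btrbk needs security.sudo or security.doas enabled"; } ];` in the config block would do that, with the `throw` kept only as a last resort. A one-line comment above the `if` chain, `# sudo wins when both are enabled`, would document the precedence. Whether existing systems keep working depends on the default of `security.sudo.enable`, which is not shown in this hunk; the `let` block continues outside it.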
@@ -152,20 +157,41 @@ in
 };
 config = mkIf (sshEnabled || serviceEnabled) {
 environment.systemPackages = [ pkgs.btrbk ] ++ cfg.extraPackages;
- security.sudo.extraRules = [
- {
- users = [ "btrbk" ];
- commands = [
- { command = "${pkgs.btrfs-progs}/bin/btrfs"; options = [ "NOPASSWD" ]; }
- { command = "${pkgs.coreutils}/bin/mkdir"; options = [ "NOPASSWD" ]; }
- { command = "${pkgs.coreutils}/bin/readlink"; options = [ "NOPASSWD" ]; }
- # for ssh, they are not the same than the one hard coded in ${pkgs.btrbk}
- { command = "/run/current-system/bin/btrfs"; options = [ "NOPASSWD" ]; }
- { command = "/run/current-system/sw/bin/mkdir"; options = [ "NOPASSWD" ]; }
- { command = "/run/current-system/sw/bin/readlink"; options = [ "NOPASSWD" ]; }
+ security.sudo = mkIf (sudo_doas == "sudo") {
+ extraRules = [
+ {
+ users = [ "btrbk" ];
+ commands = [
+ { command = "${pkgs.btrfs-progs}/bin/btrfs"; options = [ "NOPASSWD" ]; }
+ { command = "${pkgs.coreutils}/bin/mkdir"; options = [ "NOPASSWD" ]; }
+ { command = "${pkgs.coreutils}/bin/readlink"; options = [ "NOPASSWD" ]; }
+ # for ssh, they are not the same than the one hard coded in ${pkgs.btrbk}
+ { command = "/run/current-system/bin/btrfs"; options = [ "NOPASSWD" ]; }
+ { command = "/run/current-system/sw/bin/mkdir"; options = [ "NOPASSWD" ]; }
+ { command = "/run/current-system/sw/bin/readlink"; options = [ "NOPASSWD" ]; }
+ ];
+ }
+ ];
+ };
+ security.doas = mkIf (sudo_doas == "doas") {
+ extraRules = let
+ doasCmdNoPass = cmd: { users = [ "btrbk" ]; cmd = cmd; noPass = true; };
+ in
+ [
+ (doasCmdNoPass "${pkgs.btrfs-progs}/bin/btrfs")
+ (doasCmdNoPass "${pkgs.coreutils}/bin/mkdir")
+ (doasCmdNoPass "${pkgs.coreutils}/bin/readlink")
+ # for ssh, they are not the same than the one hard coded in ${pkgs.btrbk}
+ (doasCmdNoPass "/run/current-system/bin/btrfs")
+ (doasCmdNoPass "/run/current-system/sw/bin/mkdir")
+ (doasCmdNoPass "/run/current-system/sw/bin/readlink")
+
+ # doas matches command, not binary
+ (doasCmdNoPass 
"btrfs")
+ (doasCmdNoPass "mkdir")
+ (doasCmdNoPass "readlink")
 ];
- }
- ];
+ };
 users.users.btrbk = {
 isSystemUser = true;
 # ssh needs a home directory
@@ -183,8 +209,9 @@ in
 "best-effort" = 2;
 "realtime" = 1;
 }.${cfg.ioSchedulingClass};
+ sudo_doas_flag = "--${sudo_doas}";
 in
- ''command="${pkgs.util-linux}/bin/ionice -t -c ${toString ioniceClass} ${optionalString (cfg.niceness >= 1) "${pkgs.coreutils}/bin/nice -n ${toString cfg.niceness}"} ${pkgs.btrbk}/share/btrbk/scripts/ssh_filter_btrbk.sh --sudo ${options}" ${v.key}''
+ ''command="${pkgs.util-linux}/bin/ionice -t -c ${toString ioniceClass} ${optionalString (cfg.niceness >= 1) "${pkgs.coreutils}/bin/nice -n ${toString cfg.niceness}"} ${pkgs.btrbk}/share/btrbk/scripts/ssh_filter_btrbk.sh ${sudo_doas_flag} ${options}" ${v.key}''
 ) cfg.sshAccess;
 };
-- cgit 1.4.1
From 3144b00d2486ca5d85098a688a76a5e945de411d Mon Sep 17 00:00:00 2001
From: tu-maurice
Date: Sun, 2 Oct 2022 12:42:57 +0200
Subject: btrbk: add doas variant of module test
---
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/btrbk-doas.nix | 114 ++++++++++++++++++++++++++++++++++++
 pkgs/tools/backup/btrbk/default.nix | 2 +-
 3 files changed, 116 insertions(+), 1 deletion(-)
 create mode 100644 nixos/tests/btrbk-doas.nix
(limited to 'nixos')
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 96330bd40f60..59df1e9e3961 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -102,6 +102,7 @@ in {
 breitbandmessung = handleTest ./breitbandmessung.nix {};
 brscan5 = handleTest ./brscan5.nix {};
 btrbk = handleTest ./btrbk.nix {};
+ btrbk-doas = handleTest ./btrbk-doas.nix {};
 btrbk-no-timer = handleTest ./btrbk-no-timer.nix {};
 btrbk-section-order = handleTest ./btrbk-section-order.nix {};
 buildbot = handleTest ./buildbot.nix {};
diff --git a/nixos/tests/btrbk-doas.nix b/nixos/tests/btrbk-doas.nix
new file mode 100644
index 000000000000..1e3f8d56addb
--- /dev/null
+++ b/nixos/tests/btrbk-doas.nix
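Review bot: The three bare-name rules `(doasCmdNoPass "btrfs")`, `(doasCmdNoPass "mkdir")` and `(doasCmdNoPass "readlink")` grant the btrbk user passwordless root for any invocation whose command name is one of those, whereas every sudo rule and the six doas rules above them pin an absolute path; the comment `# doas matches command, not binary` says why they are needed but not what they widen. Which binary then runs depends on how doas resolves a bare command (its PATH handling is not visible here), so a comment such as `# name-only match: doas resolves the binary via its own PATH, so the grant is as wide as that PATH` would make the trade-off explicit, and if the doas module exposes that path the rules could be narrowed to it. As in the sudo variant, no rule restricts arguments, so `mkdir` and `readlink` remain arbitrary-argument root commands — not new in this commit, but worth a sentence in the module's option documentation.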
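Review bot: `sudo_doas_flag = "--${sudo_doas}"` hands `--doas` to `ssh_filter_btrbk.sh` from `${pkgs.btrbk}`, so the module now depends on the packaged btrbk shipping a filter script that accepts that flag, and nothing in this hunk checks that it does. A comment at the binding, `# ssh_filter_btrbk.sh must accept --doas; verify against the packaged btrbk version`, or an assertion on the package version would keep module and package in step. The `let` block this line belongs to starts outside the hunk.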
@@ -0,0 +1,114 @@
+import ./make-test-python.nix ({ pkgs, ... }:
+
+ let
+ privateKey = ''
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+ QyNTUxOQAAACBx8UB04Q6Q/fwDFjakHq904PYFzG9pU2TJ9KXpaPMcrwAAAJB+cF5HfnBe
+ RwAAAAtzc2gtZWQyNTUxOQAAACBx8UB04Q6Q/fwDFjakHq904PYFzG9pU2TJ9KXpaPMcrw
+ AAAEBN75NsJZSpt63faCuaD75Unko0JjlSDxMhYHAPJk2/xXHxQHThDpD9/AMWNqQer3Tg
+ 9gXMb2lTZMn0pelo8xyvAAAADXJzY2h1ZXR6QGt1cnQ=
+ -----END OPENSSH PRIVATE KEY-----
+ '';
+ publicKey = ''
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHHxQHThDpD9/AMWNqQer3Tg9gXMb2lTZMn0pelo8xyv
+ '';
+ in
+ {
+ name = "btrbk-doas";
+ meta = with pkgs.lib; {
+ maintainers = with maintainers; [ symphorien tu-maurice ];
+ };
+
+ nodes = {
+ archive = { ... }: {
+ security.sudo.enable = false;
+ security.doas.enable = true;
+ environment.systemPackages = with pkgs; [ btrfs-progs ];
+ # note: this makes the privateKey world readable.
+ # don't do it with real ssh keys.
+ environment.etc."btrbk_key".text = privateKey;
+ services.btrbk = {
+ extraPackages = [ pkgs.lz4 ];
+ instances = {
+ remote = {
+ onCalendar = "minutely";
+ settings = {
+ ssh_identity = "/etc/btrbk_key";
+ ssh_user = "btrbk";
+ stream_compress = "lz4";
+ volume = {
+ "ssh://main/mnt" = {
+ target = "/mnt";
+ snapshot_dir = "btrbk/remote";
+ subvolume = "to_backup";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ main = { ... 
}: {
+ security.sudo.enable = false;
+ security.doas.enable = true;
+ environment.systemPackages = with pkgs; [ btrfs-progs ];
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ kbdInteractiveAuthentication = false;
+ };
+ services.btrbk = {
+ extraPackages = [ pkgs.lz4 ];
+ sshAccess = [
+ {
+ key = publicKey;
+ roles = [ "source" "send" "info" "delete" ];
+ }
+ ];
+ instances = {
+ local = {
+ onCalendar = "minutely";
+ settings = {
+ volume = {
+ "/mnt" = {
+ snapshot_dir = "btrbk/local";
+ subvolume = "to_backup";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ testScript = ''
+ start_all()
+
+ # create btrfs partition at /mnt
+ for machine in (archive, main):
+ machine.succeed("dd if=/dev/zero of=/data_fs bs=120M count=1")
+ machine.succeed("mkfs.btrfs /data_fs")
+ machine.succeed("mkdir /mnt")
+ machine.succeed("mount /data_fs /mnt")
+
+ # what to backup and where
+ main.succeed("btrfs subvolume create /mnt/to_backup")
+ main.succeed("mkdir -p /mnt/btrbk/{local,remote}")
+
+ # check that local snapshots work
+ with subtest("local"):
+ main.succeed("echo foo > /mnt/to_backup/bar")
+ main.wait_until_succeeds("cat /mnt/btrbk/local/*/bar | grep foo")
+ main.succeed("echo bar > /mnt/to_backup/bar")
+ main.succeed("cat /mnt/btrbk/local/*/bar | grep foo")
+
+ # check that btrfs send/receive works and ssh access works
+ with subtest("remote"):
+ archive.wait_until_succeeds("cat /mnt/*/bar | grep bar")
+ main.succeed("echo baz > /mnt/to_backup/bar")
+ archive.succeed("cat /mnt/*/bar | grep bar")
+ '';
+ })
diff --git a/pkgs/tools/backup/btrbk/default.nix b/pkgs/tools/backup/btrbk/default.nix
index e1aaafa3d1f6..34bd7c56178d 100644
--- a/pkgs/tools/backup/btrbk/default.nix
+++ b/pkgs/tools/backup/btrbk/default.nix
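Review bot: Apart from the `security.sudo.enable = false;` / `security.doas.enable = true;` pair on both nodes and the test name, this new file appears to be a copy of the existing btrbk test registered as `./btrbk.nix` in all-tests.nix (inferred from the commit title; that file is not in this patch), embedded test key and full testScript included. Factoring the shared body into a function that takes the privilege backend as a parameter and is imported by both tests would stop the two variants drifting apart when the module or the test changes. If that is too invasive for this commit, a header comment such as `# doas variant of btrbk.nix; keep both in sync` would at least record the relationship.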
@@ -54,7 +54,7 @@ stdenv.mkDerivation rec {
 '';
 passthru.tests = {
- inherit (nixosTests) btrbk btrbk-no-timer btrbk-section-order;
+ inherit (nixosTests) btrbk btrbk-no-timer btrbk-section-order btrbk-doas;
 };
 passthru.updateScript = genericUpdater {
-- cgit 1.4.1
From 9fdd97298b6b8b0a8385ada8b81d9d1d56ed7c34 Mon Sep 17 00:00:00 2001
From: Tristan Ross
Date: Fri, 30 Dec 2022 13:50:57 -0800
Subject: nixos/java: add binfmt option
---
 nixos/modules/programs/java.nix | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
(limited to 'nixos')
diff --git a/nixos/modules/programs/java.nix b/nixos/modules/programs/java.nix
index 4f03c1f3ff25..c5f83858d06a 100644
--- a/nixos/modules/programs/java.nix
+++ b/nixos/modules/programs/java.nix
@@ -8,7 +8,6 @@ with lib;
 let
 cfg = config.programs.java;
 in
-
 {
 options = {
@@ -40,12 +39,35 @@ in
 type = types.package;
 };
+ binfmt = mkEnableOption (lib.mdDoc "binfmt to execute java jar's and classes");
+
 };
 };
 config = mkIf cfg.enable {
+ boot.binfmt.registrations = mkIf cfg.binfmt {
+ java-class = {
+ recognitionType = "extension";
+ magicOrExtension = "class";
+ interpreter = pkgs.writeShellScript "java-class-wrapper" ''
+ test -e ${cfg.package}/nix-support/setup-hook && source ${cfg.package}/nix-support/setup-hook
+ classpath=$(dirname "$1")
+ class=$(basename "''${1%%.class}")
+ $JAVA_HOME/bin/java -classpath "$classpath" "$class" "''${@:2}"
+ '';
+ };
+ java-jar = {
+ recognitionType = "extension";
+ magicOrExtension = "jar";
+ interpreter = pkgs.writeShellScript "java-jar-wrapper" ''
+ test -e ${cfg.package}/nix-support/setup-hook && source ${cfg.package}/nix-support/setup-hook
+ $JAVA_HOME/bin/java -jar "$@"
+ '';
+ };
+ };
+
 environment.systemPackages = [ cfg.package ];
 environment.shellInit = ''
-- cgit 1.4.1
From 9e8f51fc6c934e671bc3a5ae7cb900df0a4cd0b4 Mon Sep 17 00:00:00 2001
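Review bot: Both wrapper scripts in the java.nix hunk run `$JAVA_HOME/bin/java` even when the `test -e ... && source ...` guard finds no setup hook, in which case `JAVA_HOME` is unset and the interpreter degrades to `/bin/java`, an unhelpful "not found" for every `.class` or `.jar` execution. Defaulting to the configured package before the call, `: "''${JAVA_HOME:=${cfg.package}}"` in both `java-class-wrapper` and `java-jar-wrapper` (or invoking `${cfg.package}/bin/java` directly), makes the registration work whenever `cfg.package` provides a java binary. Since an extension-based binfmt registration makes any executable `.jar`/`.class` file on the system directly runnable, the `binfmt` option description should state that consequence so users opting in understand what they enable. The enclosing `config = mkIf cfg.enable {` attribute set continues past the hunk.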
From: nachoslover813260 <115492109+nachoslover813260@users.noreply.github.com>
Date: Mon, 9 Jan 2023 10:59:14 +0700
Subject: Adding Ark as a file archiver
Since the default plasma desktop already got dolphin-plugins adding ark for archiving would make plasma desktop more complete as well
---
 nixos/modules/services/x11/desktop-managers/plasma5.nix | 1 +
 1 file changed, 1 insertion(+)
(limited to 'nixos')
diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix
index 73322696aeac..503d49441e03 100644
--- a/nixos/modules/services/x11/desktop-managers/plasma5.nix
+++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix
@@ -440,6 +440,7 @@ in
 spectacle
 systemsettings
+ ark
 dolphin
 dolphin-plugins
 ffmpegthumbs
-- cgit 1.4.1
From 4b0bc9ea727d682e9c1c19bba850e81cfb623d9d Mon Sep 17 00:00:00 2001
From: nachoslover813260 <115492109+nachoslover813260@users.noreply.github.com>
Date: Sat, 11 Mar 2023 19:37:53 +0700
Subject: nixos/plasma5: add ark as an optional package instead
---
 nixos/modules/services/x11/desktop-managers/plasma5.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'nixos')
diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix
index 503d49441e03..f0c4b2172f9d 100644
--- a/nixos/modules/services/x11/desktop-managers/plasma5.nix
+++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix
@@ -440,7 +440,6 @@ in
 spectacle
 systemsettings
- ark
 dolphin
 dolphin-plugins
 ffmpegthumbs
@@ -449,6 +448,7 @@ in
 kio-extras
 ];
 optionalPackages = [
+ ark
 elisa
 gwenview
 okular
-- cgit 1.4.1