authorKatharina Fey <kookie@spacekookie.de>2019-10-23 12:12:59 +0000
committerKatharina Fey <kookie@spacekookie.de>2019-10-23 12:12:59 +0000
commit3547597c8c5db5e40e66119587777910e780da3d (patch)
treed5f54a723ee6bb380b918cea195762d271a98ba0 /nixpkgs/nixos
parent0f74f62ee25ac2d21bd67c29b8efc3ad079a72a8 (diff)
parentf35f0880f2cdbc8c1bc81492811251f120d7a9bc (diff)
Merge commit 'f35f0880f2cdbc8c1bc81492811251f120d7a9bc' into bump-nixpkgs
Diffstat (limited to 'nixpkgs/nixos')
-rw-r--r--nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml2
-rw-r--r--nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml13
-rw-r--r--nixpkgs/nixos/lib/make-iso9660-image.nix6
-rw-r--r--nixpkgs/nixos/modules/config/system-environment.nix7
-rw-r--r--nixpkgs/nixos/modules/module-list.nix1
-rw-r--r--nixpkgs/nixos/modules/programs/environment.nix2
-rw-r--r--nixpkgs/nixos/modules/services/amqp/rabbitmq.nix10
-rw-r--r--nixpkgs/nixos/modules/services/backup/borgbackup.nix25
-rw-r--r--nixpkgs/nixos/modules/services/databases/mysql.nix10
-rw-r--r--nixpkgs/nixos/modules/services/misc/gitlab.nix2
-rw-r--r--nixpkgs/nixos/modules/services/misc/matrix-synapse.nix40
-rw-r--r--nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix53
-rw-r--r--nixpkgs/nixos/modules/services/networking/firewall.nix15
-rw-r--r--nixpkgs/nixos/modules/services/networking/networkmanager.nix25
-rw-r--r--nixpkgs/nixos/modules/services/networking/pppd.nix134
-rw-r--r--nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix4
-rw-r--r--nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix5
-rw-r--r--nixpkgs/nixos/modules/system/boot/plymouth.nix5
-rw-r--r--nixpkgs/nixos/modules/tasks/filesystems/zfs.nix17
-rw-r--r--nixpkgs/nixos/tests/all-tests.nix1
-rw-r--r--nixpkgs/nixos/tests/gnome3-xorg.nix2
-rw-r--r--nixpkgs/nixos/tests/gnome3.nix2
-rw-r--r--nixpkgs/nixos/tests/login.nix6
-rw-r--r--nixpkgs/nixos/tests/nextcloud/with-postgresql-and-redis.nix37
-rw-r--r--nixpkgs/nixos/tests/pantheon.nix2
-rw-r--r--nixpkgs/nixos/tests/plasma5.nix2
-rw-r--r--nixpkgs/nixos/tests/pppd.nix62
-rw-r--r--nixpkgs/nixos/tests/xfce.nix2
-rw-r--r--nixpkgs/nixos/tests/xfce4-14.nix4
29 files changed, 387 insertions, 109 deletions
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml
index 446597e74fe..1b7ca76c2f0 100644
--- a/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml
+++ b/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml
@@ -532,6 +532,8 @@
is set to <literal>/var/lib/gitlab/state</literal>, <literal>gitlab</literal> and all parent directories
must be owned by either <literal>root</literal> or the user specified in <option>services.gitlab.user</option>.
</para>
+ </listitem>
+ <listitem>
<para>
The <option>networking.useDHCP</option> option is unsupported in combination with
<option>networking.useNetworkd</option> in anticipation of defaulting to it by default.
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml
index bdf56acd545..ab0951e831c 100644
--- a/nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml
+++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml
@@ -36,6 +36,19 @@
quirk in the boot menu.
</para>
</listitem>
+ <listitem>
+ <para>
+ By default zfs pools will now be trimmed on a weekly basis.
+ Trimming is only done on supported devices (i.e. NVME or SSDs)
+ and should improve throughput and lifetime of these devices.
+ It is controlled by the <varname>services.zfs.trim.enable</varname> varname.
+ The zfs scrub service (<varname>services.zfs.autoScrub.enable</varname>)
+ and the zfs autosnapshot service (<varname>services.zfs.autoSnapshot.enable</varname>)
+ are now only enabled if zfs is set in <varname>config.boot.initrd.supportedFilesystems</varname> or
+ <varname>config.boot.supportedFilesystems</varname>. These lists will automatically contain
+ zfs as soon as any zfs mountpoint is configured in <varname>fileSystems</varname>.
+ </para>
+ </listitem>
</itemizedlist>
</section>
diff --git a/nixpkgs/nixos/lib/make-iso9660-image.nix b/nixpkgs/nixos/lib/make-iso9660-image.nix
index 8cd19b6e187..0f3f2b5b523 100644
--- a/nixpkgs/nixos/lib/make-iso9660-image.nix
+++ b/nixpkgs/nixos/lib/make-iso9660-image.nix
@@ -10,9 +10,9 @@
contents
, # In addition to `contents', the closure of the store paths listed
- # in `packages' are also placed in the Nix store of the CD. This is
- # a list of attribute sets {object, symlink} where `object' if a
- # store path whose closure will be copied, and `symlink' is a
+ # in `storeContents' are also placed in the Nix store of the CD.
+ # This is a list of attribute sets {object, symlink} where `object'
+ # is a store path whose closure will be copied, and `symlink' is a
# symlink to `object' that will be added to the CD.
storeContents ? []
diff --git a/nixpkgs/nixos/modules/config/system-environment.nix b/nixpkgs/nixos/modules/config/system-environment.nix
index 361c3cfc553..4888740ba3d 100644
--- a/nixpkgs/nixos/modules/config/system-environment.nix
+++ b/nixpkgs/nixos/modules/config/system-environment.nix
@@ -88,6 +88,13 @@ in
(mapAttrsToList pamVariable
(zipAttrsWith (n: concatLists)
[
+ # Make sure security wrappers are prioritized without polluting
+ # shell environments with an extra entry. Sessions which depend on
+ # pam for its environment will otherwise have eg. broken sudo. In
+ # particular Gnome Shell sometimes fails to source a proper
+ # environment from a shell.
+ { PATH = [ config.security.wrapperDir ]; }
+
(mapAttrs (n: toList) cfg.sessionVariables)
suffixedVariables
]));
diff --git a/nixpkgs/nixos/modules/module-list.nix b/nixpkgs/nixos/modules/module-list.nix
index 4d177ae9699..5214126ff7e 100644
--- a/nixpkgs/nixos/modules/module-list.nix
+++ b/nixpkgs/nixos/modules/module-list.nix
@@ -666,6 +666,7 @@
./services/networking/polipo.nix
./services/networking/powerdns.nix
./services/networking/pdns-recursor.nix
+ ./services/networking/pppd.nix
./services/networking/pptpd.nix
./services/networking/prayer.nix
./services/networking/privoxy.nix
diff --git a/nixpkgs/nixos/modules/programs/environment.nix b/nixpkgs/nixos/modules/programs/environment.nix
index fcffb213498..38bdabb4fa8 100644
--- a/nixpkgs/nixos/modules/programs/environment.nix
+++ b/nixpkgs/nixos/modules/programs/environment.nix
@@ -21,8 +21,6 @@ in
PAGER = mkDefault "less -R";
EDITOR = mkDefault "nano";
XDG_CONFIG_DIRS = [ "/etc/xdg" ]; # needs to be before profile-relative paths to allow changes through environment.etc
- GTK_DATA_PREFIX = "${config.system.path}"; # needed for gtk2 apps to find themes
- GTK_EXE_PREFIX = "${config.system.path}";
};
environment.profiles = mkAfter
diff --git a/nixpkgs/nixos/modules/services/amqp/rabbitmq.nix b/nixpkgs/nixos/modules/services/amqp/rabbitmq.nix
index 38d10923494..697732426cc 100644
--- a/nixpkgs/nixos/modules/services/amqp/rabbitmq.nix
+++ b/nixpkgs/nixos/modules/services/amqp/rabbitmq.nix
@@ -80,10 +80,12 @@ in {
configItems = mkOption {
default = {};
type = types.attrsOf types.str;
- example = {
- "auth_backends.1.authn" = "rabbit_auth_backend_ldap";
- "auth_backends.1.authz" = "rabbit_auth_backend_internal";
- };
+ example = literalExample ''
+ {
+ "auth_backends.1.authn" = "rabbit_auth_backend_ldap";
+ "auth_backends.1.authz" = "rabbit_auth_backend_internal";
+ }
+ '';
description = ''
Configuration options in RabbitMQ's new config file format,
which is a simple key-value format that can not express nested
diff --git a/nixpkgs/nixos/modules/services/backup/borgbackup.nix b/nixpkgs/nixos/modules/services/backup/borgbackup.nix
index 2ad116a7872..10d42325a6b 100644
--- a/nixpkgs/nixos/modules/services/backup/borgbackup.nix
+++ b/nixpkgs/nixos/modules/services/backup/borgbackup.nix
@@ -8,7 +8,7 @@ let
builtins.substring 0 1 x == "/" # absolute path
|| builtins.substring 0 1 x == "." # relative path
|| builtins.match "[.*:.*]" == null; # not machine:path
-
+
mkExcludeFile = cfg:
# Write each exclude pattern to a new line
pkgs.writeText "excludefile" (concatStringsSep "\n" cfg.exclude);
@@ -104,12 +104,12 @@ let
install = "install -o ${cfg.user} -g ${cfg.group}";
in
nameValuePair "borgbackup-job-${name}" (stringAfter [ "users" ] (''
- # Eensure that the home directory already exists
+ # Ensure that the home directory already exists
# We can't assert createHome == true because that's not the case for root
- cd "${config.users.users.${cfg.user}.home}"
+ cd "${config.users.users.${cfg.user}.home}"
${install} -d .config/borg
${install} -d .cache/borg
- '' + optionalString (isLocalPath cfg.repo) ''
+ '' + optionalString (isLocalPath cfg.repo && !cfg.removableDevice) ''
${install} -d ${escapeShellArg cfg.repo}
''));
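Review bot: The `cd "${config.users.users.${cfg.user}.home}"` line is unchecked, so when the home directory does not exist the following `${install} -d .config/borg` and `.cache/borg` lines create those directories relative to the activation script's current directory instead, which is the opposite of what the `Ensure that the home directory already exists` comment promises. Unless the activation script is run under `set -e` (not visible here), I would write `cd "${config.users.users.${cfg.user}.home}" || exit 1`; the new `&& !cfg.removableDevice` guard itself is fine. The enclosing function starts before the hunk.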
@@ -163,6 +163,13 @@ let
+ " without at least one public key";
};
+ mkRemovableDeviceAssertions = name: cfg: {
+ assertion = !(isLocalPath cfg.repo) -> !cfg.removableDevice;
+ message = ''
+ borgbackup.repos.${name}: repo isn't a local path, thus it can't be a removable device!
+ '';
+ };
+
in {
meta.maintainers = with maintainers; [ dotlambda ];
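Review bot: `mkRemovableDeviceAssertions` depends on `isLocalPath`, whose last clause, visible as context in the first hunk (`builtins.match "[.*:.*]" == null`), compares a partially applied `builtins.match` with `null` instead of matching `x`, so it appears to be always false and only the leading-`/` and leading-`.` tests decide. The new assertion therefore rejects `removableDevice = true` for a bare relative repo such as `backups` while accepting `./backups`, which the assertion message does not explain. The bug is pre-existing, but since this is the first code that branches on it, `|| builtins.match ".*:.*" x == null` (with `x` applied and the regex not wrapped in a character class) is worth fixing in the same change.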
@@ -202,6 +209,12 @@ in {
example = "user@machine:/path/to/repo";
};
+ removableDevice = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Whether the repo (which must be local) is a removable device.";
+ };
+
archiveBaseName = mkOption {
type = types.strMatching "[^/{}]+";
default = "${globalConfig.networking.hostName}-${name}";
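Review bot: The description of the new `removableDevice` option states a constraint but not its effect, which from the earlier hunk is that the activation script stops creating the repository directory. I would write `description = "Whether the repo (which must be local) is a removable device. When true, the repository directory is not created at system activation, so the path must already be mounted when the job runs.";` so a user knows what changes. The job submodule these options belong to continues outside the hunk.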
@@ -511,7 +524,6 @@ in {
type = types.attrsOf (types.submodule (
{ ... }: {
options = {
-
path = mkOption {
type = types.path;
description = ''
@@ -598,7 +610,8 @@ in {
(with config.services.borgbackup; {
assertions =
mapAttrsToList mkPassAssertion jobs
- ++ mapAttrsToList mkKeysAssertion repos;
+ ++ mapAttrsToList mkKeysAssertion repos
+ ++ mapAttrsToList mkRemovableDeviceAssertions jobs;
system.activationScripts = mapAttrs' mkActivationScript jobs;
diff --git a/nixpkgs/nixos/modules/services/databases/mysql.nix b/nixpkgs/nixos/modules/services/databases/mysql.nix
index df74cfc9a26..39192d05948 100644
--- a/nixpkgs/nixos/modules/services/databases/mysql.nix
+++ b/nixpkgs/nixos/modules/services/databases/mysql.nix
@@ -272,8 +272,13 @@ in
port = ${toString cfg.port}
datadir = ${cfg.dataDir}
${optionalString (cfg.bind != null) "bind-address = ${cfg.bind}" }
- ${optionalString (cfg.replication.role == "master" || cfg.replication.role == "slave") "log-bin=mysql-bin"}
- ${optionalString (cfg.replication.role == "master" || cfg.replication.role == "slave") "server-id = ${toString cfg.replication.serverId}"}
+ ${optionalString (cfg.replication.role == "master" || cfg.replication.role == "slave")
+ ''
+ log-bin=mysql-bin-${toString cfg.replication.serverId}
+ log-bin-index=mysql-bin-${toString cfg.replication.serverId}.index
+ relay-log=mysql-relay-bin
+ server-id = ${toString cfg.replication.serverId}
+ ''}
${optionalString (cfg.ensureUsers != [])
''
plugin-load-add = auth_socket.so
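Review bot: Changing the binary log base name on the new `log-bin=mysql-bin-${serverId}` and `log-bin-index=` lines means an existing master upgraded in place starts a fresh log series under a different file name, so a replica positioned on an old `mysql-bin.NNNNNN` file, or any tooling that reads `mysql-bin.index`, will need `CHANGE MASTER` re-run or be repointed. That migration impact belongs in a release note, and the reason for the rename belongs in a comment on these lines, e.g. `# include the server-id in the binlog name so master and slave on one host cannot collide`, if that is the motivation — the hunk does not say. The configuration string this sits in starts and ends outside the hunk.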
@@ -381,6 +386,7 @@ in
( echo "stop slave;"
echo "change master to master_host='${cfg.replication.masterHost}', master_user='${cfg.replication.masterUser}', master_password='${cfg.replication.masterPassword}';"
+ echo "set global slave_exec_mode='IDEMPOTENT';"
echo "start slave;"
) | ${mysql}/bin/mysql -u root -N
''}
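Review bot: The added `set global slave_exec_mode='IDEMPOTENT';` tells the replica to silently skip duplicate-key and key-not-found errors, which hides divergence between master and slave: rows can be missing or stale on the replica while `SHOW SLAVE STATUS` keeps reporting it healthy. Because this is executed unconditionally on every start of a `slave`-role server, it should be opt-in, e.g. a `services.mysql.replication.idempotent` boolean defaulting to `false` that guards this `echo` line, with a description that states the integrity trade-off. The surrounding script begins before the hunk.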
diff --git a/nixpkgs/nixos/modules/services/misc/gitlab.nix b/nixpkgs/nixos/modules/services/misc/gitlab.nix
index 20b87af23a5..34be9d69a46 100644
--- a/nixpkgs/nixos/modules/services/misc/gitlab.nix
+++ b/nixpkgs/nixos/modules/services/misc/gitlab.nix
@@ -649,7 +649,7 @@ in {
"d ${cfg.statePath} 0750 ${cfg.user} ${cfg.group} -"
"d ${cfg.statePath}/builds 0750 ${cfg.user} ${cfg.group} -"
"d ${cfg.statePath}/config 0750 ${cfg.user} ${cfg.group} -"
- "D ${cfg.statePath}/config/initializers 0750 ${cfg.user} ${cfg.group} -"
+ "d ${cfg.statePath}/config/initializers 0750 ${cfg.user} ${cfg.group} -"
"d ${cfg.statePath}/db 0750 ${cfg.user} ${cfg.group} -"
"d ${cfg.statePath}/log 0750 ${cfg.user} ${cfg.group} -"
"d ${cfg.statePath}/repositories 2770 ${cfg.user} ${cfg.group} -"
diff --git a/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix b/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix
index 018fac38616..0f4eb2ccfca 100644
--- a/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix
+++ b/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix
@@ -79,7 +79,11 @@ turn_user_lifetime: "${cfg.turn_user_lifetime}"
user_creation_max_duration: ${cfg.user_creation_max_duration}
bcrypt_rounds: ${cfg.bcrypt_rounds}
allow_guest_access: ${boolToString cfg.allow_guest_access}
-trusted_third_party_id_servers: ${builtins.toJSON cfg.trusted_third_party_id_servers}
+
+account_threepid_delegates:
+ ${optionalString (cfg.account_threepid_delegates.email != null) "email: ${cfg.account_threepid_delegates.email}"}
+ ${optionalString (cfg.account_threepid_delegates.msisdn != null) "msisdn: ${cfg.account_threepid_delegates.msisdn}"}
+
room_invite_state_types: ${builtins.toJSON cfg.room_invite_state_types}
${optionalString (cfg.macaroon_secret_key != null) ''
macaroon_secret_key: "${cfg.macaroon_secret_key}"
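Review bot: The new `account_threepid_delegates:` key is emitted unconditionally, so with both `email` and `msisdn` left at their `null` defaults it has no children and parses as a YAML null rather than an empty mapping; whether synapse tolerates a null there depends on how it reads the key, which this hunk does not show. Emitting the block only when at least one delegate is set, e.g. wrapping the three lines in `optionalString (cfg.account_threepid_delegates.email != null || cfg.account_threepid_delegates.msisdn != null)`, avoids the question, and quoting the values (`email: "${…}"`) protects URLs that contain YAML-significant characters. The configuration template starts and ends outside the hunk.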
@@ -102,6 +106,7 @@ perspectives:
'') cfg.servers)}
}
}
+redaction_retention_period: ${toString cfg.redaction_retention_period}
app_service_config_files: ${builtins.toJSON cfg.app_service_config_files}
${cfg.extraConfig}
@@ -552,14 +557,18 @@ in {
accessible to anonymous users.
'';
};
- trusted_third_party_id_servers = mkOption {
- type = types.listOf types.str;
- default = [
- "matrix.org"
- "vector.im"
- ];
+ account_threepid_delegates.email = mkOption {
+ type = types.nullOr types.str;
+ default = null;
description = ''
- The list of identity servers trusted to verify third party identifiers by this server.
+ Delegate email sending to https://example.org
+ '';
+ };
+ account_threepid_delegates.msisdn = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ Delegate SMS sending to this local process (https://localhost:8090)
'';
};
room_invite_state_types = mkOption {
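Review bot: The descriptions of the two new `account_threepid_delegates` options read like example values copied from synapse's sample config (`Delegate email sending to https://example.org`, `…this local process (https://localhost:8090)`) rather than an explanation of what the option does. I would describe the contract and move the URLs into `example`: `description = "Base URL of the server to delegate email third-party-identifier validation to; null leaves it to synapse."; example = "https://example.org";` and the analogous text for `msisdn`, worded to match what synapse actually does with the value. The `options` attrset continues on both sides of the hunk.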
@@ -600,6 +609,13 @@ in {
A list of application service config file to use
'';
};
+ redaction_retention_period = mkOption {
+ type = types.int;
+ default = 7;
+ description = ''
+ How long to keep redacted events in unredacted form in the database.
+ '';
+ };
extraConfig = mkOption {
type = types.lines;
default = "";
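Review bot: `redaction_retention_period` is typed `types.int` with default `7` and the earlier hunk writes it into the YAML as a bare integer, but synapse's `parse_duration` treats an integer as milliseconds and only applies the day/hour suffixes to string values such as `"7d"`; if that reading of synapse is right, the default here retains redacted events for 7 ms instead of the intended 7 days. A backward-compatible fix keeps the int but emits `redaction_retention_period: ${toString cfg.redaction_retention_period}d` in the template, and the description should name the unit: `How many days to keep redacted events in unredacted form in the database.`. The `options` attrset continues outside the hunk.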
@@ -699,4 +715,12 @@ in {
};
};
};
+
+ imports = [
+ (mkRemovedOptionModule [ "services" "matrix-synapse" "trusted_third_party_id_servers" ] ''
+ The `trusted_third_party_id_servers` option as been removed in `matrix-synapse` v1.4.0
+ as the behavior is now obsolete.
+ '')
+ ];
+
}
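Review bot: The removal message has a grammar slip, `as been removed` should be `has been removed`, and since this text is shown to every user who still sets the option it should also point at the replacement rather than only say the behaviour is obsolete. For example: `The trusted_third_party_id_servers option has been removed in matrix-synapse v1.4.0; identity-server delegation is now configured through services.matrix-synapse.account_threepid_delegates.` — provided that is indeed the intended migration path, which the commit does not state. The `imports` list is complete within the hunk.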
diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix
index ca4366121e1..8a90afa9984 100644
--- a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix
+++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix
@@ -3,16 +3,34 @@
with lib;
let
+ logPrefix = "services.prometheus.exporter.blackbox";
cfg = config.services.prometheus.exporters.blackbox;
- checkConfig = file: pkgs.runCommand "checked-blackbox-exporter.conf" {
- preferLocalBuild = true;
- buildInputs = [ pkgs.buildPackages.prometheus-blackbox-exporter ]; } ''
- ln -s ${file} $out
- blackbox_exporter --config.check --config.file $out
- '';
-in
-{
+ # This ensures that we can deal with string paths, path types and
+ # store-path strings with context.
+ coerceConfigFile = file:
+ if (builtins.isPath file) || (lib.isStorePath file) then
+ file
+ else
+ (lib.warn ''
+ ${logPrefix}: configuration file "${file}" is being copied to the nix-store.
+ If you would like to avoid that, please set enableConfigCheck to false.
+ '' /. + file);
+ checkConfigLocation = file:
+ if lib.hasPrefix "/tmp/" file then
+ throw
+ "${logPrefix}: configuration file must not reside within /tmp - it won't be visible to the systemd service."
+ else
+ true;
+ checkConfig = file:
+ pkgs.runCommand "checked-blackbox-exporter.conf" {
+ preferLocalBuild = true;
+ buildInputs = [ pkgs.buildPackages.prometheus-blackbox-exporter ];
+ } ''
+ ln -s ${coerceConfigFile file} $out
+ blackbox_exporter --config.check --config.file $out
+ '';
+in {
port = 9115;
extraOpts = {
configFile = mkOption {
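Review bot: The warning emitted by `coerceConfigFile` tells the user the file is copied to the Nix store but not that the store is world-readable, which is the part that matters: blackbox configurations can hold HTTP basic-auth passwords, bearer tokens and TLS client keys for probe modules. I would extend the message to `configuration file "${file}" is being copied to the world-readable nix-store; do not enable the config check if the file contains credentials. If you would like to avoid that, please set enableConfigCheck to false.` and repeat the caveat in the `enableConfigCheck` description. The `in {` attrset opened at the end of the hunk continues past it.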
@@ -21,14 +39,29 @@ in
Path to configuration file.
'';
};
+ enableConfigCheck = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to run a correctness check for the configuration file. This depends
+ on the configuration file residing in the nix-store. Paths passed as string will
+ be copied to the store.
+ '';
+ };
};
- serviceOpts = {
+
+ serviceOpts = let
+ adjustedConfigFile = if cfg.enableConfigCheck then
+ checkConfig cfg.configFile
+ else
+ checkConfigLocation cfg.configFile;
+ in {
serviceConfig = {
AmbientCapabilities = [ "CAP_NET_RAW" ]; # for ping probes
ExecStart = ''
${pkgs.prometheus-blackbox-exporter}/bin/blackbox_exporter \
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
- --config.file ${checkConfig cfg.configFile} \
+ --config.file ${adjustedConfigFile} \
${concatStringsSep " \\\n " cfg.extraFlags}
'';
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
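Review bot: When `enableConfigCheck = false`, `adjustedConfigFile` is whatever `checkConfigLocation cfg.configFile` returns, and its non-`/tmp` branch returns `true` rather than the path, so the `--config.file ${adjustedConfigFile}` line interpolates a boolean and evaluation fails with a coercion error instead of starting the exporter with the user's file. The fix is in the earlier hunk's helper: make `checkConfigLocation` return the path (`else file` in place of `else true`), or write this branch as `assert checkConfigLocation cfg.configFile; cfg.configFile`. A test that sets `enableConfigCheck = false` would have caught this.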
diff --git a/nixpkgs/nixos/modules/services/networking/firewall.nix b/nixpkgs/nixos/modules/services/networking/firewall.nix
index 5b3aa19af3b..5919962837a 100644
--- a/nixpkgs/nixos/modules/services/networking/firewall.nix
+++ b/nixpkgs/nixos/modules/services/networking/firewall.nix
@@ -331,6 +331,17 @@ in
'';
};
+ package = mkOption {
+ type = types.package;
+ default = pkgs.iptables;
+ defaultText = "pkgs.iptables";
+ example = literalExample "pkgs.iptables-nftables-compat";
+ description =
+ ''
+ The iptables package to use for running the firewall service."
+ '';
+ };
+
logRefusedConnections = mkOption {
type = types.bool;
default = true;
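Review bot: The `description` of the new `package` option carries a stray `"` before the closing `''` (`…firewall service."`), which ends up verbatim in the generated manual; it should read `The iptables package to use for running the firewall service.`. The two following hunks only swap `pkgs.iptables` in `environment.systemPackages` and the unit `path`; if the module's scripts refer to `${pkgs.iptables}/bin/…` anywhere else, which is not visible here, those call sites would still bypass the option, so it is worth checking before merging. The surrounding option set begins before the hunk.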
@@ -536,7 +547,7 @@ in
networking.firewall.trustedInterfaces = [ "lo" ];
- environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages;
+ environment.systemPackages = [ cfg.package ] ++ cfg.extraPackages;
boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack")
++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
@@ -555,7 +566,7 @@ in
before = [ "network-pre.target" ];
after = [ "systemd-modules-load.service" ];
- path = [ pkgs.iptables ] ++ cfg.extraPackages;
+ path = [ cfg.package ] ++ cfg.extraPackages;
# FIXME: this module may also try to load kernel modules, but
# containers don't have CAP_SYS_MODULE. So the host system had
diff --git a/nixpkgs/nixos/modules/services/networking/networkmanager.nix b/nixpkgs/nixos/modules/services/networking/networkmanager.nix
index 176d26e07b0..05a78d1c448 100644
--- a/nixpkgs/nixos/modules/services/networking/networkmanager.nix
+++ b/nixpkgs/nixos/modules/services/networking/networkmanager.nix
@@ -24,9 +24,6 @@ let
enableIwd = cfg.wifi.backend == "iwd";
- # /var/lib/misc is for dnsmasq.leases.
- stateDirs = "/var/lib/NetworkManager /var/lib/dhclient /var/lib/misc";
-
configFile = pkgs.writeText "NetworkManager.conf" ''
[main]
plugins=keyfile
@@ -202,7 +199,7 @@ in {
dhcp = mkOption {
type = types.enum [ "dhclient" "dhcpcd" "internal" ];
- default = "dhclient";
+ default = "internal";
description = ''
Which program (or internal library) should be used for DHCP.
'';
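Review bot: The new `default = "internal";` silently switches the DHCP client for every existing NetworkManager user on upgrade, which can change lease handling and client identifiers and therefore the addresses some networks hand out, yet neither this hunk nor the rl-2003 hunk in this diff mentions it. I would add a release-notes entry stating the new default and that `networking.networkmanager.dhcp = "dhclient";` restores the previous behaviour, and mention the change in this option's description (`Defaults to the internal client since 20.03.`). The option's enclosing `options` attrset continues outside the hunk.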
@@ -472,17 +469,25 @@ in {
systemd.packages = cfg.packages;
+ systemd.tmpfiles.rules = [
+ "d /etc/NetworkManager/system-connections 0700 root root -"
+ "d /etc/ipsec.d 0700 root root -"
+ "d /var/lib/NetworkManager-fortisslvpn 0700 root root -"
+
+ "d /var/lib/dhclient 0755 root root -"
+ "d /var/lib/misc 0755 root root -" # for dnsmasq.leases
+ ];
+
systemd.services.NetworkManager = {
wantedBy = [ "network.target" ];
restartTriggers = [ configFile ];
- preStart = ''
- mkdir -m 700 -p /etc/NetworkManager/system-connections
- mkdir -m 700 -p /etc/ipsec.d
- mkdir -m 755 -p ${stateDirs}
- '';
-
aliases = [ "dbus-org.freedesktop.NetworkManager.service" ];
+
+ serviceConfig = {
+ StateDirectory = "NetworkManager";
+ StateDirectoryMode = 755; # not sure if this really needs to be 755
+ };
};
systemd.services.NetworkManager-wait-online = {
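Review bot: `StateDirectoryMode = 755;` is shipped together with the comment `not sure if this really needs to be 755`, which leaves the least-privilege question open in the module: `/var/lib/NetworkManager` is presumably where the (now default) internal DHCP client and connection state live, and nothing in this hunk shows another service needing to read it. I would either resolve it to `StateDirectoryMode = "0700";` or replace the comment with the concrete reason 755 is required; systemd expects an octal string, and the bare Nix integer `755` happens to render as `755` which systemd reads as octal, so quoting it as `"0755"` at least makes the intent explicit. The former `preStart` ran on every unit start whereas tmpfiles rules run at activation and boot, which is equivalent here since the rules only create directories.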
diff --git a/nixpkgs/nixos/modules/services/networking/pppd.nix b/nixpkgs/nixos/modules/services/networking/pppd.nix
new file mode 100644
index 00000000000..e96c27bd84b
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/networking/pppd.nix
@@ -0,0 +1,134 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.pppd;
+in
+{
+ meta = {
+ maintainers = with maintainers; [ danderson ];
+ };
+
+ options = {
+ services.pppd = {
+ enable = mkEnableOption "pppd";
+
+ package = mkOption {
+ default = pkgs.ppp;
+ defaultText = "pkgs.ppp";
+ type = types.package;
+ description = "pppd package to use.";
+ };
+
+ peers = mkOption {
+ default = {};
+ description = "pppd peers.";
+ type = types.attrsOf (types.submodule (
+ { name, ... }:
+ {
+ options = {
+ name = mkOption {
+ type = types.str;
+ default = name;
+ example = "dialup";
+ description = "Name of the PPP peer.";
+ };
+
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ example = false;
+ description = "Whether to enable this PPP peer.";
+ };
+
+ autostart = mkOption {
+ type = types.bool;
+ default = true;
+ example = false;
+ description = "Whether the PPP session is automatically started at boot time.";
+ };
+
+ config = mkOption {
+ type = types.lines;
+ default = "";
+ description = "pppd configuration for this peer, see the pppd(8) man page.";
+ };
+ };
+ }));
+ };
+ };
+ };
+
+ config = let
+ enabledConfigs = filter (f: f.enable) (attrValues cfg.peers);
+
+ mkEtc = peerCfg: {
+ "ppp/peers/${peerCfg.name}".text = peerCfg.config;
+ };
+
+ mkSystemd = peerCfg: {
+ "pppd-${peerCfg.name}" = {
+ restartTriggers = [ config.environment.etc."ppp/peers/${peerCfg.name}".source ];
+ before = [ "network.target" ];
+ wants = [ "network.target" ];
+ after = [ "network-pre.target" ];
+ environment = {
+ # pppd likes to write directly into /var/run. This is rude
+ # on a modern system, so we use libredirect to transparently
+ # move those files into /run/pppd.
+ LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so";
+ NIX_REDIRECTS = "/var/run=/run/pppd";
+ };
+ serviceConfig = {
+ ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog";
+ Restart = "always";
+ RestartSec = 5;
+
+ AmbientCapabilities = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
+ CapabilityBoundingSet = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
+ KeyringMode = "private";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelModules = true;
+ # pppd can be configured to tweak kernel settings.
+ ProtectKernelTunables = false;
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = "AF_PACKET AF_UNIX AF_PPPOX AF_ATMPVC AF_ATMSVC AF_INET AF_INET6 AF_IPX";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SecureBits = "no-setuid-fixup-locked noroot-locked";
+ SystemCallFilter = "@system-service";
+ SystemCallArchitectures = "native";
+
+ # All pppd instances on a system must share a runtime
+ # directory in order for PPP multilink to work correctly. So
+ # we give all instances the same /run/pppd directory to store
+ # things in.
+ #
+ # For the same reason, we can't set PrivateUsers=true, because
+ # all instances need to run as the same user to access the
+ # multilink database.
+ RuntimeDirectory = "pppd";
+ RuntimeDirectoryPreserve = true;
+ };
+ wantedBy = mkIf peerCfg.autostart [ "multi-user.target" ];
+ };
+ };
+
+ etcFiles = map mkEtc enabledConfigs;
+ systemdConfigs = map mkSystemd enabledConfigs;
+
+ in mkIf cfg.enable {
+ environment.etc = mkMerge etcFiles;
+ systemd.services = mkMerge systemdConfigs;
+ };
+}
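Review bot: Each peer's `config` is written to `/etc/ppp/peers/<name>` via `environment.etc`, whose `.text` lands in the Nix store (the `restartTriggers` line references its `.source`) and is installed world-readable by default, so any `password`/`user` line a user puts in `config` is exposed to every local account and to anything that can read the store. The `config` option description should say so and point at the right place: `description = "pppd configuration for this peer, see the pppd(8) man page. Do not put secrets here: this file is copied to the world-readable Nix store; put passwords in /etc/ppp/pap-secrets or /etc/ppp/chap-secrets instead.";`. Separately, `peerCfg.name` is interpolated unvalidated into the etc path, the unit name and the `ExecStart` line, so a name containing `/` or whitespace yields a misplaced file or a malformed unit; `type = types.strMatching "[a-zA-Z0-9_.-]+";` on the `name` option closes that. Last, `ProtectSystem = "strict"` makes `/etc` read-only for the unit, which is likely to break pppd's `usepeerdns` handling that writes `/etc/ppp/resolv.conf` — if that option is meant to be usable, a `ReadWritePaths` entry or a note in the module is needed.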
diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix
index 20385c884b5..5ad31e5b9d0 100644
--- a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix
+++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix
@@ -30,6 +30,10 @@ let
cp -f ${pkgs.gnome3.gnome-shell}/share/gsettings-schemas/*/glib-2.0/schemas/*.gschema.override $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas
+ ${optionalString flashbackEnabled ''
+ cp -f ${pkgs.gnome3.gnome-flashback}/share/gsettings-schemas/*/glib-2.0/schemas/*.gschema.override $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas
+ ''}
+
chmod -R a+w $out/share/gsettings-schemas/nixos-gsettings-overrides
cat - > $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas/nixos-defaults.gschema.override <<- EOF
[org.gnome.desktop.background]
diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix b/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix
index 597fb57a179..e5990aec4b9 100644
--- a/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix
@@ -170,8 +170,9 @@ in
"plymouth-start.service"
];
systemd.services.display-manager.conflicts = [
- "getty@tty${gdm.initialVT}.service"
- "plymouth-quit.service"
+ "getty@tty${gdm.initialVT}.service"
+ # TODO: Add "plymouth-quit.service" so GDM can control when plymouth quits.
+ # Currently this breaks switching configurations while using plymouth.
];
systemd.services.display-manager.onFailure = [
"plymouth-quit.service"
diff --git a/nixpkgs/nixos/modules/system/boot/plymouth.nix b/nixpkgs/nixos/modules/system/boot/plymouth.nix
index fd43ea1620c..adca3c3f66e 100644
--- a/nixpkgs/nixos/modules/system/boot/plymouth.nix
+++ b/nixpkgs/nixos/modules/system/boot/plymouth.nix
@@ -88,10 +88,7 @@ in
systemd.services.plymouth-kexec.wantedBy = [ "kexec.target" ];
systemd.services.plymouth-halt.wantedBy = [ "halt.target" ];
systemd.services.plymouth-quit-wait.wantedBy = [ "multi-user.target" ];
- systemd.services.plymouth-quit = {
- wantedBy = [ "multi-user.target" ];
- after = [ "display-manager.service" ];
- };
+ systemd.services.plymouth-quit.wantedBy = [ "multi-user.target" ];
systemd.services.plymouth-poweroff.wantedBy = [ "poweroff.target" ];
systemd.services.plymouth-reboot.wantedBy = [ "reboot.target" ];
systemd.services.plymouth-read-write.wantedBy = [ "sysinit.target" ];
diff --git a/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix b/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix
index cfdc0a31020..fe11917c609 100644
--- a/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix
+++ b/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix
@@ -16,9 +16,7 @@ let
inInitrd = any (fs: fs == "zfs") config.boot.initrd.supportedFilesystems;
inSystem = any (fs: fs == "zfs") config.boot.supportedFilesystems;
- enableAutoSnapshots = cfgSnapshots.enable;
- enableAutoScrub = cfgScrub.enable;
- enableZfs = inInitrd || inSystem || enableAutoSnapshots || enableAutoScrub;
+ enableZfs = inInitrd || inSystem;
kernel = config.boot.kernelPackages;
@@ -392,10 +390,11 @@ in
};
environment.etc."zfs/zed.d".source = "${packages.zfsUser}/etc/zfs/zed.d/";
+ environment.etc."zfs/zpool.d".source = "${packages.zfsUser}/etc/zfs/zpool.d/";
system.fsPackages = [ packages.zfsUser ]; # XXX: needed? zfs doesn't have (need) a fsck
environment.systemPackages = [ packages.zfsUser ]
- ++ optional enableAutoSnapshots autosnapPkg; # so the user can run the command to see flags
+ ++ optional cfgSnapshots.enable autosnapPkg; # so the user can run the command to see flags
services.udev.packages = [ packages.zfsUser ]; # to hook zvol naming, etc.
systemd.packages = [ packages.zfsUser ];
@@ -487,7 +486,7 @@ in
systemd.targets.zfs.wantedBy = [ "multi-user.target" ];
})
- (mkIf enableAutoSnapshots {
+ (mkIf (enableZfs && cfgSnapshots.enable) {
systemd.services = let
descr = name: if name == "frequent" then "15 mins"
else if name == "hourly" then "hour"
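Review bot: With the new `mkIf (enableZfs && cfgSnapshots.enable)` condition (and the matching ones for scrub and trim in the following hunks), setting `services.zfs.autoSnapshot.enable = true` on a machine where zfs is not in `boot.supportedFilesystems` now silently yields no timers, whereas previously it pulled zfs in; the release-note hunk describes this but nothing surfaces it at evaluation time. I would add a warning next to the change, e.g. `warnings = optional (cfgSnapshots.enable && !enableZfs) "services.zfs.autoSnapshot.enable is set but zfs is not in boot.supportedFilesystems; no snapshot units will be created.";`, and the same for `cfgScrub` and `cfgTrim`. The `mkMerge` list these `mkIf` blocks live in starts and ends outside the hunk.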
@@ -525,7 +524,7 @@ in
}) snapshotNames);
})
- (mkIf enableAutoScrub {
+ (mkIf (enableZfs && cfgScrub.enable) {
systemd.services.zfs-scrub = {
description = "ZFS pools scrubbing";
after = [ "zfs-import.target" ];
@@ -552,15 +551,13 @@ in
};
})
- (mkIf cfgTrim.enable {
+ (mkIf (enableZfs && cfgTrim.enable) {
systemd.services.zpool-trim = {
description = "ZFS pools trim";
after = [ "zfs-import.target" ];
path = [ packages.zfsUser ];
startAt = cfgTrim.interval;
- script = ''
- zpool list -H -o name | xargs -n1 zpool trim
- '';
+ serviceConfig.ExecStart = "${pkgs.runtimeShell} -c 'zpool list -H -o name | xargs --no-run-if-empty -n1 zpool trim'";
};
})
];
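Review bot: The new `ExecStart` pipeline runs `zpool trim` on every imported pool, but on a pool with no trim-capable vdevs `zpool trim` refuses and exits non-zero, and `xargs -n1` then returns 123, so on a host with one SSD pool and one HDD pool the weekly unit ends up failed even though the SSD pool was trimmed. The release note says trimming is only done on supported devices, which holds per device but not for the unit's exit status; either tolerate that failure per pool, e.g. `zpool list -H -o name | while read -r pool; do zpool trim "$pool" || true; done` (at the cost of also masking real errors), or state in the `services.zfs.trim.enable` description that the unit fails on pools without trim support. The enclosing `mkMerge` list continues outside the hunk.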
diff --git a/nixpkgs/nixos/tests/all-tests.nix b/nixpkgs/nixos/tests/all-tests.nix
index 914b32f97c3..e94c9712cbf 100644
--- a/nixpkgs/nixos/tests/all-tests.nix
+++ b/nixpkgs/nixos/tests/all-tests.nix
@@ -227,6 +227,7 @@ in
postgresql = handleTest ./postgresql.nix {};
postgresql-wal-receiver = handleTest ./postgresql-wal-receiver.nix {};
powerdns = handleTest ./powerdns.nix {};
+ pppd = handleTest ./pppd.nix {};
predictable-interface-names = handleTest ./predictable-interface-names.nix {};
printing = handleTest ./printing.nix {};
prometheus = handleTest ./prometheus.nix {};
diff --git a/nixpkgs/nixos/tests/gnome3-xorg.nix b/nixpkgs/nixos/tests/gnome3-xorg.nix
index f12361da037..eb4c376319b 100644
--- a/nixpkgs/nixos/tests/gnome3-xorg.nix
+++ b/nixpkgs/nixos/tests/gnome3-xorg.nix
@@ -29,7 +29,7 @@ import ./make-test.nix ({ pkgs, ...} : {
$machine->waitForUnit("default.target","alice");
# Check that logging in has given the user ownership of devices.
- $machine->succeed("getfacl /dev/snd/timer | grep -q alice");
+ $machine->succeed("getfacl -p /dev/snd/timer | grep -q alice");
$machine->succeed("su - alice -c 'DISPLAY=:0.0 gnome-terminal &'");
$machine->succeed("xauth merge ~alice/.Xauthority");
diff --git a/nixpkgs/nixos/tests/gnome3.nix b/nixpkgs/nixos/tests/gnome3.nix
index b6fe602a732..ab363efb6a1 100644
--- a/nixpkgs/nixos/tests/gnome3.nix
+++ b/nixpkgs/nixos/tests/gnome3.nix
@@ -44,7 +44,7 @@ import ./make-test.nix ({ pkgs, ...} : {
$machine->waitForUnit("default.target","alice");
# Check that logging in has given the user ownership of devices.
- $machine->succeed("getfacl /dev/snd/timer | grep -q alice");
+ $machine->succeed("getfacl -p /dev/snd/timer | grep -q alice");
# Wait for the wayland server
$machine->waitForFile("/run/user/1000/wayland-0");
diff --git a/nixpkgs/nixos/tests/login.nix b/nixpkgs/nixos/tests/login.nix
index 2a7c063d303..bd8ed23a7b8 100644
--- a/nixpkgs/nixos/tests/login.nix
+++ b/nixpkgs/nixos/tests/login.nix
@@ -48,12 +48,12 @@ import ./make-test.nix ({ pkgs, latestKernel ? false, ... }:
# Check whether systemd gives and removes device ownership as
# needed.
subtest "device permissions", sub {
- $machine->succeed("getfacl /dev/snd/timer | grep -q alice");
+ $machine->succeed("getfacl -p /dev/snd/timer | grep -q alice");
$machine->sendKeys("alt-f1");
$machine->waitUntilSucceeds("[ \$(fgconsole) = 1 ]");
- $machine->fail("getfacl /dev/snd/timer | grep -q alice");
+ $machine->fail("getfacl -p /dev/snd/timer | grep -q alice");
$machine->succeed("chvt 2");
- $machine->waitUntilSucceeds("getfacl /dev/snd/timer | grep -q alice");
+ $machine->waitUntilSucceeds("getfacl -p /dev/snd/timer | grep -q alice");
};
# Log out.
diff --git a/nixpkgs/nixos/tests/nextcloud/with-postgresql-and-redis.nix b/nixpkgs/nixos/tests/nextcloud/with-postgresql-and-redis.nix
index 81c269c2378..f655aba9d45 100644
--- a/nixpkgs/nixos/tests/nextcloud/with-postgresql-and-redis.nix
+++ b/nixpkgs/nixos/tests/nextcloud/with-postgresql-and-redis.nix
@@ -36,49 +36,16 @@ in {
};
services.redis = {
- unixSocket = "/var/run/redis/redis.sock";
enable = true;
- extraConfig = ''
- unixsocketperm 770
- '';
- };
-
- systemd.services.redis = {
- preStart = ''
- mkdir -p /var/run/redis
- chown ${config.services.redis.user}:${config.services.nginx.group} /var/run/redis
- '';
- serviceConfig.PermissionsStartOnly = true;
};
systemd.services.nextcloud-setup= {
requires = ["postgresql.service"];
after = [
"postgresql.service"
- "chown-redis-socket.service"
];
};
- # At the time of writing, redis creates its socket with the "nobody"
- # group. I figure this is slightly less bad than making the socket world
- # readable.
- systemd.services.chown-redis-socket = {
- enable = true;
- script = ''
- until ${pkgs.redis}/bin/redis-cli ping; do
- echo "waiting for redis..."
- sleep 1
- done
- chown ${config.services.redis.user}:${config.services.nginx.group} /var/run/redis/redis.sock
- '';
- after = [ "redis.service" ];
- requires = [ "redis.service" ];
- wantedBy = [ "redis.service" ];
- serviceConfig = {
- Type = "oneshot";
- };
- };
-
services.postgresql = {
enable = true;
ensureDatabases = [ "nextcloud" ];
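Review bot: Dropping `unixSocket` and the `unixsocketperm 770` config moves Redis from a group-restricted socket to a TCP listener, and nothing in the new configuration says what access boundary now applies; presumably the module's default loopback bind is what is being relied on, and that is fine for a single-VM test but is not stated. A short comment next to `enable = true;` would record the decision, e.g. `# Reached over TCP on loopback; unauthenticated, acceptable only inside this test VM.`. The removed `chown-redis-socket` workaround is no longer referenced in `after`, which is consistent with the change.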
@@ -94,8 +61,8 @@ in {
testScript = let
configureRedis = pkgs.writeScript "configure-redis" ''
#!${pkgs.stdenv.shell}
- nextcloud-occ config:system:set redis 'host' --value '/var/run/redis/redis.sock' --type string
- nextcloud-occ config:system:set redis 'port' --value 0 --type integer
+ nextcloud-occ config:system:set redis 'host' --value 'localhost' --type string
+ nextcloud-occ config:system:set redis 'port' --value 6379 --type integer
nextcloud-occ config:system:set memcache.local --value '\OC\Memcache\Redis' --type string
nextcloud-occ config:system:set memcache.locking --value '\OC\Memcache\Redis' --type string
'';
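Review bot: Setting the Redis host to `'localhost'` leaves address family resolution to the Nextcloud process, so if the server only listens on 127.0.0.1 and the resolver prefers `::1` the connection can fail for a reason unrelated to the test; this is an inference, since the bind address is not visible here. Using the literal address removes the ambiguity: `nextcloud-occ config:system:set redis 'host' --value '127.0.0.1' --type string`.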
diff --git a/nixpkgs/nixos/tests/pantheon.nix b/nixpkgs/nixos/tests/pantheon.nix
index c50f77f8617..9888887ee8b 100644
--- a/nixpkgs/nixos/tests/pantheon.nix
+++ b/nixpkgs/nixos/tests/pantheon.nix
@@ -42,7 +42,7 @@ import ./make-test.nix ({ pkgs, ...} :
$machine->waitForWindow(qr/plank/);
# Check that logging in has given the user ownership of devices.
- $machine->succeed("getfacl /dev/snd/timer | grep -q alice");
+ $machine->succeed("getfacl -p /dev/snd/timer | grep -q alice");
# Open elementary terminal
$machine->execute("su - alice -c 'DISPLAY=:0.0 io.elementary.terminal &'");
diff --git a/nixpkgs/nixos/tests/plasma5.nix b/nixpkgs/nixos/tests/plasma5.nix
index 88d4ff33436..614fc9bf316 100644
--- a/nixpkgs/nixos/tests/plasma5.nix
+++ b/nixpkgs/nixos/tests/plasma5.nix
@@ -48,7 +48,7 @@ import ./make-test.nix ({ pkgs, ...} :
$machine->waitForWindow("^Desktop ");
# Check that logging in has given the user ownership of devices.
- $machine->succeed("getfacl /dev/snd/timer | grep -q alice");
+ $machine->succeed("getfacl -p /dev/snd/timer | grep -q alice");
$machine->execute("su - alice -c 'DISPLAY=:0.0 dolphin &'");
$machine->waitForWindow(" Dolphin");
diff --git a/nixpkgs/nixos/tests/pppd.nix b/nixpkgs/nixos/tests/pppd.nix
new file mode 100644
index 00000000000..91f81185909
--- /dev/null
+++ b/nixpkgs/nixos/tests/pppd.nix
@@ -0,0 +1,62 @@
+import ./make-test.nix (
+ let
+ chap-secrets = {
+ text = ''"flynn" * "reindeerflotilla" *'';
+ mode = "0640";
+ };
+ in {
+ nodes = {
+ server = {config, pkgs, ...}: {
+ config = {
+ # Run a PPPoE access concentrator server. It will spawn an
+ # appropriate PPP server process when a PPPoE client sets up a
+ # PPPoE session.
+ systemd.services.pppoe-server = {
+ restartTriggers = [
+ config.environment.etc."ppp/pppoe-server-options".source
+ config.environment.etc."ppp/chap-secrets".source
+ ];
+ after = ["network.target"];
+ serviceConfig = {
+ ExecStart = "${pkgs.rpPPPoE}/sbin/pppoe-server -F -O /etc/ppp/pppoe-server-options -q ${pkgs.ppp}/sbin/pppd -I eth1 -L 192.0.2.1 -R 192.0.2.2";
+ };
+ wantedBy = ["multi-user.target"];
+ };
+ environment.etc = {
+ "ppp/pppoe-server-options".text = ''
+ lcp-echo-interval 10
+ lcp-echo-failure 2
+ plugin rp-pppoe.so
+ require-chap
+ nobsdcomp
+ noccp
+ novj
+ '';
+ "ppp/chap-secrets" = chap-secrets;
+ };
+ };
+ };
+ client = {config, pkgs, ...}: {
+ services.pppd = {
+ enable = true;
+ peers.test = {
+ config = ''
+ plugin rp-pppoe.so eth1
+ name "flynn"
+ noipdefault
+ persist
+ noauth
+ debug
+ '';
+ };
+ };
+ environment.etc."ppp/chap-secrets" = chap-secrets;
+ };
+ };
+
+ testScript = ''
+ startAll;
+ $client->waitUntilSucceeds("ping -c1 -W1 192.0.2.1");
+ $server->waitUntilSucceeds("ping -c1 -W1 192.0.2.2");
+ '';
+ })
diff --git a/nixpkgs/nixos/tests/xfce.nix b/nixpkgs/nixos/tests/xfce.nix
index 6cb4fae2021..7ff623062d9 100644
--- a/nixpkgs/nixos/tests/xfce.nix
+++ b/nixpkgs/nixos/tests/xfce.nix
@@ -32,7 +32,7 @@ import ./make-test.nix ({ pkgs, ...} : {
$machine->sleep(10);
# Check that logging in has given the user ownership of devices.
- $machine->succeed("getfacl /dev/snd/timer | grep -q alice");
+ $machine->succeed("getfacl -p /dev/snd/timer | grep -q alice");
$machine->succeed("su - alice -c 'DISPLAY=:0.0 xfce4-terminal &'");
$machine->waitForWindow(qr/Terminal/);
diff --git a/nixpkgs/nixos/tests/xfce4-14.nix b/nixpkgs/nixos/tests/xfce4-14.nix
index 94378f0c8d3..d9b87b08437 100644
--- a/nixpkgs/nixos/tests/xfce4-14.nix
+++ b/nixpkgs/nixos/tests/xfce4-14.nix
@@ -14,7 +14,7 @@ import ./make-test.nix ({ pkgs, ...} : {
services.xserver.desktopManager.xfce4-14.enable = true;
hardware.pulseaudio.enable = true; # needed for the factl test, /dev/snd/* exists without them but udev doesn't care then
-
+
virtualisation.memorySize = 1024;
};
@@ -27,7 +27,7 @@ import ./make-test.nix ({ pkgs, ...} : {
$machine->sleep(10);
# Check that logging in has given the user ownership of devices.
- $machine->succeed("getfacl /dev/snd/timer | grep -q alice");
+ $machine->succeed("getfacl -p /dev/snd/timer | grep -q alice");
$machine->succeed("su - alice -c 'DISPLAY=:0.0 xfce4-terminal &'");
$machine->waitForWindow(qr/Terminal/);