authorKatharina Fey <kookie@spacekookie.de>2020-01-10 20:09:37 +0000
committerKatharina Fey <kookie@spacekookie.de>2020-01-10 20:09:37 +0000
commit45431c078bf8f54aef7c9fae2e5913395ec82c31 (patch)
treefd8ff1346a963ddd72e782421f05b623f9759e2a /nixpkgs/nixos
parentc86fea6086c212ea489cfb023a5f5c9c8f188810 (diff)
parent3ccbc8d89153ecf13f3eae7d9c106d91cd4ab9e5 (diff)
Merge commit '3ccbc8d89153ecf13f3eae7d9c106d91cd4ab9e5' into fuckthisshit
Diffstat (limited to 'nixpkgs/nixos')
-rw-r--r--nixpkgs/nixos/doc/manual/configuration/profiles/graphical.xml4
-rw-r--r--nixpkgs/nixos/doc/manual/configuration/x-windows.xml2
-rw-r--r--nixpkgs/nixos/doc/manual/default.nix3
-rw-r--r--nixpkgs/nixos/doc/manual/development/option-declarations.xml10
-rwxr-xr-xnixpkgs/nixos/doc/manual/development/releases.xml21
-rw-r--r--nixpkgs/nixos/doc/manual/development/running-nixos-tests-interactively.xml14
-rw-r--r--nixpkgs/nixos/doc/manual/development/running-nixos-tests.xml2
-rw-r--r--nixpkgs/nixos/doc/manual/development/sources.xml19
-rw-r--r--nixpkgs/nixos/doc/manual/development/writing-nixos-tests.xml87
-rw-r--r--nixpkgs/nixos/doc/manual/installation/installing-virtualbox-guest.xml5
-rw-r--r--nixpkgs/nixos/doc/manual/installation/installing.xml14
-rw-r--r--nixpkgs/nixos/doc/manual/man-nixos-option.xml21
-rw-r--r--nixpkgs/nixos/doc/manual/man-nixos-rebuild.xml14
-rw-r--r--nixpkgs/nixos/doc/manual/manual.xml27
-rw-r--r--nixpkgs/nixos/doc/manual/preface.xml37
-rw-r--r--nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml30
-rw-r--r--nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml124
-rw-r--r--nixpkgs/nixos/lib/make-options-doc/default.nix2
-rw-r--r--nixpkgs/nixos/lib/test-driver/test-driver.py829
-rw-r--r--nixpkgs/nixos/lib/testing-python.nix281
-rw-r--r--nixpkgs/nixos/lib/testing.nix1
-rwxr-xr-xnixpkgs/nixos/maintainers/scripts/ec2/create-amis.sh6
-rwxr-xr-xnixpkgs/nixos/maintainers/scripts/gce/create-gce.sh2
-rw-r--r--nixpkgs/nixos/modules/config/fonts/corefonts.nix36
-rw-r--r--nixpkgs/nixos/modules/config/fonts/fontconfig-ultimate.nix86
-rw-r--r--nixpkgs/nixos/modules/config/i18n.nix6
-rw-r--r--nixpkgs/nixos/modules/config/no-x-libs.nix1
-rw-r--r--nixpkgs/nixos/modules/config/pulseaudio.nix5
-rw-r--r--nixpkgs/nixos/modules/config/qt5.nix2
-rw-r--r--nixpkgs/nixos/modules/config/shells-environment.nix14
-rw-r--r--nixpkgs/nixos/modules/config/update-users-groups.pl4
-rw-r--r--nixpkgs/nixos/modules/config/users-groups.nix2
-rw-r--r--nixpkgs/nixos/modules/config/vpnc.nix41
-rw-r--r--nixpkgs/nixos/modules/config/xdg/sounds.nix6
-rw-r--r--nixpkgs/nixos/modules/hardware/brillo.nix22
-rw-r--r--nixpkgs/nixos/modules/hardware/video/displaylink.nix22
-rw-r--r--nixpkgs/nixos/modules/hardware/video/nvidia.nix7
-rw-r--r--nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix12
-rw-r--r--nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix2
-rw-r--r--nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix10
-rw-r--r--nixpkgs/nixos/modules/installer/cd-dvd/sd-image.nix6
-rw-r--r--nixpkgs/nixos/modules/installer/tools/nixos-option.sh327
-rw-r--r--nixpkgs/nixos/modules/installer/tools/nixos-option/CMakeLists.txt8
-rw-r--r--nixpkgs/nixos/modules/installer/tools/nixos-option/default.nix11
-rw-r--r--nixpkgs/nixos/modules/installer/tools/nixos-option/libnix-copy-paste.cc83
-rw-r--r--nixpkgs/nixos/modules/installer/tools/nixos-option/libnix-copy-paste.hh9
-rw-r--r--nixpkgs/nixos/modules/installer/tools/nixos-option/nixos-option.cc618
-rw-r--r--nixpkgs/nixos/modules/installer/tools/nixos-rebuild.sh13
-rw-r--r--nixpkgs/nixos/modules/installer/tools/tools.nix11
-rw-r--r--nixpkgs/nixos/modules/misc/ids.nix9
-rw-r--r--nixpkgs/nixos/modules/module-list.nix21
-rw-r--r--nixpkgs/nixos/modules/profiles/graphical.nix2
-rw-r--r--nixpkgs/nixos/modules/profiles/installation-device.nix3
-rw-r--r--nixpkgs/nixos/modules/programs/adb.nix3
-rw-r--r--nixpkgs/nixos/modules/programs/gnupg.nix41
-rw-r--r--nixpkgs/nixos/modules/programs/seahorse.nix2
-rw-r--r--nixpkgs/nixos/modules/programs/shadow.nix14
-rw-r--r--nixpkgs/nixos/modules/programs/ssh.nix11
-rw-r--r--nixpkgs/nixos/modules/programs/ssmtp.nix14
-rw-r--r--nixpkgs/nixos/modules/programs/x2goserver.nix1
-rw-r--r--nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix4
-rw-r--r--nixpkgs/nixos/modules/rename.nix24
-rw-r--r--nixpkgs/nixos/modules/security/acme.nix61
-rw-r--r--nixpkgs/nixos/modules/security/pam_mount.nix6
-rw-r--r--nixpkgs/nixos/modules/services/admin/oxidized.nix1
-rw-r--r--nixpkgs/nixos/modules/services/audio/jack.nix1
-rw-r--r--nixpkgs/nixos/modules/services/audio/mpd.nix2
-rw-r--r--nixpkgs/nixos/modules/services/audio/roon-server.nix3
-rw-r--r--nixpkgs/nixos/modules/services/backup/automysqlbackup.nix5
-rw-r--r--nixpkgs/nixos/modules/services/backup/znapzend.nix28
-rw-r--r--nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix12
-rw-r--r--nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix1
-rw-r--r--nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix4
-rw-r--r--nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix9
-rw-r--r--nixpkgs/nixos/modules/services/computing/slurm/slurm.nix51
-rw-r--r--nixpkgs/nixos/modules/services/continuous-integration/buildkite-agent.nix1
-rw-r--r--nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix4
-rw-r--r--nixpkgs/nixos/modules/services/databases/mysql.nix12
-rw-r--r--nixpkgs/nixos/modules/services/databases/redis.nix21
-rw-r--r--nixpkgs/nixos/modules/services/databases/rethinkdb.nix1
-rw-r--r--nixpkgs/nixos/modules/services/desktops/geoclue2.nix41
-rw-r--r--nixpkgs/nixos/modules/services/desktops/neard.nix23
-rw-r--r--nixpkgs/nixos/modules/services/desktops/system-config-printer.nix3
-rw-r--r--nixpkgs/nixos/modules/services/desktops/tumbler.nix18
-rw-r--r--nixpkgs/nixos/modules/services/development/lorri.nix47
-rw-r--r--nixpkgs/nixos/modules/services/editors/infinoted.nix1
-rw-r--r--nixpkgs/nixos/modules/services/games/openarena.nix56
-rw-r--r--nixpkgs/nixos/modules/services/hardware/bluetooth.nix30
-rw-r--r--nixpkgs/nixos/modules/services/hardware/fancontrol.nix39
-rw-r--r--nixpkgs/nixos/modules/services/hardware/fwupd.nix6
-rw-r--r--nixpkgs/nixos/modules/services/hardware/tlp.nix2
-rw-r--r--nixpkgs/nixos/modules/services/hardware/trezord.nix16
-rw-r--r--nixpkgs/nixos/modules/services/hardware/udisks2.nix5
-rw-r--r--nixpkgs/nixos/modules/services/hardware/usbmuxd.nix1
-rw-r--r--nixpkgs/nixos/modules/services/hardware/vdr.nix1
-rw-r--r--nixpkgs/nixos/modules/services/mail/mailcatcher.nix9
-rw-r--r--nixpkgs/nixos/modules/services/mail/mailhog.nix1
-rw-r--r--nixpkgs/nixos/modules/services/mail/opensmtpd.nix18
-rw-r--r--nixpkgs/nixos/modules/services/mail/postfix.nix8
-rw-r--r--nixpkgs/nixos/modules/services/mail/roundcube.nix2
-rw-r--r--nixpkgs/nixos/modules/services/mail/rspamd.nix2
-rw-r--r--nixpkgs/nixos/modules/services/misc/airsonic.nix1
-rw-r--r--nixpkgs/nixos/modules/services/misc/beanstalkd.nix3
-rw-r--r--nixpkgs/nixos/modules/services/misc/docker-registry.nix6
-rw-r--r--nixpkgs/nixos/modules/services/misc/errbot.nix5
-rw-r--r--nixpkgs/nixos/modules/services/misc/gitea.nix1
-rw-r--r--nixpkgs/nixos/modules/services/misc/gitlab.nix9
-rw-r--r--nixpkgs/nixos/modules/services/misc/gollum.nix1
-rw-r--r--nixpkgs/nixos/modules/services/misc/jellyfin.nix5
-rw-r--r--nixpkgs/nixos/modules/services/misc/lidarr.nix15
-rw-r--r--nixpkgs/nixos/modules/services/misc/matrix-synapse.nix3
-rw-r--r--nixpkgs/nixos/modules/services/misc/nix-daemon.nix6
-rw-r--r--nixpkgs/nixos/modules/services/misc/osrm.nix1
-rw-r--r--nixpkgs/nixos/modules/services/misc/redmine.nix15
-rw-r--r--nixpkgs/nixos/modules/services/misc/zoneminder.nix2
-rw-r--r--nixpkgs/nixos/modules/services/monitoring/collectd.nix40
-rw-r--r--nixpkgs/nixos/modules/services/monitoring/fusion-inventory.nix1
-rw-r--r--nixpkgs/nixos/modules/services/monitoring/grafana.nix2
-rw-r--r--nixpkgs/nixos/modules/services/monitoring/netdata.nix3
-rw-r--r--nixpkgs/nixos/modules/services/monitoring/osquery.nix91
-rw-r--r--nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix3
-rw-r--r--nixpkgs/nixos/modules/services/monitoring/zabbix-agent.nix1
-rw-r--r--nixpkgs/nixos/modules/services/network-filesystems/beegfs.nix357
-rw-r--r--nixpkgs/nixos/modules/services/network-filesystems/ceph.nix72
-rw-r--r--nixpkgs/nixos/modules/services/network-filesystems/orangefs/client.nix97
-rw-r--r--nixpkgs/nixos/modules/services/network-filesystems/orangefs/server.nix225
-rw-r--r--nixpkgs/nixos/modules/services/network-filesystems/samba.nix24
-rw-r--r--nixpkgs/nixos/modules/services/networking/bind.nix6
-rw-r--r--nixpkgs/nixos/modules/services/networking/bitcoind.nix4
-rw-r--r--nixpkgs/nixos/modules/services/networking/connman.nix10
-rw-r--r--nixpkgs/nixos/modules/services/networking/dnscache.nix2
-rw-r--r--nixpkgs/nixos/modules/services/networking/dnschain.nix2
-rw-r--r--nixpkgs/nixos/modules/services/networking/dnscrypt-wrapper.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/dnsdist.nix5
-rw-r--r--nixpkgs/nixos/modules/services/networking/eternal-terminal.nix6
-rw-r--r--nixpkgs/nixos/modules/services/networking/go-shadowsocks2.nix30
-rw-r--r--nixpkgs/nixos/modules/services/networking/hans.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/haproxy.nix36
-rw-r--r--nixpkgs/nixos/modules/services/networking/jormungandr.nix102
-rw-r--r--nixpkgs/nixos/modules/services/networking/matterbridge.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/morty.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/nat.nix2
-rw-r--r--nixpkgs/nixos/modules/services/networking/networkmanager.nix109
-rw-r--r--nixpkgs/nixos/modules/services/networking/nghttpx/default.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/owamp.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/pdns-recursor.nix13
-rw-r--r--nixpkgs/nixos/modules/services/networking/smokeping.nix5
-rw-r--r--nixpkgs/nixos/modules/services/networking/stunnel.nix15
-rw-r--r--nixpkgs/nixos/modules/services/networking/syncthing.nix64
-rw-r--r--nixpkgs/nixos/modules/services/networking/thelounge.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/tinydns.nix3
-rw-r--r--nixpkgs/nixos/modules/services/networking/trickster.nix112
-rw-r--r--nixpkgs/nixos/modules/services/networking/vsftpd.nix129
-rw-r--r--nixpkgs/nixos/modules/services/networking/wireguard.nix66
-rw-r--r--nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix9
-rw-r--r--nixpkgs/nixos/modules/services/networking/yggdrasil.nix187
-rw-r--r--nixpkgs/nixos/modules/services/networking/znc/default.nix2
-rw-r--r--nixpkgs/nixos/modules/services/printing/cupsd.nix2
-rw-r--r--nixpkgs/nixos/modules/services/scheduling/marathon.nix2
-rw-r--r--nixpkgs/nixos/modules/services/security/bitwarden_rs/default.nix5
-rw-r--r--nixpkgs/nixos/modules/services/security/oauth2_proxy.nix1
-rw-r--r--nixpkgs/nixos/modules/services/security/vault.nix5
-rw-r--r--nixpkgs/nixos/modules/services/torrent/magnetico.nix8
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/codimd.nix1
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/frab.nix1
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/gotify-server.nix49
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/limesurvey.nix5
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/matomo-doc.xml8
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/matomo.nix56
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/mediawiki.nix5
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/moinmoin.nix303
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/moodle.nix6
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/nextcloud.nix5
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/nexus.nix1
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/trac.nix79
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/virtlyst.nix1
-rw-r--r--nixpkgs/nixos/modules/services/web-apps/wordpress.nix5
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix255
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix6
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/hitch/default.nix5
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/nginx/location-options.nix3
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix2
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix6
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/traefik.nix1
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/ttyd.nix196
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/unit/default.nix1
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/varnish/default.nix6
-rw-r--r--nixpkgs/nixos/modules/services/x11/desktop-managers/default.nix2
-rw-r--r--nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix35
-rw-r--r--nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix16
-rw-r--r--nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix111
-rw-r--r--nixpkgs/nixos/modules/services/x11/desktop-managers/xfce4-14.nix152
-rw-r--r--nixpkgs/nixos/modules/services/x11/display-managers/default.nix12
-rw-r--r--nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix65
-rw-r--r--nixpkgs/nixos/modules/services/x11/display-managers/sddm.nix2
-rwxr-xr-xnixpkgs/nixos/modules/services/x11/display-managers/set-session.py86
-rw-r--r--nixpkgs/nixos/modules/services/x11/display-managers/slim.nix160
-rw-r--r--nixpkgs/nixos/modules/services/x11/hardware/digimend.nix43
-rw-r--r--nixpkgs/nixos/modules/services/x11/hardware/libinput.nix8
-rw-r--r--nixpkgs/nixos/modules/services/x11/window-managers/xmonad.nix2
-rw-r--r--nixpkgs/nixos/modules/services/x11/xserver.nix1
-rw-r--r--nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl12
-rw-r--r--nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix4
-rw-r--r--nixpkgs/nixos/modules/system/boot/networkd.nix8
-rw-r--r--nixpkgs/nixos/modules/system/boot/plymouth.nix10
-rw-r--r--nixpkgs/nixos/modules/system/boot/resolved.nix2
-rw-r--r--nixpkgs/nixos/modules/system/boot/systemd-unit-options.nix2
-rw-r--r--nixpkgs/nixos/modules/system/boot/systemd.nix2
-rw-r--r--nixpkgs/nixos/modules/system/boot/timesyncd.nix18
-rw-r--r--nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix11
-rw-r--r--nixpkgs/nixos/modules/testing/test-instrumentation.nix2
-rw-r--r--nixpkgs/nixos/modules/virtualisation/amazon-image.nix3
-rw-r--r--nixpkgs/nixos/modules/virtualisation/containers.nix2
-rw-r--r--nixpkgs/nixos/modules/virtualisation/digital-ocean-config.nix197
-rw-r--r--nixpkgs/nixos/modules/virtualisation/digital-ocean-image.nix69
-rw-r--r--nixpkgs/nixos/modules/virtualisation/digital-ocean-init.nix95
-rw-r--r--nixpkgs/nixos/modules/virtualisation/ec2-amis.nix18
-rw-r--r--nixpkgs/nixos/modules/virtualisation/libvirtd.nix3
-rw-r--r--nixpkgs/nixos/modules/virtualisation/openvswitch.nix13
-rw-r--r--nixpkgs/nixos/modules/virtualisation/qemu-vm.nix137
-rw-r--r--nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix9
-rw-r--r--nixpkgs/nixos/release-combined.nix5
-rw-r--r--nixpkgs/nixos/release-small.nix3
-rw-r--r--nixpkgs/nixos/tests/acme.nix64
-rw-r--r--nixpkgs/nixos/tests/all-tests.nix41
-rw-r--r--nixpkgs/nixos/tests/ammonite.nix6
-rw-r--r--nixpkgs/nixos/tests/atd.nix20
-rw-r--r--nixpkgs/nixos/tests/automysqlbackup.nix32
-rw-r--r--nixpkgs/nixos/tests/avahi.nix70
-rw-r--r--nixpkgs/nixos/tests/babeld.nix34
-rw-r--r--nixpkgs/nixos/tests/bcachefs.nix44
-rw-r--r--nixpkgs/nixos/tests/beanstalkd.nix16
-rw-r--r--nixpkgs/nixos/tests/beegfs.nix115
-rw-r--r--nixpkgs/nixos/tests/bees.nix37
-rw-r--r--nixpkgs/nixos/tests/bind.nix8
-rw-r--r--nixpkgs/nixos/tests/bittorrent.nix58
-rw-r--r--nixpkgs/nixos/tests/boot-stage1.nix14
-rw-r--r--nixpkgs/nixos/tests/boot.nix35
-rw-r--r--nixpkgs/nixos/tests/borgbackup.nix122
-rw-r--r--nixpkgs/nixos/tests/caddy.nix57
-rw-r--r--nixpkgs/nixos/tests/cadvisor.nix23
-rw-r--r--nixpkgs/nixos/tests/cassandra.nix134
-rw-r--r--nixpkgs/nixos/tests/ceph-multi-node.nix225
-rw-r--r--nixpkgs/nixos/tests/ceph-single-node.nix183
-rw-r--r--nixpkgs/nixos/tests/ceph.nix161
-rw-r--r--nixpkgs/nixos/tests/certmgr.nix28
-rw-r--r--nixpkgs/nixos/tests/cfssl.nix8
-rw-r--r--nixpkgs/nixos/tests/cjdns.nix47
-rw-r--r--nixpkgs/nixos/tests/clickhouse.nix20
-rw-r--r--nixpkgs/nixos/tests/cloud-init.nix13
-rw-r--r--nixpkgs/nixos/tests/codimd.nix26
-rw-r--r--nixpkgs/nixos/tests/colord.nix18
-rw-r--r--nixpkgs/nixos/tests/common/letsencrypt/common.nix26
-rw-r--r--nixpkgs/nixos/tests/common/letsencrypt/default.nix370
-rw-r--r--nixpkgs/nixos/tests/common/letsencrypt/mkcerts.nix2
-rw-r--r--nixpkgs/nixos/tests/common/letsencrypt/snakeoil-certs.nix451
-rw-r--r--nixpkgs/nixos/tests/containers-bridge.nix79
-rw-r--r--nixpkgs/nixos/tests/containers-ephemeral.nix36
-rw-r--r--nixpkgs/nixos/tests/containers-hosts.nix12
-rw-r--r--nixpkgs/nixos/tests/containers-imperative.nix186
-rw-r--r--nixpkgs/nixos/tests/containers-ip.nix77
-rw-r--r--nixpkgs/nixos/tests/containers-ipv4.nix55
-rw-r--r--nixpkgs/nixos/tests/containers-ipv6.nix60
-rw-r--r--nixpkgs/nixos/tests/containers-reloadable.nix31
-rw-r--r--nixpkgs/nixos/tests/containers-tmpfs.nix104
-rw-r--r--nixpkgs/nixos/tests/couchdb.nix56
-rw-r--r--nixpkgs/nixos/tests/deluge.nix26
-rw-r--r--nixpkgs/nixos/tests/dnscrypt-proxy.nix12
-rw-r--r--nixpkgs/nixos/tests/docker-edge.nix22
-rw-r--r--nixpkgs/nixos/tests/docker-registry.nix62
-rw-r--r--nixpkgs/nixos/tests/docker.nix22
-rw-r--r--nixpkgs/nixos/tests/documize.nix56
-rw-r--r--nixpkgs/nixos/tests/dovecot.nix16
-rw-r--r--nixpkgs/nixos/tests/emacs-daemon.nix23
-rw-r--r--nixpkgs/nixos/tests/etcd-cluster.nix47
-rw-r--r--nixpkgs/nixos/tests/etcd.nix16
-rw-r--r--nixpkgs/nixos/tests/fancontrol.nix28
-rw-r--r--nixpkgs/nixos/tests/firefox.nix36
-rw-r--r--nixpkgs/nixos/tests/firewall.nix30
-rw-r--r--nixpkgs/nixos/tests/fish.nix11
-rw-r--r--nixpkgs/nixos/tests/flatpak-builder.nix20
-rw-r--r--nixpkgs/nixos/tests/flatpak.nix26
-rw-r--r--nixpkgs/nixos/tests/fluentd.nix17
-rw-r--r--nixpkgs/nixos/tests/fontconfig-default-fonts.nix15
-rw-r--r--nixpkgs/nixos/tests/fsck.nix22
-rw-r--r--nixpkgs/nixos/tests/fwupd.nix21
-rw-r--r--nixpkgs/nixos/tests/gdk-pixbuf.nix21
-rw-r--r--nixpkgs/nixos/tests/gitea.nix30
-rw-r--r--nixpkgs/nixos/tests/gitlab.nix48
-rw-r--r--nixpkgs/nixos/tests/gitolite.nix103
-rw-r--r--nixpkgs/nixos/tests/gjs.nix19
-rw-r--r--nixpkgs/nixos/tests/glib-networking.nix17
-rw-r--r--nixpkgs/nixos/tests/glusterfs.nix32
-rw-r--r--nixpkgs/nixos/tests/gnome-photos.nix42
-rw-r--r--nixpkgs/nixos/tests/google-oslogin/default.nix54
-rw-r--r--nixpkgs/nixos/tests/gotify-server.nix45
-rw-r--r--nixpkgs/nixos/tests/grafana.nix48
-rw-r--r--nixpkgs/nixos/tests/graphene.nix18
-rw-r--r--nixpkgs/nixos/tests/graylog.nix82
-rw-r--r--nixpkgs/nixos/tests/handbrake.nix12
-rw-r--r--nixpkgs/nixos/tests/haproxy.nix4
-rw-r--r--nixpkgs/nixos/tests/hibernate.nix23
-rw-r--r--nixpkgs/nixos/tests/hound.nix19
-rw-r--r--nixpkgs/nixos/tests/icingaweb2.nix8
-rw-r--r--nixpkgs/nixos/tests/iftop.nix25
-rw-r--r--nixpkgs/nixos/tests/incron.nix32
-rw-r--r--nixpkgs/nixos/tests/influxdb.nix33
-rw-r--r--nixpkgs/nixos/tests/initrd-network-ssh/default.nix38
-rw-r--r--nixpkgs/nixos/tests/installed-tests/colord.nix5
-rw-r--r--nixpkgs/nixos/tests/installed-tests/default.nix80
-rw-r--r--nixpkgs/nixos/tests/installed-tests/flatpak-builder.nix14
-rw-r--r--nixpkgs/nixos/tests/installed-tests/flatpak.nix19
-rw-r--r--nixpkgs/nixos/tests/installed-tests/fwupd.nix12
-rw-r--r--nixpkgs/nixos/tests/installed-tests/gcab.nix5
-rw-r--r--nixpkgs/nixos/tests/installed-tests/gdk-pixbuf.nix13
-rw-r--r--nixpkgs/nixos/tests/installed-tests/gjs.nix6
-rw-r--r--nixpkgs/nixos/tests/installed-tests/glib-networking.nix5
-rw-r--r--nixpkgs/nixos/tests/installed-tests/gnome-photos.nix35
-rw-r--r--nixpkgs/nixos/tests/installed-tests/graphene.nix5
-rw-r--r--nixpkgs/nixos/tests/installed-tests/libgdata.nix11
-rw-r--r--nixpkgs/nixos/tests/installed-tests/libxmlb.nix5
-rw-r--r--nixpkgs/nixos/tests/installed-tests/ostree.nix23
-rw-r--r--nixpkgs/nixos/tests/installed-tests/xdg-desktop-portal.nix5
-rw-r--r--nixpkgs/nixos/tests/installer.nix4
-rw-r--r--nixpkgs/nixos/tests/jackett.nix9
-rw-r--r--nixpkgs/nixos/tests/jellyfin.nix8
-rw-r--r--nixpkgs/nixos/tests/jenkins.nix19
-rw-r--r--nixpkgs/nixos/tests/jormungandr.nix77
-rw-r--r--nixpkgs/nixos/tests/kerberos/heimdal.nix39
-rw-r--r--nixpkgs/nixos/tests/kerberos/mit.nix28
-rw-r--r--nixpkgs/nixos/tests/kernel-latest.nix6
-rw-r--r--nixpkgs/nixos/tests/kernel-lts.nix6
-rw-r--r--nixpkgs/nixos/tests/kernel-testing.nix6
-rw-r--r--nixpkgs/nixos/tests/knot.nix68
-rw-r--r--nixpkgs/nixos/tests/kubernetes/base.nix1
-rw-r--r--nixpkgs/nixos/tests/libgdata.nix21
-rw-r--r--nixpkgs/nixos/tests/libxmlb.nix17
-rw-r--r--nixpkgs/nixos/tests/lightdm.nix16
-rw-r--r--nixpkgs/nixos/tests/login.nix104
-rw-r--r--nixpkgs/nixos/tests/loki.nix18
-rw-r--r--nixpkgs/nixos/tests/lorri/builder.sh3
-rw-r--r--nixpkgs/nixos/tests/lorri/default.nix26
-rw-r--r--nixpkgs/nixos/tests/lorri/fake-shell.nix5
-rw-r--r--nixpkgs/nixos/tests/magnetico.nix26
-rw-r--r--nixpkgs/nixos/tests/mailcatcher.nix4
-rw-r--r--nixpkgs/nixos/tests/make-test-python.nix9
-rw-r--r--nixpkgs/nixos/tests/matomo.nix43
-rw-r--r--nixpkgs/nixos/tests/matrix-synapse.nix20
-rw-r--r--nixpkgs/nixos/tests/memcached.nix26
-rw-r--r--nixpkgs/nixos/tests/metabase.nix10
-rw-r--r--nixpkgs/nixos/tests/minidlna.nix14
-rw-r--r--nixpkgs/nixos/tests/miniflux.nix24
-rw-r--r--nixpkgs/nixos/tests/minio.nix32
-rw-r--r--nixpkgs/nixos/tests/moinmoin.nix24
-rw-r--r--nixpkgs/nixos/tests/mongodb.nix10
-rw-r--r--nixpkgs/nixos/tests/moodle.nix8
-rw-r--r--nixpkgs/nixos/tests/morty.nix10
-rw-r--r--nixpkgs/nixos/tests/mosquitto.nix70
-rw-r--r--nixpkgs/nixos/tests/mpd.nix111
-rw-r--r--nixpkgs/nixos/tests/mysql-backup.nix48
-rw-r--r--nixpkgs/nixos/tests/mysql-replication.nix46
-rw-r--r--nixpkgs/nixos/tests/mysql.nix26
-rw-r--r--nixpkgs/nixos/tests/ndppd.nix10
-rw-r--r--nixpkgs/nixos/tests/neo4j.nix10
-rw-r--r--nixpkgs/nixos/tests/netdata.nix19
-rw-r--r--nixpkgs/nixos/tests/nextcloud/basic.nix18
-rw-r--r--nixpkgs/nixos/tests/nextcloud/with-mysql-and-memcached.nix21
-rw-r--r--nixpkgs/nixos/tests/nextcloud/with-postgresql-and-redis.nix20
-rw-r--r--nixpkgs/nixos/tests/nexus.nix10
-rw-r--r--nixpkgs/nixos/tests/nix-ssh-serve.nix30
-rw-r--r--nixpkgs/nixos/tests/nixos-generate-config.nix14
-rw-r--r--nixpkgs/nixos/tests/openarena.nix36
-rw-r--r--nixpkgs/nixos/tests/opensmtpd.nix26
-rw-r--r--nixpkgs/nixos/tests/openssh.nix94
-rw-r--r--nixpkgs/nixos/tests/orangefs.nix88
-rw-r--r--nixpkgs/nixos/tests/os-prober.nix3
-rw-r--r--nixpkgs/nixos/tests/osquery.nix28
-rw-r--r--nixpkgs/nixos/tests/ostree.nix21
-rw-r--r--nixpkgs/nixos/tests/packagekit.nix10
-rw-r--r--nixpkgs/nixos/tests/pantheon.nix66
-rw-r--r--nixpkgs/nixos/tests/pgjwt.nix23
-rw-r--r--nixpkgs/nixos/tests/plasma5.nix68
-rw-r--r--nixpkgs/nixos/tests/postgresql.nix44
-rw-r--r--nixpkgs/nixos/tests/powerdns.nix7
-rw-r--r--nixpkgs/nixos/tests/pppd.nix12
-rw-r--r--nixpkgs/nixos/tests/prometheus-exporters.nix222
-rw-r--r--nixpkgs/nixos/tests/prometheus.nix78
-rw-r--r--nixpkgs/nixos/tests/quake3.nix95
-rw-r--r--nixpkgs/nixos/tests/rabbitmq.nix16
-rw-r--r--nixpkgs/nixos/tests/radarr.nix8
-rw-r--r--nixpkgs/nixos/tests/redis.nix14
-rw-r--r--nixpkgs/nixos/tests/redmine.nix13
-rw-r--r--nixpkgs/nixos/tests/roundcube.nix14
-rw-r--r--nixpkgs/nixos/tests/rss2email.nix16
-rw-r--r--nixpkgs/nixos/tests/rxe.nix32
-rw-r--r--nixpkgs/nixos/tests/samba.nix14
-rw-r--r--nixpkgs/nixos/tests/sddm.nix28
-rw-r--r--nixpkgs/nixos/tests/shiori.nix76
-rw-r--r--nixpkgs/nixos/tests/signal-desktop.nix12
-rw-r--r--nixpkgs/nixos/tests/simple.nix8
-rw-r--r--nixpkgs/nixos/tests/slim.nix66
-rw-r--r--nixpkgs/nixos/tests/slurm.nix87
-rw-r--r--nixpkgs/nixos/tests/smokeping.nix16
-rw-r--r--nixpkgs/nixos/tests/snapper.nix32
-rw-r--r--nixpkgs/nixos/tests/spike.nix22
-rw-r--r--nixpkgs/nixos/tests/strongswan-swanctl.nix6
-rw-r--r--nixpkgs/nixos/tests/sudo.nix52
-rw-r--r--nixpkgs/nixos/tests/syncthing-init.nix12
-rw-r--r--nixpkgs/nixos/tests/syncthing-relay.nix14
-rw-r--r--nixpkgs/nixos/tests/systemd-networkd-wireguard.nix25
-rw-r--r--nixpkgs/nixos/tests/systemd-nspawn.nix60
-rw-r--r--nixpkgs/nixos/tests/telegraf.nix8
-rw-r--r--nixpkgs/nixos/tests/tinydns.nix8
-rw-r--r--nixpkgs/nixos/tests/tor.nix10
-rw-r--r--nixpkgs/nixos/tests/trac.nix19
-rw-r--r--nixpkgs/nixos/tests/transmission.nix8
-rw-r--r--nixpkgs/nixos/tests/trezord.nix12
-rw-r--r--nixpkgs/nixos/tests/trickster.nix37
-rw-r--r--nixpkgs/nixos/tests/udisks2.nix44
-rw-r--r--nixpkgs/nixos/tests/upnp.nix20
-rw-r--r--nixpkgs/nixos/tests/uwsgi.nix10
-rw-r--r--nixpkgs/nixos/tests/vault.nix14
-rw-r--r--nixpkgs/nixos/tests/wireguard/default.nix12
-rw-r--r--nixpkgs/nixos/tests/wireguard/generated.nix56
-rw-r--r--nixpkgs/nixos/tests/wireguard/namespaces.nix80
-rw-r--r--nixpkgs/nixos/tests/wordpress.nix42
-rw-r--r--nixpkgs/nixos/tests/xautolock.nix12
-rw-r--r--nixpkgs/nixos/tests/xdg-desktop-portal.nix17
-rw-r--r--nixpkgs/nixos/tests/xfce.nix36
-rw-r--r--nixpkgs/nixos/tests/xfce4-14.nix37
-rw-r--r--nixpkgs/nixos/tests/xmonad.nix32
-rw-r--r--nixpkgs/nixos/tests/xmpp/ejabberd.nix26
-rw-r--r--nixpkgs/nixos/tests/xmpp/prosody-mysql.nix20
-rw-r--r--nixpkgs/nixos/tests/xmpp/prosody.nix20
-rw-r--r--nixpkgs/nixos/tests/xss-lock.nix26
-rw-r--r--nixpkgs/nixos/tests/yabar.nix14
-rw-r--r--nixpkgs/nixos/tests/yggdrasil.nix125
-rw-r--r--nixpkgs/nixos/tests/zfs.nix20
-rw-r--r--nixpkgs/nixos/tests/zookeeper.nix22
439 files changed, 9936 insertions, 6221 deletions
diff --git a/nixpkgs/nixos/doc/manual/configuration/profiles/graphical.xml b/nixpkgs/nixos/doc/manual/configuration/profiles/graphical.xml
index 73e3abc59d0..cc6d0825d24 100644
--- a/nixpkgs/nixos/doc/manual/configuration/profiles/graphical.xml
+++ b/nixpkgs/nixos/doc/manual/configuration/profiles/graphical.xml
@@ -13,9 +13,7 @@
<para>
It sets <xref linkend="opt-services.xserver.enable"/>,
<xref linkend="opt-services.xserver.displayManager.sddm.enable"/>,
- <xref linkend="opt-services.xserver.desktopManager.plasma5.enable"/> (
- <link linkend="opt-services.xserver.desktopManager.plasma5.enableQt4Support">
- without Qt4 Support</link>), and
+ <xref linkend="opt-services.xserver.desktopManager.plasma5.enable"/>, and
<xref linkend="opt-services.xserver.libinput.enable"/> to true. It also
includes glxinfo and firefox in the system packages list.
</para>
diff --git a/nixpkgs/nixos/doc/manual/configuration/x-windows.xml b/nixpkgs/nixos/doc/manual/configuration/x-windows.xml
index f6f659b02af..9206f43ea39 100644
--- a/nixpkgs/nixos/doc/manual/configuration/x-windows.xml
+++ b/nixpkgs/nixos/doc/manual/configuration/x-windows.xml
@@ -39,7 +39,7 @@
can select an alternative one by picking one of the following lines:
<programlisting>
<xref linkend="opt-services.xserver.displayManager.sddm.enable"/> = true;
-<xref linkend="opt-services.xserver.displayManager.slim.enable"/> = true;
+<xref linkend="opt-services.xserver.displayManager.gdm.enable"/> = true;
</programlisting>
</para>
<para>
diff --git a/nixpkgs/nixos/doc/manual/default.nix b/nixpkgs/nixos/doc/manual/default.nix
index f9de2db1a08..6ca75f869f4 100644
--- a/nixpkgs/nixos/doc/manual/default.nix
+++ b/nixpkgs/nixos/doc/manual/default.nix
@@ -62,14 +62,13 @@ let
"--stringparam html.stylesheet 'style.css overrides.css highlightjs/mono-blue.css'"
"--stringparam html.script './highlightjs/highlight.pack.js ./highlightjs/loader.js'"
"--param xref.with.number.and.title 1"
- "--param toc.section.depth 3"
+ "--param toc.section.depth 0"
"--stringparam admon.style ''"
"--stringparam callout.graphics.extension .svg"
"--stringparam current.docid manual"
"--param chunk.section.depth 0"
"--param chunk.first.sections 1"
"--param use.id.as.filename 1"
- "--stringparam generate.toc 'book toc appendix toc'"
"--stringparam chunk.toc ${toc}"
];
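Review bot: The two table-of-contents parameters in this flag list change with no comment saying why, and the reason cannot be recovered from the hunk. `toc.section.depth` drops from 3 to 0 and the `generate.toc` line is removed, while `--stringparam chunk.toc ${toc}` stays. Presumably the manual's table of contents is now meant to come from `${toc}` alone; if so, a one-line comment above the depth setting, such as `# TOC is driven by chunk.toc (${toc}); keep sections out of generated TOCs`, would stop a later edit from restoring the old values. The list starts before the hunk, inside a `let` block that is not fully visible here.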
diff --git a/nixpkgs/nixos/doc/manual/development/option-declarations.xml b/nixpkgs/nixos/doc/manual/development/option-declarations.xml
index eee81bf6426..56ebf481630 100644
--- a/nixpkgs/nixos/doc/manual/development/option-declarations.xml
+++ b/nixpkgs/nixos/doc/manual/development/option-declarations.xml
@@ -99,7 +99,7 @@ xlink:href="https://nixos.org/nixpkgs/manual/#sec-package-naming">
<para>
As an example, we will take the case of display managers. There is a central
display manager module for generic display manager options and a module file
- per display manager backend (slim, sddm, gdm ...).
+ per display manager backend (sddm, gdm ...).
</para>
<para>
@@ -146,7 +146,7 @@ xlink:href="https://nixos.org/nixpkgs/manual/#sec-package-naming">
/>), and to extend
it in each backend module
(<xref
- linkend='ex-option-declaration-eot-backend-slim' />,
+ linkend='ex-option-declaration-eot-backend-gdm' />,
<xref
linkend='ex-option-declaration-eot-backend-sddm' />).
</para>
@@ -167,11 +167,11 @@ services.xserver.displayManager.enable = mkOption {
};</screen>
</example>
- <example xml:id='ex-option-declaration-eot-backend-slim'>
- <title>Extending <literal>services.xserver.displayManager.enable</literal> in the <literal>slim</literal> module</title>
+ <example xml:id='ex-option-declaration-eot-backend-gdm'>
+ <title>Extending <literal>services.xserver.displayManager.enable</literal> in the <literal>gdm</literal> module</title>
<screen>
services.xserver.displayManager.enable = mkOption {
- type = with types; nullOr (enum [ "slim" ]);
+ type = with types; nullOr (enum [ "gdm" ]);
};</screen>
</example>
diff --git a/nixpkgs/nixos/doc/manual/development/releases.xml b/nixpkgs/nixos/doc/manual/development/releases.xml
index 1cdec64f69b..9371af9984d 100755
--- a/nixpkgs/nixos/doc/manual/development/releases.xml
+++ b/nixpkgs/nixos/doc/manual/development/releases.xml
@@ -45,12 +45,12 @@
<listitem>
<para>
<literal>git tag -a -s -m &quot;Release 17.09-beta&quot; 17.09-beta
- &amp;&amp; git push --tags</literal>
+ &amp;&amp; git push origin 17.09-beta</literal>
</para>
</listitem>
<listitem>
<para>
- From the master branch run <literal>git checkout -B
+ From the master branch run <literal>git checkout -b
release-17.09</literal>.
</para>
</listitem>
@@ -157,7 +157,7 @@
<listitem>
<para>
Release Nix (currently only Eelco Dolstra can do that).
- <link xlink:href="https://github.com/NixOS/nixpkgs/commit/53710c752a85f00658882531bc90a23a3d1287e4">
+ <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/installer/tools/nix-fallback-paths.nix">
Make sure fallback is updated. </link>
</para>
</listitem>
@@ -169,8 +169,8 @@
</listitem>
<listitem>
<para>
- Change <literal>stableBranch</literal> to true and wait for channel to
- update.
+ Change <literal>stableBranch</literal> to <literal>true</literal> in Hydra and wait for
+ the channel to update.
</para>
</listitem>
</itemizedlist>
@@ -193,9 +193,11 @@
</listitem>
<listitem>
<para>
- Update http://nixos.org/nixos/download.html and
- http://nixos.org/nixos/manual in
- https://github.com/NixOS/nixos-org-configurations
+ Update the
+ <link xlink:href="https://github.com/NixOS/nixos-homepage/commit/2a37975d5a617ecdfca94696242b6f32ffcba9f1"><code>NIXOS_SERIES</code></link>
+ in the
+ <link xlink:href="https://github.com/NixOS/nixos-homepage">nixos-homepage</link>
+ repository.
</para>
</listitem>
<listitem>
@@ -212,7 +214,8 @@
</listitem>
<listitem>
<para>
- Send an email to nix-dev to announce the release with above information.
+ Create a new topic on <link xlink:href="https://discourse.nixos.org/">the
+ Discourse instance</link> to announce the release with the above information.
Best to check how previous email was formulated to see what needs to be
included.
</para>
diff --git a/nixpkgs/nixos/doc/manual/development/running-nixos-tests-interactively.xml b/nixpkgs/nixos/doc/manual/development/running-nixos-tests-interactively.xml
index e390d62fde2..31216874c70 100644
--- a/nixpkgs/nixos/doc/manual/development/running-nixos-tests-interactively.xml
+++ b/nixpkgs/nixos/doc/manual/development/running-nixos-tests-interactively.xml
@@ -2,7 +2,7 @@
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
- xml:id="sec-running-nixos-tests">
+ xml:id="sec-running-nixos-tests-interactively">
<title>Running Tests interactively</title>
<para>
@@ -14,14 +14,14 @@
starting VDE switch for network 1
<prompt>&gt;</prompt>
</screen>
- You can then take any Perl statement, e.g.
+ You can then take any Python statement, e.g.
<screen>
-<prompt>&gt;</prompt> startAll
-<prompt>&gt;</prompt> testScript
-<prompt>&gt;</prompt> $machine->succeed("touch /tmp/foo")
-<prompt>&gt;</prompt> print($machine->succeed("pwd")) # Show stdout of command
+<prompt>&gt;</prompt> start_all()
+<prompt>&gt;</prompt> test_script()
+<prompt>&gt;</prompt> machine.succeed("touch /tmp/foo")
+<prompt>&gt;</prompt> print(machine.succeed("pwd")) # Show stdout of command
</screen>
- The function <command>testScript</command> executes the entire test script
+ The function <command>test_script</command> executes the entire test script
and drops you back into the test driver command line upon its completion.
This allows you to inspect the state of the VMs after the test (e.g. to debug
the test script).
diff --git a/nixpkgs/nixos/doc/manual/development/running-nixos-tests.xml b/nixpkgs/nixos/doc/manual/development/running-nixos-tests.xml
index 13ae1ed9369..e9257c907da 100644
--- a/nixpkgs/nixos/doc/manual/development/running-nixos-tests.xml
+++ b/nixpkgs/nixos/doc/manual/development/running-nixos-tests.xml
@@ -2,7 +2,7 @@
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
- xml:id="sec-running-nixos-tests-interactively">
+ xml:id="sec-running-nixos-tests">
<title>Running Tests</title>
<para>
diff --git a/nixpkgs/nixos/doc/manual/development/sources.xml b/nixpkgs/nixos/doc/manual/development/sources.xml
index 3c30c782746..b333ccabb42 100644
--- a/nixpkgs/nixos/doc/manual/development/sources.xml
+++ b/nixpkgs/nixos/doc/manual/development/sources.xml
@@ -13,17 +13,16 @@
<screen>
<prompt>$ </prompt>git clone https://github.com/NixOS/nixpkgs
<prompt>$ </prompt>cd nixpkgs
-<prompt>$ </prompt>git remote add channels https://github.com/NixOS/nixpkgs-channels
-<prompt>$ </prompt>git remote update channels
+<prompt>$ </prompt>git remote update origin
</screen>
This will check out the latest Nixpkgs sources to
<filename>./nixpkgs</filename> the NixOS sources to
<filename>./nixpkgs/nixos</filename>. (The NixOS source tree lives in a
- subdirectory of the Nixpkgs repository.) The remote
- <literal>channels</literal> refers to a read-only repository that tracks the
- Nixpkgs/NixOS channels (see <xref linkend="sec-upgrading"/> for more
+ subdirectory of the Nixpkgs repository.) The
+ <literal>nixpkgs</literal> repository has branches that correspond
+ to each Nixpkgs/NixOS channel (see <xref linkend="sec-upgrading"/> for more
information about channels). Thus, the Git branch
- <literal>channels/nixos-17.03</literal> will contain the latest built and
+ <literal>origin/nixos-17.03</literal> will contain the latest built and
tested version available in the <literal>nixos-17.03</literal> channel.
</para>
<para>
@@ -40,15 +39,15 @@
Or, to base your local branch on the latest version available in a NixOS
channel:
<screen>
-<prompt>$ </prompt>git remote update channels
-<prompt>$ </prompt>git checkout -b local channels/nixos-17.03
+<prompt>$ </prompt>git remote update origin
+<prompt>$ </prompt>git checkout -b local origin/nixos-17.03
</screen>
(Replace <literal>nixos-17.03</literal> with the name of the channel you want
to use.) You can use <command>git merge</command> or <command>git
rebase</command> to keep your local branch in sync with the channel, e.g.
<screen>
-<prompt>$ </prompt>git remote update channels
-<prompt>$ </prompt>git merge channels/nixos-17.03
+<prompt>$ </prompt>git remote update origin
+<prompt>$ </prompt>git merge origin/nixos-17.03
</screen>
You can use <command>git cherry-pick</command> to copy commits from your
local branch to the upstream branch.
diff --git a/nixpkgs/nixos/doc/manual/development/writing-nixos-tests.xml b/nixpkgs/nixos/doc/manual/development/writing-nixos-tests.xml
index 6be2d0a4d23..24efd2e3273 100644
--- a/nixpkgs/nixos/doc/manual/development/writing-nixos-tests.xml
+++ b/nixpkgs/nixos/doc/manual/development/writing-nixos-tests.xml
@@ -8,7 +8,7 @@
<para>
A NixOS test is a Nix expression that has the following structure:
<programlisting>
-import ./make-test.nix {
+import ./make-test-python.nix {
# Either the configuration of a single machine:
machine =
@@ -27,11 +27,11 @@ import ./make-test.nix {
testScript =
''
- <replaceable>Perl code…</replaceable>
+ <replaceable>Python code…</replaceable>
'';
}
</programlisting>
- The attribute <literal>testScript</literal> is a bit of Perl code that
+ The attribute <literal>testScript</literal> is a bit of Python code that
executes the test (described below). During the test, it will start one or
more virtual machines, the configuration of which is described by the
attribute <literal>machine</literal> (if you need only one machine in your
@@ -96,26 +96,27 @@ xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualis
</para>
<para>
- The test script is a sequence of Perl statements that perform various
+ The test script is a sequence of Python statements that perform various
actions, such as starting VMs, executing commands in the VMs, and so on. Each
virtual machine is represented as an object stored in the variable
- <literal>$<replaceable>name</replaceable></literal>, where
- <replaceable>name</replaceable> is the identifier of the machine (which is
- just <literal>machine</literal> if you didn’t specify multiple machines
- using the <literal>nodes</literal> attribute). For instance, the following
- starts the machine, waits until it has finished booting, then executes a
- command and checks that the output is more-or-less correct:
+ <literal><replaceable>name</replaceable></literal> if this is also the
+ identifier of the machine in the declarative config.
+ If you didn't specify multiple machines using the <literal>nodes</literal>
+ attribute, it is just <literal>machine</literal>.
+ The following example starts the machine, waits until it has finished booting,
+ then executes a command and checks that the output is more-or-less correct:
<programlisting>
-$machine->start;
-$machine->waitForUnit("default.target");
-$machine->succeed("uname") =~ /Linux/ or die;
+machine.start()
+machine.wait_for_unit("default.target")
+if not "Linux" in machine.succeed("uname"):
+ raise Exception("Wrong OS")
</programlisting>
The first line is actually unnecessary; machines are implicitly started when
- you first execute an action on them (such as <literal>waitForUnit</literal>
+ you first execute an action on them (such as <literal>wait_for_unit</literal>
or <literal>succeed</literal>). If you have multiple machines, you can speed
up the test by starting them in parallel:
<programlisting>
-startAll;
+start_all()
</programlisting>
</para>
@@ -187,7 +188,7 @@ startAll;
</varlistentry>
<varlistentry>
<term>
- <methodname>getScreenText</methodname>
+ <methodname>get_screen_text</methodname>
</term>
<listitem>
<para>
@@ -204,7 +205,7 @@ startAll;
</varlistentry>
<varlistentry>
<term>
- <methodname>sendMonitorCommand</methodname>
+ <methodname>send_monitor_command</methodname>
</term>
<listitem>
<para>
@@ -215,23 +216,23 @@ startAll;
</varlistentry>
<varlistentry>
<term>
- <methodname>sendKeys</methodname>
+ <methodname>send_keys</methodname>
</term>
<listitem>
<para>
Simulate pressing keys on the virtual keyboard, e.g.,
- <literal>sendKeys("ctrl-alt-delete")</literal>.
+ <literal>send_keys("ctrl-alt-delete")</literal>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
- <methodname>sendChars</methodname>
+ <methodname>send_chars</methodname>
</term>
<listitem>
<para>
Simulate typing a sequence of characters on the virtual keyboard, e.g.,
- <literal>sendKeys("foobar\n")</literal> will type the string
+ <literal>send_keys("foobar\n")</literal> will type the string
<literal>foobar</literal> followed by the Enter key.
</para>
</listitem>
@@ -272,7 +273,7 @@ startAll;
</varlistentry>
<varlistentry>
<term>
- <methodname>waitUntilSucceeds</methodname>
+ <methodname>wait_until_succeeds</methodname>
</term>
<listitem>
<para>
@@ -282,7 +283,7 @@ startAll;
</varlistentry>
<varlistentry>
<term>
- <methodname>waitUntilFails</methodname>
+ <methodname>wait_until_fails</methodname>
</term>
<listitem>
<para>
@@ -292,7 +293,7 @@ startAll;
</varlistentry>
<varlistentry>
<term>
- <methodname>waitForUnit</methodname>
+ <methodname>wait_for_unit</methodname>
</term>
<listitem>
<para>
@@ -302,7 +303,7 @@ startAll;
</varlistentry>
<varlistentry>
<term>
- <methodname>waitForFile</methodname>
+ <methodname>wait_for_file</methodname>
</term>
<listitem>
<para>
@@ -312,7 +313,7 @@ startAll;
</varlistentry>
<varlistentry>
<term>
- <methodname>waitForOpenPort</methodname>
+ <methodname>wait_for_open_port</methodname>
</term>
<listitem>
<para>
@@ -323,7 +324,7 @@ startAll;
</varlistentry>
<varlistentry>
<term>
- <methodname>waitForClosedPort</methodname>
+ <methodname>wait_for_closed_port</methodname>
</term>
<listitem>
<para>
@@ -333,7 +334,7 @@ startAll;
</varlistentry>
<varlistentry>
<term>
- <methodname>waitForX</methodname>
+ <methodname>wait_for_x</methodname>
</term>
<listitem>
<para>
@@ -343,13 +344,13 @@ startAll;
</varlistentry>
<varlistentry>
<term>
- <methodname>waitForText</methodname>
+ <methodname>wait_for_text</methodname>
</term>
<listitem>
<para>
Wait until the supplied regular expressions matches the textual contents
of the screen by using optical character recognition (see
- <methodname>getScreenText</methodname>).
+ <methodname>get_screen_text</methodname>).
</para>
<note>
<para>
@@ -361,23 +362,23 @@ startAll;
</varlistentry>
<varlistentry>
<term>
- <methodname>waitForWindow</methodname>
+ <methodname>wait_for_window</methodname>
</term>
<listitem>
<para>
Wait until an X11 window has appeared whose name matches the given
- regular expression, e.g., <literal>waitForWindow(qr/Terminal/)</literal>.
+ regular expression, e.g., <literal>wait_for_window("Terminal")</literal>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
- <methodname>copyFileFromHost</methodname>
+ <methodname>copy_file_from_host</methodname>
</term>
<listitem>
<para>
Copies a file from host to machine, e.g.,
- <literal>copyFileFromHost("myfile", "/etc/my/important/file")</literal>.
+ <literal>copy_file_from_host("myfile", "/etc/my/important/file")</literal>.
</para>
<para>
The first argument is the file on the host. The file needs to be
@@ -397,8 +398,8 @@ startAll;
</para>
<para>
<programlisting>
-$machine->systemctl("list-jobs --no-pager"); // runs `systemctl list-jobs --no-pager`
-$machine->systemctl("list-jobs --no-pager", "any-user"); // spawns a shell for `any-user` and runs `systemctl --user list-jobs --no-pager`
+machine.systemctl("list-jobs --no-pager") # runs `systemctl list-jobs --no-pager`
+machine.systemctl("list-jobs --no-pager", "any-user") # spawns a shell for `any-user` and runs `systemctl --user list-jobs --no-pager`
</programlisting>
</para>
</listitem>
@@ -408,14 +409,14 @@ $machine->systemctl("list-jobs --no-pager", "any-user"); // spawns a shell for `
<para>
To test user units declared by <literal>systemd.user.services</literal> the
- optional <literal>$user</literal> argument can be used:
+ optional <literal>user</literal> argument can be used:
<programlisting>
-$machine->start;
-$machine->waitForX;
-$machine->waitForUnit("xautolock.service", "x-session-user");
+machine.start()
+machine.wait_for_x()
+machine.wait_for_unit("xautolock.service", "x-session-user")
</programlisting>
- This applies to <literal>systemctl</literal>, <literal>getUnitInfo</literal>,
- <literal>waitForUnit</literal>, <literal>startJob</literal> and
- <literal>stopJob</literal>.
+ This applies to <literal>systemctl</literal>, <literal>get_unit_info</literal>,
+ <literal>wait_for_unit</literal>, <literal>start_job</literal> and
+ <literal>stop_job</literal>.
</para>
</section>
diff --git a/nixpkgs/nixos/doc/manual/installation/installing-virtualbox-guest.xml b/nixpkgs/nixos/doc/manual/installation/installing-virtualbox-guest.xml
index 5c86eacfbf4..0ba909fa953 100644
--- a/nixpkgs/nixos/doc/manual/installation/installing-virtualbox-guest.xml
+++ b/nixpkgs/nixos/doc/manual/installation/installing-virtualbox-guest.xml
@@ -49,6 +49,11 @@
</listitem>
<listitem>
<para>
+ Click on Settings / Display / Screen and select VBoxVGA as Graphics Controller
+ </para>
+ </listitem>
+ <listitem>
+ <para>
Save the settings, start the virtual machine, and continue installation
like normal
</para>
diff --git a/nixpkgs/nixos/doc/manual/installation/installing.xml b/nixpkgs/nixos/doc/manual/installation/installing.xml
index 8ff920eb5a8..7991c43e01f 100644
--- a/nixpkgs/nixos/doc/manual/installation/installing.xml
+++ b/nixpkgs/nixos/doc/manual/installation/installing.xml
@@ -392,11 +392,11 @@
<filename>hardware-configuration.nix</filename> is included from
<filename>configuration.nix</filename> and will be overwritten by future
invocations of <command>nixos-generate-config</command>; thus, you
- generally should not modify it.) Additionally, you may want to look at
+ generally should not modify it.) Additionally, you may want to look at
<link xlink:href="https://github.com/NixOS/nixos-hardware">Hardware
configuration for known-hardware</link> at this point or after
installation.
-
+
</para>
<note>
<para>
@@ -418,11 +418,11 @@
Do the installation:
<screen>
<prompt># </prompt>nixos-install</screen>
- Cross fingers. If this fails due to a temporary problem (such as a network
- issue while downloading binaries from the NixOS binary cache), you can
- just re-run <command>nixos-install</command>. Otherwise, fix your
- <filename>configuration.nix</filename> and then re-run
- <command>nixos-install</command>.
+ This will install your system based on the configuration you provided.
+ If anything fails due to a configuration problem or any other issue
+ (such as a network outage while downloading binaries from the NixOS
+ binary cache), you can re-run <command>nixos-install</command> after
+ fixing your <filename>configuration.nix</filename>.
</para>
<para>
As the last step, <command>nixos-install</command> will ask you to set the
diff --git a/nixpkgs/nixos/doc/manual/man-nixos-option.xml b/nixpkgs/nixos/doc/manual/man-nixos-option.xml
index 81e3739b3be..beabf020c92 100644
--- a/nixpkgs/nixos/doc/manual/man-nixos-option.xml
+++ b/nixpkgs/nixos/doc/manual/man-nixos-option.xml
@@ -19,14 +19,10 @@
</arg>
<arg>
- <option>--verbose</option>
+ <option>--all</option>
</arg>
<arg>
- <option>--xml</option>
- </arg>
-
- <arg choice="plain">
<replaceable>option.name</replaceable>
</arg>
</cmdsynopsis>
@@ -62,22 +58,11 @@
</varlistentry>
<varlistentry>
<term>
- <option>--verbose</option>
- </term>
- <listitem>
- <para>
- This option enables verbose mode, which currently is just the Bash
- <command>set</command> <option>-x</option> debug mode.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>--xml</option>
+ <option>--all</option>
</term>
<listitem>
<para>
- This option causes the output to be rendered as XML.
+ Print the values of all options.
</para>
</listitem>
</varlistentry>
diff --git a/nixpkgs/nixos/doc/manual/man-nixos-rebuild.xml b/nixpkgs/nixos/doc/manual/man-nixos-rebuild.xml
index c697b7ee047..495dbc8859b 100644
--- a/nixpkgs/nixos/doc/manual/man-nixos-rebuild.xml
+++ b/nixpkgs/nixos/doc/manual/man-nixos-rebuild.xml
@@ -494,6 +494,20 @@
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>--use-remote-sudo</option>
+ </term>
+ <listitem>
+ <para>
+ When set, nixos-rebuild prefixes remote commands that run on
+ the <option>--build-host</option> and <option>--target-host</option>
+ systems with <command>sudo</command>. Setting this option allows
+ deploying as a non-root user.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
<para>
diff --git a/nixpkgs/nixos/doc/manual/manual.xml b/nixpkgs/nixos/doc/manual/manual.xml
index 12f52e1997c..18a67a2dd94 100644
--- a/nixpkgs/nixos/doc/manual/manual.xml
+++ b/nixpkgs/nixos/doc/manual/manual.xml
@@ -8,32 +8,7 @@
<subtitle>Version <xi:include href="./generated/version" parse="text" />
</subtitle>
</info>
- <preface xml:id="preface">
- <title>Preface</title>
- <para>
- This manual describes how to install, use and extend NixOS, a Linux
- distribution based on the purely functional package management system Nix.
- </para>
- <para>
- If you encounter problems, please report them on the
- <literal
- xlink:href="https://discourse.nixos.org">Discourse</literal> or
- on the <link
- xlink:href="irc://irc.freenode.net/#nixos">
- <literal>#nixos</literal> channel on Freenode</link>. Bugs should be
- reported in
- <link
- xlink:href="https://github.com/NixOS/nixpkgs/issues">NixOS’
- GitHub issue tracker</link>.
- </para>
- <note>
- <para>
- Commands prefixed with <literal>#</literal> have to be run as root, either
- requiring to login as root user or temporarily switching to it using
- <literal>sudo</literal> for example.
- </para>
- </note>
- </preface>
+ <xi:include href="preface.xml" />
<xi:include href="installation/installation.xml" />
<xi:include href="configuration/configuration.xml" />
<xi:include href="administration/running.xml" />
diff --git a/nixpkgs/nixos/doc/manual/preface.xml b/nixpkgs/nixos/doc/manual/preface.xml
new file mode 100644
index 00000000000..6ac9ae7e786
--- /dev/null
+++ b/nixpkgs/nixos/doc/manual/preface.xml
@@ -0,0 +1,37 @@
+<preface xmlns="http://docbook.org/ns/docbook"
+ xmlns:xlink="http://www.w3.org/1999/xlink"
+ xml:id="preface">
+ <title>Preface</title>
+ <para>
+ This manual describes how to install, use and extend NixOS, a Linux
+ distribution based on the purely functional package management system
+ <link xlink:href="https://nixos.org/nix">Nix</link>, that is composed
+ using modules and packages defined in the
+ <link xlink:href="https://nixos.org/nixpkgs">Nixpkgs</link> project.
+ </para>
+ <para>
+ Additional information regarding the Nix package manager and the Nixpkgs
+ project can be found in respectively the
+ <link xlink:href="https://nixos.org/nix/manual">Nix manual</link> and the
+ <link xlink:href="https://nixos.org/nixpkgs/manual">Nixpkgs manual</link>.
+ </para>
+ <para>
+ If you encounter problems, please report them on the
+ <literal
+ xlink:href="https://discourse.nixos.org">Discourse</literal> or
+ on the <link
+ xlink:href="irc://irc.freenode.net/#nixos">
+ <literal>#nixos</literal> channel on Freenode</link>. Bugs should be
+ reported in
+ <link
+ xlink:href="https://github.com/NixOS/nixpkgs/issues">NixOS’
+ GitHub issue tracker</link>.
+ </para>
+ <note>
+ <para>
+ Commands prefixed with <literal>#</literal> have to be run as root, either
+ requiring to login as root user or temporarily switching to it using
+ <literal>sudo</literal> for example.
+ </para>
+ </note>
+</preface>
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml
index 1b7ca76c2f0..4102fe206e1 100644
--- a/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml
+++ b/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml
@@ -190,6 +190,13 @@
</listitem>
</itemizedlist>
</listitem>
+ <listitem>
+ <para>
+ <xref linkend="opt-services.blueman.enable"/> has been added.
+ If you previously had blueman installed via <option>environment.systemPackages</option> please
+ migrate to using the NixOS module, as this would result in an insufficiently configured blueman.
+ </para>
+ </listitem>
</itemizedlist>
</section>
@@ -536,7 +543,7 @@
<listitem>
<para>
The <option>networking.useDHCP</option> option is unsupported in combination with
- <option>networking.useNetworkd</option> in anticipation of defaulting to it by default.
+ <option>networking.useNetworkd</option> in anticipation of defaulting to it.
It has to be set to <literal>false</literal> and enabled per
interface with <option>networking.interfaces.&lt;name&gt;.useDHCP = true;</option>
</para>
@@ -563,6 +570,27 @@
earlier version of NixOS.
</para>
</listitem>
+ <listitem>
+ <para>
+ Due to the short lifetime of non-LTS kernel releases package attributes like <literal>linux_5_1</literal>,
+ <literal>linux_5_2</literal> and <literal>linux_5_3</literal> have been removed to discourage dependence
+ on specific non-LTS kernel versions in stable NixOS releases.
+
+ Going forward, versioned attributes like <literal>linux_4_9</literal> will exist for LTS versions only.
+ Please use <literal>linux_latest</literal> or <literal>linux_testing</literal> if you depend on non-LTS
+ releases. Keep in mind that <literal>linux_latest</literal> and <literal>linux_testing</literal> will
+ change versions under the hood during the lifetime of a stable release and might include breaking changes.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Because of the systemd upgrade,
+ some network interfaces might change their name. For details see
+ <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.net-naming-scheme.html#History">
+ upstream docs</link> or <link xlink:href="https://github.com/NixOS/nixpkgs/issues/71086">
+ our ticket</link>.
+ </para>
+ </listitem>
</itemizedlist>
</section>
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml
index ab0951e831c..2a5064c71b0 100644
--- a/nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml
+++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml
@@ -49,6 +49,12 @@
zfs as soon as any zfs mountpoint is configured in <varname>fileSystems</varname>.
</para>
</listitem>
+ <listitem>
+ <para>
+ <command>nixos-option</command> has been rewritten in C++, speeding it up, improving correctness,
+ and adding a <option>--all</option> option which prints all options and their values.
+ </para>
+ </listitem>
</itemizedlist>
</section>
@@ -65,7 +71,11 @@
<itemizedlist>
<listitem>
- <para />
+ <para>
+ The kubernetes kube-proxy now supports a new hostname configuration
+ <literal>services.kubernetes.proxy.hostname</literal> which has to
+ be set if the hostname of the node should be non default.
+ </para>
</listitem>
</itemizedlist>
@@ -85,7 +95,109 @@
<itemizedlist>
<listitem>
- <para />
+ <para>
+ GnuPG is now built without support for a graphical passphrase entry
+ by default. Please enable the <literal>gpg-agent</literal> user service
+ via the NixOS option <literal>programs.gnupg.agent.enable</literal>.
+ Note that upstream recommends using <literal>gpg-agent</literal> and
+ will spawn a <literal>gpg-agent</literal> on the first invocation of
+ GnuPG anyway.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The <literal>dynamicHosts</literal> option has been removed from the
+ <link linkend="opt-networking.networkmanager.enable">networkd</link>
+ module. Allowing (multiple) regular users to override host entries
+ affecting the whole system opens up a huge attack vector.
+ There seem to be very rare cases where this might be useful.
+ Consider setting system-wide host entries using
+ <link linkend="opt-networking.hosts">networking.hosts</link>, provide
+ them via the DNS server in your network, or use
+ <link linkend="opt-environment.etc">environment.etc</link>
+ to add a file into <literal>/etc/NetworkManager/dnsmasq.d</literal>
+ reconfiguring <literal>hostsdir</literal>.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The <literal>99-main.network</literal> file was removed. Maching all
+ network interfaces caused many breakages, see
+ <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18962">#18962</link>
+ and <link xlink:href="https://github.com/NixOS/nixpkgs/pull/71106">#71106</link>.
+ </para>
+ <para>
+ We already don't support the global <link linkend="opt-networking.useDHCP">networking.useDHCP</link>,
+ <link linkend="opt-networking.defaultGateway">networking.defaultGateway</link> and
+ <link linkend="opt-networking.defaultGateway6">networking.defaultGateway6</link> options
+ if <link linkend="opt-networking.useNetworkd">networking.useNetworkd</link> is enabled,
+ but direct users to configure the per-device
+ <link linkend="opt-networking.interfaces">networking.interfaces.&lt;name&gt;.…</link> options.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The stdenv now runs all bash with <literal>set -u</literal>, to catch the use of undefined variables.
+ Before, it itself used <literal>set -u</literal> but was careful to unset it so other packages' code ran as before.
+ Now, all bash code is held to the same high standard, and the rather complex stateful manipulation of the options can be discarded.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The SLIM Display Manager has been removed, as it has been unmaintained since 2013.
+ Consider migrating to a different display manager such as LightDM (current default in NixOS),
+ SDDM, GDM, or using the startx module which uses Xinitrc.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The BEAM package set has been deleted. You will only find there the different interpreters.
+ You should now use the different build tools coming with the languages with sandbox mode disabled.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ There is now only one Xfce package-set and module. This means attributes, <literal>xfce4-14</literal>
+ <literal>xfce4-12</literal>, and <literal>xfceUnstable</literal> all now point to the latest Xfce 4.14
+ packages. And in future NixOS releases will be the latest released version of Xfce available at the
+ time during the releases development (if viable).
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The <link linkend="opt-services.phpfpm.pools">phpfpm</link> module now sets
+ <literal>PrivateTmp=true</literal> in its systemd units for better process isolation.
+ If you rely on <literal>/tmp</literal> being shared with other services, explicitly override this by
+ setting <literal>serviceConfig.PrivateTmp</literal> to <literal>false</literal> for each phpfpm unit.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ KDE’s old multimedia framework Phonon no longer supports Qt 4. For that reason, Plasma desktop also does not have <option>enableQt4Support</option> option any more.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The BeeGFS module has been removed.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The osquery module has been removed.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Going forward, <literal>~/bin</literal> in the users home directory will no longer be in <literal>PATH</literal> by default.
+ If you depend on this you should set the option <literal>environment.homeBinInPath</literal> to <literal>true</literal>.
+ The aforementioned option was added this release.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The <literal>buildRustCrate</literal> infrastructure now produces <literal>lib</literal> outputs in addition to the <literal>out</literal> output.
+ This has led to drastically reduced closed sizes for some rust crates since development dependencies are now in the <literal>lib</literal> output.
+ </para>
</listitem>
</itemizedlist>
</section>
@@ -101,6 +213,14 @@
<listitem>
<para>SD images are now compressed by default using <literal>bzip2</literal>.</para>
</listitem>
+ <listitem>
+ <para>
+ OpenSSH has been upgraded from 7.9 to 8.1, improving security and adding features
+ but with potential incompatibilities. Consult the
+ <link xlink:href="https://www.openssh.com/txt/release-8.1">
+ release announcement</link> for more information.
+ </para>
+ </listitem>
</itemizedlist>
</section>
</section>
diff --git a/nixpkgs/nixos/lib/make-options-doc/default.nix b/nixpkgs/nixos/lib/make-options-doc/default.nix
index 35c8b543dec..eee8f612410 100644
--- a/nixpkgs/nixos/lib/make-options-doc/default.nix
+++ b/nixpkgs/nixos/lib/make-options-doc/default.nix
@@ -86,7 +86,7 @@ let
optionsList = lib.sort optionLess optionsListDesc;
# Convert the list of options into an XML file.
- optionsXML = builtins.toFile "options.xml" (builtins.toXML optionsList);
+ optionsXML = pkgs.writeText "options.xml" (builtins.toXML optionsList);
optionsNix = builtins.listToAttrs (map (o: { name = o.name; value = removeAttrs o ["name" "visible" "internal"]; }) optionsList);
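Review bot: The switch from `builtins.toFile` to `pkgs.writeText` for `optionsXML` is not explained, and the comment above it, `# Convert the list of options into an XML file.`, reads the same for either call, so a later cleanup could revert it unnoticed. The two calls differ in when the file is produced: `builtins.toFile` writes to the store during evaluation and rejects strings that reference derivation outputs, while `pkgs.writeText` defers the write to a build step; which of these motivated the change is not visible here. I would extend the comment to record the reason, e.g. `# Use pkgs.writeText rather than builtins.toFile: the XML is written at build time, not during evaluation.` The enclosing `let` block starts and ends outside the hunk.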
diff --git a/nixpkgs/nixos/lib/test-driver/test-driver.py b/nixpkgs/nixos/lib/test-driver/test-driver.py
new file mode 100644
index 00000000000..e45521424de
--- /dev/null
+++ b/nixpkgs/nixos/lib/test-driver/test-driver.py
@@ -0,0 +1,829 @@
+#! /somewhere/python3
+from contextlib import contextmanager, _GeneratorContextManager
+from xml.sax.saxutils import XMLGenerator
+import _thread
+import atexit
+import os
+import ptpython.repl
+import pty
+from queue import Queue, Empty
+import re
+import shutil
+import socket
+import subprocess
+import sys
+import tempfile
+import time
+import unicodedata
+from typing import Tuple, Any, Callable, Dict, Iterator, Optional, List
+
+CHAR_TO_KEY = {
+ "A": "shift-a",
+ "N": "shift-n",
+ "-": "0x0C",
+ "_": "shift-0x0C",
+ "B": "shift-b",
+ "O": "shift-o",
+ "=": "0x0D",
+ "+": "shift-0x0D",
+ "C": "shift-c",
+ "P": "shift-p",
+ "[": "0x1A",
+ "{": "shift-0x1A",
+ "D": "shift-d",
+ "Q": "shift-q",
+ "]": "0x1B",
+ "}": "shift-0x1B",
+ "E": "shift-e",
+ "R": "shift-r",
+ ";": "0x27",
+ ":": "shift-0x27",
+ "F": "shift-f",
+ "S": "shift-s",
+ "'": "0x28",
+ '"': "shift-0x28",
+ "G": "shift-g",
+ "T": "shift-t",
+ "`": "0x29",
+ "~": "shift-0x29",
+ "H": "shift-h",
+ "U": "shift-u",
+ "\\": "0x2B",
+ "|": "shift-0x2B",
+ "I": "shift-i",
+ "V": "shift-v",
+ ",": "0x33",
+ "<": "shift-0x33",
+ "J": "shift-j",
+ "W": "shift-w",
+ ".": "0x34",
+ ">": "shift-0x34",
+ "K": "shift-k",
+ "X": "shift-x",
+ "/": "0x35",
+ "?": "shift-0x35",
+ "L": "shift-l",
+ "Y": "shift-y",
+ " ": "spc",
+ "M": "shift-m",
+ "Z": "shift-z",
+ "\n": "ret",
+ "!": "shift-0x02",
+ "@": "shift-0x03",
+ "#": "shift-0x04",
+ "$": "shift-0x05",
+ "%": "shift-0x06",
+ "^": "shift-0x07",
+ "&": "shift-0x08",
+ "*": "shift-0x09",
+ "(": "shift-0x0A",
+ ")": "shift-0x0B",
+}
+
+# Forward references
+nr_tests: int
+nr_succeeded: int
+log: "Logger"
+machines: "List[Machine]"
+
+
+def eprint(*args: object, **kwargs: Any) -> None:
+ print(*args, file=sys.stderr, **kwargs)
+
+
+def create_vlan(vlan_nr: str) -> Tuple[str, str, "subprocess.Popen[bytes]", Any]:
+ global log
+ log.log("starting VDE switch for network {}".format(vlan_nr))
+ vde_socket = os.path.abspath("./vde{}.ctl".format(vlan_nr))
+ pty_master, pty_slave = pty.openpty()
+ vde_process = subprocess.Popen(
+ ["vde_switch", "-s", vde_socket, "--dirmode", "0777"],
+ bufsize=1,
+ stdin=pty_slave,
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE,
+ shell=False,
+ )
+ fd = os.fdopen(pty_master, "w")
+ fd.write("version\n")
+ # TODO: perl version checks if this can be read from
+ # an if not, dies. we could hang here forever. Fix it.
+ vde_process.stdout.readline()
+ if not os.path.exists(os.path.join(vde_socket, "ctl")):
+ raise Exception("cannot start vde_switch")
+
+ return (vlan_nr, vde_socket, vde_process, fd)
+
+
+def retry(fn: Callable) -> None:
+ """Call the given function repeatedly, with 1 second intervals,
+ until it returns True or a timeout is reached.
+ """
+
+ for _ in range(900):
+ if fn(False):
+ return
+ time.sleep(1)
+
+ if not fn(True):
+ raise Exception("action timed out")
+
+
+class Logger:
+ def __init__(self) -> None:
+ self.logfile = os.environ.get("LOGFILE", "/dev/null")
+ self.logfile_handle = open(self.logfile, "wb")
+ self.xml = XMLGenerator(self.logfile_handle, encoding="utf-8")
+ self.queue: "Queue[Dict[str, str]]" = Queue(1000)
+
+ self.xml.startDocument()
+ self.xml.startElement("logfile", attrs={})
+
+ def close(self) -> None:
+ self.xml.endElement("logfile")
+ self.xml.endDocument()
+ self.logfile_handle.close()
+
+ def sanitise(self, message: str) -> str:
+ return "".join(ch for ch in message if unicodedata.category(ch)[0] != "C")
+
+ def maybe_prefix(self, message: str, attributes: Dict[str, str]) -> str:
+ if "machine" in attributes:
+ return "{}: {}".format(attributes["machine"], message)
+ return message
+
+ def log_line(self, message: str, attributes: Dict[str, str]) -> None:
+ self.xml.startElement("line", attributes)
+ self.xml.characters(message)
+ self.xml.endElement("line")
+
+ def log(self, message: str, attributes: Dict[str, str] = {}) -> None:
+ eprint(self.maybe_prefix(message, attributes))
+ self.drain_log_queue()
+ self.log_line(message, attributes)
+
+ def enqueue(self, message: Dict[str, str]) -> None:
+ self.queue.put(message)
+
+ def drain_log_queue(self) -> None:
+ try:
+ while True:
+ item = self.queue.get_nowait()
+ attributes = {"machine": item["machine"], "type": "serial"}
+ self.log_line(self.sanitise(item["msg"]), attributes)
+ except Empty:
+ pass
+
+ @contextmanager
+ def nested(self, message: str, attributes: Dict[str, str] = {}) -> Iterator[None]:
+ eprint(self.maybe_prefix(message, attributes))
+
+ self.xml.startElement("nest", attrs={})
+ self.xml.startElement("head", attributes)
+ self.xml.characters(message)
+ self.xml.endElement("head")
+
+ tic = time.time()
+ self.drain_log_queue()
+ yield
+ self.drain_log_queue()
+ toc = time.time()
+ self.log("({:.2f} seconds)".format(toc - tic))
+
+ self.xml.endElement("nest")
+
+
+class Machine:
+ def __init__(self, args: Dict[str, Any]) -> None:
+ if "name" in args:
+ self.name = args["name"]
+ else:
+ self.name = "machine"
+ cmd = args.get("startCommand", None)
+ if cmd:
+ match = re.search("run-(.+)-vm$", cmd)
+ if match:
+ self.name = match.group(1)
+
+ self.script = args.get("startCommand", self.create_startcommand(args))
+
+ tmp_dir = os.environ.get("TMPDIR", tempfile.gettempdir())
+
+ def create_dir(name: str) -> str:
+ path = os.path.join(tmp_dir, name)
+ os.makedirs(path, mode=0o700, exist_ok=True)
+ return path
+
+ self.state_dir = create_dir("vm-state-{}".format(self.name))
+ self.shared_dir = create_dir("xchg-shared")
+
+ self.booted = False
+ self.connected = False
+ self.pid: Optional[int] = None
+ self.socket = None
+ self.monitor: Optional[socket.socket] = None
+ self.logger: Logger = args["log"]
+ self.allow_reboot = args.get("allowReboot", False)
+
+ @staticmethod
+ def create_startcommand(args: Dict[str, str]) -> str:
+ net_backend = "-netdev user,id=net0"
+ net_frontend = "-device virtio-net-pci,netdev=net0"
+
+ if "netBackendArgs" in args:
+ net_backend += "," + args["netBackendArgs"]
+
+ if "netFrontendArgs" in args:
+ net_frontend += "," + args["netFrontendArgs"]
+
+ start_command = (
+ "qemu-kvm -m 384 " + net_backend + " " + net_frontend + " $QEMU_OPTS "
+ )
+
+ if "hda" in args:
+ hda_path = os.path.abspath(args["hda"])
+ if args.get("hdaInterface", "") == "scsi":
+ start_command += (
+ "-drive id=hda,file="
+ + hda_path
+ + ",werror=report,if=none "
+ + "-device scsi-hd,drive=hda "
+ )
+ else:
+ start_command += (
+ "-drive file="
+ + hda_path
+ + ",if="
+ + args["hdaInterface"]
+ + ",werror=report "
+ )
+
+ if "cdrom" in args:
+ start_command += "-cdrom " + args["cdrom"] + " "
+
+ if "usb" in args:
+ start_command += (
+ "-device piix3-usb-uhci -drive "
+ + "id=usbdisk,file="
+ + args["usb"]
+ + ",if=none,readonly "
+ + "-device usb-storage,drive=usbdisk "
+ )
+ if "bios" in args:
+ start_command += "-bios " + args["bios"] + " "
+
+ start_command += args.get("qemuFlags", "")
+
+ return start_command
+
+ def is_up(self) -> bool:
+ return self.booted and self.connected
+
+ def log(self, msg: str) -> None:
+ self.logger.log(msg, {"machine": self.name})
+
+ def nested(self, msg: str, attrs: Dict[str, str] = {}) -> _GeneratorContextManager:
+ my_attrs = {"machine": self.name}
+ my_attrs.update(attrs)
+ return self.logger.nested(msg, my_attrs)
+
+ def wait_for_monitor_prompt(self) -> str:
+ assert self.monitor is not None
+ answer = ""
+ while True:
+ undecoded_answer = self.monitor.recv(1024)
+ if not undecoded_answer:
+ break
+ answer += undecoded_answer.decode()
+ if answer.endswith("(qemu) "):
+ break
+ return answer
+
+ def send_monitor_command(self, command: str) -> str:
+ message = ("{}\n".format(command)).encode()
+ self.log("sending monitor command: {}".format(command))
+ assert self.monitor is not None
+ self.monitor.send(message)
+ return self.wait_for_monitor_prompt()
+
+ def wait_for_unit(self, unit: str, user: Optional[str] = None) -> bool:
+ while True:
+ info = self.get_unit_info(unit, user)
+ state = info["ActiveState"]
+ if state == "failed":
+ raise Exception('unit "{}" reached state "{}"'.format(unit, state))
+
+ if state == "inactive":
+ status, jobs = self.systemctl("list-jobs --full 2>&1", user)
+ if "No jobs" in jobs:
+ info = self.get_unit_info(unit, user)
+ if info["ActiveState"] == state:
+ raise Exception(
+ (
+ 'unit "{}" is inactive and there ' "are no pending jobs"
+ ).format(unit)
+ )
+ if state == "active":
+ return True
+
+ def get_unit_info(self, unit: str, user: Optional[str] = None) -> Dict[str, str]:
+ status, lines = self.systemctl('--no-pager show "{}"'.format(unit), user)
+ if status != 0:
+ raise Exception(
+ 'retrieving systemctl info for unit "{}" {} failed with exit code {}'.format(
+ unit, "" if user is None else 'under user "{}"'.format(user), status
+ )
+ )
+
+ line_pattern = re.compile(r"^([^=]+)=(.*)$")
+
+ def tuple_from_line(line: str) -> Tuple[str, str]:
+ match = line_pattern.match(line)
+ assert match is not None
+ return match[1], match[2]
+
+ return dict(
+ tuple_from_line(line)
+ for line in lines.split("\n")
+ if line_pattern.match(line)
+ )
+
+ def systemctl(self, q: str, user: Optional[str] = None) -> Tuple[int, str]:
+ if user is not None:
+ q = q.replace("'", "\\'")
+ return self.execute(
+ (
+ "su -l {} -c "
+ "$'XDG_RUNTIME_DIR=/run/user/`id -u` "
+ "systemctl --user {}'"
+ ).format(user, q)
+ )
+ return self.execute("systemctl {}".format(q))
+
+ def require_unit_state(self, unit: str, require_state: str = "active") -> None:
+ with self.nested(
+ "checking if unit ‘{}’ has reached state '{}'".format(unit, require_state)
+ ):
+ info = self.get_unit_info(unit)
+ state = info["ActiveState"]
+ if state != require_state:
+ raise Exception(
+ "Expected unit ‘{}’ to to be in state ".format(unit)
+ + "'active' but it is in state ‘{}’".format(state)
+ )
+
+ def execute(self, command: str) -> Tuple[int, str]:
+ self.connect()
+
+ out_command = "( {} ); echo '|!EOF' $?\n".format(command)
+ self.shell.send(out_command.encode())
+
+ output = ""
+ status_code_pattern = re.compile(r"(.*)\|\!EOF\s+(\d+)")
+
+ while True:
+ chunk = self.shell.recv(4096).decode()
+ match = status_code_pattern.match(chunk)
+ if match:
+ output += match[1]
+ status_code = int(match[2])
+ return (status_code, output)
+ output += chunk
+
+ def succeed(self, *commands: str) -> str:
+ """Execute each command and check that it succeeds."""
+ output = ""
+ for command in commands:
+ with self.nested("must succeed: {}".format(command)):
+ (status, out) = self.execute(command)
+ if status != 0:
+ self.log("output: {}".format(out))
+ raise Exception(
+ "command `{}` failed (exit code {})".format(command, status)
+ )
+ output += out
+ return output
+
+ def fail(self, *commands: str) -> None:
+ """Execute each command and check that it fails."""
+ for command in commands:
+ with self.nested("must fail: {}".format(command)):
+ status, output = self.execute(command)
+ if status == 0:
+ raise Exception(
+ "command `{}` unexpectedly succeeded".format(command)
+ )
+
+ def wait_until_succeeds(self, command: str) -> str:
+ with self.nested("waiting for success: {}".format(command)):
+ while True:
+ status, output = self.execute(command)
+ if status == 0:
+ return output
+
+ def wait_until_fails(self, command: str) -> str:
+ with self.nested("waiting for failure: {}".format(command)):
+ while True:
+ status, output = self.execute(command)
+ if status != 0:
+ return output
+
+ def wait_for_shutdown(self) -> None:
+ if not self.booted:
+ return
+
+ with self.nested("waiting for the VM to power off"):
+ sys.stdout.flush()
+ self.process.wait()
+
+ self.pid = None
+ self.booted = False
+ self.connected = False
+
+ def get_tty_text(self, tty: str) -> str:
+ status, output = self.execute(
+ "fold -w$(stty -F /dev/tty{0} size | "
+ "awk '{{print $2}}') /dev/vcs{0}".format(tty)
+ )
+ return output
+
+ def wait_until_tty_matches(self, tty: str, regexp: str) -> bool:
+ matcher = re.compile(regexp)
+ with self.nested("waiting for {} to appear on tty {}".format(regexp, tty)):
+ while True:
+ text = self.get_tty_text(tty)
+ if len(matcher.findall(text)) > 0:
+ return True
+
+ def send_chars(self, chars: List[str]) -> None:
+ with self.nested("sending keys ‘{}‘".format(chars)):
+ for char in chars:
+ self.send_key(char)
+
+ def wait_for_file(self, filename: str) -> bool:
+ with self.nested("waiting for file ‘{}‘".format(filename)):
+ while True:
+ status, _ = self.execute("test -e {}".format(filename))
+ if status == 0:
+ return True
+
+ def wait_for_open_port(self, port: int) -> None:
+ def port_is_open(_: Any) -> bool:
+ status, _ = self.execute("nc -z localhost {}".format(port))
+ return status == 0
+
+ with self.nested("waiting for TCP port {}".format(port)):
+ retry(port_is_open)
+
+ def wait_for_closed_port(self, port: int) -> None:
+ def port_is_closed(_: Any) -> bool:
+ status, _ = self.execute("nc -z localhost {}".format(port))
+ return status != 0
+
+ retry(port_is_closed)
+
+ def start_job(self, jobname: str, user: Optional[str] = None) -> Tuple[int, str]:
+ return self.systemctl("start {}".format(jobname), user)
+
+ def stop_job(self, jobname: str, user: Optional[str] = None) -> Tuple[int, str]:
+ return self.systemctl("stop {}".format(jobname), user)
+
+ def wait_for_job(self, jobname: str) -> bool:
+ return self.wait_for_unit(jobname)
+
+ def connect(self) -> None:
+ if self.connected:
+ return
+
+ with self.nested("waiting for the VM to finish booting"):
+ self.start()
+
+ tic = time.time()
+ self.shell.recv(1024)
+ # TODO: Timeout
+ toc = time.time()
+
+ self.log("connected to guest root shell")
+ self.log("(connecting took {:.2f} seconds)".format(toc - tic))
+ self.connected = True
+
+ def screenshot(self, filename: str) -> None:
+ out_dir = os.environ.get("out", os.getcwd())
+ word_pattern = re.compile(r"^\w+$")
+ if word_pattern.match(filename):
+ filename = os.path.join(out_dir, "{}.png".format(filename))
+ tmp = "{}.ppm".format(filename)
+
+ with self.nested(
+ "making screenshot {}".format(filename),
+ {"image": os.path.basename(filename)},
+ ):
+ self.send_monitor_command("screendump {}".format(tmp))
+ ret = subprocess.run("pnmtopng {} > {}".format(tmp, filename), shell=True)
+ os.unlink(tmp)
+ if ret.returncode != 0:
+ raise Exception("Cannot convert screenshot")
+
+ def dump_tty_contents(self, tty: str) -> None:
+ """Debugging: Dump the contents of the TTY<n>
+ """
+ self.execute("fold -w 80 /dev/vcs{} | systemd-cat".format(tty))
+
+ def get_screen_text(self) -> str:
+ if shutil.which("tesseract") is None:
+ raise Exception("get_screen_text used but enableOCR is false")
+
+ magick_args = (
+ "-filter Catrom -density 72 -resample 300 "
+ + "-contrast -normalize -despeckle -type grayscale "
+ + "-sharpen 1 -posterize 3 -negate -gamma 100 "
+ + "-blur 1x65535"
+ )
+
+ tess_args = "-c debug_file=/dev/null --psm 11 --oem 2"
+
+ with self.nested("performing optical character recognition"):
+ with tempfile.NamedTemporaryFile() as tmpin:
+ self.send_monitor_command("screendump {}".format(tmpin.name))
+
+ cmd = "convert {} {} tiff:- | tesseract - - {}".format(
+ magick_args, tmpin.name, tess_args
+ )
+ ret = subprocess.run(cmd, shell=True, capture_output=True)
+ if ret.returncode != 0:
+ raise Exception(
+ "OCR failed with exit code {}".format(ret.returncode)
+ )
+
+ return ret.stdout.decode("utf-8")
+
+ def wait_for_text(self, regex: str) -> None:
+ def screen_matches(last: bool) -> bool:
+ text = self.get_screen_text()
+ matches = re.search(regex, text) is not None
+
+ if last and not matches:
+ self.log("Last OCR attempt failed. Text was: {}".format(text))
+
+ return matches
+
+ with self.nested("waiting for {} to appear on screen".format(regex)):
+ retry(screen_matches)
+
+ def send_key(self, key: str) -> None:
+ key = CHAR_TO_KEY.get(key, key)
+ self.send_monitor_command("sendkey {}".format(key))
+
+ def start(self) -> None:
+ if self.booted:
+ return
+
+ self.log("starting vm")
+
+ def create_socket(path: str) -> socket.socket:
+ if os.path.exists(path):
+ os.unlink(path)
+ s = socket.socket(family=socket.AF_UNIX, type=socket.SOCK_STREAM)
+ s.bind(path)
+ s.listen(1)
+ return s
+
+ monitor_path = os.path.join(self.state_dir, "monitor")
+ self.monitor_socket = create_socket(monitor_path)
+
+ shell_path = os.path.join(self.state_dir, "shell")
+ self.shell_socket = create_socket(shell_path)
+
+ qemu_options = (
+ " ".join(
+ [
+ "" if self.allow_reboot else "-no-reboot",
+ "-monitor unix:{}".format(monitor_path),
+ "-chardev socket,id=shell,path={}".format(shell_path),
+ "-device virtio-serial",
+ "-device virtconsole,chardev=shell",
+ "-device virtio-rng-pci",
+ "-serial stdio" if "DISPLAY" in os.environ else "-nographic",
+ ]
+ )
+ + " "
+ + os.environ.get("QEMU_OPTS", "")
+ )
+
+ environment = dict(os.environ)
+ environment.update(
+ {
+ "TMPDIR": self.state_dir,
+ "SHARED_DIR": self.shared_dir,
+ "USE_TMPDIR": "1",
+ "QEMU_OPTS": qemu_options,
+ }
+ )
+
+ self.process = subprocess.Popen(
+ self.script,
+ bufsize=1,
+ stdin=subprocess.DEVNULL,
+ stdout=subprocess.PIPE,
+ stderr=subprocess.STDOUT,
+ shell=True,
+ cwd=self.state_dir,
+ env=environment,
+ )
+ self.monitor, _ = self.monitor_socket.accept()
+ self.shell, _ = self.shell_socket.accept()
+
+ def process_serial_output() -> None:
+ for _line in self.process.stdout:
+ line = _line.decode("unicode_escape").replace("\r", "").rstrip()
+ eprint("{} # {}".format(self.name, line))
+ self.logger.enqueue({"msg": line, "machine": self.name})
+
+ _thread.start_new_thread(process_serial_output, ())
+
+ self.wait_for_monitor_prompt()
+
+ self.pid = self.process.pid
+ self.booted = True
+
+ self.log("QEMU running (pid {})".format(self.pid))
+
+ def shutdown(self) -> None:
+ if not self.booted:
+ return
+
+ self.shell.send("poweroff\n".encode())
+ self.wait_for_shutdown()
+
+ def crash(self) -> None:
+ if not self.booted:
+ return
+
+ self.log("forced crash")
+ self.send_monitor_command("quit")
+ self.wait_for_shutdown()
+
+ def wait_for_x(self) -> None:
+ """Wait until it is possible to connect to the X server. Note that
+ testing the existence of /tmp/.X11-unix/X0 is insufficient.
+ """
+ with self.nested("waiting for the X11 server"):
+ while True:
+ cmd = (
+ "journalctl -b SYSLOG_IDENTIFIER=systemd | "
+ + 'grep "Reached target Current graphical"'
+ )
+ status, _ = self.execute(cmd)
+ if status != 0:
+ continue
+ status, _ = self.execute("[ -e /tmp/.X11-unix/X0 ]")
+ if status == 0:
+ return
+
+ def get_window_names(self) -> List[str]:
+ return self.succeed(
+ r"xwininfo -root -tree | sed 's/.*0x[0-9a-f]* \"\([^\"]*\)\".*/\1/; t; d'"
+ ).splitlines()
+
+ def wait_for_window(self, regexp: str) -> None:
+ pattern = re.compile(regexp)
+
+ def window_is_visible(last_try: bool) -> bool:
+ names = self.get_window_names()
+ if last_try:
+ self.log(
+ "Last chance to match {} on the window list,".format(regexp)
+ + " which currently contains: "
+ + ", ".join(names)
+ )
+ return any(pattern.search(name) for name in names)
+
+ with self.nested("Waiting for a window to appear"):
+ retry(window_is_visible)
+
+ def sleep(self, secs: int) -> None:
+ time.sleep(secs)
+
+ def forward_port(self, host_port: int = 8080, guest_port: int = 80) -> None:
+ """Forward a TCP port on the host to a TCP port on the guest.
+ Useful during interactive testing.
+ """
+ self.send_monitor_command(
+ "hostfwd_add tcp::{}-:{}".format(host_port, guest_port)
+ )
+
+ def block(self) -> None:
+ """Make the machine unreachable by shutting down eth1 (the multicast
+ interface used to talk to the other VMs). We keep eth0 up so that
+ the test driver can continue to talk to the machine.
+ """
+ self.send_monitor_command("set_link virtio-net-pci.1 off")
+
+ def unblock(self) -> None:
+ """Make the machine reachable.
+ """
+ self.send_monitor_command("set_link virtio-net-pci.1 on")
+
+
+def create_machine(args: Dict[str, Any]) -> Machine:
+ global log
+ args["log"] = log
+ args["redirectSerial"] = os.environ.get("USE_SERIAL", "0") == "1"
+ return Machine(args)
+
+
+def start_all() -> None:
+ global machines
+ with log.nested("starting all VMs"):
+ for machine in machines:
+ machine.start()
+
+
+def join_all() -> None:
+ global machines
+ with log.nested("waiting for all VMs to finish"):
+ for machine in machines:
+ machine.wait_for_shutdown()
+
+
+def test_script() -> None:
+ exec(os.environ["testScript"])
+
+
+def run_tests() -> None:
+ global machines
+ tests = os.environ.get("tests", None)
+ if tests is not None:
+ with log.nested("running the VM test script"):
+ try:
+ exec(tests, globals())
+ except Exception as e:
+ eprint("error: {}".format(str(e)))
+ sys.exit(1)
+ else:
+ ptpython.repl.embed(locals(), globals())
+
+ # TODO: Collect coverage data
+
+ for machine in machines:
+ if machine.is_up():
+ machine.execute("sync")
+
+ if nr_tests != 0:
+ eprint("{} out of {} tests succeeded".format(nr_succeeded, nr_tests))
+ if nr_tests > nr_succeeded:
+ sys.exit(1)
+
+
+@contextmanager
+def subtest(name: str) -> Iterator[None]:
+ global nr_tests
+ global nr_succeeded
+
+ with log.nested(name):
+ nr_tests += 1
+ try:
+ yield
+ nr_succeeded += 1
+ return True
+ except Exception as e:
+ log.log("error: {}".format(str(e)))
+
+ return False
+
+
+if __name__ == "__main__":
+ log = Logger()
+
+ vlan_nrs = list(dict.fromkeys(os.environ["VLANS"].split()))
+ vde_sockets = [create_vlan(v) for v in vlan_nrs]
+ for nr, vde_socket, _, _ in vde_sockets:
+ os.environ["QEMU_VDE_SOCKET_{}".format(nr)] = vde_socket
+
+ vm_scripts = sys.argv[1:]
+ machines = [create_machine({"startCommand": s}) for s in vm_scripts]
+ machine_eval = [
+ "{0} = machines[{1}]".format(m.name, idx) for idx, m in enumerate(machines)
+ ]
+ exec("\n".join(machine_eval))
+
+ nr_tests = 0
+ nr_succeeded = 0
+
+ @atexit.register
+ def clean_up() -> None:
+ with log.nested("cleaning up"):
+ for machine in machines:
+ if machine.pid is None:
+ continue
+ log.log("killing {} (pid {})".format(machine.name, machine.pid))
+ machine.process.kill()
+
+ for _, _, process, _ in vde_sockets:
+ process.kill()
+ log.close()
+
+ tic = time.time()
+ run_tests()
+ toc = time.time()
+ print("test script finished in {:.2f}s".format(toc - tic))
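Review bot: `Machine.execute` can miss the `|!EOF` status marker and then block in `recv` indefinitely, because `status_code_pattern.match(chunk)` is anchored at the start of each chunk and `.` does not match a newline. A marker that arrives in the same chunk as multi-line output, or is split across two reads, is never recognised. An empty read after the guest side closes the channel makes the loop spin instead of failing. Decoding each chunk on its own can also raise when a multi-byte character is cut at the chunk boundary. I would accumulate the raw bytes, match against the whole buffer with `re.DOTALL`, and raise on end of stream, as sketched below.

```python
    def execute(self, command: str) -> Tuple[int, str]:
        # … unchanged: connect() and sending the wrapped command …

        # Match against everything received so far, so a marker that shares
        # a chunk with multi-line output, or is split across reads, is found.
        received = b""
        status_code_pattern = re.compile(rb"(.*)\|!EOF\s+(\d+)\n", re.DOTALL)

        while True:
            chunk = self.shell.recv(4096)
            if not chunk:
                # The peer closed the channel; fail instead of looping forever.
                raise Exception(
                    "guest shell closed while running: {}".format(command)
                )
            received += chunk
            match = status_code_pattern.match(received)
            if match:
                # Decode once, after the full output is known.
                return (int(match[2]), match[1].decode(errors="replace"))
```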
diff --git a/nixpkgs/nixos/lib/testing-python.nix b/nixpkgs/nixos/lib/testing-python.nix
new file mode 100644
index 00000000000..d567d268765
--- /dev/null
+++ b/nixpkgs/nixos/lib/testing-python.nix
@@ -0,0 +1,281 @@
+{ system
+, pkgs ? import ../.. { inherit system config; }
+ # Use a minimal kernel?
+, minimal ? false
+ # Ignored
+, config ? {}
+ # Modules to add to each VM
+, extraConfigurations ? [] }:
+
+with import ./build-vms.nix { inherit system pkgs minimal extraConfigurations; };
+with pkgs;
+
+let
+ jquery-ui = callPackage ./testing/jquery-ui.nix { };
+ jquery = callPackage ./testing/jquery.nix { };
+
+in rec {
+
+ inherit pkgs;
+
+
+ testDriver = let
+ testDriverScript = ./test-driver/test-driver.py;
+ in stdenv.mkDerivation {
+ name = "nixos-test-driver";
+
+ nativeBuildInputs = [ makeWrapper ];
+ buildInputs = [ (python3.withPackages (p: [ p.ptpython ])) ];
+ checkInputs = with python3Packages; [ pylint black mypy ];
+
+ dontUnpack = true;
+
+ preferLocalBuild = true;
+
+ doCheck = true;
+ checkPhase = ''
+ mypy --disallow-untyped-defs \
+ --no-implicit-optional \
+ --ignore-missing-imports ${testDriverScript}
+ pylint --errors-only ${testDriverScript}
+ black --check --diff ${testDriverScript}
+ '';
+
+ installPhase =
+ ''
+ mkdir -p $out/bin
+ cp ${testDriverScript} $out/bin/nixos-test-driver
+ chmod u+x $out/bin/nixos-test-driver
+ # TODO: copy user script part into this file (append)
+
+ wrapProgram $out/bin/nixos-test-driver \
+ --prefix PATH : "${lib.makeBinPath [ qemu_test vde2 netpbm coreutils ]}" \
+ '';
+ };
+
+
+ # Run an automated test suite in the given virtual network.
+ # `driver' is the script that runs the network.
+ runTests = driver:
+ stdenv.mkDerivation {
+ name = "vm-test-run-${driver.testName}";
+
+ requiredSystemFeatures = [ "kvm" "nixos-test" ];
+
+ buildInputs = [ libxslt ];
+
+ buildCommand =
+ ''
+ mkdir -p $out/nix-support
+
+ LOGFILE=$out/log.xml tests='exec(os.environ["testScript"])' ${driver}/bin/nixos-test-driver
+
+ # Generate a pretty-printed log.
+ xsltproc --output $out/log.html ${./test-driver/log2html.xsl} $out/log.xml
+ ln -s ${./test-driver/logfile.css} $out/logfile.css
+ ln -s ${./test-driver/treebits.js} $out/treebits.js
+ ln -s ${jquery}/js/jquery.min.js $out/
+ ln -s ${jquery}/js/jquery.js $out/
+ ln -s ${jquery-ui}/js/jquery-ui.min.js $out/
+ ln -s ${jquery-ui}/js/jquery-ui.js $out/
+
+ touch $out/nix-support/hydra-build-products
+ echo "report testlog $out log.html" >> $out/nix-support/hydra-build-products
+
+ for i in */xchg/coverage-data; do
+ mkdir -p $out/coverage-data
+ mv $i $out/coverage-data/$(dirname $(dirname $i))
+ done
+ '';
+ };
+
+
+ makeTest =
+ { testScript
+ , makeCoverageReport ? false
+ , enableOCR ? false
+ , name ? "unnamed"
+ , ...
+ } @ t:
+
+ let
+ # A standard store path to the vm monitor is built like this:
+ # /tmp/nix-build-vm-test-run-$name.drv-0/vm-state-machine/monitor
+ # The max filename length of a unix domain socket is 108 bytes.
+ # This means $name can at most be 50 bytes long.
+ maxTestNameLen = 50;
+ testNameLen = builtins.stringLength name;
+
+ testDriverName = with builtins;
+ if testNameLen > maxTestNameLen then
+ abort ("The name of the test '${name}' must not be longer than ${toString maxTestNameLen} " +
+ "it's currently ${toString testNameLen} characters long.")
+ else
+ "nixos-test-driver-${name}";
+
+ nodes = buildVirtualNetwork (
+ t.nodes or (if t ? machine then { machine = t.machine; } else { }));
+
+ testScript' =
+ # Call the test script with the computed nodes.
+ if lib.isFunction testScript
+ then testScript { inherit nodes; }
+ else testScript;
+
+ vlans = map (m: m.config.virtualisation.vlans) (lib.attrValues nodes);
+
+ vms = map (m: m.config.system.build.vm) (lib.attrValues nodes);
+
+ ocrProg = tesseract4.override { enableLanguages = [ "eng" ]; };
+
+ imagemagick_tiff = imagemagick_light.override { inherit libtiff; };
+
+ # Generate onvenience wrappers for running the test driver
+ # interactively with the specified network, and for starting the
+ # VMs from the command line.
+ driver = runCommand testDriverName
+ { buildInputs = [ makeWrapper];
+ testScript = testScript';
+ preferLocalBuild = true;
+ testName = name;
+ }
+ ''
+ mkdir -p $out/bin
+
+ echo -n "$testScript" > $out/test-script
+ ${python3Packages.black}/bin/black --check --diff $out/test-script
+
+ ln -s ${testDriver}/bin/nixos-test-driver $out/bin/
+ vms=($(for i in ${toString vms}; do echo $i/bin/run-*-vm; done))
+ wrapProgram $out/bin/nixos-test-driver \
+ --add-flags "''${vms[*]}" \
+ ${lib.optionalString enableOCR
+ "--prefix PATH : '${ocrProg}/bin:${imagemagick_tiff}/bin'"} \
+ --run "export testScript=\"\$(cat $out/test-script)\"" \
+ --set VLANS '${toString vlans}'
+ ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-run-vms
+ wrapProgram $out/bin/nixos-run-vms \
+ --add-flags "''${vms[*]}" \
+ ${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin'"} \
+ --set tests 'start_all(); join_all();' \
+ --set VLANS '${toString vlans}' \
+ ${lib.optionalString (builtins.length vms == 1) "--set USE_SERIAL 1"}
+ ''; # "
+
+ passMeta = drv: drv // lib.optionalAttrs (t ? meta) {
+ meta = (drv.meta or {}) // t.meta;
+ };
+
+ test = passMeta (runTests driver);
+ report = passMeta (releaseTools.gcovReport { coverageRuns = [ test ]; });
+
+ nodeNames = builtins.attrNames nodes;
+ invalidNodeNames = lib.filter
+ (node: builtins.match "^[A-z_][A-z0-9_]+$" node == null) nodeNames;
+
+ in
+ if lib.length invalidNodeNames > 0 then
+ throw ''
+ Cannot create machines out of (${lib.concatStringsSep ", " invalidNodeNames})!
+ All machines are referenced as perl variables in the testing framework which will break the
+ script when special characters are used.
+
+ Please stick to alphanumeric chars and underscores as separation.
+ ''
+ else
+ (if makeCoverageReport then report else test) // {
+ inherit nodes driver test;
+ };
+
+ runInMachine =
+ { drv
+ , machine
+ , preBuild ? ""
+ , postBuild ? ""
+ , ... # ???
+ }:
+ let
+ vm = buildVM { }
+ [ machine
+ { key = "run-in-machine";
+ networking.hostName = "client";
+ nix.readOnlyStore = false;
+ virtualisation.writableStore = false;
+ }
+ ];
+
+ buildrunner = writeText "vm-build" ''
+ source $1
+
+ ${coreutils}/bin/mkdir -p $TMPDIR
+ cd $TMPDIR
+
+ exec $origBuilder $origArgs
+ '';
+
+ testScript = ''
+ startAll;
+ $client->waitForUnit("multi-user.target");
+ ${preBuild}
+ $client->succeed("env -i ${bash}/bin/bash ${buildrunner} /tmp/xchg/saved-env >&2");
+ ${postBuild}
+ $client->succeed("sync"); # flush all data before pulling the plug
+ '';
+
+ vmRunCommand = writeText "vm-run" ''
+ xchg=vm-state-client/xchg
+ ${coreutils}/bin/mkdir $out
+ ${coreutils}/bin/mkdir -p $xchg
+
+ for i in $passAsFile; do
+ i2=''${i}Path
+ _basename=$(${coreutils}/bin/basename ''${!i2})
+ ${coreutils}/bin/cp ''${!i2} $xchg/$_basename
+ eval $i2=/tmp/xchg/$_basename
+ ${coreutils}/bin/ls -la $xchg
+ done
+
+ unset i i2 _basename
+ export | ${gnugrep}/bin/grep -v '^xchg=' > $xchg/saved-env
+ unset xchg
+
+ export tests='${testScript}'
+ ${testDriver}/bin/nixos-test-driver ${vm.config.system.build.vm}/bin/run-*-vm
+ ''; # */
+
+ in
+ lib.overrideDerivation drv (attrs: {
+ requiredSystemFeatures = [ "kvm" ];
+ builder = "${bash}/bin/sh";
+ args = ["-e" vmRunCommand];
+ origArgs = attrs.args;
+ origBuilder = attrs.builder;
+ });
+
+
+ runInMachineWithX = { require ? [], ... } @ args:
+ let
+ client =
+ { ... }:
+ {
+ inherit require;
+ virtualisation.memorySize = 1024;
+ services.xserver.enable = true;
+ services.xserver.displayManager.auto.enable = true;
+ services.xserver.windowManager.default = "icewm";
+ services.xserver.windowManager.icewm.enable = true;
+ services.xserver.desktopManager.default = "none";
+ };
+ in
+ runInMachine ({
+ machine = client;
+ preBuild =
+ ''
+ $client->waitForX;
+ '';
+ } // args);
+
+
+ simpleTest = as: (makeTest as).test;
+
+}
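Review bot: The node-name check in `makeTest` does not match what its error message promises: in `"^[A-z_][A-z0-9_]+$"` the range `A-z` also admits the ASCII characters between `Z` and `a` (`[`, `\`, `]`, `^` and the backtick), and the `+` rejects one-character names. These names appear to be what test-driver.py turns into Python assignments through `exec("\n".join(machine_eval))`, so this check looks like the only guard on what is evaluated there. `"^[A-Za-z_][A-Za-z0-9_]*$"` would restrict names to Python identifiers, keeping `+` instead of `*` if one-character names are meant to stay rejected. The error text also still says the machines are referenced as perl variables, which no longer describes this driver.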
diff --git a/nixpkgs/nixos/lib/testing.nix b/nixpkgs/nixos/lib/testing.nix
index 76706877103..a5f060a8d8e 100644
--- a/nixpkgs/nixos/lib/testing.nix
+++ b/nixpkgs/nixos/lib/testing.nix
@@ -248,7 +248,6 @@ in rec {
inherit require;
virtualisation.memorySize = 1024;
services.xserver.enable = true;
- services.xserver.displayManager.slim.enable = false;
services.xserver.displayManager.auto.enable = true;
services.xserver.windowManager.default = "icewm";
services.xserver.windowManager.icewm.enable = true;
diff --git a/nixpkgs/nixos/maintainers/scripts/ec2/create-amis.sh b/nixpkgs/nixos/maintainers/scripts/ec2/create-amis.sh
index c4149e3e8ff..5dc1c5aaed5 100755
--- a/nixpkgs/nixos/maintainers/scripts/ec2/create-amis.sh
+++ b/nixpkgs/nixos/maintainers/scripts/ec2/create-amis.sh
@@ -14,7 +14,7 @@
set -euo pipefail
# configuration
-state_dir=/home/deploy/amis/ec2-images
+state_dir=$HOME/amis/ec2-images
home_region=eu-west-1
bucket=nixos-amis
@@ -211,11 +211,11 @@ upload_image() {
log "Registering snapshot $snapshot_id as AMI"
local block_device_mappings=(
- "DeviceName=/dev/sda1,Ebs={SnapshotId=$snapshot_id,VolumeSize=$image_logical_gigabytes,DeleteOnTermination=true,VolumeType=gp2}"
+ "DeviceName=/dev/xvda,Ebs={SnapshotId=$snapshot_id,VolumeSize=$image_logical_gigabytes,DeleteOnTermination=true,VolumeType=gp2}"
)
local extra_flags=(
- --root-device-name /dev/sda1
+ --root-device-name /dev/xvda
--sriov-net-support simple
--ena-support
--virtualization-type hvm
diff --git a/nixpkgs/nixos/maintainers/scripts/gce/create-gce.sh b/nixpkgs/nixos/maintainers/scripts/gce/create-gce.sh
index 48748a59d29..77cc64e591e 100755
--- a/nixpkgs/nixos/maintainers/scripts/gce/create-gce.sh
+++ b/nixpkgs/nixos/maintainers/scripts/gce/create-gce.sh
@@ -15,7 +15,7 @@ nix-build '<nixpkgs/nixos/lib/eval-config.nix>' \
-j 10
img_path=$(echo gce/*.tar.gz)
-img_name=$(basename "$img_path")
+img_name=${IMAGE_NAME:-$(basename "$img_path")}
img_id=$(echo "$img_name" | sed 's|.raw.tar.gz$||;s|\.|-|g;s|_|-|g')
if ! gsutil ls "gs://${BUCKET_NAME}/$img_name"; then
gsutil cp "$img_path" "gs://${BUCKET_NAME}/$img_name"
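Review bot: `IMAGE_NAME` is read from the environment on the `img_name=` line and reaches the `gs://${BUCKET_NAME}/$img_name` object path and, through the `sed` on the following line, `img_id` without any check. That `sed` only strips a trailing `.raw.tar.gz`, so an override without the suffix, or with characters outside what the default basename would contain, yields an `img_id` of a different shape than the rest of the script presumably expects. I would reject unexpected values right after the assignment, e.g. `case $img_name in *[!A-Za-z0-9._-]*) echo "invalid IMAGE_NAME: $img_name" >&2; exit 1;; esac`, and document the variable in the script's header comment. The `if` block continues past the end of the hunk.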
diff --git a/nixpkgs/nixos/modules/config/fonts/corefonts.nix b/nixpkgs/nixos/modules/config/fonts/corefonts.nix
deleted file mode 100644
index b9f69879a10..00000000000
--- a/nixpkgs/nixos/modules/config/fonts/corefonts.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-# This module is deprecated, since you can just say ‘fonts.fonts = [
-# pkgs.corefonts ];’ instead.
-
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
-
- options = {
-
- fonts = {
-
- enableCoreFonts = mkOption {
- visible = false;
- default = false;
- description = ''
- Whether to include Microsoft's proprietary Core Fonts. These fonts
- are redistributable, but only verbatim, among other restrictions.
- See <link xlink:href="http://corefonts.sourceforge.net/eula.htm"/>
- for details.
- '';
- };
-
- };
-
- };
-
-
- config = mkIf config.fonts.enableCoreFonts {
-
- fonts.fonts = [ pkgs.corefonts ];
-
- };
-
-}
diff --git a/nixpkgs/nixos/modules/config/fonts/fontconfig-ultimate.nix b/nixpkgs/nixos/modules/config/fonts/fontconfig-ultimate.nix
deleted file mode 100644
index 84d90899dff..00000000000
--- a/nixpkgs/nixos/modules/config/fonts/fontconfig-ultimate.nix
+++ /dev/null
@@ -1,86 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-let cfg = config.fonts.fontconfig.ultimate;
-
- latestVersion = pkgs.fontconfig.configVersion;
-
- # The configuration to be included in /etc/font/
- confPkg = pkgs.runCommand "font-ultimate-conf" { preferLocalBuild = true; } ''
- support_folder=$out/etc/fonts/conf.d
- latest_folder=$out/etc/fonts/${latestVersion}/conf.d
-
- mkdir -p $support_folder
- mkdir -p $latest_folder
-
- # fontconfig ultimate substitutions
- ${optionalString (cfg.substitutions != "none") ''
- ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/presets/${cfg.substitutions}/*.conf \
- $support_folder
- ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/presets/${cfg.substitutions}/*.conf \
- $latest_folder
- ''}
-
- # fontconfig ultimate various configuration files
- ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/conf.d/*.conf \
- $support_folder
- ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/conf.d/*.conf \
- $latest_folder
- '';
-
-in
-{
-
- options = {
-
- fonts = {
-
- fontconfig = {
-
- ultimate = {
- enable = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Enable fontconfig-ultimate settings (formerly known as
- Infinality). Besides the customizable settings in this NixOS
- module, fontconfig-ultimate also provides many font-specific
- rendering tweaks.
- '';
- };
-
- substitutions = mkOption {
- type = types.enum ["free" "combi" "ms" "none"];
- default = "free";
- description = ''
- Font substitutions to replace common Type 1 fonts with nicer
- TrueType fonts. <literal>free</literal> uses free fonts,
- <literal>ms</literal> uses Microsoft fonts,
- <literal>combi</literal> uses a combination, and
- <literal>none</literal> disables the substitutions.
- '';
- };
-
- preset = mkOption {
- type = types.enum ["ultimate1" "ultimate2" "ultimate3" "ultimate4" "ultimate5" "osx" "windowsxp"];
- default = "ultimate3";
- description = ''
- FreeType rendering settings preset. Any of the presets may be
- customized by setting environment variables.
- '';
- };
- };
- };
- };
-
- };
-
- config = mkIf (config.fonts.fontconfig.enable && cfg.enable) {
-
- fonts.fontconfig.confPackages = [ confPkg ];
- environment.variables.INFINALITY_FT = cfg.preset;
-
- };
-
-}
diff --git a/nixpkgs/nixos/modules/config/i18n.nix b/nixpkgs/nixos/modules/config/i18n.nix
index dc7305b1ba2..d0db8fedecd 100644
--- a/nixpkgs/nixos/modules/config/i18n.nix
+++ b/nixpkgs/nixos/modules/config/i18n.nix
@@ -89,11 +89,7 @@ with lib;
};
consoleKeyMap = mkOption {
- type = mkOptionType {
- name = "string or path";
- check = t: (isString t || types.path.check t);
- };
-
+ type = with types; either str path;
default = "us";
example = "fr";
description = ''
diff --git a/nixpkgs/nixos/modules/config/no-x-libs.nix b/nixpkgs/nixos/modules/config/no-x-libs.nix
index 74cf74d7418..873b8073fed 100644
--- a/nixpkgs/nixos/modules/config/no-x-libs.nix
+++ b/nixpkgs/nixos/modules/config/no-x-libs.nix
@@ -34,7 +34,6 @@ with lib;
networkmanager-openvpn = super.networkmanager-openvpn.override { withGnome = false; };
networkmanager-vpnc = super.networkmanager-vpnc.override { withGnome = false; };
networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; };
- pinentry = super.pinentry.override { gtk2 = null; gcr = null; qt4 = null; qt5 = null; };
gobject-introspection = super.gobject-introspection.override { x11Support = false; };
}));
};
diff --git a/nixpkgs/nixos/modules/config/pulseaudio.nix b/nixpkgs/nixos/modules/config/pulseaudio.nix
index b3bc4a451aa..9baad9b5854 100644
--- a/nixpkgs/nixos/modules/config/pulseaudio.nix
+++ b/nixpkgs/nixos/modules/config/pulseaudio.nix
@@ -98,11 +98,12 @@ in {
description = ''
If false, a PulseAudio server is launched automatically for
each user that tries to use the sound system. The server runs
- with user privileges. This is the recommended and most secure
- way to use PulseAudio. If true, one system-wide PulseAudio
+ with user privileges. If true, one system-wide PulseAudio
server is launched on boot, running as the user "pulse", and
only users in the "audio" group will have access to the server.
Please read the PulseAudio documentation for more details.
+
+ Don't enable this option unless you know what you are doing.
'';
};
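Review bot: The added sentence `Don't enable this option unless you know what you are doing.` gives the reader no reason, and the same hunk deletes the only statement that the per-user server is the recommended and most secure mode. I would keep the rationale next to the warning, for example `Per-user servers are the recommended and most secure setup; in system-wide mode every user in the "audio" group shares a single server.` That way the security trade-off stays visible in the generated option documentation instead of being replaced by a generic caution.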
diff --git a/nixpkgs/nixos/modules/config/qt5.nix b/nixpkgs/nixos/modules/config/qt5.nix
index 7de1c0f5d55..d9dec74f155 100644
--- a/nixpkgs/nixos/modules/config/qt5.nix
+++ b/nixpkgs/nixos/modules/config/qt5.nix
@@ -10,7 +10,7 @@ let
isQtStyle = cfg.platformTheme == "gtk2" && cfg.style != "adwaita";
packages = if isQGnome then [ pkgs.qgnomeplatform pkgs.adwaita-qt ]
- else if isQtStyle then [ pkgs.qtstyleplugins ]
+ else if isQtStyle then [ pkgs.libsForQt5.qtstyleplugins ]
else throw "`qt5.platformTheme` ${cfg.platformTheme} and `qt5.style` ${cfg.style} are not compatible.";
in
diff --git a/nixpkgs/nixos/modules/config/shells-environment.nix b/nixpkgs/nixos/modules/config/shells-environment.nix
index d939cbb393e..a0a20228a74 100644
--- a/nixpkgs/nixos/modules/config/shells-environment.nix
+++ b/nixpkgs/nixos/modules/config/shells-environment.nix
@@ -118,6 +118,14 @@ in
type = with types; attrsOf (nullOr (either str path));
};
+ environment.homeBinInPath = mkOption {
+ description = ''
+ Include ~/bin/ in $PATH.
+ '';
+ default = false;
+ type = types.bool;
+ };
+
environment.binsh = mkOption {
default = "${config.system.build.binsh}/bin/sh";
defaultText = "\${config.system.build.binsh}/bin/sh";
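Review bot: The description `Include ~/bin/ in $PATH.` understates what the option does, because the second hunk of this file puts `$HOME/bin` in front of the existing `PATH`, so an executable placed there takes precedence over the system command of the same name. Defaulting to `false` is the safer choice; the description should say why, e.g. `Prepend ~/bin to $PATH, so that executables in it take precedence over system ones. Anything that can write to ~/bin can then replace commands the user runs.` In the second hunk the retained comment `# ~/bin if it exists overrides other bin directories.` also says "if it exists" while the `export` is unconditional, so either the comment or the code should change.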
@@ -186,8 +194,10 @@ in
${cfg.extraInit}
- # ~/bin if it exists overrides other bin directories.
- export PATH="$HOME/bin:$PATH"
+ ${optionalString cfg.homeBinInPath ''
+ # ~/bin if it exists overrides other bin directories.
+ export PATH="$HOME/bin:$PATH"
+ ''}
'';
system.activationScripts.binsh = stringAfter [ "stdio" ]
diff --git a/nixpkgs/nixos/modules/config/update-users-groups.pl b/nixpkgs/nixos/modules/config/update-users-groups.pl
index 59cea51c611..15e448b787a 100644
--- a/nixpkgs/nixos/modules/config/update-users-groups.pl
+++ b/nixpkgs/nixos/modules/config/update-users-groups.pl
@@ -56,12 +56,12 @@ sub allocGid {
$gidsUsed{$prevGid} = 1;
return $prevGid;
}
- return allocId(\%gidsUsed, \%gidsPrevUsed, 400, 499, 0, sub { my ($gid) = @_; getgrgid($gid) });
+ return allocId(\%gidsUsed, \%gidsPrevUsed, 400, 999, 0, sub { my ($gid) = @_; getgrgid($gid) });
}
sub allocUid {
my ($name, $isSystemUser) = @_;
- my ($min, $max, $up) = $isSystemUser ? (400, 499, 0) : (1000, 29999, 1);
+ my ($min, $max, $up) = $isSystemUser ? (400, 999, 0) : (1000, 29999, 1);
my $prevUid = $uidMap->{$name};
if (defined $prevUid && $prevUid >= $min && $prevUid <= $max && !defined $uidsUsed{$prevUid}) {
print STDERR "reviving user '$name' with UID $prevUid\n";
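Review bot: The system id range `400, 999` is now written as literals in two places, the `allocId` call in `allocGid` and the `$isSystemUser` branch in `allocUid`, so the two bounds can drift apart on the next change. A shared pair such as `my ($sysIdMin, $sysIdMax) = (400, 999);` near the top of the file, with a comment saying where the upper bound comes from, would keep them in step. Widening the range also makes ids 500–999 eligible for automatic allocation; presumably nothing outside this script assigns those statically on existing systems, but that is worth confirming. `allocUid` continues past the end of the hunk.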
diff --git a/nixpkgs/nixos/modules/config/users-groups.nix b/nixpkgs/nixos/modules/config/users-groups.nix
index ba79bd3d6ec..ae3bdeb00e6 100644
--- a/nixpkgs/nixos/modules/config/users-groups.nix
+++ b/nixpkgs/nixos/modules/config/users-groups.nix
@@ -251,7 +251,7 @@ let
default = [];
example = literalExample "[ pkgs.firefox pkgs.thunderbird ]";
description = ''
- The set of packages that should be made availabe to the user.
+ The set of packages that should be made available to the user.
This is in contrast to <option>environment.systemPackages</option>,
which adds packages to all users.
'';
diff --git a/nixpkgs/nixos/modules/config/vpnc.nix b/nixpkgs/nixos/modules/config/vpnc.nix
deleted file mode 100644
index 356e007c0a3..00000000000
--- a/nixpkgs/nixos/modules/config/vpnc.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-{ config, lib, ... }:
-
-with lib;
-
-let
- cfg = config.networking.vpnc;
- mkServiceDef = name: value:
- {
- name = "vpnc/${name}.conf";
- value = { text = value; };
- };
-
-in
-{
- options = {
- networking.vpnc = {
- services = mkOption {
- type = types.attrsOf types.str;
- default = {};
- example = literalExample ''
- { test = '''
- IPSec gateway 192.168.1.1
- IPSec ID someID
- IPSec secret secretKey
- Xauth username name
- Xauth password pass
- ''';
- }
- '';
- description =
- ''
- The names of cisco VPNs and their associated definitions
- '';
- };
- };
- };
-
- config.environment.etc = mapAttrs' mkServiceDef cfg.services;
-}
-
-
diff --git a/nixpkgs/nixos/modules/config/xdg/sounds.nix b/nixpkgs/nixos/modules/config/xdg/sounds.nix
index 148240d631c..14d6340fc33 100644
--- a/nixpkgs/nixos/modules/config/xdg/sounds.nix
+++ b/nixpkgs/nixos/modules/config/xdg/sounds.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
with lib;
{
@@ -14,6 +14,10 @@ with lib;
};
config = mkIf config.xdg.sounds.enable {
+ environment.systemPackages = [
+ pkgs.sound-theme-freedesktop
+ ];
+
environment.pathsToLink = [
"/share/sounds"
];
diff --git a/nixpkgs/nixos/modules/hardware/brillo.nix b/nixpkgs/nixos/modules/hardware/brillo.nix
new file mode 100644
index 00000000000..e970c948099
--- /dev/null
+++ b/nixpkgs/nixos/modules/hardware/brillo.nix
@@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.hardware.brillo;
+in
+{
+ options = {
+ hardware.brillo = {
+ enable = mkEnableOption ''
+ Enable brillo in userspace.
+ This will allow brightness control from users in the video group.
+ '';
+ };
+ };
+
+
+ config = mkIf cfg.enable {
+ services.udev.packages = [ pkgs.brillo ];
+ environment.systemPackages = [ pkgs.brillo ];
+ };
+}
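Review bot: `mkEnableOption` builds the description as "Whether to enable <argument>.", so passing a full sentence that starts with `Enable brillo in userspace.` renders as "Whether to enable Enable brillo in userspace. …" in the manual. Pass a noun phrase instead, e.g. `enable = mkEnableOption "brillo, which lets users in the video group control the display brightness";`. Since the option extends what members of the `video` group can do, presumably through the udev rules shipped in `pkgs.brillo`, the description should name that mechanism.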
diff --git a/nixpkgs/nixos/modules/hardware/video/displaylink.nix b/nixpkgs/nixos/modules/hardware/video/displaylink.nix
index 669ac849cba..912f53da836 100644
--- a/nixpkgs/nixos/modules/hardware/video/displaylink.nix
+++ b/nixpkgs/nixos/modules/hardware/video/displaylink.nix
@@ -19,6 +19,21 @@ in
config = mkIf enabled {
boot.extraModulePackages = [ evdi ];
+ boot.kernelModules = [ "evdi" ];
+
+ environment.etc."X11/xorg.conf.d/40-displaylink.conf".text = ''
+ Section "OutputClass"
+ Identifier "DisplayLink"
+ MatchDriver "evdi"
+ Driver "modesetting"
+ Option "AccelMethod" "none"
+ EndSection
+ '';
+
+ # make the device available
+ services.xserver.displayManager.sessionCommands = ''
+ ${lib.getBin pkgs.xorg.xrandr}/bin/xrandr --setprovideroutputsource 1 0
+ '';
# Those are taken from displaylink-installer.sh and from Arch Linux AUR package.
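Review bot: The `xrandr --setprovideroutputsource 1 0` line in `sessionCommands` hard-codes provider indices and runs at the start of every X session, whether or not a DisplayLink device is attached. It assumes provider 1 is the evdi device and provider 0 the primary GPU, which depends on enumeration order; on a machine with a different GPU layout it may wire up the wrong provider or exit non-zero. Whether a failure disturbs session start-up depends on how `sessionCommands` is executed, which this hunk does not show. I would at least record the assumption and tolerate failure: `# provider 1 = evdi, provider 0 = primary GPU; indices depend on enumeration order` and `… --setprovideroutputsource 1 0 || true`.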
@@ -47,18 +62,13 @@ in
description = "DisplayLink Manager Service";
after = [ "display-manager.service" ];
conflicts = [ "getty@tty7.service" ];
- path = [ pkgs.kmod ];
serviceConfig = {
ExecStart = "${displaylink}/bin/DisplayLinkManager";
Restart = "always";
RestartSec = 5;
+ LogsDirectory = "displaylink";
};
-
- preStart = ''
- mkdir -p /var/log/displaylink
- modprobe evdi
- '';
};
};
diff --git a/nixpkgs/nixos/modules/hardware/video/nvidia.nix b/nixpkgs/nixos/modules/hardware/video/nvidia.nix
index 3ab2afc9740..fcb30187fa2 100644
--- a/nixpkgs/nixos/modules/hardware/video/nvidia.nix
+++ b/nixpkgs/nixos/modules/hardware/video/nvidia.nix
@@ -75,7 +75,7 @@ in
Note that this configuration will only be successful when a display manager
for which the <option>services.xserver.displayManager.setupCommands</option>
- option is supported is used; notably, SLiM is not supported.
+ option is supported is used.
'';
};
@@ -111,9 +111,10 @@ in
config = mkIf enabled {
assertions = [
{
- assertion = with config.services.xserver.displayManager; gdm.enable -> !gdm.wayland;
- message = "NVIDIA drivers don't support wayland, set services.xserver.displayManager.gdm.wayland=false";
+ assertion = with config.services.xserver.displayManager; gdm.nvidiaWayland -> cfg.modesetting.enable;
+ message = "You cannot use wayland with GDM without modesetting enabled for NVIDIA drivers, set `hardware.nvidia.modesetting.enable = true`";
}
+
{
assertion = !optimusCfg.enable ||
(optimusCfg.nvidiaBusId != "" && optimusCfg.intelBusId != "");
diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix
index 719ba5ffb12..e0b558dcb0d 100644
--- a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix
+++ b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix
@@ -22,17 +22,7 @@ with lib;
});
'';
- services.xserver = {
- enable = true;
-
- # Automatically login as nixos.
- displayManager.slim = {
- enable = true;
- defaultUser = "nixos";
- autoLogin = true;
- };
-
- };
+ services.xserver.enable = true;
# Provide networkmanager for easy wireless configuration.
networking.networkmanager.enable = true;
diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix
index 0b813bbf37b..23c3426bff0 100644
--- a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix
+++ b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix
@@ -10,8 +10,6 @@ with lib;
services.xserver.desktopManager.gnome3.enable = true;
- services.xserver.displayManager.slim.enable = mkForce false;
-
# Auto-login as root.
services.xserver.displayManager.gdm.autoLogin = {
enable = true;
diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix
index 1dc7920ff64..e00d3f7535b 100644
--- a/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix
+++ b/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix
@@ -11,7 +11,15 @@ with lib;
services.xserver = {
desktopManager.plasma5 = {
enable = true;
- enableQt4Support = false;
+ };
+
+ # Automatically login as nixos.
+ displayManager.sddm = {
+ enable = true;
+ autoLogin = {
+ enable = true;
+ user = "nixos";
+ };
};
};
diff --git a/nixpkgs/nixos/modules/installer/cd-dvd/sd-image.nix b/nixpkgs/nixos/modules/installer/cd-dvd/sd-image.nix
index d510f3b2daf..7865b767f0b 100644
--- a/nixpkgs/nixos/modules/installer/cd-dvd/sd-image.nix
+++ b/nixpkgs/nixos/modules/installer/cd-dvd/sd-image.nix
@@ -140,7 +140,11 @@ in
export img=$out/sd-image/${config.sdImage.imageName}
echo "${pkgs.stdenv.buildPlatform.system}" > $out/nix-support/system
- echo "file sd-image $img" >> $out/nix-support/hydra-build-products
+ if test -n "$compressImage"; then
+ echo "file sd-image $img.bz2" >> $out/nix-support/hydra-build-products
+ else
+ echo "file sd-image $img" >> $out/nix-support/hydra-build-products
+ fi
# Gap in front of the first partition, in MiB
gap=8
diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-option.sh b/nixpkgs/nixos/modules/installer/tools/nixos-option.sh
deleted file mode 100644
index 4560e9c7403..00000000000
--- a/nixpkgs/nixos/modules/installer/tools/nixos-option.sh
+++ /dev/null
@@ -1,327 +0,0 @@
-#! @shell@ -e
-
-# FIXME: rewrite this in a more suitable language.
-
-usage () {
- exec man nixos-option
- exit 1
-}
-
-#####################
-# Process Arguments #
-#####################
-
-xml=false
-verbose=false
-nixPath=""
-
-option=""
-exit_code=0
-
-argfun=""
-for arg; do
- if test -z "$argfun"; then
- case $arg in
- -*)
- sarg="$arg"
- longarg=""
- while test "$sarg" != "-"; do
- case $sarg in
- --*) longarg=$arg; sarg="--";;
- -I) argfun="include_nixpath";;
- -*) usage;;
- esac
- # remove the first letter option
- sarg="-${sarg#??}"
- done
- ;;
- *) longarg=$arg;;
- esac
- for larg in $longarg; do
- case $larg in
- --xml) xml=true;;
- --verbose) verbose=true;;
- --help) usage;;
- -*) usage;;
- *) if test -z "$option"; then
- option="$larg"
- else
- usage
- fi;;
- esac
- done
- else
- case $argfun in
- set_*)
- var=$(echo $argfun | sed 's,^set_,,')
- eval $var=$arg
- ;;
- include_nixpath)
- nixPath="-I $arg $nixPath"
- ;;
- esac
- argfun=""
- fi
-done
-
-if $verbose; then
- set -x
-else
- set +x
-fi
-
-#############################
-# Process the configuration #
-#############################
-
-evalNix(){
- # disable `-e` flag, it's possible that the evaluation of `nix-instantiate` fails (e.g. due to broken pkgs)
- set +e
- result=$(nix-instantiate ${nixPath:+$nixPath} - --eval-only "$@" 2>&1)
- exit_code=$?
- set -e
-
- if test $exit_code -eq 0; then
- sed '/^warning: Nix search path/d' <<EOF
-$result
-EOF
- return 0;
- else
- sed -n '
- /^error/ { s/, at (string):[0-9]*:[0-9]*//; p; };
- /^warning: Nix search path/ { p; };
-' >&2 <<EOF
-$result
-EOF
- exit_code=1
- fi
-}
-
-header="let
- nixos = import <nixpkgs/nixos> {};
- nixpkgs = import <nixpkgs> {};
-in with nixpkgs.lib;
-"
-
-# This function is used for converting the option definition path given by
-# the user into accessors for reaching the definition and the declaration
-# corresponding to this option.
-generateAccessors(){
- if result=$(evalNix --strict --show-trace <<EOF
-$header
-
-let
- path = "${option:+$option}";
- pathList = splitString "." path;
-
- walkOptions = attrsNames: result:
- if attrsNames == [] then
- result
- else
- let name = head attrsNames; rest = tail attrsNames; in
- if isOption result.options then
- walkOptions rest {
- options = result.options.type.getSubOptions "";
- opt = ''(\${result.opt}.type.getSubOptions "")'';
- cfg = ''\${result.cfg}."\${name}"'';
- }
- else
- walkOptions rest {
- options = result.options.\${name};
- opt = ''\${result.opt}."\${name}"'';
- cfg = ''\${result.cfg}."\${name}"'';
- }
- ;
-
- walkResult = (if path == "" then x: x else walkOptions pathList) {
- options = nixos.options;
- opt = ''nixos.options'';
- cfg = ''nixos.config'';
- };
-
-in
- ''let option = \${walkResult.opt}; config = \${walkResult.cfg}; in''
-EOF
-)
- then
- echo $result
- else
- # In case of error we want to ignore the error message roduced by the
- # script above, as it is iterating over each attribute, which does not
- # produce a nice error message. The following code is a fallback
- # solution which is cause a nicer error message in the next
- # evaluation.
- echo "\"let option = nixos.options${option:+.$option}; config = nixos.config${option:+.$option}; in\""
- fi
-}
-
-header="$header
-$(eval echo $(generateAccessors))
-"
-
-evalAttr(){
- local prefix="$1"
- local strict="$2"
- local suffix="$3"
-
- # If strict is set, then set it to "true".
- test -n "$strict" && strict=true
-
- evalNix ${strict:+--strict} <<EOF
-$header
-
-let
- value = $prefix${suffix:+.$suffix};
- strict = ${strict:-false};
- cleanOutput = x: with nixpkgs.lib;
- if isDerivation x then x.outPath
- else if isFunction x then "<CODE>"
- else if strict then
- if isAttrs x then mapAttrs (n: cleanOutput) x
- else if isList x then map cleanOutput x
- else x
- else x;
-in
- cleanOutput value
-EOF
-}
-
-evalOpt(){
- evalAttr "option" "" "$@"
-}
-
-evalCfg(){
- local strict="$1"
- evalAttr "config" "$strict"
-}
-
-findSources(){
- local suffix=$1
- evalNix --strict <<EOF
-$header
-
-option.$suffix
-EOF
-}
-
-# Given a result from nix-instantiate, recover the list of attributes it
-# contains.
-attrNames() {
- local attributeset=$1
- # sed is used to replace un-printable subset by 0s, and to remove most of
- # the inner-attribute set, which reduce the likelyhood to encounter badly
- # pre-processed input.
- echo "builtins.attrNames $attributeset" | \
- sed 's,<[A-Z]*>,0,g; :inner; s/{[^\{\}]*};/0;/g; t inner;' | \
- evalNix --strict
-}
-
-# map a simple list which contains strings or paths.
-nixMap() {
- local fun="$1"
- local list="$2"
- local elem
- for elem in $list; do
- test $elem = '[' -o $elem = ']' && continue;
- $fun $elem
- done
-}
-
-# This duplicates the work made below, but it is useful for processing
-# the output of nixos-option with other tools such as nixos-gui.
-if $xml; then
- evalNix --xml --no-location <<EOF
-$header
-
-let
- sources = builtins.map (f: f.source);
- opt = option;
- cfg = config;
-in
-
-with nixpkgs.lib;
-
-let
- optStrict = v:
- let
- traverse = x :
- if isAttrs x then
- if x ? outPath then true
- else all id (mapAttrsFlatten (n: traverseNoAttrs) x)
- else traverseNoAttrs x;
- traverseNoAttrs = x:
- # do not continue in attribute sets
- if isAttrs x then true
- else if isList x then all id (map traverse x)
- else true;
- in assert traverse v; v;
-in
-
-if isOption opt then
- optStrict ({}
- // optionalAttrs (opt ? default) { inherit (opt) default; }
- // optionalAttrs (opt ? example) { inherit (opt) example; }
- // optionalAttrs (opt ? description) { inherit (opt) description; }
- // optionalAttrs (opt ? type) { typename = opt.type.description; }
- // optionalAttrs (opt ? options) { inherit (opt) options; }
- // {
- # to disambiguate the xml output.
- _isOption = true;
- declarations = sources opt.declarations;
- definitions = sources opt.definitions;
- value = cfg;
- })
-else
- opt
-EOF
- exit $?
-fi
-
-if test "$(evalOpt "_type" 2> /dev/null)" = '"option"'; then
- echo "Value:"
- evalCfg 1
-
- echo
-
- echo "Default:"
- if default=$(evalOpt "default" - 2> /dev/null); then
- echo "$default"
- else
- echo "<None>"
- fi
- echo
- if example=$(evalOpt "example" - 2> /dev/null); then
- echo "Example:"
- echo "$example"
- echo
- fi
- echo "Description:"
- echo
- echo $(evalOpt "description")
-
- echo $desc;
-
- printPath () { echo " $1"; }
-
- echo "Declared by:"
- nixMap printPath "$(findSources "declarations")"
- echo
- echo "Defined by:"
- nixMap printPath "$(findSources "files")"
- echo
-
-else
- # echo 1>&2 "Warning: This value is not an option."
-
- result=$(evalCfg "")
- if [ ! -z "$result" ]; then
- names=$(attrNames "$result" 2> /dev/null)
- echo 1>&2 "This attribute set contains:"
- escapeQuotes () { eval echo "$1"; }
- nixMap escapeQuotes "$names"
- else
- echo 1>&2 "An error occurred while looking for attribute names. Are you sure that '$option' exists?"
- fi
-fi
-
-exit $exit_code
diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-option/CMakeLists.txt b/nixpkgs/nixos/modules/installer/tools/nixos-option/CMakeLists.txt
new file mode 100644
index 00000000000..e5834598c4f
--- /dev/null
+++ b/nixpkgs/nixos/modules/installer/tools/nixos-option/CMakeLists.txt
@@ -0,0 +1,8 @@
+cmake_minimum_required (VERSION 2.6)
+project (nixos-option)
+
+add_executable(nixos-option nixos-option.cc libnix-copy-paste.cc)
+target_link_libraries(nixos-option PRIVATE -lnixmain -lnixexpr -lnixstore -lnixutil)
+target_compile_features(nixos-option PRIVATE cxx_std_17)
+
+install (TARGETS nixos-option DESTINATION bin)
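Review bot: `cmake_minimum_required (VERSION 2.6)` does not match what the file uses: the `cxx_std_17` compile feature and the `PRIVATE` keyword form of `target_link_libraries` both need a much newer CMake, so the declared minimum only selects old policy behaviour and gives a misleading error on an old tool. Declare the version the file really needs, e.g. `cmake_minimum_required (VERSION 3.8)`. While here, `project (nixos-option CXX)` would avoid probing for a C compiler that the build never uses.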
diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-option/default.nix b/nixpkgs/nixos/modules/installer/tools/nixos-option/default.nix
new file mode 100644
index 00000000000..753fd92c7bb
--- /dev/null
+++ b/nixpkgs/nixos/modules/installer/tools/nixos-option/default.nix
@@ -0,0 +1,11 @@
+{lib, stdenv, boost, cmake, pkgconfig, nix, ... }:
+stdenv.mkDerivation rec {
+ name = "nixos-option";
+ src = ./.;
+ nativeBuildInputs = [ cmake pkgconfig ];
+ buildInputs = [ boost nix ];
+ meta = {
+ license = stdenv.lib.licenses.lgpl2Plus;
+ maintainers = with lib.maintainers; [ chkno ];
+ };
+}
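Review bot: `meta` reaches the library in two different ways, `stdenv.lib.licenses.lgpl2Plus` and `lib.maintainers`; since `lib` is already a function argument, `license = lib.licenses.lgpl2Plus;` keeps the file consistent. The `rec` on `stdenv.mkDerivation rec {` is unused because no attribute refers to another, so it can be dropped. A short comment saying that the license follows the code copied from nix (if that is the reason for LGPL here) would help the next reader.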
diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-option/libnix-copy-paste.cc b/nixpkgs/nixos/modules/installer/tools/nixos-option/libnix-copy-paste.cc
new file mode 100644
index 00000000000..875c07da639
--- /dev/null
+++ b/nixpkgs/nixos/modules/installer/tools/nixos-option/libnix-copy-paste.cc
@@ -0,0 +1,83 @@
+// These are useful methods inside the nix library that ought to be exported.
+// Since they are not, copy/paste them here.
+// TODO: Delete these and use the ones in the library as they become available.
+
+#include <nix/config.h> // for nix/globals.hh's reference to SYSTEM
+
+#include "libnix-copy-paste.hh"
+#include <boost/format/alt_sstream.hpp> // for basic_altstringbuf...
+#include <boost/format/alt_sstream_impl.hpp> // for basic_altstringbuf...
+#include <boost/format/format_class.hpp> // for basic_format
+#include <boost/format/format_fwd.hpp> // for format
+#include <boost/format/format_implementation.hpp> // for basic_format::basi...
+#include <boost/optional/optional.hpp> // for get_pointer
+#include <iostream> // for operator<<, basic_...
+#include <nix/types.hh> // for Strings, Error
+#include <string> // for string, basic_string
+
+using boost::format;
+using nix::Error;
+using nix::Strings;
+using std::string;
+
+// From nix/src/libexpr/attr-path.cc
+Strings parseAttrPath(const string & s)
+{
+ Strings res;
+ string cur;
+ string::const_iterator i = s.begin();
+ while (i != s.end()) {
+ if (*i == '.') {
+ res.push_back(cur);
+ cur.clear();
+ } else if (*i == '"') {
+ ++i;
+ while (1) {
+ if (i == s.end())
+ throw Error(format("missing closing quote in selection path '%1%'") % s);
+ if (*i == '"')
+ break;
+ cur.push_back(*i++);
+ }
+ } else
+ cur.push_back(*i);
+ ++i;
+ }
+ if (!cur.empty())
+ res.push_back(cur);
+ return res;
+}
+
+// From nix/src/nix/repl.cc
+bool isVarName(const string & s)
+{
+ if (s.size() == 0)
+ return false;
+ char c = s[0];
+ if ((c >= '0' && c <= '9') || c == '-' || c == '\'')
+ return false;
+ for (auto & i : s)
+ if (!((i >= 'a' && i <= 'z') || (i >= 'A' && i <= 'Z') || (i >= '0' && i <= '9') || i == '_' || i == '-' ||
+ i == '\''))
+ return false;
+ return true;
+}
+
+// From nix/src/nix/repl.cc
+std::ostream & printStringValue(std::ostream & str, const char * string)
+{
+ str << "\"";
+ for (const char * i = string; *i; i++)
+ if (*i == '\"' || *i == '\\')
+ str << "\\" << *i;
+ else if (*i == '\n')
+ str << "\\n";
+ else if (*i == '\r')
+ str << "\\r";
+ else if (*i == '\t')
+ str << "\\t";
+ else
+ str << *i;
+ str << "\"";
+ return str;
+}
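Review bot: `printStringValue` escapes `"`, `\`, newline, carriage return and tab but passes every other byte through, so a value containing `${` is printed as text that would read back as an interpolation, and control bytes such as ESC reach the terminal unescaped. Because the output is presented as a quoted Nix string, I would add `else if (*i == '$' && *(i + 1) == '{') str << "\\" << *i;` ahead of the final `else` (the look-ahead is safe since `*i` is not the terminator) and consider escaping the remaining control bytes. The parameter name `string` also shadows the file's `using std::string;`; `s` would be clearer. As the header comment says these functions are copies from nix, the same change belongs upstream so the copies do not diverge.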
diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-option/libnix-copy-paste.hh b/nixpkgs/nixos/modules/installer/tools/nixos-option/libnix-copy-paste.hh
new file mode 100644
index 00000000000..2274e9a0f85
--- /dev/null
+++ b/nixpkgs/nixos/modules/installer/tools/nixos-option/libnix-copy-paste.hh
@@ -0,0 +1,9 @@
+#pragma once
+
+#include <iostream>
+#include <nix/types.hh>
+#include <string>
+
+nix::Strings parseAttrPath(const std::string & s);
+bool isVarName(const std::string & s);
+std::ostream & printStringValue(std::ostream & str, const char * string);
diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-option/nixos-option.cc b/nixpkgs/nixos/modules/installer/tools/nixos-option/nixos-option.cc
new file mode 100644
index 00000000000..9b92dc829cd
--- /dev/null
+++ b/nixpkgs/nixos/modules/installer/tools/nixos-option/nixos-option.cc
@@ -0,0 +1,618 @@
+#include <nix/config.h> // for nix/globals.hh's reference to SYSTEM
+
+#include <exception> // for exception_ptr, current_exception
+#include <functional> // for function
+#include <iostream> // for operator<<, basic_ostream, ostrin...
+#include <iterator> // for next
+#include <list> // for _List_iterator
+#include <memory> // for allocator, unique_ptr, make_unique
+#include <new> // for operator new
+#include <nix/args.hh> // for argvToStrings, UsageError
+#include <nix/attr-path.hh> // for findAlongAttrPath
+#include <nix/attr-set.hh> // for Attr, Bindings, Bindings::iterator
+#include <nix/common-eval-args.hh> // for MixEvalArgs
+#include <nix/eval-inline.hh> // for EvalState::forceValue
+#include <nix/eval.hh> // for EvalState, initGC, operator<<
+#include <nix/globals.hh> // for initPlugins, Settings, settings
+#include <nix/nixexpr.hh> // for Pos
+#include <nix/shared.hh> // for getArg, LegacyArgs, printVersion
+#include <nix/store-api.hh> // for openStore
+#include <nix/symbol-table.hh> // for Symbol, SymbolTable
+#include <nix/types.hh> // for Error, Path, Strings, PathSet
+#include <nix/util.hh> // for absPath, baseNameOf
+#include <nix/value.hh> // for Value, Value::(anonymous), Value:...
+#include <string> // for string, operator+, operator==
+#include <utility> // for move
+#include <variant> // for get, holds_alternative, variant
+#include <vector> // for vector<>::iterator, vector
+
+#include "libnix-copy-paste.hh"
+
+using nix::absPath;
+using nix::Bindings;
+using nix::Error;
+using nix::EvalError;
+using nix::EvalState;
+using nix::Path;
+using nix::PathSet;
+using nix::Strings;
+using nix::Symbol;
+using nix::tAttrs;
+using nix::ThrownError;
+using nix::tLambda;
+using nix::tString;
+using nix::UsageError;
+using nix::Value;
+
+// An ostream wrapper to handle nested indentation
+class Out
+{
+ public:
+ class Separator
+ {};
+ const static Separator sep;
+ enum LinePolicy
+ {
+ ONE_LINE,
+ MULTI_LINE
+ };
+ explicit Out(std::ostream & ostream) : ostream(ostream), policy(ONE_LINE), writeSinceSep(true) {}
+ Out(Out & o, const std::string & start, const std::string & end, LinePolicy policy);
+ Out(Out & o, const std::string & start, const std::string & end, int count)
+ : Out(o, start, end, count < 2 ? ONE_LINE : MULTI_LINE)
+ {}
+ Out(const Out &) = delete;
+ Out(Out &&) = default;
+ Out & operator=(const Out &) = delete;
+ Out & operator=(Out &&) = delete;
+ ~Out() { ostream << end; }
+
+ private:
+ std::ostream & ostream;
+ std::string indentation;
+ std::string end;
+ LinePolicy policy;
+ bool writeSinceSep;
+ template <typename T> friend Out & operator<<(Out & o, T thing);
+};
+
+template <typename T> Out & operator<<(Out & o, T thing)
+{
+ if (!o.writeSinceSep && o.policy == Out::MULTI_LINE) {
+ o.ostream << o.indentation;
+ }
+ o.writeSinceSep = true;
+ o.ostream << thing;
+ return o;
+}
+
+template <> Out & operator<<<Out::Separator>(Out & o, Out::Separator /* thing */)
+{
+ o.ostream << (o.policy == Out::ONE_LINE ? " " : "\n");
+ o.writeSinceSep = false;
+ return o;
+}
+
+Out::Out(Out & o, const std::string & start, const std::string & end, LinePolicy policy)
+ : ostream(o.ostream), indentation(policy == ONE_LINE ? o.indentation : o.indentation + " "),
+ end(policy == ONE_LINE ? end : o.indentation + end), policy(policy), writeSinceSep(true)
+{
+ o << start;
+ *this << Out::sep;
+}
+
+// Stuff needed for evaluation
+struct Context
+{
+ Context(EvalState & state, Bindings & autoArgs, Value optionsRoot, Value configRoot)
+ : state(state), autoArgs(autoArgs), optionsRoot(optionsRoot), configRoot(configRoot),
+ underscoreType(state.symbols.create("_type"))
+ {}
+ EvalState & state;
+ Bindings & autoArgs;
+ Value optionsRoot;
+ Value configRoot;
+ Symbol underscoreType;
+};
+
+Value evaluateValue(Context & ctx, Value & v)
+{
+ ctx.state.forceValue(v);
+ if (ctx.autoArgs.empty()) {
+ return v;
+ }
+ Value called{};
+ ctx.state.autoCallFunction(ctx.autoArgs, v, called);
+ return called;
+}
+
+bool isOption(Context & ctx, const Value & v)
+{
+ if (v.type != tAttrs) {
+ return false;
+ }
+ const auto & atualType = v.attrs->find(ctx.underscoreType);
+ if (atualType == v.attrs->end()) {
+ return false;
+ }
+ try {
+ Value evaluatedType = evaluateValue(ctx, *atualType->value);
+ if (evaluatedType.type != tString) {
+ return false;
+ }
+ return static_cast<std::string>(evaluatedType.string.s) == "option";
+ } catch (Error &) {
+ return false;
+ }
+}
+
+// Add quotes to a component of a path.
+// These are needed for paths like:
+// fileSystems."/".fsType
+// systemd.units."dbus.service".text
+std::string quoteAttribute(const std::string & attribute)
+{
+ if (isVarName(attribute)) {
+ return attribute;
+ }
+ std::ostringstream buf;
+ printStringValue(buf, attribute.c_str());
+ return buf.str();
+}
+
+const std::string appendPath(const std::string & prefix, const std::string & suffix)
+{
+ if (prefix.empty()) {
+ return quoteAttribute(suffix);
+ }
+ return prefix + "." + quoteAttribute(suffix);
+}
+
+bool forbiddenRecursionName(std::string name) { return (!name.empty() && name[0] == '_') || name == "haskellPackages"; }
+
+void recurse(const std::function<bool(const std::string & path, std::variant<Value, std::exception_ptr>)> & f,
+ Context & ctx, Value v, const std::string & path)
+{
+ std::variant<Value, std::exception_ptr> evaluated;
+ try {
+ evaluated = evaluateValue(ctx, v);
+ } catch (Error &) {
+ evaluated = std::current_exception();
+ }
+ if (!f(path, evaluated)) {
+ return;
+ }
+ if (std::holds_alternative<std::exception_ptr>(evaluated)) {
+ return;
+ }
+ const Value & evaluated_value = std::get<Value>(evaluated);
+ if (evaluated_value.type != tAttrs) {
+ return;
+ }
+ for (const auto & child : evaluated_value.attrs->lexicographicOrder()) {
+ if (forbiddenRecursionName(child->name)) {
+ continue;
+ }
+ recurse(f, ctx, *child->value, appendPath(path, child->name));
+ }
+}
+
+// Calls f on all the option names
+void mapOptions(const std::function<void(const std::string & path)> & f, Context & ctx, Value root)
+{
+ recurse(
+ [f, &ctx](const std::string & path, std::variant<Value, std::exception_ptr> v) {
+ bool isOpt = std::holds_alternative<std::exception_ptr>(v) || isOption(ctx, std::get<Value>(v));
+ if (isOpt) {
+ f(path);
+ }
+ return !isOpt;
+ },
+ ctx, root, "");
+}
+
+// Calls f on all the config values inside one option.
+// Simple options have one config value inside, like sound.enable = true.
+// Compound options have multiple config values. For example, the option
+// "users.users" has about 1000 config values inside it:
+// users.users.avahi.createHome = false;
+// users.users.avahi.cryptHomeLuks = null;
+// users.users.avahi.description = "`avahi-daemon' privilege separation user";
+// ...
+// users.users.avahi.openssh.authorizedKeys.keyFiles = [ ];
+// users.users.avahi.openssh.authorizedKeys.keys = [ ];
+// ...
+// users.users.avahi.uid = 10;
+// users.users.avahi.useDefaultShell = false;
+// users.users.cups.createHome = false;
+// ...
+// users.users.cups.useDefaultShell = false;
+// users.users.gdm = ... ... ...
+// users.users.messagebus = ... .. ...
+// users.users.nixbld1 = ... .. ...
+// ...
+// users.users.systemd-timesync = ... .. ...
+void mapConfigValuesInOption(
+ const std::function<void(const std::string & path, std::variant<Value, std::exception_ptr> v)> & f,
+ const std::string & path, Context & ctx)
+{
+ Value * option;
+ try {
+ option = findAlongAttrPath(ctx.state, path, ctx.autoArgs, ctx.configRoot);
+ } catch (Error &) {
+ f(path, std::current_exception());
+ return;
+ }
+ recurse(
+ [f, ctx](const std::string & path, std::variant<Value, std::exception_ptr> v) {
+ bool leaf = std::holds_alternative<std::exception_ptr>(v) || std::get<Value>(v).type != tAttrs ||
+ ctx.state.isDerivation(std::get<Value>(v));
+ if (!leaf) {
+ return true; // Keep digging
+ }
+ f(path, v);
+ return false;
+ },
+ ctx, *option, path);
+}
+
+std::string describeError(const Error & e) { return "«error: " + e.msg() + "»"; }
+
+void describeDerivation(Context & ctx, Out & out, Value v)
+{
+ // Copy-pasted from nix/src/nix/repl.cc :(
+ Bindings::iterator i = v.attrs->find(ctx.state.sDrvPath);
+ PathSet pathset;
+ try {
+ Path drvPath = i != v.attrs->end() ? ctx.state.coerceToPath(*i->pos, *i->value, pathset) : "???";
+ out << "«derivation " << drvPath << "»";
+ } catch (Error & e) {
+ out << describeError(e);
+ }
+}
+
+Value parseAndEval(EvalState & state, const std::string & expression, const std::string & path)
+{
+ Value v{};
+ state.eval(state.parseExprFromString(expression, absPath(path)), v);
+ return v;
+}
+
+void printValue(Context & ctx, Out & out, std::variant<Value, std::exception_ptr> maybeValue, const std::string & path);
+
+void printList(Context & ctx, Out & out, Value & v)
+{
+ Out listOut(out, "[", "]", v.listSize());
+ for (unsigned int n = 0; n < v.listSize(); ++n) {
+ printValue(ctx, listOut, *v.listElems()[n], "");
+ listOut << Out::sep;
+ }
+}
+
+void printAttrs(Context & ctx, Out & out, Value & v, const std::string & path)
+{
+ Out attrsOut(out, "{", "}", v.attrs->size());
+ for (const auto & a : v.attrs->lexicographicOrder()) {
+ std::string name = a->name;
+ attrsOut << name << " = ";
+ printValue(ctx, attrsOut, *a->value, appendPath(path, name));
+ attrsOut << ";" << Out::sep;
+ }
+}
+
+void multiLineStringEscape(Out & out, const std::string & s)
+{
+ int i;
+ for (i = 1; i < s.size(); i++) {
+ if (s[i - 1] == '$' && s[i] == '{') {
+ out << "''${";
+ i++;
+ } else if (s[i - 1] == '\'' && s[i] == '\'') {
+ out << "'''";
+ i++;
+ } else {
+ out << s[i - 1];
+ }
+ }
+ if (i == s.size()) {
+ out << s[i - 1];
+ }
+}
+
+void printMultiLineString(Out & out, const Value & v)
+{
+ std::string s = v.string.s;
+ Out strOut(out, "''", "''", Out::MULTI_LINE);
+ std::string::size_type begin = 0;
+ while (begin < s.size()) {
+ std::string::size_type end = s.find('\n', begin);
+ if (end == std::string::npos) {
+ multiLineStringEscape(strOut, s.substr(begin, s.size() - begin));
+ break;
+ }
+ multiLineStringEscape(strOut, s.substr(begin, end - begin));
+ strOut << Out::sep;
+ begin = end + 1;
+ }
+}
+
+void printValue(Context & ctx, Out & out, std::variant<Value, std::exception_ptr> maybeValue, const std::string & path)
+{
+ try {
+ if (auto ex = std::get_if<std::exception_ptr>(&maybeValue)) {
+ std::rethrow_exception(*ex);
+ }
+ Value v = evaluateValue(ctx, std::get<Value>(maybeValue));
+ if (ctx.state.isDerivation(v)) {
+ describeDerivation(ctx, out, v);
+ } else if (v.isList()) {
+ printList(ctx, out, v);
+ } else if (v.type == tAttrs) {
+ printAttrs(ctx, out, v, path);
+ } else if (v.type == tString && std::string(v.string.s).find('\n') != std::string::npos) {
+ printMultiLineString(out, v);
+ } else {
+ ctx.state.forceValueDeep(v);
+ out << v;
+ }
+ } catch (ThrownError & e) {
+ if (e.msg() == "The option `" + path + "' is used but not defined.") {
+ // 93% of errors are this, and just letting this message through would be
+ // misleading. These values may or may not actually be "used" in the
+ // config. The thing throwing the error message assumes that if anything
+ // ever looks at this value, it is a "use" of this value. But here in
+ // nixos-option, we are looking at this value only to print it.
+ // In order to avoid implying that this undefined value is actually
+ // referenced, eat the underlying error message and emit "«not defined»".
+ out << "«not defined»";
+ } else {
+ out << describeError(e);
+ }
+ } catch (Error & e) {
+ out << describeError(e);
+ }
+}
+
+void printConfigValue(Context & ctx, Out & out, const std::string & path, std::variant<Value, std::exception_ptr> v)
+{
+ out << path << " = ";
+ printValue(ctx, out, std::move(v), path);
+ out << ";\n";
+}
+
+void printAll(Context & ctx, Out & out)
+{
+ mapOptions(
+ [&ctx, &out](const std::string & optionPath) {
+ mapConfigValuesInOption(
+ [&ctx, &out](const std::string & configPath, std::variant<Value, std::exception_ptr> v) {
+ printConfigValue(ctx, out, configPath, v);
+ },
+ optionPath, ctx);
+ },
+ ctx, ctx.optionsRoot);
+}
+
+void printAttr(Context & ctx, Out & out, const std::string & path, Value & root)
+{
+ try {
+ printValue(ctx, out, *findAlongAttrPath(ctx.state, path, ctx.autoArgs, root), path);
+ } catch (Error & e) {
+ out << describeError(e);
+ }
+}
+
+bool hasExample(Context & ctx, Value & option)
+{
+ try {
+ findAlongAttrPath(ctx.state, "example", ctx.autoArgs, option);
+ return true;
+ } catch (Error &) {
+ return false;
+ }
+}
+
+void printOption(Context & ctx, Out & out, const std::string & path, Value & option)
+{
+ out << "Value:\n";
+ printAttr(ctx, out, path, ctx.configRoot);
+
+ out << "\n\nDefault:\n";
+ printAttr(ctx, out, "default", option);
+
+ out << "\n\nType:\n";
+ printAttr(ctx, out, "type.description", option);
+
+ if (hasExample(ctx, option)) {
+ out << "\n\nExample:\n";
+ printAttr(ctx, out, "example", option);
+ }
+
+ out << "\n\nDescription:\n";
+ printAttr(ctx, out, "description", option);
+
+ out << "\n\nDeclared by:\n";
+ printAttr(ctx, out, "declarations", option);
+
+ out << "\n\nDefined by:\n";
+ printAttr(ctx, out, "files", option);
+ out << "\n";
+}
+
+void printListing(Out & out, Value & v)
+{
+ out << "This attribute set contains:\n";
+ for (const auto & a : v.attrs->lexicographicOrder()) {
+ std::string name = a->name;
+ if (!name.empty() && name[0] != '_') {
+ out << name << "\n";
+ }
+ }
+}
+
+bool optionTypeIs(Context & ctx, Value & v, const std::string & soughtType)
+{
+ try {
+ const auto & typeLookup = v.attrs->find(ctx.state.sType);
+ if (typeLookup == v.attrs->end()) {
+ return false;
+ }
+ Value type = evaluateValue(ctx, *typeLookup->value);
+ if (type.type != tAttrs) {
+ return false;
+ }
+ const auto & nameLookup = type.attrs->find(ctx.state.sName);
+ if (nameLookup == type.attrs->end()) {
+ return false;
+ }
+ Value name = evaluateValue(ctx, *nameLookup->value);
+ if (name.type != tString) {
+ return false;
+ }
+ return name.string.s == soughtType;
+ } catch (Error &) {
+ return false;
+ }
+}
+
+bool isAggregateOptionType(Context & ctx, Value & v)
+{
+ return optionTypeIs(ctx, v, "attrsOf") || optionTypeIs(ctx, v, "listOf") || optionTypeIs(ctx, v, "loaOf");
+}
+
+MakeError(OptionPathError, EvalError);
+
+Value getSubOptions(Context & ctx, Value & option)
+{
+ Value getSubOptions = evaluateValue(ctx, *findAlongAttrPath(ctx.state, "type.getSubOptions", ctx.autoArgs, option));
+ if (getSubOptions.type != tLambda) {
+ throw OptionPathError("Option's type.getSubOptions isn't a function");
+ }
+ Value emptyString{};
+ nix::mkString(emptyString, "");
+ Value v;
+ ctx.state.callFunction(getSubOptions, emptyString, v, nix::Pos{});
+ return v;
+}
+
+// Carefully walk an option path, looking for sub-options when a path walks past
+// an option value.
+Value findAlongOptionPath(Context & ctx, const std::string & path)
+{
+ Strings tokens = parseAttrPath(path);
+ Value v = ctx.optionsRoot;
+ for (auto i = tokens.begin(); i != tokens.end(); i++) {
+ const auto & attr = *i;
+ try {
+ bool lastAttribute = std::next(i) == tokens.end();
+ v = evaluateValue(ctx, v);
+ if (attr.empty()) {
+ throw OptionPathError("empty attribute name");
+ }
+ if (isOption(ctx, v) && optionTypeIs(ctx, v, "submodule")) {
+ v = getSubOptions(ctx, v);
+ }
+ if (isOption(ctx, v) && isAggregateOptionType(ctx, v) && !lastAttribute) {
+ v = getSubOptions(ctx, v);
+ // Note that we've consumed attr, but didn't actually use it. This is the path component that's looked
+ // up in the list or attribute set that doesn't name an option -- the "root" in "users.users.root.name".
+ } else if (v.type != tAttrs) {
+ throw OptionPathError("Value is %s while a set was expected", showType(v));
+ } else {
+ const auto & next = v.attrs->find(ctx.state.symbols.create(attr));
+ if (next == v.attrs->end()) {
+ throw OptionPathError("Attribute not found", attr, path);
+ }
+ v = *next->value;
+ }
+ } catch (OptionPathError & e) {
+ throw OptionPathError("At '%s' in path '%s': %s", attr, path, e.msg());
+ }
+ }
+ return v;
+}
+
+void printOne(Context & ctx, Out & out, const std::string & path)
+{
+ try {
+ Value option = findAlongOptionPath(ctx, path);
+ option = evaluateValue(ctx, option);
+ if (isOption(ctx, option)) {
+ printOption(ctx, out, path, option);
+ } else {
+ printListing(out, option);
+ }
+ } catch (Error & e) {
+ std::cerr << "error: " << e.msg()
+ << "\nAn error occurred while looking for attribute names. Are "
+ "you sure that '"
+ << path << "' exists?\n";
+ }
+}
+
+int main(int argc, char ** argv)
+{
+ bool all = false;
+ std::string path = ".";
+ std::string optionsExpr = "(import <nixpkgs/nixos> {}).options";
+ std::string configExpr = "(import <nixpkgs/nixos> {}).config";
+ std::vector<std::string> args;
+
+ struct MyArgs : nix::LegacyArgs, nix::MixEvalArgs
+ {
+ using nix::LegacyArgs::LegacyArgs;
+ };
+
+ MyArgs myArgs(nix::baseNameOf(argv[0]), [&](Strings::iterator & arg, const Strings::iterator & end) {
+ if (*arg == "--help") {
+ nix::showManPage("nixos-option");
+ } else if (*arg == "--version") {
+ nix::printVersion("nixos-option");
+ } else if (*arg == "--all") {
+ all = true;
+ } else if (*arg == "--path") {
+ path = nix::getArg(*arg, arg, end);
+ } else if (*arg == "--options_expr") {
+ optionsExpr = nix::getArg(*arg, arg, end);
+ } else if (*arg == "--config_expr") {
+ configExpr = nix::getArg(*arg, arg, end);
+ } else if (!arg->empty() && arg->at(0) == '-') {
+ return false;
+ } else {
+ args.push_back(*arg);
+ }
+ return true;
+ });
+
+ myArgs.parseCmdline(nix::argvToStrings(argc, argv));
+
+ nix::initPlugins();
+ nix::initGC();
+ nix::settings.readOnlyMode = true;
+ auto store = nix::openStore();
+ auto state = std::make_unique<EvalState>(myArgs.searchPath, store);
+
+ Value optionsRoot = parseAndEval(*state, optionsExpr, path);
+ Value configRoot = parseAndEval(*state, configExpr, path);
+
+ Context ctx{*state, *myArgs.getAutoArgs(*state), optionsRoot, configRoot};
+ Out out(std::cout);
+
+ if (all) {
+ if (!args.empty()) {
+ throw UsageError("--all cannot be used with arguments");
+ }
+ printAll(ctx, out);
+ } else {
+ if (args.empty()) {
+ printOne(ctx, out, "");
+ }
+ for (const auto & arg : args) {
+ printOne(ctx, out, arg);
+ }
+ }
+
+ ctx.state.printStats();
+
+ return 0;
+}
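Review bot: `main` runs `parseCmdline`, both `parseAndEval` calls and `throw UsageError("--all cannot be used with arguments")` with no try block around them, so a bad flag or a failing `--options_expr`/`--config_expr` evaluation leaves `main` as an uncaught exception rather than a diagnostic and a defined exit code. Wrapping the body as `return nix::handleExceptions(argv[0], [&]() { … });` would cover all three, and nix/shared.hh is already included. Separately, `printOne` catches every `Error`, writes to `std::cerr` and returns normally, so `main` still reaches `return 0;` after a failed lookup. A script calling nixos-option cannot tell a missing option from a found one unless `printOne` reports the failure and `main` turns it into a non-zero status.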
diff --git a/nixpkgs/nixos/modules/installer/tools/nixos-rebuild.sh b/nixpkgs/nixos/modules/installer/tools/nixos-rebuild.sh
index ea434ca8741..c53dc1000c4 100644
--- a/nixpkgs/nixos/modules/installer/tools/nixos-rebuild.sh
+++ b/nixpkgs/nixos/modules/installer/tools/nixos-rebuild.sh
@@ -22,6 +22,7 @@ repair=
profile=/nix/var/nix/profiles/system
buildHost=
targetHost=
+maybeSudo=
while [ "$#" -gt 0 ]; do
i="$1"; shift 1
@@ -89,6 +90,11 @@ while [ "$#" -gt 0 ]; do
targetHost="$1"
shift 1
;;
+ --use-remote-sudo)
+ # note the trailing space
+ maybeSudo="sudo "
+ shift 1
+ ;;
*)
echo "$0: unknown option \`$i'"
exit 1
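Review bot: The `shift 1` in the new `--use-remote-sudo)` branch drops the argument that follows the flag. The loop already does `i="$1"; shift 1` before the `case` (visible in the previous hunk), and this option takes no value, unlike `--target-host` just above, which shifts after reading `$1`. When the flag is last on the command line, the extra shift has nothing left to remove. The branch should be only `maybeSudo="sudo "` followed by `;;`. The enclosing `while` loop starts outside this hunk.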
@@ -96,7 +102,6 @@ while [ "$#" -gt 0 ]; do
esac
done
-
if [ -z "$buildHost" -a -n "$targetHost" ]; then
buildHost="$targetHost"
fi
@@ -111,9 +116,9 @@ buildHostCmd() {
if [ -z "$buildHost" ]; then
"$@"
elif [ -n "$remoteNix" ]; then
- ssh $SSHOPTS "$buildHost" env PATH="$remoteNix:$PATH" "$@"
+ ssh $SSHOPTS "$buildHost" env PATH="$remoteNix:$PATH" "$maybeSudo$@"
else
- ssh $SSHOPTS "$buildHost" "$@"
+ ssh $SSHOPTS "$buildHost" "$maybeSudo$@"
fi
}
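Review bot: `"$maybeSudo$@"` glues `sudo ` onto the first word of the command, so the remote side sees a separate `sudo` only because ssh joins its arguments and the remote shell splits them again; the `targetHostCmd` hunk below uses the same expansion. Keeping the variable as its own word, with `maybeSudo=sudo` and `ssh $SSHOPTS "$buildHost" $maybeSudo "$@"`, does not depend on that re-splitting and needs no trailing space. In the `remoteNix` branch the command becomes `env PATH=… sudo …`, and a sudoers policy that resets the environment or sets `secure_path` would presumably discard that `PATH`, so it is worth checking that the remote Nix binaries are still found under sudo. `buildHostCmd` opens in the hunk header, outside the hunk lines.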
@@ -121,7 +126,7 @@ targetHostCmd() {
if [ -z "$targetHost" ]; then
"$@"
else
- ssh $SSHOPTS "$targetHost" "$@"
+ ssh $SSHOPTS "$targetHost" "$maybeSudo$@"
fi
}
diff --git a/nixpkgs/nixos/modules/installer/tools/tools.nix b/nixpkgs/nixos/modules/installer/tools/tools.nix
index 32926005959..e4db39b5c81 100644
--- a/nixpkgs/nixos/modules/installer/tools/tools.nix
+++ b/nixpkgs/nixos/modules/installer/tools/tools.nix
@@ -41,10 +41,7 @@ let
inherit (config.system.nixos-generate-config) configuration;
};
- nixos-option = makeProg {
- name = "nixos-option";
- src = ./nixos-option.sh;
- };
+ nixos-option = pkgs.callPackage ./nixos-option { };
nixos-version = makeProg {
name = "nixos-version";
@@ -120,7 +117,11 @@ in
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
- # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # pinentryFlavor = "gnome3";
+ # };
# List services that you want to enable:
diff --git a/nixpkgs/nixos/modules/misc/ids.nix b/nixpkgs/nixos/modules/misc/ids.nix
index 3e8a5b07a5e..f8b188e7b1c 100644
--- a/nixpkgs/nixos/modules/misc/ids.nix
+++ b/nixpkgs/nixos/modules/misc/ids.nix
@@ -11,6 +11,9 @@
{ lib, ... }:
+let
+ inherit (lib) types;
+in
{
options = {
@@ -19,6 +22,7 @@
description = ''
The user IDs used in NixOS.
'';
+ type = types.attrsOf types.int;
};
ids.gids = lib.mkOption {
@@ -26,6 +30,7 @@
description = ''
The group IDs used in NixOS.
'';
+ type = types.attrsOf types.int;
};
};
@@ -128,7 +133,7 @@
tcpcryptd = 93; # tcpcryptd uses a hard-coded uid. We patch it in Nixpkgs to match this choice.
firebird = 95;
#keys = 96; # unused
- haproxy = 97;
+ #haproxy = 97; # DynamicUser as of 2019-11-08
mongodb = 98;
openldap = 99;
#users = 100; # unused
@@ -443,7 +448,7 @@
#tcpcryptd = 93; # unused
firebird = 95;
keys = 96;
- haproxy = 97;
+ #haproxy = 97; # DynamicUser as of 2019-11-08
#mongodb = 98; # unused
openldap = 99;
munin = 102;
diff --git a/nixpkgs/nixos/modules/module-list.nix b/nixpkgs/nixos/modules/module-list.nix
index 5214126ff7e..076e1654818 100644
--- a/nixpkgs/nixos/modules/module-list.nix
+++ b/nixpkgs/nixos/modules/module-list.nix
@@ -1,9 +1,7 @@
[
./config/debug-info.nix
- ./config/fonts/corefonts.nix
./config/fonts/fontconfig.nix
./config/fonts/fontconfig-penultimate.nix
- ./config/fonts/fontconfig-ultimate.nix
./config/fonts/fontdir.nix
./config/fonts/fonts.nix
./config/fonts/ghostscript.nix
@@ -37,13 +35,13 @@
./config/terminfo.nix
./config/unix-odbc-drivers.nix
./config/users-groups.nix
- ./config/vpnc.nix
./config/vte.nix
./config/zram.nix
./hardware/acpilight.nix
./hardware/all-firmware.nix
./hardware/bladeRF.nix
./hardware/brightnessctl.nix
+ ./hardware/brillo.nix
./hardware/ckb-next.nix
./hardware/cpu/amd-microcode.nix
./hardware/cpu/intel-microcode.nix
@@ -227,6 +225,7 @@
./services/backup/rsnapshot.nix
./services/backup/tarsnap.nix
./services/backup/tsm.nix
+ ./services/backup/zfs-replication.nix
./services/backup/znapzend.nix
./services/cluster/hadoop/default.nix
./services/cluster/kubernetes/addons/dns.nix
@@ -308,6 +307,7 @@
./services/desktops/gnome3/sushi.nix
./services/desktops/gnome3/tracker.nix
./services/desktops/gnome3/tracker-miners.nix
+ ./services/desktops/neard.nix
./services/desktops/profile-sync-daemon.nix
./services/desktops/system-config-printer.nix
./services/desktops/telepathy.nix
@@ -316,11 +316,13 @@
./services/development/bloop.nix
./services/development/hoogle.nix
./services/development/jupyter/default.nix
+ ./services/development/lorri.nix
./services/editors/emacs.nix
./services/editors/infinoted.nix
./services/games/factorio.nix
./services/games/minecraft-server.nix
./services/games/minetest-server.nix
+ ./services/games/openarena.nix
./services/games/terraria.nix
./services/hardware/acpid.nix
./services/hardware/actkbd.nix
@@ -517,7 +519,6 @@
./services/monitoring/munin.nix
./services/monitoring/nagios.nix
./services/monitoring/netdata.nix
- ./services/monitoring/osquery.nix
./services/monitoring/prometheus/default.nix
./services/monitoring/prometheus/alertmanager.nix
./services/monitoring/prometheus/exporters.nix
@@ -537,7 +538,6 @@
./services/monitoring/zabbix-agent.nix
./services/monitoring/zabbix-proxy.nix
./services/monitoring/zabbix-server.nix
- ./services/network-filesystems/beegfs.nix
./services/network-filesystems/cachefilesd.nix
./services/network-filesystems/davfs2.nix
./services/network-filesystems/drbd.nix
@@ -548,6 +548,8 @@
./services/network-filesystems/nfsd.nix
./services/network-filesystems/openafs/client.nix
./services/network-filesystems/openafs/server.nix
+ ./services/network-filesystems/orangefs/server.nix
+ ./services/network-filesystems/orangefs/client.nix
./services/network-filesystems/rsyncd.nix
./services/network-filesystems/samba.nix
./services/network-filesystems/tahoe.nix
@@ -601,6 +603,7 @@
./services/networking/gdomap.nix
./services/networking/git-daemon.nix
./services/networking/gnunet.nix
+ ./services/networking/go-shadowsocks2.nix
./services/networking/gogoclient.nix
./services/networking/gvpe.nix
./services/networking/hans.nix
@@ -614,7 +617,6 @@
./services/networking/iodine.nix
./services/networking/iperf3.nix
./services/networking/ircd-hybrid/default.nix
- ./services/networking/jormungandr.nix
./services/networking/iwd.nix
./services/networking/keepalived/default.nix
./services/networking/keybase.nix
@@ -713,6 +715,7 @@
./services/networking/tinc.nix
./services/networking/tinydns.nix
./services/networking/tftpd.nix
+ ./services/networking/trickster.nix
./services/networking/tox-bootstrapd.nix
./services/networking/tox-node.nix
./services/networking/toxvpn.nix
@@ -729,6 +732,7 @@
./services/networking/xinetd.nix
./services/networking/xl2tpd.nix
./services/networking/xrdp.nix
+ ./services/networking/yggdrasil.nix
./services/networking/zerobin.nix
./services/networking/zeronet.nix
./services/networking/zerotierone.nix
@@ -793,6 +797,7 @@
./services/web-apps/cryptpad.nix
./services/web-apps/documize.nix
./services/web-apps/frab.nix
+ ./services/web-apps/gotify-server.nix
./services/web-apps/icingaweb2/icingaweb2.nix
./services/web-apps/icingaweb2/module-monitoring.nix
./services/web-apps/limesurvey.nix
@@ -804,8 +809,10 @@
./services/web-apps/nexus.nix
./services/web-apps/pgpkeyserver-lite.nix
./services/web-apps/matomo.nix
+ ./services/web-apps/moinmoin.nix
./services/web-apps/restya-board.nix
./services/web-apps/tt-rss.nix
+ ./services/web-apps/trac.nix
./services/web-apps/selfoss.nix
./services/web-apps/shiori.nix
./services/web-apps/virtlyst.nix
@@ -833,6 +840,7 @@
./services/web-servers/shellinabox.nix
./services/web-servers/tomcat.nix
./services/web-servers/traefik.nix
+ ./services/web-servers/ttyd.nix
./services/web-servers/uwsgi.nix
./services/web-servers/varnish/default.nix
./services/web-servers/zope2.nix
@@ -856,6 +864,7 @@
./services/x11/hardware/multitouch.nix
./services/x11/hardware/synaptics.nix
./services/x11/hardware/wacom.nix
+ ./services/x11/hardware/digimend.nix
./services/x11/hardware/cmt.nix
./services/x11/gdk-pixbuf.nix
./services/x11/redshift.nix
diff --git a/nixpkgs/nixos/modules/profiles/graphical.nix b/nixpkgs/nixos/modules/profiles/graphical.nix
index 649f5564ac6..d80456cede5 100644
--- a/nixpkgs/nixos/modules/profiles/graphical.nix
+++ b/nixpkgs/nixos/modules/profiles/graphical.nix
@@ -9,14 +9,12 @@
displayManager.sddm.enable = true;
desktopManager.plasma5 = {
enable = true;
- enableQt4Support = false;
};
libinput.enable = true; # for touchpad support on many laptops
};
# Enable sound in virtualbox appliances.
hardware.pulseaudio.enable = true;
- hardware.pulseaudio.systemWide = true; # Needed since we run plasma as root.
environment.systemPackages = [ pkgs.glxinfo pkgs.firefox ];
}
diff --git a/nixpkgs/nixos/modules/profiles/installation-device.nix b/nixpkgs/nixos/modules/profiles/installation-device.nix
index fd30220ce1c..4596e163404 100644
--- a/nixpkgs/nixos/modules/profiles/installation-device.nix
+++ b/nixpkgs/nixos/modules/profiles/installation-device.nix
@@ -31,9 +31,6 @@ with lib;
# Let the user play Rogue on TTY 8 during the installation.
#services.rogue.enable = true;
- # Disable some other stuff we don't need.
- services.udisks2.enable = mkDefault false;
-
# Use less privileged nixos user
users.users.nixos = {
isNormalUser = true;
diff --git a/nixpkgs/nixos/modules/programs/adb.nix b/nixpkgs/nixos/modules/programs/adb.nix
index 250d8c252a3..83bcfe886aa 100644
--- a/nixpkgs/nixos/modules/programs/adb.nix
+++ b/nixpkgs/nixos/modules/programs/adb.nix
@@ -23,7 +23,8 @@ with lib;
###### implementation
config = mkIf config.programs.adb.enable {
services.udev.packages = [ pkgs.android-udev-rules ];
- environment.systemPackages = [ pkgs.androidenv.androidPkgs_9_0.platform-tools ];
+ # Give platform-tools lower priority so mke2fs+friends are taken from other packages first
+ environment.systemPackages = [ (lowPrio pkgs.androidenv.androidPkgs_9_0.platform-tools) ];
users.groups.adbusers = {};
};
}
diff --git a/nixpkgs/nixos/modules/programs/gnupg.nix b/nixpkgs/nixos/modules/programs/gnupg.nix
index bcbc994efe9..2d262d90657 100644
--- a/nixpkgs/nixos/modules/programs/gnupg.nix
+++ b/nixpkgs/nixos/modules/programs/gnupg.nix
@@ -6,6 +6,19 @@ let
cfg = config.programs.gnupg;
+ xserverCfg = config.services.xserver;
+
+ defaultPinentryFlavor =
+ if xserverCfg.desktopManager.lxqt.enable
+ || xserverCfg.desktopManager.plasma5.enable then
+ "qt"
+ else if xserverCfg.desktopManager.xfce.enable then
+ "gtk2"
+ else if xserverCfg.enable || config.programs.sway.enable then
+ "gnome3"
+ else
+ null;
+
in
{
@@ -54,6 +67,20 @@ in
'';
};
+ agent.pinentryFlavor = mkOption {
+ type = types.nullOr (types.enum pkgs.pinentry.flavors);
+ example = "gnome3";
+ description = ''
+ Which pinentry interface to use. If not null, the path to the
+ pinentry binary will be passed to gpg-agent via commandline and
+ thus overrides the pinentry option in gpg-agent.conf in the user's
+ home directory.
+ If not set at all, it'll pick an appropriate flavor depending on the
+ system configuration (qt flavor for lxqt and plasma5, gtk2 for xfce
+ 4.12, gnome3 on all other systems with X enabled, ncurses otherwise).
+ '';
+ };
+
dirmngr.enable = mkOption {
type = types.bool;
default = false;
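Review bot: The description of `agent.pinentryFlavor` promises an ncurses fallback, but `defaultPinentryFlavor` in the previous hunk ends in `null`, and the unit override in the next hunk applies only when the flavor is not null. On a system without X or sway, no `--pinentry-program` is passed at all, and which pinentry gpg-agent then uses is decided outside this module. I would reword the last sentence to something like `… gnome3 on all other systems with X enabled; otherwise null, which leaves gpg-agent's own pinentry setting untouched`. The option also declares no `default`, and its only definition visible here sits under `mkIf cfg.agent.enable`, so reading it with the agent disabled would presumably fail as undefined; `default = defaultPinentryFlavor;` plus a `defaultText` on the option would avoid that.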
@@ -64,6 +91,16 @@ in
};
config = mkIf cfg.agent.enable {
+ programs.gnupg.agent.pinentryFlavor = mkDefault defaultPinentryFlavor;
+
+ # This overrides the systemd user unit shipped with the gnupg package
+ systemd.user.services.gpg-agent = mkIf (cfg.agent.pinentryFlavor != null) {
+ serviceConfig.ExecStart = [ "" ''
+ ${pkgs.gnupg}/bin/gpg-agent --supervised \
+ --pinentry-program ${pkgs.pinentry.${cfg.agent.pinentryFlavor}}/bin/pinentry
+ '' ];
+ };
+
systemd.user.sockets.gpg-agent = {
wantedBy = [ "sockets.target" ];
};
@@ -83,7 +120,9 @@ in
systemd.user.sockets.dirmngr = mkIf cfg.dirmngr.enable {
wantedBy = [ "sockets.target" ];
};
-
+
+ services.dbus.packages = mkIf (cfg.agent.pinentryFlavor == "gnome3") [ pkgs.gcr ];
+
environment.systemPackages = with pkgs; [ cfg.package ];
systemd.packages = [ cfg.package ];
diff --git a/nixpkgs/nixos/modules/programs/seahorse.nix b/nixpkgs/nixos/modules/programs/seahorse.nix
index c08b0a85374..b229d2a2c0d 100644
--- a/nixpkgs/nixos/modules/programs/seahorse.nix
+++ b/nixpkgs/nixos/modules/programs/seahorse.nix
@@ -31,6 +31,8 @@ with lib;
config = mkIf config.programs.seahorse.enable {
+ programs.ssh.askPassword = mkDefault "${pkgs.gnome3.seahorse}/libexec/seahorse/ssh-askpass";
+
environment.systemPackages = [
pkgs.gnome3.seahorse
];
diff --git a/nixpkgs/nixos/modules/programs/shadow.nix b/nixpkgs/nixos/modules/programs/shadow.nix
index 8ec4169207d..7eaf79d864e 100644
--- a/nixpkgs/nixos/modules/programs/shadow.nix
+++ b/nixpkgs/nixos/modules/programs/shadow.nix
@@ -6,17 +6,27 @@ with lib;
let
+ /*
+ There are three different sources for user/group id ranges, each of which gets
+ used by different programs:
+ - The login.defs file, used by the useradd, groupadd and newusers commands
+ - The update-users-groups.pl file, used by NixOS in the activation phase to
+ decide on which ids to use for declaratively defined users without a static
+ id
+ - Systemd compile time options -Dsystem-uid-max= and -Dsystem-gid-max=, used
+ by systemd for features like ConditionUser=@system and systemd-sysusers
+ */
loginDefs =
''
DEFAULT_HOME yes
SYS_UID_MIN 400
- SYS_UID_MAX 499
+ SYS_UID_MAX 999
UID_MIN 1000
UID_MAX 29999
SYS_GID_MIN 400
- SYS_GID_MAX 499
+ SYS_GID_MAX 999
GID_MIN 1000
GID_MAX 29999
diff --git a/nixpkgs/nixos/modules/programs/ssh.nix b/nixpkgs/nixos/modules/programs/ssh.nix
index 733b8f7636f..80198990ed1 100644
--- a/nixpkgs/nixos/modules/programs/ssh.nix
+++ b/nixpkgs/nixos/modules/programs/ssh.nix
@@ -115,6 +115,16 @@ in
'';
};
+ agentPKCS11Whitelist = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ example = "\${pkgs.opensc}/lib/opensc-pkcs11.so";
+ description = ''
+ A pattern-list of acceptable paths for PKCS#11 shared libraries
+ that may be used with the -s option to ssh-add.
+ '';
+ };
+
package = mkOption {
type = types.package;
default = pkgs.openssh;
@@ -241,6 +251,7 @@ in
ExecStart =
"${cfg.package}/bin/ssh-agent " +
optionalString (cfg.agentTimeout != null) ("-t ${cfg.agentTimeout} ") +
+ optionalString (cfg.agentPKCS11Whitelist != null) ("-P ${cfg.agentPKCS11Whitelist} ") +
"-a %t/ssh-agent";
StandardOutput = "null";
Type = "forking";
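Review bot: The new `-P` argument in ExecStart interpolates `cfg.agentPKCS11Whitelist` without quoting, so a pattern-list containing whitespace would be split into separate arguments and the agent would start with a different allow-list than the one configured. Since this value decides which PKCS#11 libraries the agent is willing to load, quote it, e.g. `optionalString (cfg.agentPKCS11Whitelist != null) ("-P ${escapeShellArg cfg.agentPKCS11Whitelist} ") +`. The option description in the previous hunk could also state what applies when the value is `null` (presumably ssh-agent's built-in default list). The ExecStart expression and the surrounding service definition start outside this hunk.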
diff --git a/nixpkgs/nixos/modules/programs/ssmtp.nix b/nixpkgs/nixos/modules/programs/ssmtp.nix
index 0e060e3f522..e45748af205 100644
--- a/nixpkgs/nixos/modules/programs/ssmtp.nix
+++ b/nixpkgs/nixos/modules/programs/ssmtp.nix
@@ -8,18 +8,16 @@
with lib;
let
-
- cfg = config.networking.defaultMailServer;
+ cfg = config.services.ssmtp;
in
-
{
options = {
- networking.defaultMailServer = {
+ services.ssmtp = {
- directDelivery = mkOption {
+ enable = mkOption {
type = types.bool;
default = false;
description = ''
@@ -29,7 +27,7 @@ in
<command>sendmail</command> or <command>postfix</command> on
your machine, set this option to <literal>true</literal>, and
set the option
- <option>networking.defaultMailServer.hostName</option> to the
+ <option>services.ssmtp.hostName</option> to the
host name of your preferred mail server.
'';
};
@@ -129,9 +127,9 @@ in
};
- config = mkIf cfg.directDelivery {
+ config = mkIf cfg.enable {
- networking.defaultMailServer.authPassFile = mkIf (cfg.authPass != "")
+ services.ssmtp.authPassFile = mkIf (cfg.authPass != "")
(mkDefault (toString (pkgs.writeTextFile {
name = "ssmtp-authpass";
text = cfg.authPass;
diff --git a/nixpkgs/nixos/modules/programs/x2goserver.nix b/nixpkgs/nixos/modules/programs/x2goserver.nix
index 77a1a0da799..7d74231e956 100644
--- a/nixpkgs/nixos/modules/programs/x2goserver.nix
+++ b/nixpkgs/nixos/modules/programs/x2goserver.nix
@@ -69,6 +69,7 @@ in {
users.users.x2go = {
home = "/var/lib/x2go/db";
group = "x2go";
+ isSystemUser = true;
};
security.wrappers.x2gosqliteWrapper = {
diff --git a/nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix b/nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix
index 7184e5d9b9a..c84d26a7921 100644
--- a/nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix
+++ b/nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix
@@ -81,7 +81,7 @@ in
];
programs.zsh.interactiveShellInit = with pkgs;
- lib.concatStringsSep "\n" ([
+ lib.mkAfter (lib.concatStringsSep "\n" ([
"source ${zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh"
] ++ optional (length(cfg.highlighters) > 0)
"ZSH_HIGHLIGHT_HIGHLIGHTERS=(${concatStringsSep " " cfg.highlighters})"
@@ -95,6 +95,6 @@ in
styles: design:
"ZSH_HIGHLIGHT_STYLES[${styles}]='${design}'"
) cfg.styles)
- );
+ ));
};
}
diff --git a/nixpkgs/nixos/modules/rename.nix b/nixpkgs/nixos/modules/rename.nix
index df8ebe50584..e392fef54dd 100644
--- a/nixpkgs/nixos/modules/rename.nix
+++ b/nixpkgs/nixos/modules/rename.nix
@@ -10,6 +10,9 @@ with lib;
(mkRenamedOptionModule [ "networking" "enableRalinkFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "enableRTL8192cFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "networkmanager" "useDnsmasq" ] [ "networking" "networkmanager" "dns" ])
+ (mkRenamedOptionModule [ "networking" "connman" ] [ "services" "connman" ])
+ (mkRenamedOptionModule [ "networking" "defaultMailServer" ] [ "services" "ssmtp" ])
+ (mkRenamedOptionModule [ "services" "ssmtp" "directDelivery" ] [ "services" "ssmtp" "enable" ])
(mkChangedOptionModule [ "services" "printing" "gutenprint" ] [ "services" "printing" "drivers" ]
(config:
let enabled = getAttrFromPath [ "services" "printing" "gutenprint" ] config;
@@ -135,7 +138,8 @@ with lib;
# piwik was renamed to matomo
(mkRenamedOptionModule [ "services" "piwik" "enable" ] [ "services" "matomo" "enable" ])
(mkRenamedOptionModule [ "services" "piwik" "webServerUser" ] [ "services" "matomo" "webServerUser" ])
- (mkRenamedOptionModule [ "services" "piwik" "phpfpmProcessManagerConfig" ] [ "services" "matomo" "phpfpmProcessManagerConfig" ])
+ (mkRemovedOptionModule [ "services" "piwik" "phpfpmProcessManagerConfig" ] "Use services.phpfpm.pools.<name>.settings")
+ (mkRemovedOptionModule [ "services" "matomo" "phpfpmProcessManagerConfig" ] "Use services.phpfpm.pools.<name>.settings")
(mkRenamedOptionModule [ "services" "piwik" "nginx" ] [ "services" "matomo" "nginx" ])
# tarsnap
@@ -233,6 +237,8 @@ with lib;
(mkRemovedOptionModule [ "services" "mysql" "rootPassword" ] "Use socket authentication or set the password outside of the nix store.")
(mkRemovedOptionModule [ "services" "zabbixServer" "dbPassword" ] "Use services.zabbixServer.database.passwordFile instead.")
(mkRemovedOptionModule [ "systemd" "generator-packages" ] "Use systemd.packages instead.")
+ (mkRemovedOptionModule [ "fonts" "enableCoreFonts" ] "Use fonts.fonts = [ pkgs.corefonts ]; instead.")
+ (mkRemovedOptionModule [ "networking" "vpnc" ] "Use environment.etc.\"vpnc/service.conf\" instead.")
# ZSH
(mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ])
@@ -277,6 +283,13 @@ with lib;
# BLCR
(mkRemovedOptionModule [ "environment.blcr.enable" ] "The BLCR module has been removed")
+ # beegfs
+ (mkRemovedOptionModule [ "services.beegfsEnable" ] "The BeeGFS module has been removed")
+ (mkRemovedOptionModule [ "services.beegfs" ] "The BeeGFS module has been removed")
+
+ # osquery
+ (mkRemovedOptionModule [ "services.osquery" ] "The osquery module has been removed")
+
# Redis
(mkRemovedOptionModule [ "services" "redis" "user" ] "The redis module now is hardcoded to the redis user.")
(mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.")
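Review bot: The three added removals for beegfs and osquery pass the option path as a single dotted string (`[ "services.beegfs" ]`), while the other entries in this file split the path into components. A one-element list names an attribute literally called `services.beegfs`, so a configuration that still sets `services.beegfs.…` would most likely not get this message. Write them as `[ "services" "beegfsEnable" ]`, `[ "services" "beegfs" ]` and `[ "services" "osquery" ]`. The BLCR context line just above has the same shape.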
@@ -290,5 +303,14 @@ with lib;
(opt: mkRemovedOptionModule [ "services" "prometheus" "${opt}" ] ''
The prometheus exporters are now configured using `services.prometheus.exporters'.
See the 18.03 release notes for more information.
+ '' ))
+
+ ++ (forEach [ "enable" "substitutions" "preset" ]
+ (opt: mkRemovedOptionModule [ "fonts" "fontconfig" "ultimate" "${opt}" ] ''
+ The fonts.fontconfig.ultimate module and configuration is obsolete.
+ The repository has since been archived and activity has ceased.
+ https://github.com/bohoomil/fontconfig-ultimate/issues/171.
+ No action should be needed for font configuration, as the fonts.fontconfig
+ module is already used by default.
'' ));
}
diff --git a/nixpkgs/nixos/modules/security/acme.nix b/nixpkgs/nixos/modules/security/acme.nix
index b321c04e574..9563029f030 100644
--- a/nixpkgs/nixos/modules/security/acme.nix
+++ b/nixpkgs/nixos/modules/security/acme.nix
@@ -20,6 +20,16 @@ let
'';
};
+ server = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ ACME Directory Resource URI. Defaults to let's encrypt
+ production endpoint,
+ https://acme-v02.api.letsencrypt.org/directory, if unset.
+ '';
+ };
+
domain = mkOption {
type = types.str;
default = name;
@@ -69,9 +79,9 @@ let
plugins = mkOption {
type = types.listOf (types.enum [
"cert.der" "cert.pem" "chain.pem" "external.sh"
- "fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json"
+ "fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json" "account_reg.json"
]);
- default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
+ default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json" ];
description = ''
Plugins to enable. With default settings simp_le will
store public certificate bundle in <filename>fullchain.pem</filename>,
@@ -109,7 +119,15 @@ in
{
###### interface
-
+ imports = [
+ (mkRemovedOptionModule [ "security" "acme" "production" ] ''
+ Use security.acme.server to define your staging ACME server URL instead.
+
+ To use the let's encrypt staging server, use security.acme.server =
+ "https://acme-staging-v02.api.letsencrypt.org/directory".
+ ''
+ )
+ ];
options = {
security.acme = {
@@ -129,6 +147,16 @@ in
'';
};
+ server = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ ACME Directory Resource URI. Defaults to let's encrypt
+ production endpoint,
+ <literal>https://acme-v02.api.letsencrypt.org/directory</literal>, if unset.
+ '';
+ };
+
preliminarySelfsigned = mkOption {
type = types.bool;
default = true;
@@ -142,20 +170,6 @@ in
'';
};
- production = mkOption {
- type = types.bool;
- default = true;
- description = ''
- If set to true, use Let's Encrypt's production environment
- instead of the staging environment. The main benefit of the
- staging environment is to get much higher rate limits.
-
- See
- <literal>https://letsencrypt.org/docs/staging-environment</literal>
- for more detail.
- '';
- };
-
certs = mkOption {
default = { };
type = with types; attrsOf (submodule certOpts);
@@ -198,13 +212,24 @@ in
++ optionals (data.email != null) [ "--email" data.email ]
++ concatMap (p: [ "-f" p ]) data.plugins
++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains)
- ++ optionals (!cfg.production) ["--server" "https://acme-staging.api.letsencrypt.org/directory"];
+ ++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
acmeService = {
description = "Renew ACME Certificate for ${cert}";
after = [ "network.target" "network-online.target" ];
wants = [ "network-online.target" ];
+ # simp_le uses requests, which uses certifi under the hood,
+ # which doesn't respect the system trust store.
+ # At least in the acme test, we provision a fake CA, impersonating the LE endpoint.
+ # REQUESTS_CA_BUNDLE is a way to teach python requests to use something else
+ environment.REQUESTS_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt";
serviceConfig = {
Type = "oneshot";
+ # With RemainAfterExit the service is considered active even
+ # after the main process having exited, which means when it
+ # gets changed, the activation phase restarts it, meaning
+ # the permissions of the StateDirectory get adjusted
+ # according to the specified group
+ RemainAfterExit = true;
SuccessExitStatus = [ "0" "1" ];
User = data.user;
Group = data.group;
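Review bot: `RemainAfterExit = true` on this `Type = "oneshot"` unit keeps it in the active state after its first run, so a later plain start request for the same unit does nothing. If renewal is driven by a timer that starts this service (the timer is not in this hunk), certificates would stop being renewed until the unit is stopped or its definition changes. Consider adjusting the StateDirectory permissions some other way, or extend the comment to state that the renewal trigger must restart rather than start the unit. The `acmeService` definition continues past the end of this hunk.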
diff --git a/nixpkgs/nixos/modules/security/pam_mount.nix b/nixpkgs/nixos/modules/security/pam_mount.nix
index 8b131c54a2a..75f58462d13 100644
--- a/nixpkgs/nixos/modules/security/pam_mount.nix
+++ b/nixpkgs/nixos/modules/security/pam_mount.nix
@@ -50,9 +50,6 @@ in
<pam_mount>
<debug enable="0" />
- ${concatStrings (map userVolumeEntry (attrValues extraUserVolumes))}
- ${concatStringsSep "\n" cfg.extraVolumes}
-
<!-- if activated, requires ofl from hxtools to be present -->
<logout wait="0" hup="no" term="no" kill="no" />
<!-- set PATH variable for pam_mount module -->
@@ -64,6 +61,9 @@ in
<cryptmount>${pkgs.pam_mount}/bin/mount.crypt %(VOLUME) %(MNTPT)</cryptmount>
<cryptumount>${pkgs.pam_mount}/bin/umount.crypt %(MNTPT)</cryptumount>
<pmvarrun>${pkgs.pam_mount}/bin/pmvarrun -u %(USER) -o %(OPERATION)</pmvarrun>
+
+ ${concatStrings (map userVolumeEntry (attrValues extraUserVolumes))}
+ ${concatStringsSep "\n" cfg.extraVolumes}
</pam_mount>
'';
}];
diff --git a/nixpkgs/nixos/modules/services/admin/oxidized.nix b/nixpkgs/nixos/modules/services/admin/oxidized.nix
index 39112c3970d..da81be3f23e 100644
--- a/nixpkgs/nixos/modules/services/admin/oxidized.nix
+++ b/nixpkgs/nixos/modules/services/admin/oxidized.nix
@@ -89,6 +89,7 @@ in
group = cfg.group;
home = cfg.dataDir;
createHome = true;
+ isSystemUser = true;
};
systemd.services.oxidized = {
diff --git a/nixpkgs/nixos/modules/services/audio/jack.nix b/nixpkgs/nixos/modules/services/audio/jack.nix
index aa3351f401a..ceff366d0bb 100644
--- a/nixpkgs/nixos/modules/services/audio/jack.nix
+++ b/nixpkgs/nixos/modules/services/audio/jack.nix
@@ -223,6 +223,7 @@ in {
group = "jackaudio";
extraGroups = [ "audio" ];
description = "JACK Audio system service user";
+ isSystemUser = true;
};
# http://jackaudio.org/faq/linux_rt_config.html
security.pam.loginLimits = [
diff --git a/nixpkgs/nixos/modules/services/audio/mpd.nix b/nixpkgs/nixos/modules/services/audio/mpd.nix
index 0df8f9688d2..7932d094197 100644
--- a/nixpkgs/nixos/modules/services/audio/mpd.nix
+++ b/nixpkgs/nixos/modules/services/audio/mpd.nix
@@ -18,7 +18,6 @@ let
''}
state_file "${cfg.dataDir}/state"
sticker_file "${cfg.dataDir}/sticker.sql"
- log_file "syslog"
user "${cfg.user}"
group "${cfg.group}"
@@ -181,6 +180,7 @@ in {
ProtectKernelModules = true;
RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_NETLINK";
RestrictNamespaces = true;
+ Restart = "always";
};
};
diff --git a/nixpkgs/nixos/modules/services/audio/roon-server.nix b/nixpkgs/nixos/modules/services/audio/roon-server.nix
index 4eda3c5708d..6aed485638c 100644
--- a/nixpkgs/nixos/modules/services/audio/roon-server.nix
+++ b/nixpkgs/nixos/modules/services/audio/roon-server.nix
@@ -66,7 +66,8 @@ in {
if cfg.user == "roon-server" then {
isSystemUser = true;
description = "Roon Server user";
- groups = [ cfg.group "audio" ];
+ group = cfg.group;
+ extraGroups = [ "audio" ];
}
else {};
};
diff --git a/nixpkgs/nixos/modules/services/backup/automysqlbackup.nix b/nixpkgs/nixos/modules/services/backup/automysqlbackup.nix
index 1884f3536a9..e3a8d1f7993 100644
--- a/nixpkgs/nixos/modules/services/backup/automysqlbackup.nix
+++ b/nixpkgs/nixos/modules/services/backup/automysqlbackup.nix
@@ -99,7 +99,10 @@ in
environment.systemPackages = [ pkg ];
- users.users.${user}.group = group;
+ users.users.${user} = {
+ group = group;
+ isSystemUser = true;
+ };
users.groups.${group} = { };
systemd.tmpfiles.rules = [
diff --git a/nixpkgs/nixos/modules/services/backup/znapzend.nix b/nixpkgs/nixos/modules/services/backup/znapzend.nix
index f317078ddda..203631a577f 100644
--- a/nixpkgs/nixos/modules/services/backup/znapzend.nix
+++ b/nixpkgs/nixos/modules/services/backup/znapzend.nix
@@ -34,6 +34,8 @@ let
description = "string of the form number{b|k|M|G}";
};
+ enabledFeatures = concatLists (mapAttrsToList (name: enabled: optional enabled name) cfg.features);
+
# Type for a string that must contain certain other strings (the list parameter).
# Note that these would need regex escaping.
stringContainingStrings = list: let
@@ -354,6 +356,22 @@ in
'';
default = false;
};
+
+ features.recvu = mkEnableOption ''
+ recvu feature which uses <literal>-u</literal> on the receiving end to keep the destination
+ filesystem unmounted.
+ '';
+ features.compressed = mkEnableOption ''
+ compressed feature which adds the options <literal>-Lce</literal> to
+ the <command>zfs send</command> command. When this is enabled, make
+ sure that both the sending and receiving pool have the same relevant
+ features enabled. Using <literal>-c</literal> will skip unneccessary
+ decompress-compress stages, <literal>-L</literal> is for large block
+ support and -e is for embedded data support. see
+ <citerefentry><refentrytitle>znapzend</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ and <citerefentry><refentrytitle>zfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ for more info.
+ '';
};
};
@@ -381,12 +399,22 @@ in
'';
serviceConfig = {
+ # znapzendzetup --import apparently tries to connect to the backup
+ # host 3 times with a timeout of 30 seconds, leading to a startup
+ # delay of >90s when the host is down, which is just above the default
+ # service timeout of 90 seconds. Increase the timeout so it doesn't
+ # make the service fail in that case.
+ TimeoutStartSec = 180;
+ # Needs to have write access to ZFS
+ User = "root";
ExecStart = let
args = concatStringsSep " " [
"--logto=${cfg.logTo}"
"--loglevel=${cfg.logLevel}"
(optionalString cfg.noDestroy "--nodestroy")
(optionalString cfg.autoCreation "--autoCreation")
+ (optionalString (enabledFeatures != [])
+ "--features=${concatStringsSep "," enabledFeatures}")
]; in "${pkgs.znapzend}/bin/znapzend ${args}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "on-failure";
diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix
index 47e588de3c9..f12e866930d 100644
--- a/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix
+++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix
@@ -3,7 +3,7 @@
with lib;
let
- version = "1.5.0";
+ version = "1.6.4";
cfg = config.services.kubernetes.addons.dns;
ports = {
dns = 10053;
@@ -55,9 +55,9 @@ in {
type = types.attrs;
default = {
imageName = "coredns/coredns";
- imageDigest = "sha256:e83beb5e43f8513fa735e77ffc5859640baea30a882a11cc75c4c3244a737d3c";
+ imageDigest = "sha256:493ee88e1a92abebac67cbd4b5658b4730e0f33512461442d8d9214ea6734a9b";
finalImageTag = version;
- sha256 = "15sbmhrxjxidj0j0cccn1qxpg6al175w43m6ngspl0mc132zqc9q";
+ sha256 = "0fm9zdjavpf5hni8g7fkdd3csjbhd7n7py7llxjc66sbii087028";
};
};
};
@@ -68,7 +68,7 @@ in {
services.kubernetes.addonManager.bootstrapAddons = {
coredns-cr = {
- apiVersion = "rbac.authorization.k8s.io/v1beta1";
+ apiVersion = "rbac.authorization.k8s.io/v1";
kind = "ClusterRole";
metadata = {
labels = {
@@ -94,7 +94,7 @@ in {
};
coredns-crb = {
- apiVersion = "rbac.authorization.k8s.io/v1beta1";
+ apiVersion = "rbac.authorization.k8s.io/v1";
kind = "ClusterRoleBinding";
metadata = {
annotations = {
@@ -170,7 +170,7 @@ in {
};
coredns-deploy = {
- apiVersion = "extensions/v1beta1";
+ apiVersion = "apps/v1";
kind = "Deployment";
metadata = {
labels = {
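Review bot: Moving `coredns-deploy` to `apps/v1` changes validation, because that API version requires `spec.selector` on a Deployment whereas `extensions/v1beta1` defaulted it from the pod template labels. The spec is outside this hunk, so please confirm it carries a `selector.matchLabels` that matches the template labels. Without it the object would be rejected on apply and the cluster would come up without DNS.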
diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix
index d799e638fc9..548ffed1ddb 100644
--- a/nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix
+++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix
@@ -40,6 +40,7 @@ in
cni.config = mkDefault [{
name = "mynet";
type = "flannel";
+ cniVersion = "0.3.1";
delegate = {
isDefaultGateway = true;
bridge = "docker0";
diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix
index 250da4c807e..62d893dfefc 100644
--- a/nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix
+++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix
@@ -92,7 +92,7 @@ in
default = [];
example = literalExample ''
[{
- "cniVersion": "0.2.0",
+ "cniVersion": "0.3.1",
"name": "mynet",
"type": "bridge",
"bridge": "cni0",
@@ -106,7 +106,7 @@ in
]
}
} {
- "cniVersion": "0.2.0",
+ "cniVersion": "0.3.1",
"type": "loopback"
}]
'';
diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix
index bd4bf04ea83..3943c908840 100644
--- a/nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix
+++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix
@@ -31,6 +31,12 @@ in
type = listOf str;
};
+ hostname = mkOption {
+ description = "Kubernetes proxy hostname override.";
+ default = config.networking.hostName;
+ type = str;
+ };
+
kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes proxy";
verbosity = mkOption {
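Review bot: The new `hostname` option uses `default = config.networking.hostName` without a `defaultText`, so the generated option documentation renders an evaluated host name instead of the expression. Add `defaultText = "config.networking.hostName";`. The later hunk's `services.kubernetes.proxy.hostname = with config.networking; mkDefault hostName;` then assigns the same value a second time and can be dropped.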
@@ -59,6 +65,7 @@ in
"--cluster-cidr=${top.clusterCidr}"} \
${optionalString (cfg.featureGates != [])
"--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \
+ --hostname-override=${cfg.hostname} \
--kubeconfig=${top.lib.mkKubeConfig "kube-proxy" cfg.kubeconfig} \
${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \
${cfg.extraOpts}
@@ -69,6 +76,8 @@ in
};
};
+ services.kubernetes.proxy.hostname = with config.networking; mkDefault hostName;
+
services.kubernetes.pki.certs = {
kubeProxyClient = top.lib.mkCert {
name = "kube-proxy-client";
diff --git a/nixpkgs/nixos/modules/services/computing/slurm/slurm.nix b/nixpkgs/nixos/modules/services/computing/slurm/slurm.nix
index d1a1383e45b..c70d999ca96 100644
--- a/nixpkgs/nixos/modules/services/computing/slurm/slurm.nix
+++ b/nixpkgs/nixos/modules/services/computing/slurm/slurm.nix
@@ -18,7 +18,7 @@ let
${optionalString (cfg.controlAddr != null) ''controlAddr=${cfg.controlAddr}''}
${toString (map (x: "NodeName=${x}\n") cfg.nodeName)}
${toString (map (x: "PartitionName=${x}\n") cfg.partitionName)}
- PlugStackConfig=${plugStackConfig}
+ PlugStackConfig=${plugStackConfig}/plugstack.conf
ProctrackType=${cfg.procTrackType}
${cfg.extraConfig}
'';
@@ -39,6 +39,8 @@ let
DbdHost=${cfg.dbdserver.dbdHost}
SlurmUser=${cfg.user}
StorageType=accounting_storage/mysql
+ StorageUser=${cfg.dbdserver.storageUser}
+ ${optionalString (cfg.dbdserver.storagePass != null) "StoragePass=${cfg.dbdserver.storagePass}"}
${cfg.dbdserver.extraConfig}
'';
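Review bot: `StoragePass=${cfg.dbdserver.storagePass}` is written into the generated slurmdbd configuration, which lives in the Nix store and is therefore readable by every local user. The `storagePass` description added in the option hunk below warns about this but is garbled; suggested wording: `Database password. Note that this password will be publicly readable in the Nix store. Use <option>configFile</option> to keep the config file and the password outside the Nix store.` It would also help to emit a warning when `storagePass` is non-null, so the exposure is visible at evaluation time.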
@@ -48,7 +50,6 @@ let
name = "etc-slurm";
paths = [ configFile cgroupConfig plugStackConfig ] ++ cfg.extraConfigPaths;
};
-
in
{
@@ -86,6 +87,37 @@ in
'';
};
+ storageUser = mkOption {
+ type = types.str;
+ default = cfg.user;
+ description = ''
+ Database user name.
+ '';
+ };
+
+ storagePass = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ Database password. Note that this password will be publicable
+ readable in the nix store. Use <option>configFile</option>
+ to store the and config file and password outside the nix store.
+ '';
+ };
+
+ configFile = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ Path to <literal>slurmdbd.conf</literal>. The password for the database connection
+ is stored in the config file. Use this option to specfify a path
+ outside the nix store. If this option is unset a configuration file
+ will be generated. See also:
+ <citerefentry><refentrytitle>slurmdbd.conf</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>.
+ '';
+ };
+
extraConfig = mkOption {
type = types.lines;
default = "";
@@ -112,7 +144,7 @@ in
package = mkOption {
type = types.package;
- default = pkgs.slurm;
+ default = pkgs.slurm.override { enableX11 = ! cfg.enableSrunX11; };
defaultText = "pkgs.slurm";
example = literalExample "pkgs.slurm-full";
description = ''
@@ -178,9 +210,14 @@ in
If enabled srun will accept the option "--x11" to allow for X11 forwarding
from within an interactive session or a batch job. This activates the
slurm-spank-x11 module. Note that this option also enables
- 'services.openssh.forwardX11' on the client.
+ <option>services.openssh.forwardX11</option> on the client.
This option requires slurm to be compiled without native X11 support.
+ The default behavior is to re-compile the slurm package with native X11
+ support disabled if this option is set to true.
+
+ To use the native X11 support add <literal>PrologFlags=X11</literal> in <option>extraConfig</option>.
+ Note that this method will only work RSA SSH host keys.
'';
};
@@ -356,7 +393,11 @@ in
requires = [ "munged.service" "mysql.service" ];
# slurm strips the last component off the path
- environment.SLURM_CONF = "${slurmdbdConf}/slurm.conf";
+ environment.SLURM_CONF =
+ if (cfg.dbdserver.configFile == null) then
+ "${slurmdbdConf}/slurm.conf"
+ else
+ cfg.dbdserver.configFile;
serviceConfig = {
Type = "forking";
diff --git a/nixpkgs/nixos/modules/services/continuous-integration/buildkite-agent.nix b/nixpkgs/nixos/modules/services/continuous-integration/buildkite-agent.nix
index 12cc3d2b1cc..32f361454bc 100644
--- a/nixpkgs/nixos/modules/services/continuous-integration/buildkite-agent.nix
+++ b/nixpkgs/nixos/modules/services/continuous-integration/buildkite-agent.nix
@@ -191,6 +191,7 @@ in
createHome = true;
description = "Buildkite agent user";
extraGroups = [ "keys" ];
+ isSystemUser = true;
};
environment.systemPackages = [ cfg.package ];
diff --git a/nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix b/nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix
index 2da10a9a5e2..30c5550f71c 100644
--- a/nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix
+++ b/nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix
@@ -242,8 +242,8 @@ in
environment.variables = hydraEnv;
nix.extraOptions = ''
- gc-keep-outputs = true
- gc-keep-derivations = true
+ keep-outputs = true
+ keep-derivations = true
# The default (`true') slows Nix down a lot since the build farm
# has so many GC roots.
diff --git a/nixpkgs/nixos/modules/services/databases/mysql.nix b/nixpkgs/nixos/modules/services/databases/mysql.nix
index 39192d05948..5549cfa5cf4 100644
--- a/nixpkgs/nixos/modules/services/databases/mysql.nix
+++ b/nixpkgs/nixos/modules/services/databases/mysql.nix
@@ -8,15 +8,11 @@ let
mysql = cfg.package;
- isMariaDB =
- let
- pName = _p: (builtins.parseDrvName (_p.name)).name;
- in pName mysql == pName pkgs.mariadb;
+ isMariaDB = lib.getName mysql == lib.getName pkgs.mariadb;
+
isMysqlAtLeast57 =
- let
- pName = _p: (builtins.parseDrvName (_p.name)).name;
- in (pName mysql == pName pkgs.mysql57)
- && ((builtins.compareVersions mysql.version "5.7") >= 0);
+ (lib.getName mysql == lib.getName pkgs.mysql57)
+ && (builtins.compareVersions mysql.version "5.7" >= 0);
mysqldOptions =
"--user=${cfg.user} --datadir=${cfg.dataDir} --basedir=${mysql}";
diff --git a/nixpkgs/nixos/modules/services/databases/redis.nix b/nixpkgs/nixos/modules/services/databases/redis.nix
index 9c389d80a6d..95128a641d9 100644
--- a/nixpkgs/nixos/modules/services/databases/redis.nix
+++ b/nixpkgs/nixos/modules/services/databases/redis.nix
@@ -185,27 +185,22 @@ in
###### implementation
config = mkIf config.services.redis.enable {
-
- boot.kernel.sysctl = mkIf cfg.vmOverCommit {
- "vm.overcommit_memory" = "1";
- };
+ boot.kernel.sysctl = (mkMerge [
+ { "vm.nr_hugepages" = "0"; }
+ ( mkIf cfg.vmOverCommit { "vm.overcommit_memory" = "1"; } )
+ ]);
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [ cfg.port ];
};
- users.users.redis.description = "Redis database user";
+ users.users.redis = {
+ description = "Redis database user";
+ isSystemUser = true;
+ };
environment.systemPackages = [ cfg.package ];
- systemd.services.disable-transparent-huge-pages = {
- description = "Disable Transparent Huge Pages (required by Redis)";
- before = [ "redis.service" ];
- wantedBy = [ "redis.service" ];
- script = "echo never > /sys/kernel/mm/transparent_hugepage/enabled";
- serviceConfig.Type = "oneshot";
- };
-
systemd.services.redis =
{ description = "Redis Server";
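Review bot: The replacement for the removed `disable-transparent-huge-pages` unit sets `vm.nr_hugepages`, which sizes the explicit hugetlb pool and is a different knob from `/sys/kernel/mm/transparent_hugepage/enabled`. As written, Transparent Huge Pages are no longer switched off for Redis, and every host that enables Redis forces the hugetlb pool to zero, which will collide with any other configuration that reserves huge pages. If the goal is only to stop writing to sysfs from a unit, keep the THP handling explicit and make the sysctl overridable, e.g. `{ "vm.nr_hugepages" = mkDefault "0"; }`.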
diff --git a/nixpkgs/nixos/modules/services/databases/rethinkdb.nix b/nixpkgs/nixos/modules/services/databases/rethinkdb.nix
index 4828e594b32..f18fbaf5b06 100644
--- a/nixpkgs/nixos/modules/services/databases/rethinkdb.nix
+++ b/nixpkgs/nixos/modules/services/databases/rethinkdb.nix
@@ -99,6 +99,7 @@ in
users.users.rethinkdb = mkIf (cfg.user == "rethinkdb")
{ name = "rethinkdb";
description = "RethinkDB server user";
+ isSystemUser = true;
};
users.groups = optionalAttrs (cfg.group == "rethinkdb") (singleton
diff --git a/nixpkgs/nixos/modules/services/desktops/geoclue2.nix b/nixpkgs/nixos/modules/services/desktops/geoclue2.nix
index 6007dddf50c..542b2ead410 100644
--- a/nixpkgs/nixos/modules/services/desktops/geoclue2.nix
+++ b/nixpkgs/nixos/modules/services/desktops/geoclue2.nix
@@ -188,34 +188,41 @@ in
systemd.packages = [ package ];
- users.users.geoclue = {
- isSystemUser = true;
- home = "/var/lib/geoclue";
- group = "geoclue";
- description = "Geoinformation service";
- };
-
- users.groups.geoclue = {};
+ # we cannot use DynamicUser as we need the the geoclue user to exist for the dbus policy to work
+ users = {
+ users.geoclue = {
+ isSystemUser = true;
+ home = "/var/lib/geoclue";
+ group = "geoclue";
+ description = "Geoinformation service";
+ };
- systemd.tmpfiles.rules = [
- "d /var/lib/geoclue 0755 geoclue geoclue"
- ];
+ groups.geoclue = {};
+ };
- # restart geoclue service when the configuration changes
- systemd.services.geoclue.restartTriggers = [
- config.environment.etc."geoclue/geoclue.conf".source
- ];
+ systemd.services.geoclue = {
+ # restart geoclue service when the configuration changes
+ restartTriggers = [
+ config.environment.etc."geoclue/geoclue.conf".source
+ ];
+ serviceConfig.StateDirectory = "geoclue";
+ };
# this needs to run as a user service, since it's associated with the
# user who is making the requests
systemd.user.services = mkIf cfg.enableDemoAgent {
geoclue-agent = {
description = "Geoclue agent";
- script = "${package}/libexec/geoclue-2.0/demos/agent";
# this should really be `partOf = [ "geoclue.service" ]`, but
# we can't be part of a system service, and the agent should
# be okay with the main service coming and going
wantedBy = [ "default.target" ];
+ serviceConfig = {
+ Type = "exec";
+ ExecStart = "${package}/libexec/geoclue-2.0/demos/agent";
+ Restart = "on-failure";
+ PrivateTmp = true;
+ };
};
};
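Review bot: `PrivateTmp = true` for `geoclue-agent` is set on a unit under `systemd.user.services`, where the per-user manager can apply mount-namespace sandboxing only if unprivileged user namespaces are available; otherwise the directive may not take effect. The new `lorri` user service in `services/development/lorri.nix` uses `PrivateTmp`, `ProtectSystem = "strict"` and `ProtectHome = "read-only"` in the same way. Add a comment such as `# sandboxing in user units is best effort; do not rely on it as the only protection`, and verify on a target system that the directives are actually applied.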
@@ -256,4 +263,6 @@ in
};
} // mapAttrs' appConfigToINICompatible cfg.appConfig);
};
+
+ meta.maintainers = with lib.maintainers; [ worldofpeace ];
}
diff --git a/nixpkgs/nixos/modules/services/desktops/neard.nix b/nixpkgs/nixos/modules/services/desktops/neard.nix
new file mode 100644
index 00000000000..9b0f8d1b3a7
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/desktops/neard.nix
@@ -0,0 +1,23 @@
+# neard service.
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+ ###### interface
+ options = {
+ services.neard = {
+ enable = mkEnableOption "neard, NFC daemon";
+ };
+ };
+
+
+ ###### implementation
+ config = mkIf config.services.neard.enable {
+ environment.systemPackages = [ pkgs.neard ];
+
+ services.dbus.packages = [ pkgs.neard ];
+
+ systemd.packages = [ pkgs.neard ];
+ };
+}
diff --git a/nixpkgs/nixos/modules/services/desktops/system-config-printer.nix b/nixpkgs/nixos/modules/services/desktops/system-config-printer.nix
index 8a80be266b2..09c68c587b4 100644
--- a/nixpkgs/nixos/modules/services/desktops/system-config-printer.nix
+++ b/nixpkgs/nixos/modules/services/desktops/system-config-printer.nix
@@ -33,6 +33,9 @@ with lib;
pkgs.system-config-printer
];
+ # for $out/bin/install-printer-driver
+ services.packagekit.enable = true;
+
};
}
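Review bot: `services.packagekit.enable = true;` is set at normal priority, so enabling the printer configuration tool always brings up the PackageKit system D-Bus service and a user who does not want it has to resort to `mkForce`. Use `services.packagekit.enable = mkDefault true;` so the additional service can be switched off. The comment could also say that only `install-printer-driver` depends on it.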
diff --git a/nixpkgs/nixos/modules/services/desktops/tumbler.nix b/nixpkgs/nixos/modules/services/desktops/tumbler.nix
index d18088d4634..a833e99ff8c 100644
--- a/nixpkgs/nixos/modules/services/desktops/tumbler.nix
+++ b/nixpkgs/nixos/modules/services/desktops/tumbler.nix
@@ -7,12 +7,17 @@ with lib;
let
cfg = config.services.tumbler;
- tumbler = cfg.package;
in
{
+ imports = [
+ (mkRemovedOptionModule
+ [ "services" "tumbler" "package" ]
+ "")
+ ];
+
###### interface
options = {
@@ -21,13 +26,6 @@ in
enable = mkEnableOption "Tumbler, A D-Bus thumbnailer service";
- package = mkOption {
- type = types.package;
- default = pkgs.xfce4-14.tumbler;
- description = "Which tumbler package to use";
- example = pkgs.xfce4-12.tumbler;
- };
-
};
};
@@ -37,11 +35,11 @@ in
config = mkIf cfg.enable {
- environment.systemPackages = [
+ environment.systemPackages = with pkgs.xfce; [
tumbler
];
- services.dbus.packages = [
+ services.dbus.packages = with pkgs.xfce; [
tumbler
];
diff --git a/nixpkgs/nixos/modules/services/development/lorri.nix b/nixpkgs/nixos/modules/services/development/lorri.nix
new file mode 100644
index 00000000000..68264ee869d
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/development/lorri.nix
@@ -0,0 +1,47 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.services.lorri;
+ socketPath = "lorri/daemon.socket";
+in {
+ options = {
+ services.lorri = {
+ enable = lib.mkOption {
+ default = false;
+ type = lib.types.bool;
+ description = ''
+ Enables the daemon for `lorri`, a nix-shell replacement for project
+ development. The socket-activated daemon starts on the first request
+ issued by the `lorri` command.
+ '';
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.user.sockets.lorri = {
+ description = "Socket for Lorri Daemon";
+ wantedBy = [ "sockets.target" ];
+ socketConfig = {
+ ListenStream = "%t/${socketPath}";
+ RuntimeDirectory = "lorri";
+ };
+ };
+
+ systemd.user.services.lorri = {
+ description = "Lorri Daemon";
+ requires = [ "lorri.socket" ];
+ after = [ "lorri.socket" ];
+ path = with pkgs; [ config.nix.package gnutar gzip ];
+ serviceConfig = {
+ ExecStart = "${pkgs.lorri}/bin/lorri daemon";
+ PrivateTmp = true;
+ ProtectSystem = "strict";
+ ProtectHome = "read-only";
+ Restart = "on-failure";
+ };
+ };
+
+ environment.systemPackages = [ pkgs.lorri ];
+ };
+}
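Review bot: The hardening lines in `systemd.user.services.lorri.serviceConfig` (`PrivateTmp`, `ProtectSystem = "strict"`, `ProtectHome = "read-only"`) are set on a per-user unit, and a user service manager may lack the privileges to build the mount namespace they rely on. Depending on the systemd version they may be skipped without an error, so the unit can look sandboxed while running unconfined. It is worth confirming on a running system that they take effect and recording the result next to them, e.g. `# NOTE: sandboxing in a user unit may be skipped silently; verified on systemd <version>`. Separately, `enable` is spelled out with `lib.mkOption` where `lib.mkEnableOption` would match the other modules in this diff.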
diff --git a/nixpkgs/nixos/modules/services/editors/infinoted.nix b/nixpkgs/nixos/modules/services/editors/infinoted.nix
index 9cc8d421270..be366761694 100644
--- a/nixpkgs/nixos/modules/services/editors/infinoted.nix
+++ b/nixpkgs/nixos/modules/services/editors/infinoted.nix
@@ -115,6 +115,7 @@ in {
{ name = "infinoted";
description = "Infinoted user";
group = cfg.group;
+ isSystemUser = true;
};
users.groups = optional (cfg.group == "infinoted")
{ name = "infinoted";
diff --git a/nixpkgs/nixos/modules/services/games/openarena.nix b/nixpkgs/nixos/modules/services/games/openarena.nix
new file mode 100644
index 00000000000..8c014d78809
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/games/openarena.nix
@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.openarena;
+in
+{
+ options = {
+ services.openarena = {
+ enable = mkEnableOption "OpenArena";
+
+ openPorts = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Whether to open firewall ports for OpenArena";
+ };
+
+ extraFlags = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ description = ''Extra flags to pass to <command>oa_ded</command>'';
+ example = [
+ "+set dedicated 2"
+ "+set sv_hostname 'My NixOS OpenArena Server'"
+ # Load a map. Mandatory for clients to be able to connect.
+ "+map oa_dm1"
+ ];
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ networking.firewall = mkIf cfg.openPorts {
+ allowedUDPPorts = [ 27960 ];
+ };
+
+ systemd.services.openarena = {
+ description = "OpenArena";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ serviceConfig = {
+ DynamicUser = true;
+ StateDirectory = "openarena";
+ ExecStart = "${pkgs.openarena}/bin/oa_ded +set fs_basepath ${pkgs.openarena}/openarena-0.8.8 +set fs_homepath /var/lib/openarena ${concatStringsSep " " cfg.extraFlags}";
+ Restart = "on-failure";
+
+ # Hardening
+ CapabilityBoundingSet = "";
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ };
+ };
+ };
+}
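Review bot: `ExecStart` hard-codes the directory `openarena-0.8.8` in `+set fs_basepath`, so the unit will point at a missing path as soon as `pkgs.openarena` moves to another version. Deriving the directory name from the package (its version attribute, if it exposes one) or having the package export the path would keep module and package in step. Also, `cfg.extraFlags` is joined with spaces and handed to systemd as-is, so systemd's own quoting and `%`/`$` expansion apply to the flags; the option description should say so, e.g. `Flags are parsed by systemd; escape % as %% and $ as $$.`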
diff --git a/nixpkgs/nixos/modules/services/hardware/bluetooth.nix b/nixpkgs/nixos/modules/services/hardware/bluetooth.nix
index c5f9d1f9b72..7b13beea1ca 100644
--- a/nixpkgs/nixos/modules/services/hardware/bluetooth.nix
+++ b/nixpkgs/nixos/modules/services/hardware/bluetooth.nix
@@ -36,17 +36,25 @@ in {
'';
};
+ config = mkOption {
+ type = with types; attrsOf (attrsOf (oneOf [ bool int str ]));
+ example = {
+ General = {
+ ControllerMode = "bredr";
+ };
+ };
+ description = "Set configuration for system-wide bluetooth (/etc/bluetooth/main.conf).";
+ };
+
extraConfig = mkOption {
- type = types.lines;
- default = "";
+ type = with types; nullOr lines;
+ default = null;
example = ''
[General]
ControllerMode = bredr
'';
description = ''
Set additional configuration for system-wide bluetooth (/etc/bluetooth/main.conf).
-
- NOTE: We already include [Policy], so any configuration under the Policy group should come first.
'';
};
};
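Review bot: The new `config` option is declared without a `default`, so anything that reads `hardware.bluetooth.config` while Bluetooth is disabled would hit an "option used but not defined" error, because the only definition visible in this diff is under `mkIf cfg.enable`. Adding `default = {};` avoids that and documents the empty starting point. The description could also mention that `Policy.AutoEnable` is set from `powerOnBoot` by the module.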
@@ -56,16 +64,18 @@ in {
###### implementation
config = mkIf cfg.enable {
+ warnings = optional (cfg.extraConfig != null) "hardware.bluetooth.`extraConfig` is deprecated, please use hardware.bluetooth.`config`.";
+
+ hardware.bluetooth.config = {
+ Policy = {
+ AutoEnable = mkDefault cfg.powerOnBoot;
+ };
+ };
environment.systemPackages = [ bluez-bluetooth pkgs.openobex pkgs.obexftp ];
environment.etc = singleton {
- source = pkgs.writeText "main.conf" ''
- [Policy]
- AutoEnable=${lib.boolToString cfg.powerOnBoot}
-
- ${cfg.extraConfig}
- '';
+ source = pkgs.writeText "main.conf" (generators.toINI { } cfg.config + optionalString (cfg.extraConfig != null) cfg.extraConfig);
target = "bluetooth/main.conf";
};
diff --git a/nixpkgs/nixos/modules/services/hardware/fancontrol.nix b/nixpkgs/nixos/modules/services/hardware/fancontrol.nix
index 616e4add31e..bb4541a784d 100644
--- a/nixpkgs/nixos/modules/services/hardware/fancontrol.nix
+++ b/nixpkgs/nixos/modules/services/hardware/fancontrol.nix
@@ -4,42 +4,41 @@ with lib;
let
cfg = config.hardware.fancontrol;
- configFile = pkgs.writeText "fan.conf" cfg.config;
-
-in {
+ configFile = pkgs.writeText "fancontrol.conf" cfg.config;
+in{
options.hardware.fancontrol = {
- enable = mkEnableOption "fancontrol (requires fancontrol.config)";
+ enable = mkEnableOption "software fan control (requires fancontrol.config)";
config = mkOption {
- type = types.lines;
default = null;
+ type = types.lines;
+ description = "Fancontrol configuration file content. See <citerefentry><refentrytitle>pwmconfig</refentrytitle><manvolnum>8</manvolnum></citerefentry> from the lm_sensors package.";
example = ''
# Configuration file generated by pwmconfig
- INTERVAL=1
- DEVPATH=hwmon0=devices/platform/nct6775.656 hwmon1=devices/pci0000:00/0000:00:18.3
- DEVNAME=hwmon0=nct6779 hwmon1=k10temp
- FCTEMPS=hwmon0/pwm2=hwmon1/temp1_input
- FCFANS=hwmon0/pwm2=hwmon0/fan2_input
- MINTEMP=hwmon0/pwm2=25
- MAXTEMP=hwmon0/pwm2=60
- MINSTART=hwmon0/pwm2=25
- MINSTOP=hwmon0/pwm2=10
- MINPWM=hwmon0/pwm2=0
- MAXPWM=hwmon0/pwm2=255
+ INTERVAL=10
+ DEVPATH=hwmon3=devices/virtual/thermal/thermal_zone2 hwmon4=devices/platform/f71882fg.656
+ DEVNAME=hwmon3=soc_dts1 hwmon4=f71869a
+ FCTEMPS=hwmon4/device/pwm1=hwmon3/temp1_input
+ FCFANS= hwmon4/device/pwm1=hwmon4/device/fan1_input
+ MINTEMP=hwmon4/device/pwm1=35
+ MAXTEMP=hwmon4/device/pwm1=65
+ MINSTART=hwmon4/device/pwm1=150
+ MINSTOP=hwmon4/device/pwm1=0
'';
- description = "Contents for configuration file. See <citerefentry><refentrytitle>pwmconfig</refentrytitle><manvolnum>8</manvolnum></citerefentry>.";
};
};
-
config = mkIf cfg.enable {
systemd.services.fancontrol = {
- description = "Fan speed control from lm_sensors";
+ unitConfig.Documentation = "man:fancontrol(8)";
+ description = "software fan control";
wantedBy = [ "multi-user.target" ];
+ after = [ "lm_sensors.service" ];
+
serviceConfig = {
Type = "simple";
- ExecStart = "${pkgs.lm_sensors}/bin/fancontrol ${configFile}";
+ ExecStart = "${pkgs.lm_sensors}/sbin/fancontrol ${configFile}";
};
};
};
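Review bot: `config` keeps `default = null;` next to `type = types.lines;`, and `null` is not a value of that type, so enabling the service without setting `config` ends in a type error rather than a clear "option is used but not defined" message. Dropping the `default` line gives the better error and matches the "requires fancontrol.config" wording in `enable`. Minor style: `in{` lost its space and would read better as `in {`.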
diff --git a/nixpkgs/nixos/modules/services/hardware/fwupd.nix b/nixpkgs/nixos/modules/services/hardware/fwupd.nix
index 6c341bcbf24..51877970a8b 100644
--- a/nixpkgs/nixos/modules/services/hardware/fwupd.nix
+++ b/nixpkgs/nixos/modules/services/hardware/fwupd.nix
@@ -74,7 +74,7 @@ in {
default = false;
description = ''
Whether to enable test remote. This is used by
- <link xlink:href="https://github.com/hughsie/fwupd/blob/master/data/installed-tests/README.md">installed tests</link>.
+ <link xlink:href="https://github.com/fwupd/fwupd/blob/master/data/installed-tests/README.md">installed tests</link>.
'';
};
@@ -115,10 +115,6 @@ in {
services.udev.packages = [ cfg.package ];
systemd.packages = [ cfg.package ];
-
- systemd.tmpfiles.rules = [
- "d /var/lib/fwupd 0755 root root -"
- ];
};
meta = {
diff --git a/nixpkgs/nixos/modules/services/hardware/tlp.nix b/nixpkgs/nixos/modules/services/hardware/tlp.nix
index 4f8af797828..adc1881a525 100644
--- a/nixpkgs/nixos/modules/services/hardware/tlp.nix
+++ b/nixpkgs/nixos/modules/services/hardware/tlp.nix
@@ -37,7 +37,7 @@ in
enable = mkOption {
type = types.bool;
default = false;
- description = "Whether to enable the TLP daemon.";
+ description = "Whether to enable the TLP power management daemon.";
};
extraConfig = mkOption {
diff --git a/nixpkgs/nixos/modules/services/hardware/trezord.nix b/nixpkgs/nixos/modules/services/hardware/trezord.nix
index 62824ed7350..c517e9fbb2b 100644
--- a/nixpkgs/nixos/modules/services/hardware/trezord.nix
+++ b/nixpkgs/nixos/modules/services/hardware/trezord.nix
@@ -44,20 +44,7 @@ in {
### implementation
config = mkIf cfg.enable {
- services.udev.packages = lib.singleton (pkgs.writeTextFile {
- name = "trezord-udev-rules";
- destination = "/etc/udev/rules.d/51-trezor.rules";
- text = ''
- # TREZOR v1 (One)
- SUBSYSTEM=="usb", ATTR{idVendor}=="534c", ATTR{idProduct}=="0001", MODE="0660", GROUP="trezord", TAG+="uaccess", SYMLINK+="trezor%n"
- KERNEL=="hidraw*", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", MODE="0660", GROUP="trezord", TAG+="uaccess"
-
- # TREZOR v2 (T)
- SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c0", MODE="0660", GROUP="trezord", TAG+="uaccess", SYMLINK+="trezor%n"
- SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c1", MODE="0660", GROUP="trezord", TAG+="uaccess", SYMLINK+="trezor%n"
- KERNEL=="hidraw*", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="53c1", MODE="0660", GROUP="trezord", TAG+="uaccess"
- '';
- });
+ services.udev.packages = [ pkgs.trezor-udev-rules ];
systemd.services.trezord = {
description = "TREZOR Bridge";
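Review bot: Device permissions now come from `pkgs.trezor-udev-rules`, whose rules are not visible in this diff, while the removed inline rules set `MODE="0660"` and `GROUP="trezord"` explicitly. Because the service still runs as the `trezord` user defined below, it is worth confirming that the packaged rules grant that group access and do not use a wider mode than before. A comment such as `# rules must keep GROUP="trezord" so the bridge user can open the device` would record the dependency. The `config` block continues past this hunk.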
@@ -74,6 +61,7 @@ in {
users.users.trezord = {
group = "trezord";
description = "Trezor bridge daemon user";
+ isSystemUser = true;
};
users.groups.trezord = {};
diff --git a/nixpkgs/nixos/modules/services/hardware/udisks2.nix b/nixpkgs/nixos/modules/services/hardware/udisks2.nix
index ed8703be921..e898f326058 100644
--- a/nixpkgs/nixos/modules/services/hardware/udisks2.nix
+++ b/nixpkgs/nixos/modules/services/hardware/udisks2.nix
@@ -34,10 +34,7 @@ with lib;
services.dbus.packages = [ pkgs.udisks2 ];
- system.activationScripts.udisks2 =
- ''
- mkdir -m 0755 -p /var/lib/udisks2
- '';
+ systemd.tmpfiles.rules = [ "d /var/lib/udisks2 0755 root root -" ];
services.udev.packages = [ pkgs.udisks2 ];
diff --git a/nixpkgs/nixos/modules/services/hardware/usbmuxd.nix b/nixpkgs/nixos/modules/services/hardware/usbmuxd.nix
index 93ced0b9f04..39bbcaf4627 100644
--- a/nixpkgs/nixos/modules/services/hardware/usbmuxd.nix
+++ b/nixpkgs/nixos/modules/services/hardware/usbmuxd.nix
@@ -47,6 +47,7 @@ in
name = cfg.user;
description = "usbmuxd user";
group = cfg.group;
+ isSystemUser = true;
};
users.groups = optional (cfg.group == defaultUserGroup) {
diff --git a/nixpkgs/nixos/modules/services/hardware/vdr.nix b/nixpkgs/nixos/modules/services/hardware/vdr.nix
index 6e246f70f51..8a6cde51b06 100644
--- a/nixpkgs/nixos/modules/services/hardware/vdr.nix
+++ b/nixpkgs/nixos/modules/services/hardware/vdr.nix
@@ -66,6 +66,7 @@ in {
users.users.vdr = {
group = "vdr";
home = libDir;
+ isSystemUser = true;
};
users.groups.vdr = {};
diff --git a/nixpkgs/nixos/modules/services/mail/mailcatcher.nix b/nixpkgs/nixos/modules/services/mail/mailcatcher.nix
index f5b4508b335..84f06ed199d 100644
--- a/nixpkgs/nixos/modules/services/mail/mailcatcher.nix
+++ b/nixpkgs/nixos/modules/services/mail/mailcatcher.nix
@@ -25,6 +25,13 @@ in
description = "The port address of the http server.";
};
+ http.path = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ description = "Prefix to all HTTP paths.";
+ example = "/mailcatcher";
+ };
+
smtp.ip = mkOption {
type = types.str;
default = "127.0.0.1";
@@ -53,7 +60,7 @@ in
serviceConfig = {
DynamicUser = true;
Restart = "always";
- ExecStart = "${pkgs.mailcatcher}/bin/mailcatcher --foreground --no-quit --http-ip ${cfg.http.ip} --http-port ${toString cfg.http.port} --smtp-ip ${cfg.smtp.ip} --smtp-port ${toString cfg.smtp.port}";
+ ExecStart = "${pkgs.mailcatcher}/bin/mailcatcher --foreground --no-quit --http-ip ${cfg.http.ip} --http-port ${toString cfg.http.port} --smtp-ip ${cfg.smtp.ip} --smtp-port ${toString cfg.smtp.port}" + optionalString (cfg.http.path != null) " --http-path ${cfg.http.path}";
AmbientCapabilities = optionalString (cfg.http.port < 1024 || cfg.smtp.port < 1024) "cap_net_bind_service";
};
};
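Review bot: `cfg.http.path` is interpolated into `ExecStart` without quoting, so a value that contains whitespace or quote characters would be split or re-interpreted by systemd and reach mailcatcher as extra arguments. Quoting it, as the osquery module elsewhere in this diff did for its paths, avoids that: `optionalString (cfg.http.path != null) " --http-path ${escapeShellArg cfg.http.path}"`. This assumes `escapeShellArg` is in scope through the file's `with lib;`, which is outside the hunk.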
diff --git a/nixpkgs/nixos/modules/services/mail/mailhog.nix b/nixpkgs/nixos/modules/services/mail/mailhog.nix
index b78f4c8e0e6..0f998c6d0ea 100644
--- a/nixpkgs/nixos/modules/services/mail/mailhog.nix
+++ b/nixpkgs/nixos/modules/services/mail/mailhog.nix
@@ -27,6 +27,7 @@ in {
users.users.mailhog = {
name = cfg.user;
description = "MailHog service user";
+ isSystemUser = true;
};
systemd.services.mailhog = {
diff --git a/nixpkgs/nixos/modules/services/mail/opensmtpd.nix b/nixpkgs/nixos/modules/services/mail/opensmtpd.nix
index a870550ba50..1fabe2da45c 100644
--- a/nixpkgs/nixos/modules/services/mail/opensmtpd.nix
+++ b/nixpkgs/nixos/modules/services/mail/opensmtpd.nix
@@ -101,6 +101,12 @@ in {
};
};
+ systemd.tmpfiles.rules = [
+ "d /var/spool/smtpd 711 root - - -"
+ "d /var/spool/smtpd/offline 770 root smtpq - -"
+ "d /var/spool/smtpd/purge 700 smtpq root - -"
+ ];
+
systemd.services.opensmtpd = let
procEnv = pkgs.buildEnv {
name = "opensmtpd-procs";
@@ -110,18 +116,6 @@ in {
in {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
- preStart = ''
- mkdir -p /var/spool/smtpd
- chmod 711 /var/spool/smtpd
-
- mkdir -p /var/spool/smtpd/offline
- chown root.smtpq /var/spool/smtpd/offline
- chmod 770 /var/spool/smtpd/offline
-
- mkdir -p /var/spool/smtpd/purge
- chown smtpq.root /var/spool/smtpd/purge
- chmod 700 /var/spool/smtpd/purge
- '';
serviceConfig.ExecStart = "${cfg.package}/sbin/smtpd -d -f ${conf} ${args}";
environment.OPENSMTPD_PROC_PATH = "${procEnv}/libexec/opensmtpd";
};
diff --git a/nixpkgs/nixos/modules/services/mail/postfix.nix b/nixpkgs/nixos/modules/services/mail/postfix.nix
index d5fd76da970..df438a0c69d 100644
--- a/nixpkgs/nixos/modules/services/mail/postfix.nix
+++ b/nixpkgs/nixos/modules/services/mail/postfix.nix
@@ -631,6 +631,14 @@ in
setgid = true;
};
+ security.wrappers.mailq = {
+ program = "mailq";
+ source = "${pkgs.postfix}/bin/mailq";
+ group = setgidGroup;
+ setuid = false;
+ setgid = true;
+ };
+
security.wrappers.postqueue = {
program = "postqueue";
source = "${pkgs.postfix}/bin/postqueue";
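Review bot: `security.wrappers.mailq` adds another setgid program without a comment saying why `mailq` needs the `setgidGroup` privilege. Every setgid wrapper is part of the privileged surface that gets audited, so a one-line rationale above the block would help, for example `# mailq must read the queue, which is restricted to setgidGroup` (wording to be confirmed by someone who knows the Postfix layout). The neighbouring wrapper definitions start and end outside this hunk.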
diff --git a/nixpkgs/nixos/modules/services/mail/roundcube.nix b/nixpkgs/nixos/modules/services/mail/roundcube.nix
index bdedfa1bb70..36dda619ad0 100644
--- a/nixpkgs/nixos/modules/services/mail/roundcube.nix
+++ b/nixpkgs/nixos/modules/services/mail/roundcube.nix
@@ -160,7 +160,7 @@ in
${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql postgres -c "create role ${cfg.database.username} with login password '${cfg.database.password}'";
${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql postgres -c "create database ${cfg.database.dbname} with owner ${cfg.database.username}";
fi
- PGPASSWORD=${cfg.database.password} ${pkgs.postgresql}/bin/psql -U ${cfg.database.username} \
+ PGPASSWORD="${cfg.database.password}" ${pkgs.postgresql}/bin/psql -U ${cfg.database.username} \
-f ${cfg.package}/SQL/postgres.initial.sql \
-h ${cfg.database.host} ${cfg.database.dbname}
touch /var/lib/roundcube/db-created
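Review bot: Wrapping the password in double quotes on the `PGPASSWORD=` line still lets the shell interpret `$`, backticks, `\` and `"` inside it, so passwords containing those characters are altered or break the script. `PGPASSWORD=${lib.escapeShellArg cfg.database.password}` produces a literal value for any input. The `create role` line in the context above has the same problem one level deeper, since the password sits inside a single-quoted SQL literal within a double-quoted shell string. The script also embeds the password in the generated unit, which is worth mentioning in the option description; the script itself starts outside this hunk.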
diff --git a/nixpkgs/nixos/modules/services/mail/rspamd.nix b/nixpkgs/nixos/modules/services/mail/rspamd.nix
index 4db35d9e89a..7ef23ad1726 100644
--- a/nixpkgs/nixos/modules/services/mail/rspamd.nix
+++ b/nixpkgs/nixos/modules/services/mail/rspamd.nix
@@ -60,7 +60,7 @@ let
};
type = mkOption {
type = types.nullOr (types.enum [
- "normal" "controller" "fuzzy_storage" "rspamd_proxy" "lua" "proxy"
+ "normal" "controller" "fuzzy" "rspamd_proxy" "lua" "proxy"
]);
description = ''
The type of this worker. The type <literal>proxy</literal> is
diff --git a/nixpkgs/nixos/modules/services/misc/airsonic.nix b/nixpkgs/nixos/modules/services/misc/airsonic.nix
index 919d3b2f6e6..c296e048cea 100644
--- a/nixpkgs/nixos/modules/services/misc/airsonic.nix
+++ b/nixpkgs/nixos/modules/services/misc/airsonic.nix
@@ -148,6 +148,7 @@ in {
name = cfg.user;
home = cfg.home;
createHome = true;
+ isSystemUser = true;
};
};
}
diff --git a/nixpkgs/nixos/modules/services/misc/beanstalkd.nix b/nixpkgs/nixos/modules/services/misc/beanstalkd.nix
index 06e881406b5..bcd133c9741 100644
--- a/nixpkgs/nixos/modules/services/misc/beanstalkd.nix
+++ b/nixpkgs/nixos/modules/services/misc/beanstalkd.nix
@@ -44,7 +44,8 @@ in
serviceConfig = {
DynamicUser = true;
Restart = "always";
- ExecStart = "${pkg}/bin/beanstalkd -l ${cfg.listen.address} -p ${toString cfg.listen.port}";
+ ExecStart = "${pkg}/bin/beanstalkd -l ${cfg.listen.address} -p ${toString cfg.listen.port} -b $STATE_DIRECTORY";
+ StateDirectory = "beanstalkd";
};
};
diff --git a/nixpkgs/nixos/modules/services/misc/docker-registry.nix b/nixpkgs/nixos/modules/services/misc/docker-registry.nix
index c87607d2666..89bac4f47d7 100644
--- a/nixpkgs/nixos/modules/services/misc/docker-registry.nix
+++ b/nixpkgs/nixos/modules/services/misc/docker-registry.nix
@@ -145,11 +145,13 @@ in {
};
users.users.docker-registry =
- if cfg.storagePath != null
+ (if cfg.storagePath != null
then {
createHome = true;
home = cfg.storagePath;
}
- else {};
+ else {}) // {
+ isSystemUser = true;
+ };
};
}
diff --git a/nixpkgs/nixos/modules/services/misc/errbot.nix b/nixpkgs/nixos/modules/services/misc/errbot.nix
index 256adce2f02..b447ba5d438 100644
--- a/nixpkgs/nixos/modules/services/misc/errbot.nix
+++ b/nixpkgs/nixos/modules/services/misc/errbot.nix
@@ -76,7 +76,10 @@ in {
};
config = mkIf (cfg.instances != {}) {
- users.users.errbot.group = "errbot";
+ users.users.errbot = {
+ group = "errbot";
+ isSystemUser = true;
+ };
users.groups.errbot = {};
systemd.services = mapAttrs' (name: instanceCfg: nameValuePair "errbot-${name}" (
diff --git a/nixpkgs/nixos/modules/services/misc/gitea.nix b/nixpkgs/nixos/modules/services/misc/gitea.nix
index 4992b13c9d4..c8c59fb256e 100644
--- a/nixpkgs/nixos/modules/services/misc/gitea.nix
+++ b/nixpkgs/nixos/modules/services/misc/gitea.nix
@@ -409,6 +409,7 @@ in
home = cfg.stateDir;
useDefaultShell = true;
group = "gitea";
+ isSystemUser = true;
};
};
diff --git a/nixpkgs/nixos/modules/services/misc/gitlab.nix b/nixpkgs/nixos/modules/services/misc/gitlab.nix
index 34be9d69a46..07ea9c45843 100644
--- a/nixpkgs/nixos/modules/services/misc/gitlab.nix
+++ b/nixpkgs/nixos/modules/services/misc/gitlab.nix
@@ -608,6 +608,8 @@ in {
# objects owners and extensions; for now we tack on what's needed
# here.
systemd.services.postgresql.postStart = mkAfter (optionalString databaseActuallyCreateLocally ''
+ set -eu
+
$PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${cfg.databaseName}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${cfg.databaseName}" OWNER "${cfg.databaseUsername}"'
current_owner=$($PSQL -tAc "SELECT pg_catalog.pg_get_userbyid(datdba) FROM pg_catalog.pg_database WHERE datname = '${cfg.databaseName}'")
if [[ "$current_owner" != "${cfg.databaseUsername}" ]]; then
@@ -666,7 +668,6 @@ in {
"d ${gitlabConfig.production.shared.path}/artifacts 0750 ${cfg.user} ${cfg.group} -"
"d ${gitlabConfig.production.shared.path}/lfs-objects 0750 ${cfg.user} ${cfg.group} -"
"d ${gitlabConfig.production.shared.path}/pages 0750 ${cfg.user} ${cfg.group} -"
- "L+ ${cfg.statePath}/lib - - - - ${cfg.packages.gitlab}/share/gitlab/lib"
"L+ /run/gitlab/config - - - - ${cfg.statePath}/config"
"L+ /run/gitlab/log - - - - ${cfg.statePath}/log"
"L+ /run/gitlab/tmp - - - - ${cfg.statePath}/tmp"
@@ -740,7 +741,6 @@ in {
gitlab-workhorse
];
serviceConfig = {
- PermissionsStartOnly = true; # preStart must be run as root
Type = "simple";
User = cfg.user;
Group = cfg.group;
@@ -782,13 +782,18 @@ in {
ExecStartPre = let
preStartFullPrivileges = ''
shopt -s dotglob nullglob
+ set -eu
+
chown --no-dereference '${cfg.user}':'${cfg.group}' '${cfg.statePath}'/*
chown --no-dereference '${cfg.user}':'${cfg.group}' '${cfg.statePath}'/config/*
'';
preStart = ''
+ set -eu
+
cp -f ${cfg.packages.gitlab}/share/gitlab/VERSION ${cfg.statePath}/VERSION
rm -rf ${cfg.statePath}/db/*
rm -rf ${cfg.statePath}/config/initializers/*
+ rm -f ${cfg.statePath}/lib
cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/config.dist/* ${cfg.statePath}/config
cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/db/* ${cfg.statePath}/db
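Review bot: The added `rm -f ${cfg.statePath}/lib` leaves the path unquoted, unlike the `chown` lines in `preStartFullPrivileges` just above, which use `'${cfg.statePath}'`; a state path with spaces would make `rm` act on the wrong names. Writing it as `rm -f '${cfg.statePath}/lib'` keeps the two scripts consistent. With `set -eu` now active, `rm -f` will also abort the whole pre-start if `lib` is a real directory rather than the old symlink, so a short comment such as `# lib used to be a tmpfiles symlink; remove the stale link` would explain the intent. The `preStart` string continues past this hunk.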
diff --git a/nixpkgs/nixos/modules/services/misc/gollum.nix b/nixpkgs/nixos/modules/services/misc/gollum.nix
index 7653b415bf0..f4a9c72b154 100644
--- a/nixpkgs/nixos/modules/services/misc/gollum.nix
+++ b/nixpkgs/nixos/modules/services/misc/gollum.nix
@@ -71,6 +71,7 @@ in
group = config.users.users.gollum.name;
description = "Gollum user";
createHome = false;
+ isSystemUser = true;
};
users.groups.gollum = { };
diff --git a/nixpkgs/nixos/modules/services/misc/jellyfin.nix b/nixpkgs/nixos/modules/services/misc/jellyfin.nix
index 55559206568..6ecdfb57dc3 100644
--- a/nixpkgs/nixos/modules/services/misc/jellyfin.nix
+++ b/nixpkgs/nixos/modules/services/misc/jellyfin.nix
@@ -41,7 +41,10 @@ in
};
users.users = mkIf (cfg.user == "jellyfin") {
- jellyfin.group = cfg.group;
+ jellyfin = {
+ group = cfg.group;
+ isSystemUser = true;
+ };
};
users.groups = mkIf (cfg.group == "jellyfin") {
diff --git a/nixpkgs/nixos/modules/services/misc/lidarr.nix b/nixpkgs/nixos/modules/services/misc/lidarr.nix
index 40755c16217..8ff1adadcf2 100644
--- a/nixpkgs/nixos/modules/services/misc/lidarr.nix
+++ b/nixpkgs/nixos/modules/services/misc/lidarr.nix
@@ -10,6 +10,12 @@ in
services.lidarr = {
enable = mkEnableOption "Lidarr";
+ dataDir = mkOption {
+ type = types.str;
+ default = "/var/lib/lidarr/.config/Lidarr";
+ description = "The directory where Lidarr stores its data files.";
+ };
+
package = mkOption {
type = types.package;
default = pkgs.lidarr;
@@ -44,6 +50,10 @@ in
};
config = mkIf cfg.enable {
+ systemd.tmpfiles.rules = [
+ "d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
+ ];
+
systemd.services.lidarr = {
description = "Lidarr";
after = [ "network.target" ];
@@ -53,11 +63,8 @@ in
Type = "simple";
User = cfg.user;
Group = cfg.group;
- ExecStart = "${cfg.package}/bin/Lidarr";
+ ExecStart = "${cfg.package}/bin/Lidarr -nobrowser -data='${cfg.dataDir}'";
Restart = "on-failure";
-
- StateDirectory = "lidarr";
- StateDirectoryMode = "0770";
};
};
diff --git a/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix b/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix
index 0f4eb2ccfca..50661b873f6 100644
--- a/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix
+++ b/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix
@@ -407,6 +407,9 @@ in {
"192.168.0.0/16"
"100.64.0.0/10"
"169.254.0.0/16"
+ "::1/128"
+ "fe80::/64"
+ "fc00::/7"
];
description = ''
List of IP address CIDR ranges that the URL preview spider is denied
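Review bot: The new link-local entry is `"fe80::/64"`, but the IPv6 link-local block is `fe80::/10`, so addresses in the rest of that block are not covered by this deny-list for the URL preview spider. Using `"fe80::/10"` closes the gap at no cost. It may also be worth checking whether IPv4-mapped IPv6 forms of the IPv4 ranges above are matched by the consumer of this list, since that is not visible here. The list itself starts outside this hunk.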
diff --git a/nixpkgs/nixos/modules/services/misc/nix-daemon.nix b/nixpkgs/nixos/modules/services/misc/nix-daemon.nix
index ff4e4f5b97d..dcec4d4fc6c 100644
--- a/nixpkgs/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixpkgs/nixos/modules/services/misc/nix-daemon.nix
@@ -61,7 +61,7 @@ let
'' else ''
echo "Checking that Nix can read nix.conf..."
ln -s $out ./nix.conf
- NIX_CONF_DIR=$PWD ${cfg.package}/bin/nix show-config ${optionalString isNix23 "--no-net"} >/dev/null
+ NIX_CONF_DIR=$PWD ${cfg.package}/bin/nix show-config ${optionalString isNix23 "--no-net --option experimental-features nix-command"} >/dev/null
'')
);
@@ -152,8 +152,8 @@ in
type = types.lines;
default = "";
example = ''
- gc-keep-outputs = true
- gc-keep-derivations = true
+ keep-outputs = true
+ keep-derivations = true
'';
description = "Additional text appended to <filename>nix.conf</filename>.";
};
diff --git a/nixpkgs/nixos/modules/services/misc/osrm.nix b/nixpkgs/nixos/modules/services/misc/osrm.nix
index f89f37ccd9d..79c347ab7e0 100644
--- a/nixpkgs/nixos/modules/services/misc/osrm.nix
+++ b/nixpkgs/nixos/modules/services/misc/osrm.nix
@@ -59,6 +59,7 @@ in
group = config.users.users.osrm.name;
description = "OSRM user";
createHome = false;
+ isSystemUser = true;
};
users.groups.osrm = { };
diff --git a/nixpkgs/nixos/modules/services/misc/redmine.nix b/nixpkgs/nixos/modules/services/misc/redmine.nix
index 24b9e27ac2d..bf9a6914a48 100644
--- a/nixpkgs/nixos/modules/services/misc/redmine.nix
+++ b/nixpkgs/nixos/modules/services/misc/redmine.nix
@@ -62,20 +62,11 @@ in
services.redmine = {
enable = mkEnableOption "Redmine";
- # default to the 4.x series not forcing major version upgrade of those on the 3.x series
package = mkOption {
type = types.package;
- default = if versionAtLeast config.system.stateVersion "19.03"
- then pkgs.redmine_4
- else pkgs.redmine
- ;
- defaultText = "pkgs.redmine";
- description = ''
- Which Redmine package to use. This defaults to version 3.x if
- <literal>system.stateVersion &lt; 19.03</literal> and version 4.x
- otherwise.
- '';
- example = "pkgs.redmine_4.override { ruby = pkgs.ruby_2_4; }";
+ default = pkgs.redmine;
+ description = "Which Redmine package to use.";
+ example = "pkgs.redmine.override { ruby = pkgs.ruby_2_4; }";
};
user = mkOption {
diff --git a/nixpkgs/nixos/modules/services/misc/zoneminder.nix b/nixpkgs/nixos/modules/services/misc/zoneminder.nix
index 3bff04e7127..d7f7324580c 100644
--- a/nixpkgs/nixos/modules/services/misc/zoneminder.nix
+++ b/nixpkgs/nixos/modules/services/misc/zoneminder.nix
@@ -265,7 +265,7 @@ in {
}
location /cache/ {
- alias /var/cache/${dirName};
+ alias /var/cache/${dirName}/;
}
location ~ \.php$ {
diff --git a/nixpkgs/nixos/modules/services/monitoring/collectd.nix b/nixpkgs/nixos/modules/services/monitoring/collectd.nix
index 6a4c678eb21..731ac743b7c 100644
--- a/nixpkgs/nixos/modules/services/monitoring/collectd.nix
+++ b/nixpkgs/nixos/modules/services/monitoring/collectd.nix
@@ -16,13 +16,29 @@ let
NotifyLevel "OKAY"
</Plugin>
+ ${concatStrings (mapAttrsToList (plugin: pluginConfig: ''
+ LoadPlugin ${plugin}
+ <Plugin "${plugin}">
+ ${pluginConfig}
+ </Plugin>
+ '') cfg.plugins)}
+
${concatMapStrings (f: ''
- Include "${f}"
+ Include "${f}"
'') cfg.include}
${cfg.extraConfig}
'';
+ package =
+ if cfg.buildMinimalPackage
+ then minimalPackage
+ else cfg.package;
+
+ minimalPackage = cfg.package.override {
+ enabledPlugins = [ "syslog" ] ++ builtins.attrNames cfg.plugins;
+ };
+
in {
options.services.collectd = with types; {
enable = mkEnableOption "collectd agent";
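Review bot: `minimalPackage` builds only `syslog` plus the names in `cfg.plugins`, so a plugin loaded through `cfg.extraConfig` or an `include` file would be missing from the minimal build; as far as this diff shows, that would only surface when the daemon starts. The `buildMinimalPackage` description should state the limit, e.g. `Plugins loaded via extraConfig or include are not built in.` Each `pluginConfig` string is also pasted into the `<Plugin>` block verbatim, which the `plugins` description could mention.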
@@ -33,7 +49,15 @@ in {
description = ''
Which collectd package to use.
'';
- type = package;
+ type = types.package;
+ };
+
+ buildMinimalPackage = mkOption {
+ default = false;
+ description = ''
+ Build a minimal collectd package with only the configured `services.collectd.plugins`
+ '';
+ type = types.bool;
};
user = mkOption {
@@ -68,6 +92,15 @@ in {
type = listOf str;
};
+ plugins = mkOption {
+ default = {};
+ example = { cpu = ""; memory = ""; network = "Server 192.168.1.1 25826"; };
+ description = ''
+ Attribute set of plugin names to plugin config segments
+ '';
+ type = types.attrsOf types.str;
+ };
+
extraConfig = mkOption {
default = "";
description = ''
@@ -89,7 +122,7 @@ in {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
- ExecStart = "${cfg.package}/sbin/collectd -C ${conf} -f";
+ ExecStart = "${package}/sbin/collectd -C ${conf} -f";
User = cfg.user;
Restart = "on-failure";
RestartSec = 3;
@@ -98,6 +131,7 @@ in {
users.users = optional (cfg.user == "collectd") {
name = "collectd";
+ isSystemUser = true;
};
};
}
diff --git a/nixpkgs/nixos/modules/services/monitoring/fusion-inventory.nix b/nixpkgs/nixos/modules/services/monitoring/fusion-inventory.nix
index b90579bb70c..fe19ed56195 100644
--- a/nixpkgs/nixos/modules/services/monitoring/fusion-inventory.nix
+++ b/nixpkgs/nixos/modules/services/monitoring/fusion-inventory.nix
@@ -49,6 +49,7 @@ in {
users.users = singleton {
name = "fusion-inventory";
description = "FusionInventory user";
+ isSystemUser = true;
};
systemd.services.fusion-inventory = {
diff --git a/nixpkgs/nixos/modules/services/monitoring/grafana.nix b/nixpkgs/nixos/modules/services/monitoring/grafana.nix
index bf1084eecc3..0f8bc2471e3 100644
--- a/nixpkgs/nixos/modules/services/monitoring/grafana.nix
+++ b/nixpkgs/nixos/modules/services/monitoring/grafana.nix
@@ -43,7 +43,7 @@ let
ANALYTICS_REPORTING_ENABLED = boolToString cfg.analytics.reporting.enable;
- SMTP_ENABLE = boolToString cfg.smtp.enable;
+ SMTP_ENABLED = boolToString cfg.smtp.enable;
SMTP_HOST = cfg.smtp.host;
SMTP_USER = cfg.smtp.user;
SMTP_PASSWORD = cfg.smtp.password;
diff --git a/nixpkgs/nixos/modules/services/monitoring/netdata.nix b/nixpkgs/nixos/modules/services/monitoring/netdata.nix
index 463b1b882ac..3ffde8e9bce 100644
--- a/nixpkgs/nixos/modules/services/monitoring/netdata.nix
+++ b/nixpkgs/nixos/modules/services/monitoring/netdata.nix
@@ -138,7 +138,7 @@ in {
description = "Real time performance monitoring";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
- path = (with pkgs; [ gawk curl ]) ++ lib.optional cfg.python.enable
+ path = (with pkgs; [ curl gawk which ]) ++ lib.optional cfg.python.enable
(pkgs.python3.withPackages cfg.python.extraPackages);
serviceConfig = {
Environment="PYTHONPATH=${pkgs.netdata}/libexec/netdata/python.d/python_modules";
@@ -181,6 +181,7 @@ in {
users.users = optional (cfg.user == defaultUser) {
name = defaultUser;
+ isSystemUser = true;
};
users.groups = optional (cfg.group == defaultUser) {
diff --git a/nixpkgs/nixos/modules/services/monitoring/osquery.nix b/nixpkgs/nixos/modules/services/monitoring/osquery.nix
deleted file mode 100644
index c8c625577d3..00000000000
--- a/nixpkgs/nixos/modules/services/monitoring/osquery.nix
+++ /dev/null
@@ -1,91 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with builtins;
-with lib;
-
-let
- cfg = config.services.osquery;
-
-in
-
-{
-
- options = {
-
- services.osquery = {
-
- enable = mkEnableOption "osquery";
-
- loggerPath = mkOption {
- type = types.path;
- description = "Base directory used for logging.";
- default = "/var/log/osquery";
- };
-
- pidfile = mkOption {
- type = types.path;
- description = "Path used for pid file.";
- default = "/var/osquery/osqueryd.pidfile";
- };
-
- utc = mkOption {
- type = types.bool;
- description = "Attempt to convert all UNIX calendar times to UTC.";
- default = true;
- };
-
- databasePath = mkOption {
- type = types.path;
- description = "Path used for database file.";
- default = "/var/osquery/osquery.db";
- };
-
- extraConfig = mkOption {
- type = types.attrs // {
- merge = loc: foldl' (res: def: recursiveUpdate res def.value) {};
- };
- description = "Extra config to be recursively merged into the JSON config file.";
- default = { };
- };
- };
-
- };
-
- config = mkIf cfg.enable {
-
- environment.systemPackages = [ pkgs.osquery ];
-
- environment.etc."osquery/osquery.conf".text = toJSON (
- recursiveUpdate {
- options = {
- config_plugin = "filesystem";
- logger_plugin = "filesystem";
- logger_path = cfg.loggerPath;
- database_path = cfg.databasePath;
- utc = cfg.utc;
- };
- } cfg.extraConfig
- );
-
- systemd.services.osqueryd = {
- description = "The osquery Daemon";
- after = [ "network.target" "syslog.service" ];
- wantedBy = [ "multi-user.target" ];
- path = [ pkgs.osquery ];
- preStart = ''
- mkdir -p ${escapeShellArg cfg.loggerPath}
- mkdir -p "$(dirname ${escapeShellArg cfg.pidfile})"
- mkdir -p "$(dirname ${escapeShellArg cfg.databasePath})"
- '';
- serviceConfig = {
- TimeoutStartSec = "infinity";
- ExecStart = "${pkgs.osquery}/bin/osqueryd --logger_path ${escapeShellArg cfg.loggerPath} --pidfile ${escapeShellArg cfg.pidfile} --database_path ${escapeShellArg cfg.databasePath}";
- KillMode = "process";
- KillSignal = "SIGTERM";
- Restart = "on-failure";
- };
- };
-
- };
-
-}
diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix
index 35b513bac57..53f32b8fadc 100644
--- a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix
+++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix
@@ -197,6 +197,9 @@ in
services.prometheus.exporters.minio.minioAccessSecret = mkDefault config.services.minio.secretKey;
})] ++ [(mkIf config.services.rspamd.enable {
services.prometheus.exporters.rspamd.url = mkDefault "http://localhost:11334/stat";
+ })] ++ [(mkIf config.services.nginx.enable {
+ systemd.services.prometheus-nginx-exporter.after = [ "nginx.service" ];
+ systemd.services.prometheus-nginx-exporter.requires = [ "nginx.service" ];
})] ++ (mapAttrsToList (name: conf:
mkExporterConf {
inherit name;
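Review bot: The added `mkIf` is keyed on `config.services.nginx.enable` alone, so the `after`/`requires` attributes on `prometheus-nginx-exporter` are defined even on hosts where the exporter itself is off. That would likely leave a service definition that has ordering but no `ExecStart`, which systemd reports as a bad unit at load time. Guarding on both, e.g. `mkIf (config.services.nginx.enable && config.services.prometheus.exporters.nginx.enable)`, keeps the ordering without the stub; the exporter's own enable option is not visible in this hunk, so confirm the name.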
diff --git a/nixpkgs/nixos/modules/services/monitoring/zabbix-agent.nix b/nixpkgs/nixos/modules/services/monitoring/zabbix-agent.nix
index 856b9432892..b3383ed628b 100644
--- a/nixpkgs/nixos/modules/services/monitoring/zabbix-agent.nix
+++ b/nixpkgs/nixos/modules/services/monitoring/zabbix-agent.nix
@@ -131,6 +131,7 @@ in
users.users.${user} = {
description = "Zabbix Agent daemon user";
inherit group;
+ isSystemUser = true;
};
users.groups.${group} = { };
diff --git a/nixpkgs/nixos/modules/services/network-filesystems/beegfs.nix b/nixpkgs/nixos/modules/services/network-filesystems/beegfs.nix
deleted file mode 100644
index 2e03a422665..00000000000
--- a/nixpkgs/nixos/modules/services/network-filesystems/beegfs.nix
+++ /dev/null
@@ -1,357 +0,0 @@
-{ config, lib, pkgs, ...} :
-
-with lib;
-
-let
- cfg = config.services.beegfs;
-
- # functions for the generations of config files
-
- configMgmtd = name: cfg: pkgs.writeText "mgmt-${name}.conf" ''
- storeMgmtdDirectory = ${cfg.mgmtd.storeDir}
- storeAllowFirstRunInit = false
- connAuthFile = ${cfg.connAuthFile}
- connPortShift = ${toString cfg.connPortShift}
-
- ${cfg.mgmtd.extraConfig}
- '';
-
- configAdmon = name: cfg: pkgs.writeText "admon-${name}.conf" ''
- sysMgmtdHost = ${cfg.mgmtdHost}
- connAuthFile = ${cfg.connAuthFile}
- connPortShift = ${toString cfg.connPortShift}
-
- ${cfg.admon.extraConfig}
- '';
-
- configMeta = name: cfg: pkgs.writeText "meta-${name}.conf" ''
- storeMetaDirectory = ${cfg.meta.storeDir}
- sysMgmtdHost = ${cfg.mgmtdHost}
- connAuthFile = ${cfg.connAuthFile}
- connPortShift = ${toString cfg.connPortShift}
- storeAllowFirstRunInit = false
-
- ${cfg.meta.extraConfig}
- '';
-
- configStorage = name: cfg: pkgs.writeText "storage-${name}.conf" ''
- storeStorageDirectory = ${cfg.storage.storeDir}
- sysMgmtdHost = ${cfg.mgmtdHost}
- connAuthFile = ${cfg.connAuthFile}
- connPortShift = ${toString cfg.connPortShift}
- storeAllowFirstRunInit = false
-
- ${cfg.storage.extraConfig}
- '';
-
- configHelperd = name: cfg: pkgs.writeText "helperd-${name}.conf" ''
- connAuthFile = ${cfg.connAuthFile}
- ${cfg.helperd.extraConfig}
- '';
-
- configClientFilename = name : "/etc/beegfs/client-${name}.conf";
-
- configClient = name: cfg: ''
- sysMgmtdHost = ${cfg.mgmtdHost}
- connAuthFile = ${cfg.connAuthFile}
- connPortShift = ${toString cfg.connPortShift}
-
- ${cfg.client.extraConfig}
- '';
-
- serviceList = [
- { service = "admon"; cfgFile = configAdmon; }
- { service = "meta"; cfgFile = configMeta; }
- { service = "mgmtd"; cfgFile = configMgmtd; }
- { service = "storage"; cfgFile = configStorage; }
- ];
-
- # functions to generate systemd.service entries
-
- systemdEntry = service: cfgFile: (mapAttrs' ( name: cfg:
- (nameValuePair "beegfs-${service}-${name}" (mkIf cfg.${service}.enable {
- wantedBy = [ "multi-user.target" ];
- requires = [ "network-online.target" ];
- after = [ "network-online.target" ];
- serviceConfig = rec {
- ExecStart = ''
- ${pkgs.beegfs}/bin/beegfs-${service} \
- cfgFile=${cfgFile name cfg} \
- pidFile=${PIDFile}
- '';
- PIDFile = "/run/beegfs-${service}-${name}.pid";
- TimeoutStopSec = "300";
- };
- }))) cfg);
-
- systemdHelperd = mapAttrs' ( name: cfg:
- (nameValuePair "beegfs-helperd-${name}" (mkIf cfg.client.enable {
- wantedBy = [ "multi-user.target" ];
- requires = [ "network-online.target" ];
- after = [ "network-online.target" ];
- serviceConfig = rec {
- ExecStart = ''
- ${pkgs.beegfs}/bin/beegfs-helperd \
- cfgFile=${configHelperd name cfg} \
- pidFile=${PIDFile}
- '';
- PIDFile = "/run/beegfs-helperd-${name}.pid";
- TimeoutStopSec = "300";
- };
- }))) cfg;
-
- # wrappers to beegfs tools. Avoid typing path of config files
- utilWrappers = mapAttrsToList ( name: cfg:
- ( pkgs.runCommand "beegfs-utils-${name}" {
- nativeBuildInputs = [ pkgs.makeWrapper ];
- preferLocalBuild = true;
- } ''
- mkdir -p $out/bin
-
- makeWrapper ${pkgs.beegfs}/bin/beegfs-check-servers \
- $out/bin/beegfs-check-servers-${name} \
- --add-flags "-c ${configClientFilename name}" \
- --prefix PATH : ${lib.makeBinPath [ pkgs.beegfs ]}
-
- makeWrapper ${pkgs.beegfs}/bin/beegfs-ctl \
- $out/bin/beegfs-ctl-${name} \
- --add-flags "--cfgFile=${configClientFilename name}"
-
- makeWrapper ${pkgs.beegfs}/bin/beegfs-ctl \
- $out/bin/beegfs-df-${name} \
- --add-flags "--cfgFile=${configClientFilename name}" \
- --add-flags --listtargets \
- --add-flags --hidenodeid \
- --add-flags --pools \
- --add-flags --spaceinfo
-
- makeWrapper ${pkgs.beegfs}/bin/beegfs-fsck \
- $out/bin/beegfs-fsck-${name} \
- --add-flags "--cfgFile=${configClientFilename name}"
- ''
- )) cfg;
-in
-{
- ###### interface
-
- options = {
- services.beegfsEnable = mkEnableOption "BeeGFS";
-
- services.beegfs = mkOption {
- default = {};
- description = ''
- BeeGFS configurations. Every mount point requires a separate configuration.
- '';
- type = with types; attrsOf (submodule ({ ... } : {
- options = {
- mgmtdHost = mkOption {
- type = types.str;
- default = null;
- example = "master";
- description = ''Hostname of managament host.'';
- };
-
- connAuthFile = mkOption {
- type = types.str;
- default = "";
- example = "/etc/my.key";
- description = "File containing shared secret authentication.";
- };
-
- connPortShift = mkOption {
- type = types.int;
- default = 0;
- example = 5;
- description = ''
- For each additional beegfs configuration shift all
- service TCP/UDP ports by at least 5.
- '';
- };
-
- client = {
- enable = mkEnableOption "BeeGFS client";
-
- mount = mkOption {
- type = types.bool;
- default = true;
- description = "Create fstab entry automatically";
- };
-
- mountPoint = mkOption {
- type = types.str;
- default = "/run/beegfs";
- description = ''
- Mount point under which the beegfs filesytem should be mounted.
- If mounted manually the mount option specifing the config file is needed:
- cfgFile=/etc/beegfs/beegfs-client-&lt;name&gt;.conf
- '';
- };
-
- extraConfig = mkOption {
- type = types.lines;
- default = "";
- description = ''
- Additional lines for beegfs-client.conf.
- See documentation for further details.
- '';
- };
- };
-
- helperd = {
- enable = mkOption {
- type = types.bool;
- default = true;
- description = ''
- Enable the BeeGFS helperd.
- The helpered is need for logging purposes on the client.
- Disabling <literal>helperd</literal> allows for runing the client
- with <literal>allowUnfree = false</literal>.
- '';
- };
-
- extraConfig = mkOption {
- type = types.lines;
- default = "";
- description = ''
- Additional lines for beegfs-helperd.conf. See documentation
- for further details.
- '';
- };
- };
-
- mgmtd = {
- enable = mkEnableOption "BeeGFS mgmtd daemon";
-
- storeDir = mkOption {
- type = types.path;
- default = null;
- example = "/data/beegfs-mgmtd";
- description = ''
- Data directory for mgmtd.
- Must not be shared with other beegfs daemons.
- This directory must exist and it must be initialized
- with beegfs-setup-mgmtd, e.g. "beegfs-setup-mgmtd -C -p &lt;storeDir&gt;"
- '';
- };
-
- extraConfig = mkOption {
- type = types.lines;
- default = "";
- description = ''
- Additional lines for beegfs-mgmtd.conf. See documentation
- for further details.
- '';
- };
- };
-
- admon = {
- enable = mkEnableOption "BeeGFS admon daemon";
-
- extraConfig = mkOption {
- type = types.lines;
- default = "";
- description = ''
- Additional lines for beegfs-admon.conf. See documentation
- for further details.
- '';
- };
- };
-
- meta = {
- enable = mkEnableOption "BeeGFS meta data daemon";
-
- storeDir = mkOption {
- type = types.path;
- default = null;
- example = "/data/beegfs-meta";
- description = ''
- Data directory for meta data service.
- Must not be shared with other beegfs daemons.
- The underlying filesystem must be mounted with xattr turned on.
- This directory must exist and it must be initialized
- with beegfs-setup-meta, e.g.
- "beegfs-setup-meta -C -s &lt;serviceID&gt; -p &lt;storeDir&gt;"
- '';
- };
-
- extraConfig = mkOption {
- type = types.str;
- default = "";
- description = ''
- Additional lines for beegfs-meta.conf. See documentation
- for further details.
- '';
- };
- };
-
- storage = {
- enable = mkEnableOption "BeeGFS storage daemon";
-
- storeDir = mkOption {
- type = types.path;
- default = null;
- example = "/data/beegfs-storage";
- description = ''
- Data directories for storage service.
- Must not be shared with other beegfs daemons.
- The underlying filesystem must be mounted with xattr turned on.
- This directory must exist and it must be initialized
- with beegfs-setup-storage, e.g.
- "beegfs-setup-storage -C -s &lt;serviceID&gt; -i &lt;storageTargetID&gt; -p &lt;storeDir&gt;"
- '';
- };
-
- extraConfig = mkOption {
- type = types.str;
- default = "";
- description = ''
- Addional lines for beegfs-storage.conf. See documentation
- for further details.
- '';
- };
- };
- };
- }));
- };
- };
-
- ###### implementation
-
- config =
- mkIf config.services.beegfsEnable {
-
- environment.systemPackages = utilWrappers;
-
- # Put the client.conf files in /etc since they are needed
- # by the commandline tools
- environment.etc = mapAttrs' ( name: cfg:
- (nameValuePair "beegfs/client-${name}.conf" (mkIf (cfg.client.enable)
- {
- enable = true;
- text = configClient name cfg;
- }))) cfg;
-
- # Kernel module, we need it only once per host.
- boot = mkIf (
- foldr (a: b: a || b) false
- (map (x: x.client.enable) (collect (x: x ? client) cfg)))
- {
- kernelModules = [ "beegfs" ];
- extraModulePackages = [ pkgs.linuxPackages.beegfs-module ];
- };
-
- # generate fstab entries
- fileSystems = mapAttrs' (name: cfg:
- (nameValuePair cfg.client.mountPoint (optionalAttrs cfg.client.mount (mkIf cfg.client.enable {
- device = "beegfs_nodev";
- fsType = "beegfs";
- mountPoint = cfg.client.mountPoint;
- options = [ "cfgFile=${configClientFilename name}" "_netdev" ];
- })))) cfg;
-
- # generate systemd services
- systemd.services = systemdHelperd //
- foldr (a: b: a // b) {}
- (map (x: systemdEntry x.service x.cfgFile) serviceList);
- };
-}
diff --git a/nixpkgs/nixos/modules/services/network-filesystems/ceph.nix b/nixpkgs/nixos/modules/services/network-filesystems/ceph.nix
index 656a2d21b86..543a7b25d5d 100644
--- a/nixpkgs/nixos/modules/services/network-filesystems/ceph.nix
+++ b/nixpkgs/nixos/modules/services/network-filesystems/ceph.nix
@@ -9,12 +9,14 @@ let
expandCamelCase = replaceStrings upperChars (map (s: " ${s}") lowerChars);
expandCamelCaseAttrs = mapAttrs' (name: value: nameValuePair (expandCamelCase name) value);
- makeServices = (daemonType: daemonIds: extraServiceConfig:
+ makeServices = (daemonType: daemonIds:
mkMerge (map (daemonId:
- { "ceph-${daemonType}-${daemonId}" = makeService daemonType daemonId cfg.global.clusterName pkgs.ceph extraServiceConfig; })
+ { "ceph-${daemonType}-${daemonId}" = makeService daemonType daemonId cfg.global.clusterName pkgs.ceph; })
daemonIds));
- makeService = (daemonType: daemonId: clusterName: ceph: extraServiceConfig: {
+ makeService = (daemonType: daemonId: clusterName: ceph:
+ let
+ stateDirectory = "ceph/${if daemonType == "rgw" then "radosgw" else daemonType}/${clusterName}-${daemonId}"; in {
enable = true;
description = "Ceph ${builtins.replaceStrings lowerChars upperChars daemonType} daemon ${daemonId}";
after = [ "network-online.target" "time-sync.target" ] ++ optional (daemonType == "osd") "ceph-mon.target";
@@ -22,6 +24,11 @@ let
partOf = [ "ceph-${daemonType}.target" ];
wantedBy = [ "ceph-${daemonType}.target" ];
+ path = [ pkgs.getopt ];
+
+ # Don't start services that are not yet initialized
+ unitConfig.ConditionPathExists = "/var/lib/${stateDirectory}/keyring";
+
serviceConfig = {
LimitNOFILE = 1048576;
LimitNPROC = 1048576;
@@ -34,22 +41,22 @@ let
Restart = "on-failure";
StartLimitBurst = "5";
StartLimitInterval = "30min";
+ StateDirectory = stateDirectory;
+ User = "ceph";
+ Group = if daemonType == "osd" then "disk" else "ceph";
ExecStart = ''${ceph.out}/bin/${if daemonType == "rgw" then "radosgw" else "ceph-${daemonType}"} \
- -f --cluster ${clusterName} --id ${daemonId} --setuser ceph \
- --setgroup ${if daemonType == "osd" then "disk" else "ceph"}'';
- } // extraServiceConfig
- // optionalAttrs (daemonType == "osd") { ExecStartPre = ''${ceph.lib}/libexec/ceph/ceph-osd-prestart.sh \
- --id ${daemonId} --cluster ${clusterName}''; };
- } // optionalAttrs (builtins.elem daemonType [ "mds" "mon" "rgw" "mgr" ]) {
- preStart = ''
- daemonPath="/var/lib/ceph/${if daemonType == "rgw" then "radosgw" else daemonType}/${clusterName}-${daemonId}"
- if [ ! -d $daemonPath ]; then
- mkdir -m 755 -p $daemonPath
- chown -R ceph:ceph $daemonPath
- fi
- '';
- } // optionalAttrs (daemonType == "osd") { path = [ pkgs.getopt ]; }
- );
+ -f --cluster ${clusterName} --id ${daemonId}'';
+ } // optionalAttrs (daemonType == "osd") {
+ ExecStartPre = ''${ceph.lib}/libexec/ceph/ceph-osd-prestart.sh --id ${daemonId} --cluster ${clusterName}'';
+ StartLimitBurst = "30";
+ RestartSec = "20s";
+ PrivateDevices = "no"; # osd needs disk access
+ } // optionalAttrs ( daemonType == "mon") {
+ RestartSec = "10";
+ } // optionalAttrs (lib.elem daemonType ["mgr" "mds"]) {
+ StartLimitBurst = "3";
+ };
+ });
makeTarget = (daemonType:
{
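Review bot: `StateDirectory = stateDirectory;` is created by systemd with its default mode 0755, and the `ConditionPathExists` line in the previous hunk shows the daemon keyring lives in that directory. Adding `StateDirectoryMode = "0750";` beside it would stop other local users from listing the directory, instead of relying only on the keyring file's own permissions. Because `User = "ceph"` now applies to the whole unit, the OSD `ExecStartPre` script also runs as ceph rather than root, which is worth confirming against what `ceph-osd-prestart.sh` needs. `makeService` begins before this hunk.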
@@ -58,6 +65,7 @@ let
partOf = [ "ceph.target" ];
wantedBy = [ "ceph.target" ];
before = [ "ceph.target" ];
+ unitConfig.StopWhenUnneeded = true;
};
}
);
@@ -377,22 +385,22 @@ in
systemd.services = let
services = []
- ++ optional cfg.mon.enable (makeServices "mon" cfg.mon.daemons { RestartSec = "10"; })
- ++ optional cfg.mds.enable (makeServices "mds" cfg.mds.daemons { StartLimitBurst = "3"; })
- ++ optional cfg.osd.enable (makeServices "osd" cfg.osd.daemons { StartLimitBurst = "30";
- RestartSec = "20s";
- PrivateDevices = "no"; # osd needs disk access
- })
- ++ optional cfg.rgw.enable (makeServices "rgw" cfg.rgw.daemons { })
- ++ optional cfg.mgr.enable (makeServices "mgr" cfg.mgr.daemons { StartLimitBurst = "3"; });
+ ++ optional cfg.mon.enable (makeServices "mon" cfg.mon.daemons)
+ ++ optional cfg.mds.enable (makeServices "mds" cfg.mds.daemons)
+ ++ optional cfg.osd.enable (makeServices "osd" cfg.osd.daemons)
+ ++ optional cfg.rgw.enable (makeServices "rgw" cfg.rgw.daemons)
+ ++ optional cfg.mgr.enable (makeServices "mgr" cfg.mgr.daemons);
in
mkMerge services;
systemd.targets = let
targets = [
- { ceph = { description = "Ceph target allowing to start/stop all ceph service instances at once";
- wantedBy = [ "multi-user.target" ]; }; }
- ] ++ optional cfg.mon.enable (makeTarget "mon")
+ { ceph = {
+ description = "Ceph target allowing to start/stop all ceph service instances at once";
+ wantedBy = [ "multi-user.target" ];
+ unitConfig.StopWhenUnneeded = true;
+ }; } ]
+ ++ optional cfg.mon.enable (makeTarget "mon")
++ optional cfg.mds.enable (makeTarget "mds")
++ optional cfg.osd.enable (makeTarget "osd")
++ optional cfg.rgw.enable (makeTarget "rgw")
@@ -401,7 +409,11 @@ in
mkMerge targets;
systemd.tmpfiles.rules = [
+ "d /etc/ceph - ceph ceph - -"
"d /run/ceph 0770 ceph ceph -"
- ];
+ "d /var/lib/ceph - ceph ceph - -"]
+ ++ optionals cfg.mgr.enable [ "d /var/lib/ceph/mgr - ceph ceph - -"]
+ ++ optionals cfg.mon.enable [ "d /var/lib/ceph/mon - ceph ceph - -"]
+ ++ optionals cfg.osd.enable [ "d /var/lib/ceph/osd - ceph ceph - -"];
};
}
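Review bot: The new `d /etc/ceph - ceph ceph - -` rule hands ownership of the configuration directory to the account the daemons run as, with the mode left at the tmpfiles default. If the daemons only need to read from there, `"d /etc/ceph 0750 root ceph - -"` would keep a compromised daemon from rewriting cluster configuration or client keyrings; this assumes nothing running as ceph has to write into the directory, which the hunk does not show. The `/var/lib/ceph*` rules could likewise carry an explicit mode, as the existing `/run/ceph 0770` rule does.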
diff --git a/nixpkgs/nixos/modules/services/network-filesystems/orangefs/client.nix b/nixpkgs/nixos/modules/services/network-filesystems/orangefs/client.nix
new file mode 100644
index 00000000000..b69d9e713c3
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/network-filesystems/orangefs/client.nix
@@ -0,0 +1,97 @@
+{ config, lib, pkgs, ...} :
+
+with lib;
+
+let
+ cfg = config.services.orangefs.client;
+
+in {
+ ###### interface
+
+ options = {
+ services.orangefs.client = {
+ enable = mkEnableOption "OrangeFS client daemon";
+
+ extraOptions = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "Extra command line options for pvfs2-client.";
+ };
+
+ fileSystems = mkOption {
+ description = ''
+ The orangefs file systems to be mounted.
+ This option is prefered over using <option>fileSystems</option> directly since
+ the pvfs client service needs to be running for it to be mounted.
+ '';
+
+ example = [{
+ mountPoint = "/orangefs";
+ target = "tcp://server:3334/orangefs";
+ }];
+
+ type = with types; listOf (submodule ({ ... } : {
+ options = {
+
+ mountPoint = mkOption {
+ type = types.str;
+ default = "/orangefs";
+ description = "Mount point.";
+ };
+
+ options = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "Mount options";
+ };
+
+ target = mkOption {
+ type = types.str;
+ default = null;
+ example = "tcp://server:3334/orangefs";
+ description = "Target URL";
+ };
+ };
+ }));
+ };
+ };
+ };
+
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [ pkgs.orangefs ];
+
+ boot.supportedFilesystems = [ "pvfs2" ];
+ boot.kernelModules = [ "orangefs" ];
+
+ systemd.services.orangefs-client = {
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ serviceConfig = {
+ Type = "simple";
+
+ ExecStart = ''
+ ${pkgs.orangefs}/bin/pvfs2-client-core \
+ --logtype=syslog ${concatStringsSep " " cfg.extraOptions}
+ '';
+
+ TimeoutStopSec = "120";
+ };
+ };
+
+ systemd.mounts = map (fs: {
+ requires = [ "orangefs-client.service" ];
+ after = [ "orangefs-client.service" ];
+ bindsTo = [ "orangefs-client.service" ];
+ wantedBy = [ "remote-fs.target" ];
+ type = "pvfs2";
+ options = concatStringsSep "," fs.options;
+ what = fs.target;
+ where = fs.mountPoint;
+ }) cfg.fileSystems;
+ };
+}
+
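Review bot: `target` is declared as `types.str` with `default = null`, which is not a value of that type, so a mount entry that omits it fails with a type error instead of the usual "option is not defined" report; dropping the `default` line makes the option mandatory in the normal way. server.nix in this commit has the same pattern on `dataStorageSpace` and `metadataStorageSpace`. Separately, `cfg.extraOptions` is joined into `ExecStart` with `concatStringsSep " "`, so an element containing a space or quote is split again by systemd; `${escapeShellArgs cfg.extraOptions}` would pass each element as a single argument.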
diff --git a/nixpkgs/nixos/modules/services/network-filesystems/orangefs/server.nix b/nixpkgs/nixos/modules/services/network-filesystems/orangefs/server.nix
new file mode 100644
index 00000000000..74ebdc13402
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/network-filesystems/orangefs/server.nix
@@ -0,0 +1,225 @@
+{ config, lib, pkgs, ...} :
+
+with lib;
+
+let
+ cfg = config.services.orangefs.server;
+
+ aliases = mapAttrsToList (alias: url: alias) cfg.servers;
+
+ # Maximum handle number is 2^63
+ maxHandle = 9223372036854775806;
+
+ # One range of handles for each meta/data instance
+ handleStep = maxHandle / (length aliases) / 2;
+
+ fileSystems = mapAttrsToList (name: fs: ''
+ <FileSystem>
+ Name ${name}
+ ID ${toString fs.id}
+ RootHandle ${toString fs.rootHandle}
+
+ ${fs.extraConfig}
+
+ <MetaHandleRanges>
+ ${concatStringsSep "\n" (
+ imap0 (i: alias:
+ let
+ begin = i * handleStep + 3;
+ end = begin + handleStep - 1;
+ in "Range ${alias} ${toString begin}-${toString end}") aliases
+ )}
+ </MetaHandleRanges>
+
+ <DataHandleRanges>
+ ${concatStringsSep "\n" (
+ imap0 (i: alias:
+ let
+ begin = i * handleStep + 3 + (length aliases) * handleStep;
+ end = begin + handleStep - 1;
+ in "Range ${alias} ${toString begin}-${toString end}") aliases
+ )}
+ </DataHandleRanges>
+
+ <StorageHints>
+ TroveSyncMeta ${if fs.troveSyncMeta then "yes" else "no"}
+ TroveSyncData ${if fs.troveSyncData then "yes" else "no"}
+ ${fs.extraStorageHints}
+ </StorageHints>
+
+ </FileSystem>
+ '') cfg.fileSystems;
+
+ configFile = ''
+ <Defaults>
+ LogType ${cfg.logType}
+ DataStorageSpace ${cfg.dataStorageSpace}
+ MetaDataStorageSpace ${cfg.metadataStorageSpace}
+
+ BMIModules ${concatStringsSep "," cfg.BMIModules}
+ ${cfg.extraDefaults}
+ </Defaults>
+
+ ${cfg.extraConfig}
+
+ <Aliases>
+ ${concatStringsSep "\n" (mapAttrsToList (alias: url: "Alias ${alias} ${url}") cfg.servers)}
+ </Aliases>
+
+ ${concatStringsSep "\n" fileSystems}
+ '';
+
+in {
+ ###### interface
+
+ options = {
+ services.orangefs.server = {
+ enable = mkEnableOption "OrangeFS server";
+
+ logType = mkOption {
+ type = with types; enum [ "file" "syslog" ];
+ default = "syslog";
+ description = "Destination for log messages.";
+ };
+
+ dataStorageSpace = mkOption {
+ type = types.str;
+ default = null;
+ example = "/data/storage";
+ description = "Directory for data storage.";
+ };
+
+ metadataStorageSpace = mkOption {
+ type = types.str;
+ default = null;
+ example = "/data/meta";
+ description = "Directory for meta data storage.";
+ };
+
+ BMIModules = mkOption {
+ type = with types; listOf str;
+ default = [ "bmi_tcp" ];
+ example = [ "bmi_tcp" "bmi_ib"];
+ description = "List of BMI modules to load.";
+ };
+
+ extraDefaults = mkOption {
+ type = types.lines;
+ default = "";
+ description = "Extra config for <literal>&lt;Defaults&gt;</literal> section.";
+ };
+
+ extraConfig = mkOption {
+ type = types.lines;
+ default = "";
+ description = "Extra config for the global section.";
+ };
+
+ servers = mkOption {
+ type = with types; attrsOf types.str;
+ default = {};
+ example = ''
+ {
+ node1="tcp://node1:3334";
+ node2="tcp://node2:3334";
+ }
+ '';
+ description = "URLs for storage server including port. The attribute names define the server alias.";
+ };
+
+ fileSystems = mkOption {
+ description = ''
+ These options will create the <literal>&lt;FileSystem&gt;</literal> sections of config file.
+ '';
+ default = { orangefs = {}; };
+ defaultText = literalExample "{ orangefs = {}; }";
+ example = literalExample ''
+ {
+ fs1 = {
+ id = 101;
+ };
+
+ fs2 = {
+ id = 102;
+ };
+ }
+ '';
+ type = with types; attrsOf (submodule ({ ... } : {
+ options = {
+ id = mkOption {
+ type = types.int;
+ default = 1;
+ description = "File system ID (must be unique within configuration).";
+ };
+
+ rootHandle = mkOption {
+ type = types.int;
+ default = 3;
+ description = "File system root ID.";
+ };
+
+ extraConfig = mkOption {
+ type = types.lines;
+ default = "";
+ description = "Extra config for <literal>&lt;FileSystem&gt;</literal> section.";
+ };
+
+ troveSyncMeta = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Sync meta data.";
+ };
+
+ troveSyncData = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Sync data.";
+ };
+
+ extraStorageHints = mkOption {
+ type = types.lines;
+ default = "";
+ description = "Extra config for <literal>&lt;StorageHints&gt;</literal> section.";
+ };
+ };
+ }));
+ };
+ };
+ };
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [ pkgs.orangefs ];
+
+ # orangefs daemon will run as user
+ users.users.orangefs.isSystemUser = true;
+ users.groups.orangefs = {};
+
+ # To format the file system the config file is needed.
+ environment.etc."orangefs/server.conf" = {
+ text = configFile;
+ user = "orangefs";
+ group = "orangefs";
+ };
+
+ systemd.services.orangefs-server = {
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ serviceConfig = {
+ # Run as "simple" in forground mode.
+ # This is more reliable
+ ExecStart = ''
+ ${pkgs.orangefs}/bin/pvfs2-server -d \
+ /etc/orangefs/server.conf
+ '';
+ TimeoutStopSec = "120";
+ User = "orangefs";
+ Group = "orangefs";
+ };
+ };
+ };
+
+}
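Review bot: `environment.etc."orangefs/server.conf"` sets `user` and `group` but no `mode`, and NixOS applies ownership only to /etc entries that are copied, not to the default symlink into the store. As written the file is presumably a world-readable store symlink and the two attributes do nothing; either drop them or add `mode = "0640";` if restricted ownership was intended. In both cases the rendered text sits in the Nix store, so the descriptions of `extraConfig`, `extraDefaults` and `extraStorageHints` should say not to put secrets there. The comment `# Maximum handle number is 2^63` also does not match the literal below it, which is 2^63 - 2.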
diff --git a/nixpkgs/nixos/modules/services/network-filesystems/samba.nix b/nixpkgs/nixos/modules/services/network-filesystems/samba.nix
index ce565dbaab8..875ab70bfc7 100644
--- a/nixpkgs/nixos/modules/services/network-filesystems/samba.nix
+++ b/nixpkgs/nixos/modules/services/network-filesystems/samba.nix
@@ -12,11 +12,6 @@ let
samba = cfg.package;
- setupScript =
- ''
- mkdir -p /var/lock/samba /var/log/samba /var/cache/samba /var/lib/samba/private
- '';
-
shareConfig = name:
let share = getAttr name cfg.shares; in
"[${name}]\n " + (smbToString (
@@ -45,7 +40,7 @@ let
daemonService = appName: args:
{ description = "Samba Service Daemon ${appName}";
- after = [ "network.target" ];
+ after = [ (mkIf (cfg.enableNmbd && "${appName}" == "smbd") "samba-nmbd.service") ];
requiredBy = [ "samba.target" ];
partOf = [ "samba.target" ];
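Review bot: The new `after` list drops `network.target` from every daemon and keeps ordering only for smbd after nmbd, so smbd, nmbd and winbindd are no longer ordered after network setup; the `after = [ "network.target" ]` kept on `samba.target` in a later hunk orders the target, not the services it pulls in. If that is not deliberate, `after = [ "network.target" ] ++ optional (cfg.enableNmbd && appName == "smbd") "samba-nmbd.service";` keeps both, assuming `optional` is in scope the way `mkIf` is. The interpolation in `"${appName}" == "smbd"` is redundant, since `appName` is already a string. `daemonService` continues past this hunk.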
@@ -62,6 +57,7 @@ let
Type = "notify";
NotifyAccess = "all"; #may not do anything...
};
+ unitConfig.RequiresMountsFor = "/var/lib/samba";
restartTriggers = [ configFile ];
};
@@ -119,7 +115,7 @@ in
type = types.package;
default = pkgs.samba;
defaultText = "pkgs.samba";
- example = literalExample "pkgs.samba3";
+ example = literalExample "pkgs.samba4Full";
description = ''
Defines which package should be used for the samba server.
'';
@@ -228,8 +224,7 @@ in
systemd = {
targets.samba = {
description = "Samba Server";
- requires = [ "samba-setup.service" ];
- after = [ "samba-setup.service" "network.target" ];
+ after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
};
# Refer to https://github.com/samba-team/samba/tree/master/packaging/systemd
@@ -238,12 +233,13 @@ in
samba-smbd = daemonService "smbd" "";
samba-nmbd = mkIf cfg.enableNmbd (daemonService "nmbd" "");
samba-winbindd = mkIf cfg.enableWinbindd (daemonService "winbindd" "");
- samba-setup = {
- description = "Samba Setup Task";
- script = setupScript;
- unitConfig.RequiresMountsFor = "/var/lib/samba";
- };
};
+ tmpfiles.rules = [
+ "d /var/lock/samba - - - - -"
+ "d /var/log/samba - - - - -"
+ "d /var/cache/samba - - - - -"
+ "d /var/lib/samba/private - - - - -"
+ ];
};
security.pam.services.samba = {};
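Review bot: `"d /var/lib/samba/private - - - - -"` creates the directory with the tmpfiles default mode, which is world-traversable, although this is the directory where Samba conventionally keeps its secrets and password databases. An explicit `"d /var/lib/samba/private 0700 root root - -"` would make the directory itself the access boundary rather than depending on the mode of each file Samba writes inside it; worth checking against an existing installation before tightening. The other three rules can keep the defaults.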
diff --git a/nixpkgs/nixos/modules/services/networking/bind.nix b/nixpkgs/nixos/modules/services/networking/bind.nix
index 06af4dbcca4..d09c6735e12 100644
--- a/nixpkgs/nixos/modules/services/networking/bind.nix
+++ b/nixpkgs/nixos/modules/services/networking/bind.nix
@@ -78,7 +78,11 @@ in
cacheNetworks = mkOption {
default = ["127.0.0.0/24"];
description = "
- What networks are allowed to use us as a resolver.
+ What networks are allowed to use us as a resolver. Note
+ that this is for recursive queries -- all networks are
+ allowed to query zones configured with the `zones` option.
+ It is recommended that you limit cacheNetworks to avoid your
+ server being used for DNS amplification attacks.
";
};
diff --git a/nixpkgs/nixos/modules/services/networking/bitcoind.nix b/nixpkgs/nixos/modules/services/networking/bitcoind.nix
index 1439d739da9..4e00a886547 100644
--- a/nixpkgs/nixos/modules/services/networking/bitcoind.nix
+++ b/nixpkgs/nixos/modules/services/networking/bitcoind.nix
@@ -177,9 +177,6 @@ in {
NoNewPrivileges = "true";
PrivateDevices = "true";
MemoryDenyWriteExecute = "true";
-
- # Permission for preStart
- PermissionsStartOnly = "true";
};
};
users.users.${cfg.user} = {
@@ -187,6 +184,7 @@ in {
group = cfg.group;
description = "Bitcoin daemon user";
home = cfg.dataDir;
+ isSystemUser = true;
};
users.groups.${cfg.group} = {
name = cfg.group;
diff --git a/nixpkgs/nixos/modules/services/networking/connman.nix b/nixpkgs/nixos/modules/services/networking/connman.nix
index 31127f79049..cac517f410e 100644
--- a/nixpkgs/nixos/modules/services/networking/connman.nix
+++ b/nixpkgs/nixos/modules/services/networking/connman.nix
@@ -4,7 +4,7 @@ with pkgs;
with lib;
let
- cfg = config.networking.connman;
+ cfg = config.services.connman;
configFile = pkgs.writeText "connman.conf" ''
[General]
NetworkInterfaceBlacklist=${concatStringsSep "," cfg.networkInterfaceBlacklist}
@@ -17,7 +17,7 @@ in {
options = {
- networking.connman = {
+ services.connman = {
enable = mkOption {
type = types.bool;
@@ -71,13 +71,13 @@ in {
assertions = [{
assertion = !config.networking.useDHCP;
- message = "You can not use services.networking.connman with services.networking.useDHCP";
+ message = "You can not use services.connman with networking.useDHCP";
}{
assertion = config.networking.wireless.enable;
- message = "You must use services.networking.connman with services.networking.wireless";
+ message = "You must use services.connman with networking.wireless";
}{
assertion = !config.networking.networkmanager.enable;
- message = "You can not use services.networking.connman with services.networking.networkmanager";
+ message = "You can not use services.connman with networking.networkmanager";
}];
environment.systemPackages = [ connman ];
diff --git a/nixpkgs/nixos/modules/services/networking/dnscache.nix b/nixpkgs/nixos/modules/services/networking/dnscache.nix
index 5051fc916d9..d123bca9321 100644
--- a/nixpkgs/nixos/modules/services/networking/dnscache.nix
+++ b/nixpkgs/nixos/modules/services/networking/dnscache.nix
@@ -84,7 +84,7 @@ in {
config = mkIf config.services.dnscache.enable {
environment.systemPackages = [ pkgs.djbdns ];
- users.users.dnscache = {};
+ users.users.dnscache.isSystemUser = true;
systemd.services.dnscache = {
description = "djbdns dnscache server";
diff --git a/nixpkgs/nixos/modules/services/networking/dnschain.nix b/nixpkgs/nixos/modules/services/networking/dnschain.nix
index 5b58ea9b0c9..b837bf816a1 100644
--- a/nixpkgs/nixos/modules/services/networking/dnschain.nix
+++ b/nixpkgs/nixos/modules/services/networking/dnschain.nix
@@ -137,7 +137,7 @@ in
];
services.pdns-recursor = mkIf cfgs.pdns-recursor.resolveDNSChainQueries {
- forwardZones =
+ forwardZonesRecurse =
{ bit = "127.0.0.1:${toString cfg.dns.port}";
dns = "127.0.0.1:${toString cfg.dns.port}";
};
diff --git a/nixpkgs/nixos/modules/services/networking/dnscrypt-wrapper.nix b/nixpkgs/nixos/modules/services/networking/dnscrypt-wrapper.nix
index bf13d5c6f5f..79f9e1a4308 100644
--- a/nixpkgs/nixos/modules/services/networking/dnscrypt-wrapper.nix
+++ b/nixpkgs/nixos/modules/services/networking/dnscrypt-wrapper.nix
@@ -142,6 +142,7 @@ in {
description = "dnscrypt-wrapper daemon user";
home = "${dataDir}";
createHome = true;
+ isSystemUser = true;
};
users.groups.dnscrypt-wrapper = { };
diff --git a/nixpkgs/nixos/modules/services/networking/dnsdist.nix b/nixpkgs/nixos/modules/services/networking/dnsdist.nix
index 12eee136e63..8249da69bc1 100644
--- a/nixpkgs/nixos/modules/services/networking/dnsdist.nix
+++ b/nixpkgs/nixos/modules/services/networking/dnsdist.nix
@@ -46,11 +46,10 @@ in {
RestartSec="1";
DynamicUser = true;
StartLimitInterval="0";
- PrivateTmp=true;
PrivateDevices=true;
- CapabilityBoundingSet="CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID";
+ AmbientCapabilities="CAP_NET_BIND_SERVICE";
+ CapabilityBoundingSet="CAP_NET_BIND_SERVICE";
ExecStart = "${pkgs.dnsdist}/bin/dnsdist --supervised --disable-syslog --config ${configFile}";
- ProtectSystem="full";
ProtectHome=true;
RestrictAddressFamilies="AF_UNIX AF_INET AF_INET6";
LimitNOFILE="16384";
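Review bot: Dropping `PrivateTmp=true` and `ProtectSystem="full"` reads like lost hardening unless the reader knows that `DynamicUser = true` already implies `PrivateTmp=yes` and `ProtectSystem=strict`. A one-line comment above `DynamicUser`, such as `# DynamicUser implies PrivateTmp and ProtectSystem=strict, so they are not set explicitly`, would record that for the next maintainer. Narrowing `CapabilityBoundingSet` to `CAP_NET_BIND_SERVICE` assumes dnsdist no longer switches uid/gid itself when started with `--supervised`; that is not visible in this hunk.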
diff --git a/nixpkgs/nixos/modules/services/networking/eternal-terminal.nix b/nixpkgs/nixos/modules/services/networking/eternal-terminal.nix
index be7337ece7e..a2e5b30dc0f 100644
--- a/nixpkgs/nixos/modules/services/networking/eternal-terminal.nix
+++ b/nixpkgs/nixos/modules/services/networking/eternal-terminal.nix
@@ -23,6 +23,8 @@ in
type = types.int;
description = ''
The port the server should listen on. Will use the server's default (2022) if not specified.
+
+ Make sure to open this port in the firewall if necessary.
'';
};
@@ -86,4 +88,8 @@ in
};
};
};
+
+ meta = {
+ maintainers = with lib.maintainers; [ pingiun ];
+ };
}
diff --git a/nixpkgs/nixos/modules/services/networking/go-shadowsocks2.nix b/nixpkgs/nixos/modules/services/networking/go-shadowsocks2.nix
new file mode 100644
index 00000000000..afbd7ea27c6
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/networking/go-shadowsocks2.nix
@@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.services.go-shadowsocks2.server;
+in {
+ options.services.go-shadowsocks2.server = {
+ enable = mkEnableOption "go-shadowsocks2 server";
+
+ listenAddress = mkOption {
+ type = types.str;
+ description = "Server listen address or URL";
+ example = "ss://AEAD_CHACHA20_POLY1305:your-password@:8488";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.go-shadowsocks2-server = {
+ description = "go-shadowsocks2 server";
+
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ ExecStart = "${pkgs.go-shadowsocks2}/bin/go-shadowsocks2 -s '${cfg.listenAddress}'";
+ DynamicUser = true;
+ };
+ };
+ };
+}
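Review bot: `listenAddress` is expected to carry the password inside the URL (the example is `ss://AEAD_CHACHA20_POLY1305:your-password@:8488`) and is interpolated straight into `ExecStart`, so the secret ends up in the world-readable Nix store unit file and in the process arguments that every local user can list. At minimum the option description should state that; better is to take the secret from a file path outside the store and assemble the argument when the service starts. The hand-written quotes in `'${cfg.listenAddress}'` also break if the value contains a single quote, which `${escapeShellArg cfg.listenAddress}` avoids.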
diff --git a/nixpkgs/nixos/modules/services/networking/hans.nix b/nixpkgs/nixos/modules/services/networking/hans.nix
index 20e57e4626e..4f60300f5ff 100644
--- a/nixpkgs/nixos/modules/services/networking/hans.nix
+++ b/nixpkgs/nixos/modules/services/networking/hans.nix
@@ -138,6 +138,7 @@ in
users.users = singleton {
name = hansUser;
description = "Hans daemon user";
+ isSystemUser = true;
};
};
diff --git a/nixpkgs/nixos/modules/services/networking/haproxy.nix b/nixpkgs/nixos/modules/services/networking/haproxy.nix
index 0438d0bf8d8..aff71e5e97d 100644
--- a/nixpkgs/nixos/modules/services/networking/haproxy.nix
+++ b/nixpkgs/nixos/modules/services/networking/haproxy.nix
@@ -1,7 +1,16 @@
{ config, lib, pkgs, ... }:
+
let
cfg = config.services.haproxy;
- haproxyCfg = pkgs.writeText "haproxy.conf" cfg.config;
+
+ haproxyCfg = pkgs.writeText "haproxy.conf" ''
+ global
+ # needed for hot-reload to work without dropping packets in multi-worker mode
+ stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level user
+
+ ${cfg.config}
+ '';
+
in
with lib;
{
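Review bot: The description of `services.haproxy.config` (visible in the next hunk) still reads as if the option were the whole file, but `haproxyCfg` now prepends a generated `global` section with a stats socket. The option text should say this, for example `A global section that defines the stats socket /run/haproxy/haproxy.sock is prepended to this text.`, so that users do not define a second socket on the same path. The socket path depends on `RuntimeDirectory = "haproxy"`, which is set in a later hunk of this file.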
@@ -25,9 +34,7 @@ with lib;
<filename>haproxy.conf</filename>.
'';
};
-
};
-
};
config = mkIf cfg.enable {
@@ -42,21 +49,16 @@ with lib;
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
- Type = "forking";
- PIDFile = "/run/haproxy.pid";
- ExecStartPre = "${pkgs.haproxy}/sbin/haproxy -c -q -f ${haproxyCfg}";
- ExecStart = "${pkgs.haproxy}/sbin/haproxy -D -f ${haproxyCfg} -p /run/haproxy.pid";
- ExecReload = "-${pkgs.bash}/bin/bash -c \"exec ${pkgs.haproxy}/sbin/haproxy -D -f ${haproxyCfg} -p /run/haproxy.pid -sf $MAINPID\"";
+ DynamicUser = true;
+ Type = "notify";
+ # when running the config test, don't be quiet so we can see what goes wrong
+ ExecStartPre = "${pkgs.haproxy}/sbin/haproxy -c -f ${haproxyCfg}";
+ ExecStart = "${pkgs.haproxy}/sbin/haproxy -Ws -f ${haproxyCfg}";
+ Restart = "on-failure";
+ RuntimeDirectory = "haproxy";
+ # needed in case we bind to port < 1024
+ AmbientCapabilities = "CAP_NET_BIND_SERVICE";
};
};
-
- environment.systemPackages = [ pkgs.haproxy ];
-
- users.users.haproxy = {
- group = "haproxy";
- uid = config.ids.uids.haproxy;
- };
-
- users.groups.haproxy.gid = config.ids.uids.haproxy;
};
}
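Review bot: The new `serviceConfig` drops `ExecReload` without a replacement, although the comment added with the stats socket says the socket is there so that hot reload works. With `-Ws` the master process reloads on SIGUSR2, so `ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";` would keep `systemctl reload haproxy` meaningful. The hunk also removes the static `haproxy` user and group in favour of `DynamicUser`, so an existing `services.haproxy.config` that contains `user haproxy` or `group haproxy` would presumably fail at start; a release note or an assertion would help.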
diff --git a/nixpkgs/nixos/modules/services/networking/jormungandr.nix b/nixpkgs/nixos/modules/services/networking/jormungandr.nix
deleted file mode 100644
index 152cceb4bf9..00000000000
--- a/nixpkgs/nixos/modules/services/networking/jormungandr.nix
+++ /dev/null
@@ -1,102 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
- cfg = config.services.jormungandr;
-
- inherit (lib) mkEnableOption mkIf mkOption;
- inherit (lib) optionalString types;
-
- dataDir = "/var/lib/jormungandr";
-
- # Default settings so far, as the service matures we will
- # move these out as separate settings
- configSettings = {
- storage = dataDir;
- p2p = {
- public_address = "/ip4/127.0.0.1/tcp/8299";
- topics_of_interest = {
- messages = "high";
- blocks = "high";
- };
- };
- rest = {
- listen = "127.0.0.1:8607";
- };
- };
-
- configFile = if cfg.configFile == null then
- pkgs.writeText "jormungandr.yaml" (builtins.toJSON configSettings)
- else cfg.configFile;
-
-in {
-
- options = {
-
- services.jormungandr = {
- enable = mkEnableOption "jormungandr service";
-
- configFile = mkOption {
- type = types.nullOr types.path;
- default = null;
- example = "/var/lib/jormungandr/node.yaml";
- description = ''
- The path of the jormungandr blockchain configuration file in YAML format.
- If no file is specified, a file is generated using the other options.
- '';
- };
-
- secretFile = mkOption {
- type = types.nullOr types.path;
- default = null;
- example = "/etc/secret/jormungandr.yaml";
- description = ''
- The path of the jormungandr blockchain secret node configuration file in
- YAML format. Do not store this in nix store!
- '';
- };
-
- genesisBlockHash = mkOption {
- type = types.nullOr types.str;
- default = null;
- example = "d70495af81ae8600aca3e642b2427327cb6001ec4d7a0037e96a00dabed163f9";
- description = ''
- Set the genesis block hash (the hash of the block0) so we can retrieve
- the genesis block (and the blockchain configuration) from the existing
- storage or from the network.
- '';
- };
-
- genesisBlockFile = mkOption {
- type = types.nullOr types.path;
- default = null;
- example = "/var/lib/jormungandr/block-0.bin";
- description = ''
- The path of the genesis block file if we are hosting it locally.
- '';
- };
-
- };
- };
-
- config = mkIf cfg.enable {
-
- systemd.services.jormungandr = {
- description = "jormungandr server";
- wantedBy = [ "multi-user.target" ];
- after = [ "network-online.target" ];
- environment = {
- RUST_BACKTRACE = "full";
- };
- serviceConfig = {
- DynamicUser = true;
- StateDirectory = baseNameOf dataDir;
- ExecStart = ''
- ${pkgs.jormungandr}/bin/jormungandr --config ${configFile} \
- ${optionalString (cfg.secretFile != null) " --secret ${cfg.secretFile}"} \
- ${optionalString (cfg.genesisBlockHash != null) " --genesis-block-hash ${cfg.genesisBlockHash}"} \
- ${optionalString (cfg.genesisBlockFile != null) " --genesis-block ${cfg.genesisBlockFile}"}
- '';
- };
- };
- };
-}
diff --git a/nixpkgs/nixos/modules/services/networking/matterbridge.nix b/nixpkgs/nixos/modules/services/networking/matterbridge.nix
index 1fd63348c16..682eaa6eb29 100644
--- a/nixpkgs/nixos/modules/services/networking/matterbridge.nix
+++ b/nixpkgs/nixos/modules/services/networking/matterbridge.nix
@@ -95,6 +95,7 @@ in
users.users = optional (cfg.user == "matterbridge")
{ name = "matterbridge";
group = "matterbridge";
+ isSystemUser = true;
};
users.groups = optional (cfg.group == "matterbridge")
diff --git a/nixpkgs/nixos/modules/services/networking/morty.nix b/nixpkgs/nixos/modules/services/networking/morty.nix
index 1b3084fe9ab..e3a6444c116 100644
--- a/nixpkgs/nixos/modules/services/networking/morty.nix
+++ b/nixpkgs/nixos/modules/services/networking/morty.nix
@@ -74,6 +74,7 @@ in
{ description = "Morty user";
createHome = true;
home = "/var/lib/morty";
+ isSystemUser = true;
};
systemd.services.morty =
diff --git a/nixpkgs/nixos/modules/services/networking/nat.nix b/nixpkgs/nixos/modules/services/networking/nat.nix
index 89d8590093d..5681bda51cb 100644
--- a/nixpkgs/nixos/modules/services/networking/nat.nix
+++ b/nixpkgs/nixos/modules/services/networking/nat.nix
@@ -29,7 +29,7 @@ let
iptables -w -t nat -N nixos-nat-post
# We can't match on incoming interface in POSTROUTING, so
- # mark packets coming from the external interfaces.
+ # mark packets coming from the internal interfaces.
${concatMapStrings (iface: ''
iptables -w -t nat -A nixos-nat-pre \
-i '${iface}' -j MARK --set-mark 1
diff --git a/nixpkgs/nixos/modules/services/networking/networkmanager.nix b/nixpkgs/nixos/modules/services/networking/networkmanager.nix
index 05a78d1c448..90d1032c41b 100644
--- a/nixpkgs/nixos/modules/services/networking/networkmanager.nix
+++ b/nixpkgs/nixos/modules/services/networking/networkmanager.nix
@@ -17,9 +17,6 @@ let
networkmanager-vpnc
] ++ optional (!delegateWireless && !enableIwd) wpa_supplicant;
- dynamicHostsEnabled =
- cfg.dynamicHosts.enable && cfg.dynamicHosts.hostsDirs != {};
-
delegateWireless = config.networking.wireless.enable == true && cfg.unmanaged != [];
enableIwd = cfg.wifi.backend == "iwd";
@@ -335,55 +332,20 @@ in {
so you don't need to to that yourself.
'';
};
-
- dynamicHosts = {
- enable = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Enabling this option requires the
- <option>networking.networkmanager.dns</option> option to be
- set to <literal>dnsmasq</literal>. If enabled, the directories
- defined by the
- <option>networking.networkmanager.dynamicHosts.hostsDirs</option>
- option will be set up when the service starts. The dnsmasq instance
- managed by NetworkManager will then watch those directories for
- hosts files (see the <literal>--hostsdir</literal> option of
- dnsmasq). This way a non-privileged user can add or override DNS
- entries on the local system (depending on what hosts directories
- that are configured)..
- '';
- };
- hostsDirs = mkOption {
- type = with types; attrsOf (submodule {
- options = {
- user = mkOption {
- type = types.str;
- default = "root";
- description = ''
- The user that will own the hosts directory.
- '';
- };
- group = mkOption {
- type = types.str;
- default = "root";
- description = ''
- The group that will own the hosts directory.
- '';
- };
- };
- });
- default = {};
- description = ''
- Defines a set of directories (relative to
- <literal>/run/NetworkManager/hostdirs</literal>) that dnsmasq will
- watch for hosts files.
- '';
- };
- };
};
};
+ imports = [
+ (mkRemovedOptionModule ["networking" "networkmanager" "dynamicHosts"] ''
+ This option was removed because allowing (multiple) regular users to
+ override host entries affecting the whole system opens up a huge attack
+ vector. There seem to be very rare cases where this might be useful.
+ Consider setting system-wide host entries using networking.hosts, provide
+ them via the DNS server in your network, or use environment.etc
+ to add a file into /etc/NetworkManager/dnsmasq.d reconfiguring hostsdir.
+ '')
+ ];
+
###### implementation
@@ -396,12 +358,6 @@ in {
Except if you mark some interfaces as <literal>unmanaged</literal> by NetworkManager.
'';
}
- { assertion = !dynamicHostsEnabled || (dynamicHostsEnabled && cfg.dns == "dnsmasq");
- message = ''
- To use networking.networkmanager.dynamicHosts you also need to set
- `networking.networkmanager.dns = "dnsmasq"`
- '';
- }
];
environment.etc = with pkgs; [
@@ -435,12 +391,6 @@ in {
target = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}";
mode = "0544";
}) cfg.dispatcherScripts
- ++ optional dynamicHostsEnabled
- { target = "NetworkManager/dnsmasq.d/dyndns.conf";
- text = concatMapStrings (n: ''
- hostsdir=/run/NetworkManager/hostsdirs/${n}
- '') (attrNames cfg.dynamicHosts.hostsDirs);
- }
++ optional cfg.enableStrongSwan
{ source = "${pkgs.networkmanager_strongswan}/lib/NetworkManager/VPN/nm-strongswan-service.name";
target = "NetworkManager/VPN/nm-strongswan-service.name";
@@ -496,21 +446,6 @@ in {
systemd.services.ModemManager.aliases = [ "dbus-org.freedesktop.ModemManager1.service" ];
- systemd.services.nm-setup-hostsdirs = mkIf dynamicHostsEnabled {
- wantedBy = [ "NetworkManager.service" ];
- before = [ "NetworkManager.service" ];
- partOf = [ "NetworkManager.service" ];
- script = concatStrings (mapAttrsToList (n: d: ''
- mkdir -p "/run/NetworkManager/hostsdirs/${n}"
- chown "${d.user}:${d.group}" "/run/NetworkManager/hostsdirs/${n}"
- chmod 0775 "/run/NetworkManager/hostsdirs/${n}"
- '') cfg.dynamicHosts.hostsDirs);
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- };
- };
-
systemd.services.NetworkManager-dispatcher = {
wantedBy = [ "network.target" ];
restartTriggers = [ configFile ];
@@ -521,15 +456,19 @@ in {
};
# Turn off NixOS' network management when networking is managed entirely by NetworkManager
- networking = (mkIf (!delegateWireless) {
- useDHCP = false;
- # Use mkDefault to trigger the assertion about the conflict above
- wireless.enable = mkDefault false;
- }) // (mkIf cfg.enableStrongSwan {
- networkmanager.packages = [ pkgs.networkmanager_strongswan ];
- }) // (mkIf enableIwd {
- wireless.iwd.enable = true;
- });
+ networking = mkMerge [
+ (mkIf (!delegateWireless) {
+ useDHCP = false;
+ })
+
+ (mkIf cfg.enableStrongSwan {
+ networkmanager.packages = [ pkgs.networkmanager_strongswan ];
+ })
+
+ (mkIf enableIwd {
+ wireless.iwd.enable = true;
+ })
+ ];
security.polkit.extraConfig = polkitConf;
diff --git a/nixpkgs/nixos/modules/services/networking/nghttpx/default.nix b/nixpkgs/nixos/modules/services/networking/nghttpx/default.nix
index d6e1906e388..881a2670f5d 100644
--- a/nixpkgs/nixos/modules/services/networking/nghttpx/default.nix
+++ b/nixpkgs/nixos/modules/services/networking/nghttpx/default.nix
@@ -96,6 +96,7 @@ in
users.groups.nghttpx = { };
users.users.nghttpx = {
group = config.users.groups.nghttpx.name;
+ isSystemUser = true;
};
diff --git a/nixpkgs/nixos/modules/services/networking/owamp.nix b/nixpkgs/nixos/modules/services/networking/owamp.nix
index 821a0258f4b..dbb2e3b4c40 100644
--- a/nixpkgs/nixos/modules/services/networking/owamp.nix
+++ b/nixpkgs/nixos/modules/services/networking/owamp.nix
@@ -21,6 +21,7 @@ in
name = "owamp";
group = "owamp";
description = "Owamp daemon";
+ isSystemUser = true;
};
users.groups = singleton {
diff --git a/nixpkgs/nixos/modules/services/networking/pdns-recursor.nix b/nixpkgs/nixos/modules/services/networking/pdns-recursor.nix
index ebfdd9f35b7..e55ea363378 100644
--- a/nixpkgs/nixos/modules/services/networking/pdns-recursor.nix
+++ b/nixpkgs/nixos/modules/services/networking/pdns-recursor.nix
@@ -91,10 +91,18 @@ in {
forwardZones = mkOption {
type = types.attrs;
+ default = {};
+ description = ''
+ DNS zones to be forwarded to other authoritative servers.
+ '';
+ };
+
+ forwardZonesRecurse = mkOption {
+ type = types.attrs;
example = { eth = "127.0.0.1:5353"; };
default = {};
description = ''
- DNS zones to be forwarded to other servers.
+ DNS zones to be forwarded to other recursive servers.
'';
};
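Review bot: `forwardZones` loses its `example` in this hunk, because the existing example line now belongs to `forwardZonesRecurse`, and both options stay `types.attrs`, which accepts any value. Give `forwardZones` its own example, such as `example = { "example.org" = "192.0.2.1:53"; };` (constructed value). `types.attrsOf types.str` on both options would report a wrong value against the option instead of as a coercion error in `"${zone}.=${uri}"`.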
@@ -158,7 +166,8 @@ in {
webserver-port = cfg.api.port;
webserver-allow-from = cfg.api.allowFrom;
- forward-zones = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZones;
+ forward-zones = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZones;
+ forward-zones-recurse = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZonesRecurse;
export-etc-hosts = cfg.exportHosts;
dnssec = cfg.dnssecValidation;
serve-rfc1918 = cfg.serveRFC1918;
diff --git a/nixpkgs/nixos/modules/services/networking/smokeping.nix b/nixpkgs/nixos/modules/services/networking/smokeping.nix
index d4d0594a9cd..b48b0b3a9d6 100644
--- a/nixpkgs/nixos/modules/services/networking/smokeping.nix
+++ b/nixpkgs/nixos/modules/services/networking/smokeping.nix
@@ -299,7 +299,8 @@ in
mkdir -m 0755 -p ${smokepingHome}/cache ${smokepingHome}/data
rm -f ${smokepingHome}/cropper
ln -s ${cfg.package}/htdocs/cropper ${smokepingHome}/cropper
- cp ${cgiHome} ${smokepingHome}/smokeping.fcgi
+ rm -f ${smokepingHome}/smokeping.fcgi
+ ln -s ${cgiHome} ${smokepingHome}/smokeping.fcgi
${cfg.package}/bin/smokeping --check --config=${configPath}
${cfg.package}/bin/smokeping --static --config=${configPath}
'';
@@ -314,5 +315,7 @@ in
serviceConfig.Restart = "always";
};
};
+
+ meta.maintainers = with lib.maintainers; [ erictapen ];
}
diff --git a/nixpkgs/nixos/modules/services/networking/stunnel.nix b/nixpkgs/nixos/modules/services/networking/stunnel.nix
index cbc899f2b4d..ab51bba2f6a 100644
--- a/nixpkgs/nixos/modules/services/networking/stunnel.nix
+++ b/nixpkgs/nixos/modules/services/networking/stunnel.nix
@@ -57,7 +57,13 @@ let
};
CAPath = mkOption {
- type = types.path;
+ type = types.nullOr types.path;
+ default = null;
+ description = "Path to a directory containing certificates to validate against.";
+ };
+
+ CAFile = mkOption {
+ type = types.nullOr types.path;
default = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
description = "Path to a file containing certificates to validate against.";
};
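Review bot: `CAFile` defaults to the system bundle while `CAPath` now defaults to `null`, so a client that sets only `CAPath` to a private CA directory presumably still trusts every CA in `ca-bundle.crt` unless it also sets `CAFile = null`. The descriptions should state this, for example by ending the `CAFile` description with `Set to null to trust only the certificates in CAPath.` An assertion that at least one of the two is non-null when `verifyChain` or `verifyPeer` is enabled would catch the opposite mistake.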
@@ -196,6 +202,7 @@ in
verifyChain = ${yesNo v.verifyChain}
verifyPeer = ${yesNo v.verifyPeer}
${optionalString (v.CAPath != null) "CApath = ${v.CAPath}"}
+ ${optionalString (v.CAFile != null) "CAFile = ${v.CAFile}"}
${optionalString (v.verifyHostname != null) "checkHost = ${v.verifyHostname}"}
OCSPaia = yes
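Review bot: The added line writes the option name as `CAFile`, while the line above it uses stunnel's own spelling `CApath`; stunnel documents the file option as `CAfile`. If option names are matched case-insensitively this works, but `"CAfile = ${v.CAFile}"` keeps the generated configuration consistent with the manual and with the neighbouring line.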
@@ -216,6 +223,12 @@ in
};
};
+ meta.maintainers = with maintainers; [
+ # Server side
+ lschuermann
+ # Client side
+ das_j
+ ];
};
}
diff --git a/nixpkgs/nixos/modules/services/networking/syncthing.nix b/nixpkgs/nixos/modules/services/networking/syncthing.nix
index 165fd5970cf..b3f2af5b179 100644
--- a/nixpkgs/nixos/modules/services/networking/syncthing.nix
+++ b/nixpkgs/nixos/modules/services/networking/syncthing.nix
@@ -18,6 +18,7 @@ let
fsWatcherEnabled = folder.watch;
fsWatcherDelayS = folder.watchDelay;
ignorePerms = folder.ignorePerms;
+ versioning = folder.versioning;
}) (filterAttrs (
_: folder:
folder.enable
@@ -220,6 +221,69 @@ in {
'';
};
+ versioning = mkOption {
+ default = null;
+ description = ''
+ How to keep changed/deleted files with syncthing.
+ There are 4 different types of versioning with different parameters.
+ See https://docs.syncthing.net/users/versioning.html
+ '';
+ example = [
+ {
+ versioning = {
+ type = "simple";
+ params.keep = "10";
+ };
+ }
+ {
+ versioning = {
+ type = "trashcan";
+ params.cleanoutDays = "1000";
+ };
+ }
+ {
+ versioning = {
+ type = "staggered";
+ params = {
+ cleanInterval = "3600";
+ maxAge = "31536000";
+ versionsPath = "/syncthing/backup";
+ };
+ };
+ }
+ {
+ versioning = {
+ type = "external";
+ params.versionsPath = pkgs.writers.writeBash "backup" ''
+ folderpath="$1"
+ filepath="$2"
+ rm -rf "$folderpath/$filepath"
+ '';
+ };
+ }
+ ];
+ type = with types; nullOr (submodule {
+ options = {
+ type = mkOption {
+ type = enum [ "external" "simple" "staggered" "trashcan" ];
+ description = ''
+ Type of versioning.
+ See https://docs.syncthing.net/users/versioning.html
+ '';
+ };
+ params = mkOption {
+ type = attrsOf (either str path);
+ description = ''
+ Parameters for versioning. Structure depends on versioning.type.
+ See https://docs.syncthing.net/users/versioning.html
+ '';
+ };
+ };
+ });
+ };
+
+
+
rescanInterval = mkOption {
type = types.int;
default = 3600;
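Review bot: The `example` for `versioning` is a list of four attribute sets that each wrap the value in another `versioning = { … }`, but the option type is `nullOr (submodule …)`, so none of the entries is a value this option accepts as written. Show one valid value, e.g. `example = { type = "simple"; params.keep = "10"; };`, and describe the other types in the description. The `external` entry passes its script as `params.versionsPath`, while the linked Syncthing documentation describes external versioning as running a command, so that key should be checked; the script shown also deletes the file instead of keeping a version. `params` has no default, so a versioning type that needs no parameters presumably fails evaluation; `default = {};` would avoid that.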
diff --git a/nixpkgs/nixos/modules/services/networking/thelounge.nix b/nixpkgs/nixos/modules/services/networking/thelounge.nix
index b1d23372955..875d8f66169 100644
--- a/nixpkgs/nixos/modules/services/networking/thelounge.nix
+++ b/nixpkgs/nixos/modules/services/networking/thelounge.nix
@@ -56,6 +56,7 @@ in {
users.users.thelounge = {
description = "thelounge service user";
group = "thelounge";
+ isSystemUser = true;
};
users.groups.thelounge = {};
systemd.services.thelounge = {
diff --git a/nixpkgs/nixos/modules/services/networking/tinydns.nix b/nixpkgs/nixos/modules/services/networking/tinydns.nix
index 7d5db71601e..79507b2ebcd 100644
--- a/nixpkgs/nixos/modules/services/networking/tinydns.nix
+++ b/nixpkgs/nixos/modules/services/networking/tinydns.nix
@@ -32,11 +32,12 @@ with lib;
config = mkIf config.services.tinydns.enable {
environment.systemPackages = [ pkgs.djbdns ];
- users.users.tinydns = {};
+ users.users.tinydns.isSystemUser = true;
systemd.services.tinydns = {
description = "djbdns tinydns server";
wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
path = with pkgs; [ daemontools djbdns ];
preStart = ''
rm -rf /var/lib/tinydns
diff --git a/nixpkgs/nixos/modules/services/networking/trickster.nix b/nixpkgs/nixos/modules/services/networking/trickster.nix
new file mode 100644
index 00000000000..8760dd5a938
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/networking/trickster.nix
@@ -0,0 +1,112 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.trickster;
+in
+{
+
+ options = {
+ services.trickster = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Enable Trickster.
+ '';
+ };
+
+ package = mkOption {
+ type = types.package;
+ default = pkgs.trickster;
+ defaultText = "pkgs.trickster";
+ description = ''
+ Package that should be used for trickster.
+ '';
+ };
+
+ configFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = ''
+ Path to configuration file.
+ '';
+ };
+
+ instance-id = mkOption {
+ type = types.nullOr types.int;
+ default = null;
+ description = ''
+ Instance ID for when running multiple processes (default null).
+ '';
+ };
+
+ log-level = mkOption {
+ type = types.str;
+ default = "info";
+ description = ''
+ Level of Logging to use (debug, info, warn, error) (default "info").
+ '';
+ };
+
+ metrics-port = mkOption {
+ type = types.port;
+ default = 8082;
+ description = ''
+ Port that the /metrics endpoint will listen on.
+ '';
+ };
+
+ origin = mkOption {
+ type = types.str;
+ default = "http://prometheus:9090";
+ description = ''
+ URL to the Prometheus Origin. Enter it like you would in grafana, e.g., http://prometheus:9090 (default http://prometheus:9090).
+ '';
+ };
+
+ profiler-port = mkOption {
+ type = types.nullOr types.port;
+ default = null;
+ description = ''
+ Port that the /debug/pprof endpoint will listen on.
+ '';
+ };
+
+ proxy-port = mkOption {
+ type = types.port;
+ default = 9090;
+ description = ''
+ Port that the Proxy server will listen on.
+ '';
+ };
+
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.trickster = {
+ description = "Dashboard Accelerator for Prometheus";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ DynamicUser = true;
+ ExecStart = ''
+ ${cfg.package}/bin/trickster \
+ -log-level ${cfg.log-level} \
+ -metrics-port ${toString cfg.metrics-port} \
+ -origin ${cfg.origin} \
+ -proxy-port ${toString cfg.proxy-port} \
+ ${optionalString (cfg.configFile != null) "-config ${cfg.configFile}"} \
+ ${optionalString (cfg.profiler-port != null) "-profiler-port ${cfg.profiler-port}"} \
+ ${optionalString (cfg.instance-id != null) "-instance-id ${cfg.instance-id}"}
+ '';
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ Restart = "always";
+ };
+ };
+
+ };
+}
+
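Review bot: `-profiler-port ${cfg.profiler-port}` and `-instance-id ${cfg.instance-id}` interpolate integers directly into the `ExecStart` string, which Nix does not coerce, so setting either option fails evaluation. The other ports already go through `toString`; use `${toString cfg.profiler-port}` and `${toString cfg.instance-id}`. `log-level` and `origin` are inserted unquoted as free-form strings; `types.enum [ "debug" "info" "warn" "error" ]` for `log-level` would reject anything outside the documented set.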
diff --git a/nixpkgs/nixos/modules/services/networking/vsftpd.nix b/nixpkgs/nixos/modules/services/networking/vsftpd.nix
index 67be60da567..90093d9a78d 100644
--- a/nixpkgs/nixos/modules/services/networking/vsftpd.nix
+++ b/nixpkgs/nixos/modules/services/networking/vsftpd.nix
@@ -34,6 +34,15 @@ let
};
optionDescription = [
+ (yesNoOption "allowWriteableChroot" "allow_writeable_chroot" false ''
+ Allow the use of writeable root inside chroot().
+ '')
+ (yesNoOption "virtualUseLocalPrivs" "virtual_use_local_privs" false ''
+ If enabled, virtual users will use the same privileges as local
+ users. By default, virtual users will use the same privileges as
+ anonymous users, which tends to be more restrictive (especially
+ in terms of write access).
+ '')
(yesNoOption "anonymousUser" "anonymous_enable" false ''
Whether to enable the anonymous FTP user.
'')
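Review bot: The description of `allowWriteableChroot` does not say why the option defaults to off. vsftpd refuses to run a session in a chroot that the logged-in user can write to as a hardening measure, so the text should state that enabling the option removes that check, e.g. `Allow the use of a writeable root inside chroot(). vsftpd refuses this by default as a security precaution; enable it only if the chroot directory itself must be writable.`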
@@ -76,9 +85,21 @@ let
outgoing data connections can only connect to the client. Only enable if you
know what you are doing!
'')
- (yesNoOption "ssl_tlsv1" "ssl_tlsv1" true '' '')
- (yesNoOption "ssl_sslv2" "ssl_sslv2" false '' '')
- (yesNoOption "ssl_sslv3" "ssl_sslv3" false '' '')
+ (yesNoOption "ssl_tlsv1" "ssl_tlsv1" true ''
+ Only applies if <option>ssl_enable</option> is activated. If
+ enabled, this option will permit TLS v1 protocol connections.
+ TLS v1 connections are preferred.
+ '')
+ (yesNoOption "ssl_sslv2" "ssl_sslv2" false ''
+ Only applies if <option>ssl_enable</option> is activated. If
+ enabled, this option will permit SSL v2 protocol connections.
+ TLS v1 connections are preferred.
+ '')
+ (yesNoOption "ssl_sslv3" "ssl_sslv3" false ''
+ Only applies if <option>ssl_enable</option> is activated. If
+ enabled, this option will permit SSL v3 protocol connections.
+ TLS v1 connections are preferred.
+ '')
];
configFile = pkgs.writeText "vsftpd.conf"
@@ -98,6 +119,9 @@ let
listen=YES
nopriv_user=vsftpd
secure_chroot_dir=/var/empty
+ ${optionalString (cfg.localRoot != null) ''
+ local_root=${cfg.localRoot}
+ ''}
syslog_enable=YES
${optionalString (pkgs.stdenv.hostPlatform.system == "x86_64-linux") ''
seccomp_sandbox=NO
@@ -106,6 +130,11 @@ let
${optionalString cfg.anonymousUser ''
anon_root=${cfg.anonymousUserHome}
''}
+ ${optionalString cfg.enableVirtualUsers ''
+ guest_enable=YES
+ guest_username=vsftpd
+ pam_service_name=vsftpd
+ ''}
${cfg.extraConfig}
'';
@@ -119,10 +148,7 @@ in
services.vsftpd = {
- enable = mkOption {
- default = false;
- description = "Whether to enable the vsftpd FTP server.";
- };
+ enable = mkEnableOption "vsftpd";
userlist = mkOption {
default = [];
@@ -143,6 +169,61 @@ in
'';
};
+ enableVirtualUsers = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable the <literal>pam_userdb</literal>-based
+ virtual user system
+ '';
+ };
+
+ userDbPath = mkOption {
+ type = types.nullOr types.str;
+ example = "/etc/vsftpd/userDb";
+ default = null;
+ description = ''
+ Only applies if <option>enableVirtualUsers</option> is true.
+ Path pointing to the <literal>pam_userdb</literal> user
+ database used by vsftpd to authenticate the virtual users.
+
+ This user list should be stored in the Berkeley DB database
+ format.
+
+ To generate a new user database, create a text file, add
+ your users using the following format:
+ <programlisting>
+ user1
+ password1
+ user2
+ password2
+ </programlisting>
+
+ You can then install <literal>pkgs.db</literal> to generate
+ the Berkeley DB using
+ <programlisting>
+ db_load -T -t hash -f logins.txt userDb.db
+ </programlisting>
+
+ Caution: <literal>pam_userdb</literal> will automatically
+ append a <literal>.db</literal> suffix to the filename you
+ provide though this option. This option shouldn't include
+ this filetype suffix.
+ '';
+ };
+
+ localRoot = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ example = "/var/www/$USER";
+ description = ''
+ This option represents a directory which vsftpd will try to
+ change into after a local (i.e. non- anonymous) login.
+
+ Failure is silently ignored.
+ '';
+ };
+
anonymousUserHome = mkOption {
type = types.path;
default = "/home/ftp/";
@@ -186,18 +267,25 @@ in
config = mkIf cfg.enable {
- assertions = singleton
+ assertions = [
{ assertion =
(cfg.forceLocalLoginsSSL -> cfg.rsaCertFile != null)
&& (cfg.forceLocalDataSSL -> cfg.rsaCertFile != null);
message = "vsftpd: If forceLocalLoginsSSL or forceLocalDataSSL is true then a rsaCertFile must be provided!";
- };
+ }
+ {
+ assertion = (cfg.enableVirtualUsers -> cfg.userDbPath != null)
+ && (cfg.enableVirtualUsers -> cfg.localUsers != null);
+ message = "vsftpd: If enableVirtualUsers is true, you need to setup both the userDbPath and localUsers options.";
+ }];
users.users =
[ { name = "vsftpd";
uid = config.ids.uids.vsftpd;
description = "VSFTPD user";
- home = "/homeless-shelter";
+ home = if cfg.localRoot != null
+ then cfg.localRoot # <= Necessary for virtual users.
+ else "/homeless-shelter";
}
] ++ optional cfg.anonymousUser
{ name = "ftp";
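Review bot: The second assertion tests `cfg.localUsers != null`, which looks always true if `localUsers` is one of the boolean `yesNoOption`s (its definition is outside this hunk), so the check would never fire. If the intent is that virtual users need local logins enabled, write `(cfg.enableVirtualUsers -> cfg.localUsers)`. The `home` of the `vsftpd` user is also set to `cfg.localRoot`, whose documented example is `/var/www/$USER`; that literal string would become the account's home directory, so a separate option or a fixed directory is safer.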
@@ -213,23 +301,24 @@ in
# = false and whitelist root
services.vsftpd.userlist = if cfg.userlistDeny then ["root"] else [];
- systemd.services.vsftpd =
- { description = "Vsftpd Server";
+ systemd = {
+ tmpfiles.rules = optional cfg.anonymousUser
+ #Type Path Mode User Gr Age Arg
+ "d '${builtins.toString cfg.anonymousUserHome}' 0555 'ftp' 'ftp' - -";
+ services.vsftpd = {
+ description = "Vsftpd Server";
wantedBy = [ "multi-user.target" ];
- preStart =
- optionalString cfg.anonymousUser
- ''
- mkdir -p -m 555 ${cfg.anonymousUserHome}
- chown -R ftp:ftp ${cfg.anonymousUserHome}
- '';
-
serviceConfig.ExecStart = "@${vsftpd}/sbin/vsftpd vsftpd ${configFile}";
serviceConfig.Restart = "always";
serviceConfig.Type = "forking";
};
+ };
+ security.pam.services.vsftpd.text = mkIf (cfg.enableVirtualUsers && cfg.userDbPath != null)''
+ auth required pam_userdb.so db=${cfg.userDbPath}
+ account required pam_userdb.so db=${cfg.userDbPath}
+ '';
};
-
}
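Review bot: The generated PAM stack calls `pam_userdb.so db=…` without a `crypt=` argument, so the database holds passwords that are compared as plain text, which matches the `db_load` recipe in the `userDbPath` description. That description should tell the user to keep the database readable by root only and to delete the plaintext `logins.txt` after loading it. Adding `crypt=crypt` to both lines, with hashed entries in the database, would keep a leaked database from exposing the passwords directly.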
diff --git a/nixpkgs/nixos/modules/services/networking/wireguard.nix b/nixpkgs/nixos/modules/services/networking/wireguard.nix
index 4176da2c8cb..980961225c9 100644
--- a/nixpkgs/nixos/modules/services/networking/wireguard.nix
+++ b/nixpkgs/nixos/modules/services/networking/wireguard.nix
@@ -112,6 +112,32 @@ let
Determines whether to add allowed IPs as routes or not.
'';
};
+
+ socketNamespace = mkOption {
+ default = null;
+ type = with types; nullOr str;
+ example = "container";
+ description = ''The pre-existing network namespace in which the
+ WireGuard interface is created, and which retains the socket even if the
+ interface is moved via <option>interfaceNamespace</option>. When
+ <literal>null</literal>, the interface is created in the init namespace.
+ See <link
+ xlink:href="https://www.wireguard.com/netns/">documentation</link>.
+ '';
+ };
+
+ interfaceNamespace = mkOption {
+ default = null;
+ type = with types; nullOr str;
+ example = "init";
+ description = ''The pre-existing network namespace the WireGuard
+ interface is moved to. The special value <literal>init</literal> means
+ the init namespace. When <literal>null</literal>, the interface is not
+ moved.
+ See <link
+ xlink:href="https://www.wireguard.com/netns/">documentation</link>.
+ '';
+ };
};
};
@@ -239,6 +265,10 @@ let
if peer.presharedKey != null
then pkgs.writeText "wg-psk" peer.presharedKey
else peer.presharedKeyFile;
+ src = interfaceCfg.socketNamespace;
+ dst = interfaceCfg.interfaceNamespace;
+ ip = nsWrap "ip" src dst;
+ wg = nsWrap "wg" src dst;
in nameValuePair "wireguard-${interfaceName}-peer-${unitName}"
{
description = "WireGuard Peer - ${interfaceName} - ${peer.publicKey}";
@@ -255,16 +285,16 @@ let
};
script = let
- wg_setup = "wg set ${interfaceName} peer ${peer.publicKey}" +
+ wg_setup = "${wg} set ${interfaceName} peer ${peer.publicKey}" +
optionalString (psk != null) " preshared-key ${psk}" +
optionalString (peer.endpoint != null) " endpoint ${peer.endpoint}" +
optionalString (peer.persistentKeepalive != null) " persistent-keepalive ${toString peer.persistentKeepalive}" +
optionalString (peer.allowedIPs != []) " allowed-ips ${concatStringsSep "," peer.allowedIPs}";
route_setup =
- optionalString (interfaceCfg.allowedIPsAsRoutes != false)
+ optionalString interfaceCfg.allowedIPsAsRoutes
(concatMapStringsSep "\n"
(allowedIP:
- "ip route replace ${allowedIP} dev ${interfaceName} table ${interfaceCfg.table}"
+ "${ip} route replace ${allowedIP} dev ${interfaceName} table ${interfaceCfg.table}"
) peer.allowedIPs);
in ''
${wg_setup}
@@ -272,13 +302,13 @@ let
'';
postStop = let
- route_destroy = optionalString (interfaceCfg.allowedIPsAsRoutes != false)
+ route_destroy = optionalString interfaceCfg.allowedIPsAsRoutes
(concatMapStringsSep "\n"
(allowedIP:
- "ip route delete ${allowedIP} dev ${interfaceName} table ${interfaceCfg.table}"
+ "${ip} route delete ${allowedIP} dev ${interfaceName} table ${interfaceCfg.table}"
) peer.allowedIPs);
in ''
- wg set ${interfaceName} peer ${peer.publicKey} remove
+ ${wg} set ${interfaceName} peer ${peer.publicKey} remove
${route_destroy}
'';
};
@@ -287,6 +317,13 @@ let
# exactly one way to specify the private key must be set
#assert (values.privateKey != null) != (values.privateKeyFile != null);
let privKey = if values.privateKeyFile != null then values.privateKeyFile else pkgs.writeText "wg-key" values.privateKey;
+ src = values.socketNamespace;
+ dst = values.interfaceNamespace;
+ ipPreMove = nsWrap "ip" src null;
+ ipPostMove = nsWrap "ip" src dst;
+ wg = nsWrap "wg" src dst;
+ ns = if dst == "init" then "1" else dst;
+
in
nameValuePair "wireguard-${name}"
{
@@ -307,26 +344,33 @@ let
${values.preSetup}
- ip link add dev ${name} type wireguard
+ ${ipPreMove} link add dev ${name} type wireguard
+ ${optionalString (values.interfaceNamespace != null && values.interfaceNamespace != values.socketNamespace) "${ipPreMove} link set ${name} netns ${ns}"}
${concatMapStringsSep "\n" (ip:
- "ip address add ${ip} dev ${name}"
+ "${ipPostMove} address add ${ip} dev ${name}"
) values.ips}
- wg set ${name} private-key ${privKey} ${
+ ${wg} set ${name} private-key ${privKey} ${
optionalString (values.listenPort != null) " listen-port ${toString values.listenPort}"}
- ip link set up dev ${name}
+ ${ipPostMove} link set up dev ${name}
${values.postSetup}
'';
postStop = ''
- ip link del dev ${name}
+ ${ipPostMove} link del dev ${name}
${values.postShutdown}
'';
};
+ nsWrap = cmd: src: dst:
+ let
+ nsList = filter (ns: ns != null) [ src dst ];
+ ns = last nsList;
+ in
+ if (length nsList > 0 && ns != "init") then "ip netns exec ${ns} ${cmd}" else cmd;
in
{
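Review bot: `nsWrap` and the `link set ${name} netns ${ns}` line splice the namespace names into the unit's shell script unquoted, and `types.str` accepts any string, so a name containing a space or a shell metacharacter changes the command that runs. Use `escapeShellArg`, e.g. `"ip netns exec ${escapeShellArg ns} ${cmd}"`, or restrict the option type to valid namespace names. `nsWrap` would also benefit from a comment such as `# Run cmd in dst if set, else in src; "init" or no namespace means no wrapper.`, since the helper is used in the peer and interface units defined in earlier hunks.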
diff --git a/nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix b/nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix
index 294c0d70ede..8f05c3949fb 100644
--- a/nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix
+++ b/nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix
@@ -236,9 +236,12 @@ in {
${if ifaces == [] then ''
for i in $(cd /sys/class/net && echo *); do
DEVTYPE=
- source /sys/class/net/$i/uevent
- if [ "$DEVTYPE" = "wlan" -o -e /sys/class/net/$i/wireless ]; then
- ifaces="$ifaces''${ifaces:+ -N} -i$i"
+ UEVENT_PATH=/sys/class/net/$i/uevent
+ if [ -e "$UEVENT_PATH" ]; then
+ source "$UEVENT_PATH"
+ if [ "$DEVTYPE" = "wlan" -o -e /sys/class/net/$i/wireless ]; then
+ ifaces="$ifaces''${ifaces:+ -N} -i$i"
+ fi
fi
done
'' else ''
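Review bot: `source "$UEVENT_PATH"` still evaluates the whole uevent file as shell code inside a root unit script, only to obtain `DEVTYPE`; the added `-e` check fixes the missing-file case but not that. Reading just the one key keeps kernel-supplied text from being interpreted, e.g. `while IFS== read -r k v; do [ "$k" = DEVTYPE ] && DEVTYPE=$v; done < "$UEVENT_PATH"`. Quoting `"/sys/class/net/$i/wireless"` in the test on the following line is worth doing at the same time. The surrounding script begins and ends outside this hunk.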
diff --git a/nixpkgs/nixos/modules/services/networking/yggdrasil.nix b/nixpkgs/nixos/modules/services/networking/yggdrasil.nix
new file mode 100644
index 00000000000..5d65f8e3413
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/networking/yggdrasil.nix
@@ -0,0 +1,187 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+ cfg = config.services.yggdrasil;
+ configProvided = (cfg.config != {});
+ configAsFile = (if configProvided then
+ toString (pkgs.writeTextFile {
+ name = "yggdrasil-conf";
+ text = builtins.toJSON cfg.config;
+ })
+ else null);
+ configFileProvided = (cfg.configFile != null);
+ generateConfig = (
+ if configProvided && configFileProvided then
+ "${pkgs.jq}/bin/jq -s add /run/yggdrasil/configFile.json ${configAsFile}"
+ else if configProvided then
+ "cat ${configAsFile}"
+ else if configFileProvided then
+ "cat /run/yggdrasil/configFile.json"
+ else
+ "${cfg.package}/bin/yggdrasil -genconf"
+ );
+
+in {
+ options = with types; {
+ services.yggdrasil = {
+ enable = mkEnableOption "the yggdrasil system service";
+
+ configFile = mkOption {
+ type = nullOr str;
+ default = null;
+ example = "/run/keys/yggdrasil.conf";
+ description = ''
+ A file which contains JSON configuration for yggdrasil.
+
+ You do not have to supply a complete configuration, as
+ yggdrasil will use default values for anything which is
+ omitted. If the encryption and signing keys are omitted,
+ yggdrasil will generate new ones each time the service is
+ started, resulting in a random IPv6 address on the yggdrasil
+ network each time.
+
+ If both this option and <option>config</option> are
+ supplied, they will be combined, with values from
+ <option>config</option> taking precedence.
+
+ You can use the command <code>nix-shell -p yggdrasil --run
+ "yggdrasil -genconf -json"</code> to generate a default
+ JSON configuration.
+ '';
+ };
+
+ config = mkOption {
+ type = attrs;
+ default = {};
+ example = {
+ Peers = [
+ "tcp://aa.bb.cc.dd:eeeee"
+ "tcp://[aaaa:bbbb:cccc:dddd::eeee]:fffff"
+ ];
+ Listen = [
+ "tcp://0.0.0.0:xxxxx"
+ ];
+ };
+ description = ''
+ Configuration for yggdrasil, as a Nix attribute set.
+
+ Warning: this is stored in the WORLD-READABLE Nix store!
+ Therefore, it is not appropriate for private keys. If you
+ do not specify the keys, yggdrasil will generate a new set
+ each time the service is started, creating a random IPv6
+ address on the yggdrasil network each time.
+
+ If you wish to specify the keys, use
+ <option>configFile</option>. If both
+ <option>configFile</option> and <option>config</option> are
+ supplied, they will be combined, with values from
+ <option>config</option> taking precedence.
+
+ You can use the command <code>nix-shell -p yggdrasil --run
+ "yggdrasil -genconf"</code> to generate default
+ configuration values with documentation.
+ '';
+ };
+
+ openMulticastPort = mkOption {
+ type = bool;
+ default = false;
+ description = ''
+ Whether to open the UDP port used for multicast peer
+ discovery. The NixOS firewall blocks link-local
+ communication, so in order to make local peering work you
+ will also need to set <code>LinkLocalTCPPort</code> in your
+ yggdrasil configuration (<option>config</option> or
+ <option>configFile</option>) to a port number other than 0,
+ and then add that port to
+ <option>networking.firewall.allowedTCPPorts</option>.
+ '';
+ };
+
+ denyDhcpcdInterfaces = mkOption {
+ type = listOf str;
+ default = [];
+ example = [ "tap*" ];
+ description = ''
+ Disable the DHCP client for any interface whose name matches
+ any of the shell glob patterns in this list. Use this
+ option to prevent the DHCP client from broadcasting requests
+ on the yggdrasil network. It is only necessary to do so
+ when yggdrasil is running in TAP mode, because TUN
+ interfaces do not support broadcasting.
+ '';
+ };
+
+ package = mkOption {
+ type = package;
+ default = pkgs.yggdrasil;
+ defaultText = "pkgs.yggdrasil";
+ description = "Yggdrasil package to use.";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ assertions = [
+ { assertion = config.networking.enableIPv6;
+ message = "networking.enableIPv6 must be true for yggdrasil to work";
+ }
+ ];
+
+ systemd.services.yggdrasil = {
+ description = "Yggdrasil Network Service";
+ path = [ cfg.package ] ++ optional (configProvided && configFileProvided) pkgs.jq;
+ bindsTo = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ preStart = ''
+ ${generateConfig} | yggdrasil -normaliseconf -useconf > /run/yggdrasil/yggdrasil.conf
+ '';
+
+ serviceConfig = {
+ ExecStart = "${cfg.package}/bin/yggdrasil -useconffile /run/yggdrasil/yggdrasil.conf";
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ Restart = "always";
+
+ RuntimeDirectory = "yggdrasil";
+ RuntimeDirectoryMode = "0700";
+ BindReadOnlyPaths = mkIf configFileProvided
+ [ "${cfg.configFile}:/run/yggdrasil/configFile.json" ];
+
+ # TODO: as of yggdrasil 0.3.8 and systemd 243, yggdrasil fails
+ # to set up the network adapter when DynamicUser is set. See
+ # github.com/yggdrasil-network/yggdrasil-go/issues/557. The
+ # following options are implied by DynamicUser according to
+ # the systemd.exec documentation, and can be removed if the
+ # upstream issue is fixed and DynamicUser is set to true:
+ PrivateTmp = true;
+ RemoveIPC = true;
+ NoNewPrivileges = true;
+ ProtectSystem = "strict";
+ RestrictSUIDSGID = true;
+ # End of list of options implied by DynamicUser.
+
+ AmbientCapabilities = "CAP_NET_ADMIN";
+ CapabilityBoundingSet = "CAP_NET_ADMIN";
+ MemoryDenyWriteExecute = true;
+ ProtectControlGroups = true;
+ ProtectHome = "tmpfs";
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources";
+ };
+ };
+
+ networking.dhcpcd.denyInterfaces = cfg.denyDhcpcdInterfaces;
+ networking.firewall.allowedUDPPorts = mkIf cfg.openMulticastPort [ 9001 ];
+
+ # Make yggdrasilctl available on the command line.
+ environment.systemPackages = [ cfg.package ];
+ };
+ meta.maintainers = with lib.maintainers; [ gazally ];
+}
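Review bot: The `preStart` pipeline `${generateConfig} | yggdrasil -normaliseconf -useconf > /run/yggdrasil/yggdrasil.conf` reports only the exit status of its last command, so a failing `jq` or `cat` (unreadable or malformed `configFile`) goes unnoticed by the script. Whether yggdrasil then rejects the empty input or falls back to defaults is not visible here; if it falls back, the daemon would start with fresh keys and without the peers or restrictions the admin configured. Adding `set -o pipefail` as the first line of `preStart` makes the unit fail instead. Separately, `jq -s add` merges top-level keys only, so a nested object in `config` replaces the one from `configFile` wholesale; the two option descriptions that say "combined" should state this.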
diff --git a/nixpkgs/nixos/modules/services/networking/znc/default.nix b/nixpkgs/nixos/modules/services/networking/znc/default.nix
index 05f97bfa539..0a9848a4934 100644
--- a/nixpkgs/nixos/modules/services/networking/znc/default.nix
+++ b/nixpkgs/nixos/modules/services/networking/znc/default.nix
@@ -239,7 +239,7 @@ in
services.znc = {
configFile = mkDefault (pkgs.writeText "znc-generated.conf" semanticString);
config = {
- Version = (builtins.parseDrvName pkgs.znc.name).version;
+ Version = lib.getVersion pkgs.znc;
Listener.l.Port = mkDefault 5000;
Listener.l.SSL = mkDefault true;
};
diff --git a/nixpkgs/nixos/modules/services/printing/cupsd.nix b/nixpkgs/nixos/modules/services/printing/cupsd.nix
index 3fcae611dc7..1071c05d514 100644
--- a/nixpkgs/nixos/modules/services/printing/cupsd.nix
+++ b/nixpkgs/nixos/modules/services/printing/cupsd.nix
@@ -31,7 +31,7 @@ let
# part of CUPS itself, e.g. the SMB backend is part of Samba. Since
# we can't update ${cups.out}/lib/cups itself, we create a symlink tree
# here and add the additional programs. The ServerBin directive in
- # cupsd.conf tells cupsd to use this tree.
+ # cups-files.conf tells cupsd to use this tree.
bindir = pkgs.buildEnv {
name = "cups-progs";
paths =
diff --git a/nixpkgs/nixos/modules/services/scheduling/marathon.nix b/nixpkgs/nixos/modules/services/scheduling/marathon.nix
index 0961a67770e..2e0d20c64b2 100644
--- a/nixpkgs/nixos/modules/services/scheduling/marathon.nix
+++ b/nixpkgs/nixos/modules/services/scheduling/marathon.nix
@@ -93,6 +93,6 @@ in {
};
};
- users.users.${cfg.user} = { };
+ users.users.${cfg.user}.isSystemUser = true;
};
}
diff --git a/nixpkgs/nixos/modules/services/security/bitwarden_rs/default.nix b/nixpkgs/nixos/modules/services/security/bitwarden_rs/default.nix
index 80fd65891ff..d1817db0755 100644
--- a/nixpkgs/nixos/modules/services/security/bitwarden_rs/default.nix
+++ b/nixpkgs/nixos/modules/services/security/bitwarden_rs/default.nix
@@ -74,7 +74,10 @@ in {
webVaultEnabled = mkDefault true;
};
- users.users.bitwarden_rs = { inherit group; };
+ users.users.bitwarden_rs = {
+ inherit group;
+ isSystemUser = true;
+ };
users.groups.bitwarden_rs = { };
systemd.services.bitwarden_rs = {
diff --git a/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix b/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix
index bb03f7fc9e4..2abb9ec32ac 100644
--- a/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix
+++ b/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix
@@ -546,6 +546,7 @@ in
users.users.oauth2_proxy = {
description = "OAuth2 Proxy";
+ isSystemUser = true;
};
systemd.services.oauth2_proxy = {
diff --git a/nixpkgs/nixos/modules/services/security/vault.nix b/nixpkgs/nixos/modules/services/security/vault.nix
index d5962ba9af9..b0ab8fadcbe 100644
--- a/nixpkgs/nixos/modules/services/security/vault.nix
+++ b/nixpkgs/nixos/modules/services/security/vault.nix
@@ -119,9 +119,8 @@ in
};
users.groups.vault.gid = config.ids.gids.vault;
- systemd.tmpfiles.rules = optional (cfg.storagePath != null) [
- "d '${cfg.storagePath}' 0700 vault vault - -"
- ];
+ systemd.tmpfiles.rules = optional (cfg.storagePath != null)
+ "d '${cfg.storagePath}' 0700 vault vault - -";
systemd.services.vault = {
description = "Vault server daemon";
diff --git a/nixpkgs/nixos/modules/services/torrent/magnetico.nix b/nixpkgs/nixos/modules/services/torrent/magnetico.nix
index 02fa2ac0750..719827713ff 100644
--- a/nixpkgs/nixos/modules/services/torrent/magnetico.nix
+++ b/nixpkgs/nixos/modules/services/torrent/magnetico.nix
@@ -35,6 +35,7 @@ let
(if (cfg.web.credentialsFile != null || cfg.web.credentials != { })
then "--credentials=${toString credFile}"
else "--no-auth")
+ "--addr=${address}:${toString port}"
] ++ extraOptions);
in {
@@ -171,12 +172,13 @@ in {
users.users.magnetico = {
description = "Magnetico daemons user";
+ isSystemUser = true;
};
systemd.services.magneticod = {
description = "Magnetico DHT crawler";
wantedBy = [ "multi-user.target" ];
- after = [ "network-online.target" ];
+ after = [ "network.target" ];
serviceConfig = {
User = "magnetico";
@@ -188,7 +190,7 @@ in {
systemd.services.magneticow = {
description = "Magnetico web interface";
wantedBy = [ "multi-user.target" ];
- after = [ "network-online.target" "magneticod.service"];
+ after = [ "network.target" "magneticod.service"];
serviceConfig = {
User = "magnetico";
@@ -201,7 +203,7 @@ in {
assertions =
[
{
- assertion = cfg.web.credentialsFile != null || cfg.web.credentials != { };
+ assertion = cfg.web.credentialsFile == null || cfg.web.credentials == { };
message = ''
The options services.magnetico.web.credentialsFile and
services.magnetico.web.credentials are mutually exclusives.
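Review bot: With the assertion corrected to `credentialsFile == null || credentials == { }`, a configuration that sets neither option now evaluates, and the argument list in the first hunk of this file then passes `--no-auth` next to the new `--addr=${address}:${toString port}`. Nothing in the visible hunks tells the admin that the web interface is then served without authentication. A warning for that case would make it explicit, e.g. `warnings = optional (cfg.web.credentialsFile == null && cfg.web.credentials == { }) "services.magnetico.web: no credentials configured, magneticow runs with --no-auth";`. The assertion list continues outside this hunk.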
diff --git a/nixpkgs/nixos/modules/services/web-apps/codimd.nix b/nixpkgs/nixos/modules/services/web-apps/codimd.nix
index 7ae7cd9c52d..5f56f8ed5a0 100644
--- a/nixpkgs/nixos/modules/services/web-apps/codimd.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/codimd.nix
@@ -893,6 +893,7 @@ in
extraGroups = cfg.groups;
home = cfg.workDir;
createHome = true;
+ isSystemUser = true;
};
systemd.services.codimd = {
diff --git a/nixpkgs/nixos/modules/services/web-apps/frab.nix b/nixpkgs/nixos/modules/services/web-apps/frab.nix
index 7914e5cc0ee..a9a30b40922 100644
--- a/nixpkgs/nixos/modules/services/web-apps/frab.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/frab.nix
@@ -177,6 +177,7 @@ in
{ name = cfg.user;
group = cfg.group;
home = "${cfg.statePath}";
+ isSystemUser = true;
}
];
diff --git a/nixpkgs/nixos/modules/services/web-apps/gotify-server.nix b/nixpkgs/nixos/modules/services/web-apps/gotify-server.nix
new file mode 100644
index 00000000000..03e01f46a94
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/web-apps/gotify-server.nix
@@ -0,0 +1,49 @@
+{ pkgs, lib, config, ... }:
+
+with lib;
+
+let
+ cfg = config.services.gotify;
+in {
+ options = {
+ services.gotify = {
+ enable = mkEnableOption "Gotify webserver";
+
+ port = mkOption {
+ type = types.port;
+ description = ''
+ Port the server listens to.
+ '';
+ };
+
+ stateDirectoryName = mkOption {
+ type = types.str;
+ default = "gotify-server";
+ description = ''
+ The name of the directory below <filename>/var/lib</filename> where
+ gotify stores its runtime data.
+ '';
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.gotify-server = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ description = "Simple server for sending and receiving messages";
+
+ environment = {
+ GOTIFY_SERVER_PORT = toString cfg.port;
+ };
+
+ serviceConfig = {
+ WorkingDirectory = "/var/lib/${cfg.stateDirectoryName}";
+ StateDirectory = cfg.stateDirectoryName;
+ Restart = "always";
+ DynamicUser = "yes";
+ ExecStart = "${pkgs.gotify-server}/bin/server";
+ };
+ };
+ };
+}
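Review bot: The module sets nothing but `GOTIFY_SERVER_PORT`, so the server starts with upstream defaults for everything else, and no option description says so. As far as I know gotify creates its initial admin account from built-in default credentials on first start; the module documentation should tell the admin to change that password right after enabling the service. An option that feeds `serviceConfig.EnvironmentFile` would let such settings be supplied without writing them to the world-readable Nix store. `port` also has no `default` or `example`, which means enabling the service without setting it fails at evaluation; its description should mention that it is mandatory.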
diff --git a/nixpkgs/nixos/modules/services/web-apps/limesurvey.nix b/nixpkgs/nixos/modules/services/web-apps/limesurvey.nix
index 68b57a9b90d..bd524524130 100644
--- a/nixpkgs/nixos/modules/services/web-apps/limesurvey.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/limesurvey.nix
@@ -277,7 +277,10 @@ in
systemd.services.httpd.after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service";
- users.users.${user}.group = group;
+ users.users.${user} = {
+ group = group;
+ isSystemUser = true;
+ };
};
}
diff --git a/nixpkgs/nixos/modules/services/web-apps/matomo-doc.xml b/nixpkgs/nixos/modules/services/web-apps/matomo-doc.xml
index 8485492c51c..69d1170e452 100644
--- a/nixpkgs/nixos/modules/services/web-apps/matomo-doc.xml
+++ b/nixpkgs/nixos/modules/services/web-apps/matomo-doc.xml
@@ -86,12 +86,6 @@ GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'localhost';
<itemizedlist>
<listitem>
<para>
- Matomo's file integrity check will warn you. This is due to the patches
- necessary for NixOS, you can safely ignore this.
- </para>
- </listitem>
- <listitem>
- <para>
Matomo will warn you that the JavaScript tracker is not writable. This is
because it's located in the read-only nix store. You can safely ignore
this, unless you need a plugin that needs JavaScript tracker access.
@@ -105,7 +99,7 @@ GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'localhost';
<para>
You can use other web servers by forwarding calls for
<filename>index.php</filename> and <filename>piwik.php</filename> to the
- <literal>/run/phpfpm-matomo.sock</literal> fastcgi unix socket. You can use
+ <literal><link linkend="opt-services.phpfpm.pools._name_.socket">services.phpfpm.pools.&lt;name&gt;.socket</link></literal> fastcgi unix socket. You can use
the nginx configuration in the module code as a reference to what else
should be configured.
</para>
diff --git a/nixpkgs/nixos/modules/services/web-apps/matomo.nix b/nixpkgs/nixos/modules/services/web-apps/matomo.nix
index 1e34aff8d17..352cc4c647b 100644
--- a/nixpkgs/nixos/modules/services/web-apps/matomo.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/matomo.nix
@@ -2,15 +2,13 @@
with lib;
let
cfg = config.services.matomo;
+ fpm = config.services.phpfpm.pools.${pool};
user = "matomo";
dataDir = "/var/lib/${user}";
deprecatedDataDir = "/var/lib/piwik";
pool = user;
- # it's not possible to use /run/phpfpm/${pool}.sock because /run/phpfpm/ is root:root 0770,
- # and therefore is not accessible by the web server.
- phpSocket = "/run/phpfpm-${pool}.sock";
phpExecutionUnit = "phpfpm-${pool}";
databaseService = "mysql.service";
@@ -50,7 +48,7 @@ in {
default = null;
example = "lighttpd";
description = ''
- Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for Matomo if the nginx
+ Name of the web server user that forwards requests to <option>services.phpfpm.pools.&lt;name&gt;.socket</option> the fastcgi socket for Matomo if the nginx
option is not used. Either this option or the nginx option is mandatory.
If you want to use another webserver than nginx, you need to set this to that server's user
and pass fastcgi requests to `index.php`, `matomo.php` and `piwik.php` (legacy name) to this socket.
@@ -71,25 +69,6 @@ in {
'';
};
- phpfpmProcessManagerConfig = mkOption {
- type = types.str;
- default = ''
- ; default phpfpm process manager settings
- pm = dynamic
- pm.max_children = 75
- pm.start_servers = 10
- pm.min_spare_servers = 5
- pm.max_spare_servers = 20
- pm.max_requests = 500
-
- ; log worker's stdout, but this has a performance hit
- catch_workers_output = yes
- '';
- description = ''
- Settings for phpfpm's process manager. You might need to change this depending on the load for Matomo.
- '';
- };
-
nginx = mkOption {
type = types.nullOr (types.submodule (
recursiveUpdate
@@ -233,15 +212,24 @@ in {
else if (cfg.webServerUser != null) then cfg.webServerUser else "";
in {
${pool} = {
- listen = phpSocket;
- extraConfig = ''
- listen.owner = ${socketOwner}
- listen.group = root
- listen.mode = 0600
- user = ${user}
- env[PIWIK_USER_PATH] = ${dataDir}
- ${cfg.phpfpmProcessManagerConfig}
+ inherit user;
+ phpOptions = ''
+ error_log = 'stderr'
+ log_errors = on
'';
+ settings = mapAttrs (name: mkDefault) {
+ "listen.owner" = socketOwner;
+ "listen.group" = "root";
+ "listen.mode" = "0660";
+ "pm" = "dynamic";
+ "pm.max_children" = 75;
+ "pm.start_servers" = 10;
+ "pm.min_spare_servers" = 5;
+ "pm.max_spare_servers" = 20;
+ "pm.max_requests" = 500;
+ "catch_workers_output" = true;
+ };
+ phpEnv.PIWIK_USER_PATH = dataDir;
};
};
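Review bot: `"listen.mode" = "0660"` loosens the socket from the `0600` that the removed `extraConfig` used, and the hunk gives no reason for it. With `listen.group` still `root` the extra bits only grant access to the root group, so either keep `"0600"` or add a comment saying why group access is needed. Every entry is also wrapped in `mkDefault`, so any other definition of `listen.owner` or `listen.mode` for this pool takes precedence without notice; a short comment on the `mapAttrs (name: mkDefault)` line should say that this is intended. The pool definition starts outside this hunk.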
@@ -264,15 +252,15 @@ in {
};
# allow index.php for webinterface
locations."= /index.php".extraConfig = ''
- fastcgi_pass unix:${phpSocket};
+ fastcgi_pass unix:${fpm.socket};
'';
# allow matomo.php for tracking
locations."= /matomo.php".extraConfig = ''
- fastcgi_pass unix:${phpSocket};
+ fastcgi_pass unix:${fpm.socket};
'';
# allow piwik.php for tracking (deprecated name)
locations."= /piwik.php".extraConfig = ''
- fastcgi_pass unix:${phpSocket};
+ fastcgi_pass unix:${fpm.socket};
'';
# Any other attempt to access any php files is forbidden
locations."~* ^.+\\.php$".extraConfig = ''
diff --git a/nixpkgs/nixos/modules/services/web-apps/mediawiki.nix b/nixpkgs/nixos/modules/services/web-apps/mediawiki.nix
index ec2568bf952..43edc04e1a4 100644
--- a/nixpkgs/nixos/modules/services/web-apps/mediawiki.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/mediawiki.nix
@@ -461,7 +461,10 @@ in
systemd.services.httpd.after = optional (cfg.database.createLocally && cfg.database.type == "mysql") "mysql.service";
- users.users.${user}.group = group;
+ users.users.${user} = {
+ group = group;
+ isSystemUser = true;
+ };
environment.systemPackages = [ mediawikiScripts ];
};
diff --git a/nixpkgs/nixos/modules/services/web-apps/moinmoin.nix b/nixpkgs/nixos/modules/services/web-apps/moinmoin.nix
new file mode 100644
index 00000000000..0fee64be0bb
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/web-apps/moinmoin.nix
@@ -0,0 +1,303 @@
+{ config, lib, pkgs, ... }:
+with lib;
+
+let
+ cfg = config.services.moinmoin;
+ python = pkgs.python27;
+ pkg = python.pkgs.moinmoin;
+ dataDir = "/var/lib/moin";
+ usingGunicorn = cfg.webServer == "nginx-gunicorn" || cfg.webServer == "gunicorn";
+ usingNginx = cfg.webServer == "nginx-gunicorn";
+ user = "moin";
+ group = "moin";
+
+ uLit = s: ''u"${s}"'';
+ indentLines = n: str: concatMapStrings (line: "${fixedWidthString n " " " "}${line}\n") (splitString "\n" str);
+
+ moinCliWrapper = wikiIdent: pkgs.writeShellScriptBin "moin-${wikiIdent}" ''
+ ${pkgs.su}/bin/su -s ${pkgs.runtimeShell} -c "${pkg}/bin/moin --config-dir=/var/lib/moin/${wikiIdent}/config $*" ${user}
+ '';
+
+ wikiConfig = wikiIdent: w: ''
+ # -*- coding: utf-8 -*-
+
+ from MoinMoin.config import multiconfig, url_prefix_static
+
+ class Config(multiconfig.DefaultConfig):
+ ${optionalString (w.webLocation != "/") ''
+ url_prefix_static = '${w.webLocation}' + url_prefix_static
+ ''}
+
+ sitename = u'${w.siteName}'
+ page_front_page = u'${w.frontPage}'
+
+ data_dir = '${dataDir}/${wikiIdent}/data'
+ data_underlay_dir = '${dataDir}/${wikiIdent}/underlay'
+
+ language_default = u'${w.languageDefault}'
+ ${optionalString (w.superUsers != []) ''
+ superuser = [${concatMapStringsSep ", " uLit w.superUsers}]
+ ''}
+
+ ${indentLines 4 w.extraConfig}
+ '';
+ wikiConfigFile = name: wiki: pkgs.writeText "${name}.py" (wikiConfig name wiki);
+
+in
+{
+ options.services.moinmoin = with types; {
+ enable = mkEnableOption "MoinMoin Wiki Engine";
+
+ webServer = mkOption {
+ type = enum [ "nginx-gunicorn" "gunicorn" "none" ];
+ default = "nginx-gunicorn";
+ example = "none";
+ description = ''
+ Which web server to use to serve the wiki.
+ Use <literal>none</literal> if you want to configure this yourself.
+ '';
+ };
+
+ gunicorn.workers = mkOption {
+ type = ints.positive;
+ default = 3;
+ example = 10;
+ description = ''
+ The number of worker processes for handling requests.
+ '';
+ };
+
+ wikis = mkOption {
+ type = attrsOf (submodule ({ name, ... }: {
+ options = {
+ siteName = mkOption {
+ type = str;
+ default = "Untitled Wiki";
+ example = "ExampleWiki";
+ description = ''
+ Short description of your wiki site, displayed below the logo on each page, and
+ used in RSS documents as the channel title.
+ '';
+ };
+
+ webHost = mkOption {
+ type = str;
+ description = "Host part of the wiki URL. If undefined, the name of the attribute set will be used.";
+ example = "wiki.example.org";
+ };
+
+ webLocation = mkOption {
+ type = str;
+ default = "/";
+ example = "/moin";
+ description = "Location part of the wiki URL.";
+ };
+
+ frontPage = mkOption {
+ type = str;
+ default = "LanguageSetup";
+ example = "FrontPage";
+ description = ''
+ Front page name. Set this to something like <literal>FrontPage</literal> once languages are
+ configured.
+ '';
+ };
+
+ superUsers = mkOption {
+ type = listOf str;
+ default = [];
+ example = [ "elvis" ];
+ description = ''
+ List of trusted user names with wiki system administration super powers.
+
+ Please note that accounts for these users need to be created using the <command>moin</command> command-line utility, e.g.:
+ <command>moin-<replaceable>WIKINAME</replaceable> account create --name=<replaceable>NAME</replaceable> --email=<replaceable>EMAIL</replaceable> --password=<replaceable>PASSWORD</replaceable></command>.
+ '';
+ };
+
+ languageDefault = mkOption {
+ type = str;
+ default = "en";
+ example = "de";
+ description = "The ISO-639-1 name of the main wiki language. Languages that MoinMoin does not support are ignored.";
+ };
+
+ extraConfig = mkOption {
+ type = lines;
+ default = "";
+ example = ''
+ show_hosts = True
+ search_results_per_page = 100
+ acl_rights_default = u"Known:read,write,delete,revert All:read"
+ logo_string = u"<h2>\U0001f639</h2>"
+ theme_default = u"modernized"
+
+ user_checkbox_defaults = {'show_page_trail': 0, 'edit_on_doubleclick': 0}
+ navi_bar = [u'SomePage'] + multiconfig.DefaultConfig.navi_bar
+ actions_excluded = multiconfig.DefaultConfig.actions_excluded + ['newaccount']
+
+ mail_smarthost = "mail.example.org"
+ mail_from = u"Example.Org Wiki <wiki@example.org>"
+ '';
+ description = ''
+ Additional configuration to be appended verbatim to this wiki's config.
+
+ See <link xlink:href='http://moinmo.in/HelpOnConfiguration' /> for documentation.
+ '';
+ };
+
+ };
+ config = {
+ webHost = mkDefault name;
+ };
+ }));
+ example = literalExample ''
+ {
+ "mywiki" = {
+ siteName = "Example Wiki";
+ webHost = "wiki.example.org";
+ superUsers = [ "admin" ];
+ frontPage = "Index";
+ extraConfig = "page_category_regex = ur'(?P<all>(Category|Kategorie)(?P<key>(?!Template)\S+))'"
+ };
+ }
+ '';
+ description = ''
+ Configurations of the individual wikis. Attribute names must be valid Python
+ identifiers of the form <literal>[A-Za-z_][A-Za-z0-9_]*</literal>.
+
+ For every attribute <replaceable>WIKINAME</replaceable>, a helper script
+ moin-<replaceable>WIKINAME</replaceable> is created which runs the
+ <command>moin</command> command under the <literal>moin</literal> user (to avoid
+ file ownership issues) and with the right configuration directory passed to it.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ assertions = forEach (attrNames cfg.wikis) (wname:
+ { assertion = builtins.match "[A-Za-z_][A-Za-z0-9_]*" wname != null;
+ message = "${wname} is not valid Python identifier";
+ }
+ );
+
+ users.users = {
+ moin = {
+ description = "MoinMoin wiki";
+ home = dataDir;
+ group = group;
+ isSystemUser = true;
+ };
+ };
+
+ users.groups = {
+ moin = {
+ members = mkIf usingNginx [ config.services.nginx.user ];
+ };
+ };
+
+ environment.systemPackages = [ pkg ] ++ map moinCliWrapper (attrNames cfg.wikis);
+
+ systemd.services = mkIf usingGunicorn
+ (flip mapAttrs' cfg.wikis (wikiIdent: wiki:
+ nameValuePair "moin-${wikiIdent}"
+ {
+ description = "MoinMoin wiki ${wikiIdent} - gunicorn process";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ restartIfChanged = true;
+ restartTriggers = [ (wikiConfigFile wikiIdent wiki) ];
+
+ environment = let
+ penv = python.buildEnv.override {
+ # setuptools: https://github.com/benoitc/gunicorn/issues/1716
+ extraLibs = [ python.pkgs.gevent python.pkgs.setuptools pkg ];
+ };
+ in {
+ PYTHONPATH = "${dataDir}/${wikiIdent}/config:${penv}/${python.sitePackages}";
+ };
+
+ preStart = ''
+ umask 0007
+ rm -rf ${dataDir}/${wikiIdent}/underlay
+ cp -r ${pkg}/share/moin/underlay ${dataDir}/${wikiIdent}/
+ chmod -R u+w ${dataDir}/${wikiIdent}/underlay
+ '';
+
+ serviceConfig = {
+ User = user;
+ Group = group;
+ WorkingDirectory = "${dataDir}/${wikiIdent}";
+ ExecStart = ''${python.pkgs.gunicorn}/bin/gunicorn moin_wsgi \
+ --name gunicorn-${wikiIdent} \
+ --workers ${toString cfg.gunicorn.workers} \
+ --worker-class gevent \
+ --bind unix:/run/moin/${wikiIdent}/gunicorn.sock
+ '';
+
+ Restart = "on-failure";
+ RestartSec = "2s";
+ StartLimitIntervalSec = "30s";
+
+ StateDirectory = "moin/${wikiIdent}";
+ StateDirectoryMode = "0750";
+ RuntimeDirectory = "moin/${wikiIdent}";
+ RuntimeDirectoryMode = "0750";
+
+ NoNewPrivileges = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateNetwork = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ };
+ }
+ ));
+
+ services.nginx = mkIf usingNginx {
+ enable = true;
+ virtualHosts = flip mapAttrs' cfg.wikis (name: w: nameValuePair w.webHost {
+ forceSSL = mkDefault true;
+ enableACME = mkDefault true;
+ locations."${w.webLocation}" = {
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+
+ proxy_pass http://unix:/run/moin/${name}/gunicorn.sock;
+ '';
+ };
+ });
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /run/moin 0750 ${user} ${group} - -"
+ "d ${dataDir} 0550 ${user} ${group} - -"
+ ]
+ ++ (concatLists (flip mapAttrsToList cfg.wikis (wikiIdent: wiki: [
+ "d ${dataDir}/${wikiIdent} 0750 ${user} ${group} - -"
+ "d ${dataDir}/${wikiIdent}/config 0550 ${user} ${group} - -"
+ "L+ ${dataDir}/${wikiIdent}/config/wikiconfig.py - - - - ${wikiConfigFile wikiIdent wiki}"
+ # needed in order to pass module name to gunicorn
+ "L+ ${dataDir}/${wikiIdent}/config/moin_wsgi.py - - - - ${pkg}/share/moin/server/moin.wsgi"
+ # seed data files
+ "C ${dataDir}/${wikiIdent}/data 0770 ${user} ${group} - ${pkg}/share/moin/data"
+ # fix nix store permissions
+ "Z ${dataDir}/${wikiIdent}/data 0770 ${user} ${group} - -"
+ ])));
+ };
+
+ meta.maintainers = with lib.maintainers; [ b42 ];
+}
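Review bot: `moinCliWrapper` pastes `$*` into the string given to `su -c`, so the wrapper's arguments are flattened and parsed a second time by the shell running as `moin`; an argument containing a space, quote, `$` or `;` is split or interpreted instead of reaching `moin` intact. The `superUsers` description sends admins through exactly this path with `--password=PASSWORD`. Passing the arguments as a real argv avoids the second parse, for example with util-linux's `runuser -u ${user} -- ${pkg}/bin/moin --config-dir=${dataDir}/${wikiIdent}/config "$@"`. That form also replaces the hard-coded `/var/lib/moin` with the `dataDir` binding the rest of the file uses.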
diff --git a/nixpkgs/nixos/modules/services/web-apps/moodle.nix b/nixpkgs/nixos/modules/services/web-apps/moodle.nix
index 211bc17ee19..ac59f9e0012 100644
--- a/nixpkgs/nixos/modules/services/web-apps/moodle.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/moodle.nix
@@ -309,7 +309,9 @@ in
systemd.services.httpd.after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service";
- users.users.${user}.group = group;
-
+ users.users.${user} = {
+ group = group;
+ isSystemUser = true;
+ };
};
}
diff --git a/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix b/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix
index db5dc915c89..b67f0880878 100644
--- a/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix
@@ -390,6 +390,7 @@ in {
in {
wantedBy = [ "multi-user.target" ];
before = [ "phpfpm-nextcloud.service" ];
+ path = [ occ ];
script = ''
chmod og+x ${cfg.home}
ln -sf ${pkgs.nextcloud}/apps ${cfg.home}/
@@ -467,7 +468,7 @@ in {
};
"/" = {
priority = 200;
- extraConfig = "rewrite ^ /index.php$request_uri;";
+ extraConfig = "rewrite ^ /index.php;";
};
"~ ^/store-apps" = {
priority = 201;
@@ -494,6 +495,7 @@ in {
extraConfig = ''
include ${config.services.nginx.package}/conf/fastcgi.conf;
fastcgi_split_path_info ^(.+\.php)(\\/.*)$;
+ try_files $fastcgi_script_name =404;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS ${if cfg.https then "on" else "off"};
fastcgi_param modHeadersAvailable true;
@@ -531,6 +533,7 @@ in {
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
+ add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
client_max_body_size ${cfg.maxUploadSize};
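Review bot: The `Strict-Transport-Security` header is emitted unconditionally although the file has a `cfg.https` switch (see the `fastcgi_param HTTPS` line in the previous hunk), and `includeSubDomains` commits every subdomain of the host to HTTPS for 180 days. Sibling subdomains that are not served over TLS would become unreachable for browsers that have seen the header. Consider tying it to the switch and leaving the subdomain scope to the admin, e.g. `${optionalString cfg.https "add_header Strict-Transport-Security \"max-age=15552000\" always;"}`, assuming `optionalString` is in scope here. The server block starts and ends outside this hunk.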
diff --git a/nixpkgs/nixos/modules/services/web-apps/nexus.nix b/nixpkgs/nixos/modules/services/web-apps/nexus.nix
index 3af97e146d0..d4d507362c9 100644
--- a/nixpkgs/nixos/modules/services/web-apps/nexus.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/nexus.nix
@@ -68,6 +68,7 @@ in
-Dkaraf.data=${cfg.home}/nexus3
-Djava.io.tmpdir=${cfg.home}/nexus3/tmp
-Dkaraf.startLocalConsole=false
+ -Djava.endorsed.dirs=${cfg.package}/lib/endorsed
'';
description = ''
diff --git a/nixpkgs/nixos/modules/services/web-apps/trac.nix b/nixpkgs/nixos/modules/services/web-apps/trac.nix
new file mode 100644
index 00000000000..207fb857438
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/web-apps/trac.nix
@@ -0,0 +1,79 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.services.trac;
+
+ inherit (lib) mkEnableOption mkIf mkOption types;
+
+in {
+
+ options = {
+
+ services.trac = {
+ enable = mkEnableOption "Trac service";
+
+ listen = {
+ ip = mkOption {
+ type = types.str;
+ default = "0.0.0.0";
+ description = ''
+ IP address that Trac should listen on.
+ '';
+ };
+
+ port = mkOption {
+ type = types.port;
+ default = 8000;
+ description = ''
+ Listen port for Trac.
+ '';
+ };
+ };
+
+ dataDir = mkOption {
+ default = "/var/lib/trac";
+ type = types.path;
+ description = ''
+ The directory for storing the Trac data.
+ '';
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Open ports in the firewall for Trac.
+ '';
+ };
+ };
+
+ };
+
+ config = mkIf cfg.enable {
+
+ systemd.services.trac = {
+ description = "Trac server";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ DynamicUser = true;
+ StateDirectory = baseNameOf cfg.dataDir;
+ ExecStart = ''
+ ${pkgs.trac}/bin/tracd -s \
+ -b ${toString cfg.listen.ip} \
+ -p ${toString cfg.listen.port} \
+ ${cfg.dataDir}
+ '';
+ };
+ preStart = ''
+ if [ ! -e ${cfg.dataDir}/VERSION ]; then
+ ${pkgs.trac}/bin/trac-admin ${cfg.dataDir} initenv Trac "sqlite:db/trac.db"
+ fi
+ '';
+ };
+
+ networking.firewall = mkIf cfg.openFirewall {
+ allowedTCPPorts = [ cfg.listen.port ];
+ };
+
+ };
+}
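Review bot: `StateDirectory = baseNameOf cfg.dataDir` matches the path given to `tracd` and `trac-admin` only while `dataDir` sits directly under `/var/lib`. For any other value systemd prepares `/var/lib/<basename>`, while both commands still use `${cfg.dataDir}`, which the sandbox implied by `DynamicUser = true` is likely to leave unwritable. An assertion would turn that into a clear evaluation error, e.g. `{ assertion = cfg.dataDir == "/var/lib/${baseNameOf cfg.dataDir}"; message = "services.trac.dataDir must be directly below /var/lib"; }`. The `listen.ip` description should also say that the default `0.0.0.0` serves on every interface and that the unit configures no authentication for `tracd`; `127.0.0.1` would be the more conservative default.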
diff --git a/nixpkgs/nixos/modules/services/web-apps/virtlyst.nix b/nixpkgs/nixos/modules/services/web-apps/virtlyst.nix
index e5c0bff2168..37bdbb0e3b4 100644
--- a/nixpkgs/nixos/modules/services/web-apps/virtlyst.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/virtlyst.nix
@@ -54,6 +54,7 @@ in
home = stateDir;
createHome = true;
group = mkIf config.virtualisation.libvirtd.enable "libvirtd";
+ isSystemUser = true;
};
systemd.services.virtlyst = {
diff --git a/nixpkgs/nixos/modules/services/web-apps/wordpress.nix b/nixpkgs/nixos/modules/services/web-apps/wordpress.nix
index e311dd917dd..f1370c2854b 100644
--- a/nixpkgs/nixos/modules/services/web-apps/wordpress.nix
+++ b/nixpkgs/nixos/modules/services/web-apps/wordpress.nix
@@ -367,7 +367,10 @@ in
})
];
- users.users.${user}.group = group;
+ users.users.${user} = {
+ group = group;
+ isSystemUser = true;
+ };
};
}
diff --git a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix
index b0374d949fc..f5a6051b4b5 100644
--- a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix
@@ -6,6 +6,8 @@ let
mainCfg = config.services.httpd;
+ runtimeDir = "/run/httpd";
+
httpd = mainCfg.package.out;
httpdConf = mainCfg.configFile;
@@ -27,103 +29,29 @@ let
listenToString = l: "${l.ip}:${toString l.port}";
- extraModules = attrByPath ["extraModules"] [] mainCfg;
- extraForeignModules = filter isAttrs extraModules;
- extraApacheModules = filter isString extraModules;
-
-
- makeServerInfo = cfg: {
- # Canonical name must not include a trailing slash.
- canonicalNames =
- let defaultPort = (head (defaultListen cfg)).port; in
- map (port:
- (if cfg.enableSSL then "https" else "http") + "://" +
- cfg.hostName +
- (if port != defaultPort then ":${toString port}" else "")
- ) (map (x: x.port) (getListen cfg));
-
- # Admin address: inherit from the main server if not specified for
- # a virtual host.
- adminAddr = if cfg.adminAddr != null then cfg.adminAddr else mainCfg.adminAddr;
-
- vhostConfig = cfg;
- serverConfig = mainCfg;
- fullConfig = config; # machine config
- };
-
-
allHosts = [mainCfg] ++ mainCfg.virtualHosts;
-
- callSubservices = serverInfo: defs:
- let f = svc:
- let
- svcFunction =
- if svc ? function then svc.function
- # instead of using serviceType="mediawiki"; you can copy mediawiki.nix to any location outside nixpkgs, modify it at will, and use serviceExpression=./mediawiki.nix;
- else if svc ? serviceExpression then import (toString svc.serviceExpression)
- else import (toString "${toString ./.}/${if svc ? serviceType then svc.serviceType else svc.serviceName}.nix");
- config = (evalModules
- { modules = [ { options = res.options; config = svc.config or svc; } ];
- check = false;
- }).config;
- defaults = {
- extraConfig = "";
- extraModules = [];
- extraModulesPre = [];
- extraPath = [];
- extraServerPath = [];
- globalEnvVars = [];
- robotsEntries = "";
- startupScript = "";
- enablePHP = false;
- enablePerl = false;
- phpOptions = "";
- options = {};
- documentRoot = null;
- };
- res = defaults // svcFunction { inherit config lib pkgs serverInfo php; };
- in res;
- in map f defs;
-
-
- # !!! callSubservices is expensive
- subservicesFor = cfg: callSubservices (makeServerInfo cfg) cfg.extraSubservices;
-
- mainSubservices = subservicesFor mainCfg;
-
- allSubservices = mainSubservices ++ concatMap subservicesFor mainCfg.virtualHosts;
-
-
enableSSL = any (vhost: vhost.enableSSL) allHosts;
+ enableUserDir = any (vhost: vhost.enableUserDir) allHosts;
- # Names of modules from ${httpd}/modules that we want to load.
- apacheModules =
- [ # HTTP authentication mechanisms: basic and digest.
- "auth_basic" "auth_digest"
-
- # Authentication: is the user who he claims to be?
- "authn_file" "authn_dbm" "authn_anon" "authn_core"
-
- # Authorization: is the user allowed access?
- "authz_user" "authz_groupfile" "authz_host" "authz_core"
-
- # Other modules.
- "ext_filter" "include" "log_config" "env" "mime_magic"
- "cern_meta" "expires" "headers" "usertrack" /* "unique_id" */ "setenvif"
- "mime" "dav" "status" "autoindex" "asis" "info" "dav_fs"
- "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling"
- "userdir" "alias" "rewrite" "proxy" "proxy_http"
- "unixd" "cache" "cache_disk" "slotmem_shm" "socache_shmcb"
+ # NOTE: generally speaking order of modules is very important
+ modules =
+ [ # required apache modules our httpd service cannot run without
+ "authn_core" "authz_core"
+ "log_config"
+ "mime" "autoindex" "negotiation" "dir"
+ "alias" "rewrite"
+ "unixd" "slotmem_shm" "socache_shmcb"
"mpm_${mainCfg.multiProcessingModule}"
-
- # For compatibility with old configurations, the new module mod_access_compat is provided.
- "access_compat"
]
++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ])
++ optional enableSSL "ssl"
- ++ extraApacheModules;
+ ++ optional enableUserDir "userdir"
+ ++ optional mainCfg.enableMellon { name = "auth_mellon"; path = "${pkgs.apacheHttpdPackages.mod_auth_mellon}/modules/mod_auth_mellon.so"; }
+ ++ optional mainCfg.enablePHP { name = "php${phpMajorVersion}"; path = "${php}/modules/libphp${phpMajorVersion}.so"; }
+ ++ optional mainCfg.enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; }
+ ++ mainCfg.extraModules;
allDenied = "Require all denied";
@@ -147,20 +75,22 @@ let
browserHacks = ''
- BrowserMatch "Mozilla/2" nokeepalive
- BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
- BrowserMatch "RealPlayer 4\.0" force-response-1.0
- BrowserMatch "Java/1\.0" force-response-1.0
- BrowserMatch "JDK/1\.0" force-response-1.0
- BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
- BrowserMatch "^WebDrive" redirect-carefully
- BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
- BrowserMatch "^gnome-vfs" redirect-carefully
+ <IfModule mod_setenvif.c>
+ BrowserMatch "Mozilla/2" nokeepalive
+ BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
+ BrowserMatch "RealPlayer 4\.0" force-response-1.0
+ BrowserMatch "Java/1\.0" force-response-1.0
+ BrowserMatch "JDK/1\.0" force-response-1.0
+ BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
+ BrowserMatch "^WebDrive" redirect-carefully
+ BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
+ BrowserMatch "^gnome-vfs" redirect-carefully
+ </IfModule>
'';
sslConf = ''
- SSLSessionCache shmcb:${mainCfg.stateDir}/ssl_scache(512000)
+ SSLSessionCache shmcb:${runtimeDir}/ssl_scache(512000)
Mutex posixsem
@@ -188,13 +118,18 @@ let
perServerConf = isMainServer: cfg: let
- serverInfo = makeServerInfo cfg;
-
- subservices = callSubservices serverInfo cfg.extraSubservices;
+ # Canonical name must not include a trailing slash.
+ canonicalNames =
+ let defaultPort = (head (defaultListen cfg)).port; in
+ map (port:
+ (if cfg.enableSSL then "https" else "http") + "://" +
+ cfg.hostName +
+ (if port != defaultPort then ":${toString port}" else "")
+ ) (map (x: x.port) (getListen cfg));
maybeDocumentRoot = fold (svc: acc:
if acc == null then svc.documentRoot else assert svc.documentRoot == null; acc
- ) null ([ cfg ] ++ subservices);
+ ) null ([ cfg ]);
documentRoot = if maybeDocumentRoot != null then maybeDocumentRoot else
pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out";
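Review bot: With `subservices` gone, `maybeDocumentRoot` folds over the single-element list `[ cfg ]`, so the `fold` and its `assert svc.documentRoot == null` can only ever return `cfg.documentRoot`. The binding could be dropped and the following line written as `documentRoot = if cfg.documentRoot != null then cfg.documentRoot else`, which makes it plain that only the host's own option decides the document root. `perServerConf` continues beyond this hunk.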
@@ -209,15 +144,11 @@ let
</Directory>
'';
- robotsTxt =
- concatStringsSep "\n" (filter (x: x != "") (
- # If this is a vhost, the include the entries for the main server as well.
- (if isMainServer then [] else [mainCfg.robotsEntries] ++ map (svc: svc.robotsEntries) mainSubservices)
- ++ [cfg.robotsEntries]
- ++ (map (svc: svc.robotsEntries) subservices)));
+ # If this is a vhost, the include the entries for the main server as well.
+ robotsTxt = concatStringsSep "\n" (filter (x: x != "") ([ cfg.robotsEntries ] ++ lib.optional (!isMainServer) mainCfg.robotsEntries));
in ''
- ${concatStringsSep "\n" (map (n: "ServerName ${n}") serverInfo.canonicalNames)}
+ ${concatStringsSep "\n" (map (n: "ServerName ${n}") canonicalNames)}
${concatMapStrings (alias: "ServerAlias ${alias}\n") cfg.serverAliases}
@@ -292,8 +223,6 @@ let
in concatMapStrings makeDirConf cfg.servedDirs
}
- ${concatMapStrings (svc: svc.extraConfig) subservices}
-
${cfg.extraConfig}
'';
@@ -302,13 +231,13 @@ let
ServerRoot ${httpd}
- DefaultRuntimeDir ${mainCfg.stateDir}/runtime
+ DefaultRuntimeDir ${runtimeDir}/runtime
- PidFile ${mainCfg.stateDir}/httpd.pid
+ PidFile ${runtimeDir}/httpd.pid
${optionalString (mainCfg.multiProcessingModule != "prefork") ''
# mod_cgid requires this.
- ScriptSock ${mainCfg.stateDir}/cgisock
+ ScriptSock ${runtimeDir}/cgisock
''}
<IfModule prefork.c>
@@ -327,16 +256,12 @@ let
Group ${mainCfg.group}
${let
- load = {name, path}: "LoadModule ${name}_module ${path}\n";
- allModules =
- concatMap (svc: svc.extraModulesPre) allSubservices
- ++ map (name: {inherit name; path = "${httpd}/modules/mod_${name}.so";}) apacheModules
- ++ optional mainCfg.enableMellon { name = "auth_mellon"; path = "${pkgs.apacheHttpdPackages.mod_auth_mellon}/modules/mod_auth_mellon.so"; }
- ++ optional enablePHP { name = "php${phpMajorVersion}"; path = "${php}/modules/libphp${phpMajorVersion}.so"; }
- ++ optional enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; }
- ++ concatMap (svc: svc.extraModules) allSubservices
- ++ extraForeignModules;
- in concatMapStrings load (unique allModules)
+ mkModule = module:
+ if isString module then { name = module; path = "${httpd}/modules/mod_${module}.so"; }
+ else if isAttrs module then { inherit (module) name path; }
+ else throw "Expecting either a string or attribute set including a name and path.";
+ in
+ concatMapStringsSep "\n" (module: "LoadModule ${module.name}_module ${module.path}") (unique (map mkModule modules))
}
AddHandler type-map var
@@ -385,17 +310,10 @@ let
}
'';
-
- enablePHP = mainCfg.enablePHP || any (svc: svc.enablePHP) allSubservices;
-
- enablePerl = mainCfg.enablePerl || any (svc: svc.enablePerl) allSubservices;
-
-
# Generate the PHP configuration file. Should probably be factored
# out into a separate module.
phpIni = pkgs.runCommand "php.ini"
- { options = concatStringsSep "\n"
- ([ mainCfg.phpOptions ] ++ (map (svc: svc.phpOptions) allSubservices));
+ { options = mainCfg.phpOptions;
preferLocalBuild = true;
}
''
@@ -408,6 +326,11 @@ in
{
+ imports = [
+ (mkRemovedOptionModule [ "services" "httpd" "extraSubservices" ] "Most existing subservices have been ported to the NixOS module system. Please update your configuration accordingly.")
+ (mkRemovedOptionModule [ "services" "httpd" "stateDir" ] "The httpd module now uses /run/httpd as a runtime directory.")
+ ];
+
###### interface
options = {
@@ -453,7 +376,12 @@ in
extraModules = mkOption {
type = types.listOf types.unspecified;
default = [];
- example = literalExample ''[ "proxy_connect" { name = "php5"; path = "''${pkgs.php}/modules/libphp5.so"; } ]'';
+ example = literalExample ''
+ [
+ "proxy_connect"
+ { name = "jk"; path = "''${pkgs.tomcat_connectors}/modules/mod_jk.so"; }
+ ]
+ '';
description = ''
Additional Apache modules to be used. These can be
specified as a string in the case of modules distributed
@@ -500,16 +428,6 @@ in
'';
};
- stateDir = mkOption {
- type = types.path;
- default = "/run/httpd";
- description = ''
- Directory for Apache's transient runtime state (such as PID
- files). It is created automatically. Note that the default,
- <filename>/run/httpd</filename>, is deleted at boot time.
- '';
- };
-
virtualHosts = mkOption {
type = types.listOf (types.submodule (
{ options = import ./per-server-options.nix {
@@ -637,8 +555,6 @@ in
message = "SSL is enabled for httpd, but sslServerCert and/or sslServerKey haven't been specified."; }
];
- warnings = map (cfg: "apache-httpd's extraSubservices option is deprecated. Most existing subservices have been ported to the NixOS module system. Please update your configuration accordingly.") (lib.filter (cfg: cfg.extraSubservices != []) allHosts);
-
users.users = optionalAttrs (mainCfg.user == "wwwrun") (singleton
{ name = "wwwrun";
group = mainCfg.group;
@@ -651,7 +567,7 @@ in
gid = config.ids.gids.wwwrun;
});
- environment.systemPackages = [httpd] ++ concatMap (svc: svc.extraPath) allSubservices;
+ environment.systemPackages = [httpd];
services.httpd.phpOptions =
''
@@ -666,6 +582,28 @@ in
date.timezone = "${config.time.timeZone}"
'';
+ services.httpd.extraModules = mkBefore [
+ # HTTP authentication mechanisms: basic and digest.
+ "auth_basic" "auth_digest"
+
+ # Authentication: is the user who he claims to be?
+ "authn_file" "authn_dbm" "authn_anon"
+
+ # Authorization: is the user allowed access?
+ "authz_user" "authz_groupfile" "authz_host"
+
+ # Other modules.
+ "ext_filter" "include" "env" "mime_magic"
+ "cern_meta" "expires" "headers" "usertrack" "setenvif"
+ "dav" "status" "asis" "info" "dav_fs"
+ "vhost_alias" "imagemap" "actions" "speling"
+ "proxy" "proxy_http"
+ "cache" "cache_disk"
+
+ # For compatibility with old configurations, the new module mod_access_compat is provided.
+ "access_compat"
+ ];
+
systemd.services.httpd =
{ description = "Apache HTTPD";
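Review bot: The optional modules moved into `services.httpd.extraModules = mkBefore [ … ]` still load `info`, `status`, `dav`, `dav_fs`, `proxy` and `proxy_http` on every installation. Because this is a merged definition rather than an option default, a user's own `extraModules` list is appended to it instead of replacing it. A comment here, and a sentence in the option description, should say how to trim the set, e.g. `# merged with user-supplied modules; use lib.mkForce on services.httpd.extraModules to load a reduced set`. Whether the `mod_info` and `mod_status` handlers are actually exposed depends on configuration outside this hunk, so the point is to make the reduced-surface path discoverable rather than to fault the list itself.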
@@ -674,22 +612,14 @@ in
path =
[ httpd pkgs.coreutils pkgs.gnugrep ]
- ++ optional enablePHP pkgs.system-sendmail # Needed for PHP's mail() function.
- ++ concatMap (svc: svc.extraServerPath) allSubservices;
+ ++ optional mainCfg.enablePHP pkgs.system-sendmail; # Needed for PHP's mail() function.
environment =
- optionalAttrs enablePHP { PHPRC = phpIni; }
- // optionalAttrs mainCfg.enableMellon { LD_LIBRARY_PATH = "${pkgs.xmlsec}/lib"; }
- // (listToAttrs (concatMap (svc: svc.globalEnvVars) allSubservices));
+ optionalAttrs mainCfg.enablePHP { PHPRC = phpIni; }
+ // optionalAttrs mainCfg.enableMellon { LD_LIBRARY_PATH = "${pkgs.xmlsec}/lib"; };
preStart =
''
- mkdir -m 0750 -p ${mainCfg.stateDir}
- [ $(id -u) != 0 ] || chown root.${mainCfg.group} ${mainCfg.stateDir}
-
- mkdir -m 0750 -p "${mainCfg.stateDir}/runtime"
- [ $(id -u) != 0 ] || chown root.${mainCfg.group} "${mainCfg.stateDir}/runtime"
-
mkdir -m 0700 -p ${mainCfg.logDir}
# Get rid of old semaphores. These tend to accumulate across
@@ -698,21 +628,18 @@ in
for i in $(${pkgs.utillinux}/bin/ipcs -s | grep ' ${mainCfg.user} ' | cut -f2 -d ' '); do
${pkgs.utillinux}/bin/ipcrm -s $i
done
-
- # Run the startup hooks for the subservices.
- for i in ${toString (map (svn: svn.startupScript) allSubservices)}; do
- echo Running Apache startup hook $i...
- $i
- done
'';
serviceConfig.ExecStart = "@${httpd}/bin/httpd httpd -f ${httpdConf}";
serviceConfig.ExecStop = "${httpd}/bin/httpd -f ${httpdConf} -k graceful-stop";
serviceConfig.ExecReload = "${httpd}/bin/httpd -f ${httpdConf} -k graceful";
+ serviceConfig.Group = mainCfg.group;
serviceConfig.Type = "forking";
- serviceConfig.PIDFile = "${mainCfg.stateDir}/httpd.pid";
+ serviceConfig.PIDFile = "${runtimeDir}/httpd.pid";
serviceConfig.Restart = "always";
serviceConfig.RestartSec = "5s";
+ serviceConfig.RuntimeDirectory = "httpd httpd/runtime";
+ serviceConfig.RuntimeDirectoryMode = "0750";
};
};
diff --git a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix
index 9d747549c27..c36207d5460 100644
--- a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix
@@ -133,12 +133,6 @@ with lib;
'';
};
- extraSubservices = mkOption {
- type = types.listOf types.unspecified;
- default = [];
- description = "Extra subservices to enable in the webserver.";
- };
-
enableUserDir = mkOption {
type = types.bool;
default = false;
diff --git a/nixpkgs/nixos/modules/services/web-servers/hitch/default.nix b/nixpkgs/nixos/modules/services/web-servers/hitch/default.nix
index a6c4cbea122..1812f225b74 100644
--- a/nixpkgs/nixos/modules/services/web-servers/hitch/default.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/hitch/default.nix
@@ -102,7 +102,10 @@ with lib;
environment.systemPackages = [ pkgs.hitch ];
- users.users.hitch.group = "hitch";
+ users.users.hitch = {
+ group = "hitch";
+ isSystemUser = true;
+ };
users.groups.hitch = {};
};
}
diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/location-options.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/location-options.nix
index aeb9b1dd79e..2b3749d8a74 100644
--- a/nixpkgs/nixos/modules/services/web-servers/nginx/location-options.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/nginx/location-options.nix
@@ -1,4 +1,4 @@
-# This file defines the options that can be used both for the Apache
+# This file defines the options that can be used both for the Nginx
# main server configuration, and for the virtual hosts. (The latter
# has additional options that affect the web server as a whole, like
# the user/group to run under.)
@@ -92,4 +92,3 @@ with lib;
};
};
}
-
diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix
index 15b933c984a..7e488f33a41 100644
--- a/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix
@@ -1,4 +1,4 @@
-# This file defines the options that can be used both for the Apache
+# This file defines the options that can be used both for the Nginx
# main server configuration, and for the virtual hosts. (The latter
# has additional options that affect the web server as a whole, like
# the user/group to run under.)
diff --git a/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix b/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix
index 4ab7e3f0c0a..7698f8c3a26 100644
--- a/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix
@@ -31,7 +31,7 @@ let
'';
passAsFile = [ "nixDefaults" "phpOptions" ];
} ''
- cat $phpPackage/etc/php.ini $nixDefaultsPath $phpOptionsPath > $out
+ cat ${poolOpts.phpPackage}/etc/php.ini $nixDefaultsPath $phpOptionsPath > $out
'';
poolOpts = { name, ... }:
@@ -69,8 +69,6 @@ let
phpOptions = mkOption {
type = types.lines;
- default = cfg.phpOptions;
- defaultText = "config.services.phpfpm.phpOptions";
description = ''
"Options appended to the PHP configuration file <filename>php.ini</filename> used for this PHP-FPM pool."
'';
@@ -137,6 +135,7 @@ let
config = {
socket = if poolOpts.listen == "" then "${runtimeDir}/${name}.sock" else poolOpts.listen;
group = mkDefault poolOpts.user;
+ phpOptions = mkBefore cfg.phpOptions;
settings = mapAttrs (name: mkDefault){
listen = poolOpts.socket;
@@ -263,6 +262,7 @@ in {
in {
Slice = "phpfpm.slice";
PrivateDevices = true;
+ PrivateTmp = true;
ProtectSystem = "full";
ProtectHome = true;
# XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work
diff --git a/nixpkgs/nixos/modules/services/web-servers/traefik.nix b/nixpkgs/nixos/modules/services/web-servers/traefik.nix
index 8de7df0d446..5b0fc467ea4 100644
--- a/nixpkgs/nixos/modules/services/web-servers/traefik.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/traefik.nix
@@ -117,6 +117,7 @@ in {
group = "traefik";
home = cfg.dataDir;
createHome = true;
+ isSystemUser = true;
};
users.groups.traefik = {};
diff --git a/nixpkgs/nixos/modules/services/web-servers/ttyd.nix b/nixpkgs/nixos/modules/services/web-servers/ttyd.nix
new file mode 100644
index 00000000000..01a01d97a23
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/web-servers/ttyd.nix
@@ -0,0 +1,196 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.services.ttyd;
+
+ # Command line arguments for the ttyd daemon
+ args = [ "--port" (toString cfg.port) ]
+ ++ optionals (cfg.socket != null) [ "--interface" cfg.socket ]
+ ++ optionals (cfg.interface != null) [ "--interface" cfg.interface ]
+ ++ [ "--signal" (toString cfg.signal) ]
+ ++ (concatLists (mapAttrsToList (_k: _v: [ "--client-option" "${_k}=${_v}" ]) cfg.clientOptions))
+ ++ [ "--terminal-type" cfg.terminalType ]
+ ++ optionals cfg.checkOrigin [ "--check-origin" ]
+ ++ [ "--max-clients" (toString cfg.maxClients) ]
+ ++ optionals (cfg.indexFile != null) [ "--index" cfg.indexFile ]
+ ++ optionals cfg.enableIPv6 [ "--ipv6" ]
+ ++ optionals cfg.enableSSL [ "--ssl-cert" cfg.certFile
+ "--ssl-key" cfg.keyFile
+ "--ssl-ca" cfg.caFile ]
+ ++ [ "--debug" (toString cfg.logLevel) ];
+
+in
+
+{
+
+ ###### interface
+
+ options = {
+ services.ttyd = {
+ enable = mkEnableOption "ttyd daemon";
+
+ port = mkOption {
+ type = types.int;
+ default = 7681;
+ description = "Port to listen on (use 0 for random port)";
+ };
+
+ socket = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ example = "/var/run/ttyd.sock";
+ description = "UNIX domain socket path to bind.";
+ };
+
+ interface = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ example = "eth0";
+ description = "Network interface to bind.";
+ };
+
+ username = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = "Username for basic authentication.";
+ };
+
+ passwordFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ apply = value: if value == null then null else toString value;
+ description = ''
+ File containing the password to use for basic authentication.
+ For insecurely putting the password in the globally readable store use
+ <literal>pkgs.writeText "ttydpw" "MyPassword"</literal>.
+ '';
+ };
+
+ signal = mkOption {
+ type = types.ints.u8;
+ default = 1;
+ description = "Signal to send to the command on session close.";
+ };
+
+ clientOptions = mkOption {
+ type = types.attrsOf types.str;
+ default = {};
+ example = literalExample ''{
+ fontSize = "16";
+ fontFamily = "Fira Code";
+
+ }'';
+ description = ''
+ Attribute set of client options for xtermjs.
+ <link xlink:href="https://xtermjs.org/docs/api/terminal/interfaces/iterminaloptions/"/>
+ '';
+ };
+
+ terminalType = mkOption {
+ type = types.str;
+ default = "xterm-256color";
+ description = "Terminal type to report.";
+ };
+
+ checkOrigin = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Whether to allow a websocket connection from a different origin.";
+ };
+
+ maxClients = mkOption {
+ type = types.int;
+ default = 0;
+ description = "Maximum clients to support (0, no limit)";
+ };
+
+ indexFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = "Custom index.html path";
+ };
+
+ enableIPv6 = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Whether or not to enable IPv6 support.";
+ };
+
+ enableSSL = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Whether or not to enable SSL (https) support.";
+ };
+
+ certFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = "SSL certificate file path.";
+ };
+
+ keyFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ apply = value: if value == null then null else toString value;
+ description = ''
+ SSL key file path.
+ For insecurely putting the keyFile in the globally readable store use
+ <literal>pkgs.writeText "ttydKeyFile" "SSLKEY"</literal>.
+ '';
+ };
+
+ caFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = "SSL CA file path for client certificate verification.";
+ };
+
+ logLevel = mkOption {
+ type = types.int;
+ default = 7;
+ description = "Set log level.";
+ };
+ };
+ };
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+
+ assertions =
+ [ { assertion = cfg.enableSSL
+ -> cfg.certFile != null && cfg.keyFile != null && cfg.caFile != null;
+ message = "SSL is enabled for ttyd, but no certFile, keyFile or caFile has been specefied."; }
+ { assertion = ! (cfg.interface != null && cfg.socket != null);
+ message = "Cannot set both interface and socket for ttyd."; }
+ { assertion = (cfg.username != null) == (cfg.passwordFile != null);
+ message = "Need to set both username and passwordFile for ttyd"; }
+ ];
+
+ systemd.services.ttyd = {
+ description = "ttyd Web Server Daemon";
+
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ # Runs login which needs to be run as root
+ # login: Cannot possibly work without effective root
+ User = "root";
+ };
+
+ script = if cfg.passwordFile != null then ''
+ PASSWORD=$(cat ${escapeShellArg cfg.passwordFile})
+ ${pkgs.ttyd}/bin/ttyd ${lib.escapeShellArgs args} \
+ --credential ${escapeShellArg cfg.username}:"$PASSWORD" \
+ ${pkgs.shadow}/bin/login
+ ''
+ else ''
+ ${pkgs.ttyd}/bin/ttyd ${lib.escapeShellArgs args} \
+ ${pkgs.shadow}/bin/login
+ '';
+ };
+ };
+}
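Review bot: The `checkOrigin` description reads "Whether to allow a websocket connection from a different origin", but the option adds `--check-origin` to `args`, which does the opposite. With `default = false`, a service that runs `login` as root accepts cross-origin websocket connections unless the user opts in. The description should read something like `Whether to reject websocket connections from a different origin.`, and `default = true` deserves consideration. In `script`, `--credential ${escapeShellArg cfg.username}:"$PASSWORD"` places the password read from `passwordFile` on the `ttyd` command line, where it is presumably visible to other local users through the process list; the `passwordFile` description should mention that. The SSL assertion message also misspells "specified" as "specefied".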
diff --git a/nixpkgs/nixos/modules/services/web-servers/unit/default.nix b/nixpkgs/nixos/modules/services/web-servers/unit/default.nix
index a4a9d370d64..32f6d475b34 100644
--- a/nixpkgs/nixos/modules/services/web-servers/unit/default.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/unit/default.nix
@@ -116,6 +116,7 @@ in {
users.users = optionalAttrs (cfg.user == "unit") (singleton {
name = "unit";
group = cfg.group;
+ isSystemUser = true;
});
users.groups = optionalAttrs (cfg.group == "unit") (singleton {
diff --git a/nixpkgs/nixos/modules/services/web-servers/varnish/default.nix b/nixpkgs/nixos/modules/services/web-servers/varnish/default.nix
index 63f967185c2..01fe3d12917 100644
--- a/nixpkgs/nixos/modules/services/web-servers/varnish/default.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/varnish/default.nix
@@ -15,8 +15,8 @@ in
package = mkOption {
type = types.package;
- default = pkgs.varnish5;
- defaultText = "pkgs.varnish5";
+ default = pkgs.varnish;
+ defaultText = "pkgs.varnish";
description = ''
The package to use
'';
@@ -48,7 +48,7 @@ in
extraModules = mkOption {
type = types.listOf types.package;
default = [];
- example = literalExample "[ pkgs.varnish5Packages.geoip ]";
+ example = literalExample "[ pkgs.varnishPackages.geoip ]";
description = "
Varnish modules (except 'std').
";
diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/default.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/default.nix
index dfb84113e13..671a959cdde 100644
--- a/nixpkgs/nixos/modules/services/x11/desktop-managers/default.nix
+++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/default.nix
@@ -18,7 +18,7 @@ in
# determines the default: later modules (if enabled) are preferred.
# E.g., if Plasma 5 is enabled, it supersedes xterm.
imports = [
- ./none.nix ./xterm.nix ./xfce.nix ./xfce4-14.nix ./plasma5.nix ./lumina.nix
+ ./none.nix ./xterm.nix ./xfce.nix ./plasma5.nix ./lumina.nix
./lxqt.nix ./enlightenment.nix ./gnome3.nix ./kodi.nix ./maxx.nix
./mate.nix ./pantheon.nix ./surf-display.nix
];
diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix
index 5ad31e5b9d0..6725595e1cf 100644
--- a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix
+++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix
@@ -184,6 +184,13 @@ in
enableGnomeKeyring = true;
};
+ systemd.packages = with pkgs.gnome3; [
+ gnome-flashback
+ ] ++ (map
+ (wm: gnome-flashback.mkSystemdTargetForWm {
+ inherit (wm) wmName;
+ }) cfg.flashback.customSessions);
+
services.dbus.packages = [
pkgs.gnome3.gnome-screensaver
];
@@ -217,6 +224,12 @@ in
services.xserver.updateDbusEnvironment = true;
+ # gnome has a custom alert theme but it still
+ # inherits from the freedesktop theme.
+ environment.systemPackages = with pkgs; [
+ sound-theme-freedesktop
+ ];
+
# Needed for themes and backgrounds
environment.pathsToLink = [
"/share" # TODO: https://github.com/NixOS/nixpkgs/issues/47173
@@ -265,6 +278,26 @@ in
source-sans-pro
];
+ ## Enable soft realtime scheduling, only supported on wayland ##
+
+ security.wrappers.".gnome-shell-wrapped" = {
+ source = "${pkgs.gnome3.gnome-shell}/bin/.gnome-shell-wrapped";
+ capabilities = "cap_sys_nice=ep";
+ };
+
+ systemd.user.services.gnome-shell-wayland = let
+ gnomeShellRT = with pkgs.gnome3; pkgs.runCommand "gnome-shell-rt" {} ''
+ mkdir -p $out/bin/
+ cp ${gnome-shell}/bin/gnome-shell $out/bin
+ sed -i "s@${gnome-shell}/bin/@${config.security.wrapperDir}/@" $out/bin/gnome-shell
+ '';
+ in {
+ # Note we need to clear ExecStart before overriding it
+ serviceConfig.ExecStart = ["" "${gnomeShellRT}/bin/gnome-shell"];
+ # Do not use the default environment, it provides a broken PATH
+ environment = mkForce {};
+ };
+
# Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-32/elements/core/meta-gnome-core-shell.bst
environment.systemPackages = with pkgs.gnome3; [
adwaita-icon-theme
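Review bot: `security.wrappers.".gnome-shell-wrapped"` with `capabilities = "cap_sys_nice=ep"` is added without any condition in this hunk, although the heading comment says realtime scheduling is only supported on Wayland, and nothing visible here limits who may execute the wrapper. A comment should record why the capability is granted and what uses it, e.g. `# cap_sys_nice is what allows gnome-shell to request realtime scheduling; only the gnome-shell-wayland user service below runs this wrapper`. The `sed -i` in `gnomeShellRT` also succeeds when the pattern is absent, in which case the service would run the unwrapped binary without notice. Adding `grep -q "${config.security.wrapperDir}/" $out/bin/gnome-shell` after it would fail the build instead. The enclosing `config` block starts and ends outside the hunk.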
@@ -276,7 +309,7 @@ in
gnome-shell
gnome-shell-extensions
gnome-themes-extra
- gnome-user-docs
+ pkgs.gnome-user-docs
pkgs.orca
pkgs.glib # for gsettings
pkgs.gnome-menus
diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix
index b6fb7218da6..da8bdcb78c4 100644
--- a/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix
+++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix
@@ -27,20 +27,13 @@ in
example = "vlc";
description = "Phonon audio backend to install.";
};
-
- enableQt4Support = mkOption {
- type = types.bool;
- default = true;
- description = ''
- Enable support for Qt 4-based applications. Particularly, install a
- default backend for Phonon.
- '';
- };
-
};
};
+ imports = [
+ (mkRemovedOptionModule [ "services" "xserver" "desktopManager" "plasma5" "enableQt4Support" ] "Phonon no longer supports Qt 4.")
+ ];
config = mkMerge [
(mkIf cfg.enable {
@@ -173,9 +166,7 @@ in
# Phonon audio backend
++ lib.optional (cfg.phononBackend == "gstreamer") libsForQt5.phonon-backend-gstreamer
- ++ lib.optional (cfg.phononBackend == "gstreamer" && cfg.enableQt4Support) pkgs.phonon-backend-gstreamer
++ lib.optional (cfg.phononBackend == "vlc") libsForQt5.phonon-backend-vlc
- ++ lib.optional (cfg.phononBackend == "vlc" && cfg.enableQt4Support) pkgs.phonon-backend-vlc
# Optional hardware support features
++ lib.optionals config.hardware.bluetooth.enable [ bluedevil bluez-qt ]
@@ -232,7 +223,6 @@ in
security.pam.services.kdm.enableKwallet = true;
security.pam.services.lightdm.enableKwallet = true;
security.pam.services.sddm.enableKwallet = true;
- security.pam.services.slim.enableKwallet = true;
xdg.portal.enable = true;
xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-kde ];
diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix
index 6965c6d2646..0b70ad5f29c 100644
--- a/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix
+++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix
@@ -7,6 +7,32 @@ let
in
{
+
+ imports = [
+ # added 2019-08-18
+ # needed to preserve some semblance of UI familarity
+ # with original XFCE module
+ (mkRenamedOptionModule
+ [ "services" "xserver" "desktopManager" "xfce4-14" "extraSessionCommands" ]
+ [ "services" "xserver" "displayManager" "sessionCommands" ])
+
+ # added 2019-11-04
+ # xfce4-14 module removed and promoted to xfce.
+ # Needed for configs that used xfce4-14 module to migrate to this one.
+ (mkRenamedOptionModule
+ [ "services" "xserver" "desktopManager" "xfce4-14" "enable" ]
+ [ "services" "xserver" "desktopManager" "xfce" "enable" ])
+ (mkRenamedOptionModule
+ [ "services" "xserver" "desktopManager" "xfce4-14" "noDesktop" ]
+ [ "services" "xserver" "desktopManager" "xfce" "noDesktop" ])
+ (mkRenamedOptionModule
+ [ "services" "xserver" "desktopManager" "xfce4-14" "enableXfwm" ]
+ [ "services" "xserver" "desktopManager" "xfce" "enableXfwm" ])
+ (mkRenamedOptionModule
+ [ "services" "xserver" "desktopManager" "xfce" "extraSessionCommands" ]
+ [ "services" "xserver" "displayManager" "sessionCommands" ])
+ ];
+
options = {
services.xserver.desktopManager.xfce = {
enable = mkOption {
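Review bot: The last `mkRenamedOptionModule`, from `xfce.extraSessionCommands` to `displayManager.sessionCommands`, sits under the "added 2019-11-04 … xfce4-14 module removed" comment, although it retires an option of the xfce module itself (the one deleted in the next hunk). The rename may also widen scope: the removed description says the commands ran "just before XFCE is started", while the target option's name suggests it is not tied to XFCE. Give it its own comment, e.g. `# xfce.extraSessionCommands dropped; displayManager.sessionCommands is not XFCE-specific`, after confirming that behaviour. The first comment also misspells "familiarity" as "familarity".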
@@ -30,14 +56,6 @@ in
description = "Don't install XFCE desktop components (xfdesktop, panel and notification daemon).";
};
- extraSessionCommands = mkOption {
- default = "";
- type = types.lines;
- description = ''
- Shell commands executed just before XFCE is started.
- '';
- };
-
enableXfwm = mkOption {
type = types.bool;
default = true;
@@ -48,76 +66,101 @@ in
config = mkIf cfg.enable {
environment.systemPackages = with pkgs.xfce // pkgs; [
- # Get GTK themes and gtk-update-icon-cache
- gtk2.out
+ glib # for gsettings
+ gtk3.out # gtk-update-icon-cache
- # Supplies some abstract icons such as:
- # utilities-terminal, accessories-text-editor
+ gnome3.gnome-themes-extra
gnome3.adwaita-icon-theme
-
hicolor-icon-theme
tango-icon-theme
xfce4-icon-theme
+ desktop-file-utils
+ shared-mime-info # for update-mime-database
+
+ # For a polkit authentication agent
+ polkit_gnome
+
# Needed by Xfce's xinitrc script
- # TODO: replace with command -v
- which
+ xdg-user-dirs # Update user dirs as described in https://freedesktop.org/wiki/Software/xdg-user-dirs/
exo
garcon
- gtk-xfce-engine
libxfce4ui
- tumbler
xfconf
mousepad
+ parole
ristretto
xfce4-appfinder
xfce4-screenshooter
xfce4-session
xfce4-settings
+ xfce4-taskmanager
xfce4-terminal
(thunar.override { thunarPlugins = cfg.thunarPlugins; })
- thunar-volman # TODO: drop
- ] ++ (if config.hardware.pulseaudio.enable
- then [ xfce4-mixer-pulse xfce4-volumed-pulse ]
- else [ xfce4-mixer xfce4-volumed ])
- # TODO: NetworkManager doesn't belong here
- ++ optionals config.networking.networkmanager.enable [ networkmanagerapplet ]
- ++ optionals config.powerManagement.enable [ xfce4-power-manager ]
- ++ optionals cfg.enableXfwm [ xfwm4 ]
- ++ optionals (!cfg.noDesktop) [
- xfce4-panel
+ ] # TODO: NetworkManager doesn't belong here
+ ++ optional config.networking.networkmanager.enable networkmanagerapplet
+ ++ optional config.powerManagement.enable xfce4-power-manager
+ ++ optionals config.hardware.pulseaudio.enable [
+ pavucontrol
+ # volume up/down keys support:
+ # xfce4-pulseaudio-plugin includes all the functionalities of xfce4-volumed-pulse
+ # but can only be used with xfce4-panel, so for no-desktop usage we still include
+ # xfce4-volumed-pulse
+ (if cfg.noDesktop then xfce4-volumed-pulse else xfce4-pulseaudio-plugin)
+ ] ++ optionals cfg.enableXfwm [
+ xfwm4
+ xfwm4-themes
+ ] ++ optionals (!cfg.noDesktop) [
xfce4-notifyd
+ xfce4-panel
xfdesktop
];
environment.pathsToLink = [
"/share/xfce4"
- "/share/themes"
- "/share/gtksourceview-2.0"
+ "/lib/xfce4"
+ "/share/gtksourceview-3.0"
+ "/share/gtksourceview-4.0"
];
- services.xserver.gdk-pixbuf.modulePackages = [ pkgs.librsvg ];
-
services.xserver.desktopManager.session = [{
name = "xfce";
bgSupport = true;
start = ''
- ${cfg.extraSessionCommands}
-
- ${pkgs.runtimeShell} ${pkgs.xfce.xinitrc} &
+ ${pkgs.runtimeShell} ${pkgs.xfce.xfce4-session.xinitrc} &
waitPID=$!
'';
}];
services.xserver.updateDbusEnvironment = true;
+ services.xserver.gdk-pixbuf.modulePackages = [ pkgs.librsvg ];
# Enable helpful DBus services.
services.udisks2.enable = true;
+ security.polkit.enable = true;
+ services.accounts-daemon.enable = true;
services.upower.enable = config.powerManagement.enable;
+ services.gnome3.glib-networking.enable = true;
services.gvfs.enable = true;
services.gvfs.package = pkgs.xfce.gvfs;
+ services.tumbler.enable = true;
+ services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true));
+ services.xserver.libinput.enable = mkDefault true; # used in xfce4-settings-manager
+
+ # Enable default programs
+ programs.dconf.enable = true;
+
+ # Shell integration for VTE terminals
+ programs.bash.vteIntegration = mkDefault true;
+ programs.zsh.vteIntegration = mkDefault true;
+
+ # Systemd services
+ systemd.packages = with pkgs.xfce; [
+ (thunar.override { thunarPlugins = cfg.thunarPlugins; })
+ ] ++ optional (!cfg.noDesktop) xfce4-notifyd;
+
};
}
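Review bot: `security.polkit.enable`, `services.accounts-daemon.enable`, `services.udisks2.enable` and `services.tumbler.enable` are assigned at normal priority, while `services.xserver.libinput.enable` and the VTE options a few lines below use `mkDefault`. A host that enables Xfce but wants to keep one of these D-Bus services off then needs `mkForce`. If they are hard requirements of the session, a one-line comment saying so would help; otherwise `services.udisks2.enable = mkDefault true;` would match the neighbouring lines. Separately, `(thunar.override { thunarPlugins = cfg.thunarPlugins; })` is written out twice (in `environment.systemPackages` and in `systemd.packages`) and could be bound once in the `let` so the two cannot drift apart.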
diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce4-14.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce4-14.nix
deleted file mode 100644
index ffc99172e79..00000000000
--- a/nixpkgs/nixos/modules/services/x11/desktop-managers/xfce4-14.nix
+++ /dev/null
@@ -1,152 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
- cfg = config.services.xserver.desktopManager.xfce4-14;
-in
-
-{
- # added 2019-08-18
- # needed to preserve some semblance of UI familarity
- # with original XFCE module
- imports = [
- (mkRenamedOptionModule
- [ "services" "xserver" "desktopManager" "xfce4-14" "extraSessionCommands" ]
- [ "services" "xserver" "displayManager" "sessionCommands" ])
- ];
-
- options = {
- services.xserver.desktopManager.xfce4-14 = {
- enable = mkOption {
- type = types.bool;
- default = false;
- description = "Enable the Xfce desktop environment.";
- };
-
- # TODO: support thunar plugins
- # thunarPlugins = mkOption {
- # default = [];
- # type = types.listOf types.package;
- # example = literalExample "[ pkgs.xfce4-14.thunar-archive-plugin ]";
- # description = ''
- # A list of plugin that should be installed with Thunar.
- # '';
- # };
-
- noDesktop = mkOption {
- type = types.bool;
- default = false;
- description = "Don't install XFCE desktop components (xfdesktop, panel and notification daemon).";
- };
-
- enableXfwm = mkOption {
- type = types.bool;
- default = true;
- description = "Enable the XFWM (default) window manager.";
- };
- };
- };
-
- config = mkIf cfg.enable {
- environment.systemPackages = with pkgs.xfce4-14 // pkgs; [
- glib # for gsettings
- gtk3.out # gtk-update-icon-cache
-
- gnome3.gnome-themes-extra
- gnome3.adwaita-icon-theme
- hicolor-icon-theme
- tango-icon-theme
- xfce4-icon-theme
-
- desktop-file-utils
- shared-mime-info # for update-mime-database
-
- # For a polkit authentication agent
- polkit_gnome
-
- # Needed by Xfce's xinitrc script
- xdg-user-dirs # Update user dirs as described in https://freedesktop.org/wiki/Software/xdg-user-dirs/
-
- exo
- garcon
- libxfce4ui
- xfconf
-
- mousepad
- parole
- ristretto
- xfce4-appfinder
- xfce4-screenshooter
- xfce4-session
- xfce4-settings
- xfce4-taskmanager
- xfce4-terminal
-
- # TODO: resync patch for plugins
- #(thunar.override { thunarPlugins = cfg.thunarPlugins; })
- thunar
- ] # TODO: NetworkManager doesn't belong here
- ++ optional config.networking.networkmanager.enable networkmanagerapplet
- ++ optional config.powerManagement.enable xfce4-power-manager
- ++ optionals config.hardware.pulseaudio.enable [
- pavucontrol
- # volume up/down keys support:
- # xfce4-pulseaudio-plugin includes all the functionalities of xfce4-volumed-pulse
- # but can only be used with xfce4-panel, so for no-desktop usage we still include
- # xfce4-volumed-pulse
- (if cfg.noDesktop then xfce4-volumed-pulse else xfce4-pulseaudio-plugin)
- ] ++ optionals cfg.enableXfwm [
- xfwm4
- xfwm4-themes
- ] ++ optionals (!cfg.noDesktop) [
- xfce4-notifyd
- xfce4-panel
- xfdesktop
- ];
-
- environment.pathsToLink = [
- "/share/xfce4"
- "/lib/xfce4"
- "/share/gtksourceview-3.0"
- "/share/gtksourceview-4.0"
- ];
-
- services.xserver.desktopManager.session = [{
- name = "xfce4-14";
- bgSupport = true;
- start = ''
- ${pkgs.runtimeShell} ${pkgs.xfce4-14.xinitrc} &
- waitPID=$!
- '';
- }];
-
- services.xserver.updateDbusEnvironment = true;
- services.xserver.gdk-pixbuf.modulePackages = [ pkgs.librsvg ];
-
- # Enable helpful DBus services.
- services.udisks2.enable = true;
- security.polkit.enable = true;
- services.accounts-daemon.enable = true;
- services.upower.enable = config.powerManagement.enable;
- services.gnome3.glib-networking.enable = true;
- services.gvfs.enable = true;
- services.gvfs.package = pkgs.xfce.gvfs;
- services.tumbler.enable = true;
- services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true));
- services.xserver.libinput.enable = mkDefault true; # used in xfce4-settings-manager
-
- # Enable default programs
- programs.dconf.enable = true;
-
- # Shell integration for VTE terminals
- programs.bash.vteIntegration = mkDefault true;
- programs.zsh.vteIntegration = mkDefault true;
-
- # Systemd services
- systemd.packages = with pkgs.xfce4-14; [
- thunar
- ] ++ optional (!cfg.noDesktop) xfce4-notifyd;
-
- };
-}
diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/default.nix b/nixpkgs/nixos/modules/services/x11/display-managers/default.nix
index bf6b048654b..b66856fd4d4 100644
--- a/nixpkgs/nixos/modules/services/x11/display-managers/default.nix
+++ b/nixpkgs/nixos/modules/services/x11/display-managers/default.nix
@@ -1,9 +1,9 @@
# This module declares the options to define a *display manager*, the
-# program responsible for handling X logins (such as xdm, gdb, or
-# SLiM). The display manager allows the user to select a *session
-# type*. When the user logs in, the display manager starts the
+# program responsible for handling X logins (such as LightDM, GDM, or SDDM).
+# The display manager allows the user to select a *session
+# type*. When the user logs in, the display manager starts the
# *session script* ("xsession" below) to launch the selected session
-# type. The session type defines two things: the *desktop manager*
+# type. The session type defines two things: the *desktop manager*
# (e.g., KDE, Gnome or a plain xterm), and optionally the *window
# manager* (e.g. kwin or twm).
@@ -196,7 +196,6 @@ let
fi
'') cfg.displayManager.extraSessionFilePackages}
-
${concatMapStrings (pkg: ''
if test -d ${pkg}/share/wayland-sessions; then
mkdir -p "$out/share/wayland-sessions"
@@ -322,7 +321,7 @@ in
execCmd = mkOption {
type = types.str;
example = literalExample ''
- "''${pkgs.slim}/bin/slim"
+ "''${pkgs.lightdm}/bin/lightdm"
'';
description = "Command to start the display manager.";
};
@@ -330,7 +329,6 @@ in
environment = mkOption {
type = types.attrsOf types.unspecified;
default = {};
- example = { SLIM_CFGFILE = "/etc/slim.conf"; };
description = "Additional environment variables needed by the display manager.";
};
diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix b/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix
index e5990aec4b9..912ec5bd38e 100644
--- a/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix
@@ -31,6 +31,44 @@ let
load-module module-position-event-sounds
'';
+ dmDefault = config.services.xserver.desktopManager.default;
+ wmDefault = config.services.xserver.windowManager.default;
+ hasDefaultUserSession = dmDefault != "none" || wmDefault != "none";
+ defaultSessionName = dmDefault + optionalString (wmDefault != "none") ("+" + wmDefault);
+
+ setSessionScript = pkgs.python3.pkgs.buildPythonApplication {
+ name = "set-session";
+
+ format = "other";
+
+ src = ./set-session.py;
+
+ dontUnpack = true;
+
+ strictDeps = false;
+
+ nativeBuildInputs = with pkgs; [
+ wrapGAppsHook
+ gobject-introspection
+ ];
+
+ buildInputs = with pkgs; [
+ accountsservice
+ glib
+ ];
+
+ propagatedBuildInputs = with pkgs.python3.pkgs; [
+ pygobject3
+ ordered-set
+ ];
+
+ installPhase = ''
+ mkdir -p $out/bin
+ cp $src $out/bin/set-session
+ chmod +x $out/bin/set-session
+ '';
+ };
+
in
{
@@ -88,11 +126,21 @@ in
wayland = mkOption {
default = true;
description = ''
- Allow GDM run on Wayland instead of Xserver
+ Allow GDM to run on Wayland instead of Xserver.
+ Note to enable Wayland with Nvidia you need to
+ enable the <option>nvidiaWayland</option>.
'';
type = types.bool;
};
+ nvidiaWayland = mkOption {
+ default = false;
+ description = ''
+ Whether to allow wayland to be used with the proprietary
+ NVidia graphics driver.
+ '';
+ };
+
autoSuspend = mkOption {
default = true;
description = ''
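Review bot: The new `nvidiaWayland` option is declared without a `type`, unlike `wayland` directly above it, which has `type = types.bool;`. A non-boolean value is therefore not rejected when the option is set and would only fail where `!cfg.gdm.nvidiaWayland` is evaluated in the udev rules further down. Add `type = types.bool;` to the option. The `enable` option in the new `digimend.nix` has the same omission.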
@@ -156,6 +204,8 @@ in
cat - > /run/gdm/.config/gnome-initial-setup-done <<- EOF
yes
EOF
+ '' + optionalString hasDefaultUserSession ''
+ ${setSessionScript}/bin/set-session ${defaultSessionName}
'';
};
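Review bot: `${defaultSessionName}` is spliced unquoted into the shell script, so a desktop-manager or window-manager default containing whitespace or shell metacharacters would be split or interpreted by the shell instead of reaching `set-session` as one argument. Quote it: `${setSessionScript}/bin/set-session ${escapeShellArg defaultSessionName}` (this assumes `lib` is in scope through `with lib;`, as the unqualified `optionalString` suggests). The script this is appended to starts outside the hunk.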
@@ -197,6 +247,19 @@ in
services.dbus.packages = [ gdm ];
+ # We duplicate upstream's udev rules manually to make wayland with nvidia configurable
+ services.udev.extraRules = ''
+ # disable Wayland on Cirrus chipsets
+ ATTR{vendor}=="0x1013", ATTR{device}=="0x00b8", ATTR{subsystem_vendor}=="0x1af4", ATTR{subsystem_device}=="0x1100", RUN+="${gdm}/libexec/gdm-disable-wayland"
+ # disable Wayland on Hi1710 chipsets
+ ATTR{vendor}=="0x19e5", ATTR{device}=="0x1711", RUN+="${gdm}/libexec/gdm-disable-wayland"
+ ${optionalString (!cfg.gdm.nvidiaWayland) ''
+ DRIVER=="nvidia", RUN+="${gdm}/libexec/gdm-disable-wayland"
+ ''}
+ # disable Wayland when modesetting is disabled
+ IMPORT{cmdline}="nomodeset", RUN+="${gdm}/libexec/gdm-disable-wayland"
+ '';
+
systemd.user.services.dbus.wantedBy = [ "default.target" ];
programs.dconf.profiles.gdm =
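Review bot: The comment says upstream's udev rules are duplicated by hand but not which upstream file or GDM version they were copied from, so later upstream changes to the list of chipsets where Wayland is disabled would be missed silently. Extend the comment, e.g. `# Copied from GDM's udev rules as of <gdm version>; re-check on every gdm update`. Also, if the gdm package's own rules file is still installed (not visible in this hunk), its nvidia rule would apply regardless of `nvidiaWayland`, so it is worth confirming that the packaged copy is removed or not loaded.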
diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/sddm.nix b/nixpkgs/nixos/modules/services/x11/display-managers/sddm.nix
index 8847acb0c60..899dd8665a2 100644
--- a/nixpkgs/nixos/modules/services/x11/display-managers/sddm.nix
+++ b/nixpkgs/nixos/modules/services/x11/display-managers/sddm.nix
@@ -14,7 +14,7 @@ let
xserverWrapper = pkgs.writeScript "xserver-wrapper" ''
#!/bin/sh
${concatMapStrings (n: "export ${n}=\"${getAttr n xEnv}\"\n") (attrNames xEnv)}
- exec systemd-cat ${dmcfg.xserverBin} ${toString dmcfg.xserverArgs} "$@"
+ exec systemd-cat -t xserver-wrapper ${dmcfg.xserverBin} ${toString dmcfg.xserverArgs} "$@"
'';
Xsetup = pkgs.writeScript "Xsetup" ''
diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/set-session.py b/nixpkgs/nixos/modules/services/x11/display-managers/set-session.py
new file mode 100755
index 00000000000..0cca80af44e
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/x11/display-managers/set-session.py
@@ -0,0 +1,86 @@
+#!/usr/bin/env python
+
+import gi, argparse, os, logging, sys
+
+gi.require_version("AccountsService", "1.0")
+from gi.repository import AccountsService, GLib
+from ordered_set import OrderedSet
+
+
+def get_session_file(session):
+ system_data_dirs = GLib.get_system_data_dirs()
+
+ session_dirs = OrderedSet(
+ os.path.join(data_dir, session)
+ for data_dir in system_data_dirs
+ for session in {"wayland-sessions", "xsessions"}
+ )
+
+ session_files = OrderedSet(
+ os.path.join(dir, session + ".desktop")
+ for dir in session_dirs
+ if os.path.exists(os.path.join(dir, session + ".desktop"))
+ )
+
+ # Deal with duplicate wayland-sessions and xsessions.
+ # Needed for the situation in gnome-session, where there's
+ # a xsession named the same as a wayland session.
+ if any(map(is_session_wayland, session_files)):
+ session_files = OrderedSet(
+ session for session in session_files if is_session_wayland(session)
+ )
+ else:
+ session_files = OrderedSet(
+ session for session in session_files if is_session_xsession(session)
+ )
+
+ if len(session_files) == 0:
+ logging.warning("No session files are found.")
+ sys.exit(0)
+ else:
+ return session_files[0]
+
+
+def is_session_xsession(session_file):
+ return "/xsessions/" in session_file
+
+
+def is_session_wayland(session_file):
+ return "/wayland-sessions/" in session_file
+
+
+def main():
+ parser = argparse.ArgumentParser(
+ description="Set session type for all normal users."
+ )
+ parser.add_argument("session", help="Name of session to set.")
+
+ args = parser.parse_args()
+
+ session = getattr(args, "session")
+ session_file = get_session_file(session)
+
+ user_manager = AccountsService.UserManager.get_default()
+ users = user_manager.list_users()
+
+ for user in users:
+ if user.is_system_account():
+ continue
+ else:
+ if is_session_wayland(session_file):
+ logging.debug(
+ f"Setting session name: {session}, as we found the existing wayland-session: {session_file}"
+ )
+ user.set_session(session)
+ elif is_session_xsession(session_file):
+ logging.debug(
+ f"Setting session name: {session}, as we found the existing xsession: {session_file}"
+ )
+ user.set_x_session(session)
+ else:
+ logging.error(f"Couldn't figure out session type for {session_file}")
+ sys.exit(1)
+
+
+if __name__ == "__main__":
+ main()
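Review bot: In `get_session_file` the first generator reuses `session` as its loop variable over a set literal, which shadows the function's `session` parameter inside that expression and iterates in unspecified order, defeating the `OrderedSet` it feeds. A tuple with a distinct name is clearer: `for kind in ("wayland-sessions", "xsessions")` together with `os.path.join(data_dir, kind)`. In `main`, the wayland/xsession decision depends only on `session_file` and could be made once before the user loop. The `logging.debug` calls emit nothing unless a log level is configured, and the shebang names `python` although the f-strings need Python 3.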
diff --git a/nixpkgs/nixos/modules/services/x11/display-managers/slim.nix b/nixpkgs/nixos/modules/services/x11/display-managers/slim.nix
index 124660a43f0..4b0948a5b7a 100644
--- a/nixpkgs/nixos/modules/services/x11/display-managers/slim.nix
+++ b/nixpkgs/nixos/modules/services/x11/display-managers/slim.nix
@@ -2,155 +2,15 @@
with lib;
-let
-
- dmcfg = config.services.xserver.displayManager;
-
- cfg = dmcfg.slim;
-
- slimConfig = pkgs.writeText "slim.cfg"
- ''
- xauth_path ${dmcfg.xauthBin}
- default_xserver ${dmcfg.xserverBin}
- xserver_arguments ${toString dmcfg.xserverArgs}
- sessiondir ${dmcfg.session.desktops}/share/xsessions
- login_cmd exec ${pkgs.runtimeShell} ${dmcfg.session.wrapper} "%session"
- halt_cmd ${config.systemd.package}/sbin/shutdown -h now
- reboot_cmd ${config.systemd.package}/sbin/shutdown -r now
- logfile /dev/stderr
- ${optionalString (cfg.defaultUser != null) ("default_user " + cfg.defaultUser)}
- ${optionalString (cfg.defaultUser != null) ("focus_password yes")}
- ${optionalString cfg.autoLogin "auto_login yes"}
- ${optionalString (cfg.consoleCmd != null) "console_cmd ${cfg.consoleCmd}"}
- ${cfg.extraConfig}
- '';
-
- # Unpack the SLiM theme, or use the default.
- slimThemesDir =
- let
- unpackedTheme = pkgs.runCommand "slim-theme" { preferLocalBuild = true; }
- ''
- mkdir -p $out
- cd $out
- unpackFile ${cfg.theme}
- ln -s * default
- '';
- in if cfg.theme == null then "${pkgs.slim}/share/slim/themes" else unpackedTheme;
-
-in
-
{
-
- ###### interface
-
- options = {
-
- services.xserver.displayManager.slim = {
-
- enable = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Whether to enable SLiM as the display manager.
- '';
- };
-
- theme = mkOption {
- type = types.nullOr types.path;
- default = pkgs.fetchurl {
- url = "https://github.com/jagajaga/nixos-slim-theme/archive/2.0.tar.gz";
- sha256 = "0lldizhigx7bjhxkipii87y432hlf5wdvamnfxrryf9z7zkfypc8";
- };
- defaultText = ''pkgs.fetchurl {
- url = "https://github.com/jagajaga/nixos-slim-theme/archive/2.0.tar.gz";
- sha256 = "0lldizhigx7bjhxkipii87y432hlf5wdvamnfxrryf9z7zkfypc8";
- }'';
- example = literalExample ''
- pkgs.fetchurl {
- url = "mirror://sourceforge/slim.berlios/slim-wave.tar.gz";
- sha256 = "0ndr419i5myzcylvxb89m9grl2xyq6fbnyc3lkd711mzlmnnfxdy";
- }
- '';
- description = ''
- The theme for the SLiM login manager. If not specified, SLiM's
- default theme is used. See <link
- xlink:href='http://slim.berlios.de/themes01.php'/> for a
- collection of themes. TODO: berlios shut down.
- '';
- };
-
- defaultUser = mkOption {
- type = types.nullOr types.str;
- default = null;
- example = "login";
- description = ''
- The default user to load. If you put a username here you
- get it automatically loaded into the username field, and
- the focus is placed on the password.
- '';
- };
-
- autoLogin = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Automatically log in as the default user.
- '';
- };
-
- extraConfig = mkOption {
- type = types.lines;
- default = "";
- description = ''
- Extra configuration options for SLiM login manager. Do not
- add options that can be configured directly.
- '';
- };
-
- consoleCmd = mkOption {
- type = types.nullOr types.str;
- default = ''
- ${pkgs.xterm}/bin/xterm -C -fg white -bg black +sb -T "Console login" -e ${pkgs.shadow}/bin/login
- '';
- defaultText = ''
- ''${pkgs.xterm}/bin/xterm -C -fg white -bg black +sb -T "Console login" -e ''${pkgs.shadow}/bin/login
- '';
- description = ''
- The command to run when "console" is given as the username.
- '';
- };
- };
-
- };
-
-
- ###### implementation
-
- config = mkIf cfg.enable {
-
- services.xserver.displayManager.job =
- { environment =
- { SLIM_CFGFILE = slimConfig;
- SLIM_THEMESDIR = slimThemesDir;
- };
- execCmd = "exec ${pkgs.slim}/bin/slim";
- };
-
- services.xserver.displayManager.sessionCommands =
- ''
- # Export the config/themes for slimlock.
- export SLIM_THEMESDIR=${slimThemesDir}
- '';
-
- # Allow null passwords so that the user can login as root on the
- # installation CD.
- security.pam.services.slim = { allowNullPassword = true; startSession = true; };
-
- # Allow slimlock to work.
- security.pam.services.slimlock = {};
-
- environment.systemPackages = [ pkgs.slim ];
-
- };
-
+ # added 2019-11-11
+ imports = [
+ (mkRemovedOptionModule [ "services" "xserver" "displayManager" "slim" ] ''
+ The SLIM project is abandoned and their last release was in 2013.
+ Because of this it poses a security risk to your system.
+ Other issues include it not fully supporting systemd and logind sessions.
+ Please use a different display manager such as LightDM, SDDM, or GDM.
+ You can also use the startx module which uses Xinitrc.
+ '')
+ ];
}
diff --git a/nixpkgs/nixos/modules/services/x11/hardware/digimend.nix b/nixpkgs/nixos/modules/services/x11/hardware/digimend.nix
new file mode 100644
index 00000000000..a9f5640905a
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/x11/hardware/digimend.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.services.xserver.digimend;
+
+ pkg = config.boot.kernelPackages.digimend;
+
+in
+
+{
+
+ options = {
+
+ services.xserver.digimend = {
+
+ enable = mkOption {
+ default = false;
+ description = ''
+ Whether to enable the digimend drivers for Huion/XP-Pen/etc. tablets.
+ '';
+ };
+
+ };
+
+ };
+
+
+ config = mkIf cfg.enable {
+
+ # digimend drivers use xsetwacom and wacom X11 drivers
+ services.xserver.wacom.enable = true;
+
+ boot.extraModulePackages = [ pkg ];
+
+ environment.etc."X11/xorg.conf.d/50-digimend.conf".source =
+ "${pkg}/usr/share/X11/xorg.conf.d/50-digimend.conf";
+
+ };
+
+}
diff --git a/nixpkgs/nixos/modules/services/x11/hardware/libinput.nix b/nixpkgs/nixos/modules/services/x11/hardware/libinput.nix
index bd289976532..71065dfc26b 100644
--- a/nixpkgs/nixos/modules/services/x11/hardware/libinput.nix
+++ b/nixpkgs/nixos/modules/services/x11/hardware/libinput.nix
@@ -122,7 +122,7 @@ in {
description =
''
Specify the scrolling method: <literal>twofinger</literal>, <literal>edge</literal>,
- or <literal>none</literal>
+ <literal>button</literal>, or <literal>none</literal>
'';
};
@@ -209,12 +209,12 @@ in {
services.xserver.config =
''
- # Automatically enable the libinput driver for all touchpads.
+ # General libinput configuration.
+ # See CONFIGURATION DETAILS section of man:libinput(4).
Section "InputClass"
Identifier "libinputConfiguration"
- MatchIsTouchpad "on"
+ MatchDriver "libinput"
${optionalString (cfg.dev != null) ''MatchDevicePath "${cfg.dev}"''}
- Driver "libinput"
Option "AccelProfile" "${cfg.accelProfile}"
${optionalString (cfg.accelSpeed != null) ''Option "AccelSpeed" "${cfg.accelSpeed}"''}
${optionalString (cfg.buttonMapping != null) ''Option "ButtonMapping" "${cfg.buttonMapping}"''}
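Review bot: With `MatchIsTouchpad "on"` replaced by `MatchDriver "libinput"`, every option in this InputClass (`AccelProfile`, `AccelSpeed`, `ButtonMapping`, and the rest) now applies to all devices handled by the libinput driver rather than to touchpads only, and the section no longer assigns the driver itself. The widening is presumably intended, but the option descriptions outside this hunk may still speak of touchpads. The generated comment could state the scope outright, e.g. `# Applies to every device using the libinput driver (mice, touchpads, ...).`. The section continues past the end of the hunk.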
diff --git a/nixpkgs/nixos/modules/services/x11/window-managers/xmonad.nix b/nixpkgs/nixos/modules/services/x11/window-managers/xmonad.nix
index 0e131412276..30c59b88f82 100644
--- a/nixpkgs/nixos/modules/services/x11/window-managers/xmonad.nix
+++ b/nixpkgs/nixos/modules/services/x11/window-managers/xmonad.nix
@@ -86,7 +86,7 @@ in
${xmonadBin}
waitPID=$!
'' else ''
- ${xmonad}/bin/xmonad &
+ systemd-cat -t xmonad ${xmonad}/bin/xmonad &
waitPID=$!
'';
}];
diff --git a/nixpkgs/nixos/modules/services/x11/xserver.nix b/nixpkgs/nixos/modules/services/x11/xserver.nix
index a8406544a72..70f01dbdbf5 100644
--- a/nixpkgs/nixos/modules/services/x11/xserver.nix
+++ b/nixpkgs/nixos/modules/services/x11/xserver.nix
@@ -557,7 +557,6 @@ in
default = !( dmconf.auto.enable
|| dmconf.gdm.enable
|| dmconf.sddm.enable
- || dmconf.slim.enable
|| dmconf.xpra.enable );
in mkIf (default) true;
diff --git a/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl b/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl
index 641cf9faadc..12a80a12d19 100644
--- a/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl
+++ b/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl
@@ -214,7 +214,17 @@ while (my ($unit, $state) = each %{$activePrev}) {
# Reload the changed mount unit to force a remount.
$unitsToReload{$unit} = 1;
recordUnit($reloadListFile, $unit);
- } elsif ($unit =~ /\.socket$/ || $unit =~ /\.path$/ || $unit =~ /\.slice$/) {
+ } elsif ($unit =~ /\.socket$/) {
+ my $unitInfo = parseUnit($newUnitFile);
+ # If a socket unit has been changed, the corresponding
+ # service unit has to be stopped before the socket can
+ # be restarted. The service will be started again on demand.
+ my $serviceUnit = $unitInfo->{'Unit'} // "$baseName.service";
+ $unitsToStop{$serviceUnit} = 1;
+ $unitsToStop{$unit} = 1;
+ $unitsToStart{$unit} = 1;
+ recordUnit($startListFile, $unit);
+ } elsif ($unit =~ /\.path$/ || $unit =~ /\.slice$/) {
# FIXME: do something?
} else {
my $unitInfo = parseUnit($newUnitFile);
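Review bot: The service to stop is looked up as `$unitInfo->{'Unit'}`, but in a socket unit the activated service is named by `Service=`; `Unit=` is the key used by timer and path units. A changed socket with an explicit `Service=` would therefore have `$baseName.service` stopped instead of the service it actually activates. Assuming `parseUnit` returns entries keyed by option name, the line should read `my $serviceUnit = $unitInfo->{'Service'} // "$baseName.service";`. `$baseName` and `parseUnit` are defined outside the hunk.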
diff --git a/nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix b/nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix
index e13f0421d38..9a4db84f7b7 100644
--- a/nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix
+++ b/nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix
@@ -47,8 +47,8 @@ let
grub = f grub;
grubTarget = f (grub.grubTarget or "");
shell = "${pkgs.runtimeShell}";
- fullName = (builtins.parseDrvName realGrub.name).name;
- fullVersion = (builtins.parseDrvName realGrub.name).version;
+ fullName = lib.getName realGrub;
+ fullVersion = lib.getVersion realGrub;
grubEfi = f grubEfi;
grubTargetEfi = if cfg.efiSupport && (cfg.version == 2) then f (grubEfi.grubTarget or "") else "";
bootPath = args.path;
diff --git a/nixpkgs/nixos/modules/system/boot/networkd.nix b/nixpkgs/nixos/modules/system/boot/networkd.nix
index f2060e21509..226769f1059 100644
--- a/nixpkgs/nixos/modules/system/boot/networkd.nix
+++ b/nixpkgs/nixos/modules/system/boot/networkd.nix
@@ -10,7 +10,7 @@ let
checkLink = checkUnitConfig "Link" [
(assertOnlyFields [
- "Description" "Alias" "MACAddressPolicy" "MACAddress" "NamePolicy" "OriginalName"
+ "Description" "Alias" "MACAddressPolicy" "MACAddress" "NamePolicy" "Name" "OriginalName"
"MTUBytes" "BitsPerSecond" "Duplex" "AutoNegotiation" "WakeOnLan" "Port"
"TCPSegmentationOffload" "TCP6SegmentationOffload" "GenericSegmentationOffload"
"GenericReceiveOffload" "LargeReceiveOffload" "RxChannels" "TxChannels"
@@ -187,7 +187,7 @@ let
# Note: For DHCP the values both, none, v4, v6 are deprecated
(assertValueOneOf "DHCP" ["yes" "no" "ipv4" "ipv6" "both" "none" "v4" "v6"])
(assertValueOneOf "DHCPServer" boolValues)
- (assertValueOneOf "LinkLocalAddressing" ["yes" "no" "ipv4" "ipv6"])
+ (assertValueOneOf "LinkLocalAddressing" ["yes" "no" "ipv4" "ipv6" "ipv4-fallback" "fallback"])
(assertValueOneOf "IPv4LLRoute" boolValues)
(assertValueOneOf "LLMNR" ["yes" "resolve" "no"])
(assertValueOneOf "MulticastDNS" ["yes" "resolve" "no"])
@@ -201,7 +201,7 @@ let
(assertValueOneOf "IPv6AcceptRA" boolValues)
(assertValueOneOf "IPv4ProxyARP" boolValues)
(assertValueOneOf "IPv6ProxyNDP" boolValues)
- (assertValueOneOf "IPv6PrefixDelegation" boolValues)
+ (assertValueOneOf "IPv6PrefixDelegation" (boolValues ++ [ "dhcpv6" "static" ]))
(assertValueOneOf "ActiveSlave" boolValues)
(assertValueOneOf "PrimarySlave" boolValues)
(assertValueOneOf "ConfigureWithoutCarrier" boolValues)
@@ -924,6 +924,8 @@ in
config = mkIf config.systemd.network.enable {
+ users.users.systemd-network.group = "systemd-network";
+
systemd.additionalUpstreamSystemUnits = [
"systemd-networkd.service" "systemd-networkd-wait-online.service"
];
diff --git a/nixpkgs/nixos/modules/system/boot/plymouth.nix b/nixpkgs/nixos/modules/system/boot/plymouth.nix
index adca3c3f66e..23fce22366d 100644
--- a/nixpkgs/nixos/modules/system/boot/plymouth.nix
+++ b/nixpkgs/nixos/modules/system/boot/plymouth.nix
@@ -25,6 +25,7 @@ let
[Daemon]
ShowDelay=0
Theme=${cfg.theme}
+ ${cfg.extraConfig}
'';
in
@@ -65,6 +66,15 @@ in
'';
};
+ extraConfig = mkOption {
+ type = types.lines;
+ default = "";
+ description = ''
+ Literal string to append to <literal>configFile</literal>
+ and the config file generated by the plymouth module.
+ '';
+ };
+
};
};
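Review bot: The description of `extraConfig` does not say where the text lands. Per the first hunk of this file it is interpolated directly after `Theme=`, i.e. inside the `[Daemon]` section, so keys for any other section need their own header line. Something like `Lines appended to the [Daemon] section of the generated config file.` would be more precise. The same applies to `services.timesyncd.extraConfig` in `timesyncd.nix`, which is appended under `[Time]`.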
diff --git a/nixpkgs/nixos/modules/system/boot/resolved.nix b/nixpkgs/nixos/modules/system/boot/resolved.nix
index 3ea96f8e464..da61c64faf8 100644
--- a/nixpkgs/nixos/modules/system/boot/resolved.nix
+++ b/nixpkgs/nixos/modules/system/boot/resolved.nix
@@ -136,6 +136,8 @@ in
}
];
+ users.users.resolved.group = "systemd-resolve";
+
systemd.additionalUpstreamSystemUnits = [
"systemd-resolved.service"
];
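Review bot: The group is set on `users.users.resolved`, whereas the sibling changes in this commit use the daemon's account name (`users.users.systemd-network`, `users.users.systemd-timesync`). As written this looks like it declares a separate user `resolved` rather than setting the primary group of the resolver's service account. If the account is named like the group, the line should be `users.users.systemd-resolve.group = "systemd-resolve";`. The user declaration itself is not in this hunk, so confirm the name against it.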
diff --git a/nixpkgs/nixos/modules/system/boot/systemd-unit-options.nix b/nixpkgs/nixos/modules/system/boot/systemd-unit-options.nix
index c1f2c98afcd..bee21f1a8f3 100644
--- a/nixpkgs/nixos/modules/system/boot/systemd-unit-options.nix
+++ b/nixpkgs/nixos/modules/system/boot/systemd-unit-options.nix
@@ -24,7 +24,7 @@ in rec {
in
if isList (head defs'')
then concatLists defs''
- else mergeOneOption loc defs';
+ else mergeEqualOption loc defs';
};
sharedOptions = {
diff --git a/nixpkgs/nixos/modules/system/boot/systemd.nix b/nixpkgs/nixos/modules/system/boot/systemd.nix
index 33b350902a1..9e3c6149f92 100644
--- a/nixpkgs/nixos/modules/system/boot/systemd.nix
+++ b/nixpkgs/nixos/modules/system/boot/systemd.nix
@@ -63,6 +63,7 @@ let
"systemd-logind.service"
"autovt@.service"
"systemd-user-sessions.service"
+ "dbus-org.freedesktop.import1.service"
"dbus-org.freedesktop.machine1.service"
"user@.service"
"user-runtime-dir@.service"
@@ -145,6 +146,7 @@ let
"user.slice"
"machine.slice"
"machines.target"
+ "systemd-importd.service"
"systemd-machined.service"
"systemd-nspawn@.service"
diff --git a/nixpkgs/nixos/modules/system/boot/timesyncd.nix b/nixpkgs/nixos/modules/system/boot/timesyncd.nix
index 8282cdd6f3a..9e2f36ca01f 100644
--- a/nixpkgs/nixos/modules/system/boot/timesyncd.nix
+++ b/nixpkgs/nixos/modules/system/boot/timesyncd.nix
@@ -20,6 +20,18 @@ with lib;
The set of NTP servers from which to synchronise.
'';
};
+ extraConfig = mkOption {
+ default = "";
+ type = types.lines;
+ example = ''
+ PollIntervalMaxSec=180
+ '';
+ description = ''
+ Extra config options for systemd-timesyncd. See
+ <link xlink:href="https://www.freedesktop.org/software/systemd/man/timesyncd.conf.html">
+ timesyncd.conf(5)</link> for available options.
+ '';
+ };
};
};
@@ -35,9 +47,13 @@ with lib;
environment.etc."systemd/timesyncd.conf".text = ''
[Time]
NTP=${concatStringsSep " " config.services.timesyncd.servers}
+ ${config.services.timesyncd.extraConfig}
'';
- users.users.systemd-timesync.uid = config.ids.uids.systemd-timesync;
+ users.users.systemd-timesync = {
+ uid = config.ids.uids.systemd-timesync;
+ group = "systemd-timesync";
+ };
users.groups.systemd-timesync.gid = config.ids.gids.systemd-timesync;
system.activationScripts.systemd-timesyncd-migration = mkIf (versionOlder config.system.stateVersion "19.09") ''
diff --git a/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix b/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix
index 863072e33dc..9ffa1089ee6 100644
--- a/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix
+++ b/nixpkgs/nixos/modules/tasks/network-interfaces-systemd.nix
@@ -31,7 +31,7 @@ in
message = "networking.defaultGatewayWindowSize is not supported by networkd.";
} {
assertion = cfg.vswitches == {};
- message = "networking.vswichtes are not supported by networkd.";
+ message = "networking.vswitches are not supported by networkd.";
} {
assertion = cfg.defaultGateway == null || cfg.defaultGateway.interface == null;
message = "networking.defaultGateway.interface is not supported by networkd.";
@@ -76,15 +76,6 @@ in
};
in mkMerge [ {
enable = true;
- networks."99-main" = (genericNetwork mkDefault) // {
- # We keep the "broken" behaviour of applying this to all interfaces.
- # In general we want to get rid of this workaround but there hasn't
- # been any work on that.
- # See the following issues for details:
- # - https://github.com/NixOS/nixpkgs/issues/18962
- # - https://github.com/NixOS/nixpkgs/issues/61629
- matchConfig = mkDefault { Name = "*"; };
- };
}
(mkMerge (forEach interfaces (i: {
netdevs = mkIf i.virtual ({
diff --git a/nixpkgs/nixos/modules/testing/test-instrumentation.nix b/nixpkgs/nixos/modules/testing/test-instrumentation.nix
index 1a11d9ce7c2..1baeab53b0c 100644
--- a/nixpkgs/nixos/modules/testing/test-instrumentation.nix
+++ b/nixpkgs/nixos/modules/testing/test-instrumentation.nix
@@ -15,7 +15,7 @@ with import ../../lib/qemu-flags.nix { inherit pkgs; };
#
# One particular example are the boot tests where we want instrumentation
# within the images but not other stuff like setting up 9p filesystems.
- options.virtualisation.qemu.program = mkOption { type = types.path; };
+ options.virtualisation.qemu = { };
config = {
diff --git a/nixpkgs/nixos/modules/virtualisation/amazon-image.nix b/nixpkgs/nixos/modules/virtualisation/amazon-image.nix
index aadfc5add35..20d48add712 100644
--- a/nixpkgs/nixos/modules/virtualisation/amazon-image.nix
+++ b/nixpkgs/nixos/modules/virtualisation/amazon-image.nix
@@ -135,6 +135,9 @@ in
services.openssh.enable = true;
services.openssh.permitRootLogin = "prohibit-password";
+ # Creates symlinks for block device names.
+ services.udev.packages = [ pkgs.ec2-utils ];
+
# Force getting the hostname from EC2.
networking.hostName = mkDefault "";
diff --git a/nixpkgs/nixos/modules/virtualisation/containers.nix b/nixpkgs/nixos/modules/virtualisation/containers.nix
index 691ee2c136e..09678ce9ea7 100644
--- a/nixpkgs/nixos/modules/virtualisation/containers.nix
+++ b/nixpkgs/nixos/modules/virtualisation/containers.nix
@@ -149,7 +149,7 @@ let
--setenv PATH="$PATH" \
${optionalString cfg.ephemeral "--ephemeral"} \
${if cfg.additionalCapabilities != null && cfg.additionalCapabilities != [] then
- ''--capability="${concatStringsSep " " cfg.additionalCapabilities}"'' else ""
+ ''--capability="${concatStringsSep "," cfg.additionalCapabilities}"'' else ""
} \
${if cfg.tmpfs != null && cfg.tmpfs != [] then
''--tmpfs=${concatStringsSep " --tmpfs=" cfg.tmpfs}'' else ""
diff --git a/nixpkgs/nixos/modules/virtualisation/digital-ocean-config.nix b/nixpkgs/nixos/modules/virtualisation/digital-ocean-config.nix
new file mode 100644
index 00000000000..88cb0cd450e
--- /dev/null
+++ b/nixpkgs/nixos/modules/virtualisation/digital-ocean-config.nix
@@ -0,0 +1,197 @@
+{ config, pkgs, lib, modulesPath, ... }:
+with lib;
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ (modulesPath + "/virtualisation/digital-ocean-init.nix")
+ ];
+ options.virtualisation.digitalOcean = with types; {
+ setRootPassword = mkOption {
+ type = bool;
+ default = false;
+ example = true;
+ description = "Whether to set the root password from the Digital Ocean metadata";
+ };
+ setSshKeys = mkOption {
+ type = bool;
+ default = true;
+ example = true;
+ description = "Whether to fetch ssh keys from Digital Ocean";
+ };
+ seedEntropy = mkOption {
+ type = bool;
+ default = true;
+ example = true;
+ description = "Whether to run the kernel RNG entropy seeding script from the Digital Ocean vendor data";
+ };
+ };
+ config =
+ let
+ cfg = config.virtualisation.digitalOcean;
+ hostName = config.networking.hostName;
+ doMetadataFile = "/run/do-metadata/v1.json";
+ in mkMerge [{
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/nixos";
+ autoResize = true;
+ fsType = "ext4";
+ };
+ boot = {
+ growPartition = true;
+ kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ];
+ initrd.kernelModules = [ "virtio_scsi" ];
+ kernelModules = [ "virtio_pci" "virtio_net" ];
+ loader = {
+ grub.device = "/dev/vda";
+ timeout = 0;
+ grub.configurationLimit = 0;
+ };
+ };
+ services.openssh = {
+ enable = mkDefault true;
+ passwordAuthentication = mkDefault false;
+ };
+ services.do-agent.enable = mkDefault true;
+ networking = {
+ hostName = mkDefault ""; # use Digital Ocean metadata server
+ };
+
+ /* Check for and wait for the metadata server to become reachable.
+ * This serves as a dependency for all the other metadata services. */
+ systemd.services.digitalocean-metadata = {
+ path = [ pkgs.curl ];
+ description = "Get host metadata provided by Digitalocean";
+ script = ''
+ set -eu
+ DO_DELAY_ATTEMPTS=0
+ while ! curl -fsSL -o $RUNTIME_DIRECTORY/v1.json http://169.254.169.254/metadata/v1.json; do
+ DO_DELAY_ATTEMPTS=$((DO_DELAY_ATTEMPTS + 1))
+ if (( $DO_DELAY_ATTEMPTS >= $DO_DELAY_ATTEMPTS_MAX )); then
+ echo "giving up"
+ exit 1
+ fi
+
+ echo "metadata unavailable, trying again in 1s..."
+ sleep 1
+ done
+ chmod 600 $RUNTIME_DIRECTORY/v1.json
+ '';
+ environment = {
+ DO_DELAY_ATTEMPTS_MAX = "10";
+ };
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ RuntimeDirectory = "do-metadata";
+ RuntimeDirectoryPreserve = "yes";
+ };
+ unitConfig = {
+ ConditionPathExists = "!${doMetadataFile}";
+ After = [ "network-pre.target" ] ++
+ optional config.networking.dhcpcd.enable "dhcpcd.service" ++
+ optional config.systemd.network.enable "systemd-networkd.service";
+ };
+ };
+
+ /* Fetch the root password from the digital ocean metadata.
+ * There is no specific route for this, so we use jq to get
+ * it from the One Big JSON metadata blob */
+ systemd.services.digitalocean-set-root-password = mkIf cfg.setRootPassword {
+ path = [ pkgs.shadow pkgs.jq ];
+ description = "Set root password provided by Digitalocean";
+ wantedBy = [ "multi-user.target" ];
+ script = ''
+ set -eo pipefail
+ ROOT_PASSWORD=$(jq -er '.auth_key' ${doMetadataFile})
+ echo "root:$ROOT_PASSWORD" | chpasswd
+ mkdir -p /etc/do-metadata/set-root-password
+ '';
+ unitConfig = {
+ ConditionPathExists = "!/etc/do-metadata/set-root-password";
+ Before = optional config.services.openssh.enable "sshd.service";
+ After = [ "digitalocean-metadata.service" ];
+ Requires = [ "digitalocean-metadata.service" ];
+ };
+ serviceConfig = {
+ Type = "oneshot";
+ };
+ };
+
+ /* Set the hostname from Digital Ocean, unless the user configured it in
+ * the NixOS configuration. The cached metadata file isn't used here
+ * because the hostname is a mutable part of the droplet. */
+ systemd.services.digitalocean-set-hostname = mkIf (hostName == "") {
+ path = [ pkgs.curl pkgs.nettools ];
+ description = "Set hostname provided by Digitalocean";
+ wantedBy = [ "network.target" ];
+ script = ''
+ set -e
+ DIGITALOCEAN_HOSTNAME=$(curl -fsSL http://169.254.169.254/metadata/v1/hostname)
+ hostname "$DIGITALOCEAN_HOSTNAME"
+ if [[ ! -e /etc/hostname || -w /etc/hostname ]]; then
+ printf "%s\n" "$DIGITALOCEAN_HOSTNAME" > /etc/hostname
+ fi
+ '';
+ unitConfig = {
+ Before = [ "network.target" ];
+ After = [ "digitalocean-metadata.service" ];
+ Wants = [ "digitalocean-metadata.service" ];
+ };
+ serviceConfig = {
+ Type = "oneshot";
+ };
+ };
+
+ /* Fetch the ssh keys for root from Digital Ocean */
+ systemd.services.digitalocean-ssh-keys = mkIf cfg.setSshKeys {
+ description = "Set root ssh keys provided by Digital Ocean";
+ wantedBy = [ "multi-user.target" ];
+ path = [ pkgs.jq ];
+ script = ''
+ set -e
+ mkdir -m 0700 -p /root/.ssh
+ jq -er '.public_keys[]' ${doMetadataFile} > /root/.ssh/authorized_keys
+ chmod 600 /root/.ssh/authorized_keys
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ unitConfig = {
+ ConditionPathExists = "!/root/.ssh/authorized_keys";
+ Before = optional config.services.openssh.enable "sshd.service";
+ After = [ "digitalocean-metadata.service" ];
+ Requires = [ "digitalocean-metadata.service" ];
+ };
+ };
+
+ /* Initialize the RNG by running the entropy-seed script from the
+ * Digital Ocean metadata
+ */
+ systemd.services.digitalocean-entropy-seed = mkIf cfg.seedEntropy {
+ description = "Run the kernel RNG entropy seeding script from the Digital Ocean vendor data";
+ wantedBy = [ "network.target" ];
+ path = [ pkgs.jq pkgs.mpack ];
+ script = ''
+ set -eo pipefail
+ TEMPDIR=$(mktemp -d)
+ jq -er '.vendor_data' ${doMetadataFile} | munpack -tC $TEMPDIR
+ ENTROPY_SEED=$(grep -rl "DigitalOcean Entropy Seed script" $TEMPDIR)
+ ${pkgs.runtimeShell} $ENTROPY_SEED
+ rm -rf $TEMPDIR
+ '';
+ unitConfig = {
+ Before = [ "network.target" ];
+ After = [ "digitalocean-metadata.service" ];
+ Requires = [ "digitalocean-metadata.service" ];
+ };
+ serviceConfig = {
+ Type = "oneshot";
+ };
+ };
+
+ }
+ ];
+ meta.maintainers = with maintainers; [ arianvp eamsden ];
+}
+
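Review bot: In `digitalocean-metadata`, `v1.json` is created by `curl -o` under the unit's default umask and only restricted by the `chmod 600` after the retry loop, so the blob from which `digitalocean-set-root-password` later reads `.auth_key` is briefly readable by other local users, and the runtime directory keeps systemd's default mode. Adding `UMask = "0077";` and `RuntimeDirectoryMode = "0700";` to that unit's `serviceConfig` closes the window without depending on the trailing `chmod`. In `digitalocean-entropy-seed`, `$TEMPDIR` and `$ENTROPY_SEED` are unquoted, `grep -rl` can return zero or several paths, and under `set -e` any failure skips the `rm -rf`. Since this step runs vendor-supplied script text as root, a `trap 'rm -rf "$TEMPDIR"' EXIT` plus a check that exactly one file matched would make it fail predictably.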
diff --git a/nixpkgs/nixos/modules/virtualisation/digital-ocean-image.nix b/nixpkgs/nixos/modules/virtualisation/digital-ocean-image.nix
new file mode 100644
index 00000000000..b582e235d43
--- /dev/null
+++ b/nixpkgs/nixos/modules/virtualisation/digital-ocean-image.nix
@@ -0,0 +1,69 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.virtualisation.digitalOceanImage;
+in
+{
+
+ imports = [ ./digital-ocean-config.nix ];
+
+ options = {
+ virtualisation.digitalOceanImage.diskSize = mkOption {
+ type = with types; int;
+ default = 4096;
+ description = ''
+ Size of disk image. Unit is MB.
+ '';
+ };
+
+ virtualisation.digitalOceanImage.configFile = mkOption {
+ type = with types; nullOr path;
+ default = null;
+ description = ''
+ A path to a configuration file which will be placed at
+ <literal>/etc/nixos/configuration.nix</literal> and be used when switching
+ to a new configuration. If set to <literal>null</literal>, a default
+ configuration is used that imports
+ <literal>(modulesPath + "/virtualisation/digital-ocean-config.nix")</literal>.
+ '';
+ };
+
+ virtualisation.digitalOceanImage.compressionMethod = mkOption {
+ type = types.enum [ "gzip" "bzip2" ];
+ default = "gzip";
+ example = "bzip2";
+ description = ''
+ Disk image compression method. Choose bzip2 to generate smaller images that
+ take longer to generate but will consume less metered storage space on your
+ Digital Ocean account.
+ '';
+ };
+ };
+
+ #### implementation
+ config = {
+
+ system.build.digitalOceanImage = import ../../lib/make-disk-image.nix {
+ name = "digital-ocean-image";
+ format = "qcow2";
+ postVM = let
+ compress = {
+ "gzip" = "${pkgs.gzip}/bin/gzip";
+ "bzip2" = "${pkgs.bzip2}/bin/bzip2";
+ }.${cfg.compressionMethod};
+ in ''
+ ${compress} $diskImage
+ '';
+ configFile = if cfg.configFile == null
+ then config.virtualisation.digitalOcean.defaultConfigFile
+ else cfg.configFile;
+ inherit (cfg) diskSize;
+ inherit config lib pkgs;
+ };
+
+ };
+
+ meta.maintainers = with maintainers; [ arianvp eamsden ];
+
+}
diff --git a/nixpkgs/nixos/modules/virtualisation/digital-ocean-init.nix b/nixpkgs/nixos/modules/virtualisation/digital-ocean-init.nix
new file mode 100644
index 00000000000..02f4de009fa
--- /dev/null
+++ b/nixpkgs/nixos/modules/virtualisation/digital-ocean-init.nix
@@ -0,0 +1,95 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+ cfg = config.virtualisation.digitalOcean;
+ defaultConfigFile = pkgs.writeText "digitalocean-configuration.nix" ''
+ { modulesPath, lib, ... }:
+ {
+ imports = lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix ++ [
+ (modulesPath + "/virtualisation/digital-ocean-config.nix")
+ ];
+ }
+ '';
+in {
+ options.virtualisation.digitalOcean.rebuildFromUserData = mkOption {
+ type = types.bool;
+ default = true;
+ example = true;
+ description = "Whether to reconfigure the system from Digital Ocean user data";
+ };
+ options.virtualisation.digitalOcean.defaultConfigFile = mkOption {
+ type = types.path;
+ default = defaultConfigFile;
+ defaultText = ''
+ The default configuration imports user-data if applicable and
+ <literal>(modulesPath + "/virtualisation/digital-ocean-config.nix")</literal>.
+ '';
+ description = ''
+ A path to a configuration file which will be placed at
+ <literal>/etc/nixos/configuration.nix</literal> and be used when switching to
+ a new configuration.
+ '';
+ };
+
+ config = {
+ systemd.services.digitalocean-init = mkIf cfg.rebuildFromUserData {
+ description = "Reconfigure the system from Digital Ocean userdata on startup";
+ wantedBy = [ "network-online.target" ];
+ unitConfig = {
+ ConditionPathExists = "!/etc/nixos/do-userdata.nix";
+ After = [ "digitalocean-metadata.service" "network-online.target" ];
+ Requires = [ "digitalocean-metadata.service" ];
+ X-StopOnRemoval = false;
+ };
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ restartIfChanged = false;
+ path = [ pkgs.jq pkgs.gnused pkgs.gnugrep pkgs.systemd config.nix.package config.system.build.nixos-rebuild ];
+ environment = {
+ HOME = "/root";
+ NIX_PATH = concatStringsSep ":" [
+ "/nix/var/nix/profiles/per-user/root/channels/nixos"
+ "nixos-config=/etc/nixos/configuration.nix"
+ "/nix/var/nix/profiles/per-user/root/channels"
+ ];
+ };
+ script = ''
+ set -e
+ echo "attempting to fetch configuration from Digital Ocean user data..."
+ userData=$(mktemp)
+ if jq -er '.user_data' /run/do-metadata/v1.json > $userData; then
+ # If the user-data looks like it could be a nix expression,
+ # copy it over. Also, look for a magic three-hash comment and set
+ # that as the channel.
+ if nix-instantiate --parse $userData > /dev/null; then
+ channels="$(grep '^###' "$userData" | sed 's|###\s*||')"
+ printf "%s" "$channels" | while read channel; do
+ echo "writing channel: $channel"
+ done
+
+ if [[ -n "$channels" ]]; then
+ printf "%s" "$channels" > /root/.nix-channels
+ nix-channel --update
+ fi
+
+ echo "setting configuration from Digital Ocean user data"
+ cp "$userData" /etc/nixos/do-userdata.nix
+ if [[ ! -e /etc/nixos/configuration.nix ]]; then
+ install -m0644 ${cfg.defaultConfigFile} /etc/nixos/configuration.nix
+ fi
+ else
+ echo "user data does not appear to be a Nix expression; ignoring"
+ exit
+ fi
+
+ nixos-rebuild switch
+ else
+ echo "no user data is available"
+ fi
+ '';
+ };
+ };
+ meta.maintainers = with maintainers; [ arianvp eamsden ];
+}
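Review bot: The `mktemp` file that receives `.user_data` in `digitalocean-init` is never removed, neither on success, nor on the `exit` in the non-Nix branch, nor when `set -e` aborts, so a copy of the user data (which may carry credentials) is left in the temp directory. Adding `trap 'rm -f "$userData"' EXIT` directly after `userData=$(mktemp)` covers every path, and `$userData` should be quoted in the `jq` redirect and the `nix-instantiate` call. Separately, `/etc/nixos/do-userdata.nix` is copied before `nixos-rebuild switch` runs and the unit's `ConditionPathExists` keys on that file, so a rebuild that fails on first boot is not retried on the next one. Keying the condition on a separate marker written only after the switch succeeds, or stating this in the `rebuildFromUserData` description, would avoid a host that silently stays on the base image configuration.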
diff --git a/nixpkgs/nixos/modules/virtualisation/ec2-amis.nix b/nixpkgs/nixos/modules/virtualisation/ec2-amis.nix
index f640bb21b13..3b4e55d39d7 100644
--- a/nixpkgs/nixos/modules/virtualisation/ec2-amis.nix
+++ b/nixpkgs/nixos/modules/virtualisation/ec2-amis.nix
@@ -291,5 +291,21 @@ let self = {
"19.03".sa-east-1.hvm-ebs = "ami-0c6a43c6e0ad1f4e2";
"19.03".ap-south-1.hvm-ebs = "ami-0303deb1b5890f878";
- latest = self."19.03";
+ # 19.09.981.205691b7cbe
+ "19.09".eu-west-1.hvm-ebs = "ami-0ebd3156e21e9642f";
+ "19.09".eu-west-2.hvm-ebs = "ami-02a2b5480a79084b7";
+ "19.09".eu-west-3.hvm-ebs = "ami-09aa175c7588734f7";
+ "19.09".eu-central-1.hvm-ebs = "ami-00a7fafd7e237a330";
+ "19.09".us-east-1.hvm-ebs = "ami-00a8eeaf232a74f84";
+ "19.09".us-east-2.hvm-ebs = "ami-093efd3a57a1e03a8";
+ "19.09".us-west-1.hvm-ebs = "ami-0913e9a2b677fac30";
+ "19.09".us-west-2.hvm-ebs = "ami-02d9a19f77b47882a";
+ "19.09".ca-central-1.hvm-ebs = "ami-0627dd3f7b3627a29";
+ "19.09".ap-southeast-1.hvm-ebs = "ami-083614e4d08f2164d";
+ "19.09".ap-southeast-2.hvm-ebs = "ami-0048c704185ded6dc";
+ "19.09".ap-northeast-1.hvm-ebs = "ami-0329e7fc2d7f60bd0";
+ "19.09".ap-northeast-2.hvm-ebs = "ami-03d4ae7d0b5fc364f";
+ "19.09".ap-south-1.hvm-ebs = "ami-0b599690b35aeef23";
+
+ latest = self."19.09";
}; in self
diff --git a/nixpkgs/nixos/modules/virtualisation/libvirtd.nix b/nixpkgs/nixos/modules/virtualisation/libvirtd.nix
index 16b79d86919..9bdea78296f 100644
--- a/nixpkgs/nixos/modules/virtualisation/libvirtd.nix
+++ b/nixpkgs/nixos/modules/virtualisation/libvirtd.nix
@@ -146,7 +146,8 @@ in {
# this file is expected in /etc/qemu and not sysconfdir (/var/lib)
etc."qemu/bridge.conf".text = lib.concatMapStringsSep "\n" (e:
"allow ${e}") cfg.allowedBridges;
- systemPackages = with pkgs; [ libvirt libressl.nc cfg.qemuPackage ];
+ systemPackages = with pkgs; [ libvirt libressl.nc iptables cfg.qemuPackage ];
+ etc.ethertypes.source = "${pkgs.iptables}/etc/ethertypes";
};
boot.kernelModules = [ "tun" ];
diff --git a/nixpkgs/nixos/modules/virtualisation/openvswitch.nix b/nixpkgs/nixos/modules/virtualisation/openvswitch.nix
index edec3740230..6b8ad83661f 100644
--- a/nixpkgs/nixos/modules/virtualisation/openvswitch.nix
+++ b/nixpkgs/nixos/modules/virtualisation/openvswitch.nix
@@ -42,6 +42,9 @@ in {
default = false;
description = ''
Whether to start racoon service for openvswitch.
+ Supported only if openvswitch version is less than 2.6.0.
+ Use <literal>virtualisation.vswitch.package = pkgs.openvswitch-lts</literal>
+ for a version that supports ipsec over GRE.
'';
};
};
@@ -89,6 +92,13 @@ in {
"${cfg.package}/share/openvswitch/vswitch.ovsschema"
fi
chmod -R +w /var/db/openvswitch
+ if ${cfg.package}/bin/ovsdb-tool needs-conversion /var/db/openvswitch/conf.db | grep -q "yes"
+ then
+ echo "Performing database upgrade"
+ ${cfg.package}/bin/ovsdb-tool convert /var/db/openvswitch/conf.db
+ else
+ echo "Database already up to date"
+ fi
'';
serviceConfig = {
ExecStart =
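Review bot: The added `needs-conversion ... | grep -q "yes"` test treats a failing `ovsdb-tool` the same as an answer of no, so an unreadable or damaged `conf.db` is logged as "Database already up to date" unless the surrounding script enables `pipefail`, which is not visible in this hunk. Capturing the answer first, `needs=$(${cfg.package}/bin/ovsdb-tool needs-conversion /var/db/openvswitch/conf.db)`, and then testing `[ "$needs" = yes ]` lets the tool's own exit status surface. A one-line comment above the `if`, saying that the database is converted on package upgrade, would also help the next reader. The script body starts and ends outside the hunk.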
@@ -133,7 +143,7 @@ in {
};
}
- (mkIf cfg.ipsec {
+ (mkIf (cfg.ipsec && (versionOlder cfg.package.version "2.6.0")) {
services.racoon.enable = true;
services.racoon.configPath = "${runDir}/ipsec/etc/racoon/racoon.conf";
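Review bot: With the new condition, `ipsec = true` combined with an openvswitch package at 2.6.0 or later silently produces no racoon configuration, so an operator can believe tunnel traffic is protected when nothing was set up. An evaluation-time failure is safer than a silent no-op: `assertions = [{ assertion = cfg.ipsec -> versionOlder cfg.package.version "2.6.0"; message = "virtualisation.vswitch.ipsec requires openvswitch older than 2.6.0 (use pkgs.openvswitch-lts)."; }];`. The `mkIf` block and the enclosing `mkMerge` list continue outside the hunk, so where the assertion goes has to be checked against the full file.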
@@ -172,5 +182,4 @@ in {
'';
};
})]));
-
}
diff --git a/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix b/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix
index ed3431554be..31d332e9f07 100644
--- a/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix
@@ -23,24 +23,56 @@ let
cfg = config.virtualisation;
- qemuGraphics = lib.optionalString (!cfg.graphics) "-nographic";
-
consoles = lib.concatMapStringsSep " " (c: "console=${c}") cfg.qemu.consoles;
- # XXX: This is very ugly and in the future we really should use attribute
- # sets to build ALL of the QEMU flags instead of this mixed mess of Nix
- # expressions and shell script stuff.
- mkDiskIfaceDriveFlag = idx: driveArgs: let
- inherit (cfg.qemu) diskInterface;
- # The drive identifier created by incrementing the index by one using the
- # shell.
- drvId = "drive$((${idx} + 1))";
- # NOTE: DO NOT shell escape, because this may contain shell variables.
- commonArgs = "index=${idx},id=${drvId},${driveArgs}";
- isSCSI = diskInterface == "scsi";
- devArgs = "${diskInterface}-hd,drive=${drvId}";
- args = "-drive ${commonArgs},if=none -device lsi53c895a -device ${devArgs}";
- in if isSCSI then args else "-drive ${commonArgs},if=${diskInterface}";
+ driveOpts = { ... }: {
+
+ options = {
+
+ file = mkOption {
+ type = types.str;
+ description = "The file image used for this drive.";
+ };
+
+ driveExtraOpts = mkOption {
+ type = types.attrsOf types.str;
+ default = {};
+ description = "Extra options passed to drive flag.";
+ };
+
+ deviceExtraOpts = mkOption {
+ type = types.attrsOf types.str;
+ default = {};
+ description = "Extra options passed to device flag.";
+ };
+
+ };
+
+ };
+
+ driveCmdline = idx: { file, driveExtraOpts, deviceExtraOpts, ... }:
+ let
+ drvId = "drive${toString idx}";
+ mkKeyValue = generators.mkKeyValueDefault {} "=";
+ mkOpts = opts: concatStringsSep "," (mapAttrsToList mkKeyValue opts);
+ driveOpts = mkOpts (driveExtraOpts // {
+ index = idx;
+ id = drvId;
+ "if" = "none";
+ inherit file;
+ });
+ deviceOpts = mkOpts (deviceExtraOpts // {
+ drive = drvId;
+ });
+ device =
+ if cfg.qemu.diskInterface == "scsi" then
+ "-device lsi53c895a -device scsi-hd,${deviceOpts}"
+ else
+ "-device virtio-blk-pci,${deviceOpts}";
+ in
+ "-drive ${driveOpts} ${device}";
+
+ drivesCmdLine = drives: concatStringsSep " " (imap1 driveCmdline drives);
# Shell script to start the VM.
startVM =
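Review bot: `driveCmdline` emits `virtio-blk-pci` for every `cfg.qemu.diskInterface` value other than `"scsi"`, whereas the removed `mkDiskIfaceDriveFlag` passed the value through as `if=${diskInterface}`. If the option accepts anything besides `"virtio"` and `"scsi"` (its declaration is outside this hunk), that setting is now ignored without an error. Either restrict the option type to the handled values or fail on an unknown one, e.g. `else if cfg.qemu.diskInterface == "virtio" then "-device virtio-blk-pci,${deviceOpts}" else throw "unsupported virtualisation.qemu.diskInterface"`. The removed comment explaining that drive arguments are deliberately not shell-escaped because they contain shell variables still applies to `file` and both extra-option attrsets, and is worth restoring above `mkOpts`. The inner `driveOpts` binding also shadows the submodule of the same name and could be renamed, for example to `driveFlagOpts`.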
@@ -77,13 +109,11 @@ let
''}
cd $TMPDIR
- idx=2
- extraDisks=""
+ idx=0
${flip concatMapStrings cfg.emptyDiskImages (size: ''
if ! test -e "empty$idx.qcow2"; then
${qemu}/bin/qemu-img create -f qcow2 "empty$idx.qcow2" "${toString size}M"
fi
- extraDisks="$extraDisks ${mkDiskIfaceDriveFlag "$idx" "file=$(pwd)/empty$idx.qcow2,werror=report"}"
idx=$((idx + 1))
'')}
@@ -97,21 +127,7 @@ let
-virtfs local,path=/nix/store,security_model=none,mount_tag=store \
-virtfs local,path=$TMPDIR/xchg,security_model=none,mount_tag=xchg \
-virtfs local,path=''${SHARED_DIR:-$TMPDIR/xchg},security_model=none,mount_tag=shared \
- ${if cfg.useBootLoader then ''
- ${mkDiskIfaceDriveFlag "0" "file=$NIX_DISK_IMAGE,cache=writeback,werror=report"} \
- ${mkDiskIfaceDriveFlag "1" "file=$TMPDIR/disk.img,media=disk"} \
- ${if cfg.useEFIBoot then ''
- -pflash $TMPDIR/bios.bin \
- '' else ''
- ''}
- '' else ''
- ${mkDiskIfaceDriveFlag "0" "file=$NIX_DISK_IMAGE,cache=writeback,werror=report"} \
- -kernel ${config.system.build.toplevel}/kernel \
- -initrd ${config.system.build.toplevel}/initrd \
- -append "$(cat ${config.system.build.toplevel}/kernel-params) init=${config.system.build.toplevel}/init regInfo=${regInfo}/registration ${consoles} $QEMU_KERNEL_PARAMS" \
- ''} \
- $extraDisks \
- ${qemuGraphics} \
+ ${drivesCmdLine config.virtualisation.qemu.drives} \
${toString config.virtualisation.qemu.options} \
$QEMU_OPTS \
"$@"
@@ -367,6 +383,12 @@ in
'';
};
+ drives =
+ mkOption {
+ type = types.listOf (types.submodule driveOpts);
+ description = "Drives passed to qemu.";
+ };
+
diskInterface =
mkOption {
default = "virtio";
@@ -476,8 +498,49 @@ in
# FIXME: Consolidate this one day.
virtualisation.qemu.options = mkMerge [
- (mkIf (pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64) [ "-vga std" "-usb" "-device usb-tablet,bus=usb-bus.0" ])
- (mkIf (pkgs.stdenv.isAarch32 || pkgs.stdenv.isAarch64) [ "-device virtio-gpu-pci" "-device usb-ehci,id=usb0" "-device usb-kbd" "-device usb-tablet" ])
+ (mkIf (pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64) [
+ "-vga std" "-usb" "-device usb-tablet,bus=usb-bus.0"
+ ])
+ (mkIf (pkgs.stdenv.isAarch32 || pkgs.stdenv.isAarch64) [
+ "-device virtio-gpu-pci" "-device usb-ehci,id=usb0" "-device usb-kbd" "-device usb-tablet"
+ ])
+ (mkIf (!cfg.useBootLoader) [
+ "-kernel ${config.system.build.toplevel}/kernel"
+ "-initrd ${config.system.build.toplevel}/initrd"
+ ''-append "$(cat ${config.system.build.toplevel}/kernel-params) init=${config.system.build.toplevel}/init regInfo=${regInfo}/registration ${consoles} $QEMU_KERNEL_PARAMS"''
+ ])
+ (mkIf cfg.useEFIBoot [
+ "-pflash $TMPDIR/bios.bin"
+ ])
+ (mkIf (!cfg.graphics) [
+ "-nographic"
+ ])
+ ];
+
+ virtualisation.qemu.drives = mkMerge [
+ (mkIf cfg.useBootLoader [
+ {
+ file = "$NIX_DISK_IMAGE";
+ driveExtraOpts.cache = "writeback";
+ driveExtraOpts.werror = "report";
+ }
+ {
+ file = "$TMPDIR/disk.img";
+ driveExtraOpts.media = "disk";
+ deviceExtraOpts.bootindex = "1";
+ }
+ ])
+ (mkIf (!cfg.useBootLoader) [
+ {
+ file = "$NIX_DISK_IMAGE";
+ driveExtraOpts.cache = "writeback";
+ driveExtraOpts.werror = "report";
+ }
+ ])
+ (imap0 (idx: _: {
+ file = "$(pwd)/empty${toString idx}.qcow2";
+ driveExtraOpts.werror = "report";
+ }) cfg.emptyDiskImages)
];
# Mount the host filesystem via 9P, and bind-mount the Nix store
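Review bot: `-pflash $TMPDIR/bios.bin` is now added whenever `cfg.useEFIBoot` is set, while the removed shell template emitted it only inside the `cfg.useBootLoader` branch. If `bios.bin` is prepared only on the boot-loader path (that code is outside this hunk), a configuration with `useEFIBoot` but without `useBootLoader` would start QEMU pointing at a missing flash file. `(mkIf (cfg.useBootLoader && cfg.useEFIBoot) [ "-pflash $TMPDIR/bios.bin" ])` keeps the previous behaviour. The `"$(pwd)/empty${toString idx}.qcow2"` entries also rely on the start script's `cd $TMPDIR` and its zero-based `idx` counter staying in step with `imap0`; a short comment next to the `imap0` call stating that coupling would help.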
@@ -557,7 +620,7 @@ in
# Wireless won't work in the VM.
networking.wireless.enable = mkVMOverride false;
- networking.connman.enable = mkVMOverride false;
+ services.connman.enable = mkVMOverride false;
# Speed up booting by not waiting for ARP.
networking.dhcpcd.extraConfig = "noarp";
diff --git a/nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix b/nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix
index 6081d4153a6..ddb0a7bda4f 100644
--- a/nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix
+++ b/nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix
@@ -149,5 +149,12 @@ in
# Make sure NetworkManager won't assume this interface being up
# means we have internet access.
networking.networkmanager.unmanaged = ["vboxnet0"];
- })]);
+ }) (mkIf config.networking.useNetworkd {
+ systemd.network.networks."40-vboxnet0".extraConfig = ''
+ [Link]
+ RequiredForOnline=no
+ '';
+ })
+
+]);
}
diff --git a/nixpkgs/nixos/release-combined.nix b/nixpkgs/nixos/release-combined.nix
index 9e2109d88b5..678ce3c2880 100644
--- a/nixpkgs/nixos/release-combined.nix
+++ b/nixpkgs/nixos/release-combined.nix
@@ -63,8 +63,7 @@ in rec {
#(all nixos.tests.containers)
(all nixos.tests.containers-imperative)
- (all nixos.tests.containers-ipv4)
- (all nixos.tests.containers-ipv6)
+ (all nixos.tests.containers-ip)
nixos.tests.chromium.x86_64-linux or []
(all nixos.tests.firefox)
(all nixos.tests.firewall)
@@ -133,11 +132,9 @@ in rec {
(all nixos.tests.proxy)
(all nixos.tests.sddm.default)
(all nixos.tests.simple)
- (all nixos.tests.slim)
(all nixos.tests.switchTest)
(all nixos.tests.udisks2)
(all nixos.tests.xfce)
- (all nixos.tests.xfce4-14)
nixpkgs.tarball
(all allSupportedNixpkgs.emacs)
diff --git a/nixpkgs/nixos/release-small.nix b/nixpkgs/nixos/release-small.nix
index 84af457801a..74c16e990f3 100644
--- a/nixpkgs/nixos/release-small.nix
+++ b/nixpkgs/nixos/release-small.nix
@@ -32,8 +32,7 @@ in rec {
tests = {
inherit (nixos'.tests)
containers-imperative
- containers-ipv4
- containers-ipv6
+ containers-ip
firewall
ipv6
login
diff --git a/nixpkgs/nixos/tests/acme.nix b/nixpkgs/nixos/tests/acme.nix
index 8cfdea4a16e..6bd315ff1ea 100644
--- a/nixpkgs/nixos/tests/acme.nix
+++ b/nixpkgs/nixos/tests/acme.nix
@@ -1,6 +1,6 @@
let
commonConfig = ./common/letsencrypt/common.nix;
-in import ./make-test.nix {
+in import ./make-test-python.nix {
name = "acme";
nodes = rec {
@@ -12,8 +12,11 @@ in import ./make-test.nix {
networking.extraHosts = ''
${config.networking.primaryIPAddress} standalone.com
'';
- security.acme.certs."standalone.com" = {
- webroot = "/var/lib/acme/acme-challenges";
+ security.acme = {
+ server = "https://acme-v02.api.letsencrypt.org/dir";
+ certs."standalone.com" = {
+ webroot = "/var/lib/acme/acme-challenges";
+ };
};
systemd.targets."acme-finished-standalone.com" = {};
systemd.services."acme-standalone.com" = {
@@ -54,6 +57,8 @@ in import ./make-test.nix {
'';
};
+ security.acme.server = "https://acme-v02.api.letsencrypt.org/dir";
+
nesting.clone = [
({pkgs, ...}: {
@@ -80,36 +85,49 @@ in import ./make-test.nix {
client = commonConfig;
};
- testScript = {nodes, ...}:
+ testScript = {nodes, ...}:
let
newServerSystem = nodes.webserver2.config.system.build.toplevel;
switchToNewServer = "${newServerSystem}/bin/switch-to-configuration test";
in
- # Note, waitForUnit does not work for oneshot services that do not have RemainAfterExit=true,
+ # Note, wait_for_unit does not work for oneshot services that do not have RemainAfterExit=true,
# this is because a oneshot goes from inactive => activating => inactive, and never
# reaches the active state. To work around this, we create some mock target units which
# get pulled in by the oneshot units. The target units linger after activation, and hence we
# can use them to probe that a oneshot fired. It is a bit ugly, but it is the best we can do
''
- $client->waitForUnit("default.target");
- $letsencrypt->waitForUnit("default.target");
- $letsencrypt->waitForUnit("boulder.service");
-
- subtest "can request certificate with HTTPS-01 challenge", sub {
- $acmeStandalone->waitForUnit("default.target");
- $acmeStandalone->succeed("systemctl start acme-standalone.com.service");
- $acmeStandalone->waitForUnit("acme-finished-standalone.com.target");
- };
+ client.start()
+ letsencrypt.start()
+ acmeStandalone.start()
- subtest "Can request certificate for nginx service", sub {
- $webserver->waitForUnit("acme-finished-a.example.com.target");
- $client->succeed('curl https://a.example.com/ | grep -qF "hello world"');
- };
+ letsencrypt.wait_for_unit("default.target")
+ letsencrypt.wait_for_unit("pebble.service")
- subtest "Can add another certificate for nginx service", sub {
- $webserver->succeed("/run/current-system/fine-tune/child-1/bin/switch-to-configuration test");
- $webserver->waitForUnit("acme-finished-b.example.com.target");
- $client->succeed('curl https://b.example.com/ | grep -qF "hello world"');
- };
+ with subtest("can request certificate with HTTPS-01 challenge"):
+ acmeStandalone.wait_for_unit("default.target")
+ acmeStandalone.succeed("systemctl start acme-standalone.com.service")
+ acmeStandalone.wait_for_unit("acme-finished-standalone.com.target")
+
+ client.wait_for_unit("default.target")
+
+ client.succeed("curl https://acme-v02.api.letsencrypt.org:15000/roots/0 > /tmp/ca.crt")
+ client.succeed(
+ "curl https://acme-v02.api.letsencrypt.org:15000/intermediate-keys/0 >> /tmp/ca.crt"
+ )
+
+ with subtest("Can request certificate for nginx service"):
+ webserver.wait_for_unit("acme-finished-a.example.com.target")
+ client.succeed(
+ "curl --cacert /tmp/ca.crt https://a.example.com/ | grep -qF 'hello world'"
+ )
+
+ with subtest("Can add another certificate for nginx service"):
+ webserver.succeed(
+ "/run/current-system/fine-tune/child-1/bin/switch-to-configuration test"
+ )
+ webserver.wait_for_unit("acme-finished-b.example.com.target")
+ client.succeed(
+ "curl --cacert /tmp/ca.crt https://b.example.com/ | grep -qF 'hello world'"
+ )
'';
}
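Review bot: The two `curl` calls that build `/tmp/ca.crt` run without `--fail`, so an HTTP error body from the test ACME server's `:15000` endpoint would be written into the bundle while `client.succeed` still passes, moving the failure to the later `--cacert` requests where it is harder to diagnose. Using `--fail` on both, e.g. `client.succeed("curl --fail https://acme-v02.api.letsencrypt.org:15000/roots/0 > /tmp/ca.crt")`, stops the test at the real cause. A comment stating which trust anchor lets the client verify that endpoint before `/tmp/ca.crt` exists (presumably one installed by `common/letsencrypt/common.nix`, which is not shown here) would make the certificate chain of the test easier to follow.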
diff --git a/nixpkgs/nixos/tests/all-tests.nix b/nixpkgs/nixos/tests/all-tests.nix
index e94c9712cbf..df65ef249e8 100644
--- a/nixpkgs/nixos/tests/all-tests.nix
+++ b/nixpkgs/nixos/tests/all-tests.nix
@@ -28,7 +28,7 @@ in
babeld = handleTest ./babeld.nix {};
bcachefs = handleTestOn ["x86_64-linux"] ./bcachefs.nix {}; # linux-4.18.2018.10.12 is unsupported on aarch64
beanstalkd = handleTest ./beanstalkd.nix {};
- beegfs = handleTestOn ["x86_64-linux"] ./beegfs.nix {}; # beegfs is unsupported on aarch64
+ bees = handleTest ./bees.nix {};
bind = handleTest ./bind.nix {};
bittorrent = handleTest ./bittorrent.nix {};
#blivet = handleTest ./blivet.nix {}; # broken since 2017-07024
@@ -39,7 +39,8 @@ in
caddy = handleTest ./caddy.nix {};
cadvisor = handleTestOn ["x86_64-linux"] ./cadvisor.nix {};
cassandra = handleTest ./cassandra.nix {};
- ceph = handleTestOn ["x86_64-linux"] ./ceph.nix {};
+ ceph-single-node = handleTestOn ["x86_64-linux"] ./ceph-single-node.nix {};
+ ceph-multi-node = handleTestOn ["x86_64-linux"] ./ceph-multi-node.nix {};
certmgr = handleTest ./certmgr.nix {};
cfssl = handleTestOn ["x86_64-linux"] ./cfssl.nix {};
chromium = (handleTestOn ["x86_64-linux"] ./chromium.nix {}).stable or {};
@@ -47,14 +48,12 @@ in
clickhouse = handleTest ./clickhouse.nix {};
cloud-init = handleTest ./cloud-init.nix {};
codimd = handleTest ./codimd.nix {};
- colord = handleTest ./colord.nix {};
containers-bridge = handleTest ./containers-bridge.nix {};
containers-ephemeral = handleTest ./containers-ephemeral.nix {};
containers-extra_veth = handleTest ./containers-extra_veth.nix {};
containers-hosts = handleTest ./containers-hosts.nix {};
containers-imperative = handleTest ./containers-imperative.nix {};
- containers-ipv4 = handleTest ./containers-ipv4.nix {};
- containers-ipv6 = handleTest ./containers-ipv6.nix {};
+ containers-ip = handleTest ./containers-ip.nix {};
containers-macvlans = handleTest ./containers-macvlans.nix {};
containers-physical_interfaces = handleTest ./containers-physical_interfaces.nix {};
containers-restart_networking = handleTest ./containers-restart_networking.nix {};
@@ -81,31 +80,26 @@ in
env = handleTest ./env.nix {};
etcd = handleTestOn ["x86_64-linux"] ./etcd.nix {};
etcd-cluster = handleTestOn ["x86_64-linux"] ./etcd-cluster.nix {};
+ fancontrol = handleTest ./fancontrol.nix {};
ferm = handleTest ./ferm.nix {};
firefox = handleTest ./firefox.nix {};
firewall = handleTest ./firewall.nix {};
fish = handleTest ./fish.nix {};
flannel = handleTestOn ["x86_64-linux"] ./flannel.nix {};
- flatpak = handleTest ./flatpak.nix {};
- flatpak-builder = handleTest ./flatpak-builder.nix {};
fluentd = handleTest ./fluentd.nix {};
fontconfig-default-fonts = handleTest ./fontconfig-default-fonts.nix {};
fsck = handleTest ./fsck.nix {};
- fwupd = handleTestOn ["x86_64-linux"] ./fwupd.nix {}; # libsmbios is unsupported on aarch64
- gdk-pixbuf = handleTest ./gdk-pixbuf.nix {};
+ gotify-server = handleTest ./gotify-server.nix {};
gitea = handleTest ./gitea.nix {};
gitlab = handleTest ./gitlab.nix {};
gitolite = handleTest ./gitolite.nix {};
- gjs = handleTest ./gjs.nix {};
- glib-networking = handleTest ./glib-networking.nix {};
glusterfs = handleTest ./glusterfs.nix {};
gnome3-xorg = handleTest ./gnome3-xorg.nix {};
gnome3 = handleTest ./gnome3.nix {};
- gnome-photos = handleTest ./gnome-photos.nix {};
+ installed-tests = pkgs.recurseIntoAttrs (handleTest ./installed-tests {});
gocd-agent = handleTest ./gocd-agent.nix {};
gocd-server = handleTest ./gocd-server.nix {};
google-oslogin = handleTest ./google-oslogin {};
- graphene = handleTest ./graphene.nix {};
grafana = handleTest ./grafana.nix {};
graphite = handleTest ./graphite.nix {};
graylog = handleTest ./graylog.nix {};
@@ -132,7 +126,6 @@ in
jackett = handleTest ./jackett.nix {};
jellyfin = handleTest ./jellyfin.nix {};
jenkins = handleTest ./jenkins.nix {};
- jormungandr = handleTest ./jormungandr.nix {};
kafka = handleTest ./kafka.nix {};
kerberos = handleTest ./kerberos/default.nix {};
kernel-latest = handleTest ./kernel-latest.nix {};
@@ -147,16 +140,17 @@ in
latestKernel.login = handleTest ./login.nix { latestKernel = true; };
ldap = handleTest ./ldap.nix {};
leaps = handleTest ./leaps.nix {};
- libgdata = handleTest ./libgdata.nix {};
- libxmlb = handleTest ./libxmlb.nix {};
lidarr = handleTest ./lidarr.nix {};
lightdm = handleTest ./lightdm.nix {};
limesurvey = handleTest ./limesurvey.nix {};
login = handleTest ./login.nix {};
loki = handleTest ./loki.nix {};
#logstash = handleTest ./logstash.nix {};
+ lorri = handleTest ./lorri/default.nix {};
+ magnetico = handleTest ./magnetico.nix {};
mailcatcher = handleTest ./mailcatcher.nix {};
mathics = handleTest ./mathics.nix {};
+ matomo = handleTest ./matomo.nix {};
matrix-synapse = handleTest ./matrix-synapse.nix {};
mediawiki = handleTest ./mediawiki.nix {};
memcached = handleTest ./memcached.nix {};
@@ -166,6 +160,7 @@ in
minio = handleTest ./minio.nix {};
minidlna = handleTest ./minidlna.nix {};
misc = handleTest ./misc.nix {};
+ moinmoin = handleTest ./moinmoin.nix {};
mongodb = handleTest ./mongodb.nix {};
moodle = handleTest ./moodle.nix {};
morty = handleTest ./morty.nix {};
@@ -201,16 +196,16 @@ in
novacomd = handleTestOn ["x86_64-linux"] ./novacomd.nix {};
nsd = handleTest ./nsd.nix {};
nzbget = handleTest ./nzbget.nix {};
+ openarena = handleTest ./openarena.nix {};
openldap = handleTest ./openldap.nix {};
opensmtpd = handleTest ./opensmtpd.nix {};
openssh = handleTest ./openssh.nix {};
# openstack-image-userdata doesn't work in a sandbox as the simulated openstack instance needs network access
#openstack-image-userdata = (handleTestOn ["x86_64-linux"] ./openstack-image.nix {}).userdata or {};
openstack-image-metadata = (handleTestOn ["x86_64-linux"] ./openstack-image.nix {}).metadata or {};
+ orangefs = handleTest ./orangefs.nix {};
os-prober = handleTestOn ["x86_64-linux"] ./os-prober.nix {};
- osquery = handleTest ./osquery.nix {};
osrm-backend = handleTest ./osrm-backend.nix {};
- ostree = handleTest ./ostree.nix {};
overlayfs = handleTest ./overlayfs.nix {};
packagekit = handleTest ./packagekit.nix {};
pam-oath-login = handleTest ./pam-oath-login.nix {};
@@ -236,7 +231,6 @@ in
prosodyMysql = handleTest ./xmpp/prosody-mysql.nix {};
proxy = handleTest ./proxy.nix {};
quagga = handleTest ./quagga.nix {};
- quake3 = handleTest ./quake3.nix {};
rabbitmq = handleTest ./rabbitmq.nix {};
radarr = handleTest ./radarr.nix {};
radicale = handleTest ./radicale.nix {};
@@ -250,9 +244,9 @@ in
rxe = handleTest ./rxe.nix {};
samba = handleTest ./samba.nix {};
sddm = handleTest ./sddm.nix {};
+ shiori = handleTest ./shiori.nix {};
signal-desktop = handleTest ./signal-desktop.nix {};
simple = handleTest ./simple.nix {};
- slim = handleTest ./slim.nix {};
slurm = handleTest ./slurm.nix {};
smokeping = handleTest ./smokeping.nix {};
snapper = handleTest ./snapper.nix {};
@@ -267,6 +261,7 @@ in
systemd-confinement = handleTest ./systemd-confinement.nix {};
systemd-timesyncd = handleTest ./systemd-timesyncd.nix {};
systemd-networkd-wireguard = handleTest ./systemd-networkd-wireguard.nix {};
+ systemd-nspawn = handleTest ./systemd-nspawn.nix {};
pdns-recursor = handleTest ./pdns-recursor.nix {};
taskserver = handleTest ./taskserver.nix {};
telegraf = handleTest ./telegraf.nix {};
@@ -274,7 +269,9 @@ in
tinydns = handleTest ./tinydns.nix {};
tor = handleTest ./tor.nix {};
transmission = handleTest ./transmission.nix {};
+ trac = handleTest ./trac.nix {};
trezord = handleTest ./trezord.nix {};
+ trickster = handleTest ./trickster.nix {};
udisks2 = handleTest ./udisks2.nix {};
upnp = handleTest ./upnp.nix {};
uwsgi = handleTest ./uwsgi.nix {};
@@ -282,14 +279,14 @@ in
virtualbox = handleTestOn ["x86_64-linux"] ./virtualbox.nix {};
wireguard = handleTest ./wireguard {};
wireguard-generated = handleTest ./wireguard/generated.nix {};
+ wireguard-namespaces = handleTest ./wireguard/namespaces.nix {};
wordpress = handleTest ./wordpress.nix {};
xautolock = handleTest ./xautolock.nix {};
- xdg-desktop-portal = handleTest ./xdg-desktop-portal.nix {};
xfce = handleTest ./xfce.nix {};
- xfce4-14 = handleTest ./xfce4-14.nix {};
xmonad = handleTest ./xmonad.nix {};
xrdp = handleTest ./xrdp.nix {};
xss-lock = handleTest ./xss-lock.nix {};
yabar = handleTest ./yabar.nix {};
+ yggdrasil = handleTest ./yggdrasil.nix {};
zookeeper = handleTest ./zookeeper.nix {};
}
diff --git a/nixpkgs/nixos/tests/ammonite.nix b/nixpkgs/nixos/tests/ammonite.nix
index fedfde233e8..1955e42be5f 100644
--- a/nixpkgs/nixos/tests/ammonite.nix
+++ b/nixpkgs/nixos/tests/ammonite.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "ammonite";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ nequissimus ];
@@ -13,8 +13,8 @@ import ./make-test.nix ({ pkgs, ...} : {
};
testScript = ''
- startAll;
+ start_all()
- $amm->succeed("amm -c 'val foo = 21; println(foo * 2)' | grep 42")
+ amm.succeed("amm -c 'val foo = 21; println(foo * 2)' | grep 42")
'';
})
diff --git a/nixpkgs/nixos/tests/atd.nix b/nixpkgs/nixos/tests/atd.nix
index 25db7279924..c3abe5c253d 100644
--- a/nixpkgs/nixos/tests/atd.nix
+++ b/nixpkgs/nixos/tests/atd.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }:
+import ./make-test-python.nix ({ pkgs, ... }:
{
name = "atd";
@@ -14,18 +14,18 @@ import ./make-test.nix ({ pkgs, ... }:
# "at" has a resolution of 1 minute
testScript = ''
- startAll;
+ start_all()
- $machine->waitForUnit('atd.service'); # wait for atd to start
- $machine->fail("test -f ~root/at-1");
- $machine->fail("test -f ~alice/at-1");
+ machine.wait_for_unit("atd.service") # wait for atd to start
+ machine.fail("test -f ~root/at-1")
+ machine.fail("test -f ~alice/at-1")
- $machine->succeed("echo 'touch ~root/at-1' | at now+1min");
- $machine->succeed("su - alice -c \"echo 'touch at-1' | at now+1min\"");
+ machine.succeed("echo 'touch ~root/at-1' | at now+1min")
+ machine.succeed("su - alice -c \"echo 'touch at-1' | at now+1min\"")
- $machine->succeed("sleep 1.5m");
+ machine.succeed("sleep 1.5m")
- $machine->succeed("test -f ~root/at-1");
- $machine->succeed("test -f ~alice/at-1");
+ machine.succeed("test -f ~root/at-1")
+ machine.succeed("test -f ~alice/at-1")
'';
})
diff --git a/nixpkgs/nixos/tests/automysqlbackup.nix b/nixpkgs/nixos/tests/automysqlbackup.nix
index ada104a34de..224b93862fb 100644
--- a/nixpkgs/nixos/tests/automysqlbackup.nix
+++ b/nixpkgs/nixos/tests/automysqlbackup.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, lib, ... }:
+import ./make-test-python.nix ({ pkgs, lib, ... }:
{
name = "automysqlbackup";
@@ -15,20 +15,24 @@ import ./make-test.nix ({ pkgs, lib, ... }:
};
testScript = ''
- startAll;
+ start_all()
# Need to have mysql started so that it can be populated with data.
- $machine->waitForUnit("mysql.service");
-
- # Wait for testdb to be fully populated (5 rows).
- $machine->waitUntilSucceeds("mysql -u root -D testdb -N -B -e 'select count(id) from tests' | grep -q 5");
-
- # Do a backup and wait for it to start
- $machine->startJob("automysqlbackup.service");
- $machine->waitForJob("automysqlbackup.service");
-
- # wait for backup file and check that data appears in backup
- $machine->waitForFile("/var/backup/mysql/daily/testdb");
- $machine->succeed("${pkgs.gzip}/bin/zcat /var/backup/mysql/daily/testdb/daily_testdb_*.sql.gz | grep hello");
+ machine.wait_for_unit("mysql.service")
+
+ with subtest("Wait for testdb to be fully populated (5 rows)."):
+ machine.wait_until_succeeds(
+ "mysql -u root -D testdb -N -B -e 'select count(id) from tests' | grep -q 5"
+ )
+
+ with subtest("Do a backup and wait for it to start"):
+ machine.start_job("automysqlbackup.service")
+ machine.wait_for_job("automysqlbackup.service")
+
+ with subtest("wait for backup file and check that data appears in backup"):
+ machine.wait_for_file("/var/backup/mysql/daily/testdb")
+ machine.succeed(
+ "${pkgs.gzip}/bin/zcat /var/backup/mysql/daily/testdb/daily_testdb_*.sql.gz | grep hello"
+ )
'';
})
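Review bot: The row-count check in the first subtest, `grep -q 5`, matches any output that contains the digit 5 (15, 50, 105), so it does not pin the "5 rows" named in the subtest title. Anchoring the match to the whole line makes the wait end only when the count is exactly five: `"mysql -u root -D testdb -N -B -e 'select count(id) from tests' | grep -qx 5"`. The Perl line this replaces had the same pattern, so the port carries the loose match over.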
diff --git a/nixpkgs/nixos/tests/avahi.nix b/nixpkgs/nixos/tests/avahi.nix
index ae4f54d5266..fe027c14d5a 100644
--- a/nixpkgs/nixos/tests/avahi.nix
+++ b/nixpkgs/nixos/tests/avahi.nix
@@ -1,5 +1,5 @@
# Test whether `avahi-daemon' and `libnss-mdns' work as expected.
-import ./make-test.nix ({ pkgs, ... } : {
+import ./make-test-python.nix ({ pkgs, ... } : {
name = "avahi";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ eelco ];
@@ -23,45 +23,45 @@ import ./make-test.nix ({ pkgs, ... } : {
two = cfg;
};
- testScript =
- '' startAll;
+ testScript = ''
+ start_all()
- # mDNS.
- $one->waitForUnit("network.target");
- $two->waitForUnit("network.target");
+ # mDNS.
+ one.wait_for_unit("network.target")
+ two.wait_for_unit("network.target")
- $one->succeed("avahi-resolve-host-name one.local | tee out >&2");
- $one->succeed("test \"`cut -f1 < out`\" = one.local");
- $one->succeed("avahi-resolve-host-name two.local | tee out >&2");
- $one->succeed("test \"`cut -f1 < out`\" = two.local");
+ one.succeed("avahi-resolve-host-name one.local | tee out >&2")
+ one.succeed('test "`cut -f1 < out`" = one.local')
+ one.succeed("avahi-resolve-host-name two.local | tee out >&2")
+ one.succeed('test "`cut -f1 < out`" = two.local')
- $two->succeed("avahi-resolve-host-name one.local | tee out >&2");
- $two->succeed("test \"`cut -f1 < out`\" = one.local");
- $two->succeed("avahi-resolve-host-name two.local | tee out >&2");
- $two->succeed("test \"`cut -f1 < out`\" = two.local");
+ two.succeed("avahi-resolve-host-name one.local | tee out >&2")
+ two.succeed('test "`cut -f1 < out`" = one.local')
+ two.succeed("avahi-resolve-host-name two.local | tee out >&2")
+ two.succeed('test "`cut -f1 < out`" = two.local')
- # Basic DNS-SD.
- $one->succeed("avahi-browse -r -t _workstation._tcp | tee out >&2");
- $one->succeed("test `wc -l < out` -gt 0");
- $two->succeed("avahi-browse -r -t _workstation._tcp | tee out >&2");
- $two->succeed("test `wc -l < out` -gt 0");
+ # Basic DNS-SD.
+ one.succeed("avahi-browse -r -t _workstation._tcp | tee out >&2")
+ one.succeed("test `wc -l < out` -gt 0")
+ two.succeed("avahi-browse -r -t _workstation._tcp | tee out >&2")
+ two.succeed("test `wc -l < out` -gt 0")
- # More DNS-SD.
- $one->execute("avahi-publish -s \"This is a test\" _test._tcp 123 one=1 &");
- $one->sleep(5);
- $two->succeed("avahi-browse -r -t _test._tcp | tee out >&2");
- $two->succeed("test `wc -l < out` -gt 0");
+ # More DNS-SD.
+ one.execute('avahi-publish -s "This is a test" _test._tcp 123 one=1 &')
+ one.sleep(5)
+ two.succeed("avahi-browse -r -t _test._tcp | tee out >&2")
+ two.succeed("test `wc -l < out` -gt 0")
- # NSS-mDNS.
- $one->succeed("getent hosts one.local >&2");
- $one->succeed("getent hosts two.local >&2");
- $two->succeed("getent hosts one.local >&2");
- $two->succeed("getent hosts two.local >&2");
+ # NSS-mDNS.
+ one.succeed("getent hosts one.local >&2")
+ one.succeed("getent hosts two.local >&2")
+ two.succeed("getent hosts one.local >&2")
+ two.succeed("getent hosts two.local >&2")
- # extra service definitions
- $one->succeed("avahi-browse -r -t _ssh._tcp | tee out >&2");
- $one->succeed("test `wc -l < out` -gt 0");
- $two->succeed("avahi-browse -r -t _ssh._tcp | tee out >&2");
- $two->succeed("test `wc -l < out` -gt 0");
- '';
+ # extra service definitions
+ one.succeed("avahi-browse -r -t _ssh._tcp | tee out >&2")
+ one.succeed("test `wc -l < out` -gt 0")
+ two.succeed("avahi-browse -r -t _ssh._tcp | tee out >&2")
+ two.succeed("test `wc -l < out` -gt 0")
+ '';
})
diff --git a/nixpkgs/nixos/tests/babeld.nix b/nixpkgs/nixos/tests/babeld.nix
index 5242cf395d7..fafa788ba57 100644
--- a/nixpkgs/nixos/tests/babeld.nix
+++ b/nixpkgs/nixos/tests/babeld.nix
@@ -1,5 +1,5 @@
-import ./make-test.nix ({ pkgs, lib, ...} : {
+import ./make-test-python.nix ({ pkgs, lib, ...} : {
name = "babeld";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ hexa ];
@@ -21,7 +21,7 @@ import ./make-test.nix ({ pkgs, lib, ...} : {
};
};
- localRouter = { pkgs, lib, ... }:
+ local_router = { pkgs, lib, ... }:
{
virtualisation.vlans = [ 10 20 ];
@@ -70,7 +70,7 @@ import ./make-test.nix ({ pkgs, lib, ...} : {
'';
};
};
- remoteRouter = { pkgs, lib, ... }:
+ remote_router = { pkgs, lib, ... }:
{
virtualisation.vlans = [ 20 30 ];
@@ -124,25 +124,25 @@ import ./make-test.nix ({ pkgs, lib, ...} : {
testScript =
''
- startAll;
+ start_all()
- $client->waitForUnit("network-online.target");
- $localRouter->waitForUnit("network-online.target");
- $remoteRouter->waitForUnit("network-online.target");
+ client.wait_for_unit("network-online.target")
+ local_router.wait_for_unit("network-online.target")
+ remote_router.wait_for_unit("network-online.target")
- $localRouter->waitForUnit("babeld.service");
- $remoteRouter->waitForUnit("babeld.service");
+ local_router.wait_for_unit("babeld.service")
+ remote_router.wait_for_unit("babeld.service")
- $localRouter->waitUntilSucceeds("ip route get 192.168.30.1");
- $localRouter->waitUntilSucceeds("ip route get 2001:db8:30::1");
+ local_router.wait_until_succeeds("ip route get 192.168.30.1")
+ local_router.wait_until_succeeds("ip route get 2001:db8:30::1")
- $remoteRouter->waitUntilSucceeds("ip route get 192.168.10.1");
- $remoteRouter->waitUntilSucceeds("ip route get 2001:db8:10::1");
+ remote_router.wait_until_succeeds("ip route get 192.168.10.1")
+ remote_router.wait_until_succeeds("ip route get 2001:db8:10::1")
- $client->succeed("ping -c1 192.168.30.1");
- $client->succeed("ping -c1 2001:db8:30::1");
+ client.succeed("ping -c1 192.168.30.1")
+ client.succeed("ping -c1 2001:db8:30::1")
- $remoteRouter->succeed("ping -c1 192.168.10.2");
- $remoteRouter->succeed("ping -c1 2001:db8:10::2");
+ remote_router.succeed("ping -c1 192.168.10.2")
+ remote_router.succeed("ping -c1 2001:db8:10::2")
'';
})
diff --git a/nixpkgs/nixos/tests/bcachefs.nix b/nixpkgs/nixos/tests/bcachefs.nix
index 658676ef0ab..0541e580322 100644
--- a/nixpkgs/nixos/tests/bcachefs.nix
+++ b/nixpkgs/nixos/tests/bcachefs.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }: {
+import ./make-test-python.nix ({ pkgs, ... }: {
name = "bcachefs";
meta.maintainers = with pkgs.stdenv.lib.maintainers; [ chiiruno ];
@@ -10,29 +10,25 @@ import ./make-test.nix ({ pkgs, ... }: {
};
testScript = ''
- $machine->succeed("modprobe bcachefs");
- $machine->succeed("bcachefs version");
- $machine->succeed("ls /dev");
+ machine.succeed("modprobe bcachefs")
+ machine.succeed("bcachefs version")
+ machine.succeed("ls /dev")
- $machine->succeed(
- "mkdir /tmp/mnt",
-
- "udevadm settle",
- "parted --script /dev/vdb mklabel msdos",
- "parted --script /dev/vdb -- mkpart primary 1024M -1s",
- "udevadm settle",
-
- # Due to #32279, we cannot use encryption for this test yet
- # "echo password | bcachefs format --encrypted /dev/vdb1",
- # "echo password | bcachefs unlock /dev/vdb1",
- "bcachefs format /dev/vdb1",
- "mount -t bcachefs /dev/vdb1 /tmp/mnt",
- "udevadm settle",
-
- "bcachefs fs usage /tmp/mnt",
-
- "umount /tmp/mnt",
- "udevadm settle"
- );
+ machine.succeed(
+ "mkdir /tmp/mnt",
+ "udevadm settle",
+ "parted --script /dev/vdb mklabel msdos",
+ "parted --script /dev/vdb -- mkpart primary 1024M -1s",
+ "udevadm settle",
+ # Due to #32279, we cannot use encryption for this test yet
+ # "echo password | bcachefs format --encrypted /dev/vdb1",
+ # "echo password | bcachefs unlock /dev/vdb1",
+ "bcachefs format /dev/vdb1",
+ "mount -t bcachefs /dev/vdb1 /tmp/mnt",
+ "udevadm settle",
+ "bcachefs fs usage /tmp/mnt",
+ "umount /tmp/mnt",
+ "udevadm settle",
+ )
'';
})
diff --git a/nixpkgs/nixos/tests/beanstalkd.nix b/nixpkgs/nixos/tests/beanstalkd.nix
index fa2fbc2c92a..4f4a454fb47 100644
--- a/nixpkgs/nixos/tests/beanstalkd.nix
+++ b/nixpkgs/nixos/tests/beanstalkd.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, lib, ... }:
+import ./make-test-python.nix ({ pkgs, lib, ... }:
let
pythonEnv = pkgs.python3.withPackages (p: [p.beanstalkc]);
@@ -34,12 +34,16 @@ in
};
testScript = ''
- startAll;
+ start_all()
- $machine->waitForUnit('beanstalkd.service');
+ machine.wait_for_unit("beanstalkd.service")
- $machine->succeed("${produce}");
- $machine->succeed("${consume}") eq "this is a job\n" or die;
- $machine->succeed("${consume}") eq "this is another job\n" or die;
+ machine.succeed("${produce}")
+ assert "this is a job\n" == machine.succeed(
+ "${consume}"
+ )
+ assert "this is another job\n" == machine.succeed(
+ "${consume}"
+ )
'';
})
diff --git a/nixpkgs/nixos/tests/beegfs.nix b/nixpkgs/nixos/tests/beegfs.nix
deleted file mode 100644
index 3465272f559..00000000000
--- a/nixpkgs/nixos/tests/beegfs.nix
+++ /dev/null
@@ -1,115 +0,0 @@
-import ./make-test.nix ({ ... } :
-
-let
- connAuthFile="beegfs/auth-def.key";
-
- client = { pkgs, ... } : {
- networking.firewall.enable = false;
- services.beegfsEnable = true;
- services.beegfs.default = {
- mgmtdHost = "mgmt";
- connAuthFile = "/etc/${connAuthFile}";
- client = {
- mount = false;
- enable = true;
- };
- };
-
- fileSystems = pkgs.lib.mkVMOverride # FIXME: this should be creatd by the module
- [ { mountPoint = "/beegfs";
- device = "default";
- fsType = "beegfs";
- options = [ "cfgFile=/etc/beegfs/client-default.conf" "_netdev" ];
- }
- ];
-
- environment.etc.${connAuthFile} = {
- enable = true;
- text = "ThisIsALousySecret";
- mode = "0600";
- };
- };
-
-
- server = service : { pkgs, ... } : {
- networking.firewall.enable = false;
- boot.initrd.postDeviceCommands = ''
- ${pkgs.e2fsprogs}/bin/mkfs.ext4 -L data /dev/vdb
- '';
-
- virtualisation.emptyDiskImages = [ 4096 ];
-
- fileSystems = pkgs.lib.mkVMOverride
- [ { mountPoint = "/data";
- device = "/dev/disk/by-label/data";
- fsType = "ext4";
- }
- ];
-
- environment.systemPackages = with pkgs; [ beegfs ];
- environment.etc.${connAuthFile} = {
- enable = true;
- text = "ThisIsALousySecret";
- mode = "0600";
- };
-
- services.beegfsEnable = true;
- services.beegfs.default = {
- mgmtdHost = "mgmt";
- connAuthFile = "/etc/${connAuthFile}";
- ${service} = {
- enable = true;
- storeDir = "/data";
- };
- };
- };
-
-in
-{
- name = "beegfs";
-
- nodes = {
- meta = server "meta";
- mgmt = server "mgmtd";
- storage1 = server "storage";
- storage2 = server "storage";
- client1 = client;
- client2 = client;
- };
-
- testScript = ''
- # Initalize the data directories
- $mgmt->waitForUnit("default.target");
- $mgmt->succeed("beegfs-setup-mgmtd -C -f -p /data");
- $mgmt->succeed("systemctl start beegfs-mgmtd-default");
-
- $meta->waitForUnit("default.target");
- $meta->succeed("beegfs-setup-meta -C -f -s 1 -p /data");
- $meta->succeed("systemctl start beegfs-meta-default");
-
- $storage1->waitForUnit("default.target");
- $storage1->succeed("beegfs-setup-storage -C -f -s 1 -i 1 -p /data");
- $storage1->succeed("systemctl start beegfs-storage-default");
-
- $storage2->waitForUnit("default.target");
- $storage2->succeed("beegfs-setup-storage -C -f -s 2 -i 2 -p /data");
- $storage2->succeed("systemctl start beegfs-storage-default");
-
- #
-
- # Basic test
- $client1->waitForUnit("beegfs.mount");
- $client1->succeed("beegfs-check-servers-default");
- $client1->succeed("echo test > /beegfs/test");
- $client2->waitForUnit("beegfs.mount");
- $client2->succeed("test -e /beegfs/test");
- $client2->succeed("cat /beegfs/test | grep test");
-
- # test raid0/stripping
- $client1->succeed("dd if=/dev/urandom bs=1M count=10 of=/beegfs/striped");
- $client2->succeed("cat /beegfs/striped > /dev/null");
-
- # check if fs is still healthy
- $client1->succeed("beegfs-fsck-default --checkfs");
- '';
-})
diff --git a/nixpkgs/nixos/tests/bees.nix b/nixpkgs/nixos/tests/bees.nix
index 6f68c2f834f..6e6a9c3446b 100644
--- a/nixpkgs/nixos/tests/bees.nix
+++ b/nixpkgs/nixos/tests/bees.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ lib, ... }:
+import ./make-test-python.nix ({ lib, pkgs, ... }:
{
name = "bees";
@@ -29,27 +29,34 @@ import ./make-test.nix ({ lib, ... }:
testScript =
let
- withRetry = content: maxTests: sleepTime: ''
- max_tests=${lib.escapeShellArg maxTests}; sleep_time=${lib.escapeShellArg sleepTime}; for ((i=0; i<max_tests; i++)); do ${content} && exit 0; sleep "$sleep_time"; done; exit 1;
+ someContentIsShared = loc: pkgs.writeShellScript "some-content-is-shared" ''
+ [[ $(btrfs fi du -s --raw ${lib.escapeShellArg loc}/dedup-me-{1,2} | awk 'BEGIN { count=0; } NR>1 && $3 == 0 { count++ } END { print count }') -eq 0 ]]
'';
- someContentIsShared = loc: ''[[ $(btrfs fi du -s --raw ${lib.escapeShellArg loc}/dedup-me-{1,2} | awk 'BEGIN { count=0; } NR>1 && $3 == 0 { count++ } END { print count }') -eq 0 ]]'';
in ''
# shut down the instance started by systemd at boot, so we can test our test procedure
- $machine->succeed("systemctl stop beesd\@aux1.service");
+ machine.succeed("systemctl stop beesd@aux1.service")
- $machine->succeed("dd if=/dev/urandom of=/aux1/dedup-me-1 bs=1M count=8");
- $machine->succeed("cp --reflink=never /aux1/dedup-me-1 /aux1/dedup-me-2");
- $machine->succeed("cp --reflink=never /aux1/* /aux2/");
- $machine->succeed("sync");
- $machine->fail(q(${someContentIsShared "/aux1"}));
- $machine->fail(q(${someContentIsShared "/aux2"}));
- $machine->succeed("systemctl start beesd\@aux1.service");
+ machine.succeed(
+ "dd if=/dev/urandom of=/aux1/dedup-me-1 bs=1M count=8",
+ "cp --reflink=never /aux1/dedup-me-1 /aux1/dedup-me-2",
+ "cp --reflink=never /aux1/* /aux2/",
+ "sync",
+ )
+ machine.fail(
+ "${someContentIsShared "/aux1"}",
+ "${someContentIsShared "/aux2"}",
+ )
+ machine.succeed("systemctl start beesd@aux1.service")
# assert that "Set Shared" column is nonzero
- $machine->succeed(q(${withRetry (someContentIsShared "/aux1") 20 2}));
- $machine->fail(q(${someContentIsShared "/aux2"}));
+ machine.wait_until_succeeds(
+ "${someContentIsShared "/aux1"}",
+ )
+ machine.fail("${someContentIsShared "/aux2"}")
# assert that 16MB hash table size requested was honored
- $machine->succeed(q([[ $(stat -c %s /aux1/.beeshome/beeshash.dat) = $(( 16 * 1024 * 1024)) ]]))
+ machine.succeed(
+ "[[ $(stat -c %s /aux1/.beeshome/beeshash.dat) = $(( 16 * 1024 * 1024)) ]]"
+ )
'';
})
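Review bot: Replacing `withRetry (someContentIsShared "/aux1") 20 2` with `machine.wait_until_succeeds(...)` drops the explicit bound of 20 tries at 2 s each. How long a non-deduplicating beesd keeps the test waiting now depends on the driver's default retry limit, which is not visible in this hunk. If the driver's `wait_until_succeeds` accepts a timeout, pass one here. Otherwise record the change above the call with a comment such as `# retry budget is now the test driver's default, previously 20 x 2s`.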
diff --git a/nixpkgs/nixos/tests/bind.nix b/nixpkgs/nixos/tests/bind.nix
index 1f8c1dc7be4..09917b15a8e 100644
--- a/nixpkgs/nixos/tests/bind.nix
+++ b/nixpkgs/nixos/tests/bind.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix {
+import ./make-test-python.nix {
name = "bind";
machine = { pkgs, lib, ... }: {
@@ -20,8 +20,8 @@ import ./make-test.nix {
};
testScript = ''
- $machine->waitForUnit('bind.service');
- $machine->waitForOpenPort(53);
- $machine->succeed('host 192.168.0.1 127.0.0.1 | grep -qF ns.example.org');
+ machine.wait_for_unit("bind.service")
+ machine.wait_for_open_port(53)
+ machine.succeed("host 192.168.0.1 127.0.0.1 | grep -qF ns.example.org")
'';
}
diff --git a/nixpkgs/nixos/tests/bittorrent.nix b/nixpkgs/nixos/tests/bittorrent.nix
index 3b1169a1b7f..e5be652c711 100644
--- a/nixpkgs/nixos/tests/bittorrent.nix
+++ b/nixpkgs/nixos/tests/bittorrent.nix
@@ -6,7 +6,7 @@
# which only works if the first client successfully uses the UPnP-IGD
# protocol to poke a hole in the NAT.
-import ./make-test.nix ({ pkgs, ... }:
+import ./make-test-python.nix ({ pkgs, ... }:
let
@@ -108,42 +108,56 @@ in
testScript =
{ nodes, ... }:
''
- startAll;
+ start_all()
# Wait for network and miniupnpd.
- $router->waitForUnit("network-online.target");
- $router->waitForUnit("miniupnpd");
+ router.wait_for_unit("network-online.target")
+ router.wait_for_unit("miniupnpd")
# Create the torrent.
- $tracker->succeed("mkdir /tmp/data");
- $tracker->succeed("cp ${file} /tmp/data/test.tar.bz2");
- $tracker->succeed("transmission-create /tmp/data/test.tar.bz2 --private --tracker http://${externalTrackerAddress}:6969/announce --outfile /tmp/test.torrent");
- $tracker->succeed("chmod 644 /tmp/test.torrent");
+ tracker.succeed("mkdir /tmp/data")
+ tracker.succeed(
+ "cp ${file} /tmp/data/test.tar.bz2"
+ )
+ tracker.succeed(
+ "transmission-create /tmp/data/test.tar.bz2 --private --tracker http://${externalTrackerAddress}:6969/announce --outfile /tmp/test.torrent"
+ )
+ tracker.succeed("chmod 644 /tmp/test.torrent")
# Start the tracker. !!! use a less crappy tracker
- $tracker->waitForUnit("network-online.target");
- $tracker->waitForUnit("opentracker.service");
- $tracker->waitForOpenPort(6969);
+ tracker.wait_for_unit("network-online.target")
+ tracker.wait_for_unit("opentracker.service")
+ tracker.wait_for_open_port(6969)
# Start the initial seeder.
- $tracker->succeed("transmission-remote --add /tmp/test.torrent --no-portmap --no-dht --download-dir /tmp/data");
+ tracker.succeed(
+ "transmission-remote --add /tmp/test.torrent --no-portmap --no-dht --download-dir /tmp/data"
+ )
# Now we should be able to download from the client behind the NAT.
- $tracker->waitForUnit("httpd");
- $client1->waitForUnit("network-online.target");
- $client1->succeed("transmission-remote --add http://${externalTrackerAddress}/test.torrent --download-dir /tmp >&2 &");
- $client1->waitForFile("/tmp/test.tar.bz2");
- $client1->succeed("cmp /tmp/test.tar.bz2 ${file}");
+ tracker.wait_for_unit("httpd")
+ client1.wait_for_unit("network-online.target")
+ client1.succeed(
+ "transmission-remote --add http://${externalTrackerAddress}/test.torrent --download-dir /tmp >&2 &"
+ )
+ client1.wait_for_file("/tmp/test.tar.bz2")
+ client1.succeed(
+ "cmp /tmp/test.tar.bz2 ${file}"
+ )
# Bring down the initial seeder.
- # $tracker->stopJob("transmission");
+ # tracker.stop_job("transmission")
# Now download from the second client. This can only succeed if
# the first client created a NAT hole in the router.
- $client2->waitForUnit("network-online.target");
- $client2->succeed("transmission-remote --add http://${externalTrackerAddress}/test.torrent --no-portmap --no-dht --download-dir /tmp >&2 &");
- $client2->waitForFile("/tmp/test.tar.bz2");
- $client2->succeed("cmp /tmp/test.tar.bz2 ${file}");
+ client2.wait_for_unit("network-online.target")
+ client2.succeed(
+ "transmission-remote --add http://${externalTrackerAddress}/test.torrent --no-portmap --no-dht --download-dir /tmp >&2 &"
+ )
+ client2.wait_for_file("/tmp/test.tar.bz2")
+ client2.succeed(
+ "cmp /tmp/test.tar.bz2 ${file}"
+ )
'';
})
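Review bot: The step under `# Bring down the initial seeder.` is still commented out (`# tracker.stop_job("transmission")`), so the tracker keeps seeding while `client2` downloads. If `client2` can reach that seeder directly, the second download would succeed without the UPnP-IGD mapping from `client1`; the network layout is defined outside this hunk, so this is inferred. In that case the comment "This can only succeed if the first client created a NAT hole in the router" would not hold, and the test would not exercise the NAT traversal it is meant to cover. Either re-enable the stop with the new API or state why it stays disabled, e.g. `# seeder intentionally left running: <reason>`.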
diff --git a/nixpkgs/nixos/tests/boot-stage1.nix b/nixpkgs/nixos/tests/boot-stage1.nix
index b2e74bff6fc..cfb2ccb8285 100644
--- a/nixpkgs/nixos/tests/boot-stage1.nix
+++ b/nixpkgs/nixos/tests/boot-stage1.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }: {
+import ./make-test-python.nix ({ pkgs, ... }: {
name = "boot-stage1";
machine = { config, pkgs, lib, ... }: {
@@ -150,12 +150,12 @@ import ./make-test.nix ({ pkgs, ... }: {
};
testScript = ''
- $machine->waitForUnit("multi-user.target");
- $machine->succeed('test -s /run/canary2.pid');
- $machine->fail('pgrep -a canary1');
- $machine->fail('kill -0 $(< /run/canary2.pid)');
- $machine->succeed('pgrep -a -f \'^@canary3$\''');
- $machine->succeed('pgrep -a -f \'^kcanary$\''');
+ machine.wait_for_unit("multi-user.target")
+ machine.succeed("test -s /run/canary2.pid")
+ machine.fail("pgrep -a canary1")
+ machine.fail("kill -0 $(< /run/canary2.pid)")
+ machine.succeed('pgrep -a -f "^@canary3$"')
+ machine.succeed('pgrep -a -f "^kcanary$"')
'';
meta.maintainers = with pkgs.stdenv.lib.maintainers; [ aszlig ];
diff --git a/nixpkgs/nixos/tests/boot.nix b/nixpkgs/nixos/tests/boot.nix
index 57d8006d7ac..c5040f3b31f 100644
--- a/nixpkgs/nixos/tests/boot.nix
+++ b/nixpkgs/nixos/tests/boot.nix
@@ -3,7 +3,7 @@
pkgs ? import ../.. { inherit system config; }
}:
-with import ../lib/testing.nix { inherit system pkgs; };
+with import ../lib/testing-python.nix { inherit system pkgs; };
with pkgs.lib;
let
@@ -17,11 +17,11 @@ let
];
}).config.system.build.isoImage;
- perlAttrs = params: "{ ${concatStringsSep ", " (mapAttrsToList (name: param: "${name} => ${builtins.toJSON param}") params)} }";
+ pythonDict = params: "\n {\n ${concatStringsSep ",\n " (mapAttrsToList (name: param: "\"${name}\": \"${param}\"") params)},\n }\n";
makeBootTest = name: extraConfig:
let
- machineConfig = perlAttrs ({ qemuFlags = "-m 768"; } // extraConfig);
+ machineConfig = pythonDict ({ qemuFlags = "-m 768"; } // extraConfig);
in
makeTest {
inherit iso;
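Review bot: `pythonDict` interpolates each value as `\"${param}\"`, where the `perlAttrs` it replaces used `builtins.toJSON param`. A value containing a double quote or backslash now lands unescaped in the generated Python literal, and a non-string value is no longer accepted by the interpolation. The values visible here are plain strings (`qemuFlags`, and `netBackendArgs` in the netboot hunk further down), but `extraConfig` is merged in from callers outside this hunk. Keeping the JSON encoding preserves the escaping: `(name: param: "${builtins.toJSON name}: ${builtins.toJSON param}")`. That form is only correct for string values, since JSON `true` and `null` are not Python literals.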
@@ -29,16 +29,16 @@ let
nodes = { };
testScript =
''
- my $machine = createMachine(${machineConfig});
- $machine->start;
- $machine->waitForUnit("multi-user.target");
- $machine->succeed("nix verify -r --no-trust /run/current-system");
+ machine = create_machine(${machineConfig})
+ machine.start()
+ machine.wait_for_unit("multi-user.target")
+ machine.succeed("nix verify -r --no-trust /run/current-system")
- # Test whether the channel got installed correctly.
- $machine->succeed("nix-instantiate --dry-run '<nixpkgs>' -A hello");
- $machine->succeed("nix-env --dry-run -iA nixos.procps");
+ with subtest("Check whether the channel got installed correctly"):
+ machine.succeed("nix-instantiate --dry-run '<nixpkgs>' -A hello")
+ machine.succeed("nix-env --dry-run -iA nixos.procps")
- $machine->shutdown;
+ machine.shutdown()
'';
};
@@ -60,7 +60,7 @@ let
config.system.build.netbootIpxeScript
];
};
- machineConfig = perlAttrs ({
+ machineConfig = pythonDict ({
qemuFlags = "-boot order=n -m 2000";
netBackendArgs = "tftp=${ipxeBootDir},bootfile=netboot.ipxe";
} // extraConfig);
@@ -68,12 +68,11 @@ let
makeTest {
name = "boot-netboot-" + name;
nodes = { };
- testScript =
- ''
- my $machine = createMachine(${machineConfig});
- $machine->start;
- $machine->waitForUnit("multi-user.target");
- $machine->shutdown;
+ testScript = ''
+ machine = create_machine(${machineConfig})
+ machine.start()
+ machine.wait_for_unit("multi-user.target")
+ machine.shutdown()
'';
};
in {
diff --git a/nixpkgs/nixos/tests/borgbackup.nix b/nixpkgs/nixos/tests/borgbackup.nix
index 165f64b0d6d..d97471e293e 100644
--- a/nixpkgs/nixos/tests/borgbackup.nix
+++ b/nixpkgs/nixos/tests/borgbackup.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }:
+import ./make-test-python.nix ({ pkgs, ... }:
let
passphrase = "supersecret";
@@ -106,60 +106,70 @@ in {
};
testScript = ''
- startAll;
-
- $client->fail('test -d "${remoteRepo}"');
-
- $client->succeed("cp ${privateKey} /root/id_ed25519");
- $client->succeed("chmod 0600 /root/id_ed25519");
- $client->succeed("cp ${privateKeyAppendOnly} /root/id_ed25519.appendOnly");
- $client->succeed("chmod 0600 /root/id_ed25519.appendOnly");
-
- $client->succeed("mkdir -p ${dataDir}");
- $client->succeed("touch ${dataDir}/${excludeFile}");
- $client->succeed("echo '${keepFileData}' > ${dataDir}/${keepFile}");
-
- subtest "local", sub {
- my $borg = "BORG_PASSPHRASE='${passphrase}' borg";
- $client->systemctl("start --wait borgbackup-job-local");
- $client->fail("systemctl is-failed borgbackup-job-local");
- # Make sure exactly one archive has been created
- $client->succeed("c=\$($borg list '${localRepo}' | wc -l) && [[ \$c == '1' ]]");
- # Make sure excludeFile has been excluded
- $client->fail("$borg list '${localRepo}::${archiveName}' | grep -qF '${excludeFile}'");
- # Make sure keepFile has the correct content
- $client->succeed("$borg extract '${localRepo}::${archiveName}'");
- $client->succeed('c=$(cat ${dataDir}/${keepFile}) && [[ "$c" == "${keepFileData}" ]]');
- # Make sure the same is true when using `borg mount`
- $client->succeed("mkdir -p /mnt/borg && $borg mount '${localRepo}::${archiveName}' /mnt/borg");
- $client->succeed('c=$(cat /mnt/borg/${dataDir}/${keepFile}) && [[ "$c" == "${keepFileData}" ]]');
- };
-
- subtest "remote", sub {
- my $borg = "BORG_RSH='ssh -oStrictHostKeyChecking=no -i /root/id_ed25519' borg";
- $server->waitForUnit("sshd.service");
- $client->waitForUnit("network.target");
- $client->systemctl("start --wait borgbackup-job-remote");
- $client->fail("systemctl is-failed borgbackup-job-remote");
-
- # Make sure we can't access repos other than the specified one
- $client->fail("$borg list borg\@server:wrong");
-
- #TODO: Make sure that data is actually deleted
- };
-
- subtest "remoteAppendOnly", sub {
- my $borg = "BORG_RSH='ssh -oStrictHostKeyChecking=no -i /root/id_ed25519.appendOnly' borg";
- $server->waitForUnit("sshd.service");
- $client->waitForUnit("network.target");
- $client->systemctl("start --wait borgbackup-job-remoteAppendOnly");
- $client->fail("systemctl is-failed borgbackup-job-remoteAppendOnly");
-
- # Make sure we can't access repos other than the specified one
- $client->fail("$borg list borg\@server:wrong");
-
- #TODO: Make sure that data is not actually deleted
- };
-
+ start_all()
+
+ client.fail('test -d "${remoteRepo}"')
+
+ client.succeed(
+ "cp ${privateKey} /root/id_ed25519"
+ )
+ client.succeed("chmod 0600 /root/id_ed25519")
+ client.succeed(
+ "cp ${privateKeyAppendOnly} /root/id_ed25519.appendOnly"
+ )
+ client.succeed("chmod 0600 /root/id_ed25519.appendOnly")
+
+ client.succeed("mkdir -p ${dataDir}")
+ client.succeed("touch ${dataDir}/${excludeFile}")
+ client.succeed("echo '${keepFileData}' > ${dataDir}/${keepFile}")
+
+ with subtest("local"):
+ borg = "BORG_PASSPHRASE='${passphrase}' borg"
+ client.systemctl("start --wait borgbackup-job-local")
+ client.fail("systemctl is-failed borgbackup-job-local")
+ # Make sure exactly one archive has been created
+ assert int(client.succeed("{} list '${localRepo}' | wc -l".format(borg))) > 0
+ # Make sure excludeFile has been excluded
+ client.fail(
+ "{} list '${localRepo}::${archiveName}' | grep -qF '${excludeFile}'".format(borg)
+ )
+ # Make sure keepFile has the correct content
+ client.succeed("{} extract '${localRepo}::${archiveName}'".format(borg))
+ assert "${keepFileData}" in client.succeed("cat ${dataDir}/${keepFile}")
+ # Make sure the same is true when using `borg mount`
+ client.succeed(
+ "mkdir -p /mnt/borg && {} mount '${localRepo}::${archiveName}' /mnt/borg".format(
+ borg
+ )
+ )
+ assert "${keepFileData}" in client.succeed(
+ "cat /mnt/borg/${dataDir}/${keepFile}"
+ )
+
+ with subtest("remote"):
+ borg = "BORG_RSH='ssh -oStrictHostKeyChecking=no -i /root/id_ed25519' borg"
+ server.wait_for_unit("sshd.service")
+ client.wait_for_unit("network.target")
+ client.systemctl("start --wait borgbackup-job-remote")
+ client.fail("systemctl is-failed borgbackup-job-remote")
+
+ # Make sure we can't access repos other than the specified one
+ client.fail("{} list borg\@server:wrong".format(borg))
+
+ # TODO: Make sure that data is actually deleted
+
+ with subtest("remoteAppendOnly"):
+ borg = (
+ "BORG_RSH='ssh -oStrictHostKeyChecking=no -i /root/id_ed25519.appendOnly' borg"
+ )
+ server.wait_for_unit("sshd.service")
+ client.wait_for_unit("network.target")
+ client.systemctl("start --wait borgbackup-job-remoteAppendOnly")
+ client.fail("systemctl is-failed borgbackup-job-remoteAppendOnly")
+
+ # Make sure we can't access repos other than the specified one
+ client.fail("{} list borg\@server:wrong".format(borg))
+
+ # TODO: Make sure that data is not actually deleted
'';
})
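Review bot: The "local" subtest now asserts less than its own comment promises. The comment says "Make sure exactly one archive has been created", but the new check is `> 0`, where the removed Perl line compared the count to `'1'`. I would restore the exact check with `assert int(client.succeed("{} list '${localRepo}' | wc -l".format(borg))) == 1`. The two keepFile checks were also relaxed from string equality to substring containment (`"${keepFileData}" in ...`), so extra or corrupted content around the expected data would still pass; comparing `client.succeed(...).strip()` with `"${keepFileData}"` keeps the original strength.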
diff --git a/nixpkgs/nixos/tests/caddy.nix b/nixpkgs/nixos/tests/caddy.nix
index ab9d2fbf4d1..fc10df0c79b 100644
--- a/nixpkgs/nixos/tests/caddy.nix
+++ b/nixpkgs/nixos/tests/caddy.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }: {
+import ./make-test-python.nix ({ pkgs, ... }: {
name = "caddy";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ xfix ];
@@ -50,33 +50,38 @@ import ./make-test.nix ({ pkgs, ... }: {
etagSystem = "${nodes.webserver.config.system.build.toplevel}/fine-tune/child-1";
justReloadSystem = "${nodes.webserver.config.system.build.toplevel}/fine-tune/child-2";
in ''
- my $url = 'http://localhost/example.html';
- $webserver->waitForUnit("caddy");
- $webserver->waitForOpenPort("80");
+ url = "http://localhost/example.html"
+ webserver.wait_for_unit("caddy")
+ webserver.wait_for_open_port("80")
- sub checkEtag {
- my $etag = $webserver->succeed(
- 'curl -v '.$url.' 2>&1 | sed -n -e "s/^< [Ee][Tt][Aa][Gg]: *//p"'
- );
- $etag =~ s/\r?\n$//;
- my $httpCode = $webserver->succeed(
- 'curl -w "%{http_code}" -X HEAD -H \'If-None-Match: '.$etag.'\' '.$url
- );
- die "HTTP code is not 304" unless $httpCode == 304;
- return $etag;
- }
- subtest "check ETag if serving Nix store paths", sub {
- my $oldEtag = checkEtag;
- $webserver->succeed("${etagSystem}/bin/switch-to-configuration test >&2");
- $webserver->sleep(1); # race condition
- my $newEtag = checkEtag;
- die "Old ETag $oldEtag is the same as $newEtag" if $oldEtag eq $newEtag;
- };
+ def check_etag(url):
+ etag = webserver.succeed(
+ "curl -v '{}' 2>&1 | sed -n -e \"s/^< [Ee][Tt][Aa][Gg]: *//p\"".format(url)
+ )
+ etag = etag.replace("\r\n", " ")
+ http_code = webserver.succeed(
+ "curl -w \"%{{http_code}}\" -X HEAD -H 'If-None-Match: {}' {}".format(etag, url)
+ )
+ assert int(http_code) == 304, "HTTP code is not 304"
+ return etag
- subtest "config is reloaded on nixos-rebuild switch", sub {
- $webserver->succeed("${justReloadSystem}/bin/switch-to-configuration test >&2");
- $webserver->waitForOpenPort("8080");
- };
+
+ with subtest("check ETag if serving Nix store paths"):
+ old_etag = check_etag(url)
+ webserver.succeed(
+ "${etagSystem}/bin/switch-to-configuration test >&2"
+ )
+ webserver.sleep(1)
+ new_etag = check_etag(url)
+ assert old_etag != new_etag, "Old ETag {} is the same as {}".format(
+ old_etag, new_etag
+ )
+
+ with subtest("config is reloaded on nixos-rebuild switch"):
+ webserver.succeed(
+ "${justReloadSystem}/bin/switch-to-configuration test >&2"
+ )
+ webserver.wait_for_open_port("8080")
'';
})
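Review bot: In `check_etag`, `etag = etag.replace("\r\n", " ")` does not reproduce the removed `s/\r?\n$//`. It turns the trailing CRLF into a space instead of dropping it, and it leaves a bare `\n` in place. The value is then interpolated into the single-quoted `If-None-Match` header of the second curl call, so the header carries that trailing whitespace (or an embedded newline) and the 304 check presumably passes only because the server tolerates it. I would use `etag = etag.rstrip("\r\n")`. The `# race condition` remark on the Perl `sleep(1)` was also dropped; keeping it as `webserver.sleep(1)  # race condition` tells the next reader why the sleep is there.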
diff --git a/nixpkgs/nixos/tests/cadvisor.nix b/nixpkgs/nixos/tests/cadvisor.nix
index e60bae4b700..60c04f14780 100644
--- a/nixpkgs/nixos/tests/cadvisor.nix
+++ b/nixpkgs/nixos/tests/cadvisor.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... } : {
+import ./make-test-python.nix ({ pkgs, ... } : {
name = "cadvisor";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ offline ];
@@ -16,20 +16,19 @@ import ./make-test.nix ({ pkgs, ... } : {
};
};
- testScript =
- ''
- startAll;
- $machine->waitForUnit("cadvisor.service");
- $machine->succeed("curl http://localhost:8080/containers/");
+ testScript = ''
+ start_all()
+ machine.wait_for_unit("cadvisor.service")
+ machine.succeed("curl http://localhost:8080/containers/")
- $influxdb->waitForUnit("influxdb.service");
+ influxdb.wait_for_unit("influxdb.service")
# create influxdb database
- $influxdb->succeed(q~
- curl -XPOST http://localhost:8086/query --data-urlencode "q=CREATE DATABASE root"
- ~);
+ influxdb.succeed(
+ 'curl -XPOST http://localhost:8086/query --data-urlencode "q=CREATE DATABASE root"'
+ )
- $influxdb->waitForUnit("cadvisor.service");
- $influxdb->succeed("curl http://localhost:8080/containers/");
+ influxdb.wait_for_unit("cadvisor.service")
+ influxdb.succeed("curl http://localhost:8080/containers/")
'';
})
diff --git a/nixpkgs/nixos/tests/cassandra.nix b/nixpkgs/nixos/tests/cassandra.nix
index c55733c9be7..05607956a9d 100644
--- a/nixpkgs/nixos/tests/cassandra.nix
+++ b/nixpkgs/nixos/tests/cassandra.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, lib, ... }:
+import ./make-test-python.nix ({ pkgs, lib, ... }:
let
# Change this to test a different version of Cassandra:
testPackage = pkgs.cassandra;
@@ -9,13 +9,16 @@ let
jmxRolesFile = ./cassandra-jmx-roles;
jmxAuthArgs = "-u ${(builtins.elemAt jmxRoles 0).username} -pw ${(builtins.elemAt jmxRoles 0).password}";
jmxPort = 7200; # Non-standard port so it doesn't accidentally work
+ jmxPortStr = toString jmxPort;
- # Would usually be assigned to 512M
+ # Would usually be assigned to 512M.
+ # Set it to a different value, so that we can check whether our config
+ # actually changes it.
numMaxHeapSize = "400";
getHeapLimitCommand = ''
- nodetool info -p ${toString jmxPort} | grep "^Heap Memory" | awk \'{print $NF}\'
+ nodetool info -p ${jmxPortStr} | grep "^Heap Memory" | awk '{print $NF}'
'';
- checkHeapLimitCommand = ''
+ checkHeapLimitCommand = pkgs.writeShellScript "check-heap-limit.sh" ''
[ 1 -eq "$(echo "$(${getHeapLimitCommand}) < ${numMaxHeapSize}" | ${pkgs.bc}/bin/bc)" ]
'';
@@ -44,7 +47,10 @@ let
};
in
{
- name = "cassandra-ci";
+ name = "cassandra";
+ meta = {
+ maintainers = with lib.maintainers; [ johnazoidberg ];
+ };
nodes = {
cass0 = nodeCfg "192.168.1.1" {};
@@ -52,66 +58,74 @@ in
cass2 = nodeCfg "192.168.1.3" { jvmOpts = [ "-Dcassandra.replace_address=cass1" ]; };
};
- testScript = let
- jmxPortS = toString jmxPort;
- in ''
+ testScript = ''
# Check configuration
- subtest "Timers exist", sub {
- $cass0->succeed("systemctl list-timers | grep cassandra-full-repair.timer");
- $cass0->succeed("systemctl list-timers | grep cassandra-incremental-repair.timer");
- };
- subtest "Can connect via cqlsh", sub {
- $cass0->waitForUnit("cassandra.service");
- $cass0->waitUntilSucceeds("nc -z cass0 9042");
- $cass0->succeed("echo 'show version;' | cqlsh cass0");
- };
- subtest "Nodetool is operational", sub {
- $cass0->waitForUnit("cassandra.service");
- $cass0->waitUntilSucceeds("nc -z localhost ${jmxPortS}");
- $cass0->succeed("nodetool status -p ${jmxPortS} --resolve-ip | egrep '^UN[[:space:]]+cass0'");
- };
- subtest "Cluster name was set", sub {
- $cass0->waitForUnit("cassandra.service");
- $cass0->waitUntilSucceeds("nc -z localhost ${jmxPortS}");
- $cass0->waitUntilSucceeds("nodetool describecluster -p ${jmxPortS} | grep 'Name: ${clusterName}'");
- };
- subtest "Heap limit set correctly", sub {
- # Nodetool takes a while until it can display info
- $cass0->waitUntilSucceeds('nodetool info -p ${jmxPortS}');
- $cass0->succeed('${checkHeapLimitCommand}');
- };
+ with subtest("Timers exist"):
+ cass0.succeed("systemctl list-timers | grep cassandra-full-repair.timer")
+ cass0.succeed("systemctl list-timers | grep cassandra-incremental-repair.timer")
+
+ with subtest("Can connect via cqlsh"):
+ cass0.wait_for_unit("cassandra.service")
+ cass0.wait_until_succeeds("nc -z cass0 9042")
+ cass0.succeed("echo 'show version;' | cqlsh cass0")
+
+ with subtest("Nodetool is operational"):
+ cass0.wait_for_unit("cassandra.service")
+ cass0.wait_until_succeeds("nc -z localhost ${jmxPortStr}")
+ cass0.succeed("nodetool status -p ${jmxPortStr} --resolve-ip | egrep '^UN[[:space:]]+cass0'")
+
+ with subtest("Cluster name was set"):
+ cass0.wait_for_unit("cassandra.service")
+ cass0.wait_until_succeeds("nc -z localhost ${jmxPortStr}")
+ cass0.wait_until_succeeds(
+ "nodetool describecluster -p ${jmxPortStr} | grep 'Name: ${clusterName}'"
+ )
+
+ with subtest("Heap limit set correctly"):
+ # Nodetool takes a while until it can display info
+ cass0.wait_until_succeeds("nodetool info -p ${jmxPortStr}")
+ cass0.succeed("${checkHeapLimitCommand}")
# Check cluster interaction
- subtest "Bring up cluster", sub {
- $cass1->waitForUnit("cassandra.service");
- $cass1->waitUntilSucceeds("nodetool -p ${jmxPortS} ${jmxAuthArgs} status | egrep -c '^UN' | grep 2");
- $cass0->succeed("nodetool status -p ${jmxPortS} --resolve-ip | egrep '^UN[[:space:]]+cass1'");
- };
+ with subtest("Bring up cluster"):
+ cass1.wait_for_unit("cassandra.service")
+ cass1.wait_until_succeeds(
+ "nodetool -p ${jmxPortStr} ${jmxAuthArgs} status | egrep -c '^UN' | grep 2"
+ )
+ cass0.succeed("nodetool status -p ${jmxPortStr} --resolve-ip | egrep '^UN[[:space:]]+cass1'")
'' + lib.optionalString testRemoteAuth ''
- subtest "Remote authenticated jmx", sub {
- # Doesn't work if not enabled
- $cass0->waitUntilSucceeds("nc -z localhost ${jmxPortS}");
- $cass1->fail("nc -z 192.168.1.1 ${toString jmxPort}");
- $cass1->fail("nodetool -p ${jmxPortS} -h 192.168.1.1 status");
+ with subtest("Remote authenticated jmx"):
+ # Doesn't work if not enabled
+ cass0.wait_until_succeeds("nc -z localhost ${jmxPortStr}")
+ cass1.fail("nc -z 192.168.1.1 ${jmxPortStr}")
+ cass1.fail("nodetool -p ${jmxPortStr} -h 192.168.1.1 status")
- # Works if enabled
- $cass1->waitUntilSucceeds("nc -z localhost ${toString jmxPort}");
- $cass0->succeed("nodetool -p ${jmxPortS} -h 192.168.1.2 ${jmxAuthArgs} status");
- };
+ # Works if enabled
+ cass1.wait_until_succeeds("nc -z localhost ${jmxPortStr}")
+ cass0.succeed("nodetool -p ${jmxPortStr} -h 192.168.1.2 ${jmxAuthArgs} status")
'' + ''
- subtest "Break and fix node", sub {
- $cass1->block;
- $cass0->waitUntilSucceeds("nodetool status -p ${jmxPortS} --resolve-ip | egrep -c '^DN[[:space:]]+cass1'");
- $cass0->succeed("nodetool status -p ${jmxPortS} | egrep -c '^UN' | grep 1");
- $cass1->unblock;
- $cass1->waitUntilSucceeds("nodetool -p ${jmxPortS} ${jmxAuthArgs} status | egrep -c '^UN' | grep 2");
- $cass0->succeed("nodetool status -p ${jmxPortS} | egrep -c '^UN' | grep 2");
- };
- subtest "Replace crashed node", sub {
- $cass1->crash;
- $cass2->waitForUnit("cassandra.service");
- $cass0->waitUntilFails("nodetool status -p ${jmxPortS} --resolve-ip | egrep '^UN[[:space:]]+cass1'");
- $cass0->waitUntilSucceeds("nodetool status -p ${jmxPortS} --resolve-ip | egrep '^UN[[:space:]]+cass2'");
- };
+ with subtest("Break and fix node"):
+ cass1.block()
+ cass0.wait_until_succeeds(
+ "nodetool status -p ${jmxPortStr} --resolve-ip | egrep -c '^DN[[:space:]]+cass1'"
+ )
+ cass0.succeed("nodetool status -p ${jmxPortStr} | egrep -c '^UN' | grep 1")
+ cass1.unblock()
+ cass1.wait_until_succeeds(
+ "nodetool -p ${jmxPortStr} ${jmxAuthArgs} status | egrep -c '^UN' | grep 2"
+ )
+ cass0.succeed("nodetool status -p ${jmxPortStr} | egrep -c '^UN' | grep 2")
+
+ with subtest("Replace crashed node"):
+ cass1.block() # .crash() waits until it's fully shutdown
+ cass2.start()
+ cass0.wait_until_fails(
+ "nodetool status -p ${jmxPortStr} --resolve-ip | egrep '^UN[[:space:]]+cass1'"
+ )
+
+ cass2.wait_for_unit("cassandra.service")
+ cass0.wait_until_succeeds(
+ "nodetool status -p ${jmxPortStr} --resolve-ip | egrep '^UN[[:space:]]+cass2'"
+ )
'';
})
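Review bot: The "Replace crashed node" subtest no longer crashes anything. It now calls `cass1.block()`, so cass1 keeps running with only its network cut while cass2 (configured with `replace_address=cass1`) joins. The trailing comment explains why `crash()` was avoided but not that the scenario under test has changed. I would either rename the subtest (for example "Replace unreachable node") or extend the comment to something like `# cass1 is only isolated, not stopped: crash() would block until full shutdown`. cass1 is never unblocked afterwards as far as this hunk shows, which is worth stating if it is intentional.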
diff --git a/nixpkgs/nixos/tests/ceph-multi-node.nix b/nixpkgs/nixos/tests/ceph-multi-node.nix
new file mode 100644
index 00000000000..52a0b5caf23
--- /dev/null
+++ b/nixpkgs/nixos/tests/ceph-multi-node.nix
@@ -0,0 +1,225 @@
+import ./make-test-python.nix ({pkgs, lib, ...}:
+
+let
+ cfg = {
+ clusterId = "066ae264-2a5d-4729-8001-6ad265f50b03";
+ monA = {
+ name = "a";
+ ip = "192.168.1.1";
+ };
+ osd0 = {
+ name = "0";
+ ip = "192.168.1.2";
+ key = "AQBCEJNa3s8nHRAANvdsr93KqzBznuIWm2gOGg==";
+ uuid = "55ba2294-3e24-478f-bee0-9dca4c231dd9";
+ };
+ osd1 = {
+ name = "1";
+ ip = "192.168.1.3";
+ key = "AQBEEJNac00kExAAXEgy943BGyOpVH1LLlHafQ==";
+ uuid = "5e97a838-85b6-43b0-8950-cb56d554d1e5";
+ };
+ };
+ generateCephConfig = { daemonConfig }: {
+ enable = true;
+ global = {
+ fsid = cfg.clusterId;
+ monHost = cfg.monA.ip;
+ monInitialMembers = cfg.monA.name;
+ };
+ } // daemonConfig;
+
+ generateHost = { pkgs, cephConfig, networkConfig, ... }: {
+ virtualisation = {
+ memorySize = 512;
+ emptyDiskImages = [ 20480 ];
+ vlans = [ 1 ];
+ };
+
+ networking = networkConfig;
+
+ environment.systemPackages = with pkgs; [
+ bash
+ sudo
+ ceph
+ xfsprogs
+ netcat-openbsd
+ ];
+
+ boot.kernelModules = [ "xfs" ];
+
+ services.ceph = cephConfig;
+ };
+
+ networkMonA = {
+ dhcpcd.enable = false;
+ interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [
+ { address = cfg.monA.ip; prefixLength = 24; }
+ ];
+ firewall = {
+ allowedTCPPorts = [ 6789 3300 ];
+ allowedTCPPortRanges = [ { from = 6800; to = 7300; } ];
+ };
+ };
+ cephConfigMonA = generateCephConfig { daemonConfig = {
+ mon = {
+ enable = true;
+ daemons = [ cfg.monA.name ];
+ };
+ mgr = {
+ enable = true;
+ daemons = [ cfg.monA.name ];
+ };
+ }; };
+
+ networkOsd0 = {
+ dhcpcd.enable = false;
+ interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [
+ { address = cfg.osd0.ip; prefixLength = 24; }
+ ];
+ firewall = {
+ allowedTCPPortRanges = [ { from = 6800; to = 7300; } ];
+ };
+ };
+ cephConfigOsd0 = generateCephConfig { daemonConfig = {
+ osd = {
+ enable = true;
+ daemons = [ cfg.osd0.name ];
+ };
+ }; };
+
+ networkOsd1 = {
+ dhcpcd.enable = false;
+ interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [
+ { address = cfg.osd1.ip; prefixLength = 24; }
+ ];
+ firewall = {
+ allowedTCPPortRanges = [ { from = 6800; to = 7300; } ];
+ };
+ };
+ cephConfigOsd1 = generateCephConfig { daemonConfig = {
+ osd = {
+ enable = true;
+ daemons = [ cfg.osd1.name ];
+ };
+ }; };
+
+ # Following deployment is based on the manual deployment described here:
+ # https://docs.ceph.com/docs/master/install/manual-deployment/
+ # For other ways to deploy a ceph cluster, look at the documentation at
+ # https://docs.ceph.com/docs/master/
+ testscript = { ... }: ''
+ start_all()
+
+ monA.wait_for_unit("network.target")
+ osd0.wait_for_unit("network.target")
+ osd1.wait_for_unit("network.target")
+
+ # Bootstrap ceph-mon daemon
+ monA.succeed(
+ "sudo -u ceph ceph-authtool --create-keyring /tmp/ceph.mon.keyring --gen-key -n mon. --cap mon 'allow *'",
+ "sudo -u ceph ceph-authtool --create-keyring /etc/ceph/ceph.client.admin.keyring --gen-key -n client.admin --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow *' --cap mgr 'allow *'",
+ "sudo -u ceph ceph-authtool /tmp/ceph.mon.keyring --import-keyring /etc/ceph/ceph.client.admin.keyring",
+ "monmaptool --create --add ${cfg.monA.name} ${cfg.monA.ip} --fsid ${cfg.clusterId} /tmp/monmap",
+ "sudo -u ceph ceph-mon --mkfs -i ${cfg.monA.name} --monmap /tmp/monmap --keyring /tmp/ceph.mon.keyring",
+ "sudo -u ceph mkdir -p /var/lib/ceph/mgr/ceph-${cfg.monA.name}/",
+ "sudo -u ceph touch /var/lib/ceph/mon/ceph-${cfg.monA.name}/done",
+ "systemctl start ceph-mon-${cfg.monA.name}",
+ )
+ monA.wait_for_unit("ceph-mon-${cfg.monA.name}")
+ monA.succeed("ceph mon enable-msgr2")
+
+ # Can't check ceph status until a mon is up
+ monA.succeed("ceph -s | grep 'mon: 1 daemons'")
+
+ # Start the ceph-mgr daemon, it has no deps and hardly any setup
+ monA.succeed(
+ "ceph auth get-or-create mgr.${cfg.monA.name} mon 'allow profile mgr' osd 'allow *' mds 'allow *' > /var/lib/ceph/mgr/ceph-${cfg.monA.name}/keyring",
+ "systemctl start ceph-mgr-${cfg.monA.name}",
+ )
+ monA.wait_for_unit("ceph-mgr-a")
+ monA.wait_until_succeeds("ceph -s | grep 'quorum ${cfg.monA.name}'")
+ monA.wait_until_succeeds("ceph -s | grep 'mgr: ${cfg.monA.name}(active,'")
+
+ # Send the admin keyring to the OSD machines
+ monA.succeed("cp /etc/ceph/ceph.client.admin.keyring /tmp/shared")
+ osd0.succeed("cp /tmp/shared/ceph.client.admin.keyring /etc/ceph")
+ osd1.succeed("cp /tmp/shared/ceph.client.admin.keyring /etc/ceph")
+
+ # Bootstrap both OSDs
+ osd0.succeed(
+ "mkfs.xfs /dev/vdb",
+ "mkdir -p /var/lib/ceph/osd/ceph-${cfg.osd0.name}",
+ "mount /dev/vdb /var/lib/ceph/osd/ceph-${cfg.osd0.name}",
+ "ceph-authtool --create-keyring /var/lib/ceph/osd/ceph-${cfg.osd0.name}/keyring --name osd.${cfg.osd0.name} --add-key ${cfg.osd0.key}",
+ 'echo \'{"cephx_secret": "${cfg.osd0.key}"}\' | ceph osd new ${cfg.osd0.uuid} -i -',
+ )
+ osd1.succeed(
+ "mkfs.xfs /dev/vdb",
+ "mkdir -p /var/lib/ceph/osd/ceph-${cfg.osd1.name}",
+ "mount /dev/vdb /var/lib/ceph/osd/ceph-${cfg.osd1.name}",
+ "ceph-authtool --create-keyring /var/lib/ceph/osd/ceph-${cfg.osd1.name}/keyring --name osd.${cfg.osd1.name} --add-key ${cfg.osd1.key}",
+ 'echo \'{"cephx_secret": "${cfg.osd1.key}"}\' | ceph osd new ${cfg.osd1.uuid} -i -',
+ )
+
+ # Initialize the OSDs with regular filestore
+ osd0.succeed(
+ "ceph-osd -i ${cfg.osd0.name} --mkfs --osd-uuid ${cfg.osd0.uuid}",
+ "chown -R ceph:ceph /var/lib/ceph/osd",
+ "systemctl start ceph-osd-${cfg.osd0.name}",
+ )
+ osd1.succeed(
+ "ceph-osd -i ${cfg.osd1.name} --mkfs --osd-uuid ${cfg.osd1.uuid}",
+ "chown -R ceph:ceph /var/lib/ceph/osd",
+ "systemctl start ceph-osd-${cfg.osd1.name}",
+ )
+ monA.wait_until_succeeds("ceph osd stat | grep -e '2 osds: 2 up[^,]*, 2 in'")
+ monA.wait_until_succeeds("ceph -s | grep 'mgr: ${cfg.monA.name}(active,'")
+ monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'")
+
+ monA.succeed(
+ "ceph osd pool create multi-node-test 100 100",
+ "ceph osd pool ls | grep 'multi-node-test'",
+ "ceph osd pool rename multi-node-test multi-node-other-test",
+ "ceph osd pool ls | grep 'multi-node-other-test'",
+ )
+ monA.wait_until_succeeds("ceph -s | grep '1 pools, 100 pgs'")
+ monA.succeed("ceph osd pool set multi-node-other-test size 2")
+ monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'")
+ monA.wait_until_succeeds("ceph -s | grep '100 active+clean'")
+ monA.fail(
+ "ceph osd pool ls | grep 'multi-node-test'",
+ "ceph osd pool delete multi-node-other-test multi-node-other-test --yes-i-really-really-mean-it",
+ )
+
+ # Shut down ceph on all machines in a very unpolite way
+ monA.crash()
+ osd0.crash()
+ osd1.crash()
+
+ # Start it up
+ osd0.start()
+ osd1.start()
+ monA.start()
+
+ # Ensure the cluster comes back up again
+ monA.succeed("ceph -s | grep 'mon: 1 daemons'")
+ monA.wait_until_succeeds("ceph -s | grep 'quorum ${cfg.monA.name}'")
+ monA.wait_until_succeeds("ceph osd stat | grep -e '2 osds: 2 up[^,]*, 2 in'")
+ monA.wait_until_succeeds("ceph -s | grep 'mgr: ${cfg.monA.name}(active,'")
+ monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'")
+ '';
+in {
+ name = "basic-multi-node-ceph-cluster";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ lejonet ];
+ };
+
+ nodes = {
+ monA = generateHost { pkgs = pkgs; cephConfig = cephConfigMonA; networkConfig = networkMonA; };
+ osd0 = generateHost { pkgs = pkgs; cephConfig = cephConfigOsd0; networkConfig = networkOsd0; };
+ osd1 = generateHost { pkgs = pkgs; cephConfig = cephConfigOsd1; networkConfig = networkOsd1; };
+ };
+
+ testScript = testscript;
+})
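Review bot: `monA.wait_for_unit("ceph-mgr-a")` hard-codes the daemon name, while every neighbouring line derives it from `cfg.monA.name` (the `systemctl start ceph-mgr-${cfg.monA.name}` just above, for instance). If the name in `cfg` is ever changed, the test would start one unit and wait on another. I would write `monA.wait_for_unit("ceph-mgr-${cfg.monA.name}")`. The same literal appears in the new ceph-single-node.nix, whose restart section already uses the interpolated form.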
diff --git a/nixpkgs/nixos/tests/ceph-single-node.nix b/nixpkgs/nixos/tests/ceph-single-node.nix
new file mode 100644
index 00000000000..da92a73e14d
--- /dev/null
+++ b/nixpkgs/nixos/tests/ceph-single-node.nix
@@ -0,0 +1,183 @@
+import ./make-test-python.nix ({pkgs, lib, ...}:
+
+let
+ cfg = {
+ clusterId = "066ae264-2a5d-4729-8001-6ad265f50b03";
+ monA = {
+ name = "a";
+ ip = "192.168.1.1";
+ };
+ osd0 = {
+ name = "0";
+ key = "AQBCEJNa3s8nHRAANvdsr93KqzBznuIWm2gOGg==";
+ uuid = "55ba2294-3e24-478f-bee0-9dca4c231dd9";
+ };
+ osd1 = {
+ name = "1";
+ key = "AQBEEJNac00kExAAXEgy943BGyOpVH1LLlHafQ==";
+ uuid = "5e97a838-85b6-43b0-8950-cb56d554d1e5";
+ };
+ };
+ generateCephConfig = { daemonConfig }: {
+ enable = true;
+ global = {
+ fsid = cfg.clusterId;
+ monHost = cfg.monA.ip;
+ monInitialMembers = cfg.monA.name;
+ };
+ } // daemonConfig;
+
+ generateHost = { pkgs, cephConfig, networkConfig, ... }: {
+ virtualisation = {
+ memorySize = 512;
+ emptyDiskImages = [ 20480 20480 ];
+ vlans = [ 1 ];
+ };
+
+ networking = networkConfig;
+
+ environment.systemPackages = with pkgs; [
+ bash
+ sudo
+ ceph
+ xfsprogs
+ ];
+
+ boot.kernelModules = [ "xfs" ];
+
+ services.ceph = cephConfig;
+ };
+
+ networkMonA = {
+ dhcpcd.enable = false;
+ interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [
+ { address = cfg.monA.ip; prefixLength = 24; }
+ ];
+ };
+ cephConfigMonA = generateCephConfig { daemonConfig = {
+ mon = {
+ enable = true;
+ daemons = [ cfg.monA.name ];
+ };
+ mgr = {
+ enable = true;
+ daemons = [ cfg.monA.name ];
+ };
+ osd = {
+ enable = true;
+ daemons = [ cfg.osd0.name cfg.osd1.name ];
+ };
+ }; };
+
+ # Following deployment is based on the manual deployment described here:
+ # https://docs.ceph.com/docs/master/install/manual-deployment/
+ # For other ways to deploy a ceph cluster, look at the documentation at
+ # https://docs.ceph.com/docs/master/
+ testscript = { ... }: ''
+ start_all()
+
+ monA.wait_for_unit("network.target")
+
+ # Bootstrap ceph-mon daemon
+ monA.succeed(
+ "sudo -u ceph ceph-authtool --create-keyring /tmp/ceph.mon.keyring --gen-key -n mon. --cap mon 'allow *'",
+ "sudo -u ceph ceph-authtool --create-keyring /etc/ceph/ceph.client.admin.keyring --gen-key -n client.admin --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow *' --cap mgr 'allow *'",
+ "sudo -u ceph ceph-authtool /tmp/ceph.mon.keyring --import-keyring /etc/ceph/ceph.client.admin.keyring",
+ "monmaptool --create --add ${cfg.monA.name} ${cfg.monA.ip} --fsid ${cfg.clusterId} /tmp/monmap",
+ "sudo -u ceph ceph-mon --mkfs -i ${cfg.monA.name} --monmap /tmp/monmap --keyring /tmp/ceph.mon.keyring",
+ "sudo -u ceph touch /var/lib/ceph/mon/ceph-${cfg.monA.name}/done",
+ "systemctl start ceph-mon-${cfg.monA.name}",
+ )
+ monA.wait_for_unit("ceph-mon-${cfg.monA.name}")
+ monA.succeed("ceph mon enable-msgr2")
+
+ # Can't check ceph status until a mon is up
+ monA.succeed("ceph -s | grep 'mon: 1 daemons'")
+
+ # Start the ceph-mgr daemon, after copying in the keyring
+ monA.succeed(
+ "sudo -u ceph mkdir -p /var/lib/ceph/mgr/ceph-${cfg.monA.name}/",
+ "ceph auth get-or-create mgr.${cfg.monA.name} mon 'allow profile mgr' osd 'allow *' mds 'allow *' > /var/lib/ceph/mgr/ceph-${cfg.monA.name}/keyring",
+ "systemctl start ceph-mgr-${cfg.monA.name}",
+ )
+ monA.wait_for_unit("ceph-mgr-a")
+ monA.wait_until_succeeds("ceph -s | grep 'quorum ${cfg.monA.name}'")
+ monA.wait_until_succeeds("ceph -s | grep 'mgr: ${cfg.monA.name}(active,'")
+
+ # Bootstrap both OSDs
+ monA.succeed(
+ "mkfs.xfs /dev/vdb",
+ "mkfs.xfs /dev/vdc",
+ "mkdir -p /var/lib/ceph/osd/ceph-${cfg.osd0.name}",
+ "mount /dev/vdb /var/lib/ceph/osd/ceph-${cfg.osd0.name}",
+ "mkdir -p /var/lib/ceph/osd/ceph-${cfg.osd1.name}",
+ "mount /dev/vdc /var/lib/ceph/osd/ceph-${cfg.osd1.name}",
+ "ceph-authtool --create-keyring /var/lib/ceph/osd/ceph-${cfg.osd0.name}/keyring --name osd.${cfg.osd0.name} --add-key ${cfg.osd0.key}",
+ "ceph-authtool --create-keyring /var/lib/ceph/osd/ceph-${cfg.osd1.name}/keyring --name osd.${cfg.osd1.name} --add-key ${cfg.osd1.key}",
+ 'echo \'{"cephx_secret": "${cfg.osd0.key}"}\' | ceph osd new ${cfg.osd0.uuid} -i -',
+ 'echo \'{"cephx_secret": "${cfg.osd1.key}"}\' | ceph osd new ${cfg.osd1.uuid} -i -',
+ )
+
+ # Initialize the OSDs with regular filestore
+ monA.succeed(
+ "ceph-osd -i ${cfg.osd0.name} --mkfs --osd-uuid ${cfg.osd0.uuid}",
+ "ceph-osd -i ${cfg.osd1.name} --mkfs --osd-uuid ${cfg.osd1.uuid}",
+ "chown -R ceph:ceph /var/lib/ceph/osd",
+ "systemctl start ceph-osd-${cfg.osd0.name}",
+ "systemctl start ceph-osd-${cfg.osd1.name}",
+ )
+ monA.wait_until_succeeds("ceph osd stat | grep -e '2 osds: 2 up[^,]*, 2 in'")
+ monA.wait_until_succeeds("ceph -s | grep 'mgr: ${cfg.monA.name}(active,'")
+ monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'")
+
+ monA.succeed(
+ "ceph osd pool create single-node-test 100 100",
+ "ceph osd pool ls | grep 'single-node-test'",
+ "ceph osd pool rename single-node-test single-node-other-test",
+ "ceph osd pool ls | grep 'single-node-other-test'",
+ )
+ monA.wait_until_succeeds("ceph -s | grep '1 pools, 100 pgs'")
+ monA.succeed(
+ "ceph osd getcrushmap -o crush",
+ "crushtool -d crush -o decrushed",
+ "sed 's/step chooseleaf firstn 0 type host/step chooseleaf firstn 0 type osd/' decrushed > modcrush",
+ "crushtool -c modcrush -o recrushed",
+ "ceph osd setcrushmap -i recrushed",
+ "ceph osd pool set single-node-other-test size 2",
+ )
+ monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'")
+ monA.wait_until_succeeds("ceph -s | grep '100 active+clean'")
+ monA.fail(
+ "ceph osd pool ls | grep 'multi-node-test'",
+ "ceph osd pool delete single-node-other-test single-node-other-test --yes-i-really-really-mean-it",
+ )
+
+ # Shut down ceph by stopping ceph.target.
+ monA.succeed("systemctl stop ceph.target")
+
+ # Start it up
+ monA.succeed("systemctl start ceph.target")
+ monA.wait_for_unit("ceph-mon-${cfg.monA.name}")
+ monA.wait_for_unit("ceph-mgr-${cfg.monA.name}")
+ monA.wait_for_unit("ceph-osd-${cfg.osd0.name}")
+ monA.wait_for_unit("ceph-osd-${cfg.osd1.name}")
+
+ # Ensure the cluster comes back up again
+ monA.succeed("ceph -s | grep 'mon: 1 daemons'")
+ monA.wait_until_succeeds("ceph -s | grep 'quorum ${cfg.monA.name}'")
+ monA.wait_until_succeeds("ceph osd stat | grep -e '2 osds: 2 up[^,]*, 2 in'")
+ monA.wait_until_succeeds("ceph -s | grep 'mgr: ${cfg.monA.name}(active,'")
+ monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'")
+ '';
+in {
+ name = "basic-single-node-ceph-cluster";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ lejonet johanot ];
+ };
+
+ nodes = {
+ monA = generateHost { pkgs = pkgs; cephConfig = cephConfigMonA; networkConfig = networkMonA; };
+ };
+
+ testScript = testscript;
+})
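Review bot: The final `monA.fail(...)` greps for `'multi-node-test'`, which looks copied from ceph-multi-node.nix. No pool of that name is ever created in this test, so the first command fails trivially and no longer verifies that the rename removed the old pool name. It should be `"ceph osd pool ls | grep 'single-node-test'"`, which still does not match the renamed `single-node-other-test` pool.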
diff --git a/nixpkgs/nixos/tests/ceph.nix b/nixpkgs/nixos/tests/ceph.nix
deleted file mode 100644
index 57120ff978f..00000000000
--- a/nixpkgs/nixos/tests/ceph.nix
+++ /dev/null
@@ -1,161 +0,0 @@
-import ./make-test.nix ({pkgs, lib, ...}: {
- name = "All-in-one-basic-ceph-cluster";
- meta = with pkgs.stdenv.lib.maintainers; {
- maintainers = [ johanot lejonet ];
- };
-
- nodes = {
- aio = { pkgs, ... }: {
- virtualisation = {
- memorySize = 1536;
- emptyDiskImages = [ 20480 20480 ];
- vlans = [ 1 ];
- };
-
- networking = {
- useDHCP = false;
- interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [
- { address = "192.168.1.1"; prefixLength = 24; }
- ];
- };
-
- environment.systemPackages = with pkgs; [
- bash
- sudo
- ceph
- xfsprogs
- ];
-
- boot.kernelModules = [ "xfs" ];
-
- services.ceph.enable = true;
- services.ceph.global = {
- fsid = "066ae264-2a5d-4729-8001-6ad265f50b03";
- monInitialMembers = "aio";
- monHost = "192.168.1.1";
- };
-
- services.ceph.mon = {
- enable = true;
- daemons = [ "aio" ];
- };
-
- services.ceph.mgr = {
- enable = true;
- daemons = [ "aio" ];
- };
-
- services.ceph.osd = {
- enable = true;
- daemons = [ "0" "1" ];
- };
-
- # So that we don't have to battle systemd when bootstraping
- systemd.targets.ceph.wantedBy = lib.mkForce [];
- };
- };
-
- testScript = { ... }: ''
- startAll;
-
- $aio->waitForUnit("network.target");
-
- # Create the ceph-related directories
- $aio->mustSucceed(
- "mkdir -p /var/lib/ceph/mgr/ceph-aio",
- "mkdir -p /var/lib/ceph/mon/ceph-aio",
- "mkdir -p /var/lib/ceph/osd/ceph-{0,1}",
- "chown ceph:ceph -R /var/lib/ceph/",
- "mkdir -p /etc/ceph",
- "chown ceph:ceph -R /etc/ceph"
- );
-
- # Bootstrap ceph-mon daemon
- $aio->mustSucceed(
- "sudo -u ceph ceph-authtool --create-keyring /tmp/ceph.mon.keyring --gen-key -n mon. --cap mon 'allow *'",
- "sudo -u ceph ceph-authtool --create-keyring /etc/ceph/ceph.client.admin.keyring --gen-key -n client.admin --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow *' --cap mgr 'allow *'",
- "sudo -u ceph ceph-authtool /tmp/ceph.mon.keyring --import-keyring /etc/ceph/ceph.client.admin.keyring",
- "monmaptool --create --add aio 192.168.1.1 --fsid 066ae264-2a5d-4729-8001-6ad265f50b03 /tmp/monmap",
- "sudo -u ceph ceph-mon --mkfs -i aio --monmap /tmp/monmap --keyring /tmp/ceph.mon.keyring",
- "sudo -u ceph touch /var/lib/ceph/mon/ceph-aio/done",
- "systemctl start ceph-mon-aio"
- );
- $aio->waitForUnit("ceph-mon-aio");
- $aio->mustSucceed("ceph mon enable-msgr2");
-
- # Can't check ceph status until a mon is up
- $aio->succeed("ceph -s | grep 'mon: 1 daemons'");
-
- # Start the ceph-mgr daemon, it has no deps and hardly any setup
- $aio->mustSucceed(
- "ceph auth get-or-create mgr.aio mon 'allow profile mgr' osd 'allow *' mds 'allow *' > /var/lib/ceph/mgr/ceph-aio/keyring",
- "systemctl start ceph-mgr-aio"
- );
- $aio->waitForUnit("ceph-mgr-aio");
- $aio->waitUntilSucceeds("ceph -s | grep 'quorum aio'");
- $aio->waitUntilSucceeds("ceph -s | grep 'mgr: aio(active,'");
-
- # Bootstrap both OSDs
- $aio->mustSucceed(
- "mkfs.xfs /dev/vdb",
- "mkfs.xfs /dev/vdc",
- "mount /dev/vdb /var/lib/ceph/osd/ceph-0",
- "mount /dev/vdc /var/lib/ceph/osd/ceph-1",
- "ceph-authtool --create-keyring /var/lib/ceph/osd/ceph-0/keyring --name osd.0 --add-key AQBCEJNa3s8nHRAANvdsr93KqzBznuIWm2gOGg==",
- "ceph-authtool --create-keyring /var/lib/ceph/osd/ceph-1/keyring --name osd.1 --add-key AQBEEJNac00kExAAXEgy943BGyOpVH1LLlHafQ==",
- "echo '{\"cephx_secret\": \"AQBCEJNa3s8nHRAANvdsr93KqzBznuIWm2gOGg==\"}' | ceph osd new 55ba2294-3e24-478f-bee0-9dca4c231dd9 -i -",
- "echo '{\"cephx_secret\": \"AQBEEJNac00kExAAXEgy943BGyOpVH1LLlHafQ==\"}' | ceph osd new 5e97a838-85b6-43b0-8950-cb56d554d1e5 -i -"
- );
-
- # Initialize the OSDs with regular filestore
- $aio->mustSucceed(
- "ceph-osd -i 0 --mkfs --osd-uuid 55ba2294-3e24-478f-bee0-9dca4c231dd9",
- "ceph-osd -i 1 --mkfs --osd-uuid 5e97a838-85b6-43b0-8950-cb56d554d1e5",
- "chown -R ceph:ceph /var/lib/ceph/osd",
- "systemctl start ceph-osd-0",
- "systemctl start ceph-osd-1"
- );
-
- $aio->waitUntilSucceeds("ceph osd stat | grep -e '2 osds: 2 up[^,]*, 2 in'");
- $aio->waitUntilSucceeds("ceph -s | grep 'mgr: aio(active,'");
- $aio->waitUntilSucceeds("ceph -s | grep 'HEALTH_OK'");
-
- $aio->mustSucceed(
- "ceph osd pool create aio-test 100 100",
- "ceph osd pool ls | grep 'aio-test'",
- "ceph osd pool rename aio-test aio-other-test",
- "ceph osd pool ls | grep 'aio-other-test'",
- "ceph -s | grep '1 pools, 100 pgs'",
- "ceph osd getcrushmap -o crush",
- "crushtool -d crush -o decrushed",
- "sed 's/step chooseleaf firstn 0 type host/step chooseleaf firstn 0 type osd/' decrushed > modcrush",
- "crushtool -c modcrush -o recrushed",
- "ceph osd setcrushmap -i recrushed",
- "ceph osd pool set aio-other-test size 2"
- );
- $aio->waitUntilSucceeds("ceph -s | grep 'HEALTH_OK'");
- $aio->waitUntilSucceeds("ceph -s | grep '100 active+clean'");
- $aio->mustFail(
- "ceph osd pool ls | grep 'aio-test'",
- "ceph osd pool delete aio-other-test aio-other-test --yes-i-really-really-mean-it"
- );
-
- # As we disable the target in the config, we still want to test that it works as intended
- $aio->mustSucceed(
- "systemctl stop ceph-osd-0",
- "systemctl stop ceph-osd-1",
- "systemctl stop ceph-mgr-aio",
- "systemctl stop ceph-mon-aio"
- );
- $aio->succeed("systemctl start ceph.target");
- $aio->waitForUnit("ceph-mon-aio");
- $aio->waitForUnit("ceph-mgr-aio");
- $aio->waitForUnit("ceph-osd-0");
- $aio->waitForUnit("ceph-osd-1");
- $aio->succeed("ceph -s | grep 'mon: 1 daemons'");
- $aio->waitUntilSucceeds("ceph -s | grep 'quorum aio'");
- $aio->waitUntilSucceeds("ceph osd stat | grep -e '2 osds: 2 up[^,]*, 2 in'");
- $aio->waitUntilSucceeds("ceph -s | grep 'mgr: aio(active,'");
- $aio->waitUntilSucceeds("ceph -s | grep 'HEALTH_OK'");
- '';
-})
diff --git a/nixpkgs/nixos/tests/certmgr.nix b/nixpkgs/nixos/tests/certmgr.nix
index fe67833808c..cb69f35e862 100644
--- a/nixpkgs/nixos/tests/certmgr.nix
+++ b/nixpkgs/nixos/tests/certmgr.nix
@@ -3,7 +3,7 @@
pkgs ? import ../.. { inherit system config; }
}:
-with import ../lib/testing.nix { inherit system pkgs; };
+with import ../lib/testing-python.nix { inherit system pkgs; };
let
mkSpec = { host, service ? null, action }: {
inherit action;
@@ -123,17 +123,17 @@ in
)));
};
testScript = ''
- $machine->waitForUnit('cfssl.service');
- $machine->waitUntilSucceeds('ls /tmp/decl.example.org-ca.pem');
- $machine->waitUntilSucceeds('ls /tmp/decl.example.org-key.pem');
- $machine->waitUntilSucceeds('ls /tmp/decl.example.org-cert.pem');
- $machine->waitUntilSucceeds('ls /tmp/imp.example.org-ca.pem');
- $machine->waitUntilSucceeds('ls /tmp/imp.example.org-key.pem');
- $machine->waitUntilSucceeds('ls /tmp/imp.example.org-cert.pem');
- $machine->waitForUnit('nginx.service');
- $machine->succeed('[ "1" -lt "$(journalctl -u nginx | grep "Starting Nginx" | wc -l)" ]');
- $machine->succeed('curl --cacert /tmp/imp.example.org-ca.pem https://imp.example.org');
- $machine->succeed('curl --cacert /tmp/decl.example.org-ca.pem https://decl.example.org');
+ machine.wait_for_unit("cfssl.service")
+ machine.wait_until_succeeds("ls /tmp/decl.example.org-ca.pem")
+ machine.wait_until_succeeds("ls /tmp/decl.example.org-key.pem")
+ machine.wait_until_succeeds("ls /tmp/decl.example.org-cert.pem")
+ machine.wait_until_succeeds("ls /tmp/imp.example.org-ca.pem")
+ machine.wait_until_succeeds("ls /tmp/imp.example.org-key.pem")
+ machine.wait_until_succeeds("ls /tmp/imp.example.org-cert.pem")
+ machine.wait_for_unit("nginx.service")
+ assert 1 < int(machine.succeed('journalctl -u nginx | grep "Starting Nginx" | wc -l'))
+ machine.succeed("curl --cacert /tmp/imp.example.org-ca.pem https://imp.example.org")
+ machine.succeed("curl --cacert /tmp/decl.example.org-ca.pem https://decl.example.org")
'';
};
@@ -143,8 +143,8 @@ in
test = mkSpec { host = "command.example.org"; action = "touch /tmp/command.executed"; };
};
testScript = ''
- $machine->waitForUnit('cfssl.service');
- $machine->waitUntilSucceeds('stat /tmp/command.executed');
+ machine.wait_for_unit("cfssl.service")
+ machine.wait_until_succeeds("stat /tmp/command.executed")
'';
};
diff --git a/nixpkgs/nixos/tests/cfssl.nix b/nixpkgs/nixos/tests/cfssl.nix
index 513ed8c4574..e291fc285fb 100644
--- a/nixpkgs/nixos/tests/cfssl.nix
+++ b/nixpkgs/nixos/tests/cfssl.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "cfssl";
machine = { config, lib, pkgs, ... }:
@@ -60,8 +60,8 @@ import ./make-test.nix ({ pkgs, ...} : {
});
in
''
- $machine->waitForUnit('cfssl.service');
- $machine->waitUntilSucceeds('${cfsslrequest}');
- $machine->succeed('ls /tmp/certificate-key.pem');
+ machine.wait_for_unit("cfssl.service")
+ machine.wait_until_succeeds("${cfsslrequest}")
+ machine.succeed("ls /tmp/certificate-key.pem")
'';
})
diff --git a/nixpkgs/nixos/tests/cjdns.nix b/nixpkgs/nixos/tests/cjdns.nix
index 6660eecf05b..d72236d415d 100644
--- a/nixpkgs/nixos/tests/cjdns.nix
+++ b/nixpkgs/nixos/tests/cjdns.nix
@@ -17,7 +17,7 @@ let
in
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "cjdns";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ ehmry ];
@@ -83,36 +83,39 @@ import ./make-test.nix ({ pkgs, ...} : {
testScript =
''
- startAll;
+ import re
- $alice->waitForUnit("cjdns.service");
- $bob->waitForUnit("cjdns.service");
- $carol->waitForUnit("cjdns.service");
+ start_all()
- sub cjdnsIp {
- my ($machine) = @_;
- my $ip = (split /[ \/]+/, $machine->succeed("ip -o -6 addr show dev tun0"))[3];
- $machine->log("has ip $ip");
- return $ip;
- }
+ alice.wait_for_unit("cjdns.service")
+ bob.wait_for_unit("cjdns.service")
+ carol.wait_for_unit("cjdns.service")
- my $aliceIp6 = cjdnsIp $alice;
- my $bobIp6 = cjdnsIp $bob;
- my $carolIp6 = cjdnsIp $carol;
+
+ def cjdns_ip(machine):
+ res = machine.succeed("ip -o -6 addr show dev tun0")
+ ip = re.split("\s+|/", res)[3]
+ machine.log("has ip {}".format(ip))
+ return ip
+
+
+ alice_ip6 = cjdns_ip(alice)
+ bob_ip6 = cjdns_ip(bob)
+ carol_ip6 = cjdns_ip(carol)
# ping a few times each to let the routing table establish itself
- $alice->succeed("ping -c 4 $carolIp6");
- $bob->succeed("ping -c 4 $carolIp6");
+ alice.succeed("ping -c 4 {}".format(carol_ip6))
+ bob.succeed("ping -c 4 {}".format(carol_ip6))
- $carol->succeed("ping -c 4 $aliceIp6");
- $carol->succeed("ping -c 4 $bobIp6");
+ carol.succeed("ping -c 4 {}".format(alice_ip6))
+ carol.succeed("ping -c 4 {}".format(bob_ip6))
- $alice->succeed("ping -c 4 $bobIp6");
- $bob->succeed("ping -c 4 $aliceIp6");
+ alice.succeed("ping -c 4 {}".format(bob_ip6))
+ bob.succeed("ping -c 4 {}".format(alice_ip6))
- $alice->waitForUnit("httpd.service");
+ alice.wait_for_unit("httpd.service")
- $bob->succeed("curl --fail -g http://[$aliceIp6]");
+ bob.succeed("curl --fail -g http://[{}]".format(alice_ip6))
'';
})
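Review bot: In `cjdns_ip` the regex is passed as an ordinary string, `re.split("\s+|/", res)`, so `\s` is an invalid string escape that Python accepts only with a DeprecationWarning. A raw string keeps the pattern intact: `ip = re.split(r"\s+|/", res)[3]`. The helper also takes field 3 without checking that `ip -o -6 addr show dev tun0` printed a single address line, and the value is formatted straight into the `ping` and `curl` commands. A short check on the parsed value, for example `assert ":" in ip, res`, would make a parsing failure show up here instead of as a failed ping later.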
diff --git a/nixpkgs/nixos/tests/clickhouse.nix b/nixpkgs/nixos/tests/clickhouse.nix
index 7d835069ec4..2d8a7cf7aa9 100644
--- a/nixpkgs/nixos/tests/clickhouse.nix
+++ b/nixpkgs/nixos/tests/clickhouse.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }: {
+import ./make-test-python.nix ({ pkgs, ... }: {
name = "clickhouse";
meta.maintainers = with pkgs.stdenv.lib.maintainers; [ ma27 ];
@@ -14,12 +14,18 @@ import ./make-test.nix ({ pkgs, ... }: {
selectQuery = pkgs.writeText "select.sql" "SELECT * from `demo`";
in
''
- $machine->start();
- $machine->waitForUnit("clickhouse.service");
- $machine->waitForOpenPort(9000);
+ machine.start()
+ machine.wait_for_unit("clickhouse.service")
+ machine.wait_for_open_port(9000)
- $machine->succeed("cat ${tableDDL} | clickhouse-client");
- $machine->succeed("cat ${insertQuery} | clickhouse-client");
- $machine->succeed("cat ${selectQuery} | clickhouse-client | grep foo");
+ machine.succeed(
+ "cat ${tableDDL} | clickhouse-client"
+ )
+ machine.succeed(
+ "cat ${insertQuery} | clickhouse-client"
+ )
+ machine.succeed(
+ "cat ${selectQuery} | clickhouse-client | grep foo"
+ )
'';
})
diff --git a/nixpkgs/nixos/tests/cloud-init.nix b/nixpkgs/nixos/tests/cloud-init.nix
index 516d29c9036..aafa6e24e84 100644
--- a/nixpkgs/nixos/tests/cloud-init.nix
+++ b/nixpkgs/nixos/tests/cloud-init.nix
@@ -3,7 +3,7 @@
pkgs ? import ../.. { inherit system config; }
}:
-with import ../lib/testing.nix { inherit system pkgs; };
+with import ../lib/testing-python.nix { inherit system pkgs; };
with pkgs.lib;
let
@@ -30,6 +30,7 @@ let
'';
};
in makeTest {
+ name = "cloud-init";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ lewo ];
};
@@ -40,10 +41,12 @@ in makeTest {
services.cloud-init.enable = true;
};
testScript = ''
- $machine->start;
- $machine->waitForUnit("cloud-init.service");
- $machine->succeed("cat /tmp/cloudinit-write-file | grep -q 'cloudinit'");
+ machine.start()
+ machine.wait_for_unit("cloud-init.service")
+ machine.succeed("cat /tmp/cloudinit-write-file | grep -q 'cloudinit'")
- $machine->waitUntilSucceeds("cat /root/.ssh/authorized_keys | grep -q 'should be a key!'");
+ machine.wait_until_succeeds(
+ "cat /root/.ssh/authorized_keys | grep -q 'should be a key!'"
+ )
'';
}
diff --git a/nixpkgs/nixos/tests/codimd.nix b/nixpkgs/nixos/tests/codimd.nix
index 562f6f24f99..b1acbf4a832 100644
--- a/nixpkgs/nixos/tests/codimd.nix
+++ b/nixpkgs/nixos/tests/codimd.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, lib, ... }:
+import ./make-test-python.nix ({ pkgs, lib, ... }:
{
name = "codimd";
@@ -35,20 +35,18 @@ import ./make-test.nix ({ pkgs, lib, ... }:
};
testScript = ''
- startAll();
+ start_all()
- subtest "CodiMD sqlite", sub {
- $codimdSqlite->waitForUnit("codimd.service");
- $codimdSqlite->waitForOpenPort(3000);
- $codimdSqlite->waitUntilSucceeds("curl -sSf http://localhost:3000/new");
- };
+ with subtest("CodiMD sqlite"):
+ codimdSqlite.wait_for_unit("codimd.service")
+ codimdSqlite.wait_for_open_port(3000)
+ codimdSqlite.wait_until_succeeds("curl -sSf http://localhost:3000/new")
- subtest "CodiMD postgres", sub {
- $codimdPostgres->waitForUnit("postgresql.service");
- $codimdPostgres->waitForUnit("codimd.service");
- $codimdPostgres->waitForOpenPort(5432);
- $codimdPostgres->waitForOpenPort(3000);
- $codimdPostgres->waitUntilSucceeds("curl -sSf http://localhost:3000/new");
- };
+ with subtest("CodiMD postgres"):
+ codimdPostgres.wait_for_unit("postgresql.service")
+ codimdPostgres.wait_for_unit("codimd.service")
+ codimdPostgres.wait_for_open_port(5432)
+ codimdPostgres.wait_for_open_port(3000)
+ codimdPostgres.wait_until_succeeds("curl -sSf http://localhost:3000/new")
'';
})
diff --git a/nixpkgs/nixos/tests/colord.nix b/nixpkgs/nixos/tests/colord.nix
deleted file mode 100644
index ce38aaca4bf..00000000000
--- a/nixpkgs/nixos/tests/colord.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-# run installed tests
-import ./make-test.nix ({ pkgs, ... }:
-
-{
- name = "colord";
-
- meta = {
- maintainers = pkgs.colord.meta.maintainers;
- };
-
- machine = { pkgs, ... }: {
- environment.systemPackages = with pkgs; [ gnome-desktop-testing ];
- };
-
- testScript = ''
- $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.colord.installedTests}/share'");
- '';
-})
diff --git a/nixpkgs/nixos/tests/common/letsencrypt/common.nix b/nixpkgs/nixos/tests/common/letsencrypt/common.nix
index 798a749f7f9..c530de817bf 100644
--- a/nixpkgs/nixos/tests/common/letsencrypt/common.nix
+++ b/nixpkgs/nixos/tests/common/letsencrypt/common.nix
@@ -1,27 +1,9 @@
-{ lib, nodes, ... }: {
+{ lib, nodes, pkgs, ... }: let
+ letsencrypt-ca = nodes.letsencrypt.config.test-support.letsencrypt.caCert;
+in {
networking.nameservers = [
nodes.letsencrypt.config.networking.primaryIPAddress
];
- nixpkgs.overlays = lib.singleton (self: super: {
- cacert = super.cacert.overrideDerivation (drv: {
- installPhase = (drv.installPhase or "") + ''
- cat "${nodes.letsencrypt.config.test-support.letsencrypt.caCert}" \
- >> "$out/etc/ssl/certs/ca-bundle.crt"
- '';
- });
-
- # Override certifi so that it accepts fake certificate for Let's Encrypt
- # Need to override the attribute used by simp_le, which is python3Packages
- python3Packages = (super.python3.override {
- packageOverrides = lib.const (pysuper: {
- certifi = pysuper.certifi.overridePythonAttrs (attrs: {
- postPatch = (attrs.postPatch or "") + ''
- cat "${self.cacert}/etc/ssl/certs/ca-bundle.crt" \
- > certifi/cacert.pem
- '';
- });
- });
- }).pkgs;
- });
+ security.pki.certificateFiles = [ letsencrypt-ca ];
}
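Review bot: `security.pki.certificateFiles` only extends the system CA bundle, whereas the removed overlay also rewrote certifi's `cacert.pem` for Python clients. Any client on these nodes that ships its own bundle will no longer trust the fake Let's Encrypt endpoint, so it is worth confirming that the ACME client used by the tests reads the system store. `pkgs` is added to the argument set but is not referenced in the new body and can be dropped. A comment above the option would document the intent, e.g. `# Trust the snakeoil ACME CA system-wide; only for test nodes.`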
diff --git a/nixpkgs/nixos/tests/common/letsencrypt/default.nix b/nixpkgs/nixos/tests/common/letsencrypt/default.nix
index 58d87c64e34..110a2520971 100644
--- a/nixpkgs/nixos/tests/common/letsencrypt/default.nix
+++ b/nixpkgs/nixos/tests/common/letsencrypt/default.nix
@@ -1,6 +1,3 @@
-# Fully pluggable module to have Letsencrypt's Boulder ACME service running in
-# a test environment.
-#
# The certificate for the ACME service is exported as:
#
# config.test-support.letsencrypt.caCert
@@ -54,277 +51,35 @@
# that it has to be started _before_ the ACME service.
{ config, pkgs, lib, ... }:
-let
- softhsm = pkgs.stdenv.mkDerivation rec {
- pname = "softhsm";
- version = "1.3.8";
-
- src = pkgs.fetchurl {
- url = "https://dist.opendnssec.org/source/${pname}-${version}.tar.gz";
- sha256 = "0flmnpkgp65ym7w3qyg78d3fbmvq3aznmi66rgd420n33shf7aif";
- };
-
- configureFlags = [ "--with-botan=${pkgs.botan}" ];
- buildInputs = [ pkgs.sqlite ];
- };
-
- pkcs11-proxy = pkgs.stdenv.mkDerivation {
- name = "pkcs11-proxy";
-
- src = pkgs.fetchFromGitHub {
- owner = "SUNET";
- repo = "pkcs11-proxy";
- rev = "944684f78bca0c8da6cabe3fa273fed3db44a890";
- sha256 = "1nxgd29y9wmifm11pjcdpd2y293p0dgi0x5ycis55miy97n0f5zy";
- };
-
- postPatch = "patchShebangs mksyscalls.sh";
-
- nativeBuildInputs = [ pkgs.cmake ];
- buildInputs = [ pkgs.openssl pkgs.libseccomp ];
- };
-
- mkGoDep = { goPackagePath, url ? "https://${goPackagePath}", rev, sha256 }: {
- inherit goPackagePath;
- src = pkgs.fetchgit { inherit url rev sha256; };
- };
-
- goose = let
- owner = "liamstask";
- repo = "goose";
- rev = "8488cc47d90c8a502b1c41a462a6d9cc8ee0a895";
- version = "20150116";
-
- in pkgs.buildGoPackage rec {
- name = "${repo}-${version}";
-
- src = pkgs.fetchFromBitbucket {
- name = "${name}-src";
- inherit rev owner repo;
- sha256 = "1jy0pscxjnxjdg3hj111w21g8079rq9ah2ix5ycxxhbbi3f0wdhs";
- };
-
- goPackagePath = "bitbucket.org/${owner}/${repo}";
- subPackages = [ "cmd/goose" ];
- extraSrcs = map mkGoDep [
- { goPackagePath = "github.com/go-sql-driver/mysql";
- rev = "2e00b5cd70399450106cec6431c2e2ce3cae5034";
- sha256 = "085g48jq9hzmlcxg122n0c4pi41sc1nn2qpx1vrl2jfa8crsppa5";
- }
- { goPackagePath = "github.com/kylelemons/go-gypsy";
- rev = "08cad365cd28a7fba23bb1e57aa43c5e18ad8bb8";
- sha256 = "1djv7nii3hy451n5jlslk0dblqzb1hia1cbqpdwhnps1g8hqjy8q";
- }
- { goPackagePath = "github.com/lib/pq";
- rev = "ba5d4f7a35561e22fbdf7a39aa0070f4d460cfc0";
- sha256 = "1mfbqw9g00bk24bfmf53wri5c2wqmgl0qh4sh1qv2da13a7cwwg3";
- }
- { goPackagePath = "github.com/mattn/go-sqlite3";
- rev = "2acfafad5870400156f6fceb12852c281cbba4d5";
- sha256 = "1rpgil3w4hh1cibidskv1js898hwz83ps06gh0hm3mym7ki8d5h7";
- }
- { goPackagePath = "github.com/ziutek/mymysql";
- rev = "0582bcf675f52c0c2045c027fd135bd726048f45";
- sha256 = "0bkc9x8sgqbzgdimsmsnhb0qrzlzfv33fgajmmjxl4hcb21qz3rf";
- }
- { goPackagePath = "golang.org/x/net";
- url = "https://go.googlesource.com/net";
- rev = "10c134ea0df15f7e34d789338c7a2d76cc7a3ab9";
- sha256 = "14cbr2shl08gyg85n5gj7nbjhrhhgrd52h073qd14j97qcxsakcz";
- }
- ];
- };
-
- boulder = let
- owner = "letsencrypt";
- repo = "boulder";
- rev = "9c6a1f2adc4c26d925588f5ae366cfd4efb7813a";
- version = "20180129";
-
- in pkgs.buildGoPackage rec {
- name = "${repo}-${version}";
-
- src = pkgs.fetchFromGitHub {
- name = "${name}-src";
- inherit rev owner repo;
- sha256 = "09kszswrifm9rc6idfaq0p1mz5w21as2qbc8gd5pphrq9cf9pn55";
- };
-
- postPatch = ''
- # compat for go < 1.8
- sed -i -e 's/time\.Until(\([^)]\+\))/\1.Sub(time.Now())/' \
- test/ocsp/helper/helper.go
-
- find test -type f -exec sed -i -e '/libpkcs11-proxy.so/ {
- s,/usr/local,${pkcs11-proxy},
- }' {} +
-
- sed -i -r \
- -e '/^def +install/a \ return True' \
- -e 's,exec \./bin/,,' \
- test/startservers.py
-
- cat ${lib.escapeShellArg snakeOilCerts.ca.key} > test/test-ca.key
- cat ${lib.escapeShellArg snakeOilCerts.ca.cert} > test/test-ca.pem
- '';
-
- # Until vendored pkcs11 is go 1.9 compatible
- preBuild = ''
- rm -r go/src/github.com/letsencrypt/boulder/vendor/github.com/miekg/pkcs11
- '';
-
- # XXX: Temporarily brought back putting the source code in the output,
- # since e95f17e2720e67e2eabd59d7754c814d3e27a0b2 was removing that from
- # buildGoPackage.
- preInstall = ''
- mkdir -p $out
- pushd "$NIX_BUILD_TOP/go"
- while read f; do
- echo "$f" | grep -q '^./\(src\|pkg/[^/]*\)/${goPackagePath}' \
- || continue
- mkdir -p "$(dirname "$out/share/go/$f")"
- cp "$NIX_BUILD_TOP/go/$f" "$out/share/go/$f"
- done < <(find . -type f)
- popd
- '';
-
- extraSrcs = map mkGoDep [
- { goPackagePath = "github.com/miekg/pkcs11";
- rev = "6dbd569b952ec150d1425722dbbe80f2c6193f83";
- sha256 = "1m8g6fx7df6hf6q6zsbyw1icjmm52dmsx28rgb0h930wagvngfwb";
- }
- ];
-
- goPackagePath = "github.com/${owner}/${repo}";
- buildInputs = [ pkgs.libtool ];
- };
-
- boulderSource = "${boulder.out}/share/go/src/${boulder.goPackagePath}";
-
- softHsmConf = pkgs.writeText "softhsm.conf" ''
- 0:/var/lib/softhsm/slot0.db
- 1:/var/lib/softhsm/slot1.db
- '';
+let
snakeOilCerts = import ./snakeoil-certs.nix;
- wfeDomain = "acme-v01.api.letsencrypt.org";
+ wfeDomain = "acme-v02.api.letsencrypt.org";
wfeCertFile = snakeOilCerts.${wfeDomain}.cert;
wfeKeyFile = snakeOilCerts.${wfeDomain}.key;
siteDomain = "letsencrypt.org";
siteCertFile = snakeOilCerts.${siteDomain}.cert;
siteKeyFile = snakeOilCerts.${siteDomain}.key;
-
- # Retrieved via:
- # curl -s -I https://acme-v01.api.letsencrypt.org/terms \
- # | sed -ne 's/^[Ll]ocation: *//p'
- tosUrl = "https://letsencrypt.org/documents/2017.11.15-LE-SA-v1.2.pdf";
- tosPath = builtins.head (builtins.match "https?://[^/]+(.*)" tosUrl);
-
- tosFile = pkgs.fetchurl {
- url = tosUrl;
- sha256 = "0yvyckqzj0b1xi61sypcha82nanizzlm8yqy828h2jbza7cxi26c";
- };
-
+ pebble = pkgs.pebble;
resolver = let
message = "You need to define a resolver for the letsencrypt test module.";
firstNS = lib.head config.networking.nameservers;
in if config.networking.nameservers == [] then throw message else firstNS;
- cfgDir = pkgs.stdenv.mkDerivation {
- name = "boulder-config";
- src = "${boulderSource}/test/config";
- nativeBuildInputs = [ pkgs.jq ];
- phases = [ "unpackPhase" "patchPhase" "installPhase" ];
- postPatch = ''
- sed -i -e 's/5002/80/' -e 's/5002/443/' va.json
- sed -i -e '/listenAddress/s/:4000/:80/' wfe.json
- sed -i -r \
- -e ${lib.escapeShellArg "s,http://boulder:4000/terms/v1,${tosUrl},g"} \
- -e 's,http://(boulder|127\.0\.0\.1):4000,https://${wfeDomain},g' \
- -e '/dnsResolver/s/127\.0\.0\.1:8053/${resolver}:53/' \
- *.json
- if grep 4000 *.json; then exit 1; fi
-
- # Change all ports from 1909X to 909X, because the 1909X range of ports is
- # allocated by startservers.py in order to intercept gRPC communication.
- sed -i -e 's/\<1\(909[0-9]\)\>/\1/' *.json
-
- # Patch out all additional issuer certs
- jq '. + {ca: (.ca + {Issuers:
- [.ca.Issuers[] | select(.CertFile == "test/test-ca.pem")]
- })}' ca.json > tmp
- mv tmp ca.json
- '';
- installPhase = "cp -r . \"$out\"";
- };
-
- components = {
- gsb-test-srv.args = "-apikey my-voice-is-my-passport";
- gsb-test-srv.waitForPort = 6000;
- gsb-test-srv.first = true;
- boulder-sa.args = "--config ${cfgDir}/sa.json";
- boulder-wfe.args = "--config ${cfgDir}/wfe.json";
- boulder-ra.args = "--config ${cfgDir}/ra.json";
- boulder-ca.args = "--config ${cfgDir}/ca.json";
- boulder-va.args = "--config ${cfgDir}/va.json";
- boulder-publisher.args = "--config ${cfgDir}/publisher.json";
- boulder-publisher.waitForPort = 9091;
- ocsp-updater.args = "--config ${cfgDir}/ocsp-updater.json";
- ocsp-updater.after = [ "boulder-publisher" ];
- ocsp-responder.args = "--config ${cfgDir}/ocsp-responder.json";
- ct-test-srv = {};
- mail-test-srv.args = let
- key = "${boulderSource}/test/mail-test-srv/minica-key.pem";
- crt = "${boulderSource}/test/mail-test-srv/minica.pem";
- in
- "--closeFirst 5 --cert ${crt} --key ${key}";
+ pebbleConf.pebble = {
+ listenAddress = "0.0.0.0:443";
+ managementListenAddress = "0.0.0.0:15000";
+ certificate = snakeOilCerts.${wfeDomain}.cert;
+ privateKey = snakeOilCerts.${wfeDomain}.key;
+ httpPort = 80;
+ tlsPort = 443;
+ ocspResponderURL = "http://0.0.0.0:4002";
};
- commonPath = [ softhsm pkgs.mariadb goose boulder ];
-
- mkServices = a: b: with lib; listToAttrs (concatLists (mapAttrsToList a b));
-
- componentServices = mkServices (name: attrs: let
- mkSrvName = n: "boulder-${n}.service";
- firsts = lib.filterAttrs (lib.const (c: c.first or false)) components;
- firstServices = map mkSrvName (lib.attrNames firsts);
- firstServicesNoSelf = lib.remove "boulder-${name}.service" firstServices;
- additionalAfter = firstServicesNoSelf ++ map mkSrvName (attrs.after or []);
- needsPort = attrs ? waitForPort;
- inits = map (n: "boulder-init-${n}.service") [ "mysql" "softhsm" ];
- portWaiter = {
- name = "boulder-${name}";
- value = {
- description = "Wait For Port ${toString attrs.waitForPort} (${name})";
- after = [ "boulder-real-${name}.service" "bind.service" ];
- requires = [ "boulder-real-${name}.service" ];
- requiredBy = [ "boulder.service" ];
- serviceConfig.Type = "oneshot";
- serviceConfig.RemainAfterExit = true;
- script = let
- netcat = "${pkgs.libressl.nc}/bin/nc";
- portCheck = "${netcat} -z 127.0.0.1 ${toString attrs.waitForPort}";
- in "while ! ${portCheck}; do :; done";
- };
- };
- in lib.optional needsPort portWaiter ++ lib.singleton {
- name = if needsPort then "boulder-real-${name}" else "boulder-${name}";
- value = {
- description = "Boulder ACME Component (${name})";
- after = inits ++ additionalAfter;
- requires = inits;
- requiredBy = [ "boulder.service" ];
- path = commonPath;
- environment.GORACE = "halt_on_error=1";
- environment.SOFTHSM_CONF = softHsmConf;
- environment.PKCS11_PROXY_SOCKET = "tcp://127.0.0.1:5657";
- serviceConfig.WorkingDirectory = boulderSource;
- serviceConfig.ExecStart = "${boulder}/bin/${name} ${attrs.args or ""}";
- serviceConfig.Restart = "on-failure";
- };
- }) components;
+ pebbleConfFile = pkgs.writeText "pebble.conf" (builtins.toJSON pebbleConf);
+ pebbleDataDir = "/root/pebble";
in {
imports = [ ../resolver.nix ];
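Review bot: `managementListenAddress = "0.0.0.0:15000";` exposes Pebble's management interface on every interface of the node, and the next hunk shows the firewall disabled in this module. Unless another test node needs that API, binding it to loopback is the narrower default: `managementListenAddress = "127.0.0.1:15000";`. `ocspResponderURL = "http://0.0.0.0:4002"` looks like a listen address used as a URL; if clients are expected to dial it, a resolvable name such as `http://${wfeDomain}:4002` would be needed (to be confirmed against how the tests use OCSP). `pebbleConf` also repeats `snakeOilCerts.${wfeDomain}.cert` and `.key` although `wfeCertFile` and `wfeKeyFile` are already bound a few lines above.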
@@ -352,94 +107,29 @@ in {
networking.firewall.enable = false;
networking.extraHosts = ''
- 127.0.0.1 ${toString [
- "sa.boulder" "ra.boulder" "wfe.boulder" "ca.boulder" "va.boulder"
- "publisher.boulder" "ocsp-updater.boulder" "admin-revoker.boulder"
- "boulder" "boulder-mysql" wfeDomain
- ]}
+ 127.0.0.1 ${wfeDomain}
${config.networking.primaryIPAddress} ${wfeDomain} ${siteDomain}
'';
- services.mysql.enable = true;
- services.mysql.package = pkgs.mariadb;
-
- services.nginx.enable = true;
- services.nginx.recommendedProxySettings = true;
- # This fixes the test on i686
- services.nginx.commonHttpConfig = ''
- server_names_hash_bucket_size 64;
- '';
- services.nginx.virtualHosts.${wfeDomain} = {
- onlySSL = true;
- enableACME = false;
- sslCertificate = wfeCertFile;
- sslCertificateKey = wfeKeyFile;
- locations."/".proxyPass = "http://127.0.0.1:80";
- };
- services.nginx.virtualHosts.${siteDomain} = {
- onlySSL = true;
- enableACME = false;
- sslCertificate = siteCertFile;
- sslCertificateKey = siteKeyFile;
- locations."= ${tosPath}".alias = tosFile;
- };
-
systemd.services = {
- pkcs11-daemon = {
- description = "PKCS11 Daemon";
- after = [ "boulder-init-softhsm.service" ];
- before = map (n: "${n}.service") (lib.attrNames componentServices);
- wantedBy = [ "multi-user.target" ];
- environment.SOFTHSM_CONF = softHsmConf;
- environment.PKCS11_DAEMON_SOCKET = "tcp://127.0.0.1:5657";
- serviceConfig.ExecStart = let
- softhsmLib = "${softhsm}/lib/softhsm/libsofthsm.so";
- in "${pkcs11-proxy}/bin/pkcs11-daemon ${softhsmLib}";
- };
-
- boulder-init-mysql = {
- description = "Boulder ACME Init (MySQL)";
- after = [ "mysql.service" ];
- serviceConfig.Type = "oneshot";
- serviceConfig.RemainAfterExit = true;
- serviceConfig.WorkingDirectory = boulderSource;
- path = commonPath;
- script = "${pkgs.bash}/bin/sh test/create_db.sh";
- };
-
- boulder-init-softhsm = {
- description = "Boulder ACME Init (SoftHSM)";
- environment.SOFTHSM_CONF = softHsmConf;
- serviceConfig.Type = "oneshot";
- serviceConfig.RemainAfterExit = true;
- serviceConfig.WorkingDirectory = boulderSource;
- preStart = "mkdir -p /var/lib/softhsm";
- path = commonPath;
+ pebble = {
+ enable = true;
+ description = "Pebble ACME server";
+ requires = [ ];
+ wantedBy = [ "network.target" ];
+ preStart = ''
+ mkdir ${pebbleDataDir}
+ '';
script = ''
- softhsm --slot 0 --init-token \
- --label intermediate --pin 5678 --so-pin 1234
- softhsm --slot 0 --import test/test-ca.key \
- --label intermediate_key --pin 5678 --id FB
- softhsm --slot 1 --init-token \
- --label root --pin 5678 --so-pin 1234
- softhsm --slot 1 --import test/test-root.key \
- --label root_key --pin 5678 --id FA
+ cd ${pebbleDataDir}
+ ${pebble}/bin/pebble -config ${pebbleConfFile}
'';
+ serviceConfig = {
+ # Required to bind on privileged ports.
+ User = "root";
+ Group = "root";
+ };
};
-
- boulder = {
- description = "Boulder ACME Server";
- after = map (n: "${n}.service") (lib.attrNames componentServices);
- wantedBy = [ "multi-user.target" ];
- serviceConfig.Type = "oneshot";
- serviceConfig.RemainAfterExit = true;
- script = let
- ports = lib.range 8000 8005 ++ lib.singleton 80;
- netcat = "${pkgs.libressl.nc}/bin/nc";
- mkPortCheck = port: "${netcat} -z 127.0.0.1 ${toString port}";
- checks = "(${lib.concatMapStringsSep " && " mkPortCheck ports})";
- in "while ! ${checks}; do :; done";
- };
- } // componentServices;
+ };
};
}
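Review bot: The `pebble` unit's `preStart` runs `mkdir ${pebbleDataDir}` without `-p`, so a second start of the service on the same machine fails once `/root/pebble` exists; `mkdir -p ${pebbleDataDir}` avoids that. The unit runs as root only to bind ports 80 and 443. Granting `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];` to an unprivileged user, with the working directory moved out of `/root`, would give the same result with less privilege, though this has not been tried against Pebble here. `wantedBy = [ "network.target" ]` is unusual for a long-running service; `multi-user.target` is the conventional choice unless something in the tests depends on this ordering.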
diff --git a/nixpkgs/nixos/tests/common/letsencrypt/mkcerts.nix b/nixpkgs/nixos/tests/common/letsencrypt/mkcerts.nix
index 3b4a589e414..e7ac2bae46b 100644
--- a/nixpkgs/nixos/tests/common/letsencrypt/mkcerts.nix
+++ b/nixpkgs/nixos/tests/common/letsencrypt/mkcerts.nix
@@ -1,7 +1,7 @@
{ pkgs ? import <nixpkgs> {}
, lib ? pkgs.lib
-, domains ? [ "acme-v01.api.letsencrypt.org" "letsencrypt.org" ]
+, domains ? [ "acme-v02.api.letsencrypt.org" "letsencrypt.org" ]
}:
pkgs.runCommand "letsencrypt-snakeoil-ca" {
diff --git a/nixpkgs/nixos/tests/common/letsencrypt/snakeoil-certs.nix b/nixpkgs/nixos/tests/common/letsencrypt/snakeoil-certs.nix
index c3d29ab8f16..ca4f71ae688 100644
--- a/nixpkgs/nixos/tests/common/letsencrypt/snakeoil-certs.nix
+++ b/nixpkgs/nixos/tests/common/letsencrypt/snakeoil-certs.nix
@@ -2,252 +2,253 @@
{
ca.key = builtins.toFile "ca.key" ''
-----BEGIN PRIVATE KEY-----
- MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDfdVxC/4HwhuzD
- 9or9CDDu3TBQE5lirJI5KYmfMZtfgdzEjgOzmR9AVSkn2rQeCqzM5m+YCzPO+2y7
- 0Fdk7vDORi1OdhYfUQIW6/TZ27xEjx4t82j9i705yUqTJZKjMbD830geXImJ6VGj
- Nv/WisTHmwBspWKefYQPN68ZvYNCn0d5rYJg9uROZPJHSI0MYj9iERWIPN+xhZoS
- xN74ILJ0rEOQfx2GHDhTr99vZYAFqbAIfh35fYulRWarUSekI+rDxa83FD8q9cMg
- OP84KkLep2dRXXTbUWErGUOpHP55M9M7ws0RVNdl9PUSbDgChl7yYlHCde3261q/
- zGp5dMV/t/jXXNUgRurvXc4gUKKjS4Sffvg0XVnPs3sMlZ4JNmycK9klgISVmbTK
- VcjRRJv8Bva2NQVsJ9TIryV0QEk94DucgsC3LbhQfQdmnWVcEdzwrZHNpk9az5mn
- w42RuvZW9L19T7xpIrdLSHaOis4VEquZjkWIhfIz0DVMeXtYEQmwqFG23Ww0utcp
- mCW4FPvpyYs5GAPmGWfrlMxsLD/7eteot3AheC+56ZBoVBnI8FFvIX2qci+gfVDu
- CjvDmbyS/0NvxLGqvSC1GUPmWP3TR5Fb1H8Rp+39zJHRmH+qYWlhcv6p7FlY2/6d
- 9Rkw8WKRTSCB7yeUdNNPiPopk6N4NwIDAQABAoICAQCzV0ei5dntpvwjEp3eElLj
- glYiDnjOPt5kTjgLsg6XCmyau7ewzrXMNgz/1YE1ky+4i0EI8AS2nAdafQ2HDlXp
- 11zJWfDLVYKtztYGe1qQU6TPEEo1I4/M7waRLliP7XO0n6cL5wzjyIQi0CNolprz
- 8CzZBasutGHmrLQ1nmnYcGk2+NBo7f2yBUaFe27of3mLRVbYrrKBkU5kveiNkABp
- r0/SipKxbbivQbm7d+TVpqiHSGDaOa54CEksOcfs7n6efOvw8qj326KtG9GJzDE6
- 7XP4U19UHe40XuR0t7Zso/FmRyO6QzNUutJt5LjXHezZ75razTcdMyr0QCU8MUHH
- jXZxQCsbt+9AmdxUMBm1SMNVBdHYM8oiNHynlgsEj9eM6jxDEss/Uc3FeKoHl+XL
- L6m28guIB8NivqjVzZcwhxvdiQCzYxjyqMC+/eX7aaK4NIlX2QRMoDL6mJ58Bz/8
- V2Qxp2UNVwKJFWAmpgXC+sq6XV/TP3HkOvd0OK82Nid2QxEvfE/EmOhU63qAjgUR
- QnteLEcJ3MkGGurs05pYBDE7ejKVz6uu2tHahFMOv+yanGP2gfivnT9a323/nTqH
- oR5ffMEI1u/ufpWU7sWXZfL/mH1L47x87k+9wwXHCPeSigcy+hFI7t1+rYsdCmz9
- V6QtmxZHMLanwzh5R0ipcQKCAQEA8kuZIz9JyYP6L+5qmIUxiWESihVlRCSKIqLB
- fJ5sQ06aDBV2sqS4XnoWsHuJWUd39rulks8cg8WIQu8oJwVkFI9EpARt/+a1fRP0
- Ncc9qiBdP6VctQGgKfe5KyOfMzIBUl3zj2cAmU6q+CW1OgdhnEl4QhgBe5XQGquZ
- Alrd2P2jhJbMO3sNFgzTy7xPEr3KqUy+L4gtRnGOegKIh8EllmsyMRO4eIrZV2z3
- XI+S2ZLyUn3WHYkaJqvUFrbfekgBBmbk5Ead6ImlsLsBla6MolKrVYV1kN6KT+Y+
- plcxNpWY8bnWfw5058OWPLPa9LPfReu9rxAeGT2ZLmAhSkjGxQKCAQEA7BkBzT3m
- SIzop9RKl5VzYbVysCYDjFU9KYMW5kBIw5ghSMnRmU7kXIZUkc6C1L/v9cTNFFLw
- ZSF4vCHLdYLmDysW2d4DU8fS4qdlDlco5A00g8T1FS7nD9CzdkVN/oix6ujw7RuI
- 7pE1K3JELUYFBc8AZ7mIGGbddeCwnM+NdPIlhWzk5s4x4/r31cdk0gzor0kE4e+d
- 5m0s1T4O/Iak6rc0MGDeTejZQg04p1eAJFYQ6OY23tJhH/kO8CMYnQ4fidfCkf8v
- 85v4EC1MCorFR7J65uSj8MiaL7LTXPvLAkgFls1c3ijQ2tJ8qXvqmfo0by33T1OF
- ZGyaOP9/1WQSywKCAQB47m6CfyYO5EZNAgxGD8SHsuGT9dXTSwF/BAjacB/NAEA2
- 48eYpko3LWyBrUcCPn+LsGCVg7XRtxepgMBjqXcoI9G4o1VbsgTHZtwus0D91qV0
- DM7WsPcFu1S6SU8+OCkcuTPFUT2lRvRiYj+vtNttK+ZP5rdmvYFermLyH/Q2R3ID
- zVgmH+aKKODVASneSsgJ8/nAs5EVZbwc/YKzbx2Zk+s7P4KE95g+4G4dzrMW0RcN
- QS1LFJDu2DhFFgU4fRO15Ek9/lj2JS2DpfLGiJY8tlI5nyDsq4YRFvQSBdbUTZpG
- m+CJDegffSlRJtuT4ur/dQf5hmvfYTVBRk2XS/eZAoIBAB143a22PWnvFRfmO02C
- 3X1j/iYZCLZa6aCl+ZTSj4LDGdyRPPXrUDxwlFwDMHfIYfcHEyanV9T4Aa9SdKh9
- p6RbF6YovbeWqS+b/9RzcupM77JHQuTbDwL9ZXmtGxhcDgGqBHFEz6ogPEfpIrOY
- GwZnmcBY+7E4HgsZ+lII4rqng6GNP2HEeZvg91Eba+2AqQdAkTh3Bfn+xOr1rT8+
- u5WFOyGS5g1JtN0280yIcrmWeNPp8Q2Nq4wnNgMqDmeEnNFDOsmo1l6NqMC0NtrW
- CdxyXj82aXSkRgMQSqw/zk7BmNkDV8VvyOqX/fHWQynnfuYmEco4Pd2UZQgadOW5
- cVMCggEBANGz1fC+QQaangUzsVNOJwg2+CsUFYlAKYA3pRKZPIyMob2CBXk3Oln/
- YqOq6j373kG2AX74EZT07JFn28F27JF3r+zpyS/TYrfZyO1lz/5ZejPtDTmqBiVd
- qa2coaPKwCOz64s77A9KSPyvpvyuTfRVa8UoArHcrQsPXMHgEhnFRsbxgmdP582A
- kfYfoJBSse6dQtS9ZnREJtyWJlBNIBvsuKwzicuIgtE3oCBcIUZpEa6rBSN7Om2d
- ex8ejCcS7qpHeULYspXbm5ZcwE4glKlQbJDTKaJ9mjiMdvuNFUZnv1BdMQ3Tb8zf
- Gvfq54FbDuB10XP8JdLrsy9Z6GEsmoE=
+ MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDQ0b23I1srJZwR
+ 2MMdvSJK5pcwLfrXU+4gEZEnWNyT8yeVweya+8vmNNOlvK3zxf+ZiY/7aQ0RZJMO
+ h2+VdlgHmr2QKhQTf1HwfZA/06FolD3/DcS+DMJMSTVr179/XLndeVVZUqU7tjvB
+ AWKSIS8H2hSF1UOPi9gBDR8MwCP6Qgj8WYhbkt9q47/lO96qAmm6U1F+Q7RYM9ZQ
+ IWI81N0Ms5wJocg7n6S19iV66ePh7APapZFYup61gFGWfahmA217ELIZd56n8yjO
+ F0epb9sC0XpYCDRrYKBWLqPiv+6wvdZtZvALItyIv08ZwXlBkFg3LbAAhPnf0Vxz
+ pYysQmyyyzkgy252n+Sie0kx+B4qm6fOkpfgYlPSVTb2dXx/be/SE08u0a9FO0fZ
+ pkByWEZJUUwngsJgLUa7MorQf3avxozfC25XqvzbieZfSXlA7mOUclZbC/WUFpyj
+ MlyJU2eCQ8wSwsPXl91oxcYlOkuVLgd41gr9pGXQSuKIkrgbfkftjg2tDC+7g7O8
+ qrdF42FjbZjIx/74AasmsGh4GTQtiSkvEnTstioC6aCV44DlJWbBIMvkyawubjUl
+ Ppij0H66Y9Q4tEc/ktc7oGQfqqluyLb43TeobTPHALsNeAYb39rMtBo5DDCUc81s
+ fuDMhMr/oYXKrFstUsg5AY6mJaRG0QIDAQABAoICAF5ZVfmoPOoKzTB3GvmV2iez
+ dj4rmDmwT1gn98iqasdiRtFwVGJWQHNcDQDGdmY9YNZThD2Y4nGoWpVm9jC2zuFo
+ thusF3QTw8cARKvCCBzDVhumce1YwHVNYpi+W2TFValOyBRathN7rBXxdUMHQUOv
+ 8jPh/uudyNP4xL2zFs5dBchW/7g4bT/TdYGyglGYU4L/YEPHfXWYvk1oOAW6O8Ig
+ aPElKt5drEMW2yplATSzua4RvtEzSMBDIRn43pxxEgdXrNC67nF9+ULc2+Efi/oD
+ Ad9CncSiXO9zlVK/W655p6e4qd6uOqyCm8/MTegkuub7eplRe8D3zGjoNN4kCQ4S
+ rckVvIDDb6vZk7PKx9F7GWIqaG/YvFFFKO1MrAZg7SguFA6PtGOYAFocT03P6KXT
+ l2SnZQWKyxUAlh4tOBGlRFgGCx/krRIKbgNYn/qk/ezcRl8c7GpOPh+b7Icoq7u3
+ l4tIVBBHqS8uGgtyi+YwuJeht2MV1aEcSkykKLh2ipp8tb6spORJUkhjawDjvxeQ
+ GztN30Xh2riTXYZ0HExVTtJa8jyvFyp/97ptPIJXaVt2A2KIS3sBFHKnpY+/OrQg
+ uUauYgi13WFHsKOxZL9GYGk7Ujd8bw4CEcJFxKY7bhpGVI6Du7NRkUDWN0+0yusI
+ 2szCJ7+ZqJkrc1+GrI/RAoIBAQDseAEggOLYZkpU2Pht15ZbxjM9ayT2ANq1+RTu
+ LjJx4gv2/o/XJCfMZCL0b9TJqtYeH+N6G9oDRJ99VIhUPedhWSYdj9Qj+rPd++TS
+ bp+MoSjmfUfxLTDrmFHL7ppquAE65aDy3B5c+OCb0I4X6CILUf0LynBzgl4kdrzN
+ U6BG3Mt0RiGPojlPV82B9ZUF/09YAz7BIz9X3KMhze1Gps5OeGuUnc9O2IAJYkrj
+ ur9H2YlNS4w+IjRLAXSXUqC8bqPZp6WTo1G/rlyAkIRXCGN90uk5JQvXoj9immFO
+ WaylbdcNG3YcGutreYeZL/UIWF6zCdc6pYG0cCBJS6S/RN7FAoIBAQDiERrLuUbV
+ 3fx/a8uMeZop6hXtQpF7jlFxqUmza7QSvBuwks4QVJF+qMSiSvKDkCKqZD4qVf4N
+ TMxEj5vNR0PbnmDshyKJNGVjEauKJSb65CFDUcL1eR/A/oJvxiIdN1Z4cPrpnRux
+ /zIfPuYfYHpdz52buxxmlD7bfwYmVKVpnzjB9z0I1CasZ5uqB0Z8H0OLyUu8S4ju
+ RfkKBDMgVl2q96i8ZvX4C1b7XuimIUqv4WHq5+ejcYirgrYtUbBIaDU3/LORcJdy
+ /K76L1/up70RTDUYYm/HKaRy+vMTpUsZJ7Qbh0hrvQkUvNQ1HXjprW2AePIYi33N
+ h3mb1ulqw4idAoIBAQCsn0YjVjNDShkFK4bfmLv4rw2Ezoyi0SjYIsb2wN6uaBfX
+ 7SlQIuKywH8L9f9eYMoCH8FNyLs0G4paUbVb2fzpAc1jUzXINiHL8TCvtXXfkV5s
+ NBSqqRTHR+CegMZVFZJATpVZ9PptYHmHBY5VQW5o2SdizhudFxRmhg95zIx6boBP
+ l0q0sfYoR66MKpzpTeG8HFJZZ8O7/iNQcCXAp9B/VEUkrrdBlaaSMyD8cb1lVBZ5
+ SKdOTGXkQ2G7feQ86n/OSiYDSvxIc56vc9BIQKVwmuEKiFLGzXh8ILrcGXaBJVgS
+ B3QHPFeTk5o7Z9j2iJxJEuv9sginkhrfpsrTnhEJAoIBACkrUkTtjd/e2F/gIqaH
+ crLVZX7a06G7rktTuA9LuvR6e1Rxt8Mzk3eMhprDqVyaQCXlsYiGNoj3hm+p84az
+ xsDVG/OXPIveFeSv0ByNXYbtSr12w1lu4ICGGP0ACTBm5oFymc83hFarEdas3r2y
+ FTbGW36D2c04jCXvARCz85fDnlN8kgnskMpu5+NUBdsO2n83fmphGyPBbHQNhb4K
+ 3G4JQhplab/tWL7YbufqQi67jdh4uS+Duo75c/HW4ZKeH6r9gzomVf5j0/3N6NuO
+ gpkG1tiE/LQ5ejBSUTgvrvh6yYsF3QN53pB/PuoZXu63Xay62ePsa1GlrVjbD5EY
+ 4OUCggEAJFr7F7AQLMJTAxHFLCsZZ0ZZ+tXYclBC4eHPkZ6sD5jvL3KIpW3Q7jXk
+ oIoD/XEX4B+Qe5M3jQJ/Y5ZJETHcgfcHZbDpCKN2WHQgldQbAJiFd4GY1OegdVsr
+ 7TC8jh3Q2eYjzL8u4z7LSNI6aQSv1eWE7S1Q5j/sX/YYDR4W3CBMeIUpqoDWpn87
+ czbIRyA/4L0Y/HLpg/ZCbvtJZbsQwYXhyqfbjlm4BRQ6JiC5uEBKvuDRUXToBJta
+ JU8XMm+Ae5Ogrw7P6hg68dWpagfjb7UZ7Zxv+VDsbrU6KsDcyGCAwrrRZou/6KUG
+ Eq4OVTSu/s8gmY94tgbjeOaLUPEPmg==
-----END PRIVATE KEY-----
'';
ca.cert = builtins.toFile "ca.cert" ''
-----BEGIN CERTIFICATE-----
- MIIFATCCAumgAwIBAgIJANydi4uFZr0LMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
- BAMMC1NuYWtlb2lsIENBMCAXDTE4MDcxMjAwMjIxNloYDzIxMTgwNjE4MDAyMjE2
- WjAWMRQwEgYDVQQDDAtTbmFrZW9pbCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIP
- ADCCAgoCggIBAN91XEL/gfCG7MP2iv0IMO7dMFATmWKskjkpiZ8xm1+B3MSOA7OZ
- H0BVKSfatB4KrMzmb5gLM877bLvQV2Tu8M5GLU52Fh9RAhbr9NnbvESPHi3zaP2L
- vTnJSpMlkqMxsPzfSB5ciYnpUaM2/9aKxMebAGylYp59hA83rxm9g0KfR3mtgmD2
- 5E5k8kdIjQxiP2IRFYg837GFmhLE3vggsnSsQ5B/HYYcOFOv329lgAWpsAh+Hfl9
- i6VFZqtRJ6Qj6sPFrzcUPyr1wyA4/zgqQt6nZ1FddNtRYSsZQ6kc/nkz0zvCzRFU
- 12X09RJsOAKGXvJiUcJ17fbrWr/Manl0xX+3+Ndc1SBG6u9dziBQoqNLhJ9++DRd
- Wc+zewyVngk2bJwr2SWAhJWZtMpVyNFEm/wG9rY1BWwn1MivJXRAST3gO5yCwLct
- uFB9B2adZVwR3PCtkc2mT1rPmafDjZG69lb0vX1PvGkit0tIdo6KzhUSq5mORYiF
- 8jPQNUx5e1gRCbCoUbbdbDS61ymYJbgU++nJizkYA+YZZ+uUzGwsP/t616i3cCF4
- L7npkGhUGcjwUW8hfapyL6B9UO4KO8OZvJL/Q2/Esaq9ILUZQ+ZY/dNHkVvUfxGn
- 7f3MkdGYf6phaWFy/qnsWVjb/p31GTDxYpFNIIHvJ5R000+I+imTo3g3AgMBAAGj
- UDBOMB0GA1UdDgQWBBQ3vPWzjLmu5krbSpfhBAht9KL3czAfBgNVHSMEGDAWgBQ3
- vPWzjLmu5krbSpfhBAht9KL3czAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUA
- A4ICAQDF9HyC1ZFN3Ob+JA9Dj5+Rcobi7JIA5F8uW3Q92LfPoVaUGEkBrwJSiTFX
- 47zvP/ySBJIpZ9rzHMbJ+1L+eJgczF1uQ91inthCKo1THTPo5TgBrpJj0YAIunsj
- 9eH1tBnfWFYdVIDZoTSiwPtgIvglpyuK/eJXEe+FRzubhtdc9w1Hlzox1sd0TQuy
- Pl9KFHg7BlFZfCPig1mkB8pfwjBDgVhv5DKJ9cJXh3R5zSoiyuS2b+qYSvw8YTHq
- 0WNKWUthb7BVAYE3OmcbOHgUAUjtJ6EIGIB9z/SoLe90CofXLXFR5dppuVLKCMBA
- kgL4luBIu7t8mcnN2yzobvcGHy8RVY6F5abCCy6gackLzjOzvH1SYOxP8yN74aKB
- ANgcqdWspb8JYoU8lEbA8dhBVrsgBf7XeJlrZvMdcUENlJ2PI0JWr9WvlRAM9rYY
- EY1alJqBCp6530Ggd6/f0V64cEqptejUdmN9L0zboxKjQf4LjpUNraGvg8tw/xkY
- 4dT1U2HlVnhOyBVkx/tE6zIK/RU16oMqwpjCdfbK/TuWCNc/emJz5PMlp81zm83+
- dExpWwuV4rt6OQbZ/GSatNLJXOw+pkLjaEhnHgrsgI+HqAUXg3ByKol+1e76wN51
- k1ZKpB6mk4kejySGPYBHiJwED0IyXu9gUfalSczXFO4ySAvhCg==
+ MIIFDzCCAvegAwIBAgIUU9rbCLTuvaI6gjSsFsJJjfLWIX8wDQYJKoZIhvcNAQEL
+ BQAwFjEUMBIGA1UEAwwLU25ha2VvaWwgQ0EwIBcNMTkxMDE4MDc1NDEyWhgPMjEx
+ OTA5MjQwNzU0MTJaMBYxFDASBgNVBAMMC1NuYWtlb2lsIENBMIICIjANBgkqhkiG
+ 9w0BAQEFAAOCAg8AMIICCgKCAgEA0NG9tyNbKyWcEdjDHb0iSuaXMC3611PuIBGR
+ J1jck/MnlcHsmvvL5jTTpbyt88X/mYmP+2kNEWSTDodvlXZYB5q9kCoUE39R8H2Q
+ P9OhaJQ9/w3EvgzCTEk1a9e/f1y53XlVWVKlO7Y7wQFikiEvB9oUhdVDj4vYAQ0f
+ DMAj+kII/FmIW5LfauO/5TveqgJpulNRfkO0WDPWUCFiPNTdDLOcCaHIO5+ktfYl
+ eunj4ewD2qWRWLqetYBRln2oZgNtexCyGXeep/MozhdHqW/bAtF6WAg0a2CgVi6j
+ 4r/usL3WbWbwCyLciL9PGcF5QZBYNy2wAIT539Fcc6WMrEJssss5IMtudp/kontJ
+ MfgeKpunzpKX4GJT0lU29nV8f23v0hNPLtGvRTtH2aZAclhGSVFMJ4LCYC1GuzKK
+ 0H92r8aM3wtuV6r824nmX0l5QO5jlHJWWwv1lBacozJciVNngkPMEsLD15fdaMXG
+ JTpLlS4HeNYK/aRl0EriiJK4G35H7Y4NrQwvu4OzvKq3ReNhY22YyMf++AGrJrBo
+ eBk0LYkpLxJ07LYqAumgleOA5SVmwSDL5MmsLm41JT6Yo9B+umPUOLRHP5LXO6Bk
+ H6qpbsi2+N03qG0zxwC7DXgGG9/azLQaOQwwlHPNbH7gzITK/6GFyqxbLVLIOQGO
+ piWkRtECAwEAAaNTMFEwHQYDVR0OBBYEFAZcEiVphGxBT4OWXbM6lKu96dvbMB8G
+ A1UdIwQYMBaAFAZcEiVphGxBT4OWXbM6lKu96dvbMA8GA1UdEwEB/wQFMAMBAf8w
+ DQYJKoZIhvcNAQELBQADggIBAGJ5Jnxq1IQ++IRYxCE7r7BqzzF+HTx0EWKkSOmt
+ eSPqeOdhC26hJlclgGZXAF/Xosmn8vkSQMHhj/jr4HI0VF9IyvDUJm8AKsnOgu/7
+ DUey3lEUdOtJpTG9NyTOcrzxToMJ+hWlFLZKxx2dk4FLIvTLjmo1VHM97Bat7XYW
+ IrL9RRIZ25V+eCYtlR7XYjceGFQ0rCdp8SFIQwC6C/AH2tV3b1AJFsND9PcoLu7c
+ //fH+WUQCcD/N0grdC/QCX7AFWzd4rKQ8gjfND4TSYFTSDwW10Mud4kAVhY2P1sY
+ Y3ZpnxWrCHbIZMbszlbMyD+cjsCBnNvOtYGm7pDut/371rllVcB/uOWYWMCtKPoj
+ 0elPrwNMrK+P+wceNBCRQO+9gwzB589F2morFTtsob/qtpAygW8Sfl8M+iLWXeYS
+ c3LBLnj0TpgXKRWg7wgIWKSZx9v6pgy70U0qvkjNS1XseUCPf7hfAbxT3xF+37Dw
+ zZRwF4WAWqdnJoOey21mgc+a2DQzqtykA6KfHgCqNFfDbQXPXvNy25DDThbk+paX
+ G2M2EWtr+Nv9s/zm7Xv/pOXlgMFavaj+ikqZ4wfJf6c/sMOdZJtMA4TsYtAJgbc8
+ ts+0eymTq4v5S8/fW51Lbjw6hc1Kcm8k7NbHSi9sEjBfxFLTZNQ5eb4NGr9Od3sU
+ kgwJ
-----END CERTIFICATE-----
'';
- "acme-v01.api.letsencrypt.org".key = builtins.toFile "acme-v01.api.letsencrypt.org.key" ''
+ "acme-v02.api.letsencrypt.org".key = builtins.toFile "acme-v02.api.letsencrypt.org.key" ''
-----BEGIN RSA PRIVATE KEY-----
- MIIJKQIBAAKCAgEAvG+sL4q0VkgSClBTn4NkPiUrtXx5oLyZ+CCM1jrQx/xotUt5
- X2S4/7vMnAK/yRLsR7R2PhXO8CZPqJ7B6OfAgaDTgvipJkZYPZQSMP3KOinM3WJL
- ssqKh7/HOxZIf0iyUXewrnX5eTAo/CLsUnhBjBD7E99nmQz/leLWSl82sSYDkO3n
- Uk3/1qJZA8iddb4uH0IEQWcNKev3WoQQzwiVrXBiftlRQOJy5JJXm5m8229MCpMA
- 1AUWmpdu6sl3/gFFdsDhUFq/a7LFrVyaUCMRIHg9szAB7ZFkixr9umQs8jKwuo98
- 3JHB11h2SirwgfIzHHmyhaWhCt22ucTwEXGhq63LtrzZvLsfP8Ql5S+AuqGTH0v8
- meuc784leAjulBZjkpuIFwDnVv9+YeUEbqJeo1hSHrILddora3nkH4E2dJWmLpqp
- iPr++GRi+BNgYKW/BQLTJ7C6v+vUs+kdPgYJH5z7oP6f0YZkT0Wkubp/UEz7UV2d
- fjz57d77DYx5rFWGYzJriWR/xltgL1zDpjwjwG1FDpRqwlyYbBFpjQhxI+X0aT98
- m6fCzBDQHDb/+JgvsjTHh6OZatahFAwzFIEfrceDv1BG8sBWIaZGhLzYiWQxafl8
- oXbWv1T6I1jpsTlCdCSkWzaJb4ZjxI9Ga1ynVu8F16+GR2a71wKWu7UbZQsCAwEA
- AQKCAgBYvrs4FLoD3KNqahRIDqhaQEVKjtn1Yn2dBy9tAXwsg2qI34fE7nnWLwsY
- +o56U0gmKQ57BOhV36Uqg8JNP0BBjI2wpA19simCrsa2fgAMznzmUpHWHV+KuT5K
- TJ9OGt2oUpdKQtOASLc0r/neiTZNkf29iTyQLzf7zj4f/qGSYpXRXsnP0F5KJmGH
- z6agujWckQnSB4eCk9gFsCb+akubyE8K8Kw8w6lajrVl2czBB7SnUj5UnCTeH62k
- M8goP08Is6QppON8BFDm6bLfRPSe9yIPzu9JhGz2unp+mwkz872Zz1P9yUOieM4U
- 9g4ZFQkPQx1ZpfynUm3pJZ/uhzadBabnIvMe/1qwDAEDifh/WzEM76/2kBpQkHtS
- qcjwjAElfWnP8aBr1Pj42/cVJy3dbDqb0OawFHx/8xSO2CkY4Gq2h3OYv1XpPv3g
- S9qqKhvuaT+aD0YjKhP4FYc2vvQSJwdZL8vqOyma8JGmc+r7jakIPCyOx3oPVqnS
- L2P7DuJ1FcGIZyYOU3UUSzKndDU9fVC8YoLWvHDlwm4RK9UPtdsBY8mEu6BlaAwL
- zEQG+fbcFnEkHPiJeAohYUCHiqCihLt0pqGwZi+QrudPQE6C47YijGZWJu4VVLjB
- B2L9iDQKsN4FnBJ9egJIwWBLX3XXQfjC43UGm1A5sBvD+ScsCQKCAQEA7GxU7/SW
- 4YJ+wBXrp7Z3vzlc5mTT5U4L2muWZLhIjT/jmpHpZ4c9a5DY/K9OYcu8XJ+7kx2B
- N40cU3ZkT2ZbB5/BUCEmi3Wzy3R/KZshHDzvvSZHcXJqVBtv+HGJgR5ssFqAw8c6
- gJtDls+JE9Sz+nhLk0ZZ4658vbTQfG1lmtzrbC3Kz2xK8RPTdOU5Or7fayeaEKEW
- ECBJPE41ME2UTdB/E85vyYoee0MBijjAs19QKqvoNbyrsZ5bihcIDYsrvjCmkdW1
- 20IUrSF3ZYJ9bb+CxHeRyNqwvRxPYSkzdMjZHx+xEAvJgw51QqmIi2QQf/qB+ych
- cSbE/0Jhx4QbDQKCAQEAzAoenEOgmZvUegFUu8C6gWeibMjl3Y9SikQ4CoQO/zWr
- aoCr5BpbzbtOffwnPfgk9wCGvXf6smOdrLUP1K2QAhBr/vJh7ih2MonvpYr5HPP7
- maVARR66IgtxXP2ER2I9+9p2OQdecGRP2fUn2KCDQIASHSSY/VjBb8LLJgryC/DS
- r2b0+m1e2qXfNWt/BYTQZhD/8B/jl/2pl/jI2ne3rkeiwEm7lqZaDt3Q8gC+qoP5
- /IdG1Gob7UTMCbICWy1aGuzRYUmbpg0Vq4DAV1RtgBySB5oNq5PMBHYpOxedM2nM
- NxHvf0u6wsxVULwQ4IfWUqUTspjxDmIgogSzmOGadwKCAQEA558if4tynjBImUtg
- egirvG4oc5doeQhDWJN63eYlPizPgUleD41RQSbBTp04/1qoiV38WJ7ZT2Ex1Rry
- H0+58vgyXZx8tLh1kufpBQv0HkQc44SzDZP4U7olspMZEaSK+yNPb36p9AEo8IEW
- XJVQVhywffK4cfUqRHj2oFBU8KlrA6rBPQFtUk4IJkfED6ecHtDHgW8vvFDFLw23
- 0kDPAIU5WmAu6JYmUsBMq+v57kF8urF8Z9kVpIfuSpVR0GL+UfA74DgtWEefFhbp
- cEutMm4jYPN7ofmOmVc49Yl13f4/qNxVjdDedUUe4FZTbax09cyotzOY8c/3w9R3
- Ew57qQKCAQAa5jqi30eM+L5KV2KUXhQ4ezEupk2np/15vQSmXkKb4rd2kwAWUmNH
- /Cmc8mE6CjzVU3xv/iFO41MmMbikkT0rCH80XUAL5cmvX//4ExpEduX0m5SdiC+B
- zYBkggeuYYVKbsKnQhFxP8hHM8rNBFxJZJj+vpRs0gaudT/TBB5k9JrSBQDHAyQ+
- Lx/+Ku3UDG5tBlC3l3ypzQdOwb25D49nqooKT64rbkLxMs0ZGoAIet26LRtpZZPI
- 9AjyPkWRP6lhY1c3PD0I5zC0K4Uv/jFxclLOLcEfnZyH+gv1fmd7H7eMixDH93Pn
- uoiE3EZdU4st2hV+tisRel5S/cuvnA6BAoIBAQDJISK8H0hwYp+J4/WUv/WLtrm4
- Mhmn8ItdEPAyCljycU6oLHJy4fgmmfRHeoO1i3jb87ks2GghegFBbJNzugfoGxIM
- dLWIV+uFXWs24fMJ/J6lqN1JtAj7HjvqkXp061X+MdIJ0DsACygzFfJOjv+Ij77Q
- Q1OBTSPfb0EWFNOuIJr9i2TwdN9eW/2ZMo1bPuwe4ttPEIBssfIC02dn2KD1RTqM
- 1l+L97vVFk7CoSJZf5rLeysLVyUeGdDcoEcRA6fKhfB/55h+iqrZNvySX1HrR6on
- PQcxDRPJD7f9rMsTzVl3DOxzvXAU3lIcZtPZps97IwXceAAh2e1kZNNv/cxj
+ MIIJKQIBAAKCAgEApny0WhfDwEXe6WDTCw8qBuMAPDr88pj6kbhQWfzAW2c0TggJ
+ Etjs9dktENeTpSl14nnLVMiSYIJPYY3KbOIFQH1qDaOuQ7NaOhj9CdMTm5r9bl+C
+ YAyqLIMQ9AAZDhUcQjOy3moiL7ClFHlkFYuEzZBO9DF7hJpfUFIs0Idg50mNoZh/
+ K/fb4P2skNjfCjjomTRUmZHxT6G00ImSTtSaYbN/WHut1xXwJvOoT1nlEA/PghKm
+ JJ9ZuRMSddUJmjL+sT09L8LVkK8CKeHi4r58DHM0D0u8owIFV9qsXd5UvZHaNgvQ
+ 4OAWGukMX+TxRuqkUZkaj84vnNL+ttEMl4jedw0ImzNtCOYehDyTPRkfng5PLWMS
+ vWbwyP8jDd2578mSbx5BF7ypYX366+vknjIFyZ5WezcC1pscIHxLoEwuhuf+knN+
+ kFkLOHeYbqQrU6mxSnu9q0hnNvGUkTP0a/1aLOGRfQ5C/pxpE/Rebi8qfM/OJFd4
+ mSxGL93JUTXWAItiIeBnQpIne65/Ska9dWynOEfIb0okdet3kfmNHz3zc17dZ5g4
+ AdOSCgHAlQgFt/Qd8W6xXUe4C5Mfv2ctxRrfQhDwtB6rMByPwzImnciC2h3vCwD3
+ vS/vjUyWICyhZyi2LZDUQz+sCKBXCYYcYh8ThFO40j5x1OnYMq7XQvyl8QkCAwEA
+ AQKCAgBSAfdssWwRF9m3p6QNPIj9H3AMOxpB/azffqTFzsSJwYp4LWkayZPfffy+
+ 4RGvN38D8e6ActP3ifjEGu3tOGBR5fUJhujeHEiDea+a2Ug9S9kuNwmnelWQ23bM
+ Wgf9cdSbn4+qEymHyEFolmsAWdsuzri1fHJVXR06GWBNz4GiLA8B3HY4GD1M1Gfe
+ aZVkGagpXyeVBdiR2xuP5VQWVI8/NQWzdiipW/sRlNABVkyI3uDeN4VzYLL3gTeE
+ p021kQz4DSxIjHZacHpmWwhBnIbKMy0fo7TlrqcnIWXqTwv63Q9Zs/RN8NOyqb0Y
+ t1NKFWafcwUsdOnrG9uv/cVwF1FNE8puydaOi8rL1zAeK89JH8NRQ02wohR9w8qy
+ b2tB6DyGMtuqBt8Il6GA16ZoEuaXeayvlsvDEmG1cS9ZwBvfgrVPAmlm2AYdIf5B
+ RHIJu4BJC6Nn2ehVLqxx1QDhog3SOnAsCmcfg5g/fCwxcVMLIhODFoiKYGeMitDG
+ Q4e5JKcOg+RR8PT/n4eY4rUDBGtsR+Nw8S2DWgXmSufyfDtKCjZB4IuLWPS29tNh
+ zF6iYfoiTWzrSs/yqPSKIFpv+PWZwkKSvjdxia6lSBYYEON4W2QICEtiEs+SvcG4
+ 0eIqWM+rRmPnJyMfGqX6GCs3rHDQB2VNJPBCYPQalJ/KwZumAQKCAQEA0ezM6qPJ
+ 1JM/fddgeQ50h0T9TRXVUTCISxXza+l4NuFt1NdqUOdHsGtbL1JR4GaQUG8qD1/P
+ R39YgnQEQimxpmYLCZkobkwPxTZm9oiMXpcJrlN4PB5evaWShRSv3mgigpt3Wzml
+ Td+2R9RoA/hvF/wEyIvaWznYOyugBC7GXs20dNnZDULhUapeQu7r6JvgmxBOby7S
+ 0FbhGplBiSDETzZURqzH/GMJKaJtNgyyVf3Hbg4mZAQDWoBRr+8HxsNbDkxP6e91
+ QrPHy2VZFiaTmJfoxRhyMTn7/JZaLJaUHDOniOsdMj/V7vMCgpfBqh5vR8bKzuPy
+ ZINggpcFPp1IYQKCAQEAywc7AQoktMBCru/3vzBqUveXbR3RKzNyZCTH5CMm3UNH
+ zmblFgqF2nxzNil21GqAXzSwZk5FyHbkeD3yvEZm+bXzsZTDNokAwoiTgyrr2tf8
+ GLMlCHHl5euIh1xHuyg/oKajVGOoXUXK8piqiDpQKd3Zwc6u2oyQlh+gYTPKh+7i
+ ilipkYawoE6teb6JUGpvU+d27INgNhB2oDEXY3pG2PbV+wv229ykSZxh1sJUdDwT
+ a8eTg+3pCGXtOZiJoQTFwKUlD2WYTGqS4Gx6dIJco5k+ZikGNST1JGE64Jl4MZdI
+ rtyvpcYblh5Q14sJGvp4kWYS9tjEM8pA+4Z9th3JqQKCAQEAkidH0+UM1A9gmQCm
+ jiHeR39ky5Jz3f7oJT63J15479yrVxBTWNhtNQrJhXzOvGkr+JQsuF+ANMsYmFql
+ zFqy8KMC9D/JwmD6adeif+o5sHF/r/s1LsYGOAtao4TvnOzrefs7ciwERt+GTSQ4
+ 9uq0jgJMYkPcVr9DKI8K7V6ThdW52dECKRVzQiRXVEp7vIsqKUuFECuNYrfaKWai
+ FhLWGkA9FKee5L0e1/naB1N3ph72Bk2btO6GVzAXr2HADEZe0umWiczJ2xLH+3go
+ Oh/JiufYi8ClYFh6dDVJutlrbOcZsV3gCegfzikqijmWABcIavSgpsJVNF2zh7gV
+ Uq62gQKCAQAdO2FHeQpn6/at8WceY/4rC/MFhvGC4tlpidIuCtGhsfo4wZ/iWImF
+ N73u4nF1jBAHpTJwyHxLrLKgjWrRqOFSutvniZ/BzmAJolh63kcvL0Hg3IpMePm8
+ 7PivZJ3/WIAwxU1m7SJkq5PY8ho7mwnHvWWI/hU26l42/z68QBS9FawQd0uS5G2x
+ 5yIbEU/8ABcfYYhB7XiA0EYEMo1HiWeB/ag5iTN13ILbBmUf4sL+KVgygH3A1RRk
+ XSiWzluij2lZn22ClgIjnoSfQ38uH0bvVzUgyG9YX4XcQxOTGwWvPjT82FGB8NAw
+ ARVqs14QQFfzt1qrp/I38rsAfBDFk+xhAoIBAQCEKNk/oJcy9t/jMIbLcn6z3aCc
+ Fn8GBPSXtFj0t6weN5lHof+cggw4owMFWQQyAXxo/K6NnKNydMPZ5qjtLsHNpbpQ
+ aT1Or0/1YR1bJ8Lo82B4QM++7F761GWQPvE/tyrfPkfkWl92ITIpmnlw4wycRlkq
+ 9anI2fnj1nIZwixzE2peb6PcsZU2HOs9uZ5RRd9wia696I7IpNibs4O4J2WTm4va
+ +NeYif3V2g9qwgT0Va0c9/Jlg3b58R0vA8j/VCU5I0TyXpkB3Xapx+pvEdZ3viUL
+ mXZaVotmWjgBXGDtd2VQg2ZiAMXHn3RzXSgV4Z+A/XacRs75h9bNw0ZJYrz1
-----END RSA PRIVATE KEY-----
'';
- "acme-v01.api.letsencrypt.org".cert = builtins.toFile "acme-v01.api.letsencrypt.org.cert" ''
+ "acme-v02.api.letsencrypt.org".cert = builtins.toFile "acme-v02.api.letsencrypt.org.cert" ''
-----BEGIN CERTIFICATE-----
MIIEtDCCApwCAgKaMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNVBAMMC1NuYWtlb2ls
- IENBMCAXDTE4MDcxMjAwMjIxN1oYDzIxMTgwNjE4MDAyMjE3WjAnMSUwIwYDVQQD
- DBxhY21lLXYwMS5hcGkubGV0c2VuY3J5cHQub3JnMIICIjANBgkqhkiG9w0BAQEF
- AAOCAg8AMIICCgKCAgEAvG+sL4q0VkgSClBTn4NkPiUrtXx5oLyZ+CCM1jrQx/xo
- tUt5X2S4/7vMnAK/yRLsR7R2PhXO8CZPqJ7B6OfAgaDTgvipJkZYPZQSMP3KOinM
- 3WJLssqKh7/HOxZIf0iyUXewrnX5eTAo/CLsUnhBjBD7E99nmQz/leLWSl82sSYD
- kO3nUk3/1qJZA8iddb4uH0IEQWcNKev3WoQQzwiVrXBiftlRQOJy5JJXm5m8229M
- CpMA1AUWmpdu6sl3/gFFdsDhUFq/a7LFrVyaUCMRIHg9szAB7ZFkixr9umQs8jKw
- uo983JHB11h2SirwgfIzHHmyhaWhCt22ucTwEXGhq63LtrzZvLsfP8Ql5S+AuqGT
- H0v8meuc784leAjulBZjkpuIFwDnVv9+YeUEbqJeo1hSHrILddora3nkH4E2dJWm
- LpqpiPr++GRi+BNgYKW/BQLTJ7C6v+vUs+kdPgYJH5z7oP6f0YZkT0Wkubp/UEz7
- UV2dfjz57d77DYx5rFWGYzJriWR/xltgL1zDpjwjwG1FDpRqwlyYbBFpjQhxI+X0
- aT98m6fCzBDQHDb/+JgvsjTHh6OZatahFAwzFIEfrceDv1BG8sBWIaZGhLzYiWQx
- afl8oXbWv1T6I1jpsTlCdCSkWzaJb4ZjxI9Ga1ynVu8F16+GR2a71wKWu7UbZQsC
- AwEAATANBgkqhkiG9w0BAQsFAAOCAgEAzeGlFMz1Bo+bbpZDQ60HLdw7qDp3SPJi
- x5LYG860yzbh9ghvyc59MIm5E6vB140LRJAs+Xo6VdVSTC4jUA2kI9k1BQsbZKds
- XT0RqA7HkqcLS3t3JWFkkKbCshMGZTSZ//hpbaUG1qEAfUfmZw1lAxqSa0kqavbP
- awf7k8qHbqcj7WORCdH7fjKAjntEQwIpl1GEkAdCSghOJz2/o9aWmiGZt27OM/sG
- MLSrcmL3QBElCjOxg14P8rnsmZ+VEp6MO93otoJ4dJL7fN7vTIh5ThbS384at/4l
- 4KK/y7XctUzAtWzhnodjk/NSgrrGX2kseOGOWEM1sZc9xtinHH2tpOMqtLVOkgHD
- Lul+TArqgqeoOdEM/9OL64kgOrO/JzxBq+egLUi4wgAul2wmtecKZK1dkwYZHeqW
- 74i55yeBp+TTomnPr0ZBns6xKFYldJVzC34OB+2YVDxe8y9XtWtuQOxFw0LQHhNb
- zy5aBverWzZFwiIIjJoVHTQq848uKBJec0YILfMinS1Wjif4xqW/IMfi+GFS0oka
- sKCGNE/8ur9u/Jm6cbto3f2dtV8/vkhiITQgwzM2jalyuVJ9jyPxG7EvbTvZORgw
- pRvBRTd4/eE7I1L+UDe6x8EjR/MrqfF9FWVGOZo4vPTyNbrSWYBh6s9kYy56ds1l
- IRxst1BXEfI=
+ IENBMCAXDTE5MTAxODA3NTQxM1oYDzIxMTkwOTI0MDc1NDEzWjAnMSUwIwYDVQQD
+ DBxhY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnMIICIjANBgkqhkiG9w0BAQEF
+ AAOCAg8AMIICCgKCAgEApny0WhfDwEXe6WDTCw8qBuMAPDr88pj6kbhQWfzAW2c0
+ TggJEtjs9dktENeTpSl14nnLVMiSYIJPYY3KbOIFQH1qDaOuQ7NaOhj9CdMTm5r9
+ bl+CYAyqLIMQ9AAZDhUcQjOy3moiL7ClFHlkFYuEzZBO9DF7hJpfUFIs0Idg50mN
+ oZh/K/fb4P2skNjfCjjomTRUmZHxT6G00ImSTtSaYbN/WHut1xXwJvOoT1nlEA/P
+ ghKmJJ9ZuRMSddUJmjL+sT09L8LVkK8CKeHi4r58DHM0D0u8owIFV9qsXd5UvZHa
+ NgvQ4OAWGukMX+TxRuqkUZkaj84vnNL+ttEMl4jedw0ImzNtCOYehDyTPRkfng5P
+ LWMSvWbwyP8jDd2578mSbx5BF7ypYX366+vknjIFyZ5WezcC1pscIHxLoEwuhuf+
+ knN+kFkLOHeYbqQrU6mxSnu9q0hnNvGUkTP0a/1aLOGRfQ5C/pxpE/Rebi8qfM/O
+ JFd4mSxGL93JUTXWAItiIeBnQpIne65/Ska9dWynOEfIb0okdet3kfmNHz3zc17d
+ Z5g4AdOSCgHAlQgFt/Qd8W6xXUe4C5Mfv2ctxRrfQhDwtB6rMByPwzImnciC2h3v
+ CwD3vS/vjUyWICyhZyi2LZDUQz+sCKBXCYYcYh8ThFO40j5x1OnYMq7XQvyl8QkC
+ AwEAATANBgkqhkiG9w0BAQsFAAOCAgEAkx0GLPuCvKSLTHxVLh5tP4jxSGG/zN37
+ PeZLu3QJTdRdRc8bgeOGXAVEVFbqOLTNTsuY1mvpiv2V6wxR6nns+PIHeLY/UOdc
+ mOreKPtMU2dWPp3ybec2Jwii6PhAXZJ26AKintmug1psMw7662crR3SCnn85/CvW
+ 192vhr5gM1PqLBIlbsX0tAqxAwBe1YkxBb9vCq8NVghJlKme49xnwGULMTGs15MW
+ hIPx6sW93zwrGiTsDImH49ILGF+NcX1AgAq90nG0j/l5zhDgXGJglX+K1xP99X1R
+ de3I4uoufPa5q+Pjmhy7muL+o4Qt0D0Vm86RqqjTkNPsr7gAJtt66A7TJrYiIoKn
+ GTIBsgM6egeFLLYQsT0ap/59HJismO2Pjx4Jk/jHOkC8TJsXQNRq1Km76VMBnuc0
+ 2CMoD9pb38GjUUH94D4hJK4Ls/gJMF3ftKUyR8Sr/LjE6qU6Yj+ZpeEQP4kW9ANq
+ Lv9KSNDQQpRTL4LwGLTGomksLTQEekge7/q4J2TQRZNYJ/mxnrBKRcv9EAMgBMXq
+ Q+7GHtKDv9tJVlMfG/MRD3CMuuSRiT3OVbvMMkFzsPkqxYAP1CqE/JGvh67TzKI+
+ MUfXKehA6TKuxrTVqCtoFIfGaqA9IWyoRTtugYq/xssB9ESeEYGeaM1A9Yueqz+h
+ KkBZO00jHSE=
-----END CERTIFICATE-----
'';
"letsencrypt.org".key = builtins.toFile "letsencrypt.org.key" ''
-----BEGIN RSA PRIVATE KEY-----
- MIIJKAIBAAKCAgEAwPvhlwemgPi6919sSD7Pz6l6CRfU1G/fDc0AvsMN/nTmiGND
- pqn9ef1CA+RtLtOuPc1LLyEovcfu75/V+6KSgO4k19E2CrFCFwjEOWDGF4DgclT3
- 751WGmFJgzPEfZfhbOrmQfQau86KxAtNZVp9FxcKbuLyQ/sNNxfNMB+7IHbVhwvz
- VcndHpYZEP6kdnwvNLP22bouX5q3avxWStln01uZ0BfUm4XwxaUNIU7t0Dv56FK9
- C9hW9AZae0do0BJBWRF7xSwLeDJqn9uZz+sX0X/tIaaSQSBuZySj0He5ZKzdUO0t
- px2xTS2Brl3Y2BOJaOE98HubWvdKoslLt4X2rVrMxGa86SmFzcyDL1RSowcP/ruy
- y555l7pepL5s4cmMgRBBXj5tXhqUTVOn5WO+JClLk+rtvtAT4rogJmMqEKmMw2t7
- LNy1W9ri/378QG/i3AGaLIL/7GsPbuRO51Sdti4QMVe2zNFze72mzNmj1SXokWy7
- +ZvjUMp55oEjRRsTPUZdNOEHJWy6Os2znuqL7ZpIHCxBG8FKnkCViXRJqAA8bzcE
- hR+pLamLIOHlv4kdzJ6phHkSvK68qvbRReUmOjJgSupVBI9jhK+fHay/UWR4zfJQ
- ed99H8ZOoiXlrLCVs+VPDynUUKrzF1nYyolNzi/NS4e4AbnfWgyC5JKRpjUCAwEA
- AQKCAgB0fNYL+zM3MGxy+2d6KGf6GnuuV3NBlBGY3ACyJT0iNmAdPYXNaVi2tPeP
- L+fz1xSa+3uBhEt6Wt/QRrO8g8JZDuawWvl69MpG6yS+2bpY35MbkExkl50sqULd
- bncRtIb+3r+EWht099RtR8E9B6TwNhk3G8hO3pB4i+ZwQQcMLo7vSHhmdUYCu2mA
- B6UwW/+GmYbMoARz8wj6DDzuS1LPksBCis/r3KqcMue9Dk6gXkOYR7ETIFBEVj1x
- ooYS6qIFaHdEajS2JgCUY9LxXR/wdn6lzE0GANSDb+tt34bJzUp+Gdxvvo2SX4Ci
- xsUokIpmA2gG7CW3gAPORSFuMu/VYZtvt+owNYlODXRPuGi/eLDknFRB/S4Nx0J0
- WZZq5uTgJdQainyKYtDZALia5X4cc5I2hNetCorG9jNZIsSunbIAG+htx2FI3eqK
- jwOUiHE8SCZ6YdXoDQjg2w+g8jeB23eqkPyzunpZphYiKay7VFeLwQEMC2a791ln
- +MbHhhpRAc1uAoU2reB2fxKyaPlOfAWVMgUOGlgpVOuEVeMoc1CwjajaFztGG7fI
- 8EHNoyAftCdXnTaLZk2KZnnIDHHzFXR62TE1GJFD1fdI1pHAloCbgA4h+Dtwm1Uu
- iAEEfvVU/E5wbtAzv6pY32+OKX5kyHAbM5/e918B8ZxmHG1J9QKCAQEA6FwxsRG3
- 526NnZak540yboht5kV12BNBChjmARv/XgZ7o1VsfwjaosErMvasUBcHDEYOC/oE
- ZgPAyrMVsYm0xe/5FSIFLJVeYXTr0rmCNhVtBCHx3IS94BCXreNnz0qoEWnb5E09
- Z1O42D0yGcLXklg6QaJfb7EdHh03F3dSVMHyDR3JlAQHRINeuP6LlQpbvRD3adH5
- QWr2M3k+Stuq2OJdG7eUS1dreCxRShLuDjDhiZekdl/TB3LM0prOaWrKBrryN2g6
- mjiasH6I5zRD3LQP5zg57Thb8afHqA4Fb85Frt6ltfFlPTIoxXZ5drVhmRWfXXnQ
- POnj8T+w4zVjvwKCAQEA1J4ivyFkCL0JTSY3/PtwAQvBBj3GazzU6P+urWeH74Vh
- WK17Ae40iOUHGyy80Db/fVY4VLQTpxvAeG91Gj5Nd/AucXJgOrisabcEz6N/xUs5
- sjJNgXuNKTAgjYBu0bqLXxgZj43zT8JhA6KW7RuYU0PtHMRragz4RbK9NWDaVvJb
- xSR5QoVLS00PerUa0SfupEYKCrlSTP6FOM5YNkCuSMt7X6/m9cR0WwVINKvUQBiT
- ObrN+KeBmF9awpQQnQOq/GbCl3kf6VyPQqYFhdrWSg52w33c2tBVYrtHJpeXGcin
- akw4KKcj4rdU2qxMuuRiD5paagshbLdGsYMTbSzjCwKCAQEAh89DGAyUIcfDLAWd
- st0bSfGh0oJsw3NVg3JUFPfpRWqiny/Rr1pcd95RwoLc6h7bdrgHg8aJBZtR9ue/
- WTp0l3CQdGKjBZD0TiAJqevViIjzZAP3Gn3XgPwRu4f75/Pp0eu+o2zl49vSYUk7
- XEU+vIGm4y/leiHaM/y9c5DBZVrKgBIV/NZx7QCfv56/tMgOIK6m/YnFlw/OgP1v
- hE9qR0PfSdD98x9QaDf290WjMFYvrL0eWjXd4S+fOcVTude55z8jTXE1N2i4OUpr
- +D7bH0d7OBjr+pQDYXZAQyCW2ueEYRYvYu2Jz7/ehrOdgN25AsHZmMgXB1NpcFta
- pyJQfwKCAQByoPMwworRH0GVg4Zp8RFYrwKZH9MK29gZ6kc9m/Sw0OND0PvhdZCD
- QZ8MKpl9VDl4VHS4TgHOdWrWQ5kJ1g8kG6yeY0C4R/pEYHTKkWaAcucfSHl61qar
- TxQt1dFpZz5evXqCZ9CG7tApCo5+NQNx2MxMVyVmHqn3wb66uYXdnHqXlet+Tqji
- ZyByUpOrsfC6RjyBvZo+gnZGwxDR5xtPiczxML+/PvRQYk+kfgNHrzgoxqrnZT+8
- a6ReBT/TtzeHLsu4qIfo44slLqcJnIstkBC9ouzgV7PBMCDTEKVZNFH2QDOCz2HM
- iHTKFFyl4h1wNhKK24dguor1hyqBENMzAoIBAAQvQHwRWIVlfCMRI170Ls8AXB9Z
- MMdZJ37bh6kmJpkV3+HB1ZkKwofHKR9h/3xLt5iYXzqT+/zA4EAsFFs1A93+tkzh
- yPrN5iTSJicophZSlA4ObX1hMkgshvl7ZB1fRM5WyiszBOfm8W7eAxaK8nY2oAoP
- tI7rioo6CFBNMCGbOl4gEX6YJ4OsVSm+efCRSDDw+3HW8H2YgqufBzAULk1Jcj5t
- ZvraXpC5qZ92VtsH0cGA1ovNDAmoOV4AAvtZVpLQsXwaphad/Fbn/ItGrrluvvFC
- HuldRzYtl/AQtoirK86LTY3aAmcwVFuiYvDQMzjzkJvVMmRCFZBcUIaz2oI=
+ MIIJKgIBAAKCAgEA9dpdPEyzD3/BBds7tA/51s+WmLFyWuFrq4yMd2R+vi5gvK7n
+ lLNVKhYgiTmK2Um+UEpGucJqZHcTSZA1Bz4S/8ND/AI9I6EmwvBinY5/PubxEALk
+ 9YiDA+IzH8ZGFM8wXg7fMbbJAsyv+SHAtr2jmCsggrpuD5fgzs2p+F2q0+oVoeFw
+ MAOUdAf2jNtNLEj2Q6MiR5Xq+wFOcRtXlNlXWIX3NrmubO/xOpDNpsyjyYC5Ld+W
+ 06MS5bTHSdv56AkUg2PugMChj15TOddEJIK8zPXFTlMYye9SKwjhNUZovfe4xXCa
+ Tj2nmzrcuMKLz+S3sKQeTWjiRcY3w4zTlAbhtGXDjXjhMObrHoWM8e3cTL4NJMvt
+ tNStXficxbeTbIiYu+7dtF0q+iWaZqexc6PdAaIpFZ0XSw+i5iLdQZmBwzY7NLlH
+ pQupfh6ze0qDUVZAMDubo4JKUTBzH6QTuhHx+uUm7Lc8YdNArn7o/vMZDQym1Eia
+ xKxZuCGaqFvq8ZK4nBVsHfcXbhF/XD2HMid3t7ImbREVu9qnc+En+acU/SJaaL3r
+ jMW6HLVMr6+vQrCzYkvLzKYpoUm9D1Kcn6d8Ofxl2iCaY9CkMr5/6J1p1wcTdcN7
+ IVQ/DFBeTDauyWbyZkO/lPoZoakWyXOx9S9tgClzhFmNgRkZv9wN+QguNDcCAwEA
+ AQKCAgEA0ndlacGfaJ1NeN39dmBW2XZMzdrassJXkjx34528gsLhPaXdyobbWXQn
+ 1lHUc7+VlNaBRXUR73+gm1FAlDqnuRxIjuy7ukyzCh8PzSG3/PlnVPWlXCzJPAHh
+ EkqCpD3agirpF34LBsKDwxsKB2bBLft9kWxX3DGA2olmAKDvJQs4CaUcjX4DEHHg
+ tyTmJAsyByUYq3/D8a1koZ9ukpadF8NXpxm+ILQoJqLf6vM1I8N2w7atP/BStSLV
+ mH0gq2tajEB4ZPCDXmC5jsKiKz9gsXWUu0CX8AdYqE6pvRnRgQ8Ytq1265QMb+8s
+ FV82oXqDZkyZRFuNmX3fLyDX39kkTcVS37S56Gzk4EzDWE/u2RXCAPeWla2zUFYI
+ hg8X4ZAwbZRODtK2cZTuCZEILM/iKmtSgHC+aQhp18EUAefa7WGrRD4AvbTxH4VF
+ ek60bwISBk5Mhf39MwqIiQxGOFmfLsQReZvzH4jI5zfDXf/0yZ/1SdGeu6+Walt0
+ V81Ua/DB6zshHpeSP74HMuJHZ4DOQfcV/ndyzvoP84pAjenSx6O034OwQTkpoMI/
+ f/2rK8kdzYSL4f//kFMuRLqmAwOmAFYB2oMo0/YaIoQ4vgTHDKTSxj5mbno56GdT
+ huMAVMKskaCSVbyMB/xyQG7senLItVv+HafVk6ChMUbkIjv9zgECggEBAP+ux1RG
+ cETGjK2U3CRoHGxR7FwaX6hkSokG+aFdVLer+WUrZmR8Ccvh2ALpm8K1G6TTk/5X
+ ZeVX4+1VFYDeTHMN8g20usS5mw3v2GF3fGxGLe4q56l4/4kKMZOrSBuWH4niiIKD
+ 0QogdzWkpQJ93nMbZxZ5lk+lRZVf3qSm6nzyP468ndrfI57Ov5OUIWZ7KhTUH9IK
+ 8/urUk+lEvyzQmNTlt5ZZXRz7cR01K8chx1zevVAyynzSuGjTysaBN7LTT0v3yVu
+ 96yKNsxJvuIz2+4qSjhbnN4jH+feN0VsdF3+Qkru0lBmLVgJl4X67XFaAKMDU9yv
+ 3alS53Pkol+Dy1cCggEBAPYodofHC1ydoOmCvUAq4oJNtyI4iIOY/ch3sxVhkNyi
+ KBscQqbay/DiXFiNl+NsemzB1PrHzvCaqKcBKw537XzeKqUgYuVLkFGubf9bDhXi
+ wSRcYbU/oNTgiTgXPW8wH60uIoLaiNi1/YjO2zh4GEY/kFqSuD54Y91iFmcC75bv
+ OjCNugnRdpRjOFhaeNx75tdverR37w3APVZuBSv3bJlMPCtaf+fEAKxJxeqCs3Oq
+ rtsw2TQ4TqfE8/w9qPCVv3bQbMbO48SwjxAz47qH2h3qGu3Ov8badeARe+Ou7nuI
+ U13gPuPOhPXIQP/MYOyamPJdFyng1b8vyNsfjOcWMiECggEAEkMgl6NkV3U7DRbp
+ 1mvdQ9tiH33+wR9Qt5LY966b43aUHKbJ7Hlzla1u6V5YMsMO02oNUwhZDdWGQShn
+ ncnC+iDP3iy/flenfIpaETQgnfcxRqan31H2Joqk2eBNCTNi001r5K6XmrqQ6TL2
+ WkQ1RFF7vn42vz+VxcKQO4B0lTIUWhSczcpMWAZ6ZocZD6HScqRoFW+U16/39Bpd
+ TdFb944742vNNFEndXXGzy8hc3gRGz1ihX+MJKuuduyn1mX9AVbPAHR5mkhQ+6x0
+ xuFfXxaEMJxSiwdFOyGDHyFM+n2zrHh8ayOxL22X9gjjNspv6zTMo6GoGnUCdSOq
+ eVoHhwKCAQEAot5O3rOB/vuEljwcv7IgQJrvCsNg/8FgWR1p7kGpuXHJG3btWrz1
+ pyH+e9DjqGQD9KWjJ3LAp02NPUJ2nJIZHj9Y8/yjspb2nDTPLt+uSCjKJibBt0ys
+ O219HRGzYjfzHYCi8PVrCggQAk7rmUdMuF4iQutE4ICDgtz9eZbls3YBiFKdvxVK
+ Yg/sHflucmPAbtah13prPyvs6ZzN6zNANYXNYdn1OwHieBwvyWRFG8jY/MorTHPd
+ BwA3drPNbbGHBzQMZNZKub8gSVYr3SU52gUlYCclmIq+50xqLlF2FWIz1q8irVPd
+ gUnIR/eQQbxgaivRwbGze1ZAjUsozVVQQQKCAQEA9uAKU3O06bEUGj+L0G+7R7r/
+ bi2DNi2kLJ7jyq+n0OqcHEQ1zFK4LAPaXY0yMYXieUzhivMGLSNDiubGO2/KxkFF
+ REXUFgYWZYMwrKsUuscybB64cQDwzD0oXrhvEa2PHecdG6AZ63iLcHaaDzyCPID/
+ wtljekLO2jbJ5esXZd016lykFfUd/K4KP1DGyI2Dkq6q0gTc/Y36gDAcPhIWtzna
+ UujYCe3a8DWCElH4geKXaB5ABbV1eJ8Lch599lXJ9Hszem6QNosFsPaHDCcqLS9H
+ yy2WA6CY2LVU7kONN+O0kxs2fVbxIkI+d/LZyX/yIGlkXcAzL07llIlrTAYebQ==
-----END RSA PRIVATE KEY-----
'';
"letsencrypt.org".cert = builtins.toFile "letsencrypt.org.cert" ''
-----BEGIN CERTIFICATE-----
MIIEpzCCAo8CAgKaMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNVBAMMC1NuYWtlb2ls
- IENBMCAXDTE4MDcxMjAwMjIxOVoYDzIxMTgwNjE4MDAyMjE5WjAaMRgwFgYDVQQD
+ IENBMCAXDTE5MTAxODA3NTQxNVoYDzIxMTkwOTI0MDc1NDE1WjAaMRgwFgYDVQQD
DA9sZXRzZW5jcnlwdC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
- AQDA++GXB6aA+Lr3X2xIPs/PqXoJF9TUb98NzQC+ww3+dOaIY0Omqf15/UID5G0u
- 0649zUsvISi9x+7vn9X7opKA7iTX0TYKsUIXCMQ5YMYXgOByVPfvnVYaYUmDM8R9
- l+Fs6uZB9Bq7zorEC01lWn0XFwpu4vJD+w03F80wH7sgdtWHC/NVyd0elhkQ/qR2
- fC80s/bZui5fmrdq/FZK2WfTW5nQF9SbhfDFpQ0hTu3QO/noUr0L2Fb0Blp7R2jQ
- EkFZEXvFLAt4Mmqf25nP6xfRf+0hppJBIG5nJKPQd7lkrN1Q7S2nHbFNLYGuXdjY
- E4lo4T3we5ta90qiyUu3hfatWszEZrzpKYXNzIMvVFKjBw/+u7LLnnmXul6kvmzh
- yYyBEEFePm1eGpRNU6flY74kKUuT6u2+0BPiuiAmYyoQqYzDa3ss3LVb2uL/fvxA
- b+LcAZosgv/saw9u5E7nVJ22LhAxV7bM0XN7vabM2aPVJeiRbLv5m+NQynnmgSNF
- GxM9Rl004QclbLo6zbOe6ovtmkgcLEEbwUqeQJWJdEmoADxvNwSFH6ktqYsg4eW/
- iR3MnqmEeRK8rryq9tFF5SY6MmBK6lUEj2OEr58drL9RZHjN8lB5330fxk6iJeWs
- sJWz5U8PKdRQqvMXWdjKiU3OL81Lh7gBud9aDILkkpGmNQIDAQABMA0GCSqGSIb3
- DQEBCwUAA4ICAQAkx3jcryukAuYP7PQxMy3LElOl65ZFVqxDtTDlr7DvAkWJzVCb
- g08L6Tu+K0rKh2RbG/PqS0+8/jBgc4IwSOPfDDAX+sinfj0kwXG34WMzB0G3fQzU
- 2BMplJDOaBcNqHG8pLP1BG+9HAtR/RHe9p2Jw8LG2qmZs6uemPT/nCTNoyIL4oxh
- UncjETV4ayCHDKD1XA7/icgddYsnfLQHWuIMuCrmQCHo0uQAd7qVHfUWZ+gcsZx0
- jTNCcaI8OTS2S65Bjaq2HaM7GMcUYNUD2vSyNQeQbha4ZeyZ9bPyFzznPMmrPXQe
- MJdkbJ009RQIG9As79En4m+l+/6zrdx4DNdROqaL6YNiSebWMnuFHpMW/rCnhrT/
- HYadijHOiJJGj9tWSdC4XJs7fvZW3crMPUYxpOvl01xW2ZlgaekILi1FAjSMQVoV
- NhWstdGCKJdthJqLL5MtNdfgihKcmgkJqKFXTkPv7sgAQCopu6X+S+srCgn856Lv
- 21haRWZa8Ml+E0L/ticT8Fd8Luysc6K9TJ4mT8ENC5ywvgDlEkwBD3yvINXm5lg1
- xOIxv/Ye5gFk1knuM7OzpUFBrXUHdVVxflCUqNAhFPbcXwjgEQ+A+S5B0vI6Ohue
- ZnR/wuiou6Y+Yzh8XfqL/3H18mGDdjyMXI1B6l4Judk000UVyr46cnI7mw==
+ AQD12l08TLMPf8EF2zu0D/nWz5aYsXJa4WurjIx3ZH6+LmC8rueUs1UqFiCJOYrZ
+ Sb5QSka5wmpkdxNJkDUHPhL/w0P8Aj0joSbC8GKdjn8+5vEQAuT1iIMD4jMfxkYU
+ zzBeDt8xtskCzK/5IcC2vaOYKyCCum4Pl+DOzan4XarT6hWh4XAwA5R0B/aM200s
+ SPZDoyJHler7AU5xG1eU2VdYhfc2ua5s7/E6kM2mzKPJgLkt35bToxLltMdJ2/no
+ CRSDY+6AwKGPXlM510QkgrzM9cVOUxjJ71IrCOE1Rmi997jFcJpOPaebOty4wovP
+ 5LewpB5NaOJFxjfDjNOUBuG0ZcONeOEw5usehYzx7dxMvg0ky+201K1d+JzFt5Ns
+ iJi77t20XSr6JZpmp7Fzo90BoikVnRdLD6LmIt1BmYHDNjs0uUelC6l+HrN7SoNR
+ VkAwO5ujgkpRMHMfpBO6EfH65Sbstzxh00Cufuj+8xkNDKbUSJrErFm4IZqoW+rx
+ kricFWwd9xduEX9cPYcyJ3e3siZtERW72qdz4Sf5pxT9IlpoveuMxboctUyvr69C
+ sLNiS8vMpimhSb0PUpyfp3w5/GXaIJpj0KQyvn/onWnXBxN1w3shVD8MUF5MNq7J
+ ZvJmQ7+U+hmhqRbJc7H1L22AKXOEWY2BGRm/3A35CC40NwIDAQABMA0GCSqGSIb3
+ DQEBCwUAA4ICAQBbJwE+qc0j6JGHWe0TGjv1viJU3WuyJkMRi+ejx0p/k7Ntp5An
+ 2wLC7b/lVP/Nh+PKY/iXWn/BErv2MUo4POc1g8svgxsmMMh5KGGieIfGs7xT+JMH
+ dzZZM+pUpIB5fEO5JfjiOEOKDdAvRSs0mTAVYZEokGkXSNWyylvEaA16mHtMgPjo
+ Lm75d0O66RfJDdd/hTl8umGpF7kEGW1qYk2QmuPr7AqOa8na7olL5fMPh6Q7yRqx
+ GIS9JKQ0fWl8Ngk09WfwUN/kEMcp9Jl5iunNRkbpUJIM/lHFkSA7yOFFL+dVWzd4
+ 2r+ddJXTFzW8Rwt65l8SV2MEhijEamKva3mqKLIRWxDsfFVT1T04LWFtnzMW4Z29
+ UHF9Pi7XSyKz0Y/Lz31mNTkjJYbOvbnwok8lc3wFWHc+lummZk8IkCq8xfqzwmwX
+ Ow6EV+Q6VaQpOHumQZ12pBBLtL8DyDhWaRUgVy2vYpwYsMYa5BFMcKCynjlSewo9
+ G2hNoW45cQZP1qHltRR9Xad7SaP7iTETDCiR7AWOqSpDipSh9eMfVW97ZbSfz+vl
+ xl8PZEZMTRIIRVXsPP+E8gtDUhUQp2+Vcz8r6q71qslXM09xl/501uaNjCc3hH2R
+ iw2N77Lho1F3FrBbHdML3RYHZI55eC9iQw6R4S+R4b+iWLJoHzHrW61itg==
-----END CERTIFICATE-----
'';
}
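Review bot: The two leaf certificates regenerated here (`acme-v02.api.letsencrypt.org.cert` and `letsencrypt.org.cert`) are still X.509 v1 certificates that name the host only in the subject CN. Their DER begins with the serial number with no version field before it, and the signature algorithm follows directly after the public key, so there is no subjectAltName extension. TLS clients that no longer fall back to the CN for host name matching will reject them, and the ACME tests would then fail for a reason unrelated to what they exercise. Both leaves also keep the same serial number (`02 9a`, in the unchanged first line of each certificate) under one issuer, which some TLS libraries refuse. Since the key material is being regenerated anyway, I would have the generator (presumably the mkcerts script next to `mkcerts.nix`, not visible in this hunk) emit v3 certificates with `subjectAltName = DNS:<domain>` and a distinct serial per domain.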
diff --git a/nixpkgs/nixos/tests/containers-bridge.nix b/nixpkgs/nixos/tests/containers-bridge.nix
index 38db64eb793..2c8e8fa5370 100644
--- a/nixpkgs/nixos/tests/containers-bridge.nix
+++ b/nixpkgs/nixos/tests/containers-bridge.nix
@@ -7,7 +7,7 @@ let
containerIp6 = "fc00::2/7";
in
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "containers-bridge";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ aristid aszlig eelco kampfschlaefer ];
@@ -61,43 +61,42 @@ import ./make-test.nix ({ pkgs, ...} : {
virtualisation.pathsInNixDB = [ pkgs.stdenv ];
};
- testScript =
- ''
- $machine->waitForUnit("default.target");
- $machine->succeed("nixos-container list") =~ /webserver/ or die;
-
- # Start the webserver container.
- $machine->succeed("nixos-container status webserver") =~ /up/ or die;
-
- # Check if bridges exist inside containers
- $machine->succeed("nixos-container run webserver -- ip link show eth0");
- $machine->succeed("nixos-container run web-noip -- ip link show eth0");
-
- "${containerIp}" =~ /([^\/]+)\/([0-9+])/;
- my $ip = $1;
- chomp $ip;
- $machine->succeed("ping -n -c 1 $ip");
- $machine->succeed("curl --fail http://$ip/ > /dev/null");
-
- "${containerIp6}" =~ /([^\/]+)\/([0-9+])/;
- my $ip6 = $1;
- chomp $ip6;
- $machine->succeed("ping -n -c 1 $ip6");
- $machine->succeed("curl --fail http://[$ip6]/ > /dev/null");
-
- # Check that nixos-container show-ip works in case of an ipv4 address with
- # subnetmask in CIDR notation.
- my $result = $machine->succeed("nixos-container show-ip webserver");
- chomp $result;
- $result eq $ip or die;
-
- # Stop the container.
- $machine->succeed("nixos-container stop webserver");
- $machine->fail("curl --fail --connect-timeout 2 http://$ip/ > /dev/null");
- $machine->fail("curl --fail --connect-timeout 2 http://[$ip6]/ > /dev/null");
-
- # Destroying a declarative container should fail.
- $machine->fail("nixos-container destroy webserver");
- '';
-
+ testScript = ''
+ machine.wait_for_unit("default.target")
+ assert "webserver" in machine.succeed("nixos-container list")
+
+ with subtest("Start the webserver container"):
+ assert "up" in machine.succeed("nixos-container status webserver")
+
+ with subtest("Bridges exist inside containers"):
+ machine.succeed(
+ "nixos-container run webserver -- ip link show eth0",
+ "nixos-container run web-noip -- ip link show eth0",
+ )
+
+ ip = "${containerIp}".split("/")[0]
+ machine.succeed(f"ping -n -c 1 {ip}")
+ machine.succeed(f"curl --fail http://{ip}/ > /dev/null")
+
+ ip6 = "${containerIp6}".split("/")[0]
+ machine.succeed(f"ping -n -c 1 {ip6}")
+ machine.succeed(f"curl --fail http://[{ip6}]/ > /dev/null")
+
+ with subtest(
+ "nixos-container show-ip works in case of an ipv4 address "
+ + "with subnetmask in CIDR notation."
+ ):
+ result = machine.succeed("nixos-container show-ip webserver").rstrip()
+ assert result == ip
+
+ with subtest("Stop the container"):
+ machine.succeed("nixos-container stop webserver")
+ machine.fail(
+ f"curl --fail --connect-timeout 2 http://{ip}/ > /dev/null",
+ f"curl --fail --connect-timeout 2 http://[{ip6}]/ > /dev/null",
+ )
+
+ # Destroying a declarative container should fail.
+ machine.fail("nixos-container destroy webserver")
+ '';
})
diff --git a/nixpkgs/nixos/tests/containers-ephemeral.nix b/nixpkgs/nixos/tests/containers-ephemeral.nix
index 1ef8717d9a0..692554ac0ba 100644
--- a/nixpkgs/nixos/tests/containers-ephemeral.nix
+++ b/nixpkgs/nixos/tests/containers-ephemeral.nix
@@ -1,6 +1,6 @@
# Test for NixOS' container support.
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "containers-ephemeral";
machine = { pkgs, ... }: {
@@ -16,10 +16,10 @@ import ./make-test.nix ({ pkgs, ...} : {
services.nginx = {
enable = true;
virtualHosts.localhost = {
- root = (pkgs.runCommand "localhost" {} ''
+ root = pkgs.runCommand "localhost" {} ''
mkdir "$out"
echo hello world > "$out/index.html"
- '');
+ '';
};
};
networking.firewall.allowedTCPPorts = [ 80 ];
@@ -28,29 +28,27 @@ import ./make-test.nix ({ pkgs, ...} : {
};
testScript = ''
- $machine->succeed("nixos-container list") =~ /webserver/ or die;
+ assert "webserver" in machine.succeed("nixos-container list")
- # Start the webserver container.
- $machine->succeed("nixos-container start webserver");
+ machine.succeed("nixos-container start webserver")
- # Check that container got its own root folder
- $machine->succeed("ls /run/containers/webserver");
+ with subtest("Container got its own root folder"):
+ machine.succeed("ls /run/containers/webserver")
- # Check that container persistent directory is not created
- $machine->fail("ls /var/lib/containers/webserver");
+ with subtest("Container persistent directory is not created"):
+ machine.fail("ls /var/lib/containers/webserver")
# Since "start" returns after the container has reached
# multi-user.target, we should now be able to access it.
- my $ip = $machine->succeed("nixos-container show-ip webserver");
- chomp $ip;
- $machine->succeed("ping -n -c1 $ip");
- $machine->succeed("curl --fail http://$ip/ > /dev/null");
+ ip = machine.succeed("nixos-container show-ip webserver").rstrip()
+ machine.succeed(f"ping -n -c1 {ip}")
+ machine.succeed(f"curl --fail http://{ip}/ > /dev/null")
- # Stop the container.
- $machine->succeed("nixos-container stop webserver");
- $machine->fail("curl --fail --connect-timeout 2 http://$ip/ > /dev/null");
+ with subtest("Stop the container"):
+ machine.succeed("nixos-container stop webserver")
+ machine.fail(f"curl --fail --connect-timeout 2 http://{ip}/ > /dev/null")
- # Check that container's root folder was removed
- $machine->fail("ls /run/containers/webserver");
+ with subtest("Container's root folder was removed"):
+ machine.fail("ls /run/containers/webserver")
'';
})
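Review bot: The two absence checks, `machine.fail("ls /var/lib/containers/webserver")` and `machine.fail("ls /run/containers/webserver")`, pass on any non-zero exit of `ls`, not only when the path is missing. A positive assertion states the intent exactly: `machine.succeed("test ! -e /var/lib/containers/webserver")` and `machine.succeed("test ! -e /run/containers/webserver")`. Both checks are carried over from the Perl script, so this is a tightening of the test rather than a regression introduced here.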
diff --git a/nixpkgs/nixos/tests/containers-hosts.nix b/nixpkgs/nixos/tests/containers-hosts.nix
index 8cf298c6225..d6fb4a761ee 100644
--- a/nixpkgs/nixos/tests/containers-hosts.nix
+++ b/nixpkgs/nixos/tests/containers-hosts.nix
@@ -1,6 +1,6 @@
# Test for NixOS' container support.
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "containers-hosts";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ montag451 ];
@@ -42,11 +42,11 @@ import ./make-test.nix ({ pkgs, ...} : {
};
testScript = ''
- startAll;
- $machine->waitForUnit("default.target");
+ start_all()
+ machine.wait_for_unit("default.target")
- # Ping the containers using the entries added in /etc/hosts
- $machine->succeed("ping -n -c 1 simple.containers");
- $machine->succeed("ping -n -c 1 netmask.containers");
+ with subtest("Ping the containers using the entries added in /etc/hosts"):
+ for host in "simple.containers", "netmask.containers":
+ machine.succeed(f"ping -n -c 1 {host}")
'';
})
diff --git a/nixpkgs/nixos/tests/containers-imperative.nix b/nixpkgs/nixos/tests/containers-imperative.nix
index 2e7e4b2f1d6..61df74042cb 100644
--- a/nixpkgs/nixos/tests/containers-imperative.nix
+++ b/nixpkgs/nixos/tests/containers-imperative.nix
@@ -1,6 +1,6 @@
# Test for NixOS' container support.
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "containers-imperative";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ aristid aszlig eelco kampfschlaefer ];
@@ -36,95 +36,99 @@ import ./make-test.nix ({ pkgs, ...} : {
};
testScript = let
- tmpfilesContainerConfig = pkgs.writeText "container-config-tmpfiles" ''
- {
- systemd.tmpfiles.rules = [ "d /foo - - - - -" ];
- systemd.services.foo = {
- serviceConfig.Type = "oneshot";
- script = "ls -al /foo";
- wantedBy = [ "multi-user.target" ];
- };
- }
- ''; in
- ''
- # Make sure we have a NixOS tree (required by ‘nixos-container create’).
- $machine->succeed("PAGER=cat nix-env -qa -A nixos.hello >&2");
-
- # Create some containers imperatively.
- my $id1 = $machine->succeed("nixos-container create foo --ensure-unique-name");
- chomp $id1;
- $machine->log("created container $id1");
-
- my $id2 = $machine->succeed("nixos-container create foo --ensure-unique-name");
- chomp $id2;
- $machine->log("created container $id2");
-
- die if $id1 eq $id2;
-
- # Put the root of $id2 into a bind mount.
- $machine->succeed(
- "mv /var/lib/containers/$id2 /id2-bindmount",
- "mount --bind /id2-bindmount /var/lib/containers/$id1"
- );
-
- my $ip1 = $machine->succeed("nixos-container show-ip $id1");
- chomp $ip1;
- my $ip2 = $machine->succeed("nixos-container show-ip $id2");
- chomp $ip2;
- die if $ip1 eq $ip2;
-
- # Create a directory and a file we can later check if it still exists
- # after destruction of the container.
- $machine->succeed(
- "mkdir /nested-bindmount",
- "echo important data > /nested-bindmount/dummy",
- );
-
- # Create a directory with a dummy file and bind-mount it into both
- # containers.
- foreach ($id1, $id2) {
- my $importantPath = "/var/lib/containers/$_/very/important/data";
- $machine->succeed(
- "mkdir -p $importantPath",
- "mount --bind /nested-bindmount $importantPath"
- );
- }
-
- # Start one of them.
- $machine->succeed("nixos-container start $id1");
-
- # Execute commands via the root shell.
- $machine->succeed("nixos-container run $id1 -- uname") =~ /Linux/ or die;
-
- # Execute a nix command via the root shell. (regression test for #40355)
- $machine->succeed("nixos-container run $id1 -- nix-instantiate -E 'derivation { name = \"empty\"; builder = \"false\"; system = \"false\"; }'");
-
- # Stop and start (regression test for #4989)
- $machine->succeed("nixos-container stop $id1");
- $machine->succeed("nixos-container start $id1");
-
- # Ensure tmpfiles are present
- $machine->log("creating container tmpfiles");
- $machine->succeed("nixos-container create tmpfiles --config-file ${tmpfilesContainerConfig}");
- $machine->log("created, starting…");
- $machine->succeed("nixos-container start tmpfiles");
- $machine->log("done starting, investigating…");
- $machine->succeed("echo \$(nixos-container run tmpfiles -- systemctl is-active foo.service) | grep -q active;");
- $machine->succeed("nixos-container destroy tmpfiles");
-
- # Execute commands via the root shell.
- $machine->succeed("nixos-container run $id1 -- uname") =~ /Linux/ or die;
-
- # Destroy the containers.
- $machine->succeed("nixos-container destroy $id1");
- $machine->succeed("nixos-container destroy $id2");
-
- $machine->succeed(
- # Check whether destruction of any container has killed important data
- "grep -qF 'important data' /nested-bindmount/dummy",
- # Ensure that the container path is gone
- "test ! -e /var/lib/containers/$id1"
- );
+ tmpfilesContainerConfig = pkgs.writeText "container-config-tmpfiles" ''
+ {
+ systemd.tmpfiles.rules = [ "d /foo - - - - -" ];
+ systemd.services.foo = {
+ serviceConfig.Type = "oneshot";
+ script = "ls -al /foo";
+ wantedBy = [ "multi-user.target" ];
+ };
+ }
+ '';
+ in ''
+ with subtest("Make sure we have a NixOS tree (required by ‘nixos-container create’)"):
+ machine.succeed("PAGER=cat nix-env -qa -A nixos.hello >&2")
+
+ id1, id2 = None, None
+
+ with subtest("Create some containers imperatively"):
+ id1 = machine.succeed("nixos-container create foo --ensure-unique-name").rstrip()
+ machine.log(f"created container {id1}")
+
+ id2 = machine.succeed("nixos-container create foo --ensure-unique-name").rstrip()
+ machine.log(f"created container {id2}")
+
+ assert id1 != id2
+
+ with subtest(f"Put the root of {id2} into a bind mount"):
+ machine.succeed(
+ f"mv /var/lib/containers/{id2} /id2-bindmount",
+ f"mount --bind /id2-bindmount /var/lib/containers/{id1}",
+ )
+
+ ip1 = machine.succeed(f"nixos-container show-ip {id1}").rstrip()
+ ip2 = machine.succeed(f"nixos-container show-ip {id2}").rstrip()
+ assert ip1 != ip2
+
+ with subtest(
+ "Create a directory and a file we can later check if it still exists "
+ + "after destruction of the container"
+ ):
+ machine.succeed("mkdir /nested-bindmount")
+ machine.succeed("echo important data > /nested-bindmount/dummy")
+
+ with subtest(
+ "Create a directory with a dummy file and bind-mount it into both containers."
+ ):
+ for id in id1, id2:
+ important_path = f"/var/lib/containers/{id}/very/important/data"
+ machine.succeed(
+ f"mkdir -p {important_path}",
+ f"mount --bind /nested-bindmount {important_path}",
+ )
+
+ with subtest("Start one of them"):
+ machine.succeed(f"nixos-container start {id1}")
+
+ with subtest("Execute commands via the root shell"):
+ assert "Linux" in machine.succeed(f"nixos-container run {id1} -- uname")
+
+ with subtest("Execute a nix command via the root shell. (regression test for #40355)"):
+ machine.succeed(
+ f"nixos-container run {id1} -- nix-instantiate -E "
+ + '\'derivation { name = "empty"; builder = "false"; system = "false"; }\' '
+ )
+
+ with subtest("Stop and start (regression test for #4989)"):
+ machine.succeed(f"nixos-container stop {id1}")
+ machine.succeed(f"nixos-container start {id1}")
+
+ with subtest("tmpfiles are present"):
+ machine.log("creating container tmpfiles")
+ machine.succeed(
+ "nixos-container create tmpfiles --config-file ${tmpfilesContainerConfig}"
+ )
+ machine.log("created, starting…")
+ machine.succeed("nixos-container start tmpfiles")
+ machine.log("done starting, investigating…")
+ machine.succeed(
+ "echo $(nixos-container run tmpfiles -- systemctl is-active foo.service) | grep -q active;"
+ )
+ machine.succeed("nixos-container destroy tmpfiles")
+
+ with subtest("Execute commands via the root shell"):
+ assert "Linux" in machine.succeed(f"nixos-container run {id1} -- uname")
+
+ with subtest("Destroy the containers"):
+ for id in id1, id2:
+ machine.succeed(f"nixos-container destroy {id}")
+
+ with subtest("Check whether destruction of any container has killed important data"):
+ machine.succeed("grep -qF 'important data' /nested-bindmount/dummy")
+
+ with subtest("Ensure that the container path is gone"):
+ print(machine.succeed("ls -lsa /var/lib/containers"))
+ machine.succeed(f"test ! -e /var/lib/containers/{id1}")
'';
-
})
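Review bot: The subtest titled `Put the root of {id2} into a bind mount` moves `/var/lib/containers/{id2}` to `/id2-bindmount` but then binds it over `/var/lib/containers/{id1}`, so the title and the mount target disagree. The line is carried over unchanged from the Perl script and may be deliberate; if so, a one-line comment saying why the target is id1's directory would record that, and if not the target should be `{id2}`. The final subtest also checks only `{id1}` for removal although both containers are destroyed, and it keeps a `print(machine.succeed("ls -lsa /var/lib/containers"))` that reads like leftover debugging output.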
diff --git a/nixpkgs/nixos/tests/containers-ip.nix b/nixpkgs/nixos/tests/containers-ip.nix
new file mode 100644
index 00000000000..8583a08c625
--- /dev/null
+++ b/nixpkgs/nixos/tests/containers-ip.nix
@@ -0,0 +1,77 @@
+# Test for NixOS' container support.
+
+let
+ webserverFor = hostAddress: localAddress: {
+ inherit hostAddress localAddress;
+ privateNetwork = true;
+ config = {
+ services.httpd = {
+ enable = true;
+ adminAddr = "foo@example.org";
+ };
+ networking.firewall.allowedTCPPorts = [ 80 ];
+ };
+ };
+
+in import ./make-test-python.nix ({ pkgs, ...} : {
+ name = "containers-ipv4-ipv6";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ aristid aszlig eelco kampfschlaefer ];
+ };
+
+ machine =
+ { pkgs, ... }: {
+ imports = [ ../modules/installer/cd-dvd/channel.nix ];
+ virtualisation = {
+ writableStore = true;
+ memorySize = 768;
+ };
+
+ containers.webserver4 = webserverFor "10.231.136.1" "10.231.136.2";
+ containers.webserver6 = webserverFor "fc00::2" "fc00::1";
+ virtualisation.pathsInNixDB = [ pkgs.stdenv ];
+ };
+
+ testScript = { nodes, ... }: ''
+ import time
+
+
+ def curl_host(ip):
+ # put [] around ipv6 addresses for curl
+ host = ip if ":" not in ip else f"[{ip}]"
+ return f"curl --fail --connect-timeout 2 http://{host}/ > /dev/null"
+
+
+ def get_ip(container):
+ # need to distinguish because show-ip won't work for ipv6
+ if container == "webserver4":
+ ip = machine.succeed(f"nixos-container show-ip {container}").rstrip()
+ assert ip == "${nodes.machine.config.containers.webserver4.localAddress}"
+ return ip
+ return "${nodes.machine.config.containers.webserver6.localAddress}"
+
+
+ for container in "webserver4", "webserver6":
+ assert container in machine.succeed("nixos-container list")
+
+ with subtest(f"Start container {container}"):
+ machine.succeed(f"nixos-container start {container}")
+ # wait 2s for container to start and network to be up
+ time.sleep(2)
+
+ # Since "start" returns after the container has reached
+ # multi-user.target, we should now be able to access it.
+
+ ip = get_ip(container)
+ with subtest(f"{container} reacts to pings and HTTP requests"):
+ machine.succeed(f"ping -n -c1 {ip}")
+ machine.succeed(curl_host(ip))
+
+ with subtest(f"Stop container {container}"):
+ machine.succeed(f"nixos-container stop {container}")
+ machine.fail(curl_host(ip))
+
+ # Destroying a declarative container should fail.
+ machine.fail(f"nixos-container destroy {container}")
+ '';
+})
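Review bot: Both containers go through `webserverFor`, which sets only `hostAddress` and `localAddress`, so `webserver6` passes `fc00::2` and `fc00::1` through those options, while the containers-ipv6.nix test removed in this commit set `hostAddress6` and `localAddress6`. Unless the container module treats the two pairs alike, the IPv6-specific options lose their test coverage. Letting the helper take an attribute set of addresses keeps one merged test and still exercises both pairs; `get_ip` then has to read `localAddress6` for the second container. Separately, the fixed `time.sleep(2)` could become a `wait_until_succeeds` on the ping so the test does not depend on timing.

```nix
  webserverFor = addresses: addresses // {
    privateNetwork = true;
    # … unchanged: config with httpd and the firewall port …
  };

  # … unchanged: test name, meta, imports and virtualisation settings …
    containers.webserver4 = webserverFor {
      hostAddress = "10.231.136.1";
      localAddress = "10.231.136.2";
    };
    containers.webserver6 = webserverFor {
      hostAddress6 = "fc00::2";
      localAddress6 = "fc00::1";
    };

  # … unchanged: testScript up to the last line of get_ip …
      return "${nodes.machine.config.containers.webserver6.localAddress6}"
```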
diff --git a/nixpkgs/nixos/tests/containers-ipv4.nix b/nixpkgs/nixos/tests/containers-ipv4.nix
deleted file mode 100644
index ace68ff2df8..00000000000
--- a/nixpkgs/nixos/tests/containers-ipv4.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-# Test for NixOS' container support.
-
-import ./make-test.nix ({ pkgs, ...} : {
- name = "containers-ipv4";
- meta = with pkgs.stdenv.lib.maintainers; {
- maintainers = [ aristid aszlig eelco kampfschlaefer ];
- };
-
- machine =
- { pkgs, ... }:
- { imports = [ ../modules/installer/cd-dvd/channel.nix ];
- virtualisation.writableStore = true;
- virtualisation.memorySize = 768;
-
- containers.webserver =
- { privateNetwork = true;
- hostAddress = "10.231.136.1";
- localAddress = "10.231.136.2";
- config =
- { services.httpd.enable = true;
- services.httpd.adminAddr = "foo@example.org";
- networking.firewall.allowedTCPPorts = [ 80 ];
- system.stateVersion = "18.03";
- };
- };
-
- virtualisation.pathsInNixDB = [ pkgs.stdenv ];
- };
-
- testScript =
- ''
- $machine->succeed("nixos-container list") =~ /webserver/ or die;
-
- # Start the webserver container.
- $machine->succeed("nixos-container start webserver");
-
- # wait two seconds for the container to start and the network to be up
- sleep 2;
-
- # Since "start" returns after the container has reached
- # multi-user.target, we should now be able to access it.
- my $ip = $machine->succeed("nixos-container show-ip webserver");
- chomp $ip;
- $machine->succeed("ping -n -c1 $ip");
- $machine->succeed("curl --fail http://$ip/ > /dev/null");
-
- # Stop the container.
- $machine->succeed("nixos-container stop webserver");
- $machine->fail("curl --fail --connect-timeout 2 http://$ip/ > /dev/null");
-
- # Destroying a declarative container should fail.
- $machine->fail("nixos-container destroy webserver");
- '';
-
-})
diff --git a/nixpkgs/nixos/tests/containers-ipv6.nix b/nixpkgs/nixos/tests/containers-ipv6.nix
deleted file mode 100644
index a9499d192bd..00000000000
--- a/nixpkgs/nixos/tests/containers-ipv6.nix
+++ /dev/null
@@ -1,60 +0,0 @@
-# Test for NixOS' container support.
-
-let
- hostIp = "fc00::2";
- localIp = "fc00::1";
-in
-
-import ./make-test.nix ({ pkgs, ...} : {
- name = "containers-ipv6";
- meta = with pkgs.stdenv.lib.maintainers; {
- maintainers = [ aristid aszlig eelco kampfschlaefer ];
- };
-
- machine =
- { pkgs, ... }:
- { imports = [ ../modules/installer/cd-dvd/channel.nix ];
- virtualisation.writableStore = true;
- virtualisation.memorySize = 768;
-
- containers.webserver =
- { privateNetwork = true;
- hostAddress6 = hostIp;
- localAddress6 = localIp;
- config =
- { services.httpd.enable = true;
- services.httpd.adminAddr = "foo@example.org";
- networking.firewall.allowedTCPPorts = [ 80 ];
- };
- };
-
- virtualisation.pathsInNixDB = [ pkgs.stdenv ];
- };
-
- testScript =
- ''
- $machine->waitForUnit("default.target");
- $machine->succeed("nixos-container list") =~ /webserver/ or die;
-
- # Start the webserver container.
- $machine->succeed("nixos-container start webserver");
-
- # wait two seconds for the container to start and the network to be up
- sleep 2;
-
- # Since "start" returns after the container has reached
- # multi-user.target, we should now be able to access it.
- my $ip = "${localIp}";
- chomp $ip;
- $machine->succeed("ping -n -c 1 $ip");
- $machine->succeed("curl --fail http://[$ip]/ > /dev/null");
-
- # Stop the container.
- $machine->succeed("nixos-container stop webserver");
- $machine->fail("curl --fail --connect-timeout 2 http://[$ip]/ > /dev/null");
-
- # Destroying a declarative container should fail.
- $machine->fail("nixos-container destroy webserver");
- '';
-
-})
diff --git a/nixpkgs/nixos/tests/containers-reloadable.nix b/nixpkgs/nixos/tests/containers-reloadable.nix
index f41dea91b1e..35aff91e85b 100644
--- a/nixpkgs/nixos/tests/containers-reloadable.nix
+++ b/nixpkgs/nixos/tests/containers-reloadable.nix
@@ -1,7 +1,7 @@
-import ./make-test.nix ({ pkgs, lib, ...} :
+import ./make-test-python.nix ({ pkgs, lib, ...} :
let
client_base = {
-
+
containers.test1 = {
autoStart = true;
config = {
@@ -48,18 +48,25 @@ in {
c1System = nodes.client_c1.config.system.build.toplevel;
c2System = nodes.client_c2.config.system.build.toplevel;
in ''
- $client->start();
- $client->waitForUnit("default.target");
- $client->succeed("[[ \$(nixos-container run test1 cat /etc/check) == client_base ]] >&2");
+ client.start()
+ client.wait_for_unit("default.target")
+
+ assert "client_base" in client.succeed("nixos-container run test1 cat /etc/check")
- $client->succeed("${c1System}/bin/switch-to-configuration test >&2");
- $client->succeed("[[ \$(nixos-container run test1 cat /etc/check) == client_c1 ]] >&2");
- $client->succeed("systemctl status httpd -M test1 >&2");
+ with subtest("httpd is available after activating config1"):
+ client.succeed(
+ "${c1System}/bin/switch-to-configuration test >&2",
+ "[[ $(nixos-container run test1 cat /etc/check) == client_c1 ]] >&2",
+ "systemctl status httpd -M test1 >&2",
+ )
- $client->succeed("${c2System}/bin/switch-to-configuration test >&2");
- $client->succeed("[[ \$(nixos-container run test1 cat /etc/check) == client_c2 ]] >&2");
- $client->fail("systemctl status httpd -M test1 >&2");
- $client->succeed("systemctl status nginx -M test1 >&2");
+ with subtest("httpd is not available any longer after switching to config2"):
+ client.succeed(
+ "${c2System}/bin/switch-to-configuration test >&2",
+ "[[ $(nixos-container run test1 cat /etc/check) == client_c2 ]] >&2",
+ "systemctl status nginx -M test1 >&2",
+ )
+ client.fail("systemctl status httpd -M test1 >&2")
'';
})
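Review bot: The first check was an exact comparison in the Perl script and is now the substring test `assert "client_base" in client.succeed(...)`, which would also accept a file that merely contains that text, while the two later checks keep the exact `[[ $(...) == client_c1 ]]` form. Comparing the stripped output keeps it exact: `assert client.succeed("nixos-container run test1 cat /etc/check").strip() == "client_base"`. The `let` block that defines `c1System` and `c2System` starts outside this hunk.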
diff --git a/nixpkgs/nixos/tests/containers-tmpfs.nix b/nixpkgs/nixos/tests/containers-tmpfs.nix
index e29fe6bbf03..171e8f01c7b 100644
--- a/nixpkgs/nixos/tests/containers-tmpfs.nix
+++ b/nixpkgs/nixos/tests/containers-tmpfs.nix
@@ -1,6 +1,6 @@
# Test for NixOS' container support.
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "containers-tmpfs";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ kampka ];
@@ -31,49 +31,63 @@ import ./make-test.nix ({ pkgs, ...} : {
virtualisation.pathsInNixDB = [ pkgs.stdenv ];
};
- testScript =
- ''
- $machine->waitForUnit("default.target");
- $machine->succeed("nixos-container list") =~ /tmpfs/ or die;
-
- # Start the tmpfs container.
- #$machine->succeed("nixos-container status tmpfs") =~ /up/ or die;
-
- # Verify that /var is mounted as a tmpfs
- #$machine->succeed("nixos-container run tmpfs -- systemctl status var.mount --no-pager 2>/dev/null") =~ /What: tmpfs/ or die;
- $machine->succeed("nixos-container run tmpfs -- mountpoint -q /var 2>/dev/null");
-
- # Verify that /var/log is mounted as a tmpfs
- $machine->succeed("nixos-container run tmpfs -- systemctl status var-log.mount --no-pager 2>/dev/null") =~ /What: tmpfs/ or die;
- $machine->succeed("nixos-container run tmpfs -- mountpoint -q /var/log 2>/dev/null");
-
- # Verify that /some/random/path is mounted as a tmpfs
- $machine->succeed("nixos-container run tmpfs -- systemctl status some-random-path.mount --no-pager 2>/dev/null") =~ /What: tmpfs/ or die;
- $machine->succeed("nixos-container run tmpfs -- mountpoint -q /some/random/path 2>/dev/null");
-
- # Verify that files created in the container in a non-tmpfs directory are visible on the host.
- # This establishes legitimacy for the following tests
- $machine->succeed("nixos-container run tmpfs -- touch /root/test.file 2>/dev/null");
- $machine->succeed("nixos-container run tmpfs -- ls -l /root | grep -q test.file 2>/dev/null");
- $machine->succeed("test -e /var/lib/containers/tmpfs/root/test.file");
-
-
- # Verify that /some/random/path is writable and that files created there
- # are not in the hosts container dir but in the tmpfs
- $machine->succeed("nixos-container run tmpfs -- touch /some/random/path/test.file 2>/dev/null");
- $machine->succeed("nixos-container run tmpfs -- test -e /some/random/path/test.file 2>/dev/null");
-
- $machine->fail("test -e /var/lib/containers/tmpfs/some/random/path/test.file");
-
- # Verify that files created in the hosts container dir in a path where a tmpfs file system has been mounted
- # are not visible to the container as the do not exist in the tmpfs
- $machine->succeed("touch /var/lib/containers/tmpfs/var/test.file");
-
- $machine->succeed("test -e /var/lib/containers/tmpfs/var/test.file");
- $machine->succeed("ls -l /var/lib/containers/tmpfs/var/ | grep -q test.file 2>/dev/null");
-
- $machine->fail("nixos-container run tmpfs -- ls -l /var | grep -q test.file 2>/dev/null");
-
+ testScript = ''
+ machine.wait_for_unit("default.target")
+ assert "tmpfs" in machine.succeed("nixos-container list")
+
+ with subtest("tmpfs container is up"):
+ assert "up" in machine.succeed("nixos-container status tmpfs")
+
+
+ def tmpfs_cmd(command):
+ return f"nixos-container run tmpfs -- {command} 2>/dev/null"
+
+
+ with subtest("/var is mounted as a tmpfs"):
+ machine.succeed(tmpfs_cmd("mountpoint -q /var"))
+
+ with subtest("/var/log is mounted as a tmpfs"):
+ assert "What: tmpfs" in machine.succeed(
+ tmpfs_cmd("systemctl status var-log.mount --no-pager")
+ )
+ machine.succeed(tmpfs_cmd("mountpoint -q /var/log"))
+
+ with subtest("/some/random/path is mounted as a tmpfs"):
+ assert "What: tmpfs" in machine.succeed(
+ tmpfs_cmd("systemctl status some-random-path.mount --no-pager")
+ )
+ machine.succeed(tmpfs_cmd("mountpoint -q /some/random/path"))
+
+ with subtest(
+ "files created in the container in a non-tmpfs directory are visible on the host."
+ ):
+ # This establishes legitimacy for the following tests
+ machine.succeed(
+ tmpfs_cmd("touch /root/test.file"),
+ tmpfs_cmd("ls -l /root | grep -q test.file"),
+ "test -e /var/lib/containers/tmpfs/root/test.file",
+ )
+
+ with subtest(
+ "/some/random/path is writable and that files created there are not "
+ + "in the hosts container dir but in the tmpfs"
+ ):
+ machine.succeed(
+ tmpfs_cmd("touch /some/random/path/test.file"),
+ tmpfs_cmd("test -e /some/random/path/test.file"),
+ )
+ machine.fail("test -e /var/lib/containers/tmpfs/some/random/path/test.file")
+
+ with subtest(
+ "files created in the hosts container dir in a path where a tmpfs "
+ + "file system has been mounted are not visible to the container as "
+ + "the do not exist in the tmpfs"
+ ):
+ machine.succeed(
+ "touch /var/lib/containers/tmpfs/var/test.file",
+ "test -e /var/lib/containers/tmpfs/var/test.file",
+ "ls -l /var/lib/containers/tmpfs/var/ | grep -q test.file 2>/dev/null",
+ )
+ machine.fail(tmpfs_cmd("ls -l /var | grep -q test.file"))
'';
-
})
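Review bot: The last check, `machine.fail(tmpfs_cmd("ls -l /var | grep -q test.file"))`, succeeds whenever the pipeline exits non-zero, which includes `nixos-container run` itself failing, so the host/container separation it is meant to demonstrate can pass vacuously. A positive form requires the container command to actually run: `machine.succeed(tmpfs_cmd("test ! -e /var/test.file"))`. A pipe inside the `tmpfs_cmd` argument is also split by the host shell, so `grep` and the trailing `2>/dev/null` apply on the host side rather than inside the container; a short comment on the helper saying so would prevent misreading.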
diff --git a/nixpkgs/nixos/tests/couchdb.nix b/nixpkgs/nixos/tests/couchdb.nix
index 48ea48eebbb..10e95701acd 100644
--- a/nixpkgs/nixos/tests/couchdb.nix
+++ b/nixpkgs/nixos/tests/couchdb.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, lib, ...}:
+import ./make-test-python.nix ({ pkgs, lib, ...}:
with lib;
@@ -35,22 +35,42 @@ with lib;
fi
'';
in ''
- startAll;
-
- $couchdb1->waitForUnit("couchdb.service");
- $couchdb1->waitUntilSucceeds("${curlJqCheck "GET" "" ".couchdb" "Welcome"}");
- $couchdb1->waitUntilSucceeds("${curlJqCheck "GET" "_all_dbs" ". | length" "2"}");
- $couchdb1->succeed("${curlJqCheck "PUT" "foo" ".ok" "true"}");
- $couchdb1->succeed("${curlJqCheck "GET" "_all_dbs" ". | length" "3"}");
- $couchdb1->succeed("${curlJqCheck "DELETE" "foo" ".ok" "true"}");
- $couchdb1->succeed("${curlJqCheck "GET" "_all_dbs" ". | length" "2"}");
-
- $couchdb2->waitForUnit("couchdb.service");
- $couchdb2->waitUntilSucceeds("${curlJqCheck "GET" "" ".couchdb" "Welcome"}");
- $couchdb2->waitUntilSucceeds("${curlJqCheck "GET" "_all_dbs" ". | length" "0"}");
- $couchdb2->succeed("${curlJqCheck "PUT" "foo" ".ok" "true"}");
- $couchdb2->succeed("${curlJqCheck "GET" "_all_dbs" ". | length" "1"}");
- $couchdb2->succeed("${curlJqCheck "DELETE" "foo" ".ok" "true"}");
- $couchdb2->succeed("${curlJqCheck "GET" "_all_dbs" ". | length" "0"}");
+ start_all()
+
+ couchdb1.wait_for_unit("couchdb.service")
+ couchdb1.wait_until_succeeds(
+ "${curlJqCheck "GET" "" ".couchdb" "Welcome"}"
+ )
+ couchdb1.wait_until_succeeds(
+ "${curlJqCheck "GET" "_all_dbs" ". | length" "2"}"
+ )
+ couchdb1.succeed("${curlJqCheck "PUT" "foo" ".ok" "true"}")
+ couchdb1.succeed(
+ "${curlJqCheck "GET" "_all_dbs" ". | length" "3"}"
+ )
+ couchdb1.succeed(
+ "${curlJqCheck "DELETE" "foo" ".ok" "true"}"
+ )
+ couchdb1.succeed(
+ "${curlJqCheck "GET" "_all_dbs" ". | length" "2"}"
+ )
+
+ couchdb2.wait_for_unit("couchdb.service")
+ couchdb2.wait_until_succeeds(
+ "${curlJqCheck "GET" "" ".couchdb" "Welcome"}"
+ )
+ couchdb2.wait_until_succeeds(
+ "${curlJqCheck "GET" "_all_dbs" ". | length" "0"}"
+ )
+ couchdb2.succeed("${curlJqCheck "PUT" "foo" ".ok" "true"}")
+ couchdb2.succeed(
+ "${curlJqCheck "GET" "_all_dbs" ". | length" "1"}"
+ )
+ couchdb2.succeed(
+ "${curlJqCheck "DELETE" "foo" ".ok" "true"}"
+ )
+ couchdb2.succeed(
+ "${curlJqCheck "GET" "_all_dbs" ". | length" "0"}"
+ )
'';
})
diff --git a/nixpkgs/nixos/tests/deluge.nix b/nixpkgs/nixos/tests/deluge.nix
index b58030409b5..37689c3d913 100644
--- a/nixpkgs/nixos/tests/deluge.nix
+++ b/nixpkgs/nixos/tests/deluge.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "deluge";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ flokli ];
@@ -45,18 +45,20 @@ import ./make-test.nix ({ pkgs, ...} : {
};
testScript = ''
- startAll;
+ start_all()
- $simple->waitForUnit("deluged");
- $simple->waitForUnit("delugeweb");
- $simple->waitForOpenPort("8112");
- $declarative->waitForUnit("network.target");
- $declarative->waitUntilSucceeds("curl --fail http://simple:8112");
+ simple.wait_for_unit("deluged")
+ simple.wait_for_unit("delugeweb")
+ simple.wait_for_open_port("8112")
+ declarative.wait_for_unit("network.target")
+ declarative.wait_until_succeeds("curl --fail http://simple:8112")
- $declarative->waitForUnit("deluged");
- $declarative->waitForUnit("delugeweb");
- $declarative->waitUntilSucceeds("curl --fail http://declarative:3142");
- $declarative->succeed("deluge-console 'help' | grep -q 'rm - Remove a torrent'");
- $declarative->succeed("deluge-console 'connect 127.0.0.1:58846 andrew password; help' | grep -q 'rm - Remove a torrent'");
+ declarative.wait_for_unit("deluged")
+ declarative.wait_for_unit("delugeweb")
+ declarative.wait_until_succeeds("curl --fail http://declarative:3142")
+ declarative.succeed("deluge-console 'help' | grep -q 'rm - Remove a torrent'")
+ declarative.succeed(
+ "deluge-console 'connect 127.0.0.1:58846 andrew password; help' | grep -q 'rm - Remove a torrent'"
+ )
'';
})
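Review bot: `simple.wait_for_open_port("8112")` still passes the port as a string, a leftover from the Perl call. It works as long as the driver only interpolates the value into a shell command, but an integer states the type the method presumably expects: `simple.wait_for_open_port(8112)`.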
diff --git a/nixpkgs/nixos/tests/dnscrypt-proxy.nix b/nixpkgs/nixos/tests/dnscrypt-proxy.nix
index 13bc9d3d916..98153d5c904 100644
--- a/nixpkgs/nixos/tests/dnscrypt-proxy.nix
+++ b/nixpkgs/nixos/tests/dnscrypt-proxy.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }: {
+import ./make-test-python.nix ({ pkgs, ... }: {
name = "dnscrypt-proxy";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ joachifm ];
@@ -23,11 +23,13 @@ import ./make-test.nix ({ pkgs, ... }: {
};
testScript = ''
- $client->waitForUnit("dnsmasq");
+ client.wait_for_unit("dnsmasq")
# The daemon is socket activated; sending a single ping should activate it.
- $client->fail("systemctl is-active dnscrypt-proxy");
- $client->execute("${pkgs.iputils}/bin/ping -c1 example.com");
- $client->waitUntilSucceeds("systemctl is-active dnscrypt-proxy");
+ client.fail("systemctl is-active dnscrypt-proxy")
+ client.execute(
+ "${pkgs.iputils}/bin/ping -c1 example.com"
+ )
+ client.wait_until_succeeds("systemctl is-active dnscrypt-proxy")
'';
})
diff --git a/nixpkgs/nixos/tests/docker-edge.nix b/nixpkgs/nixos/tests/docker-edge.nix
index b306c149be9..96de885a554 100644
--- a/nixpkgs/nixos/tests/docker-edge.nix
+++ b/nixpkgs/nixos/tests/docker-edge.nix
@@ -1,6 +1,6 @@
# This test runs docker and checks if simple container starts
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "docker";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ nequissimus offline ];
@@ -31,17 +31,19 @@ import ./make-test.nix ({ pkgs, ...} : {
};
testScript = ''
- startAll;
+ start_all()
- $docker->waitForUnit("sockets.target");
- $docker->succeed("tar cv --files-from /dev/null | docker import - scratchimg");
- $docker->succeed("docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10");
- $docker->succeed("docker ps | grep sleeping");
- $docker->succeed("sudo -u hasprivs docker ps");
- $docker->fail("sudo -u noprivs docker ps");
- $docker->succeed("docker stop sleeping");
+ docker.wait_for_unit("sockets.target")
+ docker.succeed("tar cv --files-from /dev/null | docker import - scratchimg")
+ docker.succeed(
+ "docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
+ )
+ docker.succeed("docker ps | grep sleeping")
+ docker.succeed("sudo -u hasprivs docker ps")
+ docker.fail("sudo -u noprivs docker ps")
+ docker.succeed("docker stop sleeping")
# Must match version twice to ensure client and server versions are correct
- $docker->succeed('[ $(docker version | grep ${pkgs.docker-edge.version} | wc -l) = "2" ]');
+ docker.succeed('[ $(docker version | grep ${pkgs.docker-edge.version} | wc -l) = "2" ]')
'';
})
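Review bot: The version check `grep ${pkgs.docker-edge.version}` is unquoted and treats the dots in the version as regex wildcards, so it can count lines that only resemble the version. `docker.succeed('[ "$(docker version | grep -cF "${pkgs.docker-edge.version}")" = "2" ]')` matches the literal string and makes the `wc -l` unnecessary. The same line appears in the docker.nix hunk further down with `pkgs.docker.version`.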
diff --git a/nixpkgs/nixos/tests/docker-registry.nix b/nixpkgs/nixos/tests/docker-registry.nix
index 8936421072a..2928fd8141a 100644
--- a/nixpkgs/nixos/tests/docker-registry.nix
+++ b/nixpkgs/nixos/tests/docker-registry.nix
@@ -1,6 +1,6 @@
# This test runs docker-registry and check if it works
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "docker-registry";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ globin ma27 ironpinguin ];
@@ -28,36 +28,34 @@ import ./make-test.nix ({ pkgs, ...} : {
};
testScript = ''
- $client1->start();
- $client1->waitForUnit("docker.service");
- $client1->succeed("tar cv --files-from /dev/null | docker import - scratch");
- $client1->succeed("docker tag scratch registry:8080/scratch");
-
- $registry->start();
- $registry->waitForUnit("docker-registry.service");
- $registry->waitForOpenPort("8080");
- $client1->succeed("docker push registry:8080/scratch");
-
- $client2->start();
- $client2->waitForUnit("docker.service");
- $client2->succeed("docker pull registry:8080/scratch");
- $client2->succeed("docker images | grep scratch");
-
- $client2->succeed(
- 'curl -fsS -X DELETE registry:8080/v2/scratch/manifests/$(curl -fsS -I -H"Accept: application/vnd.docker.distribution.manifest.v2+json" registry:8080/v2/scratch/manifests/latest | grep Docker-Content-Digest | sed -e \'s/Docker-Content-Digest: //\' | tr -d \'\r\')'
- );
-
- $registry->systemctl("start docker-registry-garbage-collect.service");
- $registry->waitUntilFails("systemctl status docker-registry-garbage-collect.service");
- $registry->waitForUnit("docker-registry.service");
-
- $registry->fail(
- 'ls -l /var/lib/docker-registry/docker/registry/v2/blobs/sha256/*/*/data'
- );
-
- $client1->succeed("docker push registry:8080/scratch");
- $registry->succeed(
- 'ls -l /var/lib/docker-registry/docker/registry/v2/blobs/sha256/*/*/data'
- );
+ client1.start()
+ client1.wait_for_unit("docker.service")
+ client1.succeed("tar cv --files-from /dev/null | docker import - scratch")
+ client1.succeed("docker tag scratch registry:8080/scratch")
+
+ registry.start()
+ registry.wait_for_unit("docker-registry.service")
+ registry.wait_for_open_port("8080")
+ client1.succeed("docker push registry:8080/scratch")
+
+ client2.start()
+ client2.wait_for_unit("docker.service")
+ client2.succeed("docker pull registry:8080/scratch")
+ client2.succeed("docker images | grep scratch")
+
+ client2.succeed(
+ "curl -fsS -X DELETE registry:8080/v2/scratch/manifests/$(curl -fsS -I -H\"Accept: application/vnd.docker.distribution.manifest.v2+json\" registry:8080/v2/scratch/manifests/latest | grep Docker-Content-Digest | sed -e 's/Docker-Content-Digest: //' | tr -d '\\r')"
+ )
+
+ registry.systemctl("start docker-registry-garbage-collect.service")
+ registry.wait_until_fails("systemctl status docker-registry-garbage-collect.service")
+ registry.wait_for_unit("docker-registry.service")
+
+ registry.fail("ls -l /var/lib/docker-registry/docker/registry/v2/blobs/sha256/*/*/data")
+
+ client1.succeed("docker push registry:8080/scratch")
+ registry.succeed(
+ "ls -l /var/lib/docker-registry/docker/registry/v2/blobs/sha256/*/*/data"
+ )
'';
})
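Review bot: `registry.wait_for_open_port("8080")` keeps the port as a string, while the gitea hunks in this same commit convert `'3000'` to the integer `3000`. Suggest `registry.wait_for_open_port(8080)` so the converted tests call the new driver consistently. Whether the driver accepts both forms is not visible from this hunk.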
diff --git a/nixpkgs/nixos/tests/docker.nix b/nixpkgs/nixos/tests/docker.nix
index d67b2f8743d..8fda7c1395e 100644
--- a/nixpkgs/nixos/tests/docker.nix
+++ b/nixpkgs/nixos/tests/docker.nix
@@ -1,6 +1,6 @@
# This test runs docker and checks if simple container starts
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "docker";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ nequissimus offline ];
@@ -31,17 +31,19 @@ import ./make-test.nix ({ pkgs, ...} : {
};
testScript = ''
- startAll;
+ start_all()
- $docker->waitForUnit("sockets.target");
- $docker->succeed("tar cv --files-from /dev/null | docker import - scratchimg");
- $docker->succeed("docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10");
- $docker->succeed("docker ps | grep sleeping");
- $docker->succeed("sudo -u hasprivs docker ps");
- $docker->fail("sudo -u noprivs docker ps");
- $docker->succeed("docker stop sleeping");
+ docker.wait_for_unit("sockets.target")
+ docker.succeed("tar cv --files-from /dev/null | docker import - scratchimg")
+ docker.succeed(
+ "docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
+ )
+ docker.succeed("docker ps | grep sleeping")
+ docker.succeed("sudo -u hasprivs docker ps")
+ docker.fail("sudo -u noprivs docker ps")
+ docker.succeed("docker stop sleeping")
# Must match version twice to ensure client and server versions are correct
- $docker->succeed('[ $(docker version | grep ${pkgs.docker.version} | wc -l) = "2" ]');
+ docker.succeed('[ $(docker version | grep ${pkgs.docker.version} | wc -l) = "2" ]')
'';
})
diff --git a/nixpkgs/nixos/tests/documize.nix b/nixpkgs/nixos/tests/documize.nix
index 8b852a4f779..3be20a780d3 100644
--- a/nixpkgs/nixos/tests/documize.nix
+++ b/nixpkgs/nixos/tests/documize.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, lib, ...} : {
+import ./make-test-python.nix ({ pkgs, lib, ...} : {
name = "documize";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ ma27 ];
@@ -29,30 +29,34 @@ import ./make-test.nix ({ pkgs, lib, ...} : {
};
testScript = ''
- startAll;
-
- $machine->waitForUnit("documize-server.service");
- $machine->waitForOpenPort(3000);
-
- my $dbhash = $machine->succeed("curl -f localhost:3000 "
- . " | grep 'property=\"dbhash' "
- . " | grep -Po 'content=\"\\K[^\"]*'"
- );
-
- chomp($dbhash);
-
- $machine->succeed("curl -X POST "
- . "--data 'dbname=documize' "
- . "--data 'dbhash=$dbhash' "
- . "--data 'title=NixOS' "
- . "--data 'message=Docs' "
- . "--data 'firstname=John' "
- . "--data 'lastname=Doe' "
- . "--data 'email=john.doe\@nixos.org' "
- . "--data 'password=verysafe' "
- . "-f localhost:3000/api/setup"
- );
-
- $machine->succeed('test "$(curl -f localhost:3000/api/public/meta | jq ".title" | xargs echo)" = "NixOS"');
+ start_all()
+
+ machine.wait_for_unit("documize-server.service")
+ machine.wait_for_open_port(3000)
+
+ dbhash = machine.succeed(
+ "curl -f localhost:3000 | grep 'property=\"dbhash' | grep -Po 'content=\"\\K[^\"]*'"
+ )
+
+ dbhash = dbhash.strip()
+
+ machine.succeed(
+ (
+ "curl -X POST"
+ " --data 'dbname=documize'"
+ " --data 'dbhash={}'"
+ " --data 'title=NixOS'"
+ " --data 'message=Docs'"
+ " --data 'firstname=John'"
+ " --data 'lastname=Doe'"
+ " --data 'email=john.doe@nixos.org'"
+ " --data 'password=verysafe'"
+ " -f localhost:3000/api/setup"
+ ).format(dbhash)
+ )
+
+ machine.succeed(
+ 'test "$(curl -f localhost:3000/api/public/meta | jq ".title" | xargs echo)" = "NixOS"'
+ )
'';
})
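Review bot: `dbhash` is scraped from the server's HTML and pasted between single quotes into the shell command by `.format(dbhash)`, so a value containing a quote or shell metacharacter would alter the command instead of just failing the request. Quoting it on the Python side keeps the scraped value as data: build that argument as `" --data " + shlex.quote("dbhash=" + dbhash)`, with `import shlex` at the top of the script. The rest of the `curl -X POST` argument list can stay as it is.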
diff --git a/nixpkgs/nixos/tests/dovecot.nix b/nixpkgs/nixos/tests/dovecot.nix
index 156079d1d58..c19850f418b 100644
--- a/nixpkgs/nixos/tests/dovecot.nix
+++ b/nixpkgs/nixos/tests/dovecot.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix {
+import ./make-test-python.nix {
name = "dovecot";
machine = { pkgs, ... }: {
@@ -66,12 +66,12 @@ import ./make-test.nix {
};
testScript = ''
- $machine->waitForUnit('postfix.service');
- $machine->waitForUnit('dovecot2.service');
- $machine->succeed('send-testmail');
- $machine->succeed('send-lda');
- $machine->waitUntilFails('[ "$(postqueue -p)" != "Mail queue is empty" ]');
- $machine->succeed('test-imap');
- $machine->succeed('test-pop');
+ machine.wait_for_unit("postfix.service")
+ machine.wait_for_unit("dovecot2.service")
+ machine.succeed("send-testmail")
+ machine.succeed("send-lda")
+ machine.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
+ machine.succeed("test-imap")
+ machine.succeed("test-pop")
'';
}
diff --git a/nixpkgs/nixos/tests/emacs-daemon.nix b/nixpkgs/nixos/tests/emacs-daemon.nix
index 3594e35e343..b89d9b1bde6 100644
--- a/nixpkgs/nixos/tests/emacs-daemon.nix
+++ b/nixpkgs/nixos/tests/emacs-daemon.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "emacs-daemon";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ ];
@@ -21,25 +21,28 @@ import ./make-test.nix ({ pkgs, ...} : {
environment.variables.TEST_SYSTEM_VARIABLE = "system variable";
};
- testScript =
- ''
- $machine->waitForUnit("multi-user.target");
+ testScript = ''
+ machine.wait_for_unit("multi-user.target")
# checks that the EDITOR environment variable is set
- $machine->succeed("test \$(basename \"\$EDITOR\") = emacseditor");
+ machine.succeed('test $(basename "$EDITOR") = emacseditor')
# waits for the emacs service to be ready
- $machine->waitUntilSucceeds("systemctl --user status emacs.service | grep 'Active: active'");
+ machine.wait_until_succeeds(
+ "systemctl --user status emacs.service | grep 'Active: active'"
+ )
# connects to the daemon
- $machine->succeed("emacsclient --create-frame \$EDITOR &");
+ machine.succeed("emacsclient --create-frame $EDITOR &")
# checks that Emacs shows the edited filename
- $machine->waitForText("emacseditor");
+ machine.wait_for_text("emacseditor")
# makes sure environment variables are accessible from Emacs
- $machine->succeed("emacsclient --eval '(getenv \"TEST_SYSTEM_VARIABLE\")'") =~ /system variable/ or die;
+ machine.succeed(
+ "emacsclient --eval '(getenv \"TEST_SYSTEM_VARIABLE\")' | grep -q 'system variable'"
+ )
- $machine->screenshot("emacsclient");
+ machine.screenshot("emacsclient")
'';
})
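Review bot: Piping `emacsclient --eval` into `grep -q` means `succeed` sees only grep's exit status, so a failing emacsclient is no longer detected on its own and the evaluated output disappears from the test log. The Perl version checked the command's status and then matched its output. Keeping the match in Python preserves both: `assert "system variable" in machine.succeed("emacsclient --eval '(getenv \"TEST_SYSTEM_VARIABLE\")'")`.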
diff --git a/nixpkgs/nixos/tests/etcd-cluster.nix b/nixpkgs/nixos/tests/etcd-cluster.nix
index 43fde7d5920..19c5d915823 100644
--- a/nixpkgs/nixos/tests/etcd-cluster.nix
+++ b/nixpkgs/nixos/tests/etcd-cluster.nix
@@ -1,6 +1,6 @@
# This test runs simple etcd cluster
-import ./make-test.nix ({ pkgs, ... } : let
+import ./make-test-python.nix ({ pkgs, ... } : let
runWithOpenSSL = file: cmd: pkgs.runCommand file {
buildInputs = [ pkgs.openssl ];
@@ -129,29 +129,26 @@ in {
};
testScript = ''
- subtest "should start etcd cluster", sub {
- $node1->start();
- $node2->start();
- $node1->waitForUnit("etcd.service");
- $node2->waitForUnit("etcd.service");
- $node2->waitUntilSucceeds("etcdctl cluster-health");
- $node1->succeed("etcdctl set /foo/bar 'Hello world'");
- $node2->succeed("etcdctl get /foo/bar | grep 'Hello world'");
- };
-
- subtest "should add another member", sub {
- $node1->waitUntilSucceeds("etcdctl member add node3 https://node3:2380");
- $node3->start();
- $node3->waitForUnit("etcd.service");
- $node3->waitUntilSucceeds("etcdctl member list | grep 'node3'");
- $node3->succeed("etcdctl cluster-health");
- };
-
- subtest "should survive member crash", sub {
- $node3->crash;
- $node1->succeed("etcdctl cluster-health");
- $node1->succeed("etcdctl set /foo/bar 'Hello degraded world'");
- $node1->succeed("etcdctl get /foo/bar | grep 'Hello degraded world'");
- };
+ with subtest("should start etcd cluster"):
+ node1.start()
+ node2.start()
+ node1.wait_for_unit("etcd.service")
+ node2.wait_for_unit("etcd.service")
+ node2.wait_until_succeeds("etcdctl cluster-health")
+ node1.succeed("etcdctl set /foo/bar 'Hello world'")
+ node2.succeed("etcdctl get /foo/bar | grep 'Hello world'")
+
+ with subtest("should add another member"):
+ node1.wait_until_succeeds("etcdctl member add node3 https://node3:2380")
+ node3.start()
+ node3.wait_for_unit("etcd.service")
+ node3.wait_until_succeeds("etcdctl member list | grep 'node3'")
+ node3.succeed("etcdctl cluster-health")
+
+ with subtest("should survive member crash"):
+ node3.crash()
+ node1.succeed("etcdctl cluster-health")
+ node1.succeed("etcdctl set /foo/bar 'Hello degraded world'")
+ node1.succeed("etcdctl get /foo/bar | grep 'Hello degraded world'")
'';
})
diff --git a/nixpkgs/nixos/tests/etcd.nix b/nixpkgs/nixos/tests/etcd.nix
index 6c23b31779b..84272434384 100644
--- a/nixpkgs/nixos/tests/etcd.nix
+++ b/nixpkgs/nixos/tests/etcd.nix
@@ -1,6 +1,6 @@
# This test runs simple etcd node
-import ./make-test.nix ({ pkgs, ... } : {
+import ./make-test-python.nix ({ pkgs, ... } : {
name = "etcd";
meta = with pkgs.stdenv.lib.maintainers; {
@@ -14,14 +14,12 @@ import ./make-test.nix ({ pkgs, ... } : {
};
testScript = ''
- subtest "should start etcd node", sub {
- $node->start();
- $node->waitForUnit("etcd.service");
- };
+ with subtest("should start etcd node"):
+ node.start()
+ node.wait_for_unit("etcd.service")
- subtest "should write and read some values to etcd", sub {
- $node->succeed("etcdctl set /foo/bar 'Hello world'");
- $node->succeed("etcdctl get /foo/bar | grep 'Hello world'");
- }
+ with subtest("should write and read some values to etcd"):
+ node.succeed("etcdctl set /foo/bar 'Hello world'")
+ node.succeed("etcdctl get /foo/bar | grep 'Hello world'")
'';
})
diff --git a/nixpkgs/nixos/tests/fancontrol.nix b/nixpkgs/nixos/tests/fancontrol.nix
new file mode 100644
index 00000000000..356cd57ffa1
--- /dev/null
+++ b/nixpkgs/nixos/tests/fancontrol.nix
@@ -0,0 +1,28 @@
+import ./make-test-python.nix ({ pkgs, ... } : {
+ name = "fancontrol";
+
+ machine =
+ { ... }:
+ { hardware.fancontrol.enable = true;
+ hardware.fancontrol.config = ''
+ INTERVAL=42
+ DEVPATH=hwmon1=devices/platform/dummy
+ DEVNAME=hwmon1=dummy
+ FCTEMPS=hwmon1/device/pwm1=hwmon1/device/temp1_input
+ FCFANS=hwmon1/device/pwm1=hwmon1/device/fan1_input
+ MINTEMP=hwmon1/device/pwm1=25
+ MAXTEMP=hwmon1/device/pwm1=65
+ MINSTART=hwmon1/device/pwm1=150
+ MINSTOP=hwmon1/device/pwm1=0
+ '';
+ };
+
+ # This configuration cannot be valid for the test VM, so it's expected to get an 'outdated' error.
+ testScript = ''
+ start_all()
+ machine.wait_for_unit("fancontrol.service")
+ machine.wait_until_succeeds(
+ "journalctl -eu fancontrol | grep 'Configuration appears to be outdated'"
+ )
+ '';
+})
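Review bot: The new test declares no `meta.maintainers`, unlike the other tests touched here (the fontconfig-default-fonts hunk adds one in this same commit), so nobody is notified when it breaks. Add `meta.maintainers = with pkgs.stdenv.lib.maintainers; [ <maintainer-handle> ];` below `name`. The script asserts only on the 'outdated' log line; whether `wait_for_unit` tolerates fancontrol exiting on that error is not visible here and is worth confirming.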
diff --git a/nixpkgs/nixos/tests/firefox.nix b/nixpkgs/nixos/tests/firefox.nix
index f5b946a0881..56ddabbae77 100644
--- a/nixpkgs/nixos/tests/firefox.nix
+++ b/nixpkgs/nixos/tests/firefox.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }: {
+import ./make-test-python.nix ({ pkgs, ... }: {
name = "firefox";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ eelco shlevy ];
@@ -11,19 +11,27 @@ import ./make-test.nix ({ pkgs, ... }: {
environment.systemPackages = [ pkgs.firefox pkgs.xdotool ];
};
- testScript =
- ''
- $machine->waitForX;
- $machine->execute("xterm -e 'firefox file://${pkgs.valgrind.doc}/share/doc/valgrind/html/index.html' &");
- $machine->waitForWindow(qr/Valgrind/);
- $machine->sleep(40); # wait until Firefox has finished loading the page
- $machine->execute("xdotool key space"); # do I want to make Firefox the
- # default browser? I just want to close the dialog
- $machine->sleep(2); # wait until Firefox hides the default browser window
- $machine->execute("xdotool key F12");
- $machine->sleep(10); # wait until Firefox draws the developer tool panel
- $machine->succeed("xwininfo -root -tree | grep Valgrind");
- $machine->screenshot("screen");
+ testScript = ''
+ machine.wait_for_x()
+
+ with subtest("wait until Firefox has finished loading the Valgrind docs page"):
+ machine.execute(
+ "xterm -e 'firefox file://${pkgs.valgrind.doc}/share/doc/valgrind/html/index.html' &"
+ )
+ machine.wait_for_window("Valgrind")
+ machine.sleep(40)
+
+ with subtest("Close default browser prompt"):
+ machine.execute("xdotool key space")
+
+ with subtest("Hide default browser window"):
+ machine.sleep(2)
+ machine.execute("xdotool key F12")
+
+ with subtest("wait until Firefox draws the developer tool panel"):
+ machine.sleep(10)
+ machine.succeed("xwininfo -root -tree | grep Valgrind")
+ machine.screenshot("screen")
'';
})
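Review bot: The subtest names no longer line up with the steps they wrap. `"Hide default browser window"` holds the `sleep(2)` plus the `xdotool key F12` that opens the developer tools, and `"wait until Firefox draws the developer tool panel"` holds the final `xwininfo` assertion and the screenshot. The Perl comments tied each wait to a single step; suggest moving `machine.execute("xdotool key F12")` into the last block and naming it for what it checks, e.g. `with subtest("Open developer tools and check the window"):`.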
diff --git a/nixpkgs/nixos/tests/firewall.nix b/nixpkgs/nixos/tests/firewall.nix
index fcf758910e0..09a1fef852e 100644
--- a/nixpkgs/nixos/tests/firewall.nix
+++ b/nixpkgs/nixos/tests/firewall.nix
@@ -1,6 +1,6 @@
# Test the firewall module.
-import ./make-test.nix ( { pkgs, ... } : {
+import ./make-test-python.nix ( { pkgs, ... } : {
name = "firewall";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ eelco ];
@@ -36,30 +36,30 @@ import ./make-test.nix ( { pkgs, ... } : {
testScript = { nodes, ... }: let
newSystem = nodes.walled2.config.system.build.toplevel;
in ''
- $walled->start;
- $attacker->start;
+ start_all()
- $walled->waitForUnit("firewall");
- $walled->waitForUnit("httpd");
- $attacker->waitForUnit("network.target");
+ walled.wait_for_unit("firewall")
+ walled.wait_for_unit("httpd")
+ attacker.wait_for_unit("network.target")
# Local connections should still work.
- $walled->succeed("curl -v http://localhost/ >&2");
+ walled.succeed("curl -v http://localhost/ >&2")
# Connections to the firewalled machine should fail, but ping should succeed.
- $attacker->fail("curl --fail --connect-timeout 2 http://walled/ >&2");
- $attacker->succeed("ping -c 1 walled >&2");
+ attacker.fail("curl --fail --connect-timeout 2 http://walled/ >&2")
+ attacker.succeed("ping -c 1 walled >&2")
# Outgoing connections/pings should still work.
- $walled->succeed("curl -v http://attacker/ >&2");
- $walled->succeed("ping -c 1 attacker >&2");
+ walled.succeed("curl -v http://attacker/ >&2")
+ walled.succeed("ping -c 1 attacker >&2")
# If we stop the firewall, then connections should succeed.
- $walled->stopJob("firewall");
- $attacker->succeed("curl -v http://walled/ >&2");
+ walled.stop_job("firewall")
+ attacker.succeed("curl -v http://walled/ >&2")
# Check whether activation of a new configuration reloads the firewall.
- $walled->succeed("${newSystem}/bin/switch-to-configuration test 2>&1" .
- " | grep -qF firewall.service");
+ walled.succeed(
+ "${newSystem}/bin/switch-to-configuration test 2>&1 | grep -qF firewall.service"
+ )
'';
})
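Review bot: `start_all()` boots every node of the test, whereas the Perl script started only `walled` and `attacker`. `nodes.walled2` is referenced above solely for its `system.build.toplevel`, so if it is declared as a node (the `nodes` set is outside this hunk) the test now brings up a third machine on the same network. For a firewall test it is worth keeping the topology explicit with `walled.start()` and `attacker.start()`.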
diff --git a/nixpkgs/nixos/tests/fish.nix b/nixpkgs/nixos/tests/fish.nix
index 97c4e8e37ac..68fba428439 100644
--- a/nixpkgs/nixos/tests/fish.nix
+++ b/nixpkgs/nixos/tests/fish.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }: {
+import ./make-test-python.nix ({ pkgs, ... }: {
name = "fish";
machine =
@@ -14,8 +14,11 @@ import ./make-test.nix ({ pkgs, ... }: {
testScript =
''
- $machine->waitForFile("/etc/fish/generated_completions/coreutils.fish");
- $machine->waitForFile("/etc/fish/generated_completions/kill.fish");
- $machine->succeed("fish -ic 'echo \$fish_complete_path' | grep -q '/share/fish/completions /etc/fish/generated_completions /root/.local/share/fish/generated_completions\$'");
+ start_all()
+ machine.wait_for_file("/etc/fish/generated_completions/coreutils.fish")
+ machine.wait_for_file("/etc/fish/generated_completions/kill.fish")
+ machine.succeed(
+ "fish -ic 'echo $fish_complete_path' | grep -q '/share/fish/completions /etc/fish/generated_completions /root/.local/share/fish/generated_completions$'"
+ )
'';
})
diff --git a/nixpkgs/nixos/tests/flatpak-builder.nix b/nixpkgs/nixos/tests/flatpak-builder.nix
deleted file mode 100644
index 49b97e8ca99..00000000000
--- a/nixpkgs/nixos/tests/flatpak-builder.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-# run installed tests
-import ./make-test.nix ({ pkgs, ... }:
-
-{
- name = "flatpak-builder";
- meta = {
- maintainers = pkgs.flatpak-builder.meta.maintainers;
- };
-
- machine = { pkgs, ... }: {
- services.flatpak.enable = true;
- xdg.portal.enable = true;
- environment.systemPackages = with pkgs; [ gnome-desktop-testing flatpak-builder ] ++ flatpak-builder.installedTestsDependencies;
- virtualisation.diskSize = 2048;
- };
-
- testScript = ''
- $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.flatpak-builder.installedTests}/share' --timeout 3600");
- '';
-})
diff --git a/nixpkgs/nixos/tests/flatpak.nix b/nixpkgs/nixos/tests/flatpak.nix
deleted file mode 100644
index b0c61830d05..00000000000
--- a/nixpkgs/nixos/tests/flatpak.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-# run installed tests
-import ./make-test.nix ({ pkgs, ... }:
-
-{
- name = "flatpak";
- meta = {
- maintainers = pkgs.flatpak.meta.maintainers;
- };
-
- machine = { pkgs, ... }: {
- imports = [ ./common/x11.nix ];
- services.xserver.desktopManager.gnome3.enable = true; # TODO: figure out minimal environment where the tests work
- # common/x11.nix enables the auto display manager (lightdm)
- services.xserver.displayManager.gdm.enable = false;
- environment.gnome3.excludePackages = pkgs.gnome3.optionalPackages;
- services.flatpak.enable = true;
- environment.systemPackages = with pkgs; [ gnupg gnome-desktop-testing ostree python2 ];
- virtualisation.memorySize = 2047;
- virtualisation.diskSize = 1024;
- };
-
- testScript = ''
- $machine->waitForX();
- $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.flatpak.installedTests}/share' --timeout 3600");
- '';
-})
diff --git a/nixpkgs/nixos/tests/fluentd.nix b/nixpkgs/nixos/tests/fluentd.nix
index e5c4c3d2163..918f2f87db1 100644
--- a/nixpkgs/nixos/tests/fluentd.nix
+++ b/nixpkgs/nixos/tests/fluentd.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, lib, ... }: {
+import ./make-test-python.nix ({ pkgs, lib, ... }: {
name = "fluentd";
machine = { pkgs, ... }: {
@@ -33,14 +33,17 @@ import ./make-test.nix ({ pkgs, lib, ... }: {
inherit testMessage;
});
in ''
- $machine->start;
- $machine->waitForUnit('fluentd.service');
- $machine->waitForOpenPort(9880);
+ machine.start()
+ machine.wait_for_unit("fluentd.service")
+ machine.wait_for_open_port(9880)
- $machine->succeed("curl -fsSL -X POST -H 'Content-type: application/json' -d @${payload} http://localhost:9880/test.tag");
+ machine.succeed(
+ "curl -fsSL -X POST -H 'Content-type: application/json' -d @${payload} http://localhost:9880/test.tag"
+ )
- $machine->succeed("systemctl stop fluentd"); # blocking flush
+ # blocking flush
+ machine.succeed("systemctl stop fluentd")
- $machine->succeed("grep '${testMessage}' /tmp/current-log");
+ machine.succeed("grep '${testMessage}' /tmp/current-log")
'';
})
diff --git a/nixpkgs/nixos/tests/fontconfig-default-fonts.nix b/nixpkgs/nixos/tests/fontconfig-default-fonts.nix
index 1991cec9218..68c6ac9e9c8 100644
--- a/nixpkgs/nixos/tests/fontconfig-default-fonts.nix
+++ b/nixpkgs/nixos/tests/fontconfig-default-fonts.nix
@@ -1,7 +1,12 @@
-import ./make-test.nix ({ lib, ... }:
+import ./make-test-python.nix ({ lib, ... }:
{
name = "fontconfig-default-fonts";
+ meta.maintainers = with lib.maintainers; [
+ jtojnar
+ worldofpeace
+ ];
+
machine = { config, pkgs, ... }: {
fonts.enableDefaultFonts = true; # Background fonts
fonts.fonts = with pkgs; [
@@ -20,9 +25,9 @@ import ./make-test.nix ({ lib, ... }:
};
testScript = ''
- $machine->succeed("fc-match serif | grep '\"Gentium Plus\"'");
- $machine->succeed("fc-match sans-serif | grep '\"Cantarell\"'");
- $machine->succeed("fc-match monospace | grep '\"Source Code Pro\"'");
- $machine->succeed("fc-match emoji | grep '\"Twitter Color Emoji\"'");
+ machine.succeed("fc-match serif | grep '\"Gentium Plus\"'")
+ machine.succeed("fc-match sans-serif | grep '\"Cantarell\"'")
+ machine.succeed("fc-match monospace | grep '\"Source Code Pro\"'")
+ machine.succeed("fc-match emoji | grep '\"Twitter Color Emoji\"'")
'';
})
diff --git a/nixpkgs/nixos/tests/fsck.nix b/nixpkgs/nixos/tests/fsck.nix
index f943bb7f235..e522419fde2 100644
--- a/nixpkgs/nixos/tests/fsck.nix
+++ b/nixpkgs/nixos/tests/fsck.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix {
+import ./make-test-python.nix {
name = "fsck";
machine = { lib, ... }: {
@@ -14,16 +14,18 @@ import ./make-test.nix {
};
testScript = ''
- $machine->waitForUnit('default.target');
+ machine.wait_for_unit("default.target")
- subtest "root fs is fsckd", sub {
- $machine->succeed('journalctl -b | grep "fsck.ext4.*/dev/vda"');
- };
+ with subtest("root fs is fsckd"):
+ machine.succeed("journalctl -b | grep 'fsck.ext4.*/dev/vda'")
- subtest "mnt fs is fsckd", sub {
- $machine->succeed('journalctl -b | grep "fsck.*/dev/vdb.*clean"');
- $machine->succeed('grep "Requires=systemd-fsck@dev-vdb.service" /run/systemd/generator/mnt.mount');
- $machine->succeed('grep "After=systemd-fsck@dev-vdb.service" /run/systemd/generator/mnt.mount');
- };
+ with subtest("mnt fs is fsckd"):
+ machine.succeed("journalctl -b | grep 'fsck.*/dev/vdb.*clean'")
+ machine.succeed(
+ "grep 'Requires=systemd-fsck@dev-vdb.service' /run/systemd/generator/mnt.mount"
+ )
+ machine.succeed(
+ "grep 'After=systemd-fsck@dev-vdb.service' /run/systemd/generator/mnt.mount"
+ )
'';
}
diff --git a/nixpkgs/nixos/tests/fwupd.nix b/nixpkgs/nixos/tests/fwupd.nix
deleted file mode 100644
index 88dac8ccbcd..00000000000
--- a/nixpkgs/nixos/tests/fwupd.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-# run installed tests
-import ./make-test.nix ({ pkgs, ... }: {
- name = "fwupd";
-
- meta = {
- maintainers = pkgs.fwupd.meta.maintainers;
- };
-
- machine = { pkgs, ... }: {
- services.fwupd.enable = true;
- services.fwupd.blacklistPlugins = []; # don't blacklist test plugin
- services.fwupd.enableTestRemote = true;
- environment.systemPackages = with pkgs; [ gnome-desktop-testing ];
- environment.variables.XDG_DATA_DIRS = [ "${pkgs.fwupd.installedTests}/share" ];
- virtualisation.memorySize = 768;
- };
-
- testScript = ''
- $machine->succeed("gnome-desktop-testing-runner");
- '';
-})
diff --git a/nixpkgs/nixos/tests/gdk-pixbuf.nix b/nixpkgs/nixos/tests/gdk-pixbuf.nix
deleted file mode 100644
index 9a62b593f46..00000000000
--- a/nixpkgs/nixos/tests/gdk-pixbuf.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-# run installed tests
-import ./make-test.nix ({ pkgs, ... }: {
- name = "gdk-pixbuf";
-
- meta = {
- maintainers = pkgs.gdk-pixbuf.meta.maintainers;
- };
-
- machine = { pkgs, ... }: {
- environment.systemPackages = with pkgs; [ gnome-desktop-testing ];
- environment.variables.XDG_DATA_DIRS = [ "${pkgs.gdk-pixbuf.installedTests}/share" ];
-
- # Tests allocate a lot of memory trying to exploit a CVE
- # but qemu-system-i386 has a 2047M memory limit
- virtualisation.memorySize = if pkgs.stdenv.isi686 then 2047 else 4096;
- };
-
- testScript = ''
- $machine->succeed("gnome-desktop-testing-runner -t 1800"); # increase timeout to 1800s
- '';
-})
diff --git a/nixpkgs/nixos/tests/gitea.nix b/nixpkgs/nixos/tests/gitea.nix
index b8ab6dabc8c..ffbc07cfbb2 100644
--- a/nixpkgs/nixos/tests/gitea.nix
+++ b/nixpkgs/nixos/tests/gitea.nix
@@ -3,7 +3,7 @@
pkgs ? import ../.. { inherit system config; }
}:
-with import ../lib/testing.nix { inherit system pkgs; };
+with import ../lib/testing-python.nix { inherit system pkgs; };
with pkgs.lib;
{
@@ -18,11 +18,11 @@ with pkgs.lib;
};
testScript = ''
- startAll;
+ start_all()
- $machine->waitForUnit('gitea.service');
- $machine->waitForOpenPort('3000');
- $machine->succeed("curl --fail http://localhost:3000/");
+ machine.wait_for_unit("gitea.service")
+ machine.wait_for_open_port(3000)
+ machine.succeed("curl --fail http://localhost:3000/")
'';
};
@@ -37,11 +37,11 @@ with pkgs.lib;
};
testScript = ''
- startAll;
+ start_all()
- $machine->waitForUnit('gitea.service');
- $machine->waitForOpenPort('3000');
- $machine->succeed("curl --fail http://localhost:3000/");
+ machine.wait_for_unit("gitea.service")
+ machine.wait_for_open_port(3000)
+ machine.succeed("curl --fail http://localhost:3000/")
'';
};
@@ -56,12 +56,14 @@ with pkgs.lib;
};
testScript = ''
- startAll;
+ start_all()
- $machine->waitForUnit('gitea.service');
- $machine->waitForOpenPort('3000');
- $machine->succeed("curl --fail http://localhost:3000/");
- $machine->succeed("curl --fail http://localhost:3000/user/sign_up | grep 'Registration is disabled. Please contact your site administrator.'");
+ machine.wait_for_unit("gitea.service")
+ machine.wait_for_open_port(3000)
+ machine.succeed("curl --fail http://localhost:3000/")
+ machine.succeed(
+ "curl --fail http://localhost:3000/user/sign_up | grep 'Registration is disabled. Please contact your site administrator.'"
+ )
'';
};
}
diff --git a/nixpkgs/nixos/tests/gitlab.nix b/nixpkgs/nixos/tests/gitlab.nix
index be0b3c8746a..7e4e8bcef92 100644
--- a/nixpkgs/nixos/tests/gitlab.nix
+++ b/nixpkgs/nixos/tests/gitlab.nix
@@ -3,7 +3,7 @@
let
initialRootPassword = "notproduction";
in
-import ./make-test.nix ({ pkgs, lib, ...} : with lib; {
+import ./make-test-python.nix ({ pkgs, lib, ...} : with lib; {
name = "gitlab";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ globin ];
@@ -63,21 +63,35 @@ import ./make-test.nix ({ pkgs, lib, ...} : with lib; {
});
in
''
- $gitlab->start();
- $gitlab->waitForUnit("gitaly.service");
- $gitlab->waitForUnit("gitlab-workhorse.service");
- $gitlab->waitForUnit("gitlab.service");
- $gitlab->waitForUnit("gitlab-sidekiq.service");
- $gitlab->waitForFile("/var/gitlab/state/tmp/sockets/gitlab.socket");
- $gitlab->waitUntilSucceeds("curl -sSf http://gitlab/users/sign_in");
- $gitlab->succeed("curl -isSf http://gitlab | grep -i location | grep -q http://gitlab/users/sign_in");
- $gitlab->succeed("${pkgs.sudo}/bin/sudo -u gitlab -H gitlab-rake gitlab:check 1>&2");
- $gitlab->succeed("echo \"Authorization: Bearer \$(curl -X POST -H 'Content-Type: application/json' -d @${auth} http://gitlab/oauth/token | ${pkgs.jq}/bin/jq -r '.access_token')\" >/tmp/headers");
- $gitlab->succeed("curl -X POST -H 'Content-Type: application/json' -H @/tmp/headers -d @${createProject} http://gitlab/api/v4/projects");
- $gitlab->succeed("curl -X POST -H 'Content-Type: application/json' -H @/tmp/headers -d @${putFile} http://gitlab/api/v4/projects/1/repository/files/some-file.txt");
- $gitlab->succeed("curl -H @/tmp/headers http://gitlab/api/v4/projects/1/repository/archive.tar.gz > /tmp/archive.tar.gz");
- $gitlab->succeed("curl -H @/tmp/headers http://gitlab/api/v4/projects/1/repository/archive.tar.bz2 > /tmp/archive.tar.bz2");
- $gitlab->succeed("test -s /tmp/archive.tar.gz");
- $gitlab->succeed("test -s /tmp/archive.tar.bz2");
+ gitlab.start()
+ gitlab.wait_for_unit("gitaly.service")
+ gitlab.wait_for_unit("gitlab-workhorse.service")
+ gitlab.wait_for_unit("gitlab.service")
+ gitlab.wait_for_unit("gitlab-sidekiq.service")
+ gitlab.wait_for_file("/var/gitlab/state/tmp/sockets/gitlab.socket")
+ gitlab.wait_until_succeeds("curl -sSf http://gitlab/users/sign_in")
+ gitlab.succeed(
+ "curl -isSf http://gitlab | grep -i location | grep -q http://gitlab/users/sign_in"
+ )
+ gitlab.succeed(
+ "${pkgs.sudo}/bin/sudo -u gitlab -H gitlab-rake gitlab:check 1>&2"
+ )
+ gitlab.succeed(
+ "echo \"Authorization: Bearer \$(curl -X POST -H 'Content-Type: application/json' -d @${auth} http://gitlab/oauth/token | ${pkgs.jq}/bin/jq -r '.access_token')\" >/tmp/headers"
+ )
+ gitlab.succeed(
+ "curl -X POST -H 'Content-Type: application/json' -H @/tmp/headers -d @${createProject} http://gitlab/api/v4/projects"
+ )
+ gitlab.succeed(
+ "curl -X POST -H 'Content-Type: application/json' -H @/tmp/headers -d @${putFile} http://gitlab/api/v4/projects/1/repository/files/some-file.txt"
+ )
+ gitlab.succeed(
+ "curl -H @/tmp/headers http://gitlab/api/v4/projects/1/repository/archive.tar.gz > /tmp/archive.tar.gz"
+ )
+ gitlab.succeed(
+ "curl -H @/tmp/headers http://gitlab/api/v4/projects/1/repository/archive.tar.bz2 > /tmp/archive.tar.bz2"
+ )
+ gitlab.succeed("test -s /tmp/archive.tar.gz")
+ gitlab.succeed("test -s /tmp/archive.tar.bz2")
'';
})
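Review bot: The token request in the fourth `gitlab.succeed(...)` still carries the Perl escape `\$(curl ...`. Python does not recognise `\$`, so the backslash reaches the shell inside double quotes and, as far as the visible string shows, the substitution is not run and `/tmp/headers` holds the literal text instead of a bearer token. The later `/api/v4/...` requests use `curl` without `--fail` and the final checks are only `test -s`, so the test can pass on error bodies without ever authenticating. Drop the backslash (`Bearer $(curl -X POST ...`), as the emacs-daemon and fish hunks in this commit already do, and add `--fail` to those requests. The `auth`, `createProject` and `putFile` bindings are defined outside the hunk.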
diff --git a/nixpkgs/nixos/tests/gitolite.nix b/nixpkgs/nixos/tests/gitolite.nix
index 690e456ed7c..a928645bd80 100644
--- a/nixpkgs/nixos/tests/gitolite.nix
+++ b/nixpkgs/nixos/tests/gitolite.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...}:
+import ./make-test-python.nix ({ pkgs, ...}:
let
adminPrivateKey = pkgs.writeText "id_ed25519" ''
@@ -43,7 +43,7 @@ let
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJZNonUP1ePHLrvn0W9D2hdN6zWWZYFyJc+QR6pOKQEw bob@client
'';
- gitoliteAdminConfSnippet = ''
+ gitoliteAdminConfSnippet = pkgs.writeText "gitolite-admin-conf-snippet" ''
repo alice-project
RW+ = alice
'';
@@ -85,55 +85,54 @@ in
};
testScript = ''
- startAll;
-
- subtest "can setup ssh keys on system", sub {
- $client->mustSucceed("mkdir -p ~root/.ssh");
- $client->mustSucceed("cp ${adminPrivateKey} ~root/.ssh/id_ed25519");
- $client->mustSucceed("chmod 600 ~root/.ssh/id_ed25519");
-
- $client->mustSucceed("sudo -u alice mkdir -p ~alice/.ssh");
- $client->mustSucceed("sudo -u alice cp ${alicePrivateKey} ~alice/.ssh/id_ed25519");
- $client->mustSucceed("sudo -u alice chmod 600 ~alice/.ssh/id_ed25519");
-
- $client->mustSucceed("sudo -u bob mkdir -p ~bob/.ssh");
- $client->mustSucceed("sudo -u bob cp ${bobPrivateKey} ~bob/.ssh/id_ed25519");
- $client->mustSucceed("sudo -u bob chmod 600 ~bob/.ssh/id_ed25519");
- };
-
- subtest "gitolite server starts", sub {
- $server->waitForUnit("gitolite-init.service");
- $server->waitForUnit("sshd.service");
- $client->mustSucceed('ssh gitolite@server info');
- };
-
- subtest "admin can clone and configure gitolite-admin.git", sub {
- $client->mustSucceed('git clone gitolite@server:gitolite-admin.git');
- $client->mustSucceed("git config --global user.name 'System Administrator'");
- $client->mustSucceed("git config --global user.email root\@domain.example");
- $client->mustSucceed("cp ${alicePublicKey} gitolite-admin/keydir/alice.pub");
- $client->mustSucceed("cp ${bobPublicKey} gitolite-admin/keydir/bob.pub");
- $client->mustSucceed('(cd gitolite-admin && git add . && git commit -m "Add keys for alice, bob" && git push)');
- $client->mustSucceed("printf '${gitoliteAdminConfSnippet}' >> gitolite-admin/conf/gitolite.conf");
- $client->mustSucceed('(cd gitolite-admin && git add . && git commit -m "Add repo for alice" && git push)');
- };
-
- subtest "non-admins cannot clone gitolite-admin.git", sub {
- $client->mustFail('sudo -i -u alice git clone gitolite@server:gitolite-admin.git');
- $client->mustFail('sudo -i -u bob git clone gitolite@server:gitolite-admin.git');
- };
-
- subtest "non-admins can clone testing.git", sub {
- $client->mustSucceed('sudo -i -u alice git clone gitolite@server:testing.git');
- $client->mustSucceed('sudo -i -u bob git clone gitolite@server:testing.git');
- };
-
- subtest "alice can clone alice-project.git", sub {
- $client->mustSucceed('sudo -i -u alice git clone gitolite@server:alice-project.git');
- };
-
- subtest "bob cannot clone alice-project.git", sub {
- $client->mustFail('sudo -i -u bob git clone gitolite@server:alice-project.git');
- };
+ start_all()
+
+ with subtest("can setup ssh keys on system"):
+ client.succeed(
+ "mkdir -p ~root/.ssh",
+ "cp ${adminPrivateKey} ~root/.ssh/id_ed25519",
+ "chmod 600 ~root/.ssh/id_ed25519",
+ )
+ client.succeed(
+ "sudo -u alice mkdir -p ~alice/.ssh",
+ "sudo -u alice cp ${alicePrivateKey} ~alice/.ssh/id_ed25519",
+ "sudo -u alice chmod 600 ~alice/.ssh/id_ed25519",
+ )
+ client.succeed(
+ "sudo -u bob mkdir -p ~bob/.ssh",
+ "sudo -u bob cp ${bobPrivateKey} ~bob/.ssh/id_ed25519",
+ "sudo -u bob chmod 600 ~bob/.ssh/id_ed25519",
+ )
+
+ with subtest("gitolite server starts"):
+ server.wait_for_unit("gitolite-init.service")
+ server.wait_for_unit("sshd.service")
+ client.succeed("ssh gitolite@server info")
+
+ with subtest("admin can clone and configure gitolite-admin.git"):
+ client.succeed(
+ "git clone gitolite@server:gitolite-admin.git",
+ "git config --global user.name 'System Administrator'",
+ "git config --global user.email root\@domain.example",
+ "cp ${alicePublicKey} gitolite-admin/keydir/alice.pub",
+ "cp ${bobPublicKey} gitolite-admin/keydir/bob.pub",
+ "(cd gitolite-admin && git add . && git commit -m 'Add keys for alice, bob' && git push)",
+ "cat ${gitoliteAdminConfSnippet} >> gitolite-admin/conf/gitolite.conf",
+ "(cd gitolite-admin && git add . && git commit -m 'Add repo for alice' && git push)",
+ )
+
+ with subtest("non-admins cannot clone gitolite-admin.git"):
+ client.fail("sudo -i -u alice git clone gitolite@server:gitolite-admin.git")
+ client.fail("sudo -i -u bob git clone gitolite@server:gitolite-admin.git")
+
+ with subtest("non-admins can clone testing.git"):
+ client.succeed("sudo -i -u alice git clone gitolite@server:testing.git")
+ client.succeed("sudo -i -u bob git clone gitolite@server:testing.git")
+
+ with subtest("alice can clone alice-project.git"):
+ client.succeed("sudo -i -u alice git clone gitolite@server:alice-project.git")
+
+ with subtest("bob cannot clone alice-project.git"):
+ client.fail("sudo -i -u bob git clone gitolite@server:alice-project.git")
'';
})
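Review bot: The `\@` in `"git config --global user.email root\@domain.example"` is left over from the Perl script, where `@` had to be escaped inside a double-quoted string. In Python `\@` is not a recognised escape, so the backslash stays in the string and newer interpreters warn about an invalid escape sequence. The line can simply be `"git config --global user.email root@domain.example",`. The same leftover appears in the three `grep -q testadmin\@localhost` commands in grafana.nix. hound.nix keeps `\?`, `\=`, `\&` and `\*` in a normal string to protect an unquoted URL from the shell; putting that URL in single quotes would remove the need for them.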
diff --git a/nixpkgs/nixos/tests/gjs.nix b/nixpkgs/nixos/tests/gjs.nix
deleted file mode 100644
index e6002ef98dd..00000000000
--- a/nixpkgs/nixos/tests/gjs.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-# run installed tests
-import ./make-test.nix ({ pkgs, ... }: {
- name = "gjs";
-
- meta = {
- maintainers = pkgs.gnome3.gjs.meta.maintainers;
- };
-
- machine = { pkgs, ... }: {
- imports = [ ./common/x11.nix ];
- environment.systemPackages = with pkgs; [ gnome-desktop-testing ];
- environment.variables.XDG_DATA_DIRS = [ "${pkgs.gnome3.gjs.installedTests}/share" ];
- };
-
- testScript = ''
- $machine->waitForX;
- $machine->succeed("gnome-desktop-testing-runner");
- '';
-})
diff --git a/nixpkgs/nixos/tests/glib-networking.nix b/nixpkgs/nixos/tests/glib-networking.nix
deleted file mode 100644
index c0bbb2b3554..00000000000
--- a/nixpkgs/nixos/tests/glib-networking.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-# run installed tests
-import ./make-test.nix ({ pkgs, ... }:
-
-{
- name = "glib-networking";
- meta = {
- maintainers = pkgs.glib-networking.meta.maintainers;
- };
-
- machine = { pkgs, ... }: {
- environment.systemPackages = with pkgs; [ gnome-desktop-testing ];
- };
-
- testScript = ''
- $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.glib-networking.installedTests}/share'");
- '';
-})
diff --git a/nixpkgs/nixos/tests/glusterfs.nix b/nixpkgs/nixos/tests/glusterfs.nix
index 9fd8bd2ed12..8f9cb8973d5 100644
--- a/nixpkgs/nixos/tests/glusterfs.nix
+++ b/nixpkgs/nixos/tests/glusterfs.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ ... } :
+import ./make-test-python.nix ({pkgs, lib, ...}:
let
client = { pkgs, ... } : {
@@ -39,27 +39,29 @@ in {
};
testScript = ''
- $server1->waitForUnit("glusterd.service");
- $server2->waitForUnit("glusterd.service");
+ server1.wait_for_unit("glusterd.service")
+ server2.wait_for_unit("glusterd.service")
+
+ server1.wait_until_succeeds("gluster peer status")
+ server2.wait_until_succeeds("gluster peer status")
# establish initial contact
- $server1->succeed("sleep 2");
- $server1->succeed("gluster peer probe server2");
- $server1->succeed("gluster peer probe server1");
+ server1.succeed("gluster peer probe server2")
+ server1.succeed("gluster peer probe server1")
- $server1->succeed("gluster peer status | grep Connected");
+ server1.succeed("gluster peer status | grep Connected")
# create volumes
- $server1->succeed("mkdir -p /data/vg0");
- $server2->succeed("mkdir -p /data/vg0");
- $server1->succeed("gluster volume create gv0 server1:/data/vg0 server2:/data/vg0");
- $server1->succeed("gluster volume start gv0");
+ server1.succeed("mkdir -p /data/vg0")
+ server2.succeed("mkdir -p /data/vg0")
+ server1.succeed("gluster volume create gv0 server1:/data/vg0 server2:/data/vg0")
+ server1.succeed("gluster volume start gv0")
# test clients
- $client1->waitForUnit("gluster.mount");
- $client2->waitForUnit("gluster.mount");
+ client1.wait_for_unit("gluster.mount")
+ client2.wait_for_unit("gluster.mount")
- $client1->succeed("echo test > /gluster/file1");
- $client2->succeed("grep test /gluster/file1");
+ client1.succeed("echo test > /gluster/file1")
+ client2.succeed("grep test /gluster/file1")
'';
})
diff --git a/nixpkgs/nixos/tests/gnome-photos.nix b/nixpkgs/nixos/tests/gnome-photos.nix
deleted file mode 100644
index 2ecda1d68ce..00000000000
--- a/nixpkgs/nixos/tests/gnome-photos.nix
+++ /dev/null
@@ -1,42 +0,0 @@
-# run installed tests
-import ./make-test.nix ({ pkgs, lib, ... }:
-
-let
-
- # gsettings tool with access to gsettings-desktop-schemas
- desktop-gsettings = with pkgs; stdenv.mkDerivation {
- name = "desktop-gsettings";
- dontUnpack = true;
- nativeBuildInputs = [ glib wrapGAppsHook ];
- buildInputs = [ gsettings-desktop-schemas ];
- installPhase = ''
- runHook preInstall
- mkdir -p $out/bin
- ln -s ${glib.bin}/bin/gsettings $out/bin/desktop-gsettings
- runHook postInstall
- '';
- };
-
-in
-
-{
- name = "gnome-photos";
- meta = {
- maintainers = pkgs.gnome-photos.meta.maintainers;
- };
-
- machine = { pkgs, ... }: {
- imports = [ ./common/x11.nix ];
- programs.dconf.enable = true;
- services.gnome3.at-spi2-core.enable = true; # needed for dogtail
- environment.systemPackages = with pkgs; [ gnome-desktop-testing desktop-gsettings ];
- services.dbus.packages = with pkgs; [ gnome-photos ];
- };
-
- testScript = ''
- $machine->waitForX;
- # dogtail needs accessibility enabled
- $machine->succeed("desktop-gsettings set org.gnome.desktop.interface toolkit-accessibility true 2>&1");
- $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.gnome-photos.installedTests}/share' 2>&1");
- '';
-})
diff --git a/nixpkgs/nixos/tests/google-oslogin/default.nix b/nixpkgs/nixos/tests/google-oslogin/default.nix
index 3b84bba3f98..1977e92e987 100644
--- a/nixpkgs/nixos/tests/google-oslogin/default.nix
+++ b/nixpkgs/nixos/tests/google-oslogin/default.nix
@@ -1,7 +1,14 @@
-import ../make-test.nix ({ pkgs, ... } :
+import ../make-test-python.nix ({ pkgs, ... } :
let
inherit (import ./../ssh-keys.nix pkgs)
snakeOilPrivateKey snakeOilPublicKey;
+
+ # don't check host keys or known hosts, use the snakeoil ssh key
+ ssh-config = builtins.toFile "ssh.conf" ''
+ UserKnownHostsFile=/dev/null
+ StrictHostKeyChecking=no
+ IdentityFile=~/.ssh/id_snakeoil
+ '';
in {
name = "google-oslogin";
meta = with pkgs.stdenv.lib.maintainers; {
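Review bot: `ssh-config` has no `Host` line, so `StrictHostKeyChecking=no` and `UserKnownHostsFile=/dev/null` apply to every destination the test user connects to, not only the test server. Starting the file with `Host server` would scope the relaxation to the one machine the script talks to. The comment could also say why skipping verification is acceptable, for example `# test-only: host keys are not verified because the server is a throwaway VM`.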
@@ -15,38 +22,49 @@ in {
client = { ... }: {};
};
testScript = ''
- startAll;
+ start_all()
- $server->waitForUnit("mock-google-metadata.service");
- $server->waitForOpenPort(80);
+ server.wait_for_unit("mock-google-metadata.service")
+ server.wait_for_open_port(80)
# mockserver should return a non-expired ssh key for both mockuser and mockadmin
- $server->succeed('${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockuser | grep -q "${snakeOilPublicKey}"');
- $server->succeed('${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockadmin | grep -q "${snakeOilPublicKey}"');
+ server.succeed(
+ '${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockuser | grep -q "${snakeOilPublicKey}"'
+ )
+ server.succeed(
+ '${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockadmin | grep -q "${snakeOilPublicKey}"'
+ )
- # install snakeoil ssh key on the client
- $client->succeed("mkdir -p ~/.ssh");
- $client->succeed("cat ${snakeOilPrivateKey} > ~/.ssh/id_snakeoil");
- $client->succeed("chmod 600 ~/.ssh/id_snakeoil");
+ # install snakeoil ssh key on the client, and provision .ssh/config file
+ client.succeed("mkdir -p ~/.ssh")
+ client.succeed(
+ "cat ${snakeOilPrivateKey} > ~/.ssh/id_snakeoil"
+ )
+ client.succeed("chmod 600 ~/.ssh/id_snakeoil")
+ client.succeed("cp ${ssh-config} ~/.ssh/config")
- $client->waitForUnit("network.target");
- $server->waitForUnit("sshd.service");
+ client.wait_for_unit("network.target")
+ server.wait_for_unit("sshd.service")
# we should not be able to connect as non-existing user
- $client->fail("ssh -o User=ghost -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil 'true'");
+ client.fail("ssh ghost@server 'true'")
# we should be able to connect as mockuser
- $client->succeed("ssh -o User=mockuser -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil 'true'");
+ client.succeed("ssh mockuser@server 'true'")
# but we shouldn't be able to sudo
- $client->fail("ssh -o User=mockuser -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'");
+ client.fail(
+ "ssh mockuser@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"
+ )
# we should also be able to log in as mockadmin
- $client->succeed("ssh -o User=mockadmin -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil 'true'");
+ client.succeed("ssh mockadmin@server 'true'")
# pam_oslogin_admin.so should now have generated a sudoers file
- $server->succeed("find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/mockadmin'");
+ server.succeed("find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/mockadmin'")
# and we should be able to sudo
- $client->succeed("ssh -o User=mockadmin -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'");
+ client.succeed(
+ "ssh mockadmin@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"
+ )
'';
})
diff --git a/nixpkgs/nixos/tests/gotify-server.nix b/nixpkgs/nixos/tests/gotify-server.nix
new file mode 100644
index 00000000000..c6e00686aed
--- /dev/null
+++ b/nixpkgs/nixos/tests/gotify-server.nix
@@ -0,0 +1,45 @@
+import ./make-test-python.nix ({ pkgs, lib, ...} : {
+ name = "gotify-server";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ ma27 ];
+ };
+
+ machine = { pkgs, ... }: {
+ environment.systemPackages = [ pkgs.jq ];
+
+ services.gotify = {
+ enable = true;
+ port = 3000;
+ };
+ };
+
+ testScript = ''
+ machine.start()
+
+ machine.wait_for_unit("gotify-server.service")
+ machine.wait_for_open_port(3000)
+
+ token = machine.succeed(
+ "curl --fail -sS -X POST localhost:3000/application -F name=nixos "
+ + '-H "Authorization: Basic $(echo -ne "admin:admin" | base64 --wrap 0)" '
+ + "| jq .token | xargs echo -n"
+ )
+
+ usertoken = machine.succeed(
+ "curl --fail -sS -X POST localhost:3000/client -F name=nixos "
+ + '-H "Authorization: Basic $(echo -ne "admin:admin" | base64 --wrap 0)" '
+ + "| jq .token | xargs echo -n"
+ )
+
+ machine.succeed(
+ f"curl --fail -sS -X POST 'localhost:3000/message?token={token}' -H 'Accept: application/json' "
+ + "-F title=Gotify -F message=Works"
+ )
+
+ title = machine.succeed(
+ f"curl --fail -sS 'localhost:3000/message?since=0&token={usertoken}' | jq '.messages|.[0]|.title' | xargs echo -n"
+ )
+
+ assert title == "Gotify"
+ '';
+})
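Review bot: Both token requests authenticate with `admin:admin` while the machine configuration sets only `enable` and `port`, so the test appears to depend on the service's built-in default administrator credential, and nothing in the file says so. A comment above the first request, such as `# admin:admin is the default account; the test relies on it being unchanged`, would make that dependency explicit. The hand-built header can also be replaced by curl's own option, `"curl --fail -sS -u admin:admin -X POST localhost:3000/application -F name=nixos "`, which drops the nested `$(echo -ne … | base64 --wrap 0)` quoting.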
diff --git a/nixpkgs/nixos/tests/grafana.nix b/nixpkgs/nixos/tests/grafana.nix
index 7a1b4c8ffbb..4b453ece7f1 100644
--- a/nixpkgs/nixos/tests/grafana.nix
+++ b/nixpkgs/nixos/tests/grafana.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ lib, pkgs, ... }:
+import ./make-test-python.nix ({ lib, pkgs, ... }:
let
inherit (lib) mkMerge nameValuePair maintainers;
@@ -64,28 +64,34 @@ in {
inherit nodes;
testScript = ''
- startAll();
+ start_all()
- subtest "Grafana sqlite", sub {
- $sqlite->waitForUnit("grafana.service");
- $sqlite->waitForOpenPort(3000);
- $sqlite->succeed("curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/org/users | grep -q testadmin\@localhost");
- };
+ with subtest("Successful API query as admin user with sqlite db"):
+ sqlite.wait_for_unit("grafana.service")
+ sqlite.wait_for_open_port(3000)
+ sqlite.succeed(
+ "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/org/users | grep -q testadmin\@localhost"
+ )
+ sqlite.shutdown()
- subtest "Grafana postgresql", sub {
- $postgresql->waitForUnit("grafana.service");
- $postgresql->waitForUnit("postgresql.service");
- $postgresql->waitForOpenPort(3000);
- $postgresql->waitForOpenPort(5432);
- $postgresql->succeed("curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/org/users | grep -q testadmin\@localhost");
- };
+ with subtest("Successful API query as admin user with postgresql db"):
+ postgresql.wait_for_unit("grafana.service")
+ postgresql.wait_for_unit("postgresql.service")
+ postgresql.wait_for_open_port(3000)
+ postgresql.wait_for_open_port(5432)
+ postgresql.succeed(
+ "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/org/users | grep -q testadmin\@localhost"
+ )
+ postgresql.shutdown()
- subtest "Grafana mysql", sub {
- $mysql->waitForUnit("grafana.service");
- $mysql->waitForUnit("mysql.service");
- $mysql->waitForOpenPort(3000);
- $mysql->waitForOpenPort(3306);
- $mysql->succeed("curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/org/users | grep -q testadmin\@localhost");
- };
+ with subtest("Successful API query as admin user with mysql db"):
+ mysql.wait_for_unit("grafana.service")
+ mysql.wait_for_unit("mysql.service")
+ mysql.wait_for_open_port(3000)
+ mysql.wait_for_open_port(3306)
+ mysql.succeed(
+ "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1:3000/api/org/users | grep -q testadmin\@localhost"
+ )
+ mysql.shutdown()
'';
})
diff --git a/nixpkgs/nixos/tests/graphene.nix b/nixpkgs/nixos/tests/graphene.nix
deleted file mode 100644
index 5591bcc30c0..00000000000
--- a/nixpkgs/nixos/tests/graphene.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-# run installed tests
-import ./make-test.nix ({ pkgs, ... }:
-
-{
- name = "graphene";
-
- meta = {
- maintainers = pkgs.graphene.meta.maintainers;
- };
-
- machine = { pkgs, ... }: {
- environment.systemPackages = with pkgs; [ gnome-desktop-testing ];
- };
-
- testScript = ''
- $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.graphene.installedTests}/share'");
- '';
-})
diff --git a/nixpkgs/nixos/tests/graylog.nix b/nixpkgs/nixos/tests/graylog.nix
index dc54afd1d26..2d22012fa7c 100644
--- a/nixpkgs/nixos/tests/graylog.nix
+++ b/nixpkgs/nixos/tests/graylog.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, lib, ... }: {
+import ./make-test-python.nix ({ pkgs, lib, ... }: {
name = "graylog";
meta.maintainers = with lib.maintainers; [ ma27 ];
@@ -64,48 +64,52 @@ import ./make-test.nix ({ pkgs, lib, ... }: {
facility = "Test";
});
in ''
- $machine->start;
- $machine->waitForUnit("graylog.service");
- $machine->waitForOpenPort(9000);
- $machine->succeed("curl -sSfL http://127.0.0.1:9000/");
+ machine.start()
+ machine.wait_for_unit("graylog.service")
+ machine.wait_for_open_port(9000)
+ machine.succeed("curl -sSfL http://127.0.0.1:9000/")
- my $session = $machine->succeed("curl -X POST "
- . "-sSfL http://127.0.0.1:9000/api/system/sessions "
- . "-d \$(cat ${payloads.login}) "
- . "-H 'Content-Type: application/json' "
- . "-H 'Accept: application/json' "
- . "-H 'x-requested-by: cli' "
- . "| jq .session_id | xargs echo"
- );
+ session = machine.succeed(
+ "curl -X POST "
+ + "-sSfL http://127.0.0.1:9000/api/system/sessions "
+ + "-d $(cat ${payloads.login}) "
+ + "-H 'Content-Type: application/json' "
+ + "-H 'Accept: application/json' "
+ + "-H 'x-requested-by: cli' "
+ + "| jq .session_id | xargs echo"
+ ).rstrip()
- chomp($session);
+ machine.succeed(
+ "curl -X POST "
+ + f"-sSfL http://127.0.0.1:9000/api/system/inputs -u {session}:session "
+ + '-d $(cat ${payloads.input} | sed -e "s,@node@,$(cat /var/lib/graylog/server/node-id),") '
+ + "-H 'Accept: application/json' "
+ + "-H 'Content-Type: application/json' "
+ + "-H 'x-requested-by: cli' "
+ )
- $machine->succeed("curl -X POST "
- . "-sSfL http://127.0.0.1:9000/api/system/inputs -u $session:session "
- . "-d \$(cat ${payloads.input} | sed -e \"s,\@node\@,\$(cat /var/lib/graylog/server/node-id),\") "
- . "-H 'Accept: application/json' "
- . "-H 'Content-Type: application/json' "
- . "-H 'x-requested-by: cli' "
- );
+ machine.wait_until_succeeds(
+ "test \"$(curl -sSfL 'http://127.0.0.1:9000/api/cluster/inputstates' "
+ + f"-u {session}:session "
+ + "-H 'Accept: application/json' "
+ + "-H 'Content-Type: application/json' "
+ + "-H 'x-requested-by: cli'"
+ + "| jq 'to_entries[]|.value|.[0]|.state' | xargs echo"
+ + ')" = "RUNNING"'
+ )
- $machine->waitUntilSucceeds("test \"\$(curl -sSfL 'http://127.0.0.1:9000/api/cluster/inputstates' "
- . "-u $session:session "
- . "-H 'Accept: application/json' "
- . "-H 'Content-Type: application/json' "
- . "-H 'x-requested-by: cli'"
- . "| jq 'to_entries[]|.value|.[0]|.state' | xargs echo"
- . ")\" = \"RUNNING\""
- );
+ machine.succeed(
+ "echo -n $(cat ${payloads.gelf_message}) | nc -w10 -u 127.0.0.1 12201"
+ )
- $machine->succeed("echo -n \$(cat ${payloads.gelf_message}) | nc -w10 -u 127.0.0.1 12201");
-
- $machine->succeed("test \"\$(curl -X GET "
- . "-sSfL 'http://127.0.0.1:9000/api/search/universal/relative?query=*' "
- . "-u $session:session "
- . "-H 'Accept: application/json' "
- . "-H 'Content-Type: application/json' "
- . "-H 'x-requested-by: cli'"
- . " | jq '.total_results' | xargs echo)\" = \"1\""
- );
+ machine.succeed(
+ 'test "$(curl -X GET '
+ + "-sSfL 'http://127.0.0.1:9000/api/search/universal/relative?query=*' "
+ + f"-u {session}:session "
+ + "-H 'Accept: application/json' "
+ + "-H 'Content-Type: application/json' "
+ + "-H 'x-requested-by: cli'"
+ + ' | jq \'.total_results\' | xargs echo)" = "1"'
+ )
'';
})
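Review bot: The request bodies are passed as `-d $(cat ${payloads.login})` and `echo -n $(cat ${payloads.gelf_message})` with the command substitution unquoted, so the shell splits the JSON on whitespace and curl would take everything after the first space as further arguments. The calls work only as long as the serialised payloads contain no spaces or glob characters; the payload definitions are above the hunk, so I cannot confirm that from here. For the login request curl can read the file itself, `+ "-d @${payloads.login} "`, as the gitlab test in this commit does with `-d @${auth}`. The `sed` variant for the input payload needs double quotes around the outer `$(…)` instead.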
diff --git a/nixpkgs/nixos/tests/handbrake.nix b/nixpkgs/nixos/tests/handbrake.nix
index ae87e1f69a7..e5fb6b269b1 100644
--- a/nixpkgs/nixos/tests/handbrake.nix
+++ b/nixpkgs/nixos/tests/handbrake.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }:
+import ./make-test-python.nix ({ pkgs, ... }:
let
# Download Big Buck Bunny example, licensed under CC Attribution 3.0.
testMkv = pkgs.fetchurl {
@@ -19,7 +19,13 @@ in {
testScript = ''
# Test MP4 and MKV transcoding. Since this is a short clip, transcoding typically
# only takes a few seconds.
- $machine->succeed("HandBrakeCLI -i ${testMkv} -o test.mp4 -e x264 -q 20 -B 160");
- $machine->succeed("HandBrakeCLI -i ${testMkv} -o test.mkv -e x264 -q 20 -B 160");
+ start_all()
+
+ machine.succeed(
+ "HandBrakeCLI -i ${testMkv} -o test.mp4 -e x264 -q 20 -B 160"
+ )
+ machine.succeed(
+ "HandBrakeCLI -i ${testMkv} -o test.mkv -e x264 -q 20 -B 160"
+ )
'';
})
diff --git a/nixpkgs/nixos/tests/haproxy.nix b/nixpkgs/nixos/tests/haproxy.nix
index 22a83e9d1ea..72e77a68193 100644
--- a/nixpkgs/nixos/tests/haproxy.nix
+++ b/nixpkgs/nixos/tests/haproxy.nix
@@ -16,6 +16,8 @@ import ./make-test.nix ({ pkgs, ...}: {
frontend http
bind *:80
mode http
+ option http-use-htx
+ http-request use-service prometheus-exporter if { path /metrics }
use_backend http_server
'';
};
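Review bot: The exporter rule is added to the `http` frontend that binds `*:80`, so `/metrics` is served to the same clients as the site itself. That is fine inside the VM test, but test configurations tend to be copied. A comment in the config such as `# test only: serve the exporter from a separate, restricted frontend elsewhere` would keep the shortcut from being reused as-is. The frontend block starts above the hunk.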
@@ -36,6 +38,6 @@ import ./make-test.nix ({ pkgs, ...}: {
$machine->waitForUnit('haproxy.service');
$machine->waitForUnit('httpd.service');
$machine->succeed('curl -k http://localhost:80/index.txt | grep "We are all good!"');
-
+ $machine->succeed('curl -k http://localhost:80/metrics | grep haproxy_process_pool_allocated_bytes');
'';
})
diff --git a/nixpkgs/nixos/tests/hibernate.nix b/nixpkgs/nixos/tests/hibernate.nix
index 274aa7becc8..8251c6e7ef8 100644
--- a/nixpkgs/nixos/tests/hibernate.nix
+++ b/nixpkgs/nixos/tests/hibernate.nix
@@ -1,6 +1,6 @@
# Test whether hibernation from partition works.
-import ./make-test.nix (pkgs: {
+import ./make-test-python.nix (pkgs: {
name = "hibernate";
nodes = {
@@ -28,16 +28,17 @@ import ./make-test.nix (pkgs: {
testScript =
''
- $machine->waitForUnit("multi-user.target");
- $machine->succeed("mkswap /dev/vdb");
- $machine->succeed("swapon -a");
- $machine->startJob("listener");
- $machine->waitForOpenPort(4444);
- $machine->succeed("systemctl hibernate &");
- $machine->waitForShutdown;
- $probe->waitForUnit("multi-user.target");
- $machine->start;
- $probe->waitUntilSucceeds("echo test | nc machine 4444 -N");
+ machine.start()
+ machine.wait_for_unit("multi-user.target")
+ machine.succeed("mkswap /dev/vdb")
+ machine.succeed("swapon -a")
+ machine.start_job("listener")
+ machine.wait_for_open_port(4444)
+ machine.succeed("systemctl hibernate &")
+ machine.wait_for_shutdown()
+ probe.wait_for_unit("multi-user.target")
+ machine.start()
+ probe.wait_until_succeeds("echo test | nc machine 4444 -N")
'';
})
diff --git a/nixpkgs/nixos/tests/hound.nix b/nixpkgs/nixos/tests/hound.nix
index cb8e25332c0..27c65abdf27 100644
--- a/nixpkgs/nixos/tests/hound.nix
+++ b/nixpkgs/nixos/tests/hound.nix
@@ -1,5 +1,5 @@
# Test whether `houndd` indexes nixpkgs
-import ./make-test.nix ({ pkgs, ... } : {
+import ./make-test-python.nix ({ pkgs, ... } : {
name = "hound";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ grahamc ];
@@ -46,13 +46,14 @@ import ./make-test.nix ({ pkgs, ... } : {
};
};
- testScript =
- '' startAll;
+ testScript = ''
+ start_all()
- $machine->waitForUnit("network.target");
- $machine->waitForUnit("hound.service");
- $machine->waitForOpenPort(6080);
- $machine->waitUntilSucceeds('curl http://127.0.0.1:6080/api/v1/search\?stats\=fosho\&repos\=\*\&rng=%3A20\&q\=hi\&files\=\&i=nope | grep "Filename" | grep "hello"');
-
- '';
+ machine.wait_for_unit("network.target")
+ machine.wait_for_unit("hound.service")
+ machine.wait_for_open_port(6080)
+ machine.wait_until_succeeds(
+ "curl http://127.0.0.1:6080/api/v1/search\?stats\=fosho\&repos\=\*\&rng=%3A20\&q\=hi\&files\=\&i=nope | grep 'Filename' | grep 'hello'"
+ )
+ '';
})
diff --git a/nixpkgs/nixos/tests/icingaweb2.nix b/nixpkgs/nixos/tests/icingaweb2.nix
index ea1b94c526b..2f65604539c 100644
--- a/nixpkgs/nixos/tests/icingaweb2.nix
+++ b/nixpkgs/nixos/tests/icingaweb2.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }: {
+import ./make-test-python.nix ({ pkgs, ... }: {
name = "icingaweb2";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ das_j ];
@@ -64,8 +64,8 @@ import ./make-test.nix ({ pkgs, ... }: {
};
testScript = ''
- startAll();
- $icingaweb2->waitForUnit("multi-user.target");
- $icingaweb2->succeed("curl -sSf http://icingaweb2/authentication/login");
+ start_all()
+ icingaweb2.wait_for_unit("multi-user.target")
+ icingaweb2.succeed("curl -sSf http://icingaweb2/authentication/login")
'';
})
diff --git a/nixpkgs/nixos/tests/iftop.nix b/nixpkgs/nixos/tests/iftop.nix
index a4f524ceb27..8a161027c2a 100644
--- a/nixpkgs/nixos/tests/iftop.nix
+++ b/nixpkgs/nixos/tests/iftop.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, lib, ... }:
+import ./make-test-python.nix ({ pkgs, lib, ... }:
with lib;
@@ -18,17 +18,16 @@ with lib;
};
testScript = ''
- subtest "machine with iftop enabled", sub {
- $withIftop->waitForUnit("default.target");
- # limit to eth1 (eth0 is the test driver's control interface)
- # and don't try name lookups
- $withIftop->succeed("su -l alice -c 'iftop -t -s 1 -n -i eth1'");
- };
- subtest "machine without iftop", sub {
- $withoutIftop->waitForUnit("default.target");
- # check that iftop is there but user alice lacks capabilities
- $withoutIftop->succeed("iftop -t -s 1 -n -i eth1");
- $withoutIftop->fail("su -l alice -c 'iftop -t -s 1 -n -i eth1'");
- };
+ with subtest("machine with iftop enabled"):
+ withIftop.wait_for_unit("default.target")
+ # limit to eth1 (eth0 is the test driver's control interface)
+ # and don't try name lookups
+ withIftop.succeed("su -l alice -c 'iftop -t -s 1 -n -i eth1'")
+
+ with subtest("machine without iftop"):
+ withoutIftop.wait_for_unit("default.target")
+ # check that iftop is there but user alice lacks capabilitie
+ withoutIftop.succeed("iftop -t -s 1 -n -i eth1")
+ withoutIftop.fail("su -l alice -c 'iftop -t -s 1 -n -i eth1'")
'';
})
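Review bot: The re-indented comment in the second subtest lost its last letter and now reads `lacks capabilitie`; it should be `# check that iftop is there but user alice lacks capabilities`. That comment is the only explanation of why the root call succeeds and the `su -l alice` call must fail, so it is worth keeping intact.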
diff --git a/nixpkgs/nixos/tests/incron.nix b/nixpkgs/nixos/tests/incron.nix
index e39bbb5f096..b22ee4c9a03 100644
--- a/nixpkgs/nixos/tests/incron.nix
+++ b/nixpkgs/nixos/tests/incron.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, lib, ... }:
+import ./make-test-python.nix ({ pkgs, lib, ... }:
{
name = "incron";
@@ -19,34 +19,34 @@ import ./make-test.nix ({ pkgs, lib, ... }:
};
testScript = ''
- startAll;
+ start_all()
- $machine->waitForUnit("multi-user.target");
- $machine->waitForUnit("incron.service");
+ machine.wait_for_unit("multi-user.target")
+ machine.wait_for_unit("incron.service")
- $machine->succeed("test -d /test");
+ machine.succeed("test -d /test")
# create some activity for incron to monitor
- $machine->succeed("touch /test/file");
- $machine->succeed("echo foo >> /test/file");
- $machine->succeed("mv /test/file /root");
- $machine->succeed("mv /root/file /test");
+ machine.succeed("touch /test/file")
+ machine.succeed("echo foo >> /test/file")
+ machine.succeed("mv /test/file /root")
+ machine.succeed("mv /root/file /test")
- $machine->sleep(1);
+ machine.sleep(1)
# touch /test/file
- $machine->succeed("grep '/test/file IN_CREATE' /root/incron.log");
+ machine.succeed("grep '/test/file IN_CREATE' /root/incron.log")
# echo foo >> /test/file
- $machine->succeed("grep '/test/file IN_MODIFY' /root/incron.log");
- $machine->succeed("grep '/test/file IN_CLOSE_WRITE' /root/incron.log");
+ machine.succeed("grep '/test/file IN_MODIFY' /root/incron.log")
+ machine.succeed("grep '/test/file IN_CLOSE_WRITE' /root/incron.log")
# mv /test/file /root
- $machine->succeed("grep '/test/file IN_MOVED_FROM' /root/incron.log");
+ machine.succeed("grep '/test/file IN_MOVED_FROM' /root/incron.log")
# mv /root/file /test
- $machine->succeed("grep '/test/file IN_MOVED_TO' /root/incron.log");
+ machine.succeed("grep '/test/file IN_MOVED_TO' /root/incron.log")
# ensure something unexpected is not present
- $machine->fail("grep 'IN_OPEN' /root/incron.log");
+ machine.fail("grep 'IN_OPEN' /root/incron.log")
'';
})
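Review bot: The log checks run after a fixed `machine.sleep(1)`, so they fail whenever the events take longer than a second to reach `/root/incron.log`, for instance on a loaded builder. Polling for the last expected event removes the timing assumption: replace the sleep with `machine.wait_until_succeeds("grep '/test/file IN_MOVED_TO' /root/incron.log")` and keep the remaining `succeed` greps as they are. The closing `machine.fail("grep 'IN_OPEN' /root/incron.log")` also passes when the log has not been written yet, so it should stay after the polled check.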
diff --git a/nixpkgs/nixos/tests/influxdb.nix b/nixpkgs/nixos/tests/influxdb.nix
index 61201202204..04ef8046101 100644
--- a/nixpkgs/nixos/tests/influxdb.nix
+++ b/nixpkgs/nixos/tests/influxdb.nix
@@ -1,6 +1,6 @@
# This test runs influxdb and checks if influxdb is up and running
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "influxdb";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ offline ];
@@ -9,25 +9,32 @@ import ./make-test.nix ({ pkgs, ...} : {
nodes = {
one = { ... }: {
services.influxdb.enable = true;
+ environment.systemPackages = [ pkgs.httpie ];
};
};
testScript = ''
- startAll;
-
- $one->waitForUnit("influxdb.service");
+ import shlex
+
+ start_all()
+
+ one.wait_for_unit("influxdb.service")
# create database
- $one->succeed(q~
- curl -XPOST http://localhost:8086/query --data-urlencode "q=CREATE DATABASE test"
- ~);
+ one.succeed(
+ "curl -XPOST http://localhost:8086/query --data-urlencode 'q=CREATE DATABASE test'"
+ )
# write some points and run simple query
- $one->succeed(q~
- curl -XPOST 'http://localhost:8086/write?db=test' --data-binary 'cpu_load_short,host=server01,region=us-west value=0.64 1434055562000000000'
- ~);
- $one->succeed(q~
- curl -GET 'http://localhost:8086/query' --data-urlencode "db=test" --data-urlencode "q=SELECT \"value\" FROM \"cpu_load_short\" WHERE \"region\"='us-west'" | grep "0\.64"
- ~);
+ out = one.succeed(
+ "curl -XPOST 'http://localhost:8086/write?db=test' --data-binary 'cpu_load_short,host=server01,region=us-west value=0.64 1434055562000000000'"
+ )
+
+ qv = "SELECT value FROM cpu_load_short WHERE region='us-west'"
+ cmd = f'curl -GET "http://localhost:8086/query?db=test" --data-urlencode {shlex.quote("q="+ qv)}'
+ out = one.succeed(cmd)
+
+ assert "2015-06-11T20:46:02Z" in out
+ assert "0.64" in out
'';
})
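Review bot: `environment.systemPackages = [ pkgs.httpie ];` is added to the node, but the script only calls `curl`, so the package enters the test closure without being used and can be dropped. The first `out = one.succeed(…)` for the write request is likewise never read before `out` is reassigned. `curl -GET` is carried over from the old script; as far as I can tell curl parses it as `-G` followed by `-E T`, so plain `-G` states the intent.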
diff --git a/nixpkgs/nixos/tests/initrd-network-ssh/default.nix b/nixpkgs/nixos/tests/initrd-network-ssh/default.nix
index 796c50c610e..73d9f938e22 100644
--- a/nixpkgs/nixos/tests/initrd-network-ssh/default.nix
+++ b/nixpkgs/nixos/tests/initrd-network-ssh/default.nix
@@ -1,4 +1,4 @@
-import ../make-test.nix ({ lib, ... }:
+import ../make-test-python.nix ({ lib, ... }:
{
name = "initrd-network-ssh";
@@ -35,25 +35,31 @@ import ../make-test.nix ({ lib, ... }:
client =
{ config, ... }:
{
- environment.etc.knownHosts = {
- text = concatStrings [
- "server,"
- "${toString (head (splitString " " (
- toString (elemAt (splitString "\n" config.networking.extraHosts) 2)
- )))} "
- "${readFile ./dropbear.pub}"
- ];
+ environment.etc = {
+ knownHosts = {
+ text = concatStrings [
+ "server,"
+ "${toString (head (splitString " " (
+ toString (elemAt (splitString "\n" config.networking.extraHosts) 2)
+ )))} "
+ "${readFile ./dropbear.pub}"
+ ];
+ };
+ sshKey = {
+ source = ./openssh.priv; # dont use this anywhere else
+ mode = "0600";
+ };
};
};
};
testScript = ''
- startAll;
- $client->waitForUnit("network.target");
- $client->copyFileFromHost("${./openssh.priv}","/etc/sshKey");
- $client->succeed("chmod 0600 /etc/sshKey");
- $client->waitUntilSucceeds("ping -c 1 server");
- $client->succeed("ssh -i /etc/sshKey -o UserKnownHostsFile=/etc/knownHosts server 'touch /fnord'");
- $client->shutdown;
+ start_all()
+ client.wait_for_unit("network.target")
+ client.wait_until_succeeds("ping -c 1 server")
+ client.succeed(
+ "ssh -i /etc/sshKey -o UserKnownHostsFile=/etc/knownHosts server 'touch /fnord'"
+ )
+ client.shutdown()
'';
})
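Review bot: The comment on `source = ./openssh.priv;` undersells why the key must stay confined to this test. Referencing the file from Nix copies it into the world-readable Nix store, and `mode = "0600"` only restricts the copy placed at `/etc/sshKey`. I would spell that out, e.g. `# test-only key: committed to the repo and readable in the Nix store, never authorize it outside this test`. The enclosing test expression starts outside this hunk.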
diff --git a/nixpkgs/nixos/tests/installed-tests/colord.nix b/nixpkgs/nixos/tests/installed-tests/colord.nix
new file mode 100644
index 00000000000..77e6b917fe6
--- /dev/null
+++ b/nixpkgs/nixos/tests/installed-tests/colord.nix
@@ -0,0 +1,5 @@
+{ pkgs, makeInstalledTest, ... }:
+
+makeInstalledTest {
+ tested = pkgs.colord;
+}
diff --git a/nixpkgs/nixos/tests/installed-tests/default.nix b/nixpkgs/nixos/tests/installed-tests/default.nix
new file mode 100644
index 00000000000..f4780bdcfc9
--- /dev/null
+++ b/nixpkgs/nixos/tests/installed-tests/default.nix
@@ -0,0 +1,80 @@
+# NixOS tests for gnome-desktop-testing-runner using software
+# See https://wiki.gnome.org/Initiatives/GnomeGoals/InstalledTests
+
+{ system ? builtins.currentSystem,
+ config ? {},
+ pkgs ? import ../../.. { inherit system config; }
+}:
+
+with import ../../lib/testing-python.nix { inherit system pkgs; };
+with pkgs.lib;
+
+let
+
+ callInstalledTest = pkgs.newScope { inherit makeInstalledTest; };
+
+ makeInstalledTest =
+ { # Package to test. Needs to have an installedTests output
+ tested
+
+ # Config to inject into machine
+ , testConfig ? {}
+
+ # Test script snippet to inject before gnome-desktop-testing-runner begins.
+ # This is useful for extra setup the environment may need before the runner begins.
+ , preTestScript ? ""
+
+ # Does test need X11?
+ , withX11 ? false
+
+ # Extra flags to pass to gnome-desktop-testing-runner.
+ , testRunnerFlags ? ""
+ }:
+ makeTest rec {
+ name = tested.name;
+
+ meta = {
+ maintainers = tested.meta.maintainers;
+ };
+
+ machine = { ... }: {
+ imports = [
+ testConfig
+ ] ++ optional withX11 ../common/x11.nix;
+
+ environment.systemPackages = with pkgs; [ gnome-desktop-testing ];
+
+ };
+
+ testScript =
+ optionalString withX11 ''
+ machine.wait_for_x()
+ '' +
+ optionalString (preTestScript != "") ''
+ ${preTestScript}
+ '' +
+ ''
+ machine.succeed(
+ "gnome-desktop-testing-runner ${testRunnerFlags} -d '${tested.installedTests}/share'"
+ )
+ '';
+ };
+
+in
+
+{
+ colord = callInstalledTest ./colord.nix {};
+ flatpak = callInstalledTest ./flatpak.nix {};
+ flatpak-builder = callInstalledTest ./flatpak-builder.nix {};
+ fwupd = callInstalledTest ./fwupd.nix {};
+ gcab = callInstalledTest ./gcab.nix {};
+ gdk-pixbuf = callInstalledTest ./gdk-pixbuf.nix {};
+ gjs = callInstalledTest ./gjs.nix {};
+ glib-networking = callInstalledTest ./glib-networking.nix {};
+ gnome-photos = callInstalledTest ./gnome-photos.nix {};
+ graphene = callInstalledTest ./graphene.nix {};
+ libgdata = callInstalledTest ./libgdata.nix {};
+ libxmlb = callInstalledTest ./libxmlb.nix {};
+ ostree = callInstalledTest ./ostree.nix {};
+ xdg-desktop-portal = callInstalledTest ./xdg-desktop-portal.nix {};
+}
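Review bot: `testRunnerFlags` and `tested.installedTests` are spliced verbatim into a double-quoted Python string that is then run as a shell command, and `preTestScript` is pasted into the script as-is, but the argument comments do not say so. A flag value containing a double quote or a backslash would break the generated script rather than reach the runner. I would extend the comment to `# Extra flags to pass to gnome-desktop-testing-runner. Inserted verbatim into a double-quoted Python string, so no double quotes or backslashes.` Separately, `makeTest rec { ... }` does not appear to need `rec`, since no attribute in the set refers to another.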
diff --git a/nixpkgs/nixos/tests/installed-tests/flatpak-builder.nix b/nixpkgs/nixos/tests/installed-tests/flatpak-builder.nix
new file mode 100644
index 00000000000..31b9f2b258f
--- /dev/null
+++ b/nixpkgs/nixos/tests/installed-tests/flatpak-builder.nix
@@ -0,0 +1,14 @@
+{ pkgs, makeInstalledTest, ... }:
+
+makeInstalledTest {
+ tested = pkgs.flatpak-builder;
+
+ testConfig = {
+ services.flatpak.enable = true;
+ xdg.portal.enable = true;
+ environment.systemPackages = with pkgs; [ flatpak-builder ] ++ flatpak-builder.installedTestsDependencies;
+ virtualisation.diskSize = 2048;
+ };
+
+ testRunnerFlags = "--timeout 3600";
+}
diff --git a/nixpkgs/nixos/tests/installed-tests/flatpak.nix b/nixpkgs/nixos/tests/installed-tests/flatpak.nix
new file mode 100644
index 00000000000..091c9932662
--- /dev/null
+++ b/nixpkgs/nixos/tests/installed-tests/flatpak.nix
@@ -0,0 +1,19 @@
+{ pkgs, makeInstalledTest, ... }:
+
+makeInstalledTest {
+ tested = pkgs.flatpak;
+ withX11 = true;
+
+ testConfig = {
+ services.xserver.desktopManager.gnome3.enable = true; # TODO: figure out minimal environment where the tests work
+ # common/x11.nix enables the auto display manager (lightdm)
+ services.xserver.displayManager.gdm.enable = false;
+ services.gnome3.core-utilities.enable = false;
+ services.flatpak.enable = true;
+ environment.systemPackages = with pkgs; [ gnupg ostree python2 ];
+ virtualisation.memorySize = 2047;
+ virtualisation.diskSize = 1024;
+ };
+
+ testRunnerFlags = "--timeout 3600";
+}
diff --git a/nixpkgs/nixos/tests/installed-tests/fwupd.nix b/nixpkgs/nixos/tests/installed-tests/fwupd.nix
new file mode 100644
index 00000000000..b9f761e9958
--- /dev/null
+++ b/nixpkgs/nixos/tests/installed-tests/fwupd.nix
@@ -0,0 +1,12 @@
+{ pkgs, makeInstalledTest, ... }:
+
+makeInstalledTest {
+ tested = pkgs.fwupd;
+
+ testConfig = {
+ services.fwupd.enable = true;
+ services.fwupd.blacklistPlugins = []; # don't blacklist test plugin
+ services.fwupd.enableTestRemote = true;
+ virtualisation.memorySize = 768;
+ };
+}
diff --git a/nixpkgs/nixos/tests/installed-tests/gcab.nix b/nixpkgs/nixos/tests/installed-tests/gcab.nix
new file mode 100644
index 00000000000..b24cc2e0126
--- /dev/null
+++ b/nixpkgs/nixos/tests/installed-tests/gcab.nix
@@ -0,0 +1,5 @@
+{ pkgs, makeInstalledTest, ... }:
+
+makeInstalledTest {
+ tested = pkgs.gcab;
+}
diff --git a/nixpkgs/nixos/tests/installed-tests/gdk-pixbuf.nix b/nixpkgs/nixos/tests/installed-tests/gdk-pixbuf.nix
new file mode 100644
index 00000000000..3d0011a427a
--- /dev/null
+++ b/nixpkgs/nixos/tests/installed-tests/gdk-pixbuf.nix
@@ -0,0 +1,13 @@
+{ pkgs, makeInstalledTest, ... }:
+
+makeInstalledTest {
+ tested = pkgs.gdk-pixbuf;
+
+ testConfig = {
+ # Tests allocate a lot of memory trying to exploit a CVE
+ # but qemu-system-i386 has a 2047M memory limit
+ virtualisation.memorySize = if pkgs.stdenv.isi686 then 2047 else 4096;
+ };
+
+ testRunnerFlags = "--timeout 1800";
+}
diff --git a/nixpkgs/nixos/tests/installed-tests/gjs.nix b/nixpkgs/nixos/tests/installed-tests/gjs.nix
new file mode 100644
index 00000000000..1656e9de171
--- /dev/null
+++ b/nixpkgs/nixos/tests/installed-tests/gjs.nix
@@ -0,0 +1,6 @@
+{ pkgs, makeInstalledTest, ... }:
+
+makeInstalledTest {
+ tested = pkgs.gjs;
+ withX11 = true;
+}
diff --git a/nixpkgs/nixos/tests/installed-tests/glib-networking.nix b/nixpkgs/nixos/tests/installed-tests/glib-networking.nix
new file mode 100644
index 00000000000..b58d4df21fc
--- /dev/null
+++ b/nixpkgs/nixos/tests/installed-tests/glib-networking.nix
@@ -0,0 +1,5 @@
+{ pkgs, makeInstalledTest, ... }:
+
+makeInstalledTest {
+ tested = pkgs.glib-networking;
+}
diff --git a/nixpkgs/nixos/tests/installed-tests/gnome-photos.nix b/nixpkgs/nixos/tests/installed-tests/gnome-photos.nix
new file mode 100644
index 00000000000..05e7ccb65ad
--- /dev/null
+++ b/nixpkgs/nixos/tests/installed-tests/gnome-photos.nix
@@ -0,0 +1,35 @@
+{ pkgs, makeInstalledTest, ... }:
+
+makeInstalledTest {
+ tested = pkgs.gnome-photos;
+
+ withX11 = true;
+
+ testConfig = {
+ programs.dconf.enable = true;
+ services.gnome3.at-spi2-core.enable = true; # needed for dogtail
+ environment.systemPackages = with pkgs; [
+ # gsettings tool with access to gsettings-desktop-schemas
+ (stdenv.mkDerivation {
+ name = "desktop-gsettings";
+ dontUnpack = true;
+ nativeBuildInputs = [ glib wrapGAppsHook ];
+ buildInputs = [ gsettings-desktop-schemas ];
+ installPhase = ''
+ runHook preInstall
+ mkdir -p $out/bin
+ ln -s ${glib.bin}/bin/gsettings $out/bin/desktop-gsettings
+ runHook postInstall
+ '';
+ })
+ ];
+ services.dbus.packages = with pkgs; [ gnome-photos ];
+ };
+
+ preTestScript = ''
+ # dogtail needs accessibility enabled
+ machine.succeed(
+ "desktop-gsettings set org.gnome.desktop.interface toolkit-accessibility true 2>&1"
+ )
+ '';
+}
diff --git a/nixpkgs/nixos/tests/installed-tests/graphene.nix b/nixpkgs/nixos/tests/installed-tests/graphene.nix
new file mode 100644
index 00000000000..e43339abd88
--- /dev/null
+++ b/nixpkgs/nixos/tests/installed-tests/graphene.nix
@@ -0,0 +1,5 @@
+{ pkgs, makeInstalledTest, ... }:
+
+makeInstalledTest {
+ tested = pkgs.graphene;
+}
diff --git a/nixpkgs/nixos/tests/installed-tests/libgdata.nix b/nixpkgs/nixos/tests/installed-tests/libgdata.nix
new file mode 100644
index 00000000000..f11a7bc1bc5
--- /dev/null
+++ b/nixpkgs/nixos/tests/installed-tests/libgdata.nix
@@ -0,0 +1,11 @@
+{ pkgs, makeInstalledTest, ... }:
+
+makeInstalledTest {
+ tested = pkgs.libgdata;
+
+ testConfig = {
+ # # GLib-GIO-DEBUG: _g_io_module_get_default: Found default implementation dummy (GDummyTlsBackend) for ‘gio-tls-backend’
+ # Bail out! libgdata:ERROR:../gdata/tests/common.c:134:gdata_test_init: assertion failed (child_error == NULL): TLS support is not available (g-tls-error-quark, 0)
+ services.gnome3.glib-networking.enable = true;
+ };
+}
diff --git a/nixpkgs/nixos/tests/installed-tests/libxmlb.nix b/nixpkgs/nixos/tests/installed-tests/libxmlb.nix
new file mode 100644
index 00000000000..af2bbe9c35e
--- /dev/null
+++ b/nixpkgs/nixos/tests/installed-tests/libxmlb.nix
@@ -0,0 +1,5 @@
+{ pkgs, makeInstalledTest, ... }:
+
+makeInstalledTest {
+ tested = pkgs.libxmlb;
+}
diff --git a/nixpkgs/nixos/tests/installed-tests/ostree.nix b/nixpkgs/nixos/tests/installed-tests/ostree.nix
new file mode 100644
index 00000000000..eef7cace54c
--- /dev/null
+++ b/nixpkgs/nixos/tests/installed-tests/ostree.nix
@@ -0,0 +1,23 @@
+{ pkgs, lib, makeInstalledTest, ... }:
+
+makeInstalledTest {
+ tested = pkgs.ostree;
+
+ # TODO: Wrap/patch the tests directly in the package
+ testConfig = {
+ environment.systemPackages = with pkgs; [
+ (python3.withPackages (p: with p; [ pyyaml ]))
+ gnupg
+ ostree
+ ];
+
+ # for GJS tests
+ environment.variables.GI_TYPELIB_PATH = lib.makeSearchPath "lib/girepository-1.0" (with pkgs; [
+ gtk3
+ pango.out
+ ostree
+ gdk-pixbuf
+ atk
+ ]);
+ };
+}
diff --git a/nixpkgs/nixos/tests/installed-tests/xdg-desktop-portal.nix b/nixpkgs/nixos/tests/installed-tests/xdg-desktop-portal.nix
new file mode 100644
index 00000000000..b16008ff4ad
--- /dev/null
+++ b/nixpkgs/nixos/tests/installed-tests/xdg-desktop-portal.nix
@@ -0,0 +1,5 @@
+{ pkgs, makeInstalledTest, ... }:
+
+makeInstalledTest {
+ tested = pkgs.xdg-desktop-portal;
+}
diff --git a/nixpkgs/nixos/tests/installer.nix b/nixpkgs/nixos/tests/installer.nix
index a136678c6ef..eb1f4f192dd 100644
--- a/nixpkgs/nixos/tests/installer.nix
+++ b/nixpkgs/nixos/tests/installer.nix
@@ -54,8 +54,6 @@ let
hardware.enableAllFirmware = lib.mkForce false;
- services.udisks2.enable = lib.mkDefault false;
-
${replaceChars ["\n"] ["\n "] extraConfig}
}
'';
@@ -295,8 +293,6 @@ let
++ optional (bootLoader == "grub" && grubVersion == 1) pkgs.grub
++ optionals (bootLoader == "grub" && grubVersion == 2) [ pkgs.grub2 pkgs.grub2_efi ];
- services.udisks2.enable = mkDefault false;
-
nix.binaryCaches = mkForce [ ];
nix.extraOptions =
''
diff --git a/nixpkgs/nixos/tests/jackett.nix b/nixpkgs/nixos/tests/jackett.nix
index c749c32ad04..0a706c99b99 100644
--- a/nixpkgs/nixos/tests/jackett.nix
+++ b/nixpkgs/nixos/tests/jackett.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ lib, ... }:
+import ./make-test-python.nix ({ lib, ... }:
with lib;
@@ -11,8 +11,9 @@ with lib;
{ services.jackett.enable = true; };
testScript = ''
- $machine->waitForUnit('jackett.service');
- $machine->waitForOpenPort('9117');
- $machine->succeed("curl --fail http://localhost:9117/");
+ machine.start()
+ machine.wait_for_unit("jackett.service")
+ machine.wait_for_open_port(9117)
+ machine.succeed("curl --fail http://localhost:9117/")
'';
})
diff --git a/nixpkgs/nixos/tests/jellyfin.nix b/nixpkgs/nixos/tests/jellyfin.nix
index b60c6eb94f4..65360624d48 100644
--- a/nixpkgs/nixos/tests/jellyfin.nix
+++ b/nixpkgs/nixos/tests/jellyfin.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ lib, ...}:
+import ./make-test-python.nix ({ lib, ...}:
{
name = "jellyfin";
@@ -9,8 +9,8 @@ import ./make-test.nix ({ lib, ...}:
{ services.jellyfin.enable = true; };
testScript = ''
- $machine->waitForUnit('jellyfin.service');
- $machine->waitForOpenPort('8096');
- $machine->succeed("curl --fail http://localhost:8096/");
+ machine.wait_for_unit("jellyfin.service")
+ machine.wait_for_open_port(8096)
+ machine.succeed("curl --fail http://localhost:8096/")
'';
})
diff --git a/nixpkgs/nixos/tests/jenkins.nix b/nixpkgs/nixos/tests/jenkins.nix
index a6eec411ff2..cd64ff51287 100644
--- a/nixpkgs/nixos/tests/jenkins.nix
+++ b/nixpkgs/nixos/tests/jenkins.nix
@@ -3,7 +3,7 @@
# 2. jenkins user can be extended on both master and slave
# 3. jenkins service not started on slave node
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "jenkins";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ bjornfor coconnor domenkozar eelco ];
@@ -33,18 +33,17 @@ import ./make-test.nix ({ pkgs, ...} : {
};
testScript = ''
- startAll;
+ start_all()
- $master->waitForUnit("jenkins");
+ master.wait_for_unit("jenkins")
- $master->mustSucceed("curl http://localhost:8080 | grep 'Authentication required'");
+ assert "Authentication required" in master.succeed("curl http://localhost:8080")
- print $master->execute("sudo -u jenkins groups");
- $master->mustSucceed("sudo -u jenkins groups | grep jenkins | grep users");
+ for host in master, slave:
+ groups = host.succeed("sudo -u jenkins groups")
+ assert "jenkins" in groups
+ assert "users" in groups
- print $slave->execute("sudo -u jenkins groups");
- $slave->mustSucceed("sudo -u jenkins groups | grep jenkins | grep users");
-
- $slave->mustFail("systemctl is-enabled jenkins.service");
+ slave.fail("systemctl is-enabled jenkins.service")
'';
})
diff --git a/nixpkgs/nixos/tests/jormungandr.nix b/nixpkgs/nixos/tests/jormungandr.nix
deleted file mode 100644
index 2abafc53ce5..00000000000
--- a/nixpkgs/nixos/tests/jormungandr.nix
+++ /dev/null
@@ -1,77 +0,0 @@
-import ./make-test.nix ({ pkgs, ... }: {
- name = "jormungandr";
- meta = with pkgs.stdenv.lib.maintainers; {
- maintainers = [ mmahut ];
- };
-
- nodes = {
- # Testing the Byzantine Fault Tolerant protocol
- bft = { ... }: {
- environment.systemPackages = [ pkgs.jormungandr ];
- services.jormungandr.enable = true;
- services.jormungandr.genesisBlockFile = "/var/lib/jormungandr/block-0.bin";
- services.jormungandr.secretFile = "/etc/secrets/jormungandr.yaml";
- };
-
- # Testing the Ouroboros Genesis Praos protocol
- genesis = { ... }: {
- environment.systemPackages = [ pkgs.jormungandr ];
- services.jormungandr.enable = true;
- services.jormungandr.genesisBlockFile = "/var/lib/jormungandr/block-0.bin";
- services.jormungandr.secretFile = "/etc/secrets/jormungandr.yaml";
- };
- };
-
- testScript = ''
- startAll;
-
- ## Testing BFT
- # Let's wait for the StateDirectory
- $bft->waitForFile("/var/lib/jormungandr/");
-
- # First, we generate the genesis file for our new blockchain
- $bft->succeed("jcli genesis init > /root/genesis.yaml");
-
- # We need to generate our secret key
- $bft->succeed("jcli key generate --type=Ed25519 > /root/key.prv");
-
- # We include the secret key into our services.jormungandr.secretFile
- $bft->succeed("mkdir -p /etc/secrets");
- $bft->succeed("echo -e \"bft:\\n signing_key:\" \$(cat /root/key.prv) > /etc/secrets/jormungandr.yaml");
-
- # After that, we generate our public key from it
- $bft->succeed("cat /root/key.prv | jcli key to-public > /root/key.pub");
-
- # We add our public key as a consensus leader in the genesis configration file
- $bft->succeed("sed -ie \"s/ed25519_pk1vvwp2s0n5jl5f4xcjurp2e92sj2awehkrydrlas4vgqr7xzt33jsadha32/\$(cat /root/key.pub)/\" /root/genesis.yaml");
-
- # Now we can generate the genesis block from it
- $bft->succeed("jcli genesis encode --input /root/genesis.yaml --output /var/lib/jormungandr/block-0.bin");
-
- # We should have everything to start the service now
- $bft->succeed("systemctl restart jormungandr");
- $bft->waitForUnit("jormungandr.service");
-
- # Now we can test if we are able to reach the REST API
- $bft->waitUntilSucceeds("curl -L http://localhost:8607/api/v0/node/stats | grep uptime");
-
- ## Testing Genesis
- # Let's wait for the StateDirectory
- $genesis->waitForFile("/var/lib/jormungandr/");
-
- # Bootstraping the configuration
- $genesis->succeed("jormungandr-bootstrap -g -p 8607 -s 1");
-
- # Moving generated files in place
- $genesis->succeed("mkdir -p /etc/secrets");
- $genesis->succeed("mv pool-secret1.yaml /etc/secrets/jormungandr.yaml");
- $genesis->succeed("mv block-0.bin /var/lib/jormungandr/");
-
- # We should have everything to start the service now
- $genesis->succeed("systemctl restart jormungandr");
- $genesis->waitForUnit("jormungandr.service");
-
- # Now we can create and delegate an account
- $genesis->succeed("./create-account-and-delegate.sh | tee -a /tmp/delegate.log");
- '';
-})
diff --git a/nixpkgs/nixos/tests/kerberos/heimdal.nix b/nixpkgs/nixos/tests/kerberos/heimdal.nix
index a0551b131e9..8abae667d04 100644
--- a/nixpkgs/nixos/tests/kerberos/heimdal.nix
+++ b/nixpkgs/nixos/tests/kerberos/heimdal.nix
@@ -1,4 +1,4 @@
-import ../make-test.nix ({pkgs, ...}: {
+import ../make-test-python.nix ({pkgs, ...}: {
name = "kerberos_server-heimdal";
machine = { config, libs, pkgs, ...}:
{ services.kerberos_server =
@@ -23,31 +23,20 @@ import ../make-test.nix ({pkgs, ...}: {
};
testScript = ''
- $machine->start;
+ machine.succeed(
+ "kadmin -l init --realm-max-ticket-life='8 day' --realm-max-renewable-life='10 day' FOO.BAR",
+ "systemctl restart kadmind.service kdc.service",
+ )
- $machine->succeed(
- "kadmin -l init --realm-max-ticket-life='8 day' \\
- --realm-max-renewable-life='10 day' FOO.BAR"
- );
+ for unit in ["kadmind", "kdc", "kpasswdd"]:
+ machine.wait_for_unit(f"{unit}.service")
- $machine->succeed("systemctl restart kadmind.service kdc.service");
- $machine->waitForUnit("kadmind.service");
- $machine->waitForUnit("kdc.service");
- $machine->waitForUnit("kpasswdd.service");
-
- $machine->succeed(
- "kadmin -l add --password=admin_pw --use-defaults admin"
- );
- $machine->succeed(
- "kadmin -l ext_keytab --keytab=admin.keytab admin"
- );
- $machine->succeed(
- "kadmin -p admin -K admin.keytab add --password=alice_pw --use-defaults \\
- alice"
- );
- $machine->succeed(
- "kadmin -l ext_keytab --keytab=alice.keytab alice"
- );
- $machine->succeed("kinit -kt alice.keytab alice");
+ machine.succeed(
+ "kadmin -l add --password=admin_pw --use-defaults admin",
+ "kadmin -l ext_keytab --keytab=admin.keytab admin",
+ "kadmin -p admin -K admin.keytab add --password=alice_pw --use-defaults alice",
+ "kadmin -l ext_keytab --keytab=alice.keytab alice",
+ "kinit -kt alice.keytab alice",
+ )
'';
})
diff --git a/nixpkgs/nixos/tests/kerberos/mit.nix b/nixpkgs/nixos/tests/kerberos/mit.nix
index 6da3a384aa9..93b4020d499 100644
--- a/nixpkgs/nixos/tests/kerberos/mit.nix
+++ b/nixpkgs/nixos/tests/kerberos/mit.nix
@@ -1,4 +1,4 @@
-import ../make-test.nix ({pkgs, ...}: {
+import ../make-test-python.nix ({pkgs, ...}: {
name = "kerberos_server-mit";
machine = { config, libs, pkgs, ...}:
{ services.kerberos_server =
@@ -24,22 +24,18 @@ import ../make-test.nix ({pkgs, ...}: {
};
testScript = ''
- $machine->start;
+ machine.succeed(
+ "kdb5_util create -s -r FOO.BAR -P master_key",
+ "systemctl restart kadmind.service kdc.service",
+ )
- $machine->succeed(
- "kdb5_util create -s -r FOO.BAR -P master_key"
- );
+ for unit in ["kadmind", "kdc"]:
+ machine.wait_for_unit(f"{unit}.service")
- $machine->succeed("systemctl restart kadmind.service kdc.service");
- $machine->waitForUnit("kadmind.service");
- $machine->waitForUnit("kdc.service");
-
- $machine->succeed(
- "kadmin.local add_principal -pw admin_pw admin"
- );
- $machine->succeed(
- "kadmin -p admin -w admin_pw addprinc -pw alice_pw alice"
- );
- $machine->succeed("echo alice_pw | sudo -u alice kinit");
+ machine.succeed(
+ "kadmin.local add_principal -pw admin_pw admin",
+ "kadmin -p admin -w admin_pw addprinc -pw alice_pw alice",
+ "echo alice_pw | sudo -u alice kinit",
+ )
'';
})
diff --git a/nixpkgs/nixos/tests/kernel-latest.nix b/nixpkgs/nixos/tests/kernel-latest.nix
index f30bd2e2e76..f09d0926d22 100644
--- a/nixpkgs/nixos/tests/kernel-latest.nix
+++ b/nixpkgs/nixos/tests/kernel-latest.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "kernel-latest";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ nequissimus ];
@@ -11,7 +11,7 @@ import ./make-test.nix ({ pkgs, ...} : {
testScript =
''
- $machine->succeed("uname -s | grep 'Linux'");
- $machine->succeed("uname -a | grep '${pkgs.linuxPackages_latest.kernel.version}'");
+ assert "Linux" in machine.succeed("uname -s")
+ assert "${pkgs.linuxPackages_latest.kernel.version}" in machine.succeed("uname -a")
'';
})
diff --git a/nixpkgs/nixos/tests/kernel-lts.nix b/nixpkgs/nixos/tests/kernel-lts.nix
index 28717fa6a84..bad706d63c0 100644
--- a/nixpkgs/nixos/tests/kernel-lts.nix
+++ b/nixpkgs/nixos/tests/kernel-lts.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "kernel-lts";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ nequissimus ];
@@ -11,7 +11,7 @@ import ./make-test.nix ({ pkgs, ...} : {
testScript =
''
- $machine->succeed("uname -s | grep 'Linux'");
- $machine->succeed("uname -a | grep '${pkgs.linuxPackages.kernel.version}'");
+ assert "Linux" in machine.succeed("uname -s")
+ assert "${pkgs.linuxPackages.kernel.version}" in machine.succeed("uname -a")
'';
})
diff --git a/nixpkgs/nixos/tests/kernel-testing.nix b/nixpkgs/nixos/tests/kernel-testing.nix
index 276d2de12bb..b7e10ebd5bd 100644
--- a/nixpkgs/nixos/tests/kernel-testing.nix
+++ b/nixpkgs/nixos/tests/kernel-testing.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "kernel-testing";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ nequissimus ];
@@ -11,7 +11,7 @@ import ./make-test.nix ({ pkgs, ...} : {
testScript =
''
- $machine->succeed("uname -s | grep 'Linux'");
- $machine->succeed("uname -a | grep '${pkgs.linuxPackages_testing.kernel.modDirVersion}'");
+ assert "Linux" in machine.succeed("uname -s")
+ assert "${pkgs.linuxPackages_testing.kernel.modDirVersion}" in machine.succeed("uname -a")
'';
})
diff --git a/nixpkgs/nixos/tests/knot.nix b/nixpkgs/nixos/tests/knot.nix
index e46159836cc..0588cf86ac0 100644
--- a/nixpkgs/nixos/tests/knot.nix
+++ b/nixpkgs/nixos/tests/knot.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, lib, ...} :
+import ./make-test-python.nix ({ pkgs, lib, ...} :
let
common = {
networking.firewall.enable = false;
@@ -30,6 +30,10 @@ let
};
in {
name = "knot";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ hexa ];
+ };
+
nodes = {
master = { lib, ... }: {
@@ -161,37 +165,35 @@ in {
slave4 = (lib.head nodes.slave.config.networking.interfaces.eth1.ipv4.addresses).address;
slave6 = (lib.head nodes.slave.config.networking.interfaces.eth1.ipv6.addresses).address;
in ''
- startAll;
-
- $client->waitForUnit("network.target");
- $master->waitForUnit("knot.service");
- $slave->waitForUnit("knot.service");
-
- sub assertResponse {
- my ($knot, $query_type, $query, $expected) = @_;
- my $out = $client->succeed("khost -t $query_type $query $knot");
- $client->log("$knot replies with: $out");
- chomp $out;
- die "DNS query for $query ($query_type) against $knot gave '$out' instead of '$expected'"
- if ($out !~ $expected);
- }
-
- foreach ("${master4}", "${master6}", "${slave4}", "${slave6}") {
- subtest $_, sub {
- assertResponse($_, "SOA", "example.com", qr/start of authority.*?noc\.example\.com/);
- assertResponse($_, "A", "example.com", qr/has no [^ ]+ record/);
- assertResponse($_, "AAAA", "example.com", qr/has no [^ ]+ record/);
-
- assertResponse($_, "A", "www.example.com", qr/address 192.0.2.1$/);
- assertResponse($_, "AAAA", "www.example.com", qr/address 2001:db8::1$/);
-
- assertResponse($_, "NS", "sub.example.com", qr/nameserver is ns\d\.example\.com.$/);
- assertResponse($_, "A", "sub.example.com", qr/address 192.0.2.2$/);
- assertResponse($_, "AAAA", "sub.example.com", qr/address 2001:db8::2$/);
-
- assertResponse($_, "RRSIG", "www.example.com", qr/RR set signature is/);
- assertResponse($_, "DNSKEY", "example.com", qr/DNSSEC key is/);
- };
- }
+ import re
+
+ start_all()
+
+ client.wait_for_unit("network.target")
+ master.wait_for_unit("knot.service")
+ slave.wait_for_unit("knot.service")
+
+
+ def test(host, query_type, query, pattern):
+ out = client.succeed(f"khost -t {query_type} {query} {host}").strip()
+ client.log(f"{host} replied with: {out}")
+ assert re.search(pattern, out), f'Did not match "{pattern}"'
+
+
+ for host in ("${master4}", "${master6}", "${slave4}", "${slave6}"):
+ with subtest(f"Interrogate {host}"):
+ test(host, "SOA", "example.com", r"start of authority.*noc\.example\.com\.")
+ test(host, "A", "example.com", r"has no [^ ]+ record")
+ test(host, "AAAA", "example.com", r"has no [^ ]+ record")
+
+ test(host, "A", "www.example.com", r"address 192.0.2.1$")
+ test(host, "AAAA", "www.example.com", r"address 2001:db8::1$")
+
+ test(host, "NS", "sub.example.com", r"nameserver is ns\d\.example\.com.$")
+ test(host, "A", "sub.example.com", r"address 192.0.2.2$")
+ test(host, "AAAA", "sub.example.com", r"address 2001:db8::2$")
+
+ test(host, "RRSIG", "www.example.com", r"RR set signature is")
+ test(host, "DNSKEY", "example.com", r"DNSSEC key is")
'';
})
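Review bot: The address patterns passed to `test()` leave their dots unescaped, so `r"address 192.0.2.1$"` accepts any character in those positions and the check is looser than it reads; the same holds for the final `com.$` in the NS pattern. The SOA pattern was already tightened to `noc\.example\.com\.` in this port, so I would escape the rest as well, e.g. `r"address 192\.0\.2\.1$"` and `r"nameserver is ns\d\.example\.com\.$"`. The assertion message could also carry the reply, `f'"{out}" did not match "{pattern}"'`, so a failure is readable without digging through the log. The `testScript` let-block starts outside this hunk.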
diff --git a/nixpkgs/nixos/tests/kubernetes/base.nix b/nixpkgs/nixos/tests/kubernetes/base.nix
index f21634c4ffb..adb73650689 100644
--- a/nixpkgs/nixos/tests/kubernetes/base.nix
+++ b/nixpkgs/nixos/tests/kubernetes/base.nix
@@ -53,6 +53,7 @@ let
services.flannel.iface = "eth1";
services.kubernetes = {
addons.dashboard.enable = true;
+ proxy.hostname = "${masterName}.${domain}";
easyCerts = true;
inherit (machine) roles;
diff --git a/nixpkgs/nixos/tests/libgdata.nix b/nixpkgs/nixos/tests/libgdata.nix
deleted file mode 100644
index 10a3ca97dd2..00000000000
--- a/nixpkgs/nixos/tests/libgdata.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-# run installed tests
-import ./make-test.nix ({ pkgs, ... }:
-
-{
- name = "libgdata";
-
- meta = {
- maintainers = pkgs.libgdata.meta.maintainers;
- };
-
- machine = { pkgs, ... }: {
- environment.systemPackages = with pkgs; [ gnome-desktop-testing ];
- # # GLib-GIO-DEBUG: _g_io_module_get_default: Found default implementation dummy (GDummyTlsBackend) for ‘gio-tls-backend’
- # Bail out! libgdata:ERROR:../gdata/tests/common.c:134:gdata_test_init: assertion failed (child_error == NULL): TLS support is not available (g-tls-error-quark, 0)
- services.gnome3.glib-networking.enable = true;
- };
-
- testScript = ''
- $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.libgdata.installedTests}/share'");
- '';
-})
diff --git a/nixpkgs/nixos/tests/libxmlb.nix b/nixpkgs/nixos/tests/libxmlb.nix
deleted file mode 100644
index 3bee568ac5a..00000000000
--- a/nixpkgs/nixos/tests/libxmlb.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-# run installed tests
-import ./make-test.nix ({ pkgs, ... }:
-
-{
- name = "libxmlb";
- meta = {
- maintainers = pkgs.libxmlb.meta.maintainers;
- };
-
- machine = { pkgs, ... }: {
- environment.systemPackages = with pkgs; [ gnome-desktop-testing ];
- };
-
- testScript = ''
- $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.libxmlb.installedTests}/share'");
- '';
-})
diff --git a/nixpkgs/nixos/tests/lightdm.nix b/nixpkgs/nixos/tests/lightdm.nix
index c805f1ed9f3..ef30f7741e2 100644
--- a/nixpkgs/nixos/tests/lightdm.nix
+++ b/nixpkgs/nixos/tests/lightdm.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "lightdm";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ aszlig worldofpeace ];
@@ -18,12 +18,12 @@ import ./make-test.nix ({ pkgs, ...} : {
testScript = { nodes, ... }: let
user = nodes.machine.config.users.users.alice;
in ''
- startAll;
- $machine->waitForText(qr/${user.description}/);
- $machine->screenshot("lightdm");
- $machine->sendChars("${user.password}\n");
- $machine->waitForFile("/home/alice/.Xauthority");
- $machine->succeed("xauth merge ~alice/.Xauthority");
- $machine->waitForWindow("^IceWM ");
+ start_all()
+ machine.wait_for_text("${user.description}")
+ machine.screenshot("lightdm")
+ machine.send_chars("${user.password}\n")
+ machine.wait_for_file("${user.home}/.Xauthority")
+ machine.succeed("xauth merge ${user.home}/.Xauthority")
+ machine.wait_for_window("^IceWM ")
'';
})
diff --git a/nixpkgs/nixos/tests/login.nix b/nixpkgs/nixos/tests/login.nix
index bd8ed23a7b8..d36c1a91be4 100644
--- a/nixpkgs/nixos/tests/login.nix
+++ b/nixpkgs/nixos/tests/login.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, latestKernel ? false, ... }:
+import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... }:
{
name = "login";
@@ -12,62 +12,48 @@ import ./make-test.nix ({ pkgs, latestKernel ? false, ... }:
sound.enable = true; # needed for the factl test, /dev/snd/* exists without them but udev doesn't care then
};
- testScript =
- ''
- $machine->waitForUnit('multi-user.target');
- $machine->waitUntilSucceeds("pgrep -f 'agetty.*tty1'");
- $machine->screenshot("postboot");
-
- subtest "create user", sub {
- $machine->succeed("useradd -m alice");
- $machine->succeed("(echo foobar; echo foobar) | passwd alice");
- };
-
- # Check whether switching VTs works.
- subtest "virtual console switching", sub {
- $machine->fail("pgrep -f 'agetty.*tty2'");
- $machine->sendKeys("alt-f2");
- $machine->waitUntilSucceeds("[ \$(fgconsole) = 2 ]");
- $machine->waitForUnit('getty@tty2.service');
- $machine->waitUntilSucceeds("pgrep -f 'agetty.*tty2'");
- };
-
- # Log in as alice on a virtual console.
- subtest "virtual console login", sub {
- $machine->waitUntilTTYMatches(2, "login: ");
- $machine->sendChars("alice\n");
- $machine->waitUntilTTYMatches(2, "login: alice");
- $machine->waitUntilSucceeds("pgrep login");
- $machine->waitUntilTTYMatches(2, "Password: ");
- $machine->sendChars("foobar\n");
- $machine->waitUntilSucceeds("pgrep -u alice bash");
- $machine->sendChars("touch done\n");
- $machine->waitForFile("/home/alice/done");
- };
-
- # Check whether systemd gives and removes device ownership as
- # needed.
- subtest "device permissions", sub {
- $machine->succeed("getfacl -p /dev/snd/timer | grep -q alice");
- $machine->sendKeys("alt-f1");
- $machine->waitUntilSucceeds("[ \$(fgconsole) = 1 ]");
- $machine->fail("getfacl -p /dev/snd/timer | grep -q alice");
- $machine->succeed("chvt 2");
- $machine->waitUntilSucceeds("getfacl -p /dev/snd/timer | grep -q alice");
- };
-
- # Log out.
- subtest "virtual console logout", sub {
- $machine->sendChars("exit\n");
- $machine->waitUntilFails("pgrep -u alice bash");
- $machine->screenshot("mingetty");
- };
-
- # Check whether ctrl-alt-delete works.
- subtest "ctrl-alt-delete", sub {
- $machine->sendKeys("ctrl-alt-delete");
- $machine->waitForShutdown;
- };
- '';
-
+ testScript = ''
+ machine.wait_for_unit("multi-user.target")
+ machine.wait_until_succeeds("pgrep -f 'agetty.*tty1'")
+ machine.screenshot("postboot")
+
+ with subtest("create user"):
+ machine.succeed("useradd -m alice")
+ machine.succeed("(echo foobar; echo foobar) | passwd alice")
+
+ with subtest("Check whether switching VTs works"):
+ machine.fail("pgrep -f 'agetty.*tty2'")
+ machine.send_key("alt-f2")
+ machine.wait_until_succeeds("[ $(fgconsole) = 2 ]")
+ machine.wait_for_unit("getty@tty2.service")
+ machine.wait_until_succeeds("pgrep -f 'agetty.*tty2'")
+
+ with subtest("Log in as alice on a virtual console"):
+ machine.wait_until_tty_matches(2, "login: ")
+ machine.send_chars("alice\n")
+ machine.wait_until_tty_matches(2, "login: alice")
+ machine.wait_until_succeeds("pgrep login")
+ machine.wait_until_tty_matches(2, "Password: ")
+ machine.send_chars("foobar\n")
+ machine.wait_until_succeeds("pgrep -u alice bash")
+ machine.send_chars("touch done\n")
+ machine.wait_for_file("/home/alice/done")
+
+ with subtest("Systemd gives and removes device ownership as needed"):
+ machine.succeed("getfacl /dev/snd/timer | grep -q alice")
+ machine.send_key("alt-f1")
+ machine.wait_until_succeeds("[ $(fgconsole) = 1 ]")
+ machine.fail("getfacl /dev/snd/timer | grep -q alice")
+ machine.succeed("chvt 2")
+ machine.wait_until_succeeds("getfacl /dev/snd/timer | grep -q alice")
+
+ with subtest("Virtual console logout"):
+ machine.send_chars("exit\n")
+ machine.wait_until_fails("pgrep -u alice bash")
+ machine.screenshot("mingetty")
+
+ with subtest("Check whether ctrl-alt-delete works"):
+ machine.send_key("ctrl-alt-delete")
+ machine.wait_for_shutdown()
+ '';
})
diff --git a/nixpkgs/nixos/tests/loki.nix b/nixpkgs/nixos/tests/loki.nix
index 9c3058d02f8..dbf1e8a650f 100644
--- a/nixpkgs/nixos/tests/loki.nix
+++ b/nixpkgs/nixos/tests/loki.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ lib, pkgs, ... }:
+import ./make-test-python.nix ({ lib, pkgs, ... }:
{
name = "loki";
@@ -26,12 +26,14 @@ import ./make-test.nix ({ lib, pkgs, ... }:
};
testScript = ''
- $machine->start;
- $machine->waitForUnit("loki.service");
- $machine->waitForUnit("promtail.service");
- $machine->waitForOpenPort(3100);
- $machine->waitForOpenPort(9080);
- $machine->succeed("echo 'Loki Ingestion Test' > /var/log/testlog");
- $machine->waitUntilSucceeds("${pkgs.grafana-loki}/bin/logcli --addr='http://localhost:3100' query --no-labels '{job=\"varlogs\",filename=\"/var/log/testlog\"}' | grep -q 'Loki Ingestion Test'");
+ machine.start
+ machine.wait_for_unit("loki.service")
+ machine.wait_for_unit("promtail.service")
+ machine.wait_for_open_port(3100)
+ machine.wait_for_open_port(9080)
+ machine.succeed("echo 'Loki Ingestion Test' > /var/log/testlog")
+ machine.wait_until_succeeds(
+ "${pkgs.grafana-loki}/bin/logcli --addr='http://localhost:3100' query --no-labels '{job=\"varlogs\",filename=\"/var/log/testlog\"}' | grep -q 'Loki Ingestion Test'"
+ )
'';
})
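Review bot: `machine.start` on the first line of the new testScript is a bare attribute reference, so Python evaluates it and discards it without calling the method; it should read `machine.start()`. The test probably still passes because the later `wait_for_unit` calls presumably boot the VM on demand, but the line then documents a step that never runs. The same slip is in the mysql.nix hunk of this commit, where `start_all` replaces `startAll;` and should be `start_all()`.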
diff --git a/nixpkgs/nixos/tests/lorri/builder.sh b/nixpkgs/nixos/tests/lorri/builder.sh
new file mode 100644
index 00000000000..b586b2bf798
--- /dev/null
+++ b/nixpkgs/nixos/tests/lorri/builder.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+printf "%s" "${name:?}" > "${out:?}"
diff --git a/nixpkgs/nixos/tests/lorri/default.nix b/nixpkgs/nixos/tests/lorri/default.nix
new file mode 100644
index 00000000000..53074385a65
--- /dev/null
+++ b/nixpkgs/nixos/tests/lorri/default.nix
@@ -0,0 +1,26 @@
+import ../make-test-python.nix {
+ machine = { pkgs, ... }: {
+ imports = [ ../../modules/profiles/minimal.nix ];
+ environment.systemPackages = [ pkgs.lorri ];
+ };
+
+ testScript = ''
+ # Copy files over
+ machine.succeed(
+ "cp '${./fake-shell.nix}' shell.nix"
+ )
+ machine.succeed(
+ "cp '${./builder.sh}' builder.sh"
+ )
+
+ # Start the daemon and wait until it is ready
+ machine.execute("lorri daemon > lorri.stdout 2> lorri.stderr &")
+ machine.wait_until_succeeds("grep --fixed-strings 'lorri: ready' lorri.stdout")
+
+ # Ping the daemon
+ machine.execute("lorri ping_ $(readlink -f shell.nix)")
+
+ # Wait for the daemon to finish the build
+ machine.wait_until_succeeds("grep --fixed-strings 'OutputPaths' lorri.stdout")
+ '';
+}
diff --git a/nixpkgs/nixos/tests/lorri/fake-shell.nix b/nixpkgs/nixos/tests/lorri/fake-shell.nix
new file mode 100644
index 00000000000..9de9d247e54
--- /dev/null
+++ b/nixpkgs/nixos/tests/lorri/fake-shell.nix
@@ -0,0 +1,5 @@
+derivation {
+ system = builtins.currentSystem;
+ name = "fake-shell";
+ builder = ./builder.sh;
+}
diff --git a/nixpkgs/nixos/tests/magnetico.nix b/nixpkgs/nixos/tests/magnetico.nix
index bc7aef653ee..6770d32358e 100644
--- a/nixpkgs/nixos/tests/magnetico.nix
+++ b/nixpkgs/nixos/tests/magnetico.nix
@@ -1,4 +1,9 @@
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} :
+
+let
+ port = 8081;
+in
+{
name = "magnetico";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ rnhmjoj ];
@@ -12,17 +17,24 @@ import ./make-test.nix ({ pkgs, ...} : {
services.magnetico = {
enable = true;
crawler.port = 9000;
+ web.port = port;
web.credentials.user = "$2y$12$P88ZF6soFthiiAeXnz64aOWDsY3Dw7Yw8fZ6GtiqFNjknD70zDmNe";
};
};
testScript =
''
- startAll;
- $machine->waitForUnit("magneticod");
- $machine->waitForUnit("magneticow");
- $machine->succeed("${pkgs.curl}/bin/curl -u user:password http://localhost:8080");
- $machine->succeed("${pkgs.curl}/bin/curl -u user:wrongpwd http://localhost:8080") =~ "Unauthorised." or die;
- $machine->shutdown();
+ start_all()
+ machine.wait_for_unit("magneticod")
+ machine.wait_for_unit("magneticow")
+ machine.succeed(
+ "${pkgs.curl}/bin/curl "
+ + "-u user:password http://localhost:${toString port}"
+ )
+ assert "Unauthorised." in machine.succeed(
+ "${pkgs.curl}/bin/curl "
+ + "-u user:wrongpwd http://localhost:${toString port}"
+ )
+ machine.shutdown()
'';
})
diff --git a/nixpkgs/nixos/tests/mailcatcher.nix b/nixpkgs/nixos/tests/mailcatcher.nix
index d45b5d4edfc..eb5b606ecc8 100644
--- a/nixpkgs/nixos/tests/mailcatcher.nix
+++ b/nixpkgs/nixos/tests/mailcatcher.nix
@@ -9,8 +9,8 @@ import ./make-test.nix ({ lib, ... }:
{
services.mailcatcher.enable = true;
- networking.defaultMailServer.directDelivery = true;
- networking.defaultMailServer.hostName = "localhost:1025";
+ services.ssmtp.enable = true;
+ services.ssmtp.hostName = "localhost:1025";
environment.systemPackages = [ pkgs.mailutils ];
};
diff --git a/nixpkgs/nixos/tests/make-test-python.nix b/nixpkgs/nixos/tests/make-test-python.nix
new file mode 100644
index 00000000000..89897fe7e61
--- /dev/null
+++ b/nixpkgs/nixos/tests/make-test-python.nix
@@ -0,0 +1,9 @@
+f: {
+ system ? builtins.currentSystem,
+ pkgs ? import ../.. { inherit system; config = {}; },
+ ...
+} @ args:
+
+with import ../lib/testing-python.nix { inherit system pkgs; };
+
+makeTest (if pkgs.lib.isFunction f then f (args // { inherit pkgs; inherit (pkgs) lib; }) else f)
diff --git a/nixpkgs/nixos/tests/matomo.nix b/nixpkgs/nixos/tests/matomo.nix
new file mode 100644
index 00000000000..4efa65a7b6d
--- /dev/null
+++ b/nixpkgs/nixos/tests/matomo.nix
@@ -0,0 +1,43 @@
+{ system ? builtins.currentSystem, config ? { }
+, pkgs ? import ../.. { inherit system config; } }:
+
+with import ../lib/testing.nix { inherit system pkgs; };
+with pkgs.lib;
+
+let
+ matomoTest = package:
+ makeTest {
+ machine = { config, pkgs, ... }: {
+ services.matomo = {
+ package = package;
+ enable = true;
+ nginx = {
+ forceSSL = false;
+ enableACME = false;
+ };
+ };
+ services.mysql = {
+ enable = true;
+ package = pkgs.mysql;
+ };
+ services.nginx.enable = true;
+ };
+
+ testScript = ''
+ startAll;
+ $machine->waitForUnit("mysql.service");
+ $machine->waitForUnit("phpfpm-matomo.service");
+ $machine->waitForUnit("nginx.service");
+ $machine->succeed("curl -sSfL http://localhost/ | grep '<title>Matomo[^<]*Installation'");
+ '';
+ };
+in {
+ matomo = matomoTest pkgs.matomo // {
+ name = "matomo";
+ meta.maintainers = with maintainers; [ florianjacob kiwi mmilata ];
+ };
+ matomo-beta = matomoTest pkgs.matomo-beta // {
+ name = "matomo-beta";
+ meta.maintainers = with maintainers; [ florianjacob kiwi mmilata ];
+ };
+}
diff --git a/nixpkgs/nixos/tests/matrix-synapse.nix b/nixpkgs/nixos/tests/matrix-synapse.nix
index 882e4b75814..fca53009083 100644
--- a/nixpkgs/nixos/tests/matrix-synapse.nix
+++ b/nixpkgs/nixos/tests/matrix-synapse.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... } : let
+import ./make-test-python.nix ({ pkgs, ... } : let
runWithOpenSSL = file: cmd: pkgs.runCommand file {
@@ -55,13 +55,17 @@ in {
};
testScript = ''
- startAll;
- $serverpostgres->waitForUnit("matrix-synapse.service");
- $serverpostgres->waitUntilSucceeds("curl -L --cacert ${ca_pem} https://localhost:8448/");
- $serverpostgres->requireActiveUnit("postgresql.service");
- $serversqlite->waitForUnit("matrix-synapse.service");
- $serversqlite->waitUntilSucceeds("curl -L --cacert ${ca_pem} https://localhost:8448/");
- $serversqlite->mustSucceed("[ -e /var/lib/matrix-synapse/homeserver.db ]");
+ start_all()
+ serverpostgres.wait_for_unit("matrix-synapse.service")
+ serverpostgres.wait_until_succeeds(
+ "curl -L --cacert ${ca_pem} https://localhost:8448/"
+ )
+ serverpostgres.require_unit_state("postgresql.service")
+ serversqlite.wait_for_unit("matrix-synapse.service")
+ serversqlite.wait_until_succeeds(
+ "curl -L --cacert ${ca_pem} https://localhost:8448/"
+ )
+ serversqlite.succeed("[ -e /var/lib/matrix-synapse/homeserver.db ]")
'';
})
diff --git a/nixpkgs/nixos/tests/memcached.nix b/nixpkgs/nixos/tests/memcached.nix
index b120599c51d..31f5627d25c 100644
--- a/nixpkgs/nixos/tests/memcached.nix
+++ b/nixpkgs/nixos/tests/memcached.nix
@@ -1,28 +1,24 @@
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ... }: {
name = "memcached";
- nodes = {
- machine =
- { ... }:
- {
- imports = [ ../modules/profiles/minimal.nix ];
- services.memcached.enable = true;
- };
+ machine = {
+ imports = [ ../modules/profiles/minimal.nix ];
+ services.memcached.enable = true;
};
testScript = let
- testScript = pkgs.writeScript "testScript.py" ''
- #!${pkgs.python3.withPackages (p: [p.memcached])}/bin/python
-
+ testScript = pkgs.writers.writePython3 "test_memcache" {
+ libraries = with pkgs.python3Packages; [ memcached ];
+ } ''
import memcache
c = memcache.Client(['localhost:11211'])
c.set('key', 'value')
assert 'value' == c.get('key')
'';
in ''
- startAll;
- $machine->waitForUnit("memcached.service");
- $machine->waitForOpenPort("11211");
- $machine->succeed("${testScript}");
+ machine.start()
+ machine.wait_for_unit("memcached.service")
+ machine.wait_for_open_port(11211)
+ machine.succeed("${testScript}")
'';
})
diff --git a/nixpkgs/nixos/tests/metabase.nix b/nixpkgs/nixos/tests/metabase.nix
index be9e5ed5b1e..1450a4e9086 100644
--- a/nixpkgs/nixos/tests/metabase.nix
+++ b/nixpkgs/nixos/tests/metabase.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }: {
+import ./make-test-python.nix ({ pkgs, ... }: {
name = "metabase";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ mmahut ];
@@ -12,9 +12,9 @@ import ./make-test.nix ({ pkgs, ... }: {
};
testScript = ''
- startAll;
- $machine->waitForUnit("metabase.service");
- $machine->waitForOpenPort(3000);
- $machine->waitUntilSucceeds("curl -L http://localhost:3000/setup | grep Metabase");
+ start_all()
+ machine.wait_for_unit("metabase.service")
+ machine.wait_for_open_port(3000)
+ machine.wait_until_succeeds("curl -L http://localhost:3000/setup | grep Metabase")
'';
})
diff --git a/nixpkgs/nixos/tests/minidlna.nix b/nixpkgs/nixos/tests/minidlna.nix
index 7bf1bed69d0..d852c7f60bc 100644
--- a/nixpkgs/nixos/tests/minidlna.nix
+++ b/nixpkgs/nixos/tests/minidlna.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }: {
+import ./make-test-python.nix ({ pkgs, ... }: {
name = "minidlna";
nodes = {
@@ -29,11 +29,11 @@ import ./make-test.nix ({ pkgs, ... }: {
testScript =
''
- startAll;
- $server->succeed("mkdir -p /tmp/stuff && chown minidlna: /tmp/stuff");
- $server->waitForUnit("minidlna");
- $server->waitForOpenPort("8200");
- $server->succeed("curl --fail http://localhost:8200/");
- $client->succeed("curl --fail http://server:8200/");
+ start_all()
+ server.succeed("mkdir -p /tmp/stuff && chown minidlna: /tmp/stuff")
+ server.wait_for_unit("minidlna")
+ server.wait_for_open_port("8200")
+ server.succeed("curl --fail http://localhost:8200/")
+ client.succeed("curl --fail http://server:8200/")
'';
})
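Review bot: `server.wait_for_open_port("8200")` still passes the port as a string, while the other converted tests in this commit pass an integer; memcached.nix changes `"11211"` to `11211` in the same series. It presumably works because the driver interpolates the value into a shell command, but the mixed style invites a type error if the driver ever does arithmetic or comparison on the port. Suggest `server.wait_for_open_port(8200)`.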
diff --git a/nixpkgs/nixos/tests/miniflux.nix b/nixpkgs/nixos/tests/miniflux.nix
index 19ab4803a1d..7d83d061a9d 100644
--- a/nixpkgs/nixos/tests/miniflux.nix
+++ b/nixpkgs/nixos/tests/miniflux.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, lib, ... }:
+import ./make-test-python.nix ({ pkgs, lib, ... }:
let
port = 3142;
@@ -37,16 +37,20 @@ with lib;
};
};
testScript = ''
- startAll;
+ start_all()
- $default->waitForUnit('miniflux.service');
- $default->waitForOpenPort(${toString defaultPort});
- $default->succeed("curl --fail 'http://localhost:${toString defaultPort}/healthcheck' | grep -q OK");
- $default->succeed("curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep -q '\"is_admin\":true'");
+ default.wait_for_unit("miniflux.service")
+ default.wait_for_open_port(${toString defaultPort})
+ default.succeed("curl --fail 'http://localhost:${toString defaultPort}/healthcheck' | grep -q OK")
+ default.succeed(
+ "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep -q '\"is_admin\":true'"
+ )
- $customized->waitForUnit('miniflux.service');
- $customized->waitForOpenPort(${toString port});
- $customized->succeed("curl --fail 'http://localhost:${toString port}/healthcheck' | grep -q OK");
- $customized->succeed("curl 'http://localhost:${toString port}/v1/me' -u '${username}:${password}' -H Content-Type:application/json | grep -q '\"is_admin\":true'");
+ customized.wait_for_unit("miniflux.service")
+ customized.wait_for_open_port(${toString port})
+ customized.succeed("curl --fail 'http://localhost:${toString port}/healthcheck' | grep -q OK")
+ customized.succeed(
+ "curl 'http://localhost:${toString port}/v1/me' -u '${username}:${password}' -H Content-Type:application/json | grep -q '\"is_admin\":true'"
+ )
'';
})
diff --git a/nixpkgs/nixos/tests/minio.nix b/nixpkgs/nixos/tests/minio.nix
index f1218b53771..3b061974267 100644
--- a/nixpkgs/nixos/tests/minio.nix
+++ b/nixpkgs/nixos/tests/minio.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...} :
+import ./make-test-python.nix ({ pkgs, ...} :
let
accessKey = "BKIKJAA5BMMU2RHO6IBB";
secretKey = "V7f1CwQqAcwo80UEIJEjc5gVQUSSx5ohQ9GSrr12";
@@ -18,7 +18,7 @@ let
sio.seek(0)
minioClient.put_object('test-bucket', 'test.txt', sio, sio_len, content_type='text/plain')
'';
- in {
+in {
name = "minio";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ bachp ];
@@ -37,19 +37,19 @@ let
};
};
- testScript =
- ''
- startAll;
- $machine->waitForUnit("minio.service");
- $machine->waitForOpenPort(9000);
+ testScript = ''
+ start_all()
+ machine.wait_for_unit("minio.service")
+ machine.wait_for_open_port(9000)
- # Create a test bucket on the server
- $machine->succeed("mc config host add minio http://localhost:9000 ${accessKey} ${secretKey} S3v4");
- $machine->succeed("mc mb minio/test-bucket");
- $machine->succeed("${minioPythonScript}");
- $machine->succeed("mc ls minio") =~ /test-bucket/ or die;
- $machine->succeed("mc cat minio/test-bucket/test.txt") =~ /Test from Python/ or die;
- $machine->shutdown;
-
- '';
+ # Create a test bucket on the server
+ machine.succeed(
+ "mc config host add minio http://localhost:9000 ${accessKey} ${secretKey} S3v4"
+ )
+ machine.succeed("mc mb minio/test-bucket")
+ machine.succeed("${minioPythonScript}")
+ assert "test-bucket" in machine.succeed("mc ls minio")
+ assert "Test from Python" in machine.succeed("mc cat minio/test-bucket/test.txt")
+ machine.shutdown()
+ '';
})
diff --git a/nixpkgs/nixos/tests/moinmoin.nix b/nixpkgs/nixos/tests/moinmoin.nix
new file mode 100644
index 00000000000..2662b79aa09
--- /dev/null
+++ b/nixpkgs/nixos/tests/moinmoin.nix
@@ -0,0 +1,24 @@
+import ./make-test.nix ({ pkgs, lib, ... }: {
+ name = "moinmoin";
+ meta.maintainers = [ ]; # waiting for https://github.com/NixOS/nixpkgs/pull/65397
+
+ machine =
+ { ... }:
+ { services.moinmoin.enable = true;
+ services.moinmoin.wikis.ExampleWiki.superUsers = [ "admin" ];
+ services.moinmoin.wikis.ExampleWiki.webHost = "localhost";
+
+ services.nginx.virtualHosts.localhost.enableACME = false;
+ services.nginx.virtualHosts.localhost.forceSSL = false;
+ };
+
+ testScript = ''
+ startAll;
+
+ $machine->waitForUnit('moin-ExampleWiki.service');
+ $machine->waitForUnit('nginx.service');
+ $machine->waitForFile('/run/moin/ExampleWiki/gunicorn.sock');
+ $machine->succeed('curl -L http://localhost/') =~ /If you have just installed/ or die;
+ $machine->succeed('moin-ExampleWiki account create --name=admin --email=admin@example.com --password=foo 2>&1') =~ /status success/ or die;
+ '';
+})
diff --git a/nixpkgs/nixos/tests/mongodb.nix b/nixpkgs/nixos/tests/mongodb.nix
index 0ccbeb062f9..9ebf84eed23 100644
--- a/nixpkgs/nixos/tests/mongodb.nix
+++ b/nixpkgs/nixos/tests/mongodb.nix
@@ -1,6 +1,6 @@
# This test start mongodb, runs a query using mongo shell
-import ./make-test.nix ({ pkgs, ...} : let
+import ./make-test-python.nix ({ pkgs, ...} : let
testQuery = pkgs.writeScript "nixtest.js" ''
db.greetings.insert({ "greeting": "hello" });
print(db.greetings.findOne().greeting);
@@ -33,8 +33,10 @@ in {
};
testScript = ''
- startAll;
- $one->waitForUnit("mongodb.service");
- $one->succeed("mongo -u nixtest -p nixtest nixtest ${testQuery}") =~ /hello/ or die;
+ start_all()
+ one.wait_for_unit("mongodb.service")
+ one.succeed(
+ "mongo -u nixtest -p nixtest nixtest ${testQuery} | grep -q hello"
+ )
'';
})
diff --git a/nixpkgs/nixos/tests/moodle.nix b/nixpkgs/nixos/tests/moodle.nix
index 565a6b63694..56aa62596c0 100644
--- a/nixpkgs/nixos/tests/moodle.nix
+++ b/nixpkgs/nixos/tests/moodle.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, lib, ... }: {
+import ./make-test-python.nix ({ pkgs, lib, ... }: {
name = "moodle";
meta.maintainers = [ lib.maintainers.aanderse ];
@@ -15,8 +15,8 @@ import ./make-test.nix ({ pkgs, lib, ... }: {
};
testScript = ''
- startAll;
- $machine->waitForUnit('phpfpm-moodle.service');
- $machine->succeed('curl http://localhost/') =~ /You are not logged in/ or die;
+ start_all()
+ machine.wait_for_unit("phpfpm-moodle.service")
+ machine.wait_until_succeeds("curl http://localhost/ | grep 'You are not logged in'")
'';
})
diff --git a/nixpkgs/nixos/tests/morty.nix b/nixpkgs/nixos/tests/morty.nix
index eab123bd50f..64c5a27665d 100644
--- a/nixpkgs/nixos/tests/morty.nix
+++ b/nixpkgs/nixos/tests/morty.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }:
+import ./make-test-python.nix ({ pkgs, ... }:
{
name = "morty";
@@ -22,11 +22,9 @@ import ./make-test.nix ({ pkgs, ... }:
testScript =
{ ... }:
''
- $mortyProxyWithKey->waitForUnit("default.target");
-
- $mortyProxyWithKey->waitForOpenPort(3001);
- $mortyProxyWithKey->succeed("curl -L 127.0.0.1:3001 | grep MortyProxy");
-
+ mortyProxyWithKey.wait_for_unit("default.target")
+ mortyProxyWithKey.wait_for_open_port(3001)
+ mortyProxyWithKey.succeed("curl -L 127.0.0.1:3001 | grep MortyProxy")
'';
})
diff --git a/nixpkgs/nixos/tests/mosquitto.nix b/nixpkgs/nixos/tests/mosquitto.nix
index b4c897c3ab5..1f2fdf4237f 100644
--- a/nixpkgs/nixos/tests/mosquitto.nix
+++ b/nixpkgs/nixos/tests/mosquitto.nix
@@ -1,21 +1,10 @@
-import ./make-test.nix ({ pkgs, ... }:
+import ./make-test-python.nix ({ pkgs, ... }:
let
port = 1888;
username = "mqtt";
password = "VERY_secret";
topic = "test/foo";
-
- cmd = bin: pkgs.lib.concatStringsSep " " [
- "${pkgs.mosquitto}/bin/mosquitto_${bin}"
- "-V mqttv311"
- "-h server"
- "-p ${toString port}"
- "-u ${username}"
- "-P '${password}'"
- "-t ${topic}"
- ];
-
in {
name = "mosquitto";
meta = with pkgs.stdenv.lib; {
@@ -49,40 +38,53 @@ in {
testScript = let
file = "/tmp/msg";
- sub = args:
- "(${cmd "sub"} -C 1 ${args} | tee ${file} &)";
in ''
- startAll;
- $server->waitForUnit("mosquitto.service");
+ def mosquitto_cmd(binary):
+ return (
+ "${pkgs.mosquitto}/bin/mosquitto_{} "
+ "-V mqttv311 "
+ "-h server "
+ "-p ${toString port} "
+ "-u ${username} "
+ "-P '${password}' "
+ "-t ${topic}"
+ ).format(binary)
+
+
+ def publish(args):
+ return "{} {}".format(mosquitto_cmd("pub"), args)
+
- $server->fail("test -f ${file}");
- $client1->fail("test -f ${file}");
- $client2->fail("test -f ${file}");
+ def subscribe(args):
+ return "({} -C 1 {} | tee ${file} &)".format(mosquitto_cmd("sub"), args)
+ start_all()
+ server.wait_for_unit("mosquitto.service")
+
+ for machine in server, client1, client2:
+ machine.fail("test -f ${file}")
+
# QoS = 0, so only one subscribers should get it
- $server->execute("${sub "-q 0"}");
+ server.execute(subscribe("-q 0"))
# we need to give the subscribers some time to connect
- $client2->execute("sleep 5");
- $client2->succeed("${cmd "pub"} -m FOO -q 0");
-
- $server->waitUntilSucceeds("grep -q FOO ${file}");
- $server->execute("rm ${file}");
+ client2.execute("sleep 5")
+ client2.succeed(publish("-m FOO -q 0"))
+ server.wait_until_succeeds("grep -q FOO ${file}")
+ server.execute("rm ${file}")
# QoS = 1, so both subscribers should get it
- $server->execute("${sub "-q 1"}");
- $client1->execute("${sub "-q 1"}");
+ server.execute(subscribe("-q 1"))
+ client1.execute(subscribe("-q 1"))
# we need to give the subscribers some time to connect
- $client2->execute("sleep 5");
- $client2->succeed("${cmd "pub"} -m BAR -q 1");
-
- $server->waitUntilSucceeds("grep -q BAR ${file}");
- $server->execute("rm ${file}");
+ client2.execute("sleep 5")
+ client2.succeed(publish("-m BAR -q 1"))
- $client1->waitUntilSucceeds("grep -q BAR ${file}");
- $client1->execute("rm ${file}");
+ for machine in server, client1:
+ machine.wait_until_succeeds("grep -q BAR ${file}")
+ machine.execute("rm ${file}")
'';
})
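Review bot: `mosquitto_cmd` runs `.format(binary)` over a string that Nix has already filled in with `${username}`, `${password}` and `${topic}`, so a `{` or `}` in any of those values would be parsed as a Python format field and raise at test time. The current values are safe, but the helper breaks as soon as someone picks a password with a brace in it. Formatting only the binary name avoids that: start the expression with `"${pkgs.mosquitto}/bin/mosquitto_" + binary + " "` and drop the trailing `.format(binary)`.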
diff --git a/nixpkgs/nixos/tests/mpd.nix b/nixpkgs/nixos/tests/mpd.nix
index ac2b810defe..895b7e2014c 100644
--- a/nixpkgs/nixos/tests/mpd.nix
+++ b/nixpkgs/nixos/tests/mpd.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }:
+import ./make-test-python.nix ({ pkgs, lib, ... }:
let
track = pkgs.fetchurl {
# Sourced from http://freemusicarchive.org/music/Blue_Wave_Theory/Surf_Music_Month_Challenge/Skyhawk_Beach_fade_in
@@ -46,74 +46,87 @@ import ./make-test.nix ({ pkgs, ... }:
};
nodes =
- { client =
+ { client =
{ ... }: { };
serverALSA =
- { ... }: (mkServer {
- mpd = defaultMpdCfg // {
- network.listenAddress = "any";
- extraConfig = ''
- audio_output {
- type "alsa"
- name "ALSA"
- mixer_type "null"
- }
- '';
- };
-
- musicService = with defaultMpdCfg; musicService { inherit user group musicDirectory; };
- }) // { networking.firewall.allowedTCPPorts = [ 6600 ]; };
+ { ... }: lib.mkMerge [
+ (mkServer {
+ mpd = defaultMpdCfg // {
+ network.listenAddress = "any";
+ extraConfig = ''
+ audio_output {
+ type "alsa"
+ name "ALSA"
+ mixer_type "null"
+ }
+ '';
+ };
+ musicService = with defaultMpdCfg; musicService { inherit user group musicDirectory; };
+ })
+ { networking.firewall.allowedTCPPorts = [ 6600 ]; }
+ ];
serverPulseAudio =
- { ... }: (mkServer {
- mpd = defaultMpdCfg // {
- extraConfig = ''
- audio_output {
- type "pulse"
- name "The Pulse"
- }
- '';
- };
-
- musicService = with defaultCfg; musicService { inherit user group musicDirectory; };
- }) // { hardware.pulseaudio.enable = true; };
+ { ... }: lib.mkMerge [
+ (mkServer {
+ mpd = defaultMpdCfg // {
+ extraConfig = ''
+ audio_output {
+ type "pulse"
+ name "The Pulse"
+ }
+ '';
+ };
+
+ musicService = with defaultCfg; musicService { inherit user group musicDirectory; };
+ })
+ {
+ hardware.pulseaudio = {
+ enable = true;
+ systemWide = true;
+ tcp.enable = true;
+ tcp.anonymousClients.allowAll = true;
+ };
+ systemd.services.mpd.environment.PULSE_SERVER = "localhost";
+ }
+ ];
};
testScript = ''
- my $mpc = "${pkgs.mpc_cli}/bin/mpc --wait";
+ mpc = "${pkgs.mpc_cli}/bin/mpc --wait"
# Connects to the given server and attempts to play a tune.
- sub play_some_music {
- my $server = $_[0];
+ def play_some_music(server):
+ server.wait_for_unit("mpd.service")
+ server.succeed(f"{mpc} update")
+ _, tracks = server.execute(f"{mpc} ls")
- $server->waitForUnit("mpd.service");
- $server->succeed("$mpc update");
- my @tracks = $server->execute("$mpc ls");
+ for track in tracks.splitlines():
+ server.succeed(f"{mpc} add {track}")
- for my $track (split(/\n/, $tracks[1])) {
- $server->succeed("$mpc add $track");
- };
+ _, added_tracks = server.execute(f"{mpc} listall")
- my @added_tracks = $server->execute("$mpc listall");
- (length $added_tracks[1]) > 0 or die "Failed to add audio tracks to the playlist.";
+ # Check we succeeded adding audio tracks to the playlist
+ assert len(added_tracks.splitlines()) > 0
- $server->succeed("$mpc play");
+ server.succeed(f"{mpc} play")
- my @status = $server->execute("$mpc status");
- my @output = split(/\n/, $status[1]);
- $output[1] =~ /.*playing.*/ or die "Audio track is not playing, as expected.";
+ _, output = server.execute(f"{mpc} status")
+ # Assure audio track is playing
+ assert "playing" in output
+
+ server.succeed(f"{mpc} stop")
- $server->succeed("$mpc stop");
- };
- play_some_music($serverALSA);
- play_some_music($serverPulseAudio);
+ play_some_music(serverALSA)
+ play_some_music(serverPulseAudio)
- $client->succeed("$mpc -h serverALSA status");
+ client.wait_for_unit("multi-user.target")
+ client.succeed(f"{mpc} -h serverALSA status")
# The PulseAudio-based server is configured not to accept external client connections
# to perform the following test:
- $client->fail("$mpc -h serverPulseAudio status");
+ client.fail(f"{mpc} -h serverPulseAudio status")
'';
})
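Review bot: The new `serverPulseAudio` attribute set turns on `systemWide`, `tcp.enable` and `tcp.anonymousClients.allowAll`, which lets any client that can reach the PulseAudio TCP socket use it without authentication, and nothing in the hunk says why. That is reasonable inside a throwaway test VM, presumably so the mpd service can reach the daemon through `PULSE_SERVER = "localhost"`, but test files tend to get copied into real configurations. A comment above the block would help, for example `# Test-only: unauthenticated PulseAudio over TCP so the mpd service can reach it; do not reuse outside a VM test.`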
diff --git a/nixpkgs/nixos/tests/mysql-backup.nix b/nixpkgs/nixos/tests/mysql-backup.nix
index 81482dfef7e..a0595e4d553 100644
--- a/nixpkgs/nixos/tests/mysql-backup.nix
+++ b/nixpkgs/nixos/tests/mysql-backup.nix
@@ -1,5 +1,5 @@
# Test whether mysqlBackup option works
-import ./make-test.nix ({ pkgs, ... } : {
+import ./make-test-python.nix ({ pkgs, ... } : {
name = "mysql-backup";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ rvl ];
@@ -20,31 +20,37 @@ import ./make-test.nix ({ pkgs, ... } : {
};
};
- testScript =
- '' startAll;
+ testScript = ''
+ start_all()
- # Delete backup file that may be left over from a previous test run.
- # This is not needed on Hydra but useful for repeated local test runs.
- $master->execute("rm -f /var/backup/mysql/testdb.gz");
+ # Delete backup file that may be left over from a previous test run.
+ # This is not needed on Hydra but useful for repeated local test runs.
+ master.execute("rm -f /var/backup/mysql/testdb.gz")
- # Need to have mysql started so that it can be populated with data.
- $master->waitForUnit("mysql.service");
+ # Need to have mysql started so that it can be populated with data.
+ master.wait_for_unit("mysql.service")
- # Wait for testdb to be fully populated (5 rows).
- $master->waitUntilSucceeds("mysql -u root -D testdb -N -B -e 'select count(id) from tests' | grep -q 5");
+ # Wait for testdb to be fully populated (5 rows).
+ master.wait_until_succeeds(
+ "mysql -u root -D testdb -N -B -e 'select count(id) from tests' | grep -q 5"
+ )
- # Do a backup and wait for it to start
- $master->startJob("mysql-backup.service");
- $master->waitForJob("mysql-backup.service");
+ # Do a backup and wait for it to start
+ master.start_job("mysql-backup.service")
+ master.wait_for_unit("mysql-backup.service")
- # wait for backup to fail, because of database 'doesnotexist'
- $master->waitUntilFails("systemctl is-active -q mysql-backup.service");
+ # wait for backup to fail, because of database 'doesnotexist'
+ master.wait_until_fails("systemctl is-active -q mysql-backup.service")
- # wait for backup file and check that data appears in backup
- $master->waitForFile("/var/backup/mysql/testdb.gz");
- $master->succeed("${pkgs.gzip}/bin/zcat /var/backup/mysql/testdb.gz | grep hello");
+ # wait for backup file and check that data appears in backup
+ master.wait_for_file("/var/backup/mysql/testdb.gz")
+ master.succeed(
+ "${pkgs.gzip}/bin/zcat /var/backup/mysql/testdb.gz | grep hello"
+ )
- # Check that a failed backup is logged
- $master->succeed("journalctl -u mysql-backup.service | grep 'fail.*doesnotexist' > /dev/null");
- '';
+ # Check that a failed backup is logged
+ master.succeed(
+ "journalctl -u mysql-backup.service | grep 'fail.*doesnotexist' > /dev/null"
+ )
+ '';
})
diff --git a/nixpkgs/nixos/tests/mysql-replication.nix b/nixpkgs/nixos/tests/mysql-replication.nix
index c75a862106f..a2654f041ad 100644
--- a/nixpkgs/nixos/tests/mysql-replication.nix
+++ b/nixpkgs/nixos/tests/mysql-replication.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...} :
+import ./make-test-python.nix ({ pkgs, ...} :
let
replicateUser = "replicate";
@@ -54,28 +54,36 @@ in
};
testScript = ''
- $master->start;
- $master->waitForUnit("mysql");
- $master->waitForOpenPort(3306);
+ master.start()
+ master.wait_for_unit("mysql")
+ master.wait_for_open_port(3306)
# Wait for testdb to be fully populated (5 rows).
- $master->waitUntilSucceeds("mysql -u root -D testdb -N -B -e 'select count(id) from tests' | grep -q 5");
+ master.wait_until_succeeds(
+ "mysql -u root -D testdb -N -B -e 'select count(id) from tests' | grep -q 5"
+ )
- $slave1->start;
- $slave2->start;
- $slave1->waitForUnit("mysql");
- $slave1->waitForOpenPort(3306);
- $slave2->waitForUnit("mysql");
- $slave2->waitForOpenPort(3306);
+ slave1.start()
+ slave2.start()
+ slave1.wait_for_unit("mysql")
+ slave1.wait_for_open_port(3306)
+ slave2.wait_for_unit("mysql")
+ slave2.wait_for_open_port(3306)
# wait for replications to finish
- $slave1->waitUntilSucceeds("mysql -u root -D testdb -N -B -e 'select count(id) from tests' | grep -q 5");
- $slave2->waitUntilSucceeds("mysql -u root -D testdb -N -B -e 'select count(id) from tests' | grep -q 5");
+ slave1.wait_until_succeeds(
+ "mysql -u root -D testdb -N -B -e 'select count(id) from tests' | grep -q 5"
+ )
+ slave2.wait_until_succeeds(
+ "mysql -u root -D testdb -N -B -e 'select count(id) from tests' | grep -q 5"
+ )
- $slave2->succeed("systemctl stop mysql");
- $master->succeed("echo 'insert into testdb.tests values (123, 456);' | mysql -u root -N");
- $slave2->succeed("systemctl start mysql");
- $slave2->waitForUnit("mysql");
- $slave2->waitForOpenPort(3306);
- $slave2->waitUntilSucceeds("echo 'select * from testdb.tests where Id = 123;' | mysql -u root -N | grep 456");
+ slave2.succeed("systemctl stop mysql")
+ master.succeed("echo 'insert into testdb.tests values (123, 456);' | mysql -u root -N")
+ slave2.succeed("systemctl start mysql")
+ slave2.wait_for_unit("mysql")
+ slave2.wait_for_open_port(3306)
+ slave2.wait_until_succeeds(
+ "echo 'select * from testdb.tests where Id = 123;' | mysql -u root -N | grep 456"
+ )
'';
})
diff --git a/nixpkgs/nixos/tests/mysql.nix b/nixpkgs/nixos/tests/mysql.nix
index 05bd968de02..2c0d212c2f1 100644
--- a/nixpkgs/nixos/tests/mysql.nix
+++ b/nixpkgs/nixos/tests/mysql.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "mysql";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ eelco shlevy ];
@@ -47,17 +47,23 @@ import ./make-test.nix ({ pkgs, ...} : {
};
testScript = ''
- startAll;
+ start_all
- $mysql->waitForUnit("mysql");
- $mysql->succeed("echo 'use empty_testdb;' | mysql -u root");
- $mysql->succeed("echo 'use testdb; select * from tests;' | mysql -u root -N | grep 4");
+ mysql.wait_for_unit("mysql")
+ mysql.succeed("echo 'use empty_testdb;' | mysql -u root")
+ mysql.succeed("echo 'use testdb; select * from tests;' | mysql -u root -N | grep 4")
# ';' acts as no-op, just check whether login succeeds with the user created from the initialScript
- $mysql->succeed("echo ';' | mysql -u passworduser --password=password123");
+ mysql.succeed("echo ';' | mysql -u passworduser --password=password123")
- $mariadb->waitForUnit("mysql");
- $mariadb->succeed("echo 'use testdb; create table tests (test_id INT, PRIMARY KEY (test_id));' | sudo -u testuser mysql -u testuser");
- $mariadb->succeed("echo 'use testdb; insert into tests values (42);' | sudo -u testuser mysql -u testuser");
- $mariadb->succeed("echo 'use testdb; select test_id from tests;' | sudo -u testuser mysql -u testuser -N | grep 42");
+ mariadb.wait_for_unit("mysql")
+ mariadb.succeed(
+ "echo 'use testdb; create table tests (test_id INT, PRIMARY KEY (test_id));' | sudo -u testuser mysql -u testuser"
+ )
+ mariadb.succeed(
+ "echo 'use testdb; insert into tests values (42);' | sudo -u testuser mysql -u testuser"
+ )
+ mariadb.succeed(
+ "echo 'use testdb; select test_id from tests;' | sudo -u testuser mysql -u testuser -N | grep 42"
+ )
'';
})
diff --git a/nixpkgs/nixos/tests/ndppd.nix b/nixpkgs/nixos/tests/ndppd.nix
index 6a6f602726d..b67b26a7934 100644
--- a/nixpkgs/nixos/tests/ndppd.nix
+++ b/nixpkgs/nixos/tests/ndppd.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, lib, ...} : {
+import ./make-test-python.nix ({ pkgs, lib, ...} : {
name = "ndppd";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ fpletz ];
@@ -52,9 +52,9 @@ import ./make-test.nix ({ pkgs, lib, ...} : {
};
testScript = ''
- startAll;
- $server->waitForUnit("multi-user.target");
- $upstream->waitForUnit("multi-user.target");
- $upstream->waitUntilSucceeds("ping -c5 fd42::2");
+ start_all()
+ server.wait_for_unit("multi-user.target")
+ upstream.wait_for_unit("multi-user.target")
+ upstream.wait_until_succeeds("ping -c5 fd42::2")
'';
})
diff --git a/nixpkgs/nixos/tests/neo4j.nix b/nixpkgs/nixos/tests/neo4j.nix
index 86ed8970517..32ee7f501b8 100644
--- a/nixpkgs/nixos/tests/neo4j.nix
+++ b/nixpkgs/nixos/tests/neo4j.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix {
+import ./make-test-python.nix {
name = "neo4j";
nodes = {
@@ -11,10 +11,10 @@ import ./make-test.nix {
};
testScript = ''
- startAll;
+ start_all()
- $master->waitForUnit("neo4j");
- $master->sleep(20); # Hopefully this is long enough!!
- $master->succeed("curl http://localhost:7474/");
+ master.wait_for_unit("neo4j")
+ master.wait_for_open_port(7474)
+ master.succeed("curl http://localhost:7474/")
'';
}
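Review bot: The final check `master.succeed("curl http://localhost:7474/")` passes on any HTTP response, because curl without `--fail` exits 0 even when the server answers with a 4xx or 5xx status. Now that the fixed sleep has been replaced by `wait_for_open_port(7474)`, the port can be open before the application is fully ready, so an error page would go unnoticed. Using `master.succeed("curl --fail http://localhost:7474/")` would make the test fail on an error status, as the netdata.nix and nexus.nix tests in this commit already do.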
diff --git a/nixpkgs/nixos/tests/netdata.nix b/nixpkgs/nixos/tests/netdata.nix
index 9bd147968e4..8dd5eafb097 100644
--- a/nixpkgs/nixos/tests/netdata.nix
+++ b/nixpkgs/nixos/tests/netdata.nix
@@ -1,6 +1,6 @@
# This test runs netdata and checks for data via apps.plugin
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "netdata";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ cransom ];
@@ -16,23 +16,22 @@ import ./make-test.nix ({ pkgs, ...} : {
};
testScript = ''
- startAll;
+ start_all()
- $netdata->waitForUnit("netdata.service");
+ netdata.wait_for_unit("netdata.service")
# wait for the service to listen before sending a request
- $netdata->waitForOpenPort(19999);
+ netdata.wait_for_open_port(19999)
# check if the netdata main page loads.
- $netdata->succeed("curl --fail http://localhost:19999/");
+ netdata.succeed("curl --fail http://localhost:19999/")
# check if netdata can read disk ops for root owned processes.
# if > 0, successful. verifies both netdata working and
# apps.plugin has elevated capabilities.
- my $cmd = <<'CMD';
- curl -s http://localhost:19999/api/v1/data\?chart=users.pwrites | \
- jq -e '[.data[range(10)][.labels | indices("root")[0]]] | add | . > 0'
- CMD
- $netdata->waitUntilSucceeds($cmd);
+ url = "http://localhost:19999/api/v1/data\?chart=users.pwrites"
+ filter = '[.data[range(10)][.labels | indices("root")[0]]] | add | . > 0'
+ cmd = f"curl -s {url} | jq -e '{filter}'"
+ netdata.wait_until_succeeds(cmd)
'';
})
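Review bot: The `\?` in the new `url = "http://localhost:19999/api/v1/data\?chart=users.pwrites"` line is not a recognised Python escape, so the backslash stays in the string (newer Python versions warn about it) and the command relies on the shell to strip it again. It is clearer to drop the backslash and quote the URL where it is used: `url = "http://localhost:19999/api/v1/data?chart=users.pwrites"` and `cmd = f"curl -s '{url}' | jq -e '{filter}'"`. That keeps `?` from being treated as a glob character without depending on an invalid escape sequence.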
diff --git a/nixpkgs/nixos/tests/nextcloud/basic.nix b/nixpkgs/nixos/tests/nextcloud/basic.nix
index bfb97ec3f23..75862feb202 100644
--- a/nixpkgs/nixos/tests/nextcloud/basic.nix
+++ b/nixpkgs/nixos/tests/nextcloud/basic.nix
@@ -1,4 +1,4 @@
-import ../make-test.nix ({ pkgs, ...}: let
+import ../make-test-python.nix ({ pkgs, ...}: let
adminpass = "notproduction";
adminuser = "root";
in {
@@ -50,11 +50,15 @@ in {
diff <(echo 'hi') <(${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file)
'';
in ''
- startAll();
- $nextcloud->waitForUnit("multi-user.target");
- $nextcloud->succeed("curl -sSf http://nextcloud/login");
- $nextcloud->succeed("${withRcloneEnv} ${copySharedFile}");
- $client->waitForUnit("multi-user.target");
- $client->succeed("${withRcloneEnv} ${diffSharedFile}");
+ start_all()
+ nextcloud.wait_for_unit("multi-user.target")
+ nextcloud.succeed("curl -sSf http://nextcloud/login")
+ nextcloud.succeed(
+ "${withRcloneEnv} ${copySharedFile}"
+ )
+ client.wait_for_unit("multi-user.target")
+ client.succeed(
+ "${withRcloneEnv} ${diffSharedFile}"
+ )
'';
})
diff --git a/nixpkgs/nixos/tests/nextcloud/with-mysql-and-memcached.nix b/nixpkgs/nixos/tests/nextcloud/with-mysql-and-memcached.nix
index aaf37ee4c81..b9ba5888187 100644
--- a/nixpkgs/nixos/tests/nextcloud/with-mysql-and-memcached.nix
+++ b/nixpkgs/nixos/tests/nextcloud/with-mysql-and-memcached.nix
@@ -1,4 +1,4 @@
-import ../make-test.nix ({ pkgs, ...}: let
+import ../make-test-python.nix ({ pkgs, ...}: let
adminpass = "hunter2";
adminuser = "root";
in {
@@ -85,13 +85,16 @@ in {
diff <(echo 'hi') <(${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file)
'';
in ''
- startAll();
- $nextcloud->waitForUnit("multi-user.target");
- $nextcloud->succeed("${configureMemcached}");
- $nextcloud->succeed("curl -sSf http://nextcloud/login");
- $nextcloud->succeed("${withRcloneEnv} ${copySharedFile}");
- $client->waitForUnit("multi-user.target");
- $client->succeed("${withRcloneEnv} ${diffSharedFile}");
-
+ start_all()
+ nextcloud.wait_for_unit("multi-user.target")
+ nextcloud.succeed("${configureMemcached}")
+ nextcloud.succeed("curl -sSf http://nextcloud/login")
+ nextcloud.succeed(
+ "${withRcloneEnv} ${copySharedFile}"
+ )
+ client.wait_for_unit("multi-user.target")
+ client.succeed(
+ "${withRcloneEnv} ${diffSharedFile}"
+ )
'';
})
diff --git a/nixpkgs/nixos/tests/nextcloud/with-postgresql-and-redis.nix b/nixpkgs/nixos/tests/nextcloud/with-postgresql-and-redis.nix
index f655aba9d45..324853350af 100644
--- a/nixpkgs/nixos/tests/nextcloud/with-postgresql-and-redis.nix
+++ b/nixpkgs/nixos/tests/nextcloud/with-postgresql-and-redis.nix
@@ -1,4 +1,4 @@
-import ../make-test.nix ({ pkgs, ...}: let
+import ../make-test-python.nix ({ pkgs, ...}: let
adminpass = "hunter2";
adminuser = "custom-admin-username";
in {
@@ -85,12 +85,16 @@ in {
diff <(echo 'hi') <(${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file)
'';
in ''
- startAll();
- $nextcloud->waitForUnit("multi-user.target");
- $nextcloud->succeed("${configureRedis}");
- $nextcloud->succeed("curl -sSf http://nextcloud/login");
- $nextcloud->succeed("${withRcloneEnv} ${copySharedFile}");
- $client->waitForUnit("multi-user.target");
- $client->succeed("${withRcloneEnv} ${diffSharedFile}");
+ start_all()
+ nextcloud.wait_for_unit("multi-user.target")
+ nextcloud.succeed("${configureRedis}")
+ nextcloud.succeed("curl -sSf http://nextcloud/login")
+ nextcloud.succeed(
+ "${withRcloneEnv} ${copySharedFile}"
+ )
+ client.wait_for_unit("multi-user.target")
+ client.succeed(
+ "${withRcloneEnv} ${diffSharedFile}"
+ )
'';
})
diff --git a/nixpkgs/nixos/tests/nexus.nix b/nixpkgs/nixos/tests/nexus.nix
index 783c9f5c019..1ec5c40476a 100644
--- a/nixpkgs/nixos/tests/nexus.nix
+++ b/nixpkgs/nixos/tests/nexus.nix
@@ -3,7 +3,7 @@
# 2. nexus service can startup on server (creating database and all other initial stuff)
# 3. the web application is reachable via HTTP
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "nexus";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ ironpinguin ma27 ];
@@ -22,11 +22,11 @@ import ./make-test.nix ({ pkgs, ...} : {
};
testScript = ''
- startAll;
+ start_all()
- $server->waitForUnit("nexus");
- $server->waitForOpenPort(8081);
+ server.wait_for_unit("nexus")
+ server.wait_for_open_port(8081)
- $server->succeed("curl -f 127.0.0.1:8081");
+ server.succeed("curl -f 127.0.0.1:8081")
'';
})
diff --git a/nixpkgs/nixos/tests/nix-ssh-serve.nix b/nixpkgs/nixos/tests/nix-ssh-serve.nix
index 494d55121eb..03f83542c7c 100644
--- a/nixpkgs/nixos/tests/nix-ssh-serve.nix
+++ b/nixpkgs/nixos/tests/nix-ssh-serve.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, lib, ... }:
+import ./make-test-python.nix ({ pkgs, lib, ... }:
let inherit (import ./ssh-keys.nix pkgs)
snakeOilPrivateKey snakeOilPublicKey;
ssh-config = builtins.toFile "ssh.conf" ''
@@ -18,22 +18,28 @@ in
client.nix.package = pkgs.nix;
};
testScript = ''
- startAll;
+ start_all()
- $client->succeed("mkdir -m 700 /root/.ssh");
- $client->copyFileFromHost("${ssh-config}", "/root/.ssh/config");
- $client->succeed("cat ${snakeOilPrivateKey} > /root/.ssh/id_ecdsa");
- $client->succeed("chmod 600 /root/.ssh/id_ecdsa");
+ client.succeed("mkdir -m 700 /root/.ssh")
+ client.succeed(
+ "cat ${ssh-config} > /root/.ssh/config"
+ )
+ client.succeed(
+ "cat ${snakeOilPrivateKey} > /root/.ssh/id_ecdsa"
+ )
+ client.succeed("chmod 600 /root/.ssh/id_ecdsa")
- $client->succeed("nix-store --add /etc/machine-id > mach-id-path");
+ client.succeed("nix-store --add /etc/machine-id > mach-id-path")
- $server->waitForUnit("sshd");
+ server.wait_for_unit("sshd")
- $client->fail("diff /root/other-store\$(cat mach-id-path) /etc/machine-id");
+ client.fail("diff /root/other-store$(cat mach-id-path) /etc/machine-id")
# Currently due to shared store this is a noop :(
- $client->succeed("nix copy --to ssh-ng://nix-ssh\@server \$(cat mach-id-path)");
- $client->succeed("nix-store --realise \$(cat mach-id-path) --store /root/other-store --substituters ssh-ng://nix-ssh\@server");
- $client->succeed("diff /root/other-store\$(cat mach-id-path) /etc/machine-id");
+ client.succeed("nix copy --to ssh-ng://nix-ssh@server $(cat mach-id-path)")
+ client.succeed(
+ "nix-store --realise $(cat mach-id-path) --store /root/other-store --substituters ssh-ng://nix-ssh@server"
+ )
+ client.succeed("diff /root/other-store$(cat mach-id-path) /etc/machine-id")
'';
}
)
diff --git a/nixpkgs/nixos/tests/nixos-generate-config.nix b/nixpkgs/nixos/tests/nixos-generate-config.nix
index 15a173e024b..6c83ccecc70 100644
--- a/nixpkgs/nixos/tests/nixos-generate-config.nix
+++ b/nixpkgs/nixos/tests/nixos-generate-config.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ lib, ... } : {
+import ./make-test-python.nix ({ lib, ... } : {
name = "nixos-generate-config";
meta.maintainers = with lib.maintainers; [ basvandijk ];
machine = {
@@ -11,14 +11,16 @@ import ./make-test.nix ({ lib, ... } : {
'';
};
testScript = ''
- startAll;
- $machine->waitForUnit("multi-user.target");
- $machine->succeed("nixos-generate-config");
+ start_all()
+ machine.wait_for_unit("multi-user.target")
+ machine.succeed("nixos-generate-config")
# Test if the configuration really is overridden
- $machine->succeed("grep 'OVERRIDDEN' /etc/nixos/configuration.nix");
+ machine.succeed("grep 'OVERRIDDEN' /etc/nixos/configuration.nix")
# Test of if the Perl variable $bootLoaderConfig is spliced correctly:
- $machine->succeed("grep 'boot\\.loader\\.grub\\.enable = true;' /etc/nixos/configuration.nix");
+ machine.succeed(
+ "grep 'boot\\.loader\\.grub\\.enable = true;' /etc/nixos/configuration.nix"
+ )
'';
})
diff --git a/nixpkgs/nixos/tests/openarena.nix b/nixpkgs/nixos/tests/openarena.nix
new file mode 100644
index 00000000000..4cc4db22963
--- /dev/null
+++ b/nixpkgs/nixos/tests/openarena.nix
@@ -0,0 +1,36 @@
+import ./make-test.nix ({ pkgs, ...} : {
+ name = "openarena";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ tomfitzhenry ];
+ };
+
+ machine =
+ { pkgs, ... }:
+
+ { imports = [];
+ environment.systemPackages = with pkgs; [
+ socat
+ ];
+ services.openarena = {
+ enable = true;
+ extraFlags = [
+ "+set dedicated 2"
+ "+set sv_hostname 'My NixOS server'"
+ "+map oa_dm1"
+ ];
+ };
+ };
+
+ testScript =
+ ''
+ $machine->waitForUnit("openarena.service");
+ $machine->waitUntilSucceeds("ss --numeric --udp --listening | grep -q 27960");
+
+ # The log line containing 'resolve address' is last and only message that occurs after
+ # the server starts accepting clients.
+ $machine->waitUntilSucceeds("journalctl -u openarena.service | grep 'resolve address: dpmaster.deathmask.net'");
+
+ # Check it's possible to join the server.
+ $machine->succeed("echo -n -e '\\xff\\xff\\xff\\xffgetchallenge' | socat - UDP4-DATAGRAM:127.0.0.1:27960 | grep -q challengeResponse");
+ '';
+})
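Review bot: This new test imports `./make-test.nix` and its testScript is written for the Perl driver (`$machine->waitForUnit(...)`), while the surrounding hunks move existing tests to `./make-test-python.nix`; the new orangefs.nix file further down does the same. Adding tests on the old driver means they will need a second pass later, so it would be more consistent to write them against the Python driver from the start, e.g. `machine.wait_for_unit("openarena.service")` and `machine.wait_until_succeeds(...)`. Separately, `grep -q 27960` matches that number anywhere in the `ss` output, so a pattern that includes the leading colon, `grep -q ':27960'`, would be a tighter check.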
diff --git a/nixpkgs/nixos/tests/opensmtpd.nix b/nixpkgs/nixos/tests/opensmtpd.nix
index 883ad760494..e6f52db1d98 100644
--- a/nixpkgs/nixos/tests/opensmtpd.nix
+++ b/nixpkgs/nixos/tests/opensmtpd.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix {
+import ./make-test-python.nix {
name = "opensmtpd";
nodes = {
@@ -102,23 +102,23 @@ import ./make-test.nix {
};
testScript = ''
- startAll;
+ start_all()
- $client->waitForUnit("network-online.target");
- $smtp1->waitForUnit('opensmtpd');
- $smtp2->waitForUnit('opensmtpd');
- $smtp2->waitForUnit('dovecot2');
+ client.wait_for_unit("network-online.target")
+ smtp1.wait_for_unit("opensmtpd")
+ smtp2.wait_for_unit("opensmtpd")
+ smtp2.wait_for_unit("dovecot2")
# To prevent sporadic failures during daemon startup, make sure
# services are listening on their ports before sending requests
- $smtp1->waitForOpenPort(25);
- $smtp2->waitForOpenPort(25);
- $smtp2->waitForOpenPort(143);
+ smtp1.wait_for_open_port(25)
+ smtp2.wait_for_open_port(25)
+ smtp2.wait_for_open_port(143)
- $client->succeed('send-a-test-mail');
- $smtp1->waitUntilFails('smtpctl show queue | egrep .');
- $smtp2->waitUntilFails('smtpctl show queue | egrep .');
- $client->succeed('check-mail-landed >&2');
+ client.succeed("send-a-test-mail")
+ smtp1.wait_until_fails("smtpctl show queue | egrep .")
+ smtp2.wait_until_fails("smtpctl show queue | egrep .")
+ client.succeed("check-mail-landed >&2")
'';
meta.timeout = 30;
diff --git a/nixpkgs/nixos/tests/openssh.nix b/nixpkgs/nixos/tests/openssh.nix
index 8b9e2170f15..e9692b50327 100644
--- a/nixpkgs/nixos/tests/openssh.nix
+++ b/nixpkgs/nixos/tests/openssh.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }:
+import ./make-test-python.nix ({ pkgs, ... }:
let inherit (import ./ssh-keys.nix pkgs)
snakeOilPrivateKey snakeOilPublicKey;
@@ -58,47 +58,55 @@ in {
};
testScript = ''
- startAll;
-
- my $key=`${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f key -N ""`;
-
- $server->waitForUnit("sshd");
-
- subtest "manual-authkey", sub {
- $server->succeed("mkdir -m 700 /root/.ssh");
- $server->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");
- $server_lazy->succeed("mkdir -m 700 /root/.ssh");
- $server_lazy->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");
-
- $client->succeed("mkdir -m 700 /root/.ssh");
- $client->copyFileFromHost("key", "/root/.ssh/id_ed25519");
- $client->succeed("chmod 600 /root/.ssh/id_ed25519");
-
- $client->waitForUnit("network.target");
- $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2");
- $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024");
-
- $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'echo hello world' >&2");
- $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'ulimit -l' | grep 1024");
-
- };
-
- subtest "configured-authkey", sub {
- $client->succeed("cat ${snakeOilPrivateKey} > privkey.snakeoil");
- $client->succeed("chmod 600 privkey.snakeoil");
- $client->succeed("ssh -o UserKnownHostsFile=/dev/null" .
- " -o StrictHostKeyChecking=no -i privkey.snakeoil" .
- " server true");
-
- $client->succeed("ssh -o UserKnownHostsFile=/dev/null" .
- " -o StrictHostKeyChecking=no -i privkey.snakeoil" .
- " server_lazy true");
-
- };
-
- subtest "localhost-only", sub {
- $server_localhost_only->succeed("ss -nlt | grep '127.0.0.1:22'");
- $server_localhost_only_lazy->succeed("ss -nlt | grep '127.0.0.1:22'");
- }
+ start_all()
+
+ server.wait_for_unit("sshd")
+
+ with subtest("manual-authkey"):
+ client.succeed("mkdir -m 700 /root/.ssh")
+ client.succeed(
+ '${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""'
+ )
+ public_key = client.succeed(
+ "${pkgs.openssh}/bin/ssh-keygen -y -f /root/.ssh/id_ed25519"
+ )
+ public_key = public_key.strip()
+ client.succeed("chmod 600 /root/.ssh/id_ed25519")
+
+ server.succeed("mkdir -m 700 /root/.ssh")
+ server.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key))
+ server_lazy.succeed("mkdir -m 700 /root/.ssh")
+ server_lazy.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key))
+
+ client.wait_for_unit("network.target")
+ client.succeed(
+ "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2"
+ )
+ client.succeed(
+ "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024"
+ )
+
+ client.succeed(
+ "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'echo hello world' >&2"
+ )
+ client.succeed(
+ "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'ulimit -l' | grep 1024"
+ )
+
+ with subtest("configured-authkey"):
+ client.succeed(
+ "cat ${snakeOilPrivateKey} > privkey.snakeoil"
+ )
+ client.succeed("chmod 600 privkey.snakeoil")
+ client.succeed(
+ "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server true"
+ )
+ client.succeed(
+ "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server_lazy true"
+ )
+
+ with subtest("localhost-only"):
+ server_localhost_only.succeed("ss -nlt | grep '127.0.0.1:22'")
+ server_localhost_only_lazy.succeed("ss -nlt | grep '127.0.0.1:22'")
'';
})
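Review bot: In the manual-authkey subtest the output of `ssh-keygen -y` is spliced into a single-quoted shell string by `"echo '{}' > /root/.ssh/authorized_keys".format(public_key)`, on both `server` and `server_lazy`. That is only correct while the key text contains no quote characters. A comment above those two lines such as `# public_key is "type base64" from ssh-keygen -y, safe inside single quotes` would record the assumption for whoever edits the test next. The `client.succeed("chmod 600 /root/.ssh/id_ed25519")` line also looks redundant, since ssh-keygen should already create the private key with owner-only permissions.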
diff --git a/nixpkgs/nixos/tests/orangefs.nix b/nixpkgs/nixos/tests/orangefs.nix
new file mode 100644
index 00000000000..bdf4fc10c44
--- /dev/null
+++ b/nixpkgs/nixos/tests/orangefs.nix
@@ -0,0 +1,88 @@
+import ./make-test.nix ({ ... } :
+
+let
+ server = { pkgs, ... } : {
+ networking.firewall.allowedTCPPorts = [ 3334 ];
+ boot.initrd.postDeviceCommands = ''
+ ${pkgs.e2fsprogs}/bin/mkfs.ext4 -L data /dev/vdb
+ '';
+
+ virtualisation.emptyDiskImages = [ 4096 ];
+
+ fileSystems = pkgs.lib.mkVMOverride
+ [ { mountPoint = "/data";
+ device = "/dev/disk/by-label/data";
+ fsType = "ext4";
+ }
+ ];
+
+ services.orangefs.server = {
+ enable = true;
+ dataStorageSpace = "/data/storage";
+ metadataStorageSpace = "/data/meta";
+ servers = {
+ server1 = "tcp://server1:3334";
+ server2 = "tcp://server2:3334";
+ };
+ };
+ };
+
+ client = { lib, ... } : {
+ networking.firewall.enable = true;
+
+ services.orangefs.client = {
+ enable = true;
+ fileSystems = [{
+ target = "tcp://server1:3334/orangefs";
+ mountPoint = "/orangefs";
+ }];
+ };
+ };
+
+in {
+ name = "orangefs";
+
+ nodes = {
+ server1 = server;
+ server2 = server;
+
+ client1 = client;
+ client2 = client;
+ };
+
+ testScript = ''
+ # format storage
+ foreach my $server (($server1,$server2))
+ {
+ $server->start();
+ $server->waitForUnit("multi-user.target");
+ $server->succeed("mkdir -p /data/storage /data/meta");
+ $server->succeed("chown orangefs:orangefs /data/storage /data/meta");
+ $server->succeed("chmod 0770 /data/storage /data/meta");
+ $server->succeed("sudo -g orangefs -u orangefs pvfs2-server -f /etc/orangefs/server.conf");
+ }
+
+ # start services after storage is formated on all machines
+ foreach my $server (($server1,$server2))
+ {
+ $server->succeed("systemctl start orangefs-server.service");
+ }
+
+ # Check if clients can reach and mount the FS
+ foreach my $client (($client1,$client2))
+ {
+ $client->start();
+ $client->waitForUnit("orangefs-client.service");
+ # Both servers need to be reachable
+ $client->succeed("pvfs2-check-server -h server1 -f orangefs -n tcp -p 3334");
+ $client->succeed("pvfs2-check-server -h server2 -f orangefs -n tcp -p 3334");
+ $client->waitForUnit("orangefs.mount");
+
+ }
+
+ # R/W test between clients
+ $client1->succeed("echo test > /orangefs/file1");
+ $client2->succeed("grep test /orangefs/file1");
+
+ '';
+})
diff --git a/nixpkgs/nixos/tests/os-prober.nix b/nixpkgs/nixos/tests/os-prober.nix
index 9cd9f4ecd15..5407a62339f 100644
--- a/nixpkgs/nixos/tests/os-prober.nix
+++ b/nixpkgs/nixos/tests/os-prober.nix
@@ -51,12 +51,11 @@ let
hashed-mirrors =
connect-timeout = 1
'';
- services.udisks2.enable = lib.mkForce false;
};
# /etc/nixos/configuration.nix for the vm
configFile = pkgs.writeText "configuration.nix" ''
{config, pkgs, ...}: ({
- imports =
+ imports =
[ ./hardware-configuration.nix
<nixpkgs/nixos/modules/testing/test-instrumentation.nix>
];
diff --git a/nixpkgs/nixos/tests/osquery.nix b/nixpkgs/nixos/tests/osquery.nix
deleted file mode 100644
index d95871ffafc..00000000000
--- a/nixpkgs/nixos/tests/osquery.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-import ./make-test.nix ({ pkgs, lib, ... }:
-
-with lib;
-
-{
- name = "osquery";
- meta = with pkgs.stdenv.lib.maintainers; {
- maintainers = [ ma27 ];
- };
-
- machine = {
- services.osquery.enable = true;
- services.osquery.loggerPath = "/var/log/osquery/logs";
- services.osquery.pidfile = "/run/osqueryd.pid";
- };
-
- testScript = ''
- $machine->start;
- $machine->waitForUnit("osqueryd.service");
-
- $machine->succeed("echo 'SELECT address FROM etc_hosts LIMIT 1;' | osqueryi | grep '127.0.0.1'");
- $machine->succeed(
- "echo 'SELECT value FROM osquery_flags WHERE name = \"logger_path\";' | osqueryi | grep /var/log/osquery/logs"
- );
-
- $machine->succeed("echo 'SELECT value FROM osquery_flags WHERE name = \"pidfile\";' | osqueryi | grep /run/osqueryd.pid");
- '';
-})
diff --git a/nixpkgs/nixos/tests/ostree.nix b/nixpkgs/nixos/tests/ostree.nix
deleted file mode 100644
index d7ad84a1a5f..00000000000
--- a/nixpkgs/nixos/tests/ostree.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-# run installed tests
-import ./make-test.nix ({ pkgs, lib, ... }: {
- name = "ostree";
-
- meta = {
- maintainers = pkgs.ostree.meta.maintainers;
- };
-
- # TODO: Wrap/patch the tests directly in the package
- machine = { pkgs, ... }: {
- environment.systemPackages = with pkgs; [
- gnome-desktop-testing ostree gnupg (python3.withPackages (p: with p; [ pyyaml ]))
- ];
-
- environment.variables.GI_TYPELIB_PATH = lib.makeSearchPath "lib/girepository-1.0" (with pkgs; [ gtk3 pango.out ostree gdk-pixbuf atk ]); # for GJS tests
- };
-
- testScript = ''
- $machine->succeed("gnome-desktop-testing-runner -d ${pkgs.ostree.installedTests}/share");
- '';
-})
diff --git a/nixpkgs/nixos/tests/packagekit.nix b/nixpkgs/nixos/tests/packagekit.nix
index e2d68af661f..7e93ad35e80 100644
--- a/nixpkgs/nixos/tests/packagekit.nix
+++ b/nixpkgs/nixos/tests/packagekit.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }: {
+import ./make-test-python.nix ({ pkgs, ... }: {
name = "packagekit";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ peterhoeg ];
@@ -13,12 +13,14 @@ import ./make-test.nix ({ pkgs, ... }: {
};
testScript = ''
- startAll;
+ start_all()
# send a dbus message to activate the service
- $machine->succeed("dbus-send --system --type=method_call --print-reply --dest=org.freedesktop.PackageKit /org/freedesktop/PackageKit org.freedesktop.DBus.Introspectable.Introspect");
+ machine.succeed(
+ "dbus-send --system --type=method_call --print-reply --dest=org.freedesktop.PackageKit /org/freedesktop/PackageKit org.freedesktop.DBus.Introspectable.Introspect"
+ )
# so now it should be running
- $machine->succeed("systemctl is-active packagekit.service");
+ machine.wait_for_unit("packagekit.service")
'';
})
diff --git a/nixpkgs/nixos/tests/pantheon.nix b/nixpkgs/nixos/tests/pantheon.nix
index 9888887ee8b..c0434f20754 100644
--- a/nixpkgs/nixos/tests/pantheon.nix
+++ b/nixpkgs/nixos/tests/pantheon.nix
@@ -1,9 +1,10 @@
-import ./make-test.nix ({ pkgs, ...} :
+import ./make-test-python.nix ({ pkgs, ...} :
{
name = "pantheon";
+
meta = with pkgs.stdenv.lib.maintainers; {
- maintainers = [ worldofpeace ];
+ maintainers = pkgs.pantheon.maintainers;
};
machine = { ... }:
@@ -21,35 +22,38 @@ import ./make-test.nix ({ pkgs, ...} :
testScript = { nodes, ... }: let
user = nodes.machine.config.users.users.alice;
+ bob = nodes.machine.config.users.users.bob;
in ''
- startAll;
-
- # Wait for display manager to start
- $machine->waitForText(qr/${user.description}/);
- $machine->screenshot("lightdm");
-
- # Log in
- $machine->sendChars("${user.password}\n");
- $machine->waitForFile("/home/alice/.Xauthority");
- $machine->succeed("xauth merge ~alice/.Xauthority");
-
- # Check if "pantheon-shell" components actually start
- $machine->waitUntilSucceeds("pgrep gala");
- $machine->waitForWindow(qr/gala/);
- $machine->waitUntilSucceeds("pgrep wingpanel");
- $machine->waitForWindow("wingpanel");
- $machine->waitUntilSucceeds("pgrep plank");
- $machine->waitForWindow(qr/plank/);
-
- # Check that logging in has given the user ownership of devices.
- $machine->succeed("getfacl -p /dev/snd/timer | grep -q alice");
-
- # Open elementary terminal
- $machine->execute("su - alice -c 'DISPLAY=:0.0 io.elementary.terminal &'");
- $machine->waitForWindow(qr/io.elementary.terminal/);
-
- # Take a screenshot of the desktop
- $machine->sleep(20);
- $machine->screenshot("screen");
+ machine.wait_for_unit("display-manager.service")
+
+ with subtest("Test we can see usernames in elementary-greeter"):
+ machine.wait_for_text("${user.description}")
+ # OCR was struggling with this one.
+ # machine.wait_for_text("${bob.description}")
+ machine.screenshot("elementary_greeter_lightdm")
+
+ with subtest("Login with elementary-greeter"):
+ machine.send_chars("${user.password}\n")
+ machine.wait_for_x()
+ machine.wait_for_file("${user.home}/.Xauthority")
+ machine.succeed("xauth merge ${user.home}/.Xauthority")
+
+ with subtest("Check that logging in has given the user ownership of devices"):
+ machine.succeed("getfacl -p /dev/snd/timer | grep -q ${user.name}")
+
+ # TODO: DBus API could eliminate this? Pantheon uses Bamf.
+ with subtest("Check if pantheon session components actually start"):
+ machine.wait_until_succeeds("pgrep gala")
+ machine.wait_for_window("gala")
+ machine.wait_until_succeeds("pgrep wingpanel")
+ machine.wait_for_window("wingpanel")
+ machine.wait_until_succeeds("pgrep plank")
+ machine.wait_for_window("plank")
+
+ with subtest("Open elementary terminal"):
+ machine.execute("su - ${user.name} -c 'DISPLAY=:0 io.elementary.terminal &'")
+ machine.wait_for_window("io.elementary.terminal")
+ machine.sleep(20)
+ machine.screenshot("screen")
'';
})
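Review bot: The commented-out line `# machine.wait_for_text("${bob.description}")` is still antiquoted by Nix, because `${...}` is expanded inside the `''` string before Python ever sees the `#`. The new `bob` binding is therefore evaluated even though the check is disabled. If the check stays disabled, either write it as `''${bob.description}` so Nix leaves it alone, or drop the line together with the `bob` binding. The `user.description` and `user.password` values are likewise pasted unescaped into Python string literals, which is presumably fine for the fixed test accounts but would break on a value containing a double quote.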
diff --git a/nixpkgs/nixos/tests/pgjwt.nix b/nixpkgs/nixos/tests/pgjwt.nix
index a2d81288c81..4793a3e3150 100644
--- a/nixpkgs/nixos/tests/pgjwt.nix
+++ b/nixpkgs/nixos/tests/pgjwt.nix
@@ -1,12 +1,5 @@
-import ./make-test.nix ({ pkgs, lib, ...}:
-let
- test = with pkgs; runCommand "patch-test" {
- nativeBuildInputs = [ pgjwt ];
- }
- ''
- sed -e '12 i CREATE EXTENSION pgcrypto;\nCREATE EXTENSION pgtap;\nSET search_path TO tap,public;' ${pgjwt.src}/test.sql > $out;
- '';
-in
+import ./make-test-python.nix ({ pkgs, lib, ...}:
+
with pkgs; {
name = "pgjwt";
meta = with lib.maintainers; {
@@ -29,9 +22,13 @@ with pkgs; {
pgProve = "${pkgs.perlPackages.TAPParserSourceHandlerpgTAP}";
in
''
- startAll;
- $master->waitForUnit("postgresql");
- $master->copyFileFromHost("${test}","/tmp/test.sql");
- $master->succeed("${pkgs.sudo}/bin/sudo -u ${sqlSU} PGOPTIONS=--search_path=tap,public ${pgProve}/bin/pg_prove -d postgres -v -f /tmp/test.sql");
+ start_all()
+ master.wait_for_unit("postgresql")
+ master.succeed(
+ "${pkgs.gnused}/bin/sed -e '12 i CREATE EXTENSION pgcrypto;\\nCREATE EXTENSION pgtap;\\nSET search_path TO tap,public;' ${pgjwt.src}/test.sql > /tmp/test.sql"
+ )
+ master.succeed(
+ "${pkgs.sudo}/bin/sudo -u ${sqlSU} PGOPTIONS=--search_path=tap,public ${pgProve}/bin/pg_prove -d postgres -v -f /tmp/test.sql"
+ )
'';
})
diff --git a/nixpkgs/nixos/tests/plasma5.nix b/nixpkgs/nixos/tests/plasma5.nix
index 614fc9bf316..6884f17aabb 100644
--- a/nixpkgs/nixos/tests/plasma5.nix
+++ b/nixpkgs/nixos/tests/plasma5.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...} :
+import ./make-test-python.nix ({ pkgs, ...} :
{
name = "plasma5";
@@ -7,23 +7,11 @@ import ./make-test.nix ({ pkgs, ...} :
};
machine = { ... }:
- let
- sddm_theme = pkgs.stdenv.mkDerivation {
- name = "breeze-ocr-theme";
- phases = "buildPhase";
- buildCommand = ''
- mkdir -p $out/share/sddm/themes/
- cp -r ${pkgs.plasma-workspace}/share/sddm/themes/breeze $out/share/sddm/themes/breeze-ocr-theme
- chmod -R +w $out/share/sddm/themes/breeze-ocr-theme
- printf "[General]\ntype=color\ncolor=#1d99f3\nbackground=\n" > $out/share/sddm/themes/breeze-ocr-theme/theme.conf
- '';
- };
- in
+
{
imports = [ ./common/user-account.nix ];
services.xserver.enable = true;
services.xserver.displayManager.sddm.enable = true;
- services.xserver.displayManager.sddm.theme = "breeze-ocr-theme";
services.xserver.desktopManager.plasma5.enable = true;
services.xserver.desktopManager.default = "plasma5";
services.xserver.displayManager.sddm.autoLogin = {
@@ -32,34 +20,40 @@ import ./make-test.nix ({ pkgs, ...} :
};
hardware.pulseaudio.enable = true; # needed for the factl test, /dev/snd/* exists without them but udev doesn't care then
virtualisation.memorySize = 1024;
- environment.systemPackages = [ sddm_theme ];
};
testScript = { nodes, ... }: let
user = nodes.machine.config.users.users.alice;
xdo = "${pkgs.xdotool}/bin/xdotool";
in ''
- startAll;
- # wait for log in
- $machine->waitForFile("/home/alice/.Xauthority");
- $machine->succeed("xauth merge ~alice/.Xauthority");
-
- $machine->waitUntilSucceeds("pgrep plasmashell");
- $machine->waitForWindow("^Desktop ");
-
- # Check that logging in has given the user ownership of devices.
- $machine->succeed("getfacl -p /dev/snd/timer | grep -q alice");
-
- $machine->execute("su - alice -c 'DISPLAY=:0.0 dolphin &'");
- $machine->waitForWindow(" Dolphin");
-
- $machine->execute("su - alice -c 'DISPLAY=:0.0 konsole &'");
- $machine->waitForWindow("Konsole");
-
- $machine->execute("su - alice -c 'DISPLAY=:0.0 systemsettings5 &'");
- $machine->waitForWindow("Settings");
-
- $machine->execute("${xdo} key Alt+F1 sleep 10");
- $machine->screenshot("screen");
+ with subtest("Wait for login"):
+ start_all()
+ machine.wait_for_file("${user.home}/.Xauthority")
+ machine.succeed("xauth merge ${user.home}/.Xauthority")
+
+ with subtest("Check plasmashell started"):
+ machine.wait_until_succeeds("pgrep plasmashell")
+ machine.wait_for_window("^Desktop ")
+
+ with subtest("Check that logging in has given the user ownership of devices"):
+ machine.succeed("getfacl -p /dev/snd/timer | grep -q ${user.name}")
+
+ with subtest("Run Dolphin"):
+ machine.execute("su - ${user.name} -c 'DISPLAY=:0.0 dolphin &'")
+ machine.wait_for_window(" Dolphin")
+
+ with subtest("Run Konsole"):
+ machine.execute("su - ${user.name} -c 'DISPLAY=:0.0 konsole &'")
+ machine.wait_for_window("Konsole")
+
+ with subtest("Run systemsettings"):
+ machine.execute("su - ${user.name} -c 'DISPLAY=:0.0 systemsettings5 &'")
+ machine.wait_for_window("Settings")
+
+ with subtest("Wait to get a screenshot"):
+ machine.execute(
+ "${xdo} key Alt+F1 sleep 10"
+ )
+ machine.screenshot("screen")
'';
})
diff --git a/nixpkgs/nixos/tests/postgresql.nix b/nixpkgs/nixos/tests/postgresql.nix
index ae5d6d095ea..e71c3888288 100644
--- a/nixpkgs/nixos/tests/postgresql.nix
+++ b/nixpkgs/nixos/tests/postgresql.nix
@@ -3,7 +3,7 @@
pkgs ? import ../.. { inherit system config; }
}:
-with import ../lib/testing.nix { inherit system pkgs; };
+with import ../lib/testing-python.nix { inherit system pkgs; };
with pkgs.lib;
let
@@ -40,29 +40,33 @@ let
backupName = if backup-all then "all" else "postgres";
backupService = if backup-all then "postgresqlBackup" else "postgresqlBackup-postgres";
in ''
- sub check_count {
- my ($select, $nlines) = @_;
- return 'test $(sudo -u postgres psql postgres -tAc "' . $select . '"|wc -l) -eq ' . $nlines;
- }
+ def check_count(statement, lines):
+ return 'test $(sudo -u postgres psql postgres -tAc "{}"|wc -l) -eq {}'.format(
+ statement, lines
+ )
+
+
+ machine.start()
+ machine.wait_for_unit("postgresql")
- $machine->start;
- $machine->waitForUnit("postgresql");
# postgresql should be available just after unit start
- $machine->succeed("cat ${test-sql} | sudo -u postgres psql");
- $machine->shutdown; # make sure that postgresql survive restart (bug #1735)
- sleep(2);
- $machine->start;
- $machine->waitForUnit("postgresql");
- $machine->fail(check_count("SELECT * FROM sth;", 3));
- $machine->succeed(check_count("SELECT * FROM sth;", 5));
- $machine->fail(check_count("SELECT * FROM sth;", 4));
- $machine->succeed(check_count("SELECT xpath(\'/test/text()\', doc) FROM xmltest;", 1));
+ machine.succeed(
+ "cat ${test-sql} | sudo -u postgres psql"
+ )
+ machine.shutdown() # make sure that postgresql survive restart (bug #1735)
+ time.sleep(2)
+ machine.start()
+ machine.wait_for_unit("postgresql")
+ machine.fail(check_count("SELECT * FROM sth;", 3))
+ machine.succeed(check_count("SELECT * FROM sth;", 5))
+ machine.fail(check_count("SELECT * FROM sth;", 4))
+ machine.succeed(check_count("SELECT xpath('/test/text()', doc) FROM xmltest;", 1))
# Check backup service
- $machine->succeed("systemctl start ${backupService}.service");
- $machine->succeed("zcat /var/backup/postgresql/${backupName}.sql.gz | grep '<test>ok</test>'");
- $machine->succeed("stat -c '%a' /var/backup/postgresql/${backupName}.sql.gz | grep 600");
- $machine->shutdown;
+ machine.succeed("systemctl start ${backupService}.service")
+ machine.succeed("zcat /var/backup/postgresql/${backupName}.sql.gz | grep '<test>ok</test>'")
+ machine.succeed("stat -c '%a' /var/backup/postgresql/${backupName}.sql.gz | grep 600")
+ machine.shutdown()
'';
};
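Review bot: The new `check_count` helper has no docstring, and it pastes `statement` into a double-quoted shell argument, so a statement containing `"`, `$` or a backtick would be changed by the shell before psql sees it. The four calls in this hunk pass safe literals, so nothing breaks today. A docstring such as `"""Return a shell test that psql prints exactly `lines` rows for `statement`; statement must not contain double quotes, $ or backticks."""` would make that limit explicit. `time.sleep(2)` also relies on `time` being available in the test script's namespace, which is not visible here; the enclosing `let` block starts outside the hunk.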
diff --git a/nixpkgs/nixos/tests/powerdns.nix b/nixpkgs/nixos/tests/powerdns.nix
index 8addcc78401..75d71315e64 100644
--- a/nixpkgs/nixos/tests/powerdns.nix
+++ b/nixpkgs/nixos/tests/powerdns.nix
@@ -1,12 +1,13 @@
-import ./make-test.nix ({ pkgs, ... }: {
+import ./make-test-python.nix ({ pkgs, ... }: {
name = "powerdns";
nodes.server = { ... }: {
services.powerdns.enable = true;
+ environment.systemPackages = [ pkgs.dnsutils ];
};
testScript = ''
- $server->waitForUnit("pdns");
- $server->succeed("${pkgs.dnsutils}/bin/dig version.bind txt chaos \@127.0.0.1");
+ server.wait_for_unit("pdns")
+ server.succeed("dig version.bind txt chaos \@127.0.0.1")
'';
})
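Review bot: The `\@127.0.0.1` in the new `server.succeed("dig version.bind txt chaos \@127.0.0.1")` line is a leftover from the Perl driver, where `@` had to be escaped inside a double-quoted string. In a Python string literal `\@` is an unrecognised escape, so the backslash is kept and newer interpreters emit a DeprecationWarning for it. The command only works because the shell then drops the backslash. Writing it as `server.succeed("dig version.bind txt chaos @127.0.0.1")` removes that dependency; the same applies to `curl --data-binary \@-` in the prometheus.nix test script further down.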
diff --git a/nixpkgs/nixos/tests/pppd.nix b/nixpkgs/nixos/tests/pppd.nix
index 91f81185909..bda0aa75bb5 100644
--- a/nixpkgs/nixos/tests/pppd.nix
+++ b/nixpkgs/nixos/tests/pppd.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix (
+import ./make-test-python.nix (
let
chap-secrets = {
text = ''"flynn" * "reindeerflotilla" *'';
@@ -53,10 +53,10 @@ import ./make-test.nix (
environment.etc."ppp/chap-secrets" = chap-secrets;
};
};
-
+
testScript = ''
- startAll;
- $client->waitUntilSucceeds("ping -c1 -W1 192.0.2.1");
- $server->waitUntilSucceeds("ping -c1 -W1 192.0.2.2");
+ start_all()
+ client.wait_until_succeeds("ping -c1 -W1 192.0.2.1")
+ server.wait_until_succeeds("ping -c1 -W1 192.0.2.2")
'';
- })
+ })
diff --git a/nixpkgs/nixos/tests/prometheus-exporters.nix b/nixpkgs/nixos/tests/prometheus-exporters.nix
index 676183f6356..563f2472647 100644
--- a/nixpkgs/nixos/tests/prometheus-exporters.nix
+++ b/nixpkgs/nixos/tests/prometheus-exporters.nix
@@ -4,12 +4,10 @@
}:
let
- inherit (import ../lib/testing.nix { inherit system pkgs; }) makeTest;
+ inherit (import ../lib/testing-python.nix { inherit system pkgs; }) makeTest;
inherit (pkgs.lib) concatStringsSep maintainers mapAttrs mkMerge
removeSuffix replaceChars singleton splitString;
- escape' = str: replaceChars [''"'' "$" "\n"] [''\\\"'' "\\$" ""] str;
-
/*
* The attrset `exporterTests` contains one attribute
* for each exporter test. Each of these attributes
@@ -33,9 +31,9 @@ let
* services.<metricProvider>.enable = true;
* };
* exporterTest = ''
- * waitForUnit("prometheus-<exporterName>-exporter.service");
- * waitForOpenPort("1234");
- * succeed("curl -sSf 'localhost:1234/metrics'");
+ * wait_for_unit("prometheus-<exporterName>-exporter.service")
+ * wait_for_open_port("1234")
+ * succeed("curl -sSf 'localhost:1234/metrics'")
* '';
* };
*
@@ -49,11 +47,11 @@ let
* };
*
* testScript = ''
- * $<exporterName>->start();
- * $<exporterName>->waitForUnit("prometheus-<exporterName>-exporter.service");
- * $<exporterName>->waitForOpenPort("1234");
- * $<exporterName>->succeed("curl -sSf 'localhost:1234/metrics'");
- * $<exporterName>->shutdown();
+ * <exporterName>.start()
+ * <exporterName>.wait_for_unit("prometheus-<exporterName>-exporter.service")
+ * <exporterName>.wait_for_open_port("1234")
+ * <exporterName>.succeed("curl -sSf 'localhost:1234/metrics'")
+ * <exporterName>.shutdown()
* '';
*/
@@ -72,9 +70,11 @@ let
'';
};
exporterTest = ''
- waitForUnit("prometheus-bind-exporter.service");
- waitForOpenPort(9119);
- succeed("curl -sSf http://localhost:9119/metrics | grep -q 'bind_query_recursions_total 0'");
+ wait_for_unit("prometheus-bind-exporter.service")
+ wait_for_open_port(9119)
+ succeed(
+ "curl -sSf http://localhost:9119/metrics | grep -q 'bind_query_recursions_total 0'"
+ )
'';
};
@@ -89,9 +89,11 @@ let
});
};
exporterTest = ''
- waitForUnit("prometheus-blackbox-exporter.service");
- waitForOpenPort(9115);
- succeed("curl -sSf 'http://localhost:9115/probe?target=localhost&module=icmp_v6' | grep -q 'probe_success 1'");
+ wait_for_unit("prometheus-blackbox-exporter.service")
+ wait_for_open_port(9115)
+ succeed(
+ "curl -sSf 'http://localhost:9115/probe?target=localhost&module=icmp_v6' | grep -q 'probe_success 1'"
+ )
'';
};
@@ -100,7 +102,7 @@ let
enable = true;
extraFlags = [ "--web.collectd-push-path /collectd" ];
};
- exporterTest =let postData = escape' ''
+ exporterTest = let postData = replaceChars [ "\n" ] [ "" ] ''
[{
"values":[23],
"dstypes":["gauge"],
@@ -108,13 +110,21 @@ let
"interval":1000,
"host":"testhost",
"plugin":"testplugin",
- "time":$(date +%s)
+ "time":DATE
}]
''; in ''
- waitForUnit("prometheus-collectd-exporter.service");
- waitForOpenPort(9103);
- succeed("curl -sSfH 'Content-Type: application/json' -X POST --data \"${postData}\" localhost:9103/collectd");
- succeed("curl -sSf localhost:9103/metrics | grep -q 'collectd_testplugin_gauge{instance=\"testhost\"} 23'");
+ wait_for_unit("prometheus-collectd-exporter.service")
+ wait_for_open_port(9103)
+ succeed(
+ 'echo \'${postData}\'> /tmp/data.json'
+ )
+ succeed('sed -ie "s DATE $(date +%s) " /tmp/data.json')
+ succeed(
+ "curl -sSfH 'Content-Type: application/json' -X POST --data @/tmp/data.json localhost:9103/collectd"
+ )
+ succeed(
+ "curl -sSf localhost:9103/metrics | grep -q 'collectd_testplugin_gauge{instance=\"testhost\"} 23'"
+ )
'';
};
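Review bot: `sed -ie "s DATE $(date +%s) " /tmp/data.json` is parsed (assuming GNU sed) as `-i` with backup suffix `e`, not as `-i -e`, so it leaves a stray `/tmp/data.jsone` behind; `sed -i -e "s DATE $(date +%s) " /tmp/data.json` states the intent. The payload is now written with `echo \'${postData}\'` and the removed `escape'` helper no longer guards the interpolation, so a single quote inside `postData` would end both the Python and the shell quoting. That is fine for the current literal, but a comment next to the binding such as `# postData is spliced into a single-quoted shell string: must not contain '` would keep it that way. The `let postData = …` binding starts in the previous hunk.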
@@ -127,9 +137,9 @@ let
services.dnsmasq.enable = true;
};
exporterTest = ''
- waitForUnit("prometheus-dnsmasq-exporter.service");
- waitForOpenPort(9153);
- succeed("curl -sSf http://localhost:9153/metrics | grep -q 'dnsmasq_leases 0'");
+ wait_for_unit("prometheus-dnsmasq-exporter.service")
+ wait_for_open_port(9153)
+ succeed("curl -sSf http://localhost:9153/metrics | grep -q 'dnsmasq_leases 0'")
'';
};
@@ -144,9 +154,11 @@ let
services.dovecot2.enable = true;
};
exporterTest = ''
- waitForUnit("prometheus-dovecot-exporter.service");
- waitForOpenPort(9166);
- succeed("curl -sSf http://localhost:9166/metrics | grep -q 'dovecot_up{scope=\"global\"} 1'");
+ wait_for_unit("prometheus-dovecot-exporter.service")
+ wait_for_open_port(9166)
+ succeed(
+ "curl -sSf http://localhost:9166/metrics | grep -q 'dovecot_up{scope=\"global\"} 1'"
+ )
'';
};
@@ -155,9 +167,11 @@ let
enable = true;
};
exporterTest = ''
- waitForUnit("prometheus-fritzbox-exporter.service");
- waitForOpenPort(9133);
- succeed("curl -sSf http://localhost:9133/metrics | grep -q 'fritzbox_exporter_collect_errors 0'");
+ wait_for_unit("prometheus-fritzbox-exporter.service")
+ wait_for_open_port(9133)
+ succeed(
+ "curl -sSf http://localhost:9133/metrics | grep -q 'fritzbox_exporter_collect_errors 0'"
+ )
'';
};
@@ -180,11 +194,11 @@ let
};
};
exporterTest = ''
- waitForUnit("nginx.service");
- waitForOpenPort(80);
- waitForUnit("prometheus-json-exporter.service");
- waitForOpenPort(7979);
- succeed("curl -sSf localhost:7979/metrics | grep -q 'json_test_metric 1'");
+ wait_for_unit("nginx.service")
+ wait_for_open_port(80)
+ wait_for_unit("prometheus-json-exporter.service")
+ wait_for_open_port(7979)
+ succeed("curl -sSf localhost:7979/metrics | grep -q 'json_test_metric 1'")
'';
};
@@ -222,10 +236,12 @@ let
users.users.mailexporter.isSystemUser = true;
};
exporterTest = ''
- waitForUnit("postfix.service")
- waitForUnit("prometheus-mail-exporter.service")
- waitForOpenPort(9225)
- waitUntilSucceeds("curl -sSf http://localhost:9225/metrics | grep -q 'mail_deliver_success{configname=\"testserver\"} 1'")
+ wait_for_unit("postfix.service")
+ wait_for_unit("prometheus-mail-exporter.service")
+ wait_for_open_port(9225)
+ wait_until_succeeds(
+ "curl -sSf http://localhost:9225/metrics | grep -q 'mail_deliver_success{configname=\"testserver\"} 1'"
+ )
'';
};
@@ -256,9 +272,9 @@ let
};
};
exporterTest = ''
- waitForUnit("nginx.service")
- waitForUnit("prometheus-nextcloud-exporter.service")
- waitForOpenPort(9205)
+ wait_for_unit("nginx.service")
+ wait_for_unit("prometheus-nextcloud-exporter.service")
+ wait_for_open_port(9205)
succeed("curl -sSf http://localhost:9205/metrics | grep -q 'nextcloud_up 1'")
'';
};
@@ -275,9 +291,9 @@ let
};
};
exporterTest = ''
- waitForUnit("nginx.service")
- waitForUnit("prometheus-nginx-exporter.service")
- waitForOpenPort(9113)
+ wait_for_unit("nginx.service")
+ wait_for_unit("prometheus-nginx-exporter.service")
+ wait_for_open_port(9113)
succeed("curl -sSf http://localhost:9113/metrics | grep -q 'nginx_up 1'")
'';
};
@@ -287,9 +303,11 @@ let
enable = true;
};
exporterTest = ''
- waitForUnit("prometheus-node-exporter.service");
- waitForOpenPort(9100);
- succeed("curl -sSf http://localhost:9100/metrics | grep -q 'node_exporter_build_info{.\\+} 1'");
+ wait_for_unit("prometheus-node-exporter.service")
+ wait_for_open_port(9100)
+ succeed(
+ "curl -sSf http://localhost:9100/metrics | grep -q 'node_exporter_build_info{.\\+} 1'"
+ )
'';
};
@@ -301,9 +319,11 @@ let
services.postfix.enable = true;
};
exporterTest = ''
- waitForUnit("prometheus-postfix-exporter.service");
- waitForOpenPort(9154);
- succeed("curl -sSf http://localhost:9154/metrics | grep -q 'postfix_smtpd_connects_total 0'");
+ wait_for_unit("prometheus-postfix-exporter.service")
+ wait_for_open_port(9154)
+ succeed(
+ "curl -sSf http://localhost:9154/metrics | grep -q 'postfix_smtpd_connects_total 0'"
+ )
'';
};
@@ -316,18 +336,24 @@ let
services.postgresql.enable = true;
};
exporterTest = ''
- waitForUnit("prometheus-postgres-exporter.service");
- waitForOpenPort(9187);
- waitForUnit("postgresql.service");
- succeed("curl -sSf http://localhost:9187/metrics | grep -q 'pg_exporter_last_scrape_error 0'");
- succeed("curl -sSf http://localhost:9187/metrics | grep -q 'pg_up 1'");
- systemctl("stop postgresql.service");
- succeed("curl -sSf http://localhost:9187/metrics | grep -qv 'pg_exporter_last_scrape_error 0'");
- succeed("curl -sSf http://localhost:9187/metrics | grep -q 'pg_up 0'");
- systemctl("start postgresql.service");
- waitForUnit("postgresql.service");
- succeed("curl -sSf http://localhost:9187/metrics | grep -q 'pg_exporter_last_scrape_error 0'");
- succeed("curl -sSf http://localhost:9187/metrics | grep -q 'pg_up 1'");
+ wait_for_unit("prometheus-postgres-exporter.service")
+ wait_for_open_port(9187)
+ wait_for_unit("postgresql.service")
+ succeed(
+ "curl -sSf http://localhost:9187/metrics | grep -q 'pg_exporter_last_scrape_error 0'"
+ )
+ succeed("curl -sSf http://localhost:9187/metrics | grep -q 'pg_up 1'")
+ systemctl("stop postgresql.service")
+ succeed(
+ "curl -sSf http://localhost:9187/metrics | grep -qv 'pg_exporter_last_scrape_error 0'"
+ )
+ succeed("curl -sSf http://localhost:9187/metrics | grep -q 'pg_up 0'")
+ systemctl("start postgresql.service")
+ wait_for_unit("postgresql.service")
+ succeed(
+ "curl -sSf http://localhost:9187/metrics | grep -q 'pg_exporter_last_scrape_error 0'"
+ )
+ succeed("curl -sSf http://localhost:9187/metrics | grep -q 'pg_up 1'")
'';
};
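Review bot: The check after `systemctl("stop postgresql.service")` cannot fail as written. `grep -qv 'pg_exporter_last_scrape_error 0'` exits 0 as soon as any line of the metrics output does not match, which holds for every multi-line response. To assert that the exporter really reports the failed scrape, match the positive value instead, e.g. `succeed("curl -sSf http://localhost:9187/metrics | grep -q 'pg_exporter_last_scrape_error 1'")`, assuming the exporter reports 1 on error. The line was carried over unchanged from the Perl version, so this is a pre-existing gap that the port keeps rather than a regression.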
@@ -339,11 +365,13 @@ let
services.rspamd.enable = true;
};
exporterTest = ''
- waitForUnit("rspamd.service");
- waitForUnit("prometheus-rspamd-exporter.service");
- waitForOpenPort(11334);
- waitForOpenPort(7980);
- waitUntilSucceeds("curl -sSf localhost:7980/metrics | grep -q 'rspamd_scanned{host=\"rspamd\"} 0'");
+ wait_for_unit("rspamd.service")
+ wait_for_unit("prometheus-rspamd-exporter.service")
+ wait_for_open_port(11334)
+ wait_for_open_port(7980)
+ wait_until_succeeds(
+ "curl -sSf localhost:7980/metrics | grep -q 'rspamd_scanned{host=\"rspamd\"} 0'"
+ )
'';
};
@@ -356,9 +384,9 @@ let
};
};
exporterTest = ''
- waitForUnit("prometheus-snmp-exporter.service");
- waitForOpenPort(9116);
- succeed("curl -sSf localhost:9116/metrics | grep -q 'snmp_request_errors_total 0'");
+ wait_for_unit("prometheus-snmp-exporter.service")
+ wait_for_open_port(9116)
+ succeed("curl -sSf localhost:9116/metrics | grep -q 'snmp_request_errors_total 0'")
'';
};
@@ -377,11 +405,11 @@ let
};
};
exporterTest = ''
- waitForUnit("nginx.service");
- waitForOpenPort(80);
- waitForUnit("prometheus-surfboard-exporter.service");
- waitForOpenPort(9239);
- succeed("curl -sSf localhost:9239/metrics | grep -q 'surfboard_up 1'");
+ wait_for_unit("nginx.service")
+ wait_for_open_port(80)
+ wait_for_unit("prometheus-surfboard-exporter.service")
+ wait_for_open_port(9239)
+ succeed("curl -sSf localhost:9239/metrics | grep -q 'surfboard_up 1'")
'';
};
@@ -396,11 +424,11 @@ let
services.tor.controlPort = 9051;
};
exporterTest = ''
- waitForUnit("tor.service");
- waitForOpenPort(9051);
- waitForUnit("prometheus-tor-exporter.service");
- waitForOpenPort(9130);
- succeed("curl -sSf localhost:9130/metrics | grep -q 'tor_version{.\\+} 1'");
+ wait_for_unit("tor.service")
+ wait_for_open_port(9051)
+ wait_for_unit("prometheus-tor-exporter.service")
+ wait_for_open_port(9130)
+ succeed("curl -sSf localhost:9130/metrics | grep -q 'tor_version{.\\+} 1'")
'';
};
@@ -426,10 +454,10 @@ let
};
};
exporterTest = ''
- waitForUnit("prometheus-varnish-exporter.service");
- waitForOpenPort(6081);
- waitForOpenPort(9131);
- succeed("curl -sSf http://localhost:9131/metrics | grep -q 'varnish_up 1'");
+ wait_for_unit("prometheus-varnish-exporter.service")
+ wait_for_open_port(6081)
+ wait_for_open_port(9131)
+ succeed("curl -sSf http://localhost:9131/metrics | grep -q 'varnish_up 1'")
'';
};
@@ -451,9 +479,11 @@ let
systemd.services.prometheus-wireguard-exporter.after = [ "wireguard-wg0.service" ];
};
exporterTest = ''
- waitForUnit("prometheus-wireguard-exporter.service");
- waitForOpenPort(9586);
- waitUntilSucceeds("curl -sSf http://localhost:9586/metrics | grep '${snakeoil.peer1.publicKey}'");
+ wait_for_unit("prometheus-wireguard-exporter.service")
+ wait_for_open_port(9586)
+ wait_until_succeeds(
+ "curl -sSf http://localhost:9586/metrics | grep '${snakeoil.peer1.publicKey}'"
+ )
'';
};
};
@@ -466,11 +496,13 @@ mapAttrs (exporter: testConfig: (makeTest {
} testConfig.metricProvider or {}];
testScript = ''
- ${"$"+exporter}->start();
- ${concatStringsSep " " (map (line: ''
- ${"$"+exporter}->${line};
- '') (splitString "\n" (removeSuffix "\n" testConfig.exporterTest)))}
- ${"$"+exporter}->shutdown();
+ ${exporter}.start()
+ ${concatStringsSep "\n" (map (line:
+ if (builtins.substring 0 1 line == " " || builtins.substring 0 1 line == ")")
+ then line
+ else "${exporter}.${line}"
+ ) (splitString "\n" (removeSuffix "\n" testConfig.exporterTest)))}
+ ${exporter}.shutdown()
'';
meta = with maintainers; {
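Review bot: The continuation test inside the `map` looks only at the first character (a space or `)`), so a blank line in an `exporterTest` is treated as a new statement and becomes the invalid Python line `<exporter>.`. A line starting with a tab or a closing `]` would be prefixed in the same way. Adding the empty case to the condition, `if (line == "" || builtins.substring 0 1 line == " " || builtins.substring 0 1 line == ")")`, covers the most likely slip. A comment above the `map` such as `# lines starting with a space or ")" continue the previous call and are passed through unprefixed` would document the convention that every `exporterTest` now has to follow. The enclosing `mapAttrs (exporter: testConfig: (makeTest { … })` starts and ends outside this hunk.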
diff --git a/nixpkgs/nixos/tests/prometheus.nix b/nixpkgs/nixos/tests/prometheus.nix
index 52f61046be3..8bfd0c131e6 100644
--- a/nixpkgs/nixos/tests/prometheus.nix
+++ b/nixpkgs/nixos/tests/prometheus.nix
@@ -31,7 +31,7 @@ let
};
};
-in import ./make-test.nix {
+in import ./make-test-python.nix {
name = "prometheus";
nodes = {
@@ -173,67 +173,73 @@ in import ./make-test.nix {
testScript = { nodes, ... } : ''
# Before starting the other machines we first make sure that our S3 service is online
# and has a bucket added for thanos:
- $s3->start;
- $s3->waitForUnit("minio.service");
- $s3->waitForOpenPort(${toString minioPort});
- $s3->succeed(
- "mc config host add minio " .
- "http://localhost:${toString minioPort} ${s3.accessKey} ${s3.secretKey} S3v4");
- $s3->succeed("mc mb minio/thanos-bucket");
+ s3.start()
+ s3.wait_for_unit("minio.service")
+ s3.wait_for_open_port(${toString minioPort})
+ s3.succeed(
+ "mc config host add minio "
+ + "http://localhost:${toString minioPort} "
+ + "${s3.accessKey} ${s3.secretKey} S3v4",
+ "mc mb minio/thanos-bucket",
+ )
# Now that s3 has started we can start the other machines:
- $prometheus->start;
- $query->start;
- $store->start;
+ for machine in prometheus, query, store:
+ machine.start()
# Check if prometheus responds to requests:
- $prometheus->waitForUnit("prometheus.service");
- $prometheus->waitForOpenPort(${toString queryPort});
- $prometheus->succeed("curl -s http://127.0.0.1:${toString queryPort}/metrics");
+ prometheus.wait_for_unit("prometheus.service")
+ prometheus.wait_for_open_port(${toString queryPort})
+ prometheus.succeed("curl -s http://127.0.0.1:${toString queryPort}/metrics")
# Let's test if pushing a metric to the pushgateway succeeds:
- $prometheus->waitForUnit("pushgateway.service");
- $prometheus->succeed(
- "echo 'some_metric 3.14' | " .
- "curl --data-binary \@- http://127.0.0.1:${toString pushgwPort}/metrics/job/some_job");
+ prometheus.wait_for_unit("pushgateway.service")
+ prometheus.succeed(
+ "echo 'some_metric 3.14' | "
+ + "curl --data-binary \@- "
+ + "http://127.0.0.1:${toString pushgwPort}/metrics/job/some_job"
+ )
# Now check whether that metric gets ingested by prometheus.
# Since we'll check for the metric several times on different machines
# we abstract the test using the following function:
# Function to check if the metric "some_metric" has been received and returns the correct value.
- local *Machine::waitForMetric = sub {
- my ($self) = @_;
- $self->waitUntilSucceeds(
- "curl -sf 'http://127.0.0.1:${toString queryPort}/api/v1/query?query=some_metric' " .
- "| jq '.data.result[0].value[1]' | grep '\"3.14\"'");
- };
+ def wait_for_metric(machine):
+ return machine.wait_until_succeeds(
+ "curl -sf 'http://127.0.0.1:${toString queryPort}/api/v1/query?query=some_metric' | "
+ + "jq '.data.result[0].value[1]' | grep '\"3.14\"'"
+ )
+
- $prometheus->waitForMetric;
+ wait_for_metric(prometheus)
# Let's test if the pushgateway persists metrics to the configured location.
- $prometheus->waitUntilSucceeds("test -e /var/lib/prometheus-pushgateway/metrics");
+ prometheus.wait_until_succeeds("test -e /var/lib/prometheus-pushgateway/metrics")
# Test thanos
- $prometheus->waitForUnit("thanos-sidecar.service");
+ prometheus.wait_for_unit("thanos-sidecar.service")
# Test if the Thanos query service can correctly retrieve the metric that was send above.
- $query->waitForUnit("thanos-query.service");
- $query->waitForMetric;
+ query.wait_for_unit("thanos-query.service")
+ wait_for_metric(query)
# Test if the Thanos sidecar has correctly uploaded its TSDB to S3, if the
# Thanos storage service has correctly downloaded it from S3 and if the Thanos
# query service running on $store can correctly retrieve the metric:
- $store->waitForUnit("thanos-store.service");
- $store->waitForMetric;
+ store.wait_for_unit("thanos-store.service")
+ wait_for_metric(store)
- $store->waitForUnit("thanos-compact.service");
+ store.wait_for_unit("thanos-compact.service")
# Test if the Thanos bucket command is able to retrieve blocks from the S3 bucket
# and check if the blocks have the correct labels:
- $store->succeed(
- "thanos bucket ls" .
- " --objstore.config-file=${nodes.store.config.services.thanos.store.objstore.config-file}" .
- " --output=json | jq .thanos.labels.some_label | grep 'required by thanos'");
+ store.succeed(
+ "thanos bucket ls "
+ + "--objstore.config-file=${nodes.store.config.services.thanos.store.objstore.config-file} "
+ + "--output=json | "
+ + "jq .thanos.labels.some_label | "
+ + "grep 'required by thanos'"
+ )
'';
}
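Review bot: `prometheus.succeed("curl -s http://127.0.0.1:${toString queryPort}/metrics")` passes on any HTTP response, including a 4xx or 5xx, because curl only exits non-zero on HTTP errors when `-f` is given. The `wait_for_metric` helper later in the same script already uses `curl -sf`. Changing this call to `curl -sf` makes the "Check if prometheus responds to requests" step assert a successful response. The comment "query service running on $store" also still carries the Perl sigil and could read "running on store".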
diff --git a/nixpkgs/nixos/tests/quake3.nix b/nixpkgs/nixos/tests/quake3.nix
deleted file mode 100644
index 4253ce4a867..00000000000
--- a/nixpkgs/nixos/tests/quake3.nix
+++ /dev/null
@@ -1,95 +0,0 @@
-import ./make-test.nix ({ pkgs, ...} :
-
-let
-
- # Build Quake with coverage instrumentation.
- overrides = pkgs:
- {
- quake3game = pkgs.quake3game.override (args: {
- stdenv = pkgs.stdenvAdapters.addCoverageInstrumentation args.stdenv;
- });
- };
-
- # Only allow the demo data to be used (only if it's unfreeRedistributable).
- unfreePredicate = pkg: with pkgs.lib; let
- allowPackageNames = [ "quake3-demodata" "quake3-pointrelease" ];
- allowLicenses = [ pkgs.lib.licenses.unfreeRedistributable ];
- in elem pkg.pname allowPackageNames &&
- elem (pkg.meta.license or null) allowLicenses;
-
-in
-
-rec {
- name = "quake3";
- meta = with pkgs.stdenv.lib.maintainers; {
- maintainers = [ domenkozar eelco ];
- };
-
- # TODO: lcov doesn't work atm
- #makeCoverageReport = true;
-
- client =
- { pkgs, ... }:
-
- { imports = [ ./common/x11.nix ];
- hardware.opengl.driSupport = true;
- environment.systemPackages = [ pkgs.quake3demo ];
- nixpkgs.config.packageOverrides = overrides;
- nixpkgs.config.allowUnfreePredicate = unfreePredicate;
- };
-
- nodes =
- { server =
- { pkgs, ... }:
-
- { systemd.services.quake3-server =
- { wantedBy = [ "multi-user.target" ];
- script =
- "${pkgs.quake3demo}/bin/quake3-server +set g_gametype 0 " +
- "+map q3dm7 +addbot grunt +addbot daemia 2> /tmp/log";
- };
- nixpkgs.config.packageOverrides = overrides;
- nixpkgs.config.allowUnfreePredicate = unfreePredicate;
- networking.firewall.allowedUDPPorts = [ 27960 ];
- };
-
- client1 = client;
- client2 = client;
- };
-
- testScript =
- ''
- startAll;
-
- $server->waitForUnit("quake3-server");
- $client1->waitForX;
- $client2->waitForX;
-
- $client1->execute("quake3 +set r_fullscreen 0 +set name Foo +connect server &");
- $client2->execute("quake3 +set r_fullscreen 0 +set name Bar +connect server &");
-
- $server->waitUntilSucceeds("grep -q 'Foo.*entered the game' /tmp/log");
- $server->waitUntilSucceeds("grep -q 'Bar.*entered the game' /tmp/log");
-
- $server->sleep(10); # wait for a while to get a nice screenshot
-
- $client1->block();
-
- $server->sleep(20);
-
- $client1->screenshot("screen1");
- $client2->screenshot("screen2");
-
- $client1->unblock();
-
- $server->sleep(10);
-
- $client1->screenshot("screen3");
- $client2->screenshot("screen4");
-
- $client1->shutdown();
- $client2->shutdown();
- $server->stopJob("quake3-server");
- '';
-
-})
diff --git a/nixpkgs/nixos/tests/rabbitmq.nix b/nixpkgs/nixos/tests/rabbitmq.nix
index bb5932c3641..8e7f34d06e3 100644
--- a/nixpkgs/nixos/tests/rabbitmq.nix
+++ b/nixpkgs/nixos/tests/rabbitmq.nix
@@ -1,21 +1,21 @@
# This test runs rabbitmq and checks if rabbitmq is up and running.
-import ./make-test.nix ({ pkgs, ... }: {
+import ./make-test-python.nix ({ pkgs, ... }: {
name = "rabbitmq";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ eelco offline ];
};
- nodes = {
- one = { ... }: {
- services.rabbitmq.enable = true;
- };
+ machine = {
+ services.rabbitmq.enable = true;
};
testScript = ''
- startAll;
+ machine.start()
- $one->waitForUnit("rabbitmq.service");
- $one->waitUntilSucceeds("su -s ${pkgs.stdenv.shell} rabbitmq -c \"rabbitmqctl status\"");
+ machine.wait_for_unit("rabbitmq.service")
+ machine.wait_until_succeeds(
+ 'su -s ${pkgs.stdenv.shell} rabbitmq -c "rabbitmqctl status"'
+ )
'';
})
diff --git a/nixpkgs/nixos/tests/radarr.nix b/nixpkgs/nixos/tests/radarr.nix
index 9bc5607ccd5..ed90025ac42 100644
--- a/nixpkgs/nixos/tests/radarr.nix
+++ b/nixpkgs/nixos/tests/radarr.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ lib, ... }:
+import ./make-test-python.nix ({ lib, ... }:
with lib;
@@ -11,8 +11,8 @@ with lib;
{ services.radarr.enable = true; };
testScript = ''
- $machine->waitForUnit('radarr.service');
- $machine->waitForOpenPort('7878');
- $machine->succeed("curl --fail http://localhost:7878/");
+ machine.wait_for_unit("radarr.service")
+ machine.wait_for_open_port("7878")
+ machine.succeed("curl --fail http://localhost:7878/")
'';
})
diff --git a/nixpkgs/nixos/tests/redis.nix b/nixpkgs/nixos/tests/redis.nix
index 325d93424dd..529965d7acd 100644
--- a/nixpkgs/nixos/tests/redis.nix
+++ b/nixpkgs/nixos/tests/redis.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "redis";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ flokli ];
@@ -15,12 +15,10 @@ import ./make-test.nix ({ pkgs, ...} : {
};
testScript = ''
- startAll;
-
- $machine->waitForUnit("redis");
- $machine->waitForOpenPort("6379");
-
- $machine->succeed("redis-cli ping | grep PONG");
- $machine->succeed("redis-cli -s /run/redis/redis.sock ping | grep PONG");
+ start_all()
+ machine.wait_for_unit("redis")
+ machine.wait_for_open_port("6379")
+ machine.succeed("redis-cli ping | grep PONG")
+ machine.succeed("redis-cli -s /run/redis/redis.sock ping | grep PONG")
'';
})
diff --git a/nixpkgs/nixos/tests/redmine.nix b/nixpkgs/nixos/tests/redmine.nix
index 2d4df288b05..f0f4cbf6a21 100644
--- a/nixpkgs/nixos/tests/redmine.nix
+++ b/nixpkgs/nixos/tests/redmine.nix
@@ -64,18 +64,13 @@ let
};
in
{
- v3-mysql = mysqlTest pkgs.redmine // {
- name = "v3-mysql";
+ mysql = mysqlTest pkgs.redmine // {
+ name = "mysql";
meta.maintainers = [ maintainers.aanderse ];
};
- v4-mysql = mysqlTest pkgs.redmine_4 // {
- name = "v4-mysql";
- meta.maintainers = [ maintainers.aanderse ];
- };
-
- v4-pgsql = pgsqlTest pkgs.redmine_4 // {
- name = "v4-pgsql";
+ pgsql = pgsqlTest pkgs.redmine // {
+ name = "pgsql";
meta.maintainers = [ maintainers.aanderse ];
};
}
diff --git a/nixpkgs/nixos/tests/roundcube.nix b/nixpkgs/nixos/tests/roundcube.nix
index ed0ebd7dd19..1897b53e283 100644
--- a/nixpkgs/nixos/tests/roundcube.nix
+++ b/nixpkgs/nixos/tests/roundcube.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "roundcube";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ globin ];
@@ -9,7 +9,7 @@ import ./make-test.nix ({ pkgs, ...} : {
services.roundcube = {
enable = true;
hostName = "roundcube";
- database.password = "notproduction";
+ database.password = "not production";
package = pkgs.roundcube.withPlugins (plugins: [ plugins.persistent_login ]);
plugins = [ "persistent_login" ];
};
@@ -21,10 +21,10 @@ import ./make-test.nix ({ pkgs, ...} : {
};
testScript = ''
- $roundcube->start;
- $roundcube->waitForUnit("postgresql.service");
- $roundcube->waitForUnit("phpfpm-roundcube.service");
- $roundcube->waitForUnit("nginx.service");
- $roundcube->succeed("curl -sSfL http://roundcube/ | grep 'Keep me logged in'");
+ roundcube.start
+ roundcube.wait_for_unit("postgresql.service")
+ roundcube.wait_for_unit("phpfpm-roundcube.service")
+ roundcube.wait_for_unit("nginx.service")
+ roundcube.succeed("curl -sSfL http://roundcube/ | grep 'Keep me logged in'")
'';
})
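Review bot: `roundcube.start` is missing its call parentheses, so in Python the line only evaluates the bound method and never starts the machine; it should be `roundcube.start()`. The test presumably still passes because the following `wait_for_unit` call brings the machine up on first use (the driver is not visible in this hunk), which hides the slip. Every other converted script in this patch writes `start()` or `start_all()`.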
diff --git a/nixpkgs/nixos/tests/rss2email.nix b/nixpkgs/nixos/tests/rss2email.nix
index 492d47da9f5..d62207a417b 100644
--- a/nixpkgs/nixos/tests/rss2email.nix
+++ b/nixpkgs/nixos/tests/rss2email.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix {
+import ./make-test-python.nix {
name = "opensmtpd";
nodes = {
@@ -53,14 +53,14 @@ import ./make-test.nix {
};
testScript = ''
- startAll;
+ start_all()
- $server->waitForUnit("network-online.target");
- $server->waitForUnit("opensmtpd");
- $server->waitForUnit("dovecot2");
- $server->waitForUnit("nginx");
- $server->waitForUnit("rss2email");
+ server.wait_for_unit("network-online.target")
+ server.wait_for_unit("opensmtpd")
+ server.wait_for_unit("dovecot2")
+ server.wait_for_unit("nginx")
+ server.wait_for_unit("rss2email")
- $server->waitUntilSucceeds('check-mail-landed >&2');
+ server.wait_until_succeeds("check-mail-landed >&2")
'';
}
diff --git a/nixpkgs/nixos/tests/rxe.nix b/nixpkgs/nixos/tests/rxe.nix
index d0b53db8eeb..194a2e3d2b9 100644
--- a/nixpkgs/nixos/tests/rxe.nix
+++ b/nixpkgs/nixos/tests/rxe.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ ... } :
+import ./make-test-python.nix ({ ... } :
let
node = { pkgs, ... } : {
@@ -26,27 +26,21 @@ in {
testScript = ''
# Test if rxe interface comes up
- $server->waitForUnit("default.target");
- $server->succeed("systemctl status rxe.service");
- $server->succeed("ibv_devices | grep rxe0");
+ server.wait_for_unit("default.target")
+ server.succeed("systemctl status rxe.service")
+ server.succeed("ibv_devices | grep rxe0")
- $client->waitForUnit("default.target");
+ client.wait_for_unit("default.target")
- # ping pong test
- $server->succeed("screen -dmS rc_pingpong ibv_rc_pingpong -p 4800 -g0");
- $client->succeed("sleep 2; ibv_rc_pingpong -p 4800 -g0 server");
+ # ping pong tests
+ for proto in "rc", "uc", "ud", "srq":
+ server.succeed(
+ "screen -dmS {0}_pingpong ibv_{0}_pingpong -p 4800 -s 1024 -g0".format(proto)
+ )
+ client.succeed("sleep 2; ibv_{}_pingpong -p 4800 -s 1024 -g0 server".format(proto))
- $server->succeed("screen -dmS uc_pingpong ibv_uc_pingpong -p 4800 -g0");
- $client->succeed("sleep 2; ibv_uc_pingpong -p 4800 -g0 server");
-
- $server->succeed("screen -dmS ud_pingpong ibv_ud_pingpong -p 4800 -s 1024 -g0");
- $client->succeed("sleep 2; ibv_ud_pingpong -p 4800 -s 1024 -g0 server");
-
- $server->succeed("screen -dmS srq_pingpong ibv_srq_pingpong -p 4800 -g0");
- $client->succeed("sleep 2; ibv_srq_pingpong -p 4800 -g0 server");
-
- $server->succeed("screen -dmS rping rping -s -a server -C 10");
- $client->succeed("sleep 2; rping -c -a server -C 10");
+ server.succeed("screen -dmS rping rping -s -a server -C 10")
+ client.succeed("sleep 2; rping -c -a server -C 10")
'';
})
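Review bot: The new loop passes `-s 1024` to all four `ibv_*_pingpong` variants, whereas the removed Perl lines set it only for `ud`, so `rc`, `uc` and `srq` now run with a different message size than before. If that is intended, a comment above the `for`, such as `# -s 1024 was previously only passed for ud; applied to every transport so one loop covers them`, would record it. Otherwise the size flag needs to be chosen per protocol. The two `.format(proto)` calls also mix `{0}` and `{}` placeholders; using `{0}` in both keeps the server and client commands visibly parallel.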
diff --git a/nixpkgs/nixos/tests/samba.nix b/nixpkgs/nixos/tests/samba.nix
index 2802e00a5b1..142269752b3 100644
--- a/nixpkgs/nixos/tests/samba.nix
+++ b/nixpkgs/nixos/tests/samba.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }:
+import ./make-test-python.nix ({ pkgs, ... }:
{
name = "samba";
@@ -36,12 +36,12 @@ import ./make-test.nix ({ pkgs, ... }:
testScript =
''
- $server->start;
- $server->waitForUnit("samba.target");
- $server->succeed("mkdir -p /public; echo bar > /public/foo");
+ server.start()
+ server.wait_for_unit("samba.target")
+ server.succeed("mkdir -p /public; echo bar > /public/foo")
- $client->start;
- $client->waitForUnit("remote-fs.target");
- $client->succeed("[[ \$(cat /public/foo) = bar ]]");
+ client.start()
+ client.wait_for_unit("remote-fs.target")
+ client.succeed("[[ $(cat /public/foo) = bar ]]")
'';
})
diff --git a/nixpkgs/nixos/tests/sddm.nix b/nixpkgs/nixos/tests/sddm.nix
index 678bcbeab20..4bdcd701dcf 100644
--- a/nixpkgs/nixos/tests/sddm.nix
+++ b/nixpkgs/nixos/tests/sddm.nix
@@ -3,7 +3,7 @@
pkgs ? import ../.. { inherit system config; }
}:
-with import ../lib/testing.nix { inherit system pkgs; };
+with import ../lib/testing-python.nix { inherit system pkgs; };
let
inherit (pkgs) lib;
@@ -26,13 +26,13 @@ let
testScript = { nodes, ... }: let
user = nodes.machine.config.users.users.alice;
in ''
- startAll;
- $machine->waitForText(qr/select your user/i);
- $machine->screenshot("sddm");
- $machine->sendChars("${user.password}\n");
- $machine->waitForFile("/home/alice/.Xauthority");
- $machine->succeed("xauth merge ~alice/.Xauthority");
- $machine->waitForWindow("^IceWM ");
+ start_all()
+ machine.wait_for_text("(?i)select your user")
+ machine.screenshot("sddm")
+ machine.send_chars("${user.password}\n")
+ machine.wait_for_file("${user.home}/.Xauthority")
+ machine.succeed("xauth merge ${user.home}/.Xauthority")
+ machine.wait_for_window("^IceWM ")
'';
};
@@ -57,11 +57,13 @@ let
services.xserver.desktopManager.default = "none";
};
- testScript = { ... }: ''
- startAll;
- $machine->waitForFile("/home/alice/.Xauthority");
- $machine->succeed("xauth merge ~alice/.Xauthority");
- $machine->waitForWindow("^IceWM ");
+ testScript = { nodes, ... }: let
+ user = nodes.machine.config.users.users.alice;
+ in ''
+ start_all()
+ machine.wait_for_file("${user.home}/.Xauthority")
+ machine.succeed("xauth merge ${user.home}/.Xauthority")
+ machine.wait_for_window("^IceWM ")
'';
};
};
diff --git a/nixpkgs/nixos/tests/shiori.nix b/nixpkgs/nixos/tests/shiori.nix
index 0022a7220fe..a5771262c6f 100644
--- a/nixpkgs/nixos/tests/shiori.nix
+++ b/nixpkgs/nixos/tests/shiori.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ lib, ...}:
+import ./make-test-python.nix ({ pkgs, lib, ...}:
{
name = "shiori";
@@ -8,10 +8,74 @@ import ./make-test.nix ({ lib, ...}:
{ ... }:
{ services.shiori.enable = true; };
- testScript = ''
- $machine->waitForUnit('shiori.service');
- $machine->waitForOpenPort('8080');
- $machine->succeed("curl --fail http://localhost:8080/");
- $machine->succeed("curl --fail --location http://localhost:8080/ | grep -qi shiori");
+ testScript = let
+ authJSON = pkgs.writeText "auth.json" (builtins.toJSON {
+ username = "shiori";
+ password = "gopher";
+ remember = 1; # hour
+ owner = true;
+ });
+
+ insertBookmark = {
+ url = "http://example.org";
+ title = "Example Bookmark";
+ };
+
+ insertBookmarkJSON = pkgs.writeText "insertBookmark.json" (builtins.toJSON insertBookmark);
+ in ''
+ import json
+
+ machine.wait_for_unit("shiori.service")
+ machine.wait_for_open_port(8080)
+ machine.succeed("curl --fail http://localhost:8080/")
+ machine.succeed("curl --fail --location http://localhost:8080/ | grep -qi shiori")
+
+ with subtest("login"):
+ auth_json = machine.succeed(
+ "curl --fail --location http://localhost:8080/api/login "
+ "-X POST -H 'Content-Type:application/json' -d @${authJSON}"
+ )
+ auth_ret = json.loads(auth_json)
+ session_id = auth_ret["session"]
+
+ with subtest("bookmarks"):
+ with subtest("first use no bookmarks"):
+ bookmarks_json = machine.succeed(
+ (
+ "curl --fail --location http://localhost:8080/api/bookmarks "
+ "-H 'X-Session-Id:{}'"
+ ).format(session_id)
+ )
+
+ if json.loads(bookmarks_json)["bookmarks"] != []:
+ raise Exception("Shiori have a bookmark on first use")
+
+ with subtest("insert bookmark"):
+ machine.succeed(
+ (
+ "curl --fail --location http://localhost:8080/api/bookmarks "
+ "-X POST -H 'X-Session-Id:{}' "
+ "-H 'Content-Type:application/json' -d @${insertBookmarkJSON}"
+ ).format(session_id)
+ )
+
+ with subtest("get inserted bookmark"):
+ bookmarks_json = machine.succeed(
+ (
+ "curl --fail --location http://localhost:8080/api/bookmarks "
+ "-H 'X-Session-Id:{}'"
+ ).format(session_id)
+ )
+
+ bookmarks = json.loads(bookmarks_json)["bookmarks"]
+ if len(bookmarks) != 1:
+ raise Exception("Shiori didn't save the bookmark")
+
+ bookmark = bookmarks[0]
+ if (
+ bookmark["url"] != "${insertBookmark.url}"
+ or bookmark["title"] != "${insertBookmark.title}"
+ ):
+ raise Exception("Inserted bookmark doesn't have same URL or title")
'';
})
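Review bot: `session_id` is taken from the server's login response and pasted into a shell command line inside single quotes by `.format(session_id)` in three places, so a value containing a quote would break the command. Quoting it once after login, `session_header = shlex.quote("X-Session-Id:" + session_id)` with `import shlex` next to `import json`, and formatting that into the curl calls keeps the quoting correct and removes the repetition. The message "Shiori have a bookmark on first use" should read "Shiori has a bookmark on first use". `authJSON` puts the login password into a file written by `pkgs.writeText`, which is fine for a VM test but worth a `# test-only credentials` comment.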
diff --git a/nixpkgs/nixos/tests/signal-desktop.nix b/nixpkgs/nixos/tests/signal-desktop.nix
index 605b9c3e130..c746d46dc55 100644
--- a/nixpkgs/nixos/tests/signal-desktop.nix
+++ b/nixpkgs/nixos/tests/signal-desktop.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...} :
+import ./make-test-python.nix ({ pkgs, ...} :
{
name = "signal-desktop";
@@ -24,14 +24,14 @@ import ./make-test.nix ({ pkgs, ...} :
testScript = { nodes, ... }: let
user = nodes.machine.config.users.users.alice;
in ''
- startAll;
- $machine->waitForX;
+ start_all()
+ machine.wait_for_x()
# start signal desktop
- $machine->execute("su - alice -c signal-desktop &");
+ machine.execute("su - alice -c signal-desktop &")
# wait for the "Link your phone to Signal Desktop" message
- $machine->waitForText(qr/Link your phone to Signal Desktop/);
- $machine->screenshot("signal_desktop");
+ machine.wait_for_text("Link your phone to Signal Desktop")
+ machine.screenshot("signal_desktop")
'';
})
diff --git a/nixpkgs/nixos/tests/simple.nix b/nixpkgs/nixos/tests/simple.nix
index 84c5621d962..3810a2cd3a5 100644
--- a/nixpkgs/nixos/tests/simple.nix
+++ b/nixpkgs/nixos/tests/simple.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "simple";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ eelco ];
@@ -10,8 +10,8 @@ import ./make-test.nix ({ pkgs, ...} : {
testScript =
''
- startAll;
- $machine->waitForUnit("multi-user.target");
- $machine->shutdown;
+ start_all()
+ machine.wait_for_unit("multi-user.target")
+ machine.shutdown()
'';
})
diff --git a/nixpkgs/nixos/tests/slim.nix b/nixpkgs/nixos/tests/slim.nix
deleted file mode 100644
index 42c87dfa039..00000000000
--- a/nixpkgs/nixos/tests/slim.nix
+++ /dev/null
@@ -1,66 +0,0 @@
-import ./make-test.nix ({ pkgs, ...} : {
- name = "slim";
-
- meta = with pkgs.stdenv.lib.maintainers; {
- maintainers = [ aszlig ];
- };
-
- machine = { pkgs, ... }: {
- imports = [ ./common/user-account.nix ];
- services.xserver.enable = true;
- services.xserver.windowManager.default = "icewm";
- services.xserver.windowManager.icewm.enable = true;
- services.xserver.desktopManager.default = "none";
- services.xserver.displayManager.slim = {
- enable = true;
-
- # Use a custom theme in order to get best OCR results
- theme = pkgs.runCommand "slim-theme-ocr" {
- nativeBuildInputs = [ pkgs.imagemagick ];
- } ''
- mkdir "$out"
- convert -size 1x1 xc:white "$out/background.jpg"
- convert -size 200x100 xc:white "$out/panel.jpg"
- cat > "$out/slim.theme" <<EOF
- background_color #ffffff
- background_style tile
-
- input_fgcolor #000000
- msg_color #000000
-
- session_color #000000
- session_font Verdana:size=16:bold
-
- username_msg Username:
- username_font Verdana:size=16:bold
- username_color #000000
- username_x 50%
- username_y 40%
-
- password_msg Password:
- password_x 50%
- password_y 40%
- EOF
- '';
- };
- };
-
- enableOCR = true;
-
- testScript = { nodes, ... }: let
- user = nodes.machine.config.users.users.alice;
- in ''
- startAll;
- $machine->waitForText(qr/Username:/);
- $machine->sendChars("${user.name}\n");
- $machine->waitForText(qr/Password:/);
- $machine->sendChars("${user.password}\n");
-
- $machine->waitForFile('${user.home}/.Xauthority');
- $machine->succeed('xauth merge ${user.home}/.Xauthority');
- $machine->waitForWindow('^IceWM ');
-
- # Make sure SLiM doesn't create a log file
- $machine->fail('test -e /var/log/slim.log');
- '';
-})
diff --git a/nixpkgs/nixos/tests/slurm.nix b/nixpkgs/nixos/tests/slurm.nix
index 4c2cd3c3d26..17527378cf0 100644
--- a/nixpkgs/nixos/tests/slurm.nix
+++ b/nixpkgs/nixos/tests/slurm.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ lib, ... }:
+import ./make-test-python.nix ({ lib, ... }:
let
mungekey = "mungeverryweakkeybuteasytointegratoinatest";
@@ -54,10 +54,15 @@ in {
networking.firewall.enable = false;
services.slurm.dbdserver = {
enable = true;
+ storagePass = "password123";
};
services.mysql = {
enable = true;
- package = pkgs.mysql;
+ package = pkgs.mariadb;
+ initialScript = pkgs.writeText "mysql-init.sql" ''
+ CREATE USER 'slurm'@'localhost' IDENTIFIED BY 'password123';
+ GRANT ALL PRIVILEGES ON slurm_acct_db.* TO 'slurm'@'localhost';
+ '';
ensureDatabases = [ "slurm_acct_db" ];
ensureUsers = [{
ensurePermissions = { "slurm_acct_db.*" = "ALL PRIVILEGES"; };
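Review bot: The literal `password123` now appears twice, in `storagePass` and in the `CREATE USER` statement of `initialScript`, so the two can drift apart without anything failing at evaluation time. Binding it once next to `mungekey`, for example `dbdPassword = "password123";` (a name I am proposing), and interpolating it in both places keeps them in step. The init script is written with `pkgs.writeText`, so the credential is only suitable for a test and a comment such as `# test-only credential` would say so. The `ensureUsers` entry continues outside this hunk, so whether it overlaps with the new `CREATE USER` cannot be judged from here.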
@@ -80,63 +85,57 @@ in {
testScript =
''
- startAll;
+ start_all()
# Set up authentification across the cluster
- foreach my $node (($submit,$control,$dbd,$node1,$node2,$node3))
- {
- $node->waitForUnit("default.target");
+ for node in [submit, control, dbd, node1, node2, node3]:
- $node->succeed("mkdir /etc/munge");
- $node->succeed("echo '${mungekey}' > /etc/munge/munge.key");
- $node->succeed("chmod 0400 /etc/munge/munge.key");
- $node->succeed("chown munge:munge /etc/munge/munge.key");
- $node->succeed("systemctl restart munged");
+ node.wait_for_unit("default.target")
+
+ node.succeed("mkdir /etc/munge")
+ node.succeed(
+ "echo '${mungekey}' > /etc/munge/munge.key"
+ )
+ node.succeed("chmod 0400 /etc/munge/munge.key")
+ node.succeed("chown munge:munge /etc/munge/munge.key")
+ node.succeed("systemctl restart munged")
+
+ node.wait_for_unit("munged")
- $node->waitForUnit("munged");
- };
# Restart the services since they have probably failed due to the munge init
# failure
- subtest "can_start_slurmdbd", sub {
- $dbd->succeed("systemctl restart slurmdbd");
- $dbd->waitForUnit("slurmdbd.service");
- $dbd->waitForOpenPort(6819);
- };
+ with subtest("can_start_slurmdbd"):
+ dbd.succeed("systemctl restart slurmdbd")
+ dbd.wait_for_unit("slurmdbd.service")
+ dbd.wait_for_open_port(6819)
# there needs to be an entry for the current
# cluster in the database before slurmctld is restarted
- subtest "add_account", sub {
- $control->succeed("sacctmgr -i add cluster default");
- # check for cluster entry
- $control->succeed("sacctmgr list cluster | awk '{ print \$1 }' | grep default");
- };
+ with subtest("add_account"):
+ control.succeed("sacctmgr -i add cluster default")
+ # check for cluster entry
+ control.succeed("sacctmgr list cluster | awk '{ print $1 }' | grep default")
- subtest "can_start_slurmctld", sub {
- $control->succeed("systemctl restart slurmctld");
- $control->waitForUnit("slurmctld.service");
- };
+ with subtest("can_start_slurmctld"):
+ control.succeed("systemctl restart slurmctld")
+ control.waitForUnit("slurmctld.service")
- subtest "can_start_slurmd", sub {
- foreach my $node (($node1,$node2,$node3))
- {
- $node->succeed("systemctl restart slurmd.service");
- $node->waitForUnit("slurmd");
- }
- };
+ with subtest("can_start_slurmd"):
+ for node in [node1, node2, node3]:
+ node.succeed("systemctl restart slurmd.service")
+ node.wait_for_unit("slurmd")
# Test that the cluster works and can distribute jobs;
- subtest "run_distributed_command", sub {
- # Run `hostname` on 3 nodes of the partition (so on all the 3 nodes).
- # The output must contain the 3 different names
- $submit->succeed("srun -N 3 hostname | sort | uniq | wc -l | xargs test 3 -eq");
- };
+ with subtest("run_distributed_command"):
+ # Run `hostname` on 3 nodes of the partition (so on all the 3 nodes).
+ # The output must contain the 3 different names
+ submit.succeed("srun -N 3 hostname | sort | uniq | wc -l | xargs test 3 -eq")
- subtest "check_slurm_dbd", sub {
- # find the srun job from above in the database
- sleep 5;
- $control->succeed("sacct | grep hostname");
- };
+ with subtest("check_slurm_dbd"):
+ # find the srun job from above in the database
+ control.succeed("sleep 5")
+ control.succeed("sacct | grep hostname")
'';
})
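Review bot: `control.waitForUnit("slurmctld.service")` in the `can_start_slurmctld` subtest still uses the Perl driver's camelCase name, while every other call in this script was converted to `wait_for_unit`. If the Python driver only exposes the snake_case method, as the rest of the hunk suggests, this line raises an AttributeError and the subtest cannot pass. It should read `control.wait_for_unit("slurmctld.service")`.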
diff --git a/nixpkgs/nixos/tests/smokeping.nix b/nixpkgs/nixos/tests/smokeping.nix
index 07d22805112..4f8f0fcc9fe 100644
--- a/nixpkgs/nixos/tests/smokeping.nix
+++ b/nixpkgs/nixos/tests/smokeping.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "smokeping";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ cransom ];
@@ -22,12 +22,12 @@ import ./make-test.nix ({ pkgs, ...} : {
};
testScript = ''
- startAll;
- $sm->waitForUnit("smokeping");
- $sm->waitForUnit("thttpd");
- $sm->waitForFile("/var/lib/smokeping/data/Local/LocalMachine.rrd");
- $sm->succeed("curl -s -f localhost:8081/smokeping.fcgi?target=Local");
- $sm->succeed("ls /var/lib/smokeping/cache/Local/LocalMachine_mini.png");
- $sm->succeed("ls /var/lib/smokeping/cache/index.html");
+ start_all()
+ sm.wait_for_unit("smokeping")
+ sm.wait_for_unit("thttpd")
+ sm.wait_for_file("/var/lib/smokeping/data/Local/LocalMachine.rrd")
+ sm.succeed("curl -s -f localhost:8081/smokeping.fcgi?target=Local")
+ sm.succeed("ls /var/lib/smokeping/cache/Local/LocalMachine_mini.png")
+ sm.succeed("ls /var/lib/smokeping/cache/index.html")
'';
})
diff --git a/nixpkgs/nixos/tests/snapper.nix b/nixpkgs/nixos/tests/snapper.nix
index 74ec22fd349..018102d7f64 100644
--- a/nixpkgs/nixos/tests/snapper.nix
+++ b/nixpkgs/nixos/tests/snapper.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ ... }:
+import ./make-test-python.nix ({ ... }:
{
name = "snapper";
@@ -20,24 +20,16 @@ import ./make-test.nix ({ ... }:
};
testScript = ''
- $machine->succeed("btrfs subvolume create /home/.snapshots");
-
- $machine->succeed("snapper -c home list");
-
- $machine->succeed("snapper -c home create --description empty");
-
- $machine->succeed("echo test > /home/file");
- $machine->succeed("snapper -c home create --description file");
-
- $machine->succeed("snapper -c home status 1..2");
-
- $machine->succeed("snapper -c home undochange 1..2");
- $machine->fail("ls /home/file");
-
- $machine->succeed("snapper -c home delete 2");
-
- $machine->succeed("systemctl --wait start snapper-timeline.service");
-
- $machine->succeed("systemctl --wait start snapper-cleanup.service");
+ machine.succeed("btrfs subvolume create /home/.snapshots")
+ machine.succeed("snapper -c home list")
+ machine.succeed("snapper -c home create --description empty")
+ machine.succeed("echo test > /home/file")
+ machine.succeed("snapper -c home create --description file")
+ machine.succeed("snapper -c home status 1..2")
+ machine.succeed("snapper -c home undochange 1..2")
+ machine.fail("ls /home/file")
+ machine.succeed("snapper -c home delete 2")
+ machine.succeed("systemctl --wait start snapper-timeline.service")
+ machine.succeed("systemctl --wait start snapper-cleanup.service")
'';
})
diff --git a/nixpkgs/nixos/tests/spike.nix b/nixpkgs/nixos/tests/spike.nix
new file mode 100644
index 00000000000..47763e75ffa
--- /dev/null
+++ b/nixpkgs/nixos/tests/spike.nix
@@ -0,0 +1,22 @@
+import ./make-test-python.nix ({ pkgs, ... }:
+
+let
+ riscvPkgs = import ../.. { crossSystem = pkgs.stdenv.lib.systems.examples.riscv64-embedded; };
+in
+{
+ name = "spike";
+ meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ blitz ]; };
+
+ machine = { pkgs, lib, ... }: {
+ environment.systemPackages = [ pkgs.spike riscvPkgs.riscv-pk riscvPkgs.hello ];
+ };
+
+ # Run the RISC-V hello applications using the proxy kernel on the
+ # Spike emulator and see whether we get the expected output.
+ testScript =
+ ''
+ machine.wait_for_unit("multi-user.target")
+ output = machine.succeed("spike -m64 $(which pk) $(which hello)")
+ assert output == "Hello, world!\n"
+ '';
+})
diff --git a/nixpkgs/nixos/tests/strongswan-swanctl.nix b/nixpkgs/nixos/tests/strongswan-swanctl.nix
index 9bab9349ea7..152c0d61c54 100644
--- a/nixpkgs/nixos/tests/strongswan-swanctl.nix
+++ b/nixpkgs/nixos/tests/strongswan-swanctl.nix
@@ -16,7 +16,7 @@
# See the NixOS manual for how to run this test:
# https://nixos.org/nixos/manual/index.html#sec-running-nixos-tests-interactively
-import ./make-test.nix ({ pkgs, ...} :
+import ./make-test-python.nix ({ pkgs, ...} :
let
allowESP = "iptables --insert INPUT --protocol ESP --jump ACCEPT";
@@ -142,7 +142,7 @@ in {
};
testScript = ''
- startAll();
- $carol->waitUntilSucceeds("ping -c 1 alice");
+ start_all()
+ carol.wait_until_succeeds("ping -c 1 alice")
'';
})
diff --git a/nixpkgs/nixos/tests/sudo.nix b/nixpkgs/nixos/tests/sudo.nix
index fc16b99cc19..5bbec3d5726 100644
--- a/nixpkgs/nixos/tests/sudo.nix
+++ b/nixpkgs/nixos/tests/sudo.nix
@@ -4,7 +4,7 @@ let
password = "helloworld";
in
- import ./make-test.nix ({ pkgs, ...} : {
+ import ./make-test-python.nix ({ pkgs, ...} : {
name = "sudo";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ lschuermann ];
@@ -50,44 +50,34 @@ in
testScript =
''
- subtest "users in wheel group should have passwordless sudo", sub {
- $machine->succeed("su - test0 -c \"sudo -u root true\"");
- };
+ with subtest("users in wheel group should have passwordless sudo"):
+ machine.succeed('su - test0 -c "sudo -u root true"')
- subtest "test1 user should have sudo with password", sub {
- $machine->succeed("su - test1 -c \"echo ${password} | sudo -S -u root true\"");
- };
+ with subtest("test1 user should have sudo with password"):
+ machine.succeed('su - test1 -c "echo ${password} | sudo -S -u root true"')
- subtest "test1 user should not be able to use sudo without password", sub {
- $machine->fail("su - test1 -c \"sudo -n -u root true\"");
- };
+ with subtest("test1 user should not be able to use sudo without password"):
+ machine.fail('su - test1 -c "sudo -n -u root true"')
- subtest "users in group 'foobar' should be able to use sudo with password", sub {
- $machine->succeed("sudo -u test2 echo ${password} | sudo -S -u root true");
- };
+ with subtest("users in group 'foobar' should be able to use sudo with password"):
+ machine.succeed("sudo -u test2 echo ${password} | sudo -S -u root true")
- subtest "users in group 'barfoo' should be able to use sudo without password", sub {
- $machine->succeed("sudo -u test3 sudo -n -u root true");
- };
+ with subtest("users in group 'barfoo' should be able to use sudo without password"):
+ machine.succeed("sudo -u test3 sudo -n -u root true")
- subtest "users in group 'baz' (GID 1337) should be able to use sudo without password", sub {
- $machine->succeed("sudo -u test4 sudo -n -u root echo true");
- };
+ with subtest("users in group 'baz' (GID 1337)"):
+ machine.succeed("sudo -u test4 sudo -n -u root echo true")
- subtest "test5 user should be able to run commands under test1", sub {
- $machine->succeed("sudo -u test5 sudo -n -u test1 true");
- };
+ with subtest("test5 user should be able to run commands under test1"):
+ machine.succeed("sudo -u test5 sudo -n -u test1 true")
- subtest "test5 user should not be able to run commands under root", sub {
- $machine->fail("sudo -u test5 sudo -n -u root true");
- };
+ with subtest("test5 user should not be able to run commands under root"):
+ machine.fail("sudo -u test5 sudo -n -u root true")
- subtest "test5 user should be able to keep his environment", sub {
- $machine->succeed("sudo -u test5 sudo -n -E -u test1 true");
- };
+ with subtest("test5 user should be able to keep his environment"):
+ machine.succeed("sudo -u test5 sudo -n -E -u test1 true")
- subtest "users in group 'barfoo' should not be able to keep their environment", sub {
- $machine->fail("sudo -u test3 sudo -n -E -u root true");
- };
+ with subtest("users in group 'barfoo' should not be able to keep their environment"):
+ machine.fail("sudo -u test3 sudo -n -E -u root true")
'';
})
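Review bot: In the subtest for group 'foobar', `sudo -u test2 echo ${password} | sudo -S -u root true` runs only `echo` as test2; the `sudo -S -u root true` to the right of the pipe is started by the driver's own shell. If that shell is root, as the unprefixed `sudo -u testN` calls imply, the check passes regardless of the sudoers rule for 'foobar'. The conversion carries this over unchanged from the Perl version. Running the whole pipeline as the user, as the test1 case already does, would test the rule: `machine.succeed('su - test2 -c "echo ${password} | sudo -S -u root true"')`. The renamed subtest "users in group 'baz' (GID 1337)" also lost the part of its title that said what is expected.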
diff --git a/nixpkgs/nixos/tests/syncthing-init.nix b/nixpkgs/nixos/tests/syncthing-init.nix
index 0de76b688bd..9c8e0a3d087 100644
--- a/nixpkgs/nixos/tests/syncthing-init.nix
+++ b/nixpkgs/nixos/tests/syncthing-init.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ lib, pkgs, ... }: let
+import ./make-test-python.nix ({ lib, pkgs, ... }: let
testId = "7CFNTQM-IMTJBHJ-3UWRDIU-ZGQJFR6-VCXZ3NB-XUH3KZO-N52ITXR-LAIYUAU";
@@ -22,13 +22,11 @@ in {
};
testScript = ''
- my $config;
-
- $machine->waitForUnit("syncthing-init.service");
- $config = $machine->succeed("cat /var/lib/syncthing/.config/syncthing/config.xml");
+ machine.wait_for_unit("syncthing-init.service")
+ config = machine.succeed("cat /var/lib/syncthing/.config/syncthing/config.xml")
- $config =~ /${testId}/ or die;
- $config =~ /testFolder/ or die;
+ assert "testFolder" in config
+ assert "${testId}" in config
'';
})
diff --git a/nixpkgs/nixos/tests/syncthing-relay.nix b/nixpkgs/nixos/tests/syncthing-relay.nix
index f1ceb499333..cd72ef1cbe1 100644
--- a/nixpkgs/nixos/tests/syncthing-relay.nix
+++ b/nixpkgs/nixos/tests/syncthing-relay.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ lib, pkgs, ... }: {
+import ./make-test-python.nix ({ lib, pkgs, ... }: {
name = "syncthing-relay";
meta.maintainers = with pkgs.stdenv.lib.maintainers; [ delroth ];
@@ -14,9 +14,13 @@ import ./make-test.nix ({ lib, pkgs, ... }: {
};
testScript = ''
- $machine->waitForUnit("syncthing-relay.service");
- $machine->waitForOpenPort(12345);
- $machine->waitForOpenPort(12346);
- $machine->succeed("curl http://localhost:12346/status | jq -r '.options.\"provided-by\"'") =~ /nixos-test/ or die;
+ machine.wait_for_unit("syncthing-relay.service")
+ machine.wait_for_open_port(12345)
+ machine.wait_for_open_port(12346)
+
+ out = machine.succeed(
+ "curl -sS http://localhost:12346/status | jq -r '.options.\"provided-by\"'"
+ )
+ assert "nixos-test" in out
'';
})
diff --git a/nixpkgs/nixos/tests/systemd-networkd-wireguard.nix b/nixpkgs/nixos/tests/systemd-networkd-wireguard.nix
index aa0ac54e796..be5c0da981d 100644
--- a/nixpkgs/nixos/tests/systemd-networkd-wireguard.nix
+++ b/nixpkgs/nixos/tests/systemd-networkd-wireguard.nix
@@ -1,4 +1,4 @@
-let generateNodeConf = { lib, pkgs, config, privkpath, pubk, peerId, nodeId, ...}: {
+let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: {
imports = [ common/user-account.nix ];
systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
networking.useNetworkd = true;
@@ -7,13 +7,16 @@ let generateNodeConf = { lib, pkgs, config, privkpath, pubk, peerId, nodeId, ...
virtualisation.vlans = [ 1 ];
environment.systemPackages = with pkgs; [ wireguard-tools ];
boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
+ systemd.tmpfiles.rules = [
+ "f /run/wg_priv 0640 root systemd-network - ${privk}"
+ ];
systemd.network = {
enable = true;
netdevs = {
"90-wg0" = {
netdevConfig = { Kind = "wireguard"; Name = "wg0"; };
wireguardConfig = {
- PrivateKeyFile = privkpath ;
+ PrivateKeyFile = "/run/wg_priv";
ListenPort = 51820;
FwMark = 42;
};
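Review bot: The tmpfiles rule `f /run/wg_priv 0640 root systemd-network - ${privk}` tightens the mode of the file networkd reads, but the key is still interpolated into the rule text. That text presumably ends up in the generated system configuration in the Nix store, just as the old `pkgs.writeText` file did. This is fine for throwaway test keys, but the hunk reads like a pattern for handling secrets, so I would add a comment above the rule: `# Test-only: the key is still part of the system configuration in the store; real keys must be provisioned outside Nix.` The same applies to the `privk` literals for node1 and node2 in the later hunks of this file.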
@@ -45,7 +48,7 @@ let generateNodeConf = { lib, pkgs, config, privkpath, pubk, peerId, nodeId, ...
};
};
};
-in import ./make-test.nix ({pkgs, ... }: {
+in import ./make-test-python.nix ({pkgs, ... }: {
name = "networkd-wireguard";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ ninjatrappeur ];
@@ -53,7 +56,7 @@ in import ./make-test.nix ({pkgs, ... }: {
nodes = {
node1 = { pkgs, ... }@attrs:
let localConf = {
- privkpath = pkgs.writeText "priv.key" "GDiXWlMQKb379XthwX0haAbK6hTdjblllpjGX0heP00=";
+ privk = "GDiXWlMQKb379XthwX0haAbK6hTdjblllpjGX0heP00=";
pubk = "iRxpqj42nnY0Qz8MAQbSm7bXxXP5hkPqWYIULmvW+EE=";
nodeId = "1";
peerId = "2";
@@ -62,7 +65,7 @@ in import ./make-test.nix ({pkgs, ... }: {
node2 = { pkgs, ... }@attrs:
let localConf = {
- privkpath = pkgs.writeText "priv.key" "eHxSI2jwX/P4AOI0r8YppPw0+4NZnjOxfbS5mt06K2k=";
+ privk = "eHxSI2jwX/P4AOI0r8YppPw0+4NZnjOxfbS5mt06K2k=";
pubk = "27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g=";
nodeId = "2";
peerId = "1";
@@ -70,12 +73,12 @@ in import ./make-test.nix ({pkgs, ... }: {
in generateNodeConf (attrs // localConf);
};
testScript = ''
- startAll;
- $node1->waitForUnit('systemd-networkd-wait-online.service');
- $node2->waitForUnit('systemd-networkd-wait-online.service');
- $node1->succeed('ping -c 5 10.0.0.2');
- $node2->succeed('ping -c 5 10.0.0.1');
+ start_all()
+ node1.wait_for_unit("systemd-networkd-wait-online.service")
+ node2.wait_for_unit("systemd-networkd-wait-online.service")
+ node1.succeed("ping -c 5 10.0.0.2")
+ node2.succeed("ping -c 5 10.0.0.1")
# Is the fwmark set?
- $node2->succeed('wg | grep -q 42');
+ node2.succeed("wg | grep -q 42")
'';
})
diff --git a/nixpkgs/nixos/tests/systemd-nspawn.nix b/nixpkgs/nixos/tests/systemd-nspawn.nix
new file mode 100644
index 00000000000..5bf55060d2e
--- /dev/null
+++ b/nixpkgs/nixos/tests/systemd-nspawn.nix
@@ -0,0 +1,60 @@
+import ./make-test-python.nix ({pkgs, lib, ...}:
+let
+ gpgKeyring = (pkgs.runCommand "gpg-keyring" { buildInputs = [ pkgs.gnupg ]; } ''
+ mkdir -p $out
+ export GNUPGHOME=$out
+ cat > foo <<EOF
+ %echo Generating a basic OpenPGP key
+ %no-protection
+ Key-Type: DSA
+ Key-Length: 1024
+ Subkey-Type: ELG-E
+ Subkey-Length: 1024
+ Name-Real: Joe Tester
+ Name-Email: joe@foo.bar
+ Expire-Date: 0
+ # Do a commit here, so that we can later print "done"
+ %commit
+ %echo done
+ EOF
+ gpg --batch --generate-key foo
+ rm $out/S.gpg-agent $out/S.gpg-agent.*
+ gpg --export joe@foo.bar -a > $out/pubkey.gpg
+ '');
+
+ nspawnImages = (pkgs.runCommand "localhost" { buildInputs = [ pkgs.coreutils pkgs.gnupg ]; } ''
+ mkdir -p $out
+ cd $out
+ dd if=/dev/urandom of=$out/testimage.raw bs=$((1024*1024+7)) count=5
+ sha256sum testimage.raw > SHA256SUMS
+ export GNUPGHOME="$(mktemp -d)"
+ cp -R ${gpgKeyring}/* $GNUPGHOME
+ gpg --batch --sign --detach-sign --output SHA256SUMS.gpg SHA256SUMS
+ '');
+in {
+ name = "systemd-nspawn";
+
+ nodes = {
+ server = { pkgs, ... }: {
+ networking.firewall.allowedTCPPorts = [ 80 ];
+ services.nginx = {
+ enable = true;
+ virtualHosts."server".root = nspawnImages;
+ };
+ };
+ client = { pkgs, ... }: {
+ environment.etc."systemd/import-pubring.gpg".source = "${gpgKeyring}/pubkey.gpg";
+ };
+ };
+
+ testScript = ''
+ start_all()
+
+ server.wait_for_unit("nginx.service")
+ client.wait_for_unit("network-online.target")
+ client.succeed("machinectl pull-raw --verify=signature http://server/testimage.raw")
+ client.succeed(
+ "cmp /var/lib/machines/testimage.raw ${nspawnImages}/testimage.raw"
+ )
+ '';
+})
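Review bot: The test only exercises the accepting path of `machinectl pull-raw --verify=signature`; nothing shows that a bad image is rejected, so it would still pass if verification were silently skipped. A second file in `nspawnImages` whose `SHA256SUMS` entry does not match its content, fetched with `client.fail("machinectl pull-raw --verify=signature http://server/tampered.raw")`, would cover that (the file name is my suggestion). The `gpgKeyring` output also appears to keep the unprotected secret key, since `GNUPGHOME` is `$out` and only the agent sockets are removed, and the client references that same output for `pubkey.gpg`. Exporting the public key into a separate derivation would keep the signing key out of the client's closure. The 1024-bit DSA/ElGamal parameters deserve a comment marking them as a throwaway test key.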
diff --git a/nixpkgs/nixos/tests/telegraf.nix b/nixpkgs/nixos/tests/telegraf.nix
index 6776f8d8c37..73f741b1135 100644
--- a/nixpkgs/nixos/tests/telegraf.nix
+++ b/nixpkgs/nixos/tests/telegraf.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "telegraf";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ mic92 ];
@@ -22,9 +22,9 @@ import ./make-test.nix ({ pkgs, ...} : {
};
testScript = ''
- startAll;
+ start_all()
- $machine->waitForUnit("telegraf.service");
- $machine->waitUntilSucceeds("grep -q example /tmp/metrics.out");
+ machine.wait_for_unit("telegraf.service")
+ machine.wait_until_succeeds("grep -q example /tmp/metrics.out")
'';
})
diff --git a/nixpkgs/nixos/tests/tinydns.nix b/nixpkgs/nixos/tests/tinydns.nix
index cb7ee0c5fb5..c7740d5ade3 100644
--- a/nixpkgs/nixos/tests/tinydns.nix
+++ b/nixpkgs/nixos/tests/tinydns.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ lib, ...} : {
+import ./make-test-python.nix ({ lib, ...} : {
name = "tinydns";
meta = {
maintainers = with lib.maintainers; [ basvandijk ];
@@ -19,8 +19,8 @@ import ./make-test.nix ({ lib, ...} : {
};
};
testScript = ''
- $nameserver->start;
- $nameserver->waitForUnit("tinydns.service");
- $nameserver->succeed("host bla.foo.bar | grep '1\.2\.3\.4'");
+ nameserver.start()
+ nameserver.wait_for_unit("tinydns.service")
+ nameserver.succeed("host bla.foo.bar | grep '1\.2\.3\.4'")
'';
})
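Review bot: `"host bla.foo.bar | grep '1\.2\.3\.4'"` is now an ordinary Python string literal, where `\.` is not a valid escape sequence; Python currently keeps the backslash but treats the form as deprecated. A raw string, `nameserver.succeed(r"host bla.foo.bar | grep '1\.2\.3\.4'")`, or a fixed-string match with `grep -F 1.2.3.4` avoids relying on that behaviour.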
diff --git a/nixpkgs/nixos/tests/tor.nix b/nixpkgs/nixos/tests/tor.nix
index 0cb44ddff24..ad07231557c 100644
--- a/nixpkgs/nixos/tests/tor.nix
+++ b/nixpkgs/nixos/tests/tor.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ lib, ... }: with lib;
+import ./make-test-python.nix ({ lib, ... }: with lib;
rec {
name = "tor";
@@ -21,8 +21,10 @@ rec {
};
testScript = ''
- $client->waitForUnit("tor.service");
- $client->waitForOpenPort(9051);
- $client->succeed("echo GETINFO version | nc 127.0.0.1 9051") =~ /514 Authentication required./ or die;
+ client.wait_for_unit("tor.service")
+ client.wait_for_open_port(9051)
+ assert "514 Authentication required." in client.succeed(
+ "echo GETINFO version | nc 127.0.0.1 9051"
+ )
'';
})
diff --git a/nixpkgs/nixos/tests/trac.nix b/nixpkgs/nixos/tests/trac.nix
new file mode 100644
index 00000000000..7953f8d41f7
--- /dev/null
+++ b/nixpkgs/nixos/tests/trac.nix
@@ -0,0 +1,19 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+ name = "trac";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ mmahut ];
+ };
+
+ nodes = {
+ machine = { ... }: {
+ services.trac.enable = true;
+ };
+ };
+
+ testScript = ''
+ start_all()
+ machine.wait_for_unit("trac.service")
+ machine.wait_for_open_port(8000)
+ machine.wait_until_succeeds("curl -L http://localhost:8000/ | grep 'Trac Powered'")
+ '';
+})
diff --git a/nixpkgs/nixos/tests/transmission.nix b/nixpkgs/nixos/tests/transmission.nix
index f1c238730eb..f4f2186be1f 100644
--- a/nixpkgs/nixos/tests/transmission.nix
+++ b/nixpkgs/nixos/tests/transmission.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "transmission";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ coconnor ];
@@ -14,8 +14,8 @@ import ./make-test.nix ({ pkgs, ...} : {
testScript =
''
- startAll;
- $machine->waitForUnit("transmission");
- $machine->shutdown;
+ start_all()
+ machine.wait_for_unit("transmission")
+ machine.shutdown()
'';
})
diff --git a/nixpkgs/nixos/tests/trezord.nix b/nixpkgs/nixos/tests/trezord.nix
index 1c85bf53934..8d908a52249 100644
--- a/nixpkgs/nixos/tests/trezord.nix
+++ b/nixpkgs/nixos/tests/trezord.nix
@@ -1,7 +1,7 @@
-import ./make-test.nix ({ pkgs, ... }: {
+import ./make-test-python.nix ({ pkgs, ... }: {
name = "trezord";
meta = with pkgs.stdenv.lib.maintainers; {
- maintainers = [ mmahut ];
+ maintainers = [ mmahut "1000101" ];
};
nodes = {
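Review bot: In `maintainers = [ mmahut "1000101" ];` the second element is a plain string, not a lookup in the maintainers set. `with` only resolves identifiers and a quoted name is a string literal, so the list mixes a maintainer record with a string. If an entry with that handle exists, `pkgs.stdenv.lib.maintainers."1000101"` selects it. The new trickster.nix in this commit has the same pattern in `maintainers = [ "1000101" ];`.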
@@ -12,9 +12,9 @@ import ./make-test.nix ({ pkgs, ... }: {
};
testScript = ''
- startAll;
- $machine->waitForUnit("trezord.service");
- $machine->waitForOpenPort(21325);
- $machine->waitUntilSucceeds("curl -L http://localhost:21325/status/ | grep Version");
+ start_all()
+ machine.wait_for_unit("trezord.service")
+ machine.wait_for_open_port(21325)
+ machine.wait_until_succeeds("curl -L http://localhost:21325/status/ | grep Version")
'';
})
diff --git a/nixpkgs/nixos/tests/trickster.nix b/nixpkgs/nixos/tests/trickster.nix
new file mode 100644
index 00000000000..e2ca00980d5
--- /dev/null
+++ b/nixpkgs/nixos/tests/trickster.nix
@@ -0,0 +1,37 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+ name = "trickster";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ "1000101" ];
+ };
+
+ nodes = {
+ prometheus = { ... }: {
+ services.prometheus.enable = true;
+ networking.firewall.allowedTCPPorts = [ 9090 ];
+ };
+ trickster = { ... }: {
+ services.trickster.enable = true;
+ };
+ };
+
+ testScript = ''
+ start_all()
+ prometheus.wait_for_unit("prometheus.service")
+ prometheus.wait_for_open_port(9090)
+ prometheus.wait_until_succeeds(
+ "curl -L http://localhost:9090/metrics | grep 'promhttp_metric_handler_requests_total{code=\"500\"} 0'"
+ )
+ trickster.wait_for_unit("trickster.service")
+ trickster.wait_for_open_port(8082)
+ trickster.wait_for_open_port(9090)
+ trickster.wait_until_succeeds(
+ "curl -L http://localhost:8082/metrics | grep 'promhttp_metric_handler_requests_total{code=\"500\"} 0'"
+ )
+ trickster.wait_until_succeeds(
+ "curl -L http://prometheus:9090/metrics | grep 'promhttp_metric_handler_requests_total{code=\"500\"} 0'"
+ )
+ trickster.wait_until_succeeds(
+ "curl -L http://localhost:9090/metrics | grep 'promhttp_metric_handler_requests_total{code=\"500\"} 0'"
+ )
+ '';
+}) \ No newline at end of file
diff --git a/nixpkgs/nixos/tests/udisks2.nix b/nixpkgs/nixos/tests/udisks2.nix
index dcf869908d8..0cbfa0c4c7b 100644
--- a/nixpkgs/nixos/tests/udisks2.nix
+++ b/nixpkgs/nixos/tests/udisks2.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }:
+import ./make-test-python.nix ({ pkgs, ... }:
let
@@ -30,32 +30,40 @@ in
testScript =
''
- my $stick = $machine->stateDir . "/usbstick.img";
- system("xz -d < ${stick} > $stick") == 0 or die;
+ import lzma
- $machine->succeed("udisksctl info -b /dev/vda >&2");
- $machine->fail("udisksctl info -b /dev/sda1");
+ with lzma.open(
+ "${stick}"
+ ) as data, open(machine.state_dir + "/usbstick.img", "wb") as stick:
+ stick.write(data.read())
+
+ machine.succeed("udisksctl info -b /dev/vda >&2")
+ machine.fail("udisksctl info -b /dev/sda1")
# Attach a USB stick and wait for it to show up.
- $machine->sendMonitorCommand("drive_add 0 id=stick,if=none,file=$stick,format=raw");
- $machine->sendMonitorCommand("device_add usb-storage,id=stick,drive=stick");
- $machine->waitUntilSucceeds("udisksctl info -b /dev/sda1");
- $machine->succeed("udisksctl info -b /dev/sda1 | grep 'IdLabel:.*USBSTICK'");
+ machine.send_monitor_command(
+ f"drive_add 0 id=stick,if=none,file={stick.name},format=raw"
+ )
+ machine.send_monitor_command("device_add usb-storage,id=stick,drive=stick")
+ machine.wait_until_succeeds("udisksctl info -b /dev/sda1")
+ machine.succeed("udisksctl info -b /dev/sda1 | grep 'IdLabel:.*USBSTICK'")
# Mount the stick as a non-root user and do some stuff with it.
- $machine->succeed("su - alice -c 'udisksctl info -b /dev/sda1'");
- $machine->succeed("su - alice -c 'udisksctl mount -b /dev/sda1'");
- $machine->succeed("su - alice -c 'cat /run/media/alice/USBSTICK/test.txt'") =~ /Hello World/ or die;
- $machine->succeed("su - alice -c 'echo foo > /run/media/alice/USBSTICK/bar.txt'");
+ machine.succeed("su - alice -c 'udisksctl info -b /dev/sda1'")
+ machine.succeed("su - alice -c 'udisksctl mount -b /dev/sda1'")
+ machine.succeed(
+ "su - alice -c 'cat /run/media/alice/USBSTICK/test.txt' | grep -q 'Hello World'"
+ )
+ machine.succeed("su - alice -c 'echo foo > /run/media/alice/USBSTICK/bar.txt'")
# Unmounting the stick should make the mountpoint disappear.
- $machine->succeed("su - alice -c 'udisksctl unmount -b /dev/sda1'");
- $machine->fail("[ -d /run/media/alice/USBSTICK ]");
+ machine.succeed("su - alice -c 'udisksctl unmount -b /dev/sda1'")
+ machine.fail("[ -d /run/media/alice/USBSTICK ]")
# Remove the USB stick.
- $machine->sendMonitorCommand("device_del stick");
- $machine->waitUntilFails("udisksctl info -b /dev/sda1");
- $machine->fail("[ -e /dev/sda ]");
+ machine.send_monitor_command("device_del stick")
+ machine.wait_until_fails("udisksctl info -b /dev/sda1")
+ machine.fail("[ -e /dev/sda ]")
'';
})
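Review bot: `stick.write(data.read())` decompresses the whole image into memory before writing it; `shutil.copyfileobj(data, stick)`, with `import shutil` next to `import lzma`, streams it instead. The later f-string reads `stick.name` after the `with` block has closed the file, which works but is easy to misread. Binding the path first, e.g. `stick_path = machine.state_dir + "/usbstick.img"`, and using it in both places is clearer. It also avoids reusing the name `stick` for both the Nix value interpolated as `${stick}` and the Python file object.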
diff --git a/nixpkgs/nixos/tests/upnp.nix b/nixpkgs/nixos/tests/upnp.nix
index 98344aee3ef..d2e7fdd4fbe 100644
--- a/nixpkgs/nixos/tests/upnp.nix
+++ b/nixpkgs/nixos/tests/upnp.nix
@@ -5,7 +5,7 @@
# this succeeds an external client will try to connect to the port
# mapping.
-import ./make-test.nix ({ pkgs, ... }:
+import ./make-test-python.nix ({ pkgs, ... }:
let
internalRouterAddress = "192.168.3.1";
@@ -75,20 +75,20 @@ in
testScript =
{ nodes, ... }:
''
- startAll;
+ start_all()
# Wait for network and miniupnpd.
- $router->waitForUnit("network-online.target");
- # $router->waitForUnit("nat");
- $router->waitForUnit("firewall.service");
- $router->waitForUnit("miniupnpd");
+ router.wait_for_unit("network-online.target")
+ # $router.wait_for_unit("nat")
+ router.wait_for_unit("firewall.service")
+ router.wait_for_unit("miniupnpd")
- $client1->waitForUnit("network-online.target");
+ client1.wait_for_unit("network-online.target")
- $client1->succeed("upnpc -a ${internalClient1Address} 9000 9000 TCP");
+ client1.succeed("upnpc -a ${internalClient1Address} 9000 9000 TCP")
- $client1->waitForUnit("httpd");
- $client2->waitUntilSucceeds("curl http://${externalRouterAddress}:9000/");
+ client1.wait_for_unit("httpd")
+ client2.wait_until_succeeds("curl http://${externalRouterAddress}:9000/")
'';
})
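Review bot: The commented-out wait in the new script, `# $router.wait_for_unit("nat")`, is only half converted and still carries the Perl `$` sigil, so uncommenting it later gives invalid Python. Either drop it or write `# router.wait_for_unit("nat")` with a word on why it is disabled. Separately, `curl` without `--fail` exits 0 on an HTTP error response, so the final `wait_until_succeeds` shows that the mapped port is reachable but not that httpd answered successfully. If that is also intended, use `curl --fail http://${externalRouterAddress}:9000/`.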
diff --git a/nixpkgs/nixos/tests/uwsgi.nix b/nixpkgs/nixos/tests/uwsgi.nix
index afc03e74ed7..78a87147f55 100644
--- a/nixpkgs/nixos/tests/uwsgi.nix
+++ b/nixpkgs/nixos/tests/uwsgi.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }:
+import ./make-test-python.nix ({ pkgs, ... }:
{
name = "uwsgi";
meta = with pkgs.stdenv.lib.maintainers; {
@@ -30,9 +30,9 @@ import ./make-test.nix ({ pkgs, ... }:
testScript =
''
- $machine->waitForUnit('multi-user.target');
- $machine->waitForUnit('uwsgi.service');
- $machine->waitForOpenPort(8000);
- $machine->succeed('curl -v 127.0.0.1:8000 | grep "Hello World!"');
+ machine.wait_for_unit("multi-user.target")
+ machine.wait_for_unit("uwsgi.service")
+ machine.wait_for_open_port(8000)
+ assert "Hello World" in machine.succeed("curl -v 127.0.0.1:8000")
'';
})
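Review bot: The new assertion looks for `"Hello World"` where the removed grep matched `"Hello World!"`, so the check is slightly looser than before and the hunk gives no reason for it. If the application's response is unchanged, keep the exact string: `assert "Hello World!" in machine.succeed("curl -v 127.0.0.1:8000")`.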
diff --git a/nixpkgs/nixos/tests/vault.nix b/nixpkgs/nixos/tests/vault.nix
index caf0cbb2abf..ac8cf0703da 100644
--- a/nixpkgs/nixos/tests/vault.nix
+++ b/nixpkgs/nixos/tests/vault.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }:
+import ./make-test-python.nix ({ pkgs, ... }:
{
name = "vault";
meta = with pkgs.stdenv.lib.maintainers; {
@@ -12,12 +12,12 @@ import ./make-test.nix ({ pkgs, ... }:
testScript =
''
- startAll;
+ start_all()
- $machine->waitForUnit('multi-user.target');
- $machine->waitForUnit('vault.service');
- $machine->waitForOpenPort(8200);
- $machine->succeed('vault operator init');
- $machine->succeed('vault status | grep Sealed | grep true');
+ machine.wait_for_unit("multi-user.target")
+ machine.wait_for_unit("vault.service")
+ machine.wait_for_open_port(8200)
+ machine.succeed("vault operator init")
+ machine.succeed("vault status | grep Sealed | grep true")
'';
})
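Review bot: The last step, `vault status | grep Sealed | grep true`, depends on the pipeline taking its exit status from the final `grep`; as far as I know `vault status` itself exits non-zero while the vault is sealed. Without a comment, someone may later simplify this to a bare `machine.succeed("vault status")` or run it under `pipefail`, and the test would then fail on a correctly sealed vault. Suggested comment above the line: `# vault status exits non-zero while sealed; only the grep result decides this step`.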
diff --git a/nixpkgs/nixos/tests/wireguard/default.nix b/nixpkgs/nixos/tests/wireguard/default.nix
index b0797b96323..8206823a918 100644
--- a/nixpkgs/nixos/tests/wireguard/default.nix
+++ b/nixpkgs/nixos/tests/wireguard/default.nix
@@ -2,7 +2,7 @@ let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
in
-import ../make-test.nix ({ pkgs, ...} : {
+import ../make-test-python.nix ({ pkgs, ...} : {
name = "wireguard";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ ma27 ];
@@ -86,12 +86,12 @@ import ../make-test.nix ({ pkgs, ...} : {
};
testScript = ''
- startAll;
+ start_all()
- $peer0->waitForUnit("wireguard-wg0.service");
- $peer1->waitForUnit("wireguard-wg0.service");
+ peer0.wait_for_unit("wireguard-wg0.service")
+ peer1.wait_for_unit("wireguard-wg0.service")
- $peer1->succeed("ping -c5 fc00::1");
- $peer1->succeed("ping -c5 10.23.42.1")
+ peer1.succeed("ping -c5 fc00::1")
+ peer1.succeed("ping -c5 10.23.42.1")
'';
})
diff --git a/nixpkgs/nixos/tests/wireguard/generated.nix b/nixpkgs/nixos/tests/wireguard/generated.nix
index 897feafe3ff..a29afd2d466 100644
--- a/nixpkgs/nixos/tests/wireguard/generated.nix
+++ b/nixpkgs/nixos/tests/wireguard/generated.nix
@@ -1,4 +1,4 @@
-import ../make-test.nix ({ pkgs, ...} : {
+import ../make-test-python.nix ({ pkgs, ...} : {
name = "wireguard-generated";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ ma27 grahamc ];
@@ -28,30 +28,34 @@ import ../make-test.nix ({ pkgs, ...} : {
};
testScript = ''
- startAll;
-
- $peer1->waitForUnit("wireguard-wg0.service");
- $peer2->waitForUnit("wireguard-wg0.service");
-
- my ($retcode, $peer1pubkey) = $peer1->execute("wg pubkey < /etc/wireguard/private");
- $peer1pubkey =~ s/\s+$//;
- if ($retcode != 0) {
- die "Could not read public key from peer1";
- }
-
- my ($retcode, $peer2pubkey) = $peer2->execute("wg pubkey < /etc/wireguard/private");
- $peer2pubkey =~ s/\s+$//;
- if ($retcode != 0) {
- die "Could not read public key from peer2";
- }
-
- $peer1->succeed("wg set wg0 peer $peer2pubkey allowed-ips 10.10.10.2/32 endpoint 192.168.1.2:12345 persistent-keepalive 1");
- $peer1->succeed("ip route replace 10.10.10.2/32 dev wg0 table main");
-
- $peer2->succeed("wg set wg0 peer $peer1pubkey allowed-ips 10.10.10.1/32 endpoint 192.168.1.1:12345 persistent-keepalive 1");
- $peer2->succeed("ip route replace 10.10.10.1/32 dev wg0 table main");
-
- $peer1->succeed("ping -c1 10.10.10.2");
- $peer2->succeed("ping -c1 10.10.10.1");
+ start_all()
+
+ peer1.wait_for_unit("wireguard-wg0.service")
+ peer2.wait_for_unit("wireguard-wg0.service")
+
+ retcode, peer1pubkey = peer1.execute("wg pubkey < /etc/wireguard/private")
+ if retcode != 0:
+ raise Exception("Could not read public key from peer1")
+
+ retcode, peer2pubkey = peer2.execute("wg pubkey < /etc/wireguard/private")
+ if retcode != 0:
+ raise Exception("Could not read public key from peer2")
+
+ peer1.succeed(
+ "wg set wg0 peer {} allowed-ips 10.10.10.2/32 endpoint 192.168.1.2:12345 persistent-keepalive 1".format(
+ peer2pubkey.strip()
+ )
+ )
+ peer1.succeed("ip route replace 10.10.10.2/32 dev wg0 table main")
+
+ peer2.succeed(
+ "wg set wg0 peer {} allowed-ips 10.10.10.1/32 endpoint 192.168.1.1:12345 persistent-keepalive 1".format(
+ peer1pubkey.strip()
+ )
+ )
+ peer2.succeed("ip route replace 10.10.10.1/32 dev wg0 table main")
+
+ peer1.succeed("ping -c1 10.10.10.2")
+ peer2.succeed("ping -c1 10.10.10.1")
'';
})
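Review bot: Both key reads use `execute` plus a hand-written `retcode` check, and the `.strip()` is deferred to each `format` call, which carries the Perl structure over rather than using what the Python driver offers. `succeed` already raises when the command fails, so each read can be one line: `peer1pubkey = peer1.succeed("wg pubkey < /etc/wireguard/private").strip()` (likewise for `peer2`). The `wg set` commands can then interpolate the already-stripped key with an f-string. The only thing lost is the custom "Could not read public key" message, which the driver's own failure report replaces.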
diff --git a/nixpkgs/nixos/tests/wireguard/namespaces.nix b/nixpkgs/nixos/tests/wireguard/namespaces.nix
new file mode 100644
index 00000000000..94f993d9475
--- /dev/null
+++ b/nixpkgs/nixos/tests/wireguard/namespaces.nix
@@ -0,0 +1,80 @@
+let
+ listenPort = 12345;
+ socketNamespace = "foo";
+ interfaceNamespace = "bar";
+ node = {
+ networking.wireguard.interfaces.wg0 = {
+ listenPort = listenPort;
+ ips = [ "10.10.10.1/24" ];
+ privateKeyFile = "/etc/wireguard/private";
+ generatePrivateKeyFile = true;
+ };
+ };
+
+in
+
+import ../make-test.nix ({ pkgs, ...} : {
+ name = "wireguard-with-namespaces";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ asymmetric ];
+ };
+
+ nodes = {
+ # interface should be created in the socketNamespace
+ # and not moved from there
+ peer0 = pkgs.lib.attrsets.recursiveUpdate node {
+ networking.wireguard.interfaces.wg0 = {
+ preSetup = ''
+ ip netns add ${socketNamespace}
+ '';
+ inherit socketNamespace;
+ };
+ };
+ # interface should be created in the init namespace
+ # and moved to the interfaceNamespace
+ peer1 = pkgs.lib.attrsets.recursiveUpdate node {
+ networking.wireguard.interfaces.wg0 = {
+ preSetup = ''
+ ip netns add ${interfaceNamespace}
+ '';
+ inherit interfaceNamespace;
+ };
+ };
+ # interface should be created in the socketNamespace
+ # and moved to the interfaceNamespace
+ peer2 = pkgs.lib.attrsets.recursiveUpdate node {
+ networking.wireguard.interfaces.wg0 = {
+ preSetup = ''
+ ip netns add ${socketNamespace}
+ ip netns add ${interfaceNamespace}
+ '';
+ inherit socketNamespace interfaceNamespace;
+ };
+ };
+ # interface should be created in the socketNamespace
+ # and moved to the init namespace
+ peer3 = pkgs.lib.attrsets.recursiveUpdate node {
+ networking.wireguard.interfaces.wg0 = {
+ preSetup = ''
+ ip netns add ${socketNamespace}
+ '';
+ inherit socketNamespace;
+ interfaceNamespace = "init";
+ };
+ };
+ };
+
+ testScript = ''
+ startAll();
+
+ $peer0->waitForUnit("wireguard-wg0.service");
+ $peer1->waitForUnit("wireguard-wg0.service");
+ $peer2->waitForUnit("wireguard-wg0.service");
+ $peer3->waitForUnit("wireguard-wg0.service");
+
+ $peer0->succeed("ip -n ${socketNamespace} link show wg0");
+ $peer1->succeed("ip -n ${interfaceNamespace} link show wg0");
+ $peer2->succeed("ip -n ${interfaceNamespace} link show wg0");
+ $peer3->succeed("ip link show wg0");
+ '';
+})
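Review bot: The assertions at the end of `testScript` only check where `wg0` ends up, not which namespace holds the UDP socket. peer2 and peer3 would therefore still pass if `socketNamespace` were ignored and the interface were created in the init namespace, and peer3 in particular only runs `ip link show wg0`. Since keeping the socket in a separate namespace is the property being exercised, add a check that port 12345 is bound in the expected namespace, along the lines of `$peer2->succeed("ip netns exec ${socketNamespace} ss -lun | grep -q ':${toString listenPort} '");`; that command is a sketch to confirm on the VM. The file is also added on `../make-test.nix` with a Perl script while the other wireguard tests in this diff move to `make-test-python.nix`, which is worth a follow-up if it is not deliberate.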
diff --git a/nixpkgs/nixos/tests/wordpress.nix b/nixpkgs/nixos/tests/wordpress.nix
index c6acfa6c1f3..b7449859f7e 100644
--- a/nixpkgs/nixos/tests/wordpress.nix
+++ b/nixpkgs/nixos/tests/wordpress.nix
@@ -1,9 +1,13 @@
-import ./make-test.nix ({ pkgs, ... }:
+import ./make-test-python.nix ({ pkgs, ... }:
{
name = "wordpress";
meta = with pkgs.stdenv.lib.maintainers; {
- maintainers = [ grahamc ]; # under duress!
+ maintainers = [
+ flokli
+ grahamc # under duress!
+ mmilata
+ ];
};
machine =
@@ -23,19 +27,31 @@ import ./make-test.nix ({ pkgs, ... }:
};
testScript = ''
- startAll;
+ import re
- $machine->waitForUnit("httpd");
- $machine->waitForUnit("phpfpm-wordpress-site1.local");
- $machine->waitForUnit("phpfpm-wordpress-site2.local");
+ start_all()
- $machine->succeed("curl -L site1.local | grep 'Welcome to the famous'");
- $machine->succeed("curl -L site2.local | grep 'Welcome to the famous'");
+ machine.wait_for_unit("httpd")
- $machine->succeed("systemctl --no-pager show wordpress-init-site1.local.service | grep 'ExecStart=.*status=0'");
- $machine->succeed("systemctl --no-pager show wordpress-init-site2.local.service | grep 'ExecStart=.*status=0'");
- $machine->succeed("grep -E '^define.*NONCE_SALT.{64,};\$' /var/lib/wordpress/site1.local/secret-keys.php");
- $machine->succeed("grep -E '^define.*NONCE_SALT.{64,};\$' /var/lib/wordpress/site2.local/secret-keys.php");
- '';
+ machine.wait_for_unit("phpfpm-wordpress-site1.local")
+ machine.wait_for_unit("phpfpm-wordpress-site2.local")
+
+ site_names = ["site1.local", "site2.local"]
+
+ with subtest("website returns welcome screen"):
+ for site_name in site_names:
+ assert "Welcome to the famous" in machine.succeed(f"curl -L {site_name}")
+ with subtest("wordpress-init went through"):
+ for site_name in site_names:
+ info = machine.get_unit_info(f"wordpress-init-{site_name}")
+ assert info["Result"] == "success"
+
+ with subtest("secret keys are set"):
+ pattern = re.compile(r"^define.*NONCE_SALT.{64,};$", re.MULTILINE)
+ for site_name in site_names:
+ assert pattern.search(
+ machine.succeed(f"cat /var/lib/wordpress/{site_name}/secret-keys.php")
+ )
+ '';
})
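Review bot: In the "wordpress-init went through" subtest, `info["Result"] == "success"` may not prove that the unit ran. As far as I know systemd reports `Result=success` for a service that has never been started, and possibly for a name that does not resolve to a loaded unit, so a typo in `f"wordpress-init-{site_name}"` could pass silently. Adding `assert info["LoadState"] == "loaded"` guards against the name problem. A second assertion on a property that only changes after a run would cover the never-started case, but the right property depends on the unit definition, which is outside this hunk.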
diff --git a/nixpkgs/nixos/tests/xautolock.nix b/nixpkgs/nixos/tests/xautolock.nix
index ee46d9e05b0..10e92b40e95 100644
--- a/nixpkgs/nixos/tests/xautolock.nix
+++ b/nixpkgs/nixos/tests/xautolock.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, lib, ... }:
+import ./make-test-python.nix ({ pkgs, lib, ... }:
with lib;
@@ -15,10 +15,10 @@ with lib;
};
testScript = ''
- $machine->start;
- $machine->waitForX;
- $machine->mustFail("pgrep xlock");
- $machine->sleep(120);
- $machine->mustSucceed("pgrep xlock");
+ machine.start()
+ machine.wait_for_x()
+ machine.fail("pgrep xlock")
+ machine.sleep(120)
+ machine.succeed("pgrep xlock")
'';
})
diff --git a/nixpkgs/nixos/tests/xdg-desktop-portal.nix b/nixpkgs/nixos/tests/xdg-desktop-portal.nix
deleted file mode 100644
index 79ebb83c49a..00000000000
--- a/nixpkgs/nixos/tests/xdg-desktop-portal.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-# run installed tests
-import ./make-test.nix ({ pkgs, ... }:
-
-{
- name = "xdg-desktop-portal";
- meta = {
- maintainers = pkgs.xdg-desktop-portal.meta.maintainers;
- };
-
- machine = { pkgs, ... }: {
- environment.systemPackages = with pkgs; [ gnome-desktop-testing ];
- };
-
- testScript = ''
- $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.xdg-desktop-portal.installedTests}/share'");
- '';
-})
diff --git a/nixpkgs/nixos/tests/xfce.nix b/nixpkgs/nixos/tests/xfce.nix
index 7ff623062d9..3ea96b38363 100644
--- a/nixpkgs/nixos/tests/xfce.nix
+++ b/nixpkgs/nixos/tests/xfce.nix
@@ -1,8 +1,5 @@
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "xfce";
- meta = with pkgs.stdenv.lib.maintainers; {
- maintainers = [ eelco shlevy ];
- };
machine =
{ pkgs, ... }:
@@ -16,31 +13,26 @@ import ./make-test.nix ({ pkgs, ...} : {
services.xserver.desktopManager.xfce.enable = true;
- environment.systemPackages = [ pkgs.xorg.xmessage ];
-
hardware.pulseaudio.enable = true; # needed for the factl test, /dev/snd/* exists without them but udev doesn't care then
virtualisation.memorySize = 1024;
};
- testScript =
- ''
- $machine->waitForX;
- $machine->waitForFile("/home/alice/.Xauthority");
- $machine->succeed("xauth merge ~alice/.Xauthority");
- $machine->waitForWindow(qr/xfce4-panel/);
- $machine->sleep(10);
+ testScript = { nodes, ... }: let
+ user = nodes.machine.config.users.users.alice;
+ in ''
+ machine.wait_for_x()
+ machine.wait_for_file("${user.home}/.Xauthority")
+ machine.succeed("xauth merge ${user.home}/.Xauthority")
+ machine.wait_for_window("xfce4-panel")
+ machine.sleep(10)
# Check that logging in has given the user ownership of devices.
- $machine->succeed("getfacl -p /dev/snd/timer | grep -q alice");
-
- $machine->succeed("su - alice -c 'DISPLAY=:0.0 xfce4-terminal &'");
- $machine->waitForWindow(qr/Terminal/);
- $machine->sleep(10);
- $machine->screenshot("screen");
+ machine.succeed("getfacl -p /dev/snd/timer | grep -q ${user.name}")
- # Ensure that the X server does proper access control.
- $machine->mustFail("su - bob -c 'DISPLAY=:0.0 xmessage Foo'");
- $machine->mustFail("su - bob -c 'DISPLAY=:0 xmessage Foo'");
+ machine.succeed("su - ${user.name} -c 'DISPLAY=:0.0 xfce4-terminal &'")
+ machine.wait_for_window("Terminal")
+ machine.sleep(10)
+ machine.screenshot("screen")
'';
})
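Review bot: The rewritten script drops both negative checks that user bob cannot open alice's display (`mustFail("su - bob -c 'DISPLAY=:0.0 xmessage Foo'")` and the `DISPLAY=:0` variant) together with the `xmessage` package, and nothing on the new side replaces them. Those were the only assertions in this test about X server access control, so a regression that lets any local user connect to the session would no longer be caught here. Unless the removal is deliberate, keep `environment.systemPackages = [ pkgs.xorg.xmessage ];` and port the checks as `machine.fail("su - bob -c 'DISPLAY=:0.0 xmessage Foo'")` and `machine.fail("su - bob -c 'DISPLAY=:0 xmessage Foo'")`. The bob account presumably comes from an import outside the hunk; confirm it is still present.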
diff --git a/nixpkgs/nixos/tests/xfce4-14.nix b/nixpkgs/nixos/tests/xfce4-14.nix
deleted file mode 100644
index d9b87b08437..00000000000
--- a/nixpkgs/nixos/tests/xfce4-14.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-import ./make-test.nix ({ pkgs, ...} : {
- name = "xfce4-14";
-
- machine =
- { pkgs, ... }:
-
- { imports = [ ./common/user-account.nix ];
-
- services.xserver.enable = true;
-
- services.xserver.displayManager.auto.enable = true;
- services.xserver.displayManager.auto.user = "alice";
-
- services.xserver.desktopManager.xfce4-14.enable = true;
-
- hardware.pulseaudio.enable = true; # needed for the factl test, /dev/snd/* exists without them but udev doesn't care then
-
- virtualisation.memorySize = 1024;
- };
-
- testScript =
- ''
- $machine->waitForX;
- $machine->waitForFile("/home/alice/.Xauthority");
- $machine->succeed("xauth merge ~alice/.Xauthority");
- $machine->waitForWindow(qr/xfce4-panel/);
- $machine->sleep(10);
-
- # Check that logging in has given the user ownership of devices.
- $machine->succeed("getfacl -p /dev/snd/timer | grep -q alice");
-
- $machine->succeed("su - alice -c 'DISPLAY=:0.0 xfce4-terminal &'");
- $machine->waitForWindow(qr/Terminal/);
- $machine->sleep(10);
- $machine->screenshot("screen");
- '';
-})
diff --git a/nixpkgs/nixos/tests/xmonad.nix b/nixpkgs/nixos/tests/xmonad.nix
index 79c15ccffec..c2e5ba60d7b 100644
--- a/nixpkgs/nixos/tests/xmonad.nix
+++ b/nixpkgs/nixos/tests/xmonad.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "xmonad";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ nequissimus ];
@@ -21,19 +21,21 @@ import ./make-test.nix ({ pkgs, ...} : {
};
};
- testScript = { ... }: ''
- $machine->waitForX;
- $machine->waitForFile("/home/alice/.Xauthority");
- $machine->succeed("xauth merge ~alice/.Xauthority");
- $machine->sendKeys("alt-ctrl-x");
- $machine->waitForWindow(qr/alice.*machine/);
- $machine->sleep(1);
- $machine->screenshot("terminal");
- $machine->waitUntilSucceeds("xmonad --restart");
- $machine->sleep(3);
- $machine->sendKeys("alt-shift-ret");
- $machine->waitForWindow(qr/alice.*machine/);
- $machine->sleep(1);
- $machine->screenshot("terminal");
+ testScript = { nodes, ... }: let
+ user = nodes.machine.config.users.users.alice;
+ in ''
+ machine.wait_for_x()
+ machine.wait_for_file("${user.home}/.Xauthority")
+ machine.succeed("xauth merge ${user.home}/.Xauthority")
+ machine.send_chars("alt-ctrl-x")
+ machine.wait_for_window("${user.name}.*machine")
+ machine.sleep(1)
+ machine.screenshot("terminal")
+ machine.wait_until_succeeds("xmonad --restart")
+ machine.sleep(3)
+ machine.send_chars("alt-shift-ret")
+ machine.wait_for_window("${user.name}.*machine")
+ machine.sleep(1)
+ machine.screenshot("terminal")
'';
})
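Review bot: `machine.send_chars("alt-ctrl-x")` and `machine.send_chars("alt-shift-ret")` are not equivalent to the Perl `sendKeys` calls they replace. In the Python driver as I know it, `send_chars` types the string one character at a time, while a key combination is sent with `send_key`. As written the VM would receive the letters a, l, t, - and so on, and the following `wait_for_window("${user.name}.*machine")` would wait for a terminal that is never opened. Both lines should read `machine.send_key("alt-ctrl-x")` and `machine.send_key("alt-shift-ret")`.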
diff --git a/nixpkgs/nixos/tests/xmpp/ejabberd.nix b/nixpkgs/nixos/tests/xmpp/ejabberd.nix
index 196a04aca30..1518aaacc8a 100644
--- a/nixpkgs/nixos/tests/xmpp/ejabberd.nix
+++ b/nixpkgs/nixos/tests/xmpp/ejabberd.nix
@@ -1,4 +1,4 @@
-import ../make-test.nix ({ pkgs, ... }: {
+import ../make-test-python.nix ({ pkgs, ... }: {
name = "ejabberd";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ ajs124 ];
@@ -248,13 +248,21 @@ import ../make-test.nix ({ pkgs, ... }: {
};
testScript = { nodes, ... }: ''
- $server->waitForUnit('ejabberd.service');
- $server->succeed('su ejabberd -s $(which ejabberdctl) status|grep started') =~ /ejabberd is running/;
- $server->succeed('su ejabberd -s $(which ejabberdctl) register azurediamond example.com hunter2');
- $server->succeed('su ejabberd -s $(which ejabberdctl) register cthon98 example.com nothunter2');
- $server->fail('su ejabberd -s $(which ejabberdctl) register asdf wrong.domain');
- $client->succeed('send-message');
- $server->succeed('su ejabberd -s $(which ejabberdctl) unregister cthon98 example.com');
- $server->succeed('su ejabberd -s $(which ejabberdctl) unregister azurediamond example.com');
+ ejabberd_prefix = "su ejabberd -s $(which ejabberdctl) "
+
+ server.wait_for_unit("ejabberd.service")
+
+ assert "status: started" in server.succeed(ejabberd_prefix + "status")
+
+ server.succeed(
+ ejabberd_prefix + "register azurediamond example.com hunter2",
+ ejabberd_prefix + "register cthon98 example.com nothunter2",
+ )
+ server.fail(ejabberd_prefix + "register asdf wrong.domain")
+ client.succeed("send-message")
+ server.succeed(
+ ejabberd_prefix + "unregister cthon98 example.com",
+ ejabberd_prefix + "unregister azurediamond example.com",
+ )
'';
})
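Review bot: The negative check `server.fail(ejabberd_prefix + "register asdf wrong.domain")` passes no password, while the two `register` calls above it pass user, host and password. It therefore presumably fails on the argument count rather than on the unknown domain, and would keep passing even if registration on foreign domains started to be accepted. Supplying a password makes it test what the name suggests: `server.fail(ejabberd_prefix + "register asdf wrong.domain hunter2")`. The same gap exists in the removed Perl line, so it was carried over rather than introduced here.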
diff --git a/nixpkgs/nixos/tests/xmpp/prosody-mysql.nix b/nixpkgs/nixos/tests/xmpp/prosody-mysql.nix
index 62b4a17421e..0507227021b 100644
--- a/nixpkgs/nixos/tests/xmpp/prosody-mysql.nix
+++ b/nixpkgs/nixos/tests/xmpp/prosody-mysql.nix
@@ -1,4 +1,4 @@
-import ../make-test.nix {
+import ../make-test-python.nix {
name = "prosody-mysql";
nodes = {
@@ -57,21 +57,21 @@ import ../make-test.nix {
};
testScript = { nodes, ... }: ''
- $mysql->waitForUnit('mysql.service');
- $server->waitForUnit('prosody.service');
- $server->succeed('prosodyctl status') =~ /Prosody is running/;
+ mysql.wait_for_unit("mysql.service")
+ server.wait_for_unit("prosody.service")
+ server.succeed('prosodyctl status | grep "Prosody is running"')
# set password to 'nothunter2' (it's asked twice)
- $server->succeed('yes nothunter2 | prosodyctl adduser cthon98@example.com');
+ server.succeed("yes nothunter2 | prosodyctl adduser cthon98@example.com")
# set password to 'y'
- $server->succeed('yes | prosodyctl adduser azurediamond@example.com');
+ server.succeed("yes | prosodyctl adduser azurediamond@example.com")
# correct password to 'hunter2'
- $server->succeed('yes hunter2 | prosodyctl passwd azurediamond@example.com');
+ server.succeed("yes hunter2 | prosodyctl passwd azurediamond@example.com")
- $client->succeed("send-message");
+ client.succeed("send-message")
- $server->succeed('prosodyctl deluser cthon98@example.com');
- $server->succeed('prosodyctl deluser azurediamond@example.com');
+ server.succeed("prosodyctl deluser cthon98@example.com")
+ server.succeed("prosodyctl deluser azurediamond@example.com")
'';
}
diff --git a/nixpkgs/nixos/tests/xmpp/prosody.nix b/nixpkgs/nixos/tests/xmpp/prosody.nix
index 8331c7b6d33..9d1374bff6b 100644
--- a/nixpkgs/nixos/tests/xmpp/prosody.nix
+++ b/nixpkgs/nixos/tests/xmpp/prosody.nix
@@ -1,4 +1,4 @@
-import ../make-test.nix {
+import ../make-test-python.nix {
name = "prosody";
nodes = {
@@ -28,19 +28,19 @@ import ../make-test.nix {
};
testScript = { nodes, ... }: ''
- $server->waitForUnit('prosody.service');
- $server->succeed('prosodyctl status') =~ /Prosody is running/;
+ server.wait_for_unit("prosody.service")
+ server.succeed('prosodyctl status | grep "Prosody is running"')
# set password to 'nothunter2' (it's asked twice)
- $server->succeed('yes nothunter2 | prosodyctl adduser cthon98@example.com');
+ server.succeed("yes nothunter2 | prosodyctl adduser cthon98@example.com")
# set password to 'y'
- $server->succeed('yes | prosodyctl adduser azurediamond@example.com');
- # correct password to 'hunter2'
- $server->succeed('yes hunter2 | prosodyctl passwd azurediamond@example.com');
+ server.succeed("yes | prosodyctl adduser azurediamond@example.com")
+ # correct password to "hunter2"
+ server.succeed("yes hunter2 | prosodyctl passwd azurediamond@example.com")
- $client->succeed("send-message");
+ client.succeed("send-message")
- $server->succeed('prosodyctl deluser cthon98@example.com');
- $server->succeed('prosodyctl deluser azurediamond@example.com');
+ server.succeed("prosodyctl deluser cthon98@example.com")
+ server.succeed("prosodyctl deluser azurediamond@example.com")
'';
}
diff --git a/nixpkgs/nixos/tests/xss-lock.nix b/nixpkgs/nixos/tests/xss-lock.nix
index 0d757e8cef3..3a7dea07d53 100644
--- a/nixpkgs/nixos/tests/xss-lock.nix
+++ b/nixpkgs/nixos/tests/xss-lock.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, lib, ... }:
+import ./make-test-python.nix ({ pkgs, lib, ... }:
with lib;
@@ -26,15 +26,19 @@ with lib;
};
testScript = ''
- startAll;
-
- ${concatStringsSep "\n" (mapAttrsToList (name: lockCmd: ''
- ${"$"+name}->start;
- ${"$"+name}->waitForX;
- ${"$"+name}->waitForUnit("xss-lock.service", "alice");
- ${"$"+name}->fail("pgrep ${lockCmd}");
- ${"$"+name}->succeed("su -l alice -c 'xset dpms force standby'");
- ${"$"+name}->waitUntilSucceeds("pgrep ${lockCmd}");
- '') { simple = "i3lock"; custom_lockcmd = "xlock"; })}
+ def perform_xsslock_test(machine, lockCmd):
+ machine.start()
+ machine.wait_for_x()
+ machine.wait_for_unit("xss-lock.service", "alice")
+ machine.fail(f"pgrep {lockCmd}")
+ machine.succeed("su -l alice -c 'xset dpms force standby'")
+ machine.wait_until_succeeds(f"pgrep {lockCmd}")
+
+
+ with subtest("simple"):
+ perform_xsslock_test(simple, "i3lock")
+
+ with subtest("custom_cmd"):
+ perform_xsslock_test(custom_lockcmd, "xlock")
'';
})
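Review bot: Naming in the new helper is inconsistent with the rest of the converted scripts: `perform_xsslock_test(machine, lockCmd)` keeps a camelCase parameter in otherwise snake_case Python, and the second subtest is labelled `"custom_cmd"` while the node it exercises is `custom_lockcmd`. Suggest `def perform_xsslock_test(machine, lock_cmd):` and `with subtest("custom_lockcmd"):`, so that log output maps directly to node names. A one-line docstring on the helper stating that it asserts the locker is not running before `xset dpms force standby` and is running after would also help.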
diff --git a/nixpkgs/nixos/tests/yabar.nix b/nixpkgs/nixos/tests/yabar.nix
index bbc0cf4c7dd..9108004d4df 100644
--- a/nixpkgs/nixos/tests/yabar.nix
+++ b/nixpkgs/nixos/tests/yabar.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, lib, ... }:
+import ./make-test-python.nix ({ pkgs, lib, ... }:
with lib;
@@ -20,14 +20,14 @@ with lib;
};
testScript = ''
- $machine->start;
- $machine->waitForX;
+ machine.start()
+ machine.wait_for_x()
# confirm proper startup
- $machine->waitForUnit("yabar.service", "bob");
- $machine->sleep(10);
- $machine->waitForUnit("yabar.service", "bob");
+ machine.wait_for_unit("yabar.service", "bob")
+ machine.sleep(10)
+ machine.wait_for_unit("yabar.service", "bob")
- $machine->screenshot("top_bar");
+ machine.screenshot("top_bar")
'';
})
diff --git a/nixpkgs/nixos/tests/yggdrasil.nix b/nixpkgs/nixos/tests/yggdrasil.nix
new file mode 100644
index 00000000000..468fcf67127
--- /dev/null
+++ b/nixpkgs/nixos/tests/yggdrasil.nix
@@ -0,0 +1,125 @@
+let
+ aliceIp6 = "200:3b91:b2d8:e708:fbf3:f06:fdd5:90d0";
+ aliceKeys = {
+ EncryptionPublicKey = "13e23986fe76bc3966b42453f479bc563348b7ff76633b7efcb76e185ec7652f";
+ EncryptionPrivateKey = "9f86947b15e86f9badac095517a1982e39a2db37ca726357f95987b898d82208";
+ SigningPublicKey = "e2c43349083bc1e998e4ec4535b4c6a8f44ca9a5a8e07336561267253b2be5f4";
+ SigningPrivateKey = "fe3add8da35316c05f6d90d3ca79bd2801e6ccab6d37e5339fef4152589398abe2c43349083bc1e998e4ec4535b4c6a8f44ca9a5a8e07336561267253b2be5f4";
+ };
+ bobIp6 = "201:ebbd:bde9:f138:c302:4afa:1fb6:a19a";
+ bobConfig = {
+ InterfacePeers = {
+ eth1 = [ "tcp://192.168.1.200:12345" ];
+ };
+ MulticastInterfaces = [ "eth1" ];
+ LinkLocalTCPPort = 54321;
+ EncryptionPublicKey = "c99d6830111e12d1b004c52fe9e5a2eef0f6aefca167aca14589a370b7373279";
+ EncryptionPrivateKey = "2e698a53d3fdce5962d2ff37de0fe77742a5c8b56cd8259f5da6aa792f6e8ba3";
+ SigningPublicKey = "de111da0ec781e45bf6c63ecb45a78c24d7d4655abfaeea83b26c36eb5c0fd5b";
+ SigningPrivateKey = "2a6c21550f3fca0331df50668ffab66b6dce8237bcd5728e571e8033b363e247de111da0ec781e45bf6c63ecb45a78c24d7d4655abfaeea83b26c36eb5c0fd5b";
+ };
+
+in import ./make-test-python.nix ({ pkgs, ...} : {
+ name = "yggdrasil";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ gazally ];
+ };
+
+ nodes = rec {
+ # Alice is listening for peerings on a specified port,
+ # but has multicast peering disabled. Alice has part of her
+ # yggdrasil config in Nix and part of it in a file.
+ alice =
+ { ... }:
+ {
+ networking = {
+ interfaces.eth1.ipv4.addresses = [{
+ address = "192.168.1.200";
+ prefixLength = 24;
+ }];
+ firewall.allowedTCPPorts = [ 80 12345 ];
+ };
+ services.httpd.enable = true;
+ services.httpd.adminAddr = "foo@example.org";
+
+ services.yggdrasil = {
+ enable = true;
+ config = {
+ Listen = ["tcp://0.0.0.0:12345"];
+ MulticastInterfaces = [ ];
+ };
+ configFile = toString (pkgs.writeTextFile {
+ name = "yggdrasil-alice-conf";
+ text = builtins.toJSON aliceKeys;
+ });
+ };
+ };
+
+ # Bob is set up to peer with Alice, and also to do local multicast
+ # peering. Bob's yggdrasil config is in a file.
+ bob =
+ { ... }:
+ {
+ networking.firewall.allowedTCPPorts = [ 54321 ];
+ services.yggdrasil = {
+ enable = true;
+ openMulticastPort = true;
+ configFile = toString (pkgs.writeTextFile {
+ name = "yggdrasil-bob-conf";
+ text = builtins.toJSON bobConfig;
+ });
+ };
+ };
+
+ # Carol only does local peering. Carol's yggdrasil config is all Nix.
+ carol =
+ { ... }:
+ {
+ networking.firewall.allowedTCPPorts = [ 43210 ];
+ services.yggdrasil = {
+ enable = true;
+ denyDhcpcdInterfaces = [ "ygg0" ];
+ config = {
+ IfTAPMode = true;
+ IfName = "ygg0";
+ MulticastInterfaces = [ "eth1" ];
+ LinkLocalTCPPort = 43210;
+ };
+ };
+ };
+ };
+
+ testScript =
+ ''
+ import re
+
+ # Give Alice a head start so she is ready when Bob calls.
+ alice.start()
+ alice.wait_for_unit("yggdrasil.service")
+
+ bob.start()
+ carol.start()
+ bob.wait_for_unit("yggdrasil.service")
+ carol.wait_for_unit("yggdrasil.service")
+
+ ip_addr_show = "ip -o -6 addr show dev ygg0 scope global"
+ carol.wait_until_succeeds(f"[ `{ip_addr_show} | grep -v tentative | wc -l` -ge 1 ]")
+ carol_ip6 = re.split(" +|/", carol.succeed(ip_addr_show))[3]
+
+ # If Alice can talk to Carol, then Bob's outbound peering and Carol's
+ # local peering have succeeded and everybody is connected.
+ alice.wait_until_succeeds(f"ping -c 1 {carol_ip6}")
+ alice.succeed(f"ping -c 1 ${bobIp6}")
+
+ bob.succeed("ping -c 1 ${aliceIp6}")
+ bob.succeed(f"ping -c 1 {carol_ip6}")
+
+ carol.succeed("ping -c 1 ${aliceIp6}")
+ carol.succeed("ping -c 1 ${bobIp6}")
+
+ carol.fail("journalctl -u dhcpcd | grep ygg0")
+
+ alice.wait_for_unit("httpd.service")
+ carol.succeed("curl --fail -g http://[${aliceIp6}]")
+ '';
+})
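Review bot: `aliceKeys` and `bobConfig` contain private keys that are handed to `pkgs.writeTextFile`, so they land in the world-readable Nix store. That is fine for fixed test fixtures, but nothing in the file says so, and this is the kind of snippet that gets copied into real configurations. Suggest a comment above `aliceKeys`: `# Test-only keys. writeTextFile places them in the world-readable Nix store; real deployments must keep private keys in a configFile outside the store.` As a minor style point, the `f` prefix on `alice.succeed(f"ping -c 1 ${bobIp6}")` is unnecessary, since the address is interpolated by Nix and the string has no Python placeholders.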
diff --git a/nixpkgs/nixos/tests/zfs.nix b/nixpkgs/nixos/tests/zfs.nix
index d7a08268e98..8f844aca416 100644
--- a/nixpkgs/nixos/tests/zfs.nix
+++ b/nixpkgs/nixos/tests/zfs.nix
@@ -7,7 +7,7 @@ with import ../lib/testing.nix { inherit system pkgs; };
let
- makeTest = import ./make-test.nix;
+ makeTest = import ./make-test-python.nix;
makeZfsTest = name:
{ kernelPackage ? pkgs.linuxPackages_latest
@@ -34,12 +34,12 @@ let
};
testScript = ''
- $machine->succeed("modprobe zfs");
- $machine->succeed("zpool status");
+ machine.succeed("modprobe zfs")
+ machine.succeed("zpool status")
- $machine->succeed("ls /dev");
+ machine.succeed("ls /dev")
- $machine->succeed(
+ machine.succeed(
"mkdir /tmp/mnt",
"udevadm settle",
@@ -55,9 +55,7 @@ let
"umount /tmp/mnt",
"zpool destroy rpool",
"udevadm settle"
-
- );
-
+ )
'' + extraTest;
};
@@ -70,8 +68,8 @@ in {
unstable = makeZfsTest "unstable" {
enableUnstable = true;
extraTest = ''
- $machine->succeed(
- "echo password | zpool create -o altroot='/tmp/mnt' -O encryption=aes-256-gcm -O keyformat=passphrase rpool /dev/vdb1",
+ machine.succeed(
+ "echo password | zpool create -o altroot=\"/tmp/mnt\" -O encryption=aes-256-gcm -O keyformat=passphrase rpool /dev/vdb1",
"zfs create -o mountpoint=legacy rpool/root",
"mount -t zfs rpool/root /tmp/mnt",
"udevadm settle",
@@ -79,7 +77,7 @@ in {
"umount /tmp/mnt",
"zpool destroy rpool",
"udevadm settle"
- );
+ )
'';
};
diff --git a/nixpkgs/nixos/tests/zookeeper.nix b/nixpkgs/nixos/tests/zookeeper.nix
index f343ebd39e4..42cf20b39c5 100644
--- a/nixpkgs/nixos/tests/zookeeper.nix
+++ b/nixpkgs/nixos/tests/zookeeper.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test-python.nix ({ pkgs, ...} : {
name = "zookeeper";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ nequissimus ];
@@ -15,14 +15,20 @@ import ./make-test.nix ({ pkgs, ...} : {
};
testScript = ''
- startAll;
+ start_all()
- $server->waitForUnit("zookeeper");
- $server->waitForUnit("network.target");
- $server->waitForOpenPort(2181);
+ server.wait_for_unit("zookeeper")
+ server.wait_for_unit("network.target")
+ server.wait_for_open_port(2181)
- $server->waitUntilSucceeds("${pkgs.zookeeper}/bin/zkCli.sh -server localhost:2181 create /foo bar");
- $server->waitUntilSucceeds("${pkgs.zookeeper}/bin/zkCli.sh -server localhost:2181 set /foo hello");
- $server->waitUntilSucceeds("${pkgs.zookeeper}/bin/zkCli.sh -server localhost:2181 get /foo | grep hello");
+ server.wait_until_succeeds(
+ "${pkgs.zookeeper}/bin/zkCli.sh -server localhost:2181 create /foo bar"
+ )
+ server.wait_until_succeeds(
+ "${pkgs.zookeeper}/bin/zkCli.sh -server localhost:2181 set /foo hello"
+ )
+ server.wait_until_succeeds(
+ "${pkgs.zookeeper}/bin/zkCli.sh -server localhost:2181 get /foo | grep hello"
+ )
'';
})