Adds a fully fledged NixOS VM integration test which uses jmtpfs and
gvfs to test the functionality of MTP inside of NixOS. It uses USB
device emulation in QEMU to create MTP device(s) which can be tested
against.
Without configuring the block size a default of 512 bytes is used, which can
slow down the transfer speed massively.
In a test I've done with a semi-decent USB stick, I only get a transfer speed
of around 180 KB/sec when not specifying the block size but see 27 MB/sec when
setting the block size to 1 MB. This makes the transfer of the minimal
installation ISO take half a minute instead of an hour.
Installs Java into the Jenkins agent and allows specifying the JDK/JRE package to use. This is necessary as Jenkins verifies if the agent contains Java installed through the java -fullversion command, which if not, the connection will fail.
As requested by @roberth, we now have an option similar to
environment.etc. There's also extra store paths to copy and a way to
suppress store paths to make customizations possible.
We also link mount and umount to /bin to make recovery easier when
something fails
the build-time check is not safe (e.g. doesn't protect from bad users or nomissingok
paths missing), so add a new unit for configuration switch time check
Now the service no longer starts immediately,
check if the config we generated makes sense as soon as possible.
The check isn't perfect because logrotate --debug wants to check
users required, there are two problems:
- /etc/passwd and /etc/group are sandboxed and we don't have
visibility of system users
- the check phase runs as nixbld which cannot su to other users
and logrotate fails on this
Until these two problems can be addressed, users-related checks
are filtered out, it's still much better than no check.
The check can be disabled with services.logrotate.checkConfig
if required
(bird also has a preCheck param, to prepare the environment
before check, but we can add it if it becomes necessary)
Since this makes for very verbose builds, we only show errors:
There is no way to control log level, but logrotate hardcodes
'error:' at common log level, so we can use grep, taking care
to keep error codes
Some manual tests:
───────┬──────────────────────────────────────────
│ File: valid-config.conf
───────┼──────────────────────────────────────────
1 │ missingok
───────┴──────────────────────────────────────────
logrotate --debug ok
grep ok
───────┬──────────────────────────────────────────
│ File: postrotate-no-end.conf
───────┼──────────────────────────────────────────
1 │ missingok
2 │ /file {
3 │ postrotate
4 │ test
5 │ }
───────┴──────────────────────────────────────────
error: postrotate-no-end.conf:prerotate, postrotate or preremove without endscript
───────┬──────────────────────────────────────────
│ File: missing-file.conf
───────┼──────────────────────────────────────────
1 │ "test" { daily }
───────┴──────────────────────────────────────────
error: stat of test failed: No such file or directory
───────┬──────────────────────────────────────────
│ File: unknown-option.conf
───────┼──────────────────────────────────────────
1 │ some syntax error
───────┴──────────────────────────────────────────
logrotate --debug ok
error: unknown-option.conf:1 unknown option 'some' -- ignoring line
───────┬──────────────────────────────────────────
│ File: unknown-user.conf
───────┼──────────────────────────────────────────
1 │ su notauser notagroup
───────┴──────────────────────────────────────────
error: unknown-user.conf:1 unknown user 'notauser'
In particular note that logrotate would not error on unknown option
(it just ignores the line) but this change makes the check fail.
using freeform is the new standard way of using modules and should replace
extraConfig.
In particular, this will allow us to place a condition on mails
having pkgs.logrotate depend on mailutils brings in quite a bit of dependencies
through mailutil itself and recursive dependency to guile when most people
do not need it.
Remove mailutils dependency from the package, and conditionally add it to the
service if the user specify the mail option either at top level or in a path
Fixes#162001
This accomplishes multiple things:
- Allows us to start systemd without stage-2-init.sh. This was not
possible before because the environment would have been wrong
- `systemctl daemon-reexec` also changes the environment, giving us
newer tools for the fs packages
- Starts systemd in a fully clean environment, making everything more
consistent and pure
* Change groupId to gid to align with the rest of NixOS modules
* Add a check to the gid option to ensure it is greater than or equal
to 1000
* Use the overridden package for the wrappers
At some point, I'd like to make another attempt at
71f1f4884b ("openssl: stop static binaries referencing libs"), which
was reverted in 195c7da07d. One problem with my previous attempt is
that I moved OpenSSL's libraries to a lib output, but many dependent
packages were hardcoding the out output as the location of the
libraries. This patch fixes every such case I could find in the tree.
It won't have any effect immediately, but will mean these packages
will automatically use an OpenSSL lib output if it is reintroduced in
future.
This patch should cause very few rebuilds, because it shouldn't make
any change at all to most packages I'm touching. The few rebuilds
that are introduced come from when I've changed a package builder not
to use variable names like openssl.out in scripts / substitution
patterns, which would be confusing since they don't hardcode the
output any more.
I started by making the following global replacements:
${pkgs.openssl.out}/lib -> ${lib.getLib pkgs.openssl}/lib
${openssl.out}/lib -> ${lib.getLib openssl}/lib
Then I removed the ".out" suffix when part of the argument to
lib.makeLibraryPath, since that function uses lib.getLib internally.
Then I fixed up cases where openssl was part of the -L flag to the
compiler/linker, since that unambigously is referring to libraries.
Then I manually investigated and fixed the following packages:
- pycurl
- citrix-workspace
- ppp
- wraith
- unbound
- gambit
- acl2
I'm reasonably confindent in my fixes for all of them.
For acl2, since the openssl library paths are manually provided above
anyway, I don't think openssl is required separately as a build input
at all. Removing it doesn't make a difference to the output size, the
file list, or the closure.
I've tested evaluation with the OfBorg meta checks, to protect against
introducing evaluation failures.
Commit 7addb1c0ec disabled this as a
side effect of switching gnome-terminal to gnome-console, but it’s
still useful for gnome-console.
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
Lo and behold, we're finally catching up with Mozillas very own firefox
build in terms of speed.
PGO is an optimization technique in which in a first step we create a
build that supports instrumentation, meaning we can use it to create a
profile of how the browser behaved during usage. Then in a second pass
we create the final build that uses the acquired profiling data to
optimize the browser for the workload it actually received during
profiling.
The downside is that with PGO we now need to build Firefox twice, which
increases the build time from around 20 minutes to roughly 50 minutes.
In the Speedometer 2.0 benchmark multiple tests could see a
responsiveness improvemeant around 20-25%, which makes the increased
build time well worth it.
Sadly this benefit seems limited to x86_64-linux, builds on
aarch64-linux get stuck during profiling and I haven't found out why.
Finally, after a long time, we can say:
Closes: #76484
Supersedes: #129503
We can perform most of the mkdir/ln/rm using systemd-tmpfiles
instead which cleans up the script.
/bin and /home are created by their activation script snippets
usbfs is deprecated and unused.
hwclock seems to be automatically executed by systemd on startup.
The mkswap to prevent hibernation cycles seems to be executed by systemd
as well since the provided regression tests succeeds.
Before this patch, services.dendrite.environmentFile is used for
secrets and environment variable substitution only happens when this
option is used.
systemd-247 provides a mechanism called LoadCredential for secrets and
it is better than environment file. See the section of Environment=
in the manual of systemd.exec for more information.
This patch always substitute environment variables, which enables the
usage of systemd LoadCredential.
* With the upgrade to waydroid to 1.2.0, dependencies that previously
were shipped in the service's path have been moved to the waydroid
package.
* Make sure /var/lib/misc exists when starting waydroid. As required
by dnsmasq
This patch allows creation of files like
/etc/systemd/system/user-.slice.d/limits.conf with
systemd.units."user-.slice.d/limits.conf" = {
text = ''
[Slice]
CPUAccounting=yes
CPUQuota=50%
'';
};
which previously threw an error
Also renames the systemd-unit-path test to sytsemd-misc, and extends it to
test that `systemd.units` can handle directories. In this case we make
sure that resource limits specified in user slices apply.
While doing kernel development with the nixos testing infrastructure, it
is useful to quickly compile the kernel on the side and boot it in the testing VM.
This patch allows overriding the kernel through the environment
variable. For example, the following:
$ NIXPKGS_QEMU_KERNEL_testvm=$LINUX_SRC/arch/x86/boot/bzImage $VM/bin/nixos-test-driver
runs testvm testing VM with the fresh kernel compiled in $LINUX_SRC.
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
GNOME Shell 42 switched an icon for the accessibility menu in the top panel
to one from gnome-control-center instead of a legacy one from adwaita-icon-theme:
https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/2155
Let’s add that dependency to the systemd unit since installing it
through `environment.systemPackages` is not enough due to environment isolation.
The tests complained:
/nix/store/nm3nf5y4hzgmy00lw5s6ls68j38y84y0-gjs-1.72.0-installedTests/libexec/installed-tests/gjs/scripts/testCommandLineModules.sh: line 90: gjs-console: command not found
But they still passed.
Sendto device selection is removed in gnome-bluetooth 42.
I decide it is not worth to maintain a legacy gnome-bluetooth
package for the contract.
This should also be broken in elementary OS 7.
The current wrapper only includes vim, gvim and the man pages
(optionally). This rewrite distinguishes two scenarios, which I expect
cover the majority of use cases:
- standalone mode, when `name != "vim"`, means the user already has a
vim in scope and only wants to add a customized version with a
different name. In this case we only include wrappers for `/bin/*vim`.
- non-standalone mode, when `name == "vim"`, means the user expects a
normal vim package that uses the specified configuration. In this case
we include everything in the original derivation, with wrappers for
all the executables that accept a vimrc.
Browser Integration requires setgid and setuid programs, which needs to be done in the system configuration.
This is cleaner than the ad-hoc ways we have to set things up for platforms without a global configuration file.
* nixos/earlyoom: bring the module up to date
Removes deprecated option `ignoreOOMScoreAdjust`, introduces `killHook`
as a replacement for `notificationsCommand`, and adds an `extraArgs`
option for things not covered by the module.
* nixos/earlyoom: add nixos test
* nixos/earlyoom: add reportInterval
Allows setting the interval for logging a memory report. Defaults to
3600 following upstream
(https://github.com/rfjakob/earlyoom/blob/master/earlyoom.default#L5)
to avoid flooding logs.
* nixos/earlyoom: add free{Mem,Swap}KillThreshold
Fixes https://github.com/NixOS/nixpkgs/issues/83504
When a NixOS system uses flakes, i.e., /etc/nixos/flake.nix exists, it
is impossible to use nixos-rebuild to build a pre-flake
configuration.nix. Of course, one can directly use nix command to
build the configuration, but not everybody remembers the correct nix
options to do that.
With the new option, it is possible to build a pre-flake configuration
with command like this:
nixos-rebuild build-vm -I nixos-config=./vm.nix --no-flake
The option might be useful for people following older pre-flake
tutorials on a flake-based system.
In https://github.com/NixOS/nixpkgs/pull/142747, the implementation
behind Machine.execute() has been changed to pipe all the command's
output into base64 on the guest machine.
Unfortunately this means that base64 is blocking until stdout is closed,
which in turn means that we now need to make sure that whenever we run a
program in background via "&" we also need to make sure to close stdout,
which we do by redirecting stdout to stderr.
Signed-off-by: aszlig <aszlig@nix.build>
This adds the option `networking.wg-quick.interfaces.<name>.autostart`, which defaults to `true`, which is the previous behavior. With this option set to `false`, the systemd-unit will no longer be set to `wantedBy = [ "multi-user.target" ]` and therefore the tunnel has to be enabled/disabled via `systemctl start/stop wg-quick-<name>`.
Co-authored-by: pennae <82953136+pennae@users.noreply.github.com>
Naively deduplicate VLANs in the python driver for NixOS tests. The
current implementation accidentally works, since the VLan class mutates
the environment. On construction it sets QEMU_VDE_SOCKET_${id} and this
environment variable gets overwritten once a second VLAN with the same
id is constructed. Because the NIC flags passed to qemu just use the
QEMU_VDE_SOCKET_${id} environment variable, this implicitly chooses a
single vde_switch process for each VLAN.
However, this leads to unusable vde_switch processes being spawned in
each test run and as a side effect makes it impossible to access the
correct VLan objects in the interactive test driver. It also makes it
remarkably hard to understand why the current implementation ever
worked.
Use `recursiveUpdate` instead of the // operator, as recommended in https://nix.dev/anti-patterns/language#attr1-attr2-merge-operator. Without this change, setting `services.ipfs.extraConfig.Addresses.NoAnnounce` for example will cause `services.ipfs.apiAddress`, `services.ipfs.gatewayAddress` and `services.ipfs.swarmAddress` to be ignored.
The Nix-provided `nix-daemon.socket` file has a
> ConditionPathIsReadWrite=/nix/var/nix/daemon-socket/socket
line, to skip that unit if /nix/var/nix/daemon-socket/socket is
read-only (which is the case in some nixos-containers with that folder
bind-ro-mounted from the host).
In these cases, the unit was skipped.
Systemd 250 (rightfully) started to also skip in these cases:
> [ 237.187747] systemd[1]: Nix Daemon Socket was skipped because of a failed condition check (ConditionPathIsReadWrite=/nix/var/nix/daemon-socket).
However, systemd < 250 didn't skip if /nix/var/nix/daemon-socket/socket
didn't /exist at all/, and we were relying on this bug in the case for
fresh NixOS systems, to have /nix/var/nix/daemon-socket/socket created
initially.
Move the creation of that folder to systemd-tmpfiles, by shipping an
appropriate file in `${nixPackage}/lib/tmpfiles.d/nix-daemon.conf`
(NixOS/nix#6285).
In the meantime, set a systemd tmpfiles rule manually in NixOS.
This has been tested to still work with read-only bind-mounted
/nix/var/nix/daemon-socket/socket in containers, it'll keep them
read-only ;-)
some change in the last 24 hours altered the behaviour of st such that
it now dies with a non-zero exit code when the shell exits, so kill is
now necessary
For now at least. I expect someone will find a working type later.
It's incorrect and was causing bad issues. Example test case:
nix-instantiate nixos/release.nix -A tests.xfce.x86_64-linux --dry-run
This is a partial revert of commit b2d803c from PR #162271.
hostNames being deprecated makes configuring hosts with multiple keys a
pain. including the attr name of the entry in the host name list is a
nice convenience though, so we'll retain it and clarify the
documentation on how the actual host name list for an entry is put
together.
* _7zz: correct license and remove p7zip dependency
The code under Compress/Rar* is licensed under a specific unRAR license
Also Compress/LzfseDecoder.cpp is covered by BSD3
The unRAR code is removed from the `.tar.xz` since the license posits you
agree or remove the code from your hard drive
This adds some complexity to updating 7zz so there is also an update
script
Meta has been updated and tweaked
Source is now downloaded from sourceforge in the `.tar.xz` version to
avoid depending on p7zip
* _7zz: add notice of the license updates and optional unRAR licenced code
Currently it is only possible to add upstream _system_ units. The option
systemd.additionalUpstreamSystemUnits can be used for this.
However, this was not yet possible for systemd.user. In a similar
fashion this was added to systemd-user.nix.
This is intended to have other modules add upstream units.
Add an exception to the `paperless-ng-server` service's
`SystemCallFilter` as the `mbind` syscall is needed when consuming a
document while having a classification model present.
Since b9cfbcafdf, the lack of hexdump in
the closure lead to the generation of empty cookie files. This empty
cookie file is making pleroma to crash at startup now we correctly
read it.
We introduce a migration forcing these empty cookies to be
re-generated to something not empty.
It was originally impossible to login in toot without having an
interactive shell. I opened https://github.com/ihabunek/toot/pull/180
upstream to fix that and fetch this patch for this test.
The author decided to fix the issue using a slightly different
approach at a3eb5dca24
Because of this upstream fix, our custom patch does not apply anymore.
Using that stdin-based login upstream feature.
We inject the release cookie path to the pleroma derivation in order
to wrap pleroma_ctl with it. Doing this allows us to remove the
systemd-injected RELEASE_COOKIE path, which was sadly
buggy (RELEASE_COOKIE should point to the *content* of the cookie, not
the file containing it).
We take advantage of this to factor out the cookie path.
Now, one can just use `networking.networkmanager.plugins = lib.mkForce [];`
if they want to get rid of the plug-ins.
Co-authored-by: lassulus <lassulus@lassul.us>
Fixes race conditions like this:
> systemd[1]: Started prometheus-kea-exporter.service.
> kea-exporter[927]: Listening on http://0.0.0.0:9547
> kea-exporter[927]: Socket at /run/kea/dhcp4.sock does not exist. Is Kea running?
> systemd[1]: prometheus-kea-exporter.service: Main process exited, code=exited, status=1/FAILURE
It doesn't make sense to have a default value for this that's
incompatible with the default locate implementation. It means that
just doing services.locate.enable = true; generates a warning, even if
you don't care about pruning anything. So only use the default prune
list if the locate implementation supports it (i.e., isn't findutils).
If `services.tor.client.enable` is set to false (the default), the `SOCKSPort` option is not added to the torrc file but since Tor defaults to listening on port 9050 when the option is not specified, the tor client is not actually disabled. To fix this, simply set `SOCKSPort` to 0, which disables the client.
Use `mkForce` to prevent potentially two different `SOCKSPort` options in the torrc file, with one of them being 0 as this would cause Tor to fail to start. When `services.tor.client.enable` is set to false, this should always be disabled.
When `services.resolved.enable` is set to true, the file /etc/resolv.conf becomes a symlink to /etc/static/resolv.conf, which is a symlink to /run/systemd/resolve/stub-resolv.conf. Without this commit, tor does not have access to this file thanks to systemd confinement. This results in the following warning when tor starts:
```
[warn] Unable to stat resolver configuration in '/etc/resolv.conf': No such file or directory
[warn] Could not read your DNS config from '/etc/resolv.conf' - please investigate your DNS configuration. This is possibly a problem. Meanwhile, falling back to local DNS at 127.0.0.1.
```
To fix this, simply allow read-only access to the file when resolved is in use.
According to https://github.com/NixOS/nixpkgs/pull/161818#discussion_r824820462, the symlink may also point to /run/systemd/resolve/resolv.conf, so allow that as well.
The new option (disabled by default) pulls in the experimental sensor
calibration files for the Facetime HD camera. These will also be pulled
in by hardware.enableAllFirmware.
Use a quoted heredoc to inject installBootLoader safely into the script,
and restore the previous invocation of `system` with a single argument so
that shell commands keep working.
pam-ussh allows authorizing using an SSH certificate stored in your
SSH agent, in a similar manner to pam-ssh-agent-auth, but for
certificates rather than raw public keys.
Without this fix, evaluating a NixOS configuration with Tomcat enabled and the
default settings results in the following evaluation error:
Failed assertions:
- users.users.tomcat.group is unset. This used to default to
nogroup, but this is unsafe. For example you can create a group
for this user with:
users.users.tomcat.group = "tomcat";
users.groups.tomcat = {};
As of systemd/systemd@e908434458,
systemd-networkd now automatically configures routes to addresses
specified in AllowedIPs unless explicitly disabled with
"RouteTable=off".
As a novice to using this module, I found the existing description to be
quite misleading. It does not at all disable pulling from the registry,
it just loads some image archive that may or may not be related to the
container you're specifying. I had thought there was extra magic behind
this option, but it's just a `docker load`. You need foreknowledge of
the contents of the archive so that whatever it contained is actually
used to run the container.
I've reworded the description to hopefully make this behavior clearer.
it's really easy to accidentally write the wrong systemd Exec* directive, ones
that works most of the time but fails when users include systemd metacharacters
in arguments that are interpolated into an Exec* directive. add a few functions
analogous to escapeShellArg{,s} and some documentation on how and when to use them.
This bug is so obscure and unlikely that I was honestly not able to
properly write a test for it. What happens is that we are calling
handleModifiedUnit() with $unitsToStart=\%unitsToRestart. We do this to
make sure that the unit is stopped before it's started again which is
not possible by regular means because the stop phase is already done
when calling the activation script.
recordUnit() still gets $startListFile, however which is the wrong file.
The bug would be triggered if an activation script requests a service
restart for a service that has `stopIfChanged = true` and
switch-to-configuration is killed before the restart phase was run. If
the script is run again, but the activation script is not requesting
more restarts, the unit would be started instead of restarted.
