I guess my time has come as well...
With this commit, I'm not just dropping my maintainer entry, but I'm also
resigning from my duties as a board observer and NixCon project lead.
I also terminated my Summer of Nix contract today.
I'll also stop hosting the local NixOS meetup.
The only "project" I'll finish under the NixOS Foundation umbrella is
Google Summer of Code because the mentees aren't even remotely
responsible for why I'm leaving, and it would be unfair to leave them
hanging.
I'm grateful for all the things I was able to learn, for all the experiences
I could gather, and for all the friends I made along the way.
NixOS is what makes computers bearable for me, so I'll go and work on
some fork (*something something* you always meet twice in life).
sometimes takes a while for upstream to publish on pypi so switch to using github source for master, pkg, worker and github releases for the plugins which require built assets
ChangeLog: https://github.com/grafana/grafana/releases/tag/v11.1.0
A few additional changes were necessary:
* Grafana now refuses to listen on non-IP values and aborts with
Error: ✗ *apiserver.service run error: invalid IP address: localhost
* packages/grafana-e2e doesn't exist anymore, so the build fixes for
that could be removed.
* Make sure we always compile the binary parts of cypress.
* Grafana tends to set the minimum Go version to the latest Go version
available now[1].
* The `url` of a datasource was set to `localhost` by default. I don't
expect anybody to have not set it when needed, also Grafana aborts now
if `url` is non-empty for a random walk datasource (which broke the VM
tests).
[1] https://github.com/grafana/grafana/pull/88794#discussion_r1630563467
This contribution extends the k3s module to
enable the usage of Helm charts and container
images in air-gapped environments. Additionally,
the manifests option allows to specify arbitrary
manifests that are deployed by k3s automatically.
It is now possible to deploy Kubernetes workloads
using the k3s module.
Preflight check failed with error: Journal directory
</var/lib/graylog/data/journal> has not enough free space (3412 MB) available.
You need to provide additional 1707 MB to contain 'message_journal_max_size = 5120 MB'
The spook package includes two separate integrations and the module was
adapted to account for that scenario. Add a test to ensure the changed
keeps working correctly going forward.
tcp*.bt scripts tried to include glibc headers, which didn't work on
nixos because bpftrace tried to call clang-major with some options to
get the paths, but we never told it where to find it.
Give bpftrace the path directly instead of giving it a path to clang.
runqlat.bt doesn't work with glibc headers and requires kernel headers
which are no longer extracted, just provide its value.
Note the default clang output also had some clang-internal headers, but
these seem to be included anyway through libclang API without having to
give them here, so we only pass the glibc ones.
While here:
- also backport another bpftrace patch that made the tcp*.bt tools to
actually not require these includes
- and add tests that we can include these.
Co-authored-by: Arian van Putten <arian.vanputten@gmail.com>
To allow migration from 23.11 to 24.05 without triggering re-registrations,
the account hashing behaviour of the previous release can be retained by setting
`security.acme.defaults.server` to `null`.
We better also check for hash consistency with that setting to avoid unexpected
account hash changes again.
Odoo does not initialize the database by default,
it must be explicitly initialized for the test as written to succeed.
Signed-off-by: Sirio Balmelli <sirio@b-ad.ch>
Verify that all `href` attributes emitted as part of the entrypoint page
after logging in are reachable.
Co-authored-by: Bruno BELANYI <bruno@belanyi.fr>
Closes#320381
Installation with a custom dbtableprefix is not allowed anymore for a
while[1] and we shouldn't advertise it as such.
The option is deprecated for now since I'm not sure if there are some
weird corner-cases where removing the option directly would break
existing installations from before <20 with a custom dbtableprefix. The
migration-path for such a case is as follows:
* Check if /var/lib/nextcloud/config/config.php has the correct
dbtableprefix set and if not, take care of it.
* Remove `dbtableprefix` from the NixOS configuration. It's effectively
state anyways.
After a bit of time to switch (perhaps after the next release
branchoff), the option can be removed.
[1] https://github.com/nextcloud/server/issues/24836
General cleanup -- following the logic that NixOS 23.11 contains Kafka
3.5, so there is a sensible upgrade path for everyone as long as we keep
that around until after the next release.
- rename hardware.opengl to hardware.graphics
- remove hardware.opengl.driSupport, which does nothing
- remove hardware.opengl.setLdLibraryPath, which should never be done
- rename hardware.opengl.driSupport32Bit to hardware.graphics.enable32Bit
- lost of small docs / formatting cleanups
Allows users to refer to `config.programs.ydotool.group` rather than
hard-coding "ydotool".
Allows users to override the group name for whatever reason.
This closes#317013.
Co-authored-by: Cosima Neidahl <opna2608@protonmail.com>
The tests had very much duplication and some if it was even wrong! For
instance, `withRcloneEnv` in the MySQL test didn't have the `"$@"` at
the bottom to execute commands passed to it. Because of that, the MySQL
testcase never checked whether files can be uploaded.
Since tests are just another module-system I decided to abstract away
common things by using it:
* Define a base module with
* an empty `client` node and a `nextcloud` node with defaults
shared among all tests.
* rclone scripts that are used by all tests.
* a `testScript` checking upload/download. Additional checks can be
added via `test-helpers.extraTests`.
* Make common information such as admin user & password shared via
options.
Also, changed the following things:
* The `name` of the final derivation also includes the Nextcloud major
it was tested against.
* Improved the objecstore test by making sure the file was actually
uploaded into the bucket.
* Make sure `withRcloneEnv` actually invokes the command it gets as
`argv`. Until no, nothing was uploaded. This mistake was copied from
the MySQL test that appears to have the same issue (will be addressed
in the next commit).
* Test upload/download through with rclone once to see if Nextcloud
interaction with S3 works fine.
* Make sure we actually have something in the bucket (until now with an
`ls` and no real check, will do some larger cleanups and make this
better in the next commit).
* Use actual AWS-style access keys.
Allow users to disable the shadow authentication suite.
My primary motivation is to reduce the attack surface via setuid
binaries, which shadow understandably introduces many. I realised,
however, that I don't use any of these.
The test demonstrates login working without needing the shadow suite.
We can expose the PLAT prefix to the client via DNS64 so clatd is able
to determine the prefix dynamically. We can also test that some
systemd-networkd PREF64 settings work as expected when exposed on the
router.
- Introduce more possible options by using the krb format generator.
- Enforce package choice is using a correct package.
- Use meta attribute to decide implementation, allows for overriding the
package.
- Make necessary changes to the format, to allow for multiple ACL files in
heimdal.
- Add systemd target and slice for both implementations.
- Move state to `/var/lib`
- Add documentation
When I initially wrote this test, I wasn't aware that services.openssh
could opt into using OpenSSH's default algorithms by just setting the
relevant settings to null.
That's a better approach since:
* it's a simpler setting for this test to have to worry about
* it introduces test coverage for the null case
* the null case should be demonstrated as an example for those that
want to compile without OpenSSL
- Use the print dialog to create a sample score.
- Copy also the sample score from the vm to $out of the test.
- Create a bit more screenshots
- Only use machine.wait_for_window, never machine.wait_for_text which
requires OCR which is slow.
- Set XDG_RUNTIME_DIR so it won't dump core.
Without this change, the systemd unit will be marked as ready even though BIND has not finished starting yet.
This causes other units that depend on BIND to start even though BIND is not ready yet.
From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900788: "Bind9 will daemonize itself _when it is ready_."
Also modify the NixOS test. With this change, waiting for the unit alone will ensure that BIND is ready to accept queries. I would have expected to see the test failing without this commit but with the `machine.wait_for_open_port(53)` line removed but I found this to not be the case most of the time. This is probably the case because the situation is inherently racy and on my machine BIND happens to start in time most of the time.
nix tests now moved to `nixosTests.nix-misc`
Revert "nixos/tests/misc: support old and new path-info output structure"
This reverts commit 903f315fe5.
Revert "nixos/tests/misc: call the tester `test` to be `callTest`-ed"
This reverts commit b35ccb7fda.
Revert "nixos/tests/misc: rework and take ownership"
This reverts commit 81854ca604.
Needs a GLib change to be fixed, which needs a staging cycle, which I was told won't happen in time anymore.
Luckily it's not a crucial component for the desktop mode.
Given that we were overriding qemu_test to enable this anyway,
enabling this by default saves Hydra a QEMU build.
There's also clear demand from users[1] for this feature, so our
alternatives are:
- Offer a qemu-canokey attribute. I don't want to do this, because I
don't think there's any reason to make Hydra build an extra QEMU.
- Enable it only for qemu_test. I don't want to do this, because it
will lead to users using qemu_test without understanding its
subtleties.
- Force users to build from source. I don't think there's any reason
to do this when it's unlikely to hurt anybody having it enabled by
default. There's no reason to single out canokey to be disabled by
default in spite of users' needs given that we enable so many other
optional QEMU features.
[1]: https://github.com/canokeys/canokey-qemu/issues/6
This patch is about removing `wireguardPeerConfig`,
`dhcpServerStaticLeaseConfig` - a.k.a. the
AbstractSingletonProxyFactoryBean of nixpkgs - and friends.
As a former colleague said
> worst abstraction ever
I second that. I've written enough networkd config for NixOS systems so
far to have a strong dislike. In fact, these don't even make sense:
`netdevs.wireguardPeers._.wireguardPeerConfig` will be rendered into
the key `[WireGuardPeer]` and every key from `wireguardPeerConfig` is in
there. Since it's INI, there's no place where sections on the same level
as wireguardPeerConfig fit into. Hence, get rid of it all.
For the transition, using the old way is still allowed, but gives a
warning. I think we could drop this after one release.
The tests of rosenpass and systemd-networkd-dhcpserver-static-leases
were broken on the rev before, hence they were updated, but are still
not building.
Module has been fixed and now uses the maintenance service to cache
settings so as to not require environment files wherever possible.
The tests now test using mariadb and postgresql as well as sqlite to be
more complete. A test has been added for testing whether app.js has been
compiled successfully, as well as to check whether the cronjob fires
successfully.
This migrates the syntax for a few configuration values,
which now need to be quoted strings for user values.
This also disables the use of a public resolver,
which is not accessible in the sandbox.
This fixes build failures with the wayland dependency:
Quoting @nevivurn:
"guestadditions->...->wayland, but the test config pulls in
modules/profiles/minimal.nix which disables xlibs and thus it won't build"
Co-authored-by: Yongun Seong <nevivurn@nevi.dev>
Upstream (accidentally) broke support for postgresql 12 and 13 on
v0.2.1 by changing the signature of the `from_datum` function[^1].
This went unnoticed since the release branch `0.2` did not have CI.
Furthermore, they are removing support for these versions of postgresql
on v0.3.0[^2].
[^1]: 97e861d51d
[^2]: https://github.com/tensorchord/pgvecto.rs/issues/343
Our more thorough parametrised tests uncovered that with the changes for
supporting DynamicUser, we now have the situation that for static users
the root directory within the confined environment is now writable for
the user in question.
This is obviously not what we want and I'd consider that a regression.
However while discussing this with @ju1m and my suggestion being to
set TemporaryFileSystem to "/" (as we had previously), they had an even
better idea[1]:
> The goal is to deny write access to / to non-root users,
>
> * TemporaryFileSystem=/ gives us that through the ownership of / by
> root (instead of the service's user inherited from
> RuntimeDirectory=).
> * ProtectSystem=strict gives us that by mounting / read-only (while
> keeping its ownership to the service's user).
>
> To avoid the incompatibilities of TemporaryFileSystem=/ mentioned
> above, I suggest to mount / read-only in all cases with
> ReadOnlyPaths = [ "+/" ]:
>
> ...
>
> I guess this would require at least two changes to the current tests:
>
> 1. to no longer expect root to be able to write to some paths (like
> /bin) (at least not without first remounting / in read-write
> mode).
> 2. to no longer expect non-root users to fail to write to certain
> paths with a "permission denied" error code, but with a
> "read-only file system" error code.
I like the solution with ReadOnlyPaths even more because it further
reduces the attack surface if the user is root. In chroot-only mode this
is especially useful, since if there are no other bind-mounted paths
involved in the unit configuration, the whole file system within the
confined environment is read-only.
[1]: https://github.com/NixOS/nixpkgs/pull/289593#discussion_r1586794215
Signed-off-by: aszlig <aszlig@nix.build>
This is to make sure that we test all of the DynamicUser/User/Group and
PrivateTmp options in a uniform way. The reason why we need to do this
is because we recently introduced support for the DynamicUser option and
since there are some corner cases where we might end up with more
elevated privileges (eg. writable directories in some cases), we want to
make sure that the environment is as restrictive as with a static
User/Group assignment.
I also removed various checks that try to os.chown(), since with our new
recursive checker those are redundant.
Signed-off-by: aszlig <aszlig@nix.build>
So far the architecture for the tests was that we would use a systemd
socket unit using the Accept option to start a small shell process where
we can pipe commands into by connecting to the socket created by the
socket unit.
This is unnecessary since we can directly use the code snippets from the
individual subtests and systemd will take care of checking the return
code in case we get any assertions[^1].
Another advantage of this is that tests now run in parallel, so we can
do rather expensive things such as looking in /nix to see whether
anything is writable.
The new assert_permissions() function is the main driver behind this and
allows for a more fine-grained way to check whether we got the right
permissions whilst also ignoring irrelevant things such as read-only
empty directories.
Our previous approach also just did a read-only check, which might be
fine in full-apivfs mode where the attack surface already is large, but
in chroot-only mode we really want to make sure nothing is every
writable.
A downside of the new approach is that currently the unit names are
numbered via lib.imap1, which makes it annoying to track its definition.
[^1]: Speaking of assertions, I wrapped the code to be run with pytest's
assertion rewriting, so that we get more useful AssertionErrors.
Signed-off-by: aszlig <aszlig@nix.build>
When experimenting on ways how to refactor the test, I wrote a
significant enough amount of Python to warrant a dedicated Python file.
This commit is mainly to prepare for that and make it easier to track
renames.
Signed-off-by: aszlig <aszlig@nix.build>
The reason why I originally used the "description" attribute was that it
can be easily used to parametrise the tests so that we can specify
common constraints and apply it across a number of different
configurations.
When porting the tests to Python, the description attribute was replaced
by inlining it into the Python code, most probably because it was easier
to do in bulk since using Nix to generate the subtest parts would be
very complicated to do since we also had to please Black (a Python code
formatter that we no longer use in test scripts).
Since we now also want to support DynamicUser in systemd-confinement,
the need to parametrise the tests became apparent again because it's now
easier to refactor our subtests to run both with *and* without
DynamicUser set to true.
Signed-off-by: aszlig <aszlig@nix.build>
Eelco has made several early contributions to NixOS including writing
the samba module among other things, but is more or less inactive these
days.
By my brief inspection, he has not committed to the nixos/ tree since
releasing Nix 2.13 in early 2023 and merging a PR to networking tests
slightly before that. A lot of these tests/modules are actually
unmaintained in practice, so we should update the code to reflect the
practical reality so someone can consider picking them up.
Depending on the startup order of the two machines it might take a few
moments to get both zones transfered, which can lead to SERVFAIL
responses on busy machines.
`nixosTests.misc` is an interesting smoketest as a last (cheap) line of
defense against Nix regressions.
We rework it to accept any arbitrary package manager for Lix.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
The kernel used on aarch64-linux is built with CONFIG_BLK_DEV_LOOP=y,
so the test previously did not work on aarch64-linux.
The module for Hybla congestion control is available as a loadable
module both on x86_64-linux and aarch64-linux.
This adds an implementation of switch-to-configuration that allows for
closer interaction with the lifecycle of systemd units by using DBus
APIs directly instead of using systemctl. It is disabled by default, but
can be enabled by specifying `{ system.switch = { enable = false; enableNg = true; }; }`.
The change introduced in #308303 refers to the virtualHosts attrset
key which can be any string. The servername is the actual primary
hostname used for the certificate.
This fixes use cases like:
services.nginx.virualHosts.foobar.serverName = "my.fqdn.org";
This is a feature supported out of the box by upstream and allows the
incusd service to be restarted without impacting running
instances. While this does give up a bit of reproducibility, qemu and
lxc for example, there are clear benefits in allowing the host to
apply updates without impacting instances.
Modeled after the zabbly implementation: 2a67c3e260/systemd/incus-startup.service
This will now be the default.
In accordance to the upstream release cycle, we now provide 2 flavours
of the percona mysql ecosystem. The default is the LTS variant,
additionally there is now the floating `percona-server_innovation`
always pointing to the most recent regular release.
- mentioned in release notes
- adapted all depending tests and tools (xtrabackup)
This release belongs to the "innovation" release track of Percona,
making it likely to diverge over time from the LTS release. Hence I just
created a separate packaging expression for this.
Motivation: Allow the sshd package to be built differently to the ssh
package (programs.ssh.package). For example, build sshd(1) without
openssl, but built ssh(1) with OpenSSL support.
Set the default to be programs.ssh.package, to preserve compatibility.
https://github.com/kanidm/kanidm/releases/tag/v1.2.0
Added updatescript, and removed Cargo.lock as no more git deps.
New release process documented here:
a67d1f5160/book/src/support.md
Re-ordered test and removed anonymous login as logout no longer works:
[info]: Ignoring request to logout session - these sessions are not recorded
Notes:
- barf went into contrib/ and officially unsupported.
- verify was removed entirely.
- the makefile is a bit smarter now and doesn't require many
of the previous workarounds.
