The description for options.nixpkgs.system already hints at this:
Neither ${opt.system} nor any other option in nixpkgs.* is meant
to be read by modules and configurations.
Use pkgs.stdenv.hostPlatform instead.
We can support this goal by not elaborating the systems anymore, forcing
users to go via pkgs.stdenv.
This will prevent problems when making the top-level package sets
composable in the next commit. For this to work, you should pass a fully
elaborated system to nixpkgs' localSystem or crossSystem options.
We need to do the virtio link setup prior to `network.target`, since
systemd-networkd orders itself before `network.target`. So in order for
the bond to properly enslave the two virtio links, they should be
configured as a part of `network-pre.target`.
Version 257.1 of systemd changed[1] the PrivateTmp setting for the
systemd-timesyncd service from "yes" to "disconnected", which broke our
systemd-timesyncd test.
The reason for this is because the systemd-tmpfiles-setup.service is
*only*[2] added as a dependency of systemd-timesyncd.service if
PrivateTmp is set to "yes" but not when it is set to "disconnected"
(which would make sense given that the tmpfiles.d mechanism was
originally designed for temporary files).
Commit 339a866b7c switched the activation
script to using systemd-tmpfiles, but the commit in question doesn't
provide an explanation why this was necessary in this particular case.
However the pull request[3] lists an ongoing effort to get rid of Perl
and in the future get also rid of BASH for activation. The reasons for
doing this are outlined in the document[4]:
> The simple presence of interpreters on a system pose a security risk.
> An attacker that gains access to a system can abuse them to execute
> arbitrary commands. Mitre lists this as technique T1059. The most
> radical yet simple solution to mitigate this exploit is to remove all
> interpreters from a system (Mitre M1042). This radical solution is
> only really feasible and/or interesting for appliances (i.e.
> non-interactive) systems. Especially for high-security solutions this
> mitigation is interesting.
I personally don't think this is a very compelling reason, at least for
our activation scripts, since an attacker could simply drop an
executable binary. Nevertheless, getting rid of additional dependencies
on e.g. Perl or BASH is something worth pursuing to trim down moving
parts.
To address this, I decided to implement this as a normal systemd service
unit, since we need to guarantee that it's started before
systemd-timesyncd.service and with a dedicated unit we can ensure
explicit ordering. This has the advantage that we don't interfere with
the effort of getting rid of Perl/BASH for activation/boot and also
don't risk running into race conditions (again) because it's very
unlikely that systemd will change/deprecate explicit unit ordering in
the near future.
[1]: 1f6e192848
[2]: 30675a6ee9/src/core/unit.c (L1274)
[3]: https://github.com/NixOS/nixpkgs/pull/263203
[4]: https://pad.lassul.us/nixos-perlless-activation
Signed-off-by: aszlig <aszlig@nix.build>
Fixes this eval warning:
evaluation warning: The option `services.hound.config' defined in `makeTest parameters' has been changed to `services.hound.settings' that has a different type. Please read `services.hound.settings' documentation and update your configuration accordingly.
This allows for instance to reject switching into a configuration, while
still allowing to reboot into that same configuration.
This can be useful for instance to reject switching to a configuration
with a new systemd major version, but setting that same configuration as
the new boot default with `switch-to-configuration boot` is fine.
Now that we are disabling telemetry by default, we should attempt to
override it and other options in existing mutable configs,
if the user had a mutable config and advances their system.stateVersion.
We should disable telemetry but enable security update checks. Make both
controllable in the module without digging into settings.
Disabling telemetry also makes NixOS tests faster because the server
tries to send telemetry on first start.
Every postgresql testcase essentially does the following things:
* Filter `postgresqlVersions` for server packages
* Filter postgresql server packages for suitable ones (i.e. extensions
must support the given version)
* Generate an attribute-set of testcases
The first item became necessary in
7ab1e88833 given that
`postgresql/default.nix` now exposes JIT and non-JIT servers AND a
`libpq` that is not suitable for the tests here.
This change restructures this a little bit, i.e.:
* Having an attribute-set that contains a bunch of postgresql servers
and a single client package seems odd (and the sole consumer of
`postgresqlVersions` in nixpkgs, the test suite, has to take that into
account). Hence, postgresql's default.nix now provides `libpq` (the client)
and a `postgresqlVersions` attribute with all supported JIT and non-JIT
variants of postgresql.
* Each test-case gets a third argument, a function called `genTests`:
this function sets `recurseForDerivations = true;` and generates an
attribute-set of tests for each postgresql version given a function
that returns a testcase or multiple test-cases (`makeTestFor`). The
argument to `makeTestFor` is a postgresql server package.
This function also accepts a filter predicate that is passed against
`filterAttrs` to remove postgresql server packages that are not
suitable for the test (e.g. because the version isn't supported by the
extension to test).
I checked by making sure that the `.drv` doesn't change on staging with
this change on top for postgresql, postgresql-jit,
postgresql-wal-receiver, postgresql-tls-client-cert, anonymizer, pgjwt,
pgvecto-rs, timescaledb, tsja and wal2json.
While it is possible to globally enable or disable security wrappers, it
isn't possible to disable only a subset of them. Consequently, users
will have to overwrite the security wrappers completely and re-add the
desired subset in case they want to disable a subset of those set up by
the NixOS modules.
Address this usecase by adding a new per-wrapper enable option.
The `autoDeployCharts` option further improves the auto deploying
capabilities of the k3s module by allowing to deploy and configure Helm charts
that are then installed via the k3s Helm controller. Although this was
also previously possible by using auto deploying manifests, it required
some knowledge of the k3s Helm controller and led to a lot of
boilerplate code.
A couple of improvements:
1. Avoid the generally discouraged apply argument to options, as it has
quite weird semantics
2. Avoid issues when a user calls a preSwitchCheck `script`, which
would've been silently overridden by the existing implementation.
Reliance on a special attribute name like that is bound to lead to a
very-hard-to-debug problem for someone at some point
3. Use writeShellApplication so that the preSwitchChecks are checked by
shellcheck and so that they run with basic bash guardrails
4. Fix shellcheck issue (testing the value of $?)
5. Add a positive preSwitchCheck to the nixos test, to make sure that
that works as intended
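As an added illustration of two points on this page, the earlier note about rejecting a live switch into a configuration with a new systemd major version while still allowing `switch-to-configuration boot`, and the items in this list about shellcheck cleanliness and testing a command's status directly instead of inspecting `$?`, here is a pre-switch check written as a small POSIX shell script. This is example code, not code from any of the nixpkgs commits quoted here; the argument convention (new toplevel as `$1`, action as `$2`) and the `$1/systemd/bin/systemctl` path are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not code from the nixpkgs commits quoted on this page.
# A pre-switch check that lets "boot" (only set the new generation as the
# boot default) proceed, but rejects "switch"/"test" when the systemd major
# version would change, so the running systemd is never live-switched across
# a major release.
# ASSUMPTION: the check is invoked with the new toplevel as $1 and the
# switch-to-configuration action as $2; the page does not state a convention.
set -eu

# Extract the major version from the first line of `systemctl --version`,
# which looks like "systemd 257 (257.1)". Prints the major ("257").
major_from_systemctl() {
  v="${1#systemd }"        # "257 (257.1)"
  printf '%s\n' "${v%% *}" # "257"
}

# Major version of a dotted version string such as "257.1" or "256.4-2".
major_of() {
  printf '%s\n' "${1%%.*}"
}

# Exit status 0 when the action may proceed, 1 when it must be rejected.
# The status of the comparison is tested directly in the if/case, which is
# the shellcheck-clean alternative to checking $? afterwards.
check_switch() {
  action="$1"; running_major="$2"; new_major="$3"
  case "$action" in
    boot)
      # A new boot default is fine; the new systemd only starts after reboot.
      return 0 ;;
    switch|test)
      if [ "$running_major" = "$new_major" ]; then
        return 0
      fi
      echo "pre-switch check: refusing '$action' because the systemd major" \
           "changes ($running_major -> $new_major); use 'switch-to-configuration boot'" >&2
      return 1 ;;
    *)
      # Unknown or dry-run actions are not the concern of this check.
      return 0 ;;
  esac
}

# When run as the real check (toplevel and action supplied), compare the
# running systemd with the one shipped in the new toplevel.
# ASSUMPTION: the new toplevel exposes its systemd package at "$1/systemd".
if [ "$#" -ge 2 ]; then
  running="$(major_from_systemctl "$(systemctl --version | head -n 1)")"
  new="$(major_from_systemctl "$("$1/systemd/bin/systemctl" --version | head -n 1)")"
  check_switch "$2" "$running" "$new"
fi
```

With `set -eu` at the top the script stops on any unhandled failure or unset variable, which is the same kind of guardrail `writeShellApplication` provides; a non-zero exit from `check_switch` is what makes switch-to-configuration refuse the action.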
Previously in https://github.com/NixOS/nixpkgs/pull/308740
`BindReadOnlyPaths=` was fixed, but remained mounting non-existing Git repositories:
vm-test-run-public-inbox> machine # [ 19.503051] (ox-httpd)[1489]:
public-inbox-httpd.service: Failed to set up mount namespacing:
/var/lib/gitolite/repositories/user/repo1.git: No such file or directory
This patch changes the implementation of the subtests to
check for redis' cache being non empty to only run redis-cli
and jq in a shell and assert the returned length in python.
This fixes jq "len" simply not compiling and makes sure
regressions get noticed.
This patch adds a subtest and corresponding configuration to
with-declarative-redis-and-secrets to test for nextcloud notify_push
to be working, just as in with-postgresql-and-redis.
As notify_push needs to connect to the database, including it
in this test checks that it can read the dbpassFile properly.
Based on #198040. Prioritizes backwards compatibility, including
database and plugin compatibility, while adding more sensible
defaults like database peer authentication.
Expand the scope of tests to include plugins (including building
from source) and testing that a piece of media uploads and downloads
to make sure the storage directory doesn't vanish.
We originally used a systemd preStart command to provision the DB. We
recently extracted this to a proper systemd unit (to go around the
timeout issue). This created a race condition in the VM test.
Restarting explicitly the db provision unit to make sure the
migrations are applied.
Test build and services start, but libeufin-bank fails when trying to
access the database to change the admin's password.
We need to execute the command as the libeufin-bank user.
tests/taler: add master private key
tests/taler: rewrite `register_bank_account` to Nix
tests/taler: rename libeufin node to bank
tests/taler: use xtaler wire_type instead of iban
tests/taler: remove redundant data from conf files
tests/taler: enable exchange account
tests/taler: remove unused talerConfig
tests/taler: add client node and attempt a withdrawal
tests/taler: systemd_run optional user and group args
tests/taler: refactor and make a withdrawal
tests/taler: refactor tasks into subtests
tests/taler: properly read and test balance
tests/taler: refactor commands and add comments
nixos/taler: rename private key
tests/taler: enable nexus service in bank node
tests/taler: nexus fake incoming payment test
tests/taler: use correct path for nexus client keys
tests/taler: add merchant node
tests/taler: merchant register instance
tests/taler: init pay for order merchant
tests/taler: fix payto uri
tests/taler: withdraw smaller amount
This makes the test faster
tests/taler: verify balance
tests/nixos: debugging merchant payment, cleanup
tests/taler: fix libeufin command, use curl to register accounts
tests/taler: add basic online test
tests/taler: move nodes into separate directory
tests/taler: fix insufficient balance error
Turns out that the exchange wire fees need to be set up (even if they're
0) in order for the CLI wallet to deposit coins into the merchant's bank
account.
tests/taler: improve node importing, port forwarding
tests/taler: import scripts from a separate file
tests/taler: move tests into a sub-directory
tests/taler: manually start services, cleanup
This results in less overhead and conflict since components will not try
to prematurely connect to the ones that haven't finished their set up.
tests/taler: remove online test
This was used to debug the insufficient balance problem, but it's not
really that useful by itself.
tests/taler: add nexus keys
tests/taler: use bank initialAccounts option
taler/tests: use initialAccount
tests/taler: make nexus work
tests/taler: don't run nexus test if there is no internet
tests/taler: use openFirewall, remove manual package install
fix(test): evaluation errors
fix(test): create nexus role by enabling createLocalDatabase
Paperless includes a document exporter that can be used for e.g.
backups.
This change extends the module to provide a way to enable and configure
a timer, export settings, pre- and post-processing
scripts (e.g. to ship the backup somewhere else, clean up, ...).
It works out of the box when just enabling it but can be customized.
Includes suitable tests.
I recently learned about the way individuals from the Gitea community
(and company apparently) treat the Forgejo people. Personally, I think
this is entirely inappropriate. I hereby retract my maintainership
since I don't want to support this project with packaging work any
longer.
Luckily, there's a viable alternative available.
[1] https://codeberg.org/forgejo/discussions/issues/251
All tests continue to pass except for `nixosTests.lvm2.lvm-raid-sd-stage-1-linux-5_15` which continues to fail due to not having a kernel with the appropriate options configured.
Merge conflict in `pkgs/by-name/en/envision/package.nix` between efb2d2b815fe9f7d12f4aab42c83e759db5ec716 (staging) and b9d59c4515ea7cd4595d342c9d87877b544e6dbd+de7a60960219b303cc44ad446f9e7ddaf23b9944 (staging-next).
* ghostty: add nixos test
* ghostty: add nixosTests.allTerminfo to passthru.tests
* ghostty: factor out dependencies
This is meant to make cross platform support a bit easier. The options
are kept private as they aren't meant to be touched by end users
* ghostty: add optimizationLevel option
* ghostty: cleanup outputs
* ghostty: fix x11 backend
Forcing linkage isn't enough for Zig's `dlopen()` call. Let's just point
it towards the exact path instead
* ghostty: add darwin to meta.platforms
With the release of 2.3.0-rc, we know that 2.3.0 will be coming sometime
soon. Per the [ZFS release policy][1], only the current and previous
releases are expected to be supported, so 2.1.x will become unsupported.
Unfortunately upstream does not have any specific timelines, so we do
not know when it will become unsupported, but when it does we will
likely backport the removal. As such, begin warning of imminent removal.
[1]: 6187b19434/RELEASES.md
This fixes "frequency file /var/lib/ntp/ntp.drift.TEMP: Permission denied".
Creating a directory via StateDirectory makes that directory /var/lib/ntp owned by root:root.
However, when running ntpd we change to user ntp (see ntpFlags), so the process cannot
actually use that directory.
Actually creating a home directory for the user at that location solves that problem.
It was kinda weird to assert that the clear-text password was
in the unit when the hashed password was the effective one.
This change makes it explicit that both are in there and the latter
takes precedence.
I haven't been doing much maintenance in the last couple of years
really, so this is long overdue. I still run NixOS on all my computers
and greatly appreciate the time that the *real* maintainers put into it.
❤️
I'm hoping to be able to contribute again at some point down the line.
The grow-partition test uses a bootloader installed on the disk image
resulting from `make-disk-image.nix`, which requires that the nixos
config is "switchable".
The `/usr` entry in `fileSystems` is superfluous and currently
interferes with the systemd generator. Dropping the `fileSystem` entry
requires making the appropriate module explicitly available in initrd.
- change text in `wait_for_console_text` to prevent sending curl with
pairing response before moonlight can accept it
- remove "close moonlight" step as next window stays on top in
fullscreen, previous window with pairing result does not interfere
with test. Otherwise it needs OCR or some other way to only do
`send_key("kp_enter")` after "Pairing complete" window is visible.
- add different ways to increase chances of successful OCR: hide icewm
panel, gxmessage window takes full screen without titlebar or buttons,
black background, white foreground, consolas font, "ABC" text
- add `wait_for_console_text` to only run OCR after window is visible
- nixfmt on apparmor test
- move apparmor test to nixos/tests/apparmor directory
- expected profile contents are now generated in its own file to make the test file less confusing and hard to maintain
- enforce/complain is now being tested via diff of expected against aa-status
- path is now tested against diff+file checking symlink target of /etc/static/apparmor.d/<name>
- profile is now checked by diff of /etc/static/apparmor.d/<name> against original string added in nix config
- test still successfully passes
- added test for confined hello to succeed
- added test for confined hexdump on denied path to fail
This commit adds two new tests to show that the ordering of password
overrides documentation in nixos/modules/config/user-groups.nix is
correct. The override behavior differs depending on whether a system
has systemd-sysusers enabled, so there are two tests.
It broke somewhere between NixOS 24.05 and 24.11 due to flask-session
being upgraded. It now requires an explicit value and an empty string
will no longer do.
cachelib's SimpleCache was chosen as it doesn't require any other
configuration, and keeps previous behaviour.