Commit Graph

8215 Commits

Author SHA1 Message Date
Patrick
05b36f060d
nixosTests.your_spotify: init 2024-05-13 22:12:17 +02:00
Yongun Seong
7715ce37e7 nixosTests.fcitx5: make test less flaky 2024-05-13 19:06:22 +02:00
Cosima Neidahl
068c0e3c95
Merge pull request #303745 from quantenzitrone/ydotool
ydotool: refactor ; nixos/ydotool: init module & nixosTest
2024-05-13 15:49:49 +02:00
Florian Klink
2a2f796888
Merge pull request #308801 from jmbaur/switch-to-configuration-rs
nixos/switch-to-configuration: add new implementation
2024-05-13 15:39:09 +02:00
Christina Rust
31a5a35b7e
Merge pull request #305286 from cafkafk/devpi-server-init
nixos/devpi-server: init
2024-05-13 13:14:51 +02:00
Quantenzitrone
483392f209
nixosTests.ydotool: init
Co-authored-by: Cosima Neidahl <opna2608@protonmail.com>
2024-05-13 12:22:06 +02:00
Christina Sørensen
52e0ad744d
nixos/devpi-server: init
Signed-off-by: Christina Sørensen <christina@cafkafk.com>
2024-05-13 12:14:44 +02:00
Florian Klink
aff6a121a3
Merge pull request #311039 from DavHau/pr_smokeping
nixos/smokeping: use nginx instead of thttpd
2024-05-13 01:11:59 +02:00
aszlig
0a9cecc35a
nixos/systemd-confinement: Make / read-only
Our more thorough parametrised tests uncovered that with the changes for
supporting DynamicUser, we now have the situation that for static users
the root directory within the confined environment is now writable for
the user in question.

This is obviously not what we want and I'd consider that a regression.
However while discussing this with @ju1m and my suggestion being to
set TemporaryFileSystem to "/" (as we had previously), they had an even
better idea[1]:

> The goal is to deny write access to / to non-root users,
>
>   * TemporaryFileSystem=/ gives us that through the ownership of / by
>     root (instead of the service's user inherited from
>     RuntimeDirectory=).
>   * ProtectSystem=strict gives us that by mounting / read-only (while
>     keeping its ownership to the service's user).
>
> To avoid the incompatibilities of TemporaryFileSystem=/ mentioned
> above, I suggest to mount / read-only in all cases with
> ReadOnlyPaths = [ "+/" ]:
>
>   ...
>
> I guess this would require at least two changes to the current tests:
>
>   1. to no longer expect root to be able to write to some paths (like
>      /bin) (at least not without first remounting / in read-write
>      mode).
>   2. to no longer expect non-root users to fail to write to certain
>      paths with a "permission denied" error code, but with a
>      "read-only file system" error code.

I like the solution with ReadOnlyPaths even more because it further
reduces the attack surface if the user is root. In chroot-only mode this
is especially useful, since if there are no other bind-mounted paths
involved in the unit configuration, the whole file system within the
confined environment is read-only.

[1]: https://github.com/NixOS/nixpkgs/pull/289593#discussion_r1586794215

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:40 +02:00
aszlig
27f36b5e57
nixos/tests/confinement: Parametrise subtests
This is to make sure that we test all of the DynamicUser/User/Group and
PrivateTmp options in a uniform way. The reason why we need to do this
is because we recently introduced support for the DynamicUser option and
since there are some corner cases where we might end up with more
elevated privileges (eg. writable directories in some cases), we want to
make sure that the environment is as restrictive as with a static
User/Group assignment.

I also removed various checks that try to os.chown(), since with our new
recursive checker those are redundant.

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:38 +02:00
aszlig
51d3f3475c
nixos/tests/confinement: Run test probes in Python
So far the architecture for the tests was that we would use a systemd
socket unit using the Accept option to start a small shell process where
we can pipe commands into by connecting to the socket created by the
socket unit.

This is unnecessary since we can directly use the code snippets from the
individual subtests and systemd will take care of checking the return
code in case we get any assertions[^1].

Another advantage of this is that tests now run in parallel, so we can
do rather expensive things such as looking in /nix to see whether
anything is writable.

The new assert_permissions() function is the main driver behind this and
allows for a more fine-grained way to check whether we got the right
permissions whilst also ignoring irrelevant things such as read-only
empty directories.

Our previous approach also just did a read-only check, which might be
fine in full-apivfs mode where the attack surface already is large, but
in chroot-only mode we really want to make sure nothing is every
writable.

A downside of the new approach is that currently the unit names are
numbered via lib.imap1, which makes it annoying to track its definition.

[^1]: Speaking of assertions, I wrapped the code to be run with pytest's
      assertion rewriting, so that we get more useful AssertionErrors.

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:36 +02:00
aszlig
f7d026b431
nixos/tests/confinement: Move to dedicated dir
When experimenting on ways how to refactor the test, I wrote a
significant enough amount of Python to warrant a dedicated Python file.

This commit is mainly to prepare for that and make it easier to track
renames.

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:34 +02:00
aszlig
ba31b3753e
nixos/tests/confinement: Re-add description attr
The reason why I originally used the "description" attribute was that it
can be easily used to parametrise the tests so that we can specify
common constraints and apply it across a number of different
configurations.

When porting the tests to Python, the description attribute was replaced
by inlining it into the Python code, most probably because it was easier
to do in bulk since using Nix to generate the subtest parts would be
very complicated to do since we also had to please Black (a Python code
formatter that we no longer use in test scripts).

Since we now also want to support DynamicUser in systemd-confinement,
the need to parametrise the tests became apparent again because it's now
easier to refactor our subtests to run both with *and* without
DynamicUser set to true.

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:32 +02:00
Julien Moutinho
0a5542c766
nixos/systemd-confinement: support ProtectSystem=/DynamicUser=
See https://discourse.nixos.org/t/hardening-systemd-services/17147/14
2024-05-13 00:40:25 +02:00
Jade Lovelace
3fd324f823 nixos: remove historical maintainership of modules by eelco
Eelco has made several early contributions to NixOS including writing
the samba module among other things, but is more or less inactive these
days.

By my brief inspection, he has not committed to the nixos/ tree since
releasing Nix 2.13 in early 2023 and merging a PR to networking tests
slightly before that. A lot of these tests/modules are actually
unmaintained in practice, so we should update the code to reflect the
practical reality so someone can consider picking them up.
2024-05-12 12:48:57 -07:00
Andreas Rammhold
d157db3480
Merge pull request #307051 from hax404/modules/tayga/mappings
nixos/tayga: add mappings option
2024-05-12 21:16:26 +02:00
Martin Weinelt
6ce8bb794d
Merge pull request #311085 from mweinelt/knot-test-xfr
nixos/tests/knot: wait for successful zone transfers
2024-05-12 21:01:40 +02:00
Raito Bezarius
b35ccb7fda nixos/tests/misc: call the tester test to be callTest-ed
Otherwise, this will destroy the release machinery to collect all the
systems.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-05-12 18:15:52 +02:00
Martin Weinelt
c1b293ca0c
nixos/tests/knot: wait for successful zone transfers
Depending on the startup order of the two machines it might take a few
moments to get both zones transfered, which can lead to SERVFAIL
responses on busy machines.
2024-05-12 16:40:23 +02:00
Ryan Lahfa
df0bced725
Merge pull request #310194 from RaitoBezarius/lix
lix: init at 2.90-beta.1
2024-05-12 16:28:36 +02:00
DavHau
0b6c484848 nixos/smokeping: use nginx instead of thttpd
Motivation:
fixes #265953

Changes:
- deprecate `services.smokeping.port` in favor of the niginx native option
- mention in release notes
2024-05-12 13:31:11 +02:00
Pol Dellaiera
aff1950a3f
nixos/private-gpt: init 2024-05-11 22:42:04 +02:00
Raito Bezarius
81854ca604 nixos/tests/misc: rework and take ownership
`nixosTests.misc` is an interesting smoketest as a last (cheap) line of
defense against Nix regressions.

We rework it to accept any arbitrary package manager for Lix.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-05-11 21:33:25 +02:00
Jared Baur
32bf051ba4
nixos/switch-to-configuration: add new implementation
This adds an implementation of switch-to-configuration that allows for
closer interaction with the lifecycle of systemd units by using DBus
APIs directly instead of using systemctl. It is disabled by default, but
can be enabled by specifying `{ system.switch = { enable = false; enableNg = true; }; }`.
2024-05-10 16:33:06 -07:00
superherointj
602a9cec5b
Merge pull request #309904 from superherointj/k3s-format-rfc
k3s: enforce rfc 0166 format
2024-05-10 20:25:35 -03:00
Martin Weinelt
e21dccc5a1
Merge pull request #310645 from gepbird/fix-firefox-test
nixosTests.firefox-{beta,devedition,esr,esr-115}: unbreak
2024-05-11 00:07:56 +02:00
superherointj
6cfcd3c754 k3s: format with nixfmt-rfc-style 2024-05-10 18:55:54 -03:00
Gutyina Gergő
e1d179e36e
nixosTests.firefox-{beta,devedition,esr,esr-115}: unbreak 2024-05-10 19:28:41 +02:00
Adam C. Stephens
6878d98e5c
Merge pull request #310341 from adamcstephens/incus/6.1.0
incus: 6.0.0 -> 6.1.0, enable non-LTS testing
2024-05-10 10:17:20 -04:00
Martin Weinelt
7da17ece76
Merge pull request #310366 from mweinelt/pretix-pretalx-homemode
pretix, pretalx: fixes, hardening
2024-05-10 14:50:24 +02:00
Franz Pletz
fb382c2628
Merge pull request #310452 from fpletz/nginx-acme-servername
nixos/nginx: fix reference to acme cert hostname
2024-05-10 14:04:24 +02:00
Franz Pletz
04f0aed442
Merge pull request #267880 from Izorkin/update-nixos-tests-logrotate 2024-05-10 02:06:59 +02:00
Franz Pletz
b7d060d10d
nixos/nginx: fix reference to acme cert hostname
The change introduced in #308303 refers to the virtualHosts attrset
key which can be any string. The servername is the actual primary
hostname used for the certificate.

This fixes use cases like:

    services.nginx.virualHosts.foobar.serverName = "my.fqdn.org";
2024-05-10 01:36:34 +02:00
Martin Weinelt
e2ccc754ac
nixos/tests/pretalx: test cli wrapper and print systemd unit security 2024-05-09 18:20:13 +02:00
Adam Stephens
e58c57a868
nixos/tests/incus: enable testing both LTS and non-LTS 2024-05-09 10:03:07 -04:00
Adam C. Stephens
215dd64e07
Merge pull request #307039 from adamcstephens/nixos-unstable
nixos/incus: add support for soft daemon restarts
2024-05-09 09:59:37 -04:00
Adam Stephens
7d5b333dcd
nixos/incus: add support for soft daemon restart
This is a feature supported out of the box by upstream and allows the
incusd service to be restarted without impacting running
instances. While this does give up a bit of reproducibility, qemu and
lxc for example, there are clear benefits in allowing the host to
apply updates without impacting instances.

Modeled after the zabbly implementation: 2a67c3e260/systemd/incus-startup.service

This will now be the default.
2024-05-09 09:01:12 -04:00
Peder Bergebakken Sundt
9873938432
Merge pull request #302814 from paumr/auto-update/archi
archi: 5.2.0 -> 5.3.0
2024-05-08 13:07:09 +02:00
superherointj
dd7c32ab3e
Merge pull request #309099 from rorosen/package-k3s-kilall
k3s: package k3s-killall script
2024-05-07 11:02:03 -03:00
Robert Rose
2b0b15ec94 k3s: package k3s-killall script
Provide the k3s-killall.sh script for orderly shutdown of k3s.
2024-05-07 11:53:15 +02:00
Pol Dellaiera
52b35c5833
Merge pull request #309534 from getchoo/nixos/fish/package-option
nixos/fish: add `package` option
2024-05-07 08:56:13 +02:00
seth
f959fd3fff
nixos/fish: disable logrotate service in module test
headstart on https://github.com/NixOS/nixpkgs/pull/267880
2024-05-07 00:37:47 -04:00
paumr
8027f83d32 archi: removed OCR welcome check 2024-05-07 01:56:25 +02:00
Adam C. Stephens
f9ae6eb427
Merge pull request #309363 from adamcstephens/patroni/3.3.0
patroni: 2.1.3 -> 3.3.0
2024-05-06 09:49:12 -04:00
Izorkin
772ae48e69
nixos/tests: disable logrotate service by default in tests 2024-05-06 14:53:38 +03:00
Adam Stephens
3d20a75e9a
patroni: 2.1.3 -> 3.3.0
https://github.com/zalando/patroni/blob/v3.3.0/docs/releases.rst#version-330
2024-05-05 16:37:18 -04:00
Georg Haas
e83b8cfd43
nixos/tayga: add mappings option 2024-05-05 21:10:51 +02:00
Even Brenden
9fa89d0e2c nixos/jotta-cli: move to services.jotta-cli 2024-05-05 19:30:16 +02:00
Thomas Gerbet
8528f32728
varnish75: init at 7.5.0 (#308604)
Changes: https://varnish-cache.org/docs/7.5/whats-new/changes-7.5.html
2024-05-03 19:03:01 +00:00
github-actions[bot]
31135daf48
Merge master into staging-next 2024-05-02 18:01:05 +00:00