Commit Graph

8326 Commits

Author SHA1 Message Date
OPNA2608
1f6ba2e3c8 ayatana-indicator-sound: init at 24.4.0
(cherry picked from commit a7440c7873)
2024-05-23 18:11:33 +00:00
Jonas Heinrich
d4b0f03904 nixos/tests/stalwart-mail: Add test for server version >= 0.7
(cherry picked from commit 4c626c52b7)
2024-05-23 11:55:05 +00:00
nhnn
3d47565193
nixos/filesender: init module 2024-05-22 08:37:48 +03:00
Weijia Wang
d8c7ea7586
Merge pull request #313382 from Moraxyc/fix-step-ca-test
nixosTests.step-ca: fix journal error
2024-05-22 00:39:10 +02:00
Weijia Wang
536826e05d
Merge pull request #313298 from Moraxyc/fix-tigervnc-test
nixosTests.tigervnc: fix test
2024-05-22 00:36:55 +02:00
Yt
15c7efd37c
Merge pull request #313020 from jpds/nixos-test-vector-api+clickhouse
nixos/vector: Tests for API/Clickhouse
2024-05-21 21:25:31 +00:00
Fabián Heredia Montiel
13003e44c5
Merge pull request #313236 from NixOS/update-hardened
Linux hardened kernels for 2024-05-20
2024-05-21 14:34:49 -06:00
Jonathan Davies
af4a391424
nixos/vector: Added DNSTAP testcase 2024-05-21 19:31:10 +01:00
Jonathan Davies
8dc825ca36
nixos/vector: Added nginx→clickhouse test case 2024-05-21 19:14:55 +01:00
Jonathan Davies
1b27c58827
nixos/vector: Added testcase for verifying API endpoint 2024-05-21 19:14:52 +01:00
Jonathan Davies
87cb265588
nixos/vector: Moved existing test to subdirectory 2024-05-21 18:41:00 +01:00
Sandro
b4bf5efd73
Merge pull request #305092 from OPNA2608/init/lomiri/ayatana-indicator-power 2024-05-21 16:01:47 +02:00
Moraxyc
212d236936
nixosTests.step-ca: fix journal error 2024-05-21 20:21:26 +08:00
Alexander Bantyev
047433f472
Merge pull request #313243 from AleXoundOS/castopod
nixosTests.castopod: fix timeout
2024-05-21 14:55:43 +04:00
Bjørn Forsman
1f82020865 nixos/tests/keepalived: use openFirewall option
Instead of networking.firewall.extraCommands.
2024-05-21 08:35:46 +02:00
Moraxyc
1de961a89c
nixosTests.tigervnc: fix test 2024-05-21 13:16:56 +08:00
OPNA2608
98c84e67e4 nixos/lomiri: Add power indicator 2024-05-21 00:10:42 +02:00
OPNA2608
6539b60f0b ayatana-indicator-power: init at 24.1.0 2024-05-21 00:10:42 +02:00
Fabián Heredia Montiel
79081fda5e linux/hardened/patches/6.9: init at 6.9.1-hardened1
- ACPI_CUSTOM_METHOD: dropped in 0cc46f1a52b4220ec11d98a01575909ca820a7b4
- UBSAN_SANITIZE_ALL: dropped in 918327e9b7ffb45321cbb4b9b86b58ec555fe6b3
2024-05-20 15:13:13 -06:00
Alexander Tomokhov
992735db22 nixosTests.castopod: fix mp3 generation
Fix `--cbr` encoding mode.
2024-05-21 00:29:56 +04:00
Alexander Tomokhov
dddad8555c nixosTests.castopod: fix timeout
Increase HTTP request timeout in selenium.
2024-05-21 00:28:29 +04:00
Cosima Neidahl
bd9b1718a9
Merge pull request #311428 from OPNA2608/fix/lomiri-tests-ydotool
nixos/tests/lomiri: Use ydotool for mouse control
2024-05-19 20:57:25 +02:00
Sandro
52f4cce004
Merge pull request #308423 from Moraxyc/add-artalk
artalk: init at 2.8.6
2024-05-19 18:06:08 +02:00
Sandro
5497cebc92
Merge pull request #304257 from Raroh73/add/commafeed
commafeed: init at 4.3.3
2024-05-19 17:44:06 +02:00
Aleksana
f1f4eb1e36
Merge pull request #312626 from jpds/step-ldflags-version
step-ca: Set version in ldflags so this is correctly displayed in startup
2024-05-19 22:12:11 +08:00
Pol Dellaiera
006641f290
Merge pull request #312623 from jpds/nixos-test-step-caddy
nixos/step-ca: Added Caddy example to integration tests
2024-05-19 10:55:17 +02:00
Marcus Ramberg
b7d845292c
Merge pull request #308813 from anthonyroussel/update-nagios
nagios: 4.5.1 -> 4.5.2
2024-05-19 00:03:53 +01:00
Pol Dellaiera
aa5d9c30f8
Merge pull request #309236 from ElvishJerricco/sd-s1-fix-xfs-fsck
nixos/systemd-stage-1: Fix fsck.xfs needing bash's sh symlink
2024-05-18 23:57:04 +02:00
Jonathan Davies
52743c88f5
nixos/step-ca: Added test case for finding package version in journald logs 2024-05-18 22:24:04 +01:00
Sandro
c21d10ba30
Merge pull request #263375 from lorenzleutgeb/benchexec
benchexec: init at 3.21
2024-05-18 15:52:30 +02:00
Jonathan Davies
d01d430342
nixos/step-ca: Added Caddy example to integration tests. 2024-05-18 10:43:23 +01:00
Lorenz Leutgeb
88d736df69 nixos/benchexec: init 2024-05-17 21:24:05 +02:00
Moraxyc
da28a5ff2a
nixos/artalk: init module 2024-05-18 02:15:33 +08:00
OPNA2608
9c5ceeb61e nixos/tests/lomiri: Use ydotool for mouse control
Certain elements are not reachable via the keyboard, and some keyboard-centric methods for testing elements have flaky downsides.
2024-05-17 19:52:56 +02:00
Wanja Hentze
62bfa65656 linux/hardened/patches/6.8: init at 6.8.9-hardened1 2024-05-17 18:09:01 +02:00
Jade Lovelace
007f0f90aa
Merge pull request #311574 from lf-/jade/fix-nixos-installtest-nixos-option
nixosTests.installer: test nixos-option anew
2024-05-16 10:00:23 -07:00
Maximilian Bosch
d5f39744c8
Merge pull request #309953 from flyingcircusio/PL-132430-percona-innovation
percona: restructure releases according to upstream release policy
2024-05-16 16:35:08 +00:00
Fabian Möller
da68f358bc
treewide: Remove usage of pkgs.{system,hostPlatform} aliases
These aliases should not be used inside nixpkgs and are only there for backward
compatibility.
2024-05-16 11:48:32 +02:00
Franz Pletz
389408695e
Merge pull request #311479 from fpletz/nixos-test/mediamtx-sleep
nixos/tests/mediamtx: make more robust, reformat
2024-05-16 07:57:51 +02:00
Yt
c8a9664fac
Merge pull request #311790 from jpds/vector-test-metrics
nixos/vector: Added Prometheus exporter integration to tests
2024-05-15 23:21:48 +00:00
Martin Weinelt
10955966a5
Merge pull request #311916 from wegank/pretalx-plugins-init
pretalx: add a few plugins
2024-05-15 21:41:03 +02:00
Pol Dellaiera
4275fc290a
Merge pull request #293817 from PatrickDaG/your_spotify
nixos/your_spotify: init at 1.10.1
2024-05-15 16:45:23 +02:00
Martin Weinelt
29fd61c784
nixos/tests/pretalx: test pages plugin install 2024-05-15 16:27:25 +02:00
Jonas Heinrich
b3fcfcfabd
Merge pull request #311766 from pacien/stalwart-0-6-0-module-fixes
nixos/stalwart-mail: module and test fixes for v0.6.0
2024-05-15 14:04:30 +02:00
Jonathan Davies
c97e5f8d17
nixos/vector: Added Prometheus exporter/Vector logs integration to tests. 2024-05-15 12:10:26 +01:00
Florian Klink
ea6604c03a nixosTests.garage: migrate replicationMode to string
Do the same config change steps the assertion asks users to.
2024-05-15 11:50:11 +02:00
teutat3s
948c550669
nixosTests.garage: run test for garage_1_x
Add reminder comment to add new versions to tests
2024-05-15 11:09:41 +02:00
Weijia Wang
88b7d613f5
Merge pull request #311689 from teutat3s/zhf/virtualbox-tests
nixosTests.virtualbox: fix tests, remove minimal profile
2024-05-15 10:56:39 +02:00
euxane
aa107a60c4 nixos/stalwart-mail: fix vm test for v0.6.0
This migrates the syntax for a few configuration values,
which now need to be quoted strings for user values.

This also disables the use of a public resolver,
which is not accessible in the sandbox.
2024-05-15 00:45:21 +02:00
teutat3s
bb99280c9c
nixosTests.virtualbox: remove minimal profile
This fixes build failures with the wayland dependency:
Quoting @nevivurn:
"guestadditions->...->wayland, but the test config pulls in
modules/profiles/minimal.nix which disables xlibs and thus it won't build"

Co-authored-by: Yongun Seong <nevivurn@nevi.dev>
2024-05-14 18:14:45 +02:00
Jade Lovelace
099671c419 nixosTests.installer: test nixos-option anew
Someone put a FIXME in here. The FIXME looked really old. I uncommented
out the thing and it still passes. Calling this fixed.
2024-05-13 23:34:03 -07:00
Franz Pletz
8e7ebfe4f5
nixos/tests/mediamtx: make more robust, reformat
We're sleeping now until the timeout of the receive service is reached
to check for its state since it might fail until the stream is
available.
2024-05-13 23:47:34 +02:00
Franz Pletz
fc96e711c3
Merge pull request #310823 from WilliButz/systemd-initrd/fix-aarch64-modprobe-test 2024-05-13 23:03:39 +02:00
Weijia Wang
1fbd31f24d
Merge pull request #311293 from diogotcorreia/pgvecto.rs-broken-pg12-pg13
pgvecto-rs: mark as broken in pg12 and pg13
2024-05-13 23:02:50 +02:00
Patrick
05b36f060d
nixosTests.your_spotify: init 2024-05-13 22:12:17 +02:00
Yongun Seong
7715ce37e7 nixosTests.fcitx5: make test less flaky 2024-05-13 19:06:22 +02:00
Cosima Neidahl
068c0e3c95
Merge pull request #303745 from quantenzitrone/ydotool
ydotool: refactor ; nixos/ydotool: init module & nixosTest
2024-05-13 15:49:49 +02:00
Florian Klink
2a2f796888
Merge pull request #308801 from jmbaur/switch-to-configuration-rs
nixos/switch-to-configuration: add new implementation
2024-05-13 15:39:09 +02:00
Christina Rust
31a5a35b7e
Merge pull request #305286 from cafkafk/devpi-server-init
nixos/devpi-server: init
2024-05-13 13:14:51 +02:00
Quantenzitrone
483392f209
nixosTests.ydotool: init
Co-authored-by: Cosima Neidahl <opna2608@protonmail.com>
2024-05-13 12:22:06 +02:00
Christina Sørensen
52e0ad744d
nixos/devpi-server: init
Signed-off-by: Christina Sørensen <christina@cafkafk.com>
2024-05-13 12:14:44 +02:00
Diogo Correia
101e8a0a2b
pgvecto-rs: mark as broken in pg12 and pg13
Upstream (accidentally) broke support for postgresql 12 and 13 on
v0.2.1 by changing the signature of the `from_datum` function[^1].
This went unnoticed since the release branch `0.2` did not have CI.
Furthermore, they are removing support for these versions of postgresql
on v0.3.0[^2].

[^1]: 97e861d51d
[^2]: https://github.com/tensorchord/pgvecto.rs/issues/343
2024-05-13 09:25:06 +01:00
Florian Klink
aff6a121a3
Merge pull request #311039 from DavHau/pr_smokeping
nixos/smokeping: use nginx instead of thttpd
2024-05-13 01:11:59 +02:00
aszlig
0a9cecc35a
nixos/systemd-confinement: Make / read-only
Our more thorough parametrised tests uncovered that with the changes for
supporting DynamicUser, we now have the situation that for static users
the root directory within the confined environment is now writable for
the user in question.

This is obviously not what we want and I'd consider that a regression.
However while discussing this with @ju1m and my suggestion being to
set TemporaryFileSystem to "/" (as we had previously), they had an even
better idea[1]:

> The goal is to deny write access to / to non-root users,
>
>   * TemporaryFileSystem=/ gives us that through the ownership of / by
>     root (instead of the service's user inherited from
>     RuntimeDirectory=).
>   * ProtectSystem=strict gives us that by mounting / read-only (while
>     keeping its ownership to the service's user).
>
> To avoid the incompatibilities of TemporaryFileSystem=/ mentioned
> above, I suggest to mount / read-only in all cases with
> ReadOnlyPaths = [ "+/" ]:
>
>   ...
>
> I guess this would require at least two changes to the current tests:
>
>   1. to no longer expect root to be able to write to some paths (like
>      /bin) (at least not without first remounting / in read-write
>      mode).
>   2. to no longer expect non-root users to fail to write to certain
>      paths with a "permission denied" error code, but with a
>      "read-only file system" error code.

I like the solution with ReadOnlyPaths even more because it further
reduces the attack surface if the user is root. In chroot-only mode this
is especially useful, since if there are no other bind-mounted paths
involved in the unit configuration, the whole file system within the
confined environment is read-only.

[1]: https://github.com/NixOS/nixpkgs/pull/289593#discussion_r1586794215

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:40 +02:00
aszlig
27f36b5e57
nixos/tests/confinement: Parametrise subtests
This is to make sure that we test all of the DynamicUser/User/Group and
PrivateTmp options in a uniform way. The reason why we need to do this
is because we recently introduced support for the DynamicUser option and
since there are some corner cases where we might end up with more
elevated privileges (eg. writable directories in some cases), we want to
make sure that the environment is as restrictive as with a static
User/Group assignment.

I also removed various checks that try to os.chown(), since with our new
recursive checker those are redundant.

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:38 +02:00
aszlig
51d3f3475c
nixos/tests/confinement: Run test probes in Python
So far the architecture for the tests was that we would use a systemd
socket unit using the Accept option to start a small shell process where
we can pipe commands into by connecting to the socket created by the
socket unit.

This is unnecessary since we can directly use the code snippets from the
individual subtests and systemd will take care of checking the return
code in case we get any assertions[^1].

Another advantage of this is that tests now run in parallel, so we can
do rather expensive things such as looking in /nix to see whether
anything is writable.

The new assert_permissions() function is the main driver behind this and
allows for a more fine-grained way to check whether we got the right
permissions whilst also ignoring irrelevant things such as read-only
empty directories.

Our previous approach also just did a read-only check, which might be
fine in full-apivfs mode where the attack surface already is large, but
in chroot-only mode we really want to make sure nothing is every
writable.

A downside of the new approach is that currently the unit names are
numbered via lib.imap1, which makes it annoying to track its definition.

[^1]: Speaking of assertions, I wrapped the code to be run with pytest's
      assertion rewriting, so that we get more useful AssertionErrors.

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:36 +02:00
aszlig
f7d026b431
nixos/tests/confinement: Move to dedicated dir
When experimenting on ways how to refactor the test, I wrote a
significant enough amount of Python to warrant a dedicated Python file.

This commit is mainly to prepare for that and make it easier to track
renames.

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:34 +02:00
aszlig
ba31b3753e
nixos/tests/confinement: Re-add description attr
The reason why I originally used the "description" attribute was that it
can be easily used to parametrise the tests so that we can specify
common constraints and apply it across a number of different
configurations.

When porting the tests to Python, the description attribute was replaced
by inlining it into the Python code, most probably because it was easier
to do in bulk since using Nix to generate the subtest parts would be
very complicated to do since we also had to please Black (a Python code
formatter that we no longer use in test scripts).

Since we now also want to support DynamicUser in systemd-confinement,
the need to parametrise the tests became apparent again because it's now
easier to refactor our subtests to run both with *and* without
DynamicUser set to true.

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:32 +02:00
Julien Moutinho
0a5542c766
nixos/systemd-confinement: support ProtectSystem=/DynamicUser=
See https://discourse.nixos.org/t/hardening-systemd-services/17147/14
2024-05-13 00:40:25 +02:00
Jade Lovelace
3fd324f823 nixos: remove historical maintainership of modules by eelco
Eelco has made several early contributions to NixOS including writing
the samba module among other things, but is more or less inactive these
days.

By my brief inspection, he has not committed to the nixos/ tree since
releasing Nix 2.13 in early 2023 and merging a PR to networking tests
slightly before that. A lot of these tests/modules are actually
unmaintained in practice, so we should update the code to reflect the
practical reality so someone can consider picking them up.
2024-05-12 12:48:57 -07:00
Andreas Rammhold
d157db3480
Merge pull request #307051 from hax404/modules/tayga/mappings
nixos/tayga: add mappings option
2024-05-12 21:16:26 +02:00
Martin Weinelt
6ce8bb794d
Merge pull request #311085 from mweinelt/knot-test-xfr
nixos/tests/knot: wait for successful zone transfers
2024-05-12 21:01:40 +02:00
Raito Bezarius
b35ccb7fda nixos/tests/misc: call the tester test to be callTest-ed
Otherwise, this will destroy the release machinery to collect all the
systems.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-05-12 18:15:52 +02:00
Martin Weinelt
c1b293ca0c
nixos/tests/knot: wait for successful zone transfers
Depending on the startup order of the two machines it might take a few
moments to get both zones transfered, which can lead to SERVFAIL
responses on busy machines.
2024-05-12 16:40:23 +02:00
Ryan Lahfa
df0bced725
Merge pull request #310194 from RaitoBezarius/lix
lix: init at 2.90-beta.1
2024-05-12 16:28:36 +02:00
DavHau
0b6c484848 nixos/smokeping: use nginx instead of thttpd
Motivation:
fixes #265953

Changes:
- deprecate `services.smokeping.port` in favor of the niginx native option
- mention in release notes
2024-05-12 13:31:11 +02:00
Pol Dellaiera
aff1950a3f
nixos/private-gpt: init 2024-05-11 22:42:04 +02:00
Raito Bezarius
81854ca604 nixos/tests/misc: rework and take ownership
`nixosTests.misc` is an interesting smoketest as a last (cheap) line of
defense against Nix regressions.

We rework it to accept any arbitrary package manager for Lix.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-05-11 21:33:25 +02:00
WilliButz
d8eb6d3b97
nixos/tests/systemd-initrd-modprobe: use loadable module
The kernel used on aarch64-linux is built with CONFIG_BLK_DEV_LOOP=y,
so the test previously did not work on aarch64-linux.

The module for Hybla congestion control is available as a loadable
module both on x86_64-linux and aarch64-linux.
2024-05-11 13:04:20 +02:00
Jared Baur
32bf051ba4
nixos/switch-to-configuration: add new implementation
This adds an implementation of switch-to-configuration that allows for
closer interaction with the lifecycle of systemd units by using DBus
APIs directly instead of using systemctl. It is disabled by default, but
can be enabled by specifying `{ system.switch = { enable = false; enableNg = true; }; }`.
2024-05-10 16:33:06 -07:00
superherointj
602a9cec5b
Merge pull request #309904 from superherointj/k3s-format-rfc
k3s: enforce rfc 0166 format
2024-05-10 20:25:35 -03:00
Martin Weinelt
e21dccc5a1
Merge pull request #310645 from gepbird/fix-firefox-test
nixosTests.firefox-{beta,devedition,esr,esr-115}: unbreak
2024-05-11 00:07:56 +02:00
superherointj
6cfcd3c754 k3s: format with nixfmt-rfc-style 2024-05-10 18:55:54 -03:00
Gutyina Gergő
e1d179e36e
nixosTests.firefox-{beta,devedition,esr,esr-115}: unbreak 2024-05-10 19:28:41 +02:00
Adam C. Stephens
6878d98e5c
Merge pull request #310341 from adamcstephens/incus/6.1.0
incus: 6.0.0 -> 6.1.0, enable non-LTS testing
2024-05-10 10:17:20 -04:00
Martin Weinelt
7da17ece76
Merge pull request #310366 from mweinelt/pretix-pretalx-homemode
pretix, pretalx: fixes, hardening
2024-05-10 14:50:24 +02:00
Franz Pletz
fb382c2628
Merge pull request #310452 from fpletz/nginx-acme-servername
nixos/nginx: fix reference to acme cert hostname
2024-05-10 14:04:24 +02:00
Franz Pletz
04f0aed442
Merge pull request #267880 from Izorkin/update-nixos-tests-logrotate 2024-05-10 02:06:59 +02:00
Franz Pletz
b7d060d10d
nixos/nginx: fix reference to acme cert hostname
The change introduced in #308303 refers to the virtualHosts attrset
key which can be any string. The servername is the actual primary
hostname used for the certificate.

This fixes use cases like:

    services.nginx.virualHosts.foobar.serverName = "my.fqdn.org";
2024-05-10 01:36:34 +02:00
Martin Weinelt
e2ccc754ac
nixos/tests/pretalx: test cli wrapper and print systemd unit security 2024-05-09 18:20:13 +02:00
Adam Stephens
e58c57a868
nixos/tests/incus: enable testing both LTS and non-LTS 2024-05-09 10:03:07 -04:00
Adam C. Stephens
215dd64e07
Merge pull request #307039 from adamcstephens/nixos-unstable
nixos/incus: add support for soft daemon restarts
2024-05-09 09:59:37 -04:00
Adam Stephens
7d5b333dcd
nixos/incus: add support for soft daemon restart
This is a feature supported out of the box by upstream and allows the
incusd service to be restarted without impacting running
instances. While this does give up a bit of reproducibility, qemu and
lxc for example, there are clear benefits in allowing the host to
apply updates without impacting instances.

Modeled after the zabbly implementation: 2a67c3e260/systemd/incus-startup.service

This will now be the default.
2024-05-09 09:01:12 -04:00
Peder Bergebakken Sundt
9873938432
Merge pull request #302814 from paumr/auto-update/archi
archi: 5.2.0 -> 5.3.0
2024-05-08 13:07:09 +02:00
Oliver Schmidt
52506a2744 percona: adapt upstream release model
In accordance to the upstream release cycle, we now provide 2 flavours
of the percona mysql ecosystem. The default is the LTS variant,
additionally there is now the floating `percona-server_innovation`
always pointing to the most recent regular release.

- mentioned in release notes
- adapted all depending tests and tools (xtrabackup)
2024-05-08 00:40:06 +02:00
Oliver Schmidt
0999991e93 percona-server_8_3: init at 8.3.0-1
This release belongs to the "innovation" release track of Percona,
making it likely to diverge over time from the LTS release. Hence I just
created a separate packaging expression for this.
2024-05-07 19:56:32 +02:00
superherointj
dd7c32ab3e
Merge pull request #309099 from rorosen/package-k3s-kilall
k3s: package k3s-killall script
2024-05-07 11:02:03 -03:00
Robert Rose
2b0b15ec94 k3s: package k3s-killall script
Provide the k3s-killall.sh script for orderly shutdown of k3s.
2024-05-07 11:53:15 +02:00
Pol Dellaiera
52b35c5833
Merge pull request #309534 from getchoo/nixos/fish/package-option
nixos/fish: add `package` option
2024-05-07 08:56:13 +02:00
seth
f959fd3fff
nixos/fish: disable logrotate service in module test
headstart on https://github.com/NixOS/nixpkgs/pull/267880
2024-05-07 00:37:47 -04:00