Commit Graph

343 Commits

Author SHA1 Message Date
Aaron Andersen
3bd03d2c0a nixos/moodle: init service 2019-08-25 08:12:28 -04:00
Jan Tojnar
a8d3aebdce
Merge pull request #67318 from jtojnar/gnome-photos
gnome-photos: 3.32.0 → 3.32.1
2019-08-23 19:49:43 +02:00
Jan Tojnar
c6eb691fb8
gnome-photos: add installed tests 2019-08-23 19:31:14 +02:00
Marek Mahut
882e5b0e05
Merge pull request #67213 from mmahut/jormungandr
nixos: adding jormungandr service
2019-08-23 11:07:49 +02:00
Marek Mahut
4aef2212ee
Revert "nixos/containers: add unprivileged option" 2019-08-23 08:24:06 +02:00
Marek Mahut
27acea73b8
Merge pull request #67130 from uvNikita/containers/unprivileged
nixos/containers: add unprivileged option
2019-08-23 08:00:35 +02:00
Jan Tojnar
91b46353a5
Merge pull request #67308 from jtojnar/libxmlb-0.1.11
libxmlb: 0.1.10 → 0.1.11
2019-08-23 02:06:41 +02:00
Jan Tojnar
93f4d6f6ae
nixos/tests/libxmlb: init 2019-08-23 01:34:48 +02:00
Marek Mahut
f4ca6e3dd1
Merge pull request #66722 from mmahut/trezord-emulator
trezord: adding emulator support (plus test)
2019-08-22 23:25:18 +02:00
Marek Mahut
8d0776be66 nixos/tests: adding jormungandr service test 2019-08-22 07:10:16 +02:00
worldofpeace
fd7d31b50e nixosTests.xfce4-14: init
This is pretty much identical to the xfce test we currently have.
2019-08-21 22:04:29 -04:00
Florian Klink
9f237fe444
Merge pull request #45392 from dguibert/dg/wireguard
nixos/wireguard: setup interface with systemd-networkd
2019-08-21 15:48:05 +02:00
Félix Baylac-Jacqué
0528816570 systemd-networkd: add tests
(cherry picked from commit ec073e41a0)
2019-08-21 11:11:28 +02:00
Nikita Uvarov
7e7fc6471e
nixos/containers: add unprivileged option
Fixes #57083.
2019-08-21 00:01:29 +02:00
Matthieu Coudron
0f32b32c95
Merge pull request #63150 from Izorkin/prosody-test
nixos/tests/prosody: update prosody tests
2019-08-20 17:52:58 +09:00
Michael Raskin
0cbeac4f66
Merge pull request #66736 from markuskowa/upd-gluster
glusterfs: 4.0 -> 6.5
2019-08-20 08:08:57 +00:00
Izorkin
bb4816d41c nixos/tests/prosodyMysql: add check work prosody with MySQL database 2019-08-20 10:24:49 +03:00
Izorkin
691da63cba nixos/tests: move ejabberd and prosody test to xmpp folder 2019-08-20 10:24:47 +03:00
Marek Mahut
3b6258946f
Merge pull request #64407 from dasJ/icingaweb-test
nixos/icingaweb: Fix module path; Add test
2019-08-19 21:27:16 +02:00
Marek Mahut
94c51859df
Merge pull request #66846 from uvNikita/containers/ephemeral
nixos/containers: add 'ephemeral' option
2019-08-19 20:55:33 +02:00
Nikita Uvarov
c740f0d400
nixos/containers: add 'ephemeral' option 2019-08-19 15:21:35 +02:00
Aaron Andersen
8227b2f29e
Merge pull request #66399 from mmahut/metabase
metabase: service module and test
2019-08-18 19:49:05 -04:00
Markus Kowalewski
6104ad00a1
nixos/glusterfs: add test 2019-08-18 18:58:00 +02:00
Marek Mahut
d2ebcec779 tests: adding metabase service test 2019-08-18 13:44:26 +02:00
Marek Mahut
20ea4b6dd3 tests: adding trezord 2019-08-16 17:05:13 +02:00
Notkea
4ff9a48398 nixos/postgresql-wal-receiver: add module (#63799) 2019-08-11 20:09:42 +03:00
worldofpeace
2eaef474f2
Merge pull request #66236 from worldofpeace/test-reorganize
Reorganize GNOME tests, re-enable LightDM for release-combined
2019-08-10 11:23:57 -04:00
Silvan Mosberger
ce82d0b61a
Couchdb: Don't chown /var/log to couchdb (#65347)
Couchdb: Don't chown /var/log to couchdb
2019-08-10 01:36:15 +02:00
Bas van Dijk
810388afd2 nixos-generate-config: enable overriding configuration.nix 2019-08-08 17:00:10 +02:00
worldofpeace
63a1787ed5 nixosTests.gnome{xorg}: re-enable on aarch64 2019-08-07 15:53:26 -04:00
worldofpeace
feb4b30074 nixos/release-combined: re-enable lightdm test
This has been tested in the Pantheon test
for a year now and it does fine on hydra.
2019-08-06 20:51:44 -04:00
worldofpeace
5efe51ccc2 nixosTests.gnome3: rename from gnome3-gdm
The actual only difference from the gnome3-xorg
test is that this tests the wayland session.
It's also more accurate to call it just "gnome3"
since wayland is default here.
2019-08-06 20:51:44 -04:00
worldofpeace
087c640e1a nixosTests.gnome3-xorg: rename from gnome3 2019-08-06 19:13:35 -04:00
Aaron Andersen
a1f738ba87
Merge pull request #62748 from aanderse/mediawiki
nixos/mediawiki: init service to replace httpd subservice
2019-07-31 22:12:23 -04:00
Andrew Childs
a5328e1386 fluentd: add simple test 2019-07-30 00:37:21 +09:00
Silvan Mosberger
12eb0f524b
nixos/tests: Reenable couchdb
Works just fine in current master
2019-07-24 20:53:02 +02:00
Aaron Andersen
455d33f514 nixos/mediawiki: init service to replace httpd subservice 2019-07-23 22:02:33 -04:00
Franz Pletz
376b5fd000
Merge pull request #64463 from Ma27/graylog-test
nixos/graylog: minor fixes, add test
2019-07-21 20:53:39 +00:00
Aaron Andersen
44565adda5
Merge pull request #60436 from nbardiuk/master
nixos/tiddlywiki: init
2019-07-21 16:39:42 -04:00
Samuel Dionne-Riel
56836c31ad nixos/tests: drop tomcat connector test
The httpd subservice was dropped in #64052.
2019-07-20 15:19:45 -04:00
Nazarii Bardiuk
976928daa2
nixos/tiddlywiki: init
Service that runs TiddlyWiki nodejs server
2019-07-16 23:12:16 +01:00
edef
950d91cc9c nixos/tests: include the etcd-cluster test in all-tests.nix
We seem to have had this test for quite a while, but nothing seems to
reference it.
2019-07-09 23:46:57 +00:00
Maximilian Bosch
16d0b8dcbd
nixos/graylog: add test
Basic test which confirms new inputs can be created and that messages
can be sent to a UDP-GELF input using `netcat`.

This test requires 4GB of RAM to avoid issues due to insufficient
memory (please refer to `nixos/tests/elk.nix` for a detailed explanation of
the issue) for elasticsearch.

Also it's ensured that elasticsearch has an open HTTP port for communication
when starting `graylog`. This is a workaround to ensure that all services
are started in proper order, even in test environments with less power.
However this shouldn't be implemented in the `nixos/graylog` module as
this might be harmful when using elasticsearch clusters that require e.g.
authentication and/or run on different servers.
2019-07-09 23:57:45 +02:00
WilliButz
d902420290
nixos/tests: add test for loki 2019-07-08 16:10:00 +02:00
Janne Heß
9e2a8f5023 nixos/icingaweb: Fix module path; Add test 2019-07-07 03:03:59 +02:00
Jan Tojnar
c96ee919cf
flatpak-builder: 1.0.6 -> 1.0.7 (#62413)
flatpak-builder: 1.0.6 -> 1.0.7
2019-06-16 01:39:09 +02:00
Jan Tojnar
ccc6ffe2dc
flatpak-builder: add installed tests 2019-06-16 01:22:12 +02:00
Vladimír Čunát
788261a1a9
Merge branch 'master' into staging-next
Brings in Haskell rebuild.
Hydra nixpkgs: ?compare=1525186
2019-06-14 17:47:23 +02:00
Daniel Schaefer
2bcca9271a nixos/cassandra: Reenable tests 2019-06-13 04:36:41 +02:00
Symphorien Gibol
9e06a61cf0 mention the os-prober test in pkgs.os-prober.passthru.tests 2019-06-09 20:26:05 +02:00
Frederik Rietdijk
d3afcac771 Merge master into staging-next 2019-06-09 12:28:52 +02:00
Daiderd Jordan
9b52ff5335
Merge pull request #62133 from LnL7/nixos-uwsgi
nixos: add test for uwsgi
2019-06-08 11:25:51 +02:00
Vladimír Čunát
ee86a325dd
Merge branch 'staging-next' into staging
Conflicts (simple):
	nixos/doc/manual/release-notes/rl-1909.xml
2019-06-03 22:34:49 +02:00
Andreas Rammhold
024a383d64
nixos/systemd: migrate systemd-timesync state when required
Sometime between systemd v239 and v242 upstream decided to no longer run
a few system services with `DynamicUser=1` but failed to provide a
migration path for all the state those services left behind.

For the case of systemd-timesync the state has to be moved from
/var/lib/private/systemd/timesync to /var/lib/systemd/timesync if
/var/lib/systemd/timesync is currently a symlink.

We only do this if the stateVersion is still below 19.09 to avoid
starting to have an ever growing activation script for (then) ancient
systemd migrations that are no longer required.

See https://github.com/systemd/systemd/issues/12131 for details about
the missing migration path and related discussion.
2019-06-03 15:05:19 +02:00
Matthew Bauer
f21b846afe
Merge pull request #57752 from aanderse/limesurvey
limesurvey: 2.05_plus_141210 -> 3.17.1+190408, init module
2019-06-01 17:31:15 -04:00
Aaron Andersen
73e175a6ce nixos/limesurvey: add basic nixos test 2019-05-28 23:02:38 -04:00
Daiderd Jordan
8ce93e26b0
nixos: add test for uwsgi 2019-05-27 23:03:22 +02:00
Arian van Putten
a48047a755 nixos: Add test that demonstrates how to use nesting.clone
This is actually very useful. Allows you to test switch-to-configuration

nesting.children is currently still broken as it will throw
away 'too much' of the config, including the modules that make
nixos tests work in the first place. But that's something for
another time.
2019-05-26 00:37:13 +02:00
Florian Klink
5695696664 nixosTests.signal-desktop: add test 2019-05-23 00:56:46 +02:00
Renaud
42c0ce80e6
Merge pull request #61610 from worldofpeace/init/graphene
graphene: init at 1.8.6
2019-05-22 17:26:46 +02:00
lassulus
a3e7e1bbc8 nixos/syncthing: add options for declarative device/folder config 2019-05-20 17:56:17 +09:00
Aaron Andersen
b5a0c38e55
Merge pull request #59401 from mguentner/mxisd_1_3
mxisd: 1.2.0 -> 1.4.3
2019-05-19 07:00:47 -04:00
Maximilian Güntner
e2c58c19c4
tests: add mxisd to all-tests 2019-05-18 22:18:01 +02:00
worldofpeace
cc7c76f206 nixosTests.graphene: init 2019-05-16 21:29:17 -04:00
Bas van Dijk
71fdb69314 nixos: add test for tinydns 2019-05-16 23:46:17 +02:00
worldofpeace
bb7e5566c7
Merge pull request #44086 from erikarvstedt/paperless
paperless: add package and service
2019-05-08 17:17:49 -04:00
Erik Arvstedt
80c3ddbad8
paperless service: init 2019-05-08 09:26:32 +02:00
nyanloutre
f82bfd5e80
nixos/jellyfin: add test to all-tests.nix 2019-05-01 11:57:34 +02:00
Silvan Mosberger
77fb90d27e
Merge pull request #59731 from ajs124/ejabberd_test
ejabberd: refactor module, add test
2019-04-27 23:36:52 +02:00
Florian Klink
033882e0b7
Merge pull request #60019 from aanderse/nzbget
nzbget: fix broken service, as well as some improvements
2019-04-27 18:26:50 +02:00
Peter Hoeg
eb6ce1c8a9
Merge pull request #60146 from peterhoeg/f/packagekit
nixos/packagekit: make it not error out + test
2019-04-26 14:19:46 +08:00
Aaron Andersen
5b76046db3 nixos/nzbget: fix broken service, add a nixos test, as well as some general improvements 2019-04-25 20:28:39 -04:00
Peter Hoeg
ab15949f81 nixos/packagekit: add test 2019-04-24 22:31:36 +08:00
Peter Hoeg
f81ddbf8e7
Merge pull request #60149 from peterhoeg/u/mosquitto_160
mosquitto: 1.5.8 -> 1.6 + nixos tests
2019-04-24 22:29:08 +08:00
Graham Christensen
f57fc6c881
wireguard: add generatePrivateKeyFile option + test
Ideally, private keys never leave the host they're generated on - like
SSH. Setting generatePrivateKeyFile to true causes the PK to be
generated automatically.
2019-04-24 07:46:01 -04:00
Peter Hoeg
c5af9fd4dd nixos/mosquitto: add test 2019-04-24 17:02:20 +08:00
ajs124
2b84c8d560 nixos/ejabberd: add basic test 2019-04-19 12:44:43 +02:00
Aaron Andersen
5f4df8e509 automysqlinit: init at 3.0_rc6 2019-04-15 21:51:55 -04:00
Joachim F
5dafbb2cb1
Merge pull request #56719 from bricewge/miniflux-service
miniflux: add service
2019-04-12 09:57:30 +00:00
Bas van Dijk
2f2e2971d6
Merge pull request #58255 from jbgi/prometheus2
Add Prometheus 2 service in parallel with 1.x version (continuation)
2019-04-09 14:14:18 +02:00
Robin Gloster
a58ab8fc05
Merge pull request #58398 from Ma27/package-documize
documize-community: init at 2.2.1
2019-04-08 22:34:11 +00:00
Maximilian Bosch
acbb74ed18
documize-community: init at 2.2.1
Documize is an open-source alternative for wiki software like Confluence
based on Go and EmberJS. This patch adds the sources for the community
edition[1], for commercial their paid-plan[2] needs to be used.

For commercial use a derivation that bundles the commercial package and
contains a `$out/bin/documize` can be passed to
`services.documize.enable`.

The package compiles the Go sources, the build process also bundles the
pre-built frontend from `gui/public` into the binary.

The NixOS module generates a simple `systemd` unit which starts the
service as a dynamic user, database and a reverse proxy won't be
configured.

[1] https://www.documize.com/get-started/
[2] https://www.documize.com/pricing/
2019-04-08 23:54:57 +02:00
Bas van Dijk
394970047e nixos/tests: register the prometheus2 test 2019-04-08 15:24:23 +02:00
Jeremy Apthorp
e8b68dd4f4 miniflux: add service 2019-04-06 03:52:15 +02:00
Jörg Thalheim
d8445c9925
tests/pdns-recursor: add 2019-04-04 19:42:49 +01:00
Franz Pletz
ab574424a0
Merge pull request #57789 from Ma27/wireguard-test
nixos/wireguard: add test
2019-04-02 08:11:52 +00:00
Tim Steinbach
5aef5c5931
kafka: Add test for 2.2
Also add back tests, don't seem broken anymore.

This is just fine:
nix-build ./nixos/release.nix -A tests.kafka.kafka_2_1.x86_64-linux -A tests.kafka.kafka_2_2.x86_64-linux
2019-04-01 08:39:25 -04:00
Tim Steinbach
3db50cc82f
linux: Add testing test 2019-04-01 08:31:36 -04:00
aszlig
dcf40f7c24
Merge pull request #57519 (systemd-confinement)
Currently if you want to properly chroot a systemd service, you could do
it using BindReadOnlyPaths=/nix/store or use a separate derivation which
gathers the runtime closure of the service you want to chroot. The
former is the easier method and there is also a method directly offered
by systemd, called ProtectSystem, which still leaves the whole store
accessible. The latter however is a bit more involved, because you need
to bind-mount each store path of the runtime closure of the service you
want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages.

However, this process is a bit tedious, so the changes here implement
this in a more generic way.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.myservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      confinement.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes script and {pre,post}Start) need to be in the chroot,
it can be specified using the confinement.packages option. By default
(which uses the full-apivfs confinement mode), a user namespace is set
up as well and /proc, /sys and /dev are mounted appropriately.

In addition - and by default - a /bin/sh executable is provided, which
is useful for most programs that use the system() C library call to
execute commands via shell.

Unfortunately, there are a few limitations at the moment. The first
being that DynamicUser doesn't work in conjunction with tmpfs, because
systemd seems to ignore the TemporaryFileSystem option if DynamicUser is
enabled. I started implementing a workaround to do this, but I decided
to not include it as part of this pull request, because it needs a lot
more testing to ensure it's consistent with the behaviour without
DynamicUser.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and doesn't
include/exclude the individual bind mounts or the tmpfs.

A quirk we do have right now is that systemd tries to create a /usr
directory within the chroot, which subsequently fails. Fortunately, this
is just an ugly error and not a hard failure.

The changes also come with a changelog entry for NixOS 19.03, which is
why I asked for a vote of the NixOS 19.03 stable maintainers whether to
include it (I admit it's a bit late a few days before official release,
sorry for that):

  @samueldr:

    Via pull request comment[1]:

      +1 for backporting as this only enhances the feature set of nixos,
      and does not (at a glance) change existing behaviours.

    Via IRC:

      new feature: -1, tests +1, we're at zero, self-contained, with no
      global effects without actively using it, +1, I think it's good

  @lheckemann:

    Via pull request comment[2]:

      I'm neutral on backporting. On the one hand, as @samueldr says,
      this doesn't change any existing functionality. On the other hand,
      it's a new feature and we're well past the feature freeze, which
      AFAIU is intended so that new, potentially buggy features aren't
      introduced in the "stabilisation period". It is a cool feature
      though? :)

A few other people on IRC didn't have opposition either against late
inclusion into NixOS 19.03:

  @edolstra:  "I'm not against it"
  @Infinisil: "+1 from me as well"
  @grahamc:   "IMO it's up to the RMs"

So that makes +1 from @samueldr, 0 from @lheckemann, 0 from @edolstra
and +1 from @Infinisil (even though he's not a release manager) and no
opposition from anyone, which is the reason why I'm merging this right
now.

I also would like to thank @Infinisil, @edolstra and @danbst for their
reviews.

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477322127
[2]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477548395
2019-03-29 04:37:53 +01:00
Aaron Andersen
c99ea1c203 nixos/mailcatcher: add nixos test 2019-03-27 09:56:46 -04:00
Benjamin Staffin
c94005358c NixOS: Run Docker containers as declarative systemd services (#55179)
* WIP: Run Docker containers as declarative systemd services

* PR feedback round 1

* docker-containers: add environment, ports, user, workdir options

* docker-containers: log-driver, string->str, line wrapping

* ExecStart instead of script wrapper, %n for container name

* PR feedback: better description and example formatting

* Fix docbook formatting (oops)

* Use a list of strings for ports, expand documentation

* docker-containers: add a simple nixos test

* waitUntilSucceeds to avoid potential weird async issues

* Don't enable docker daemon unless we actually need it

* PR feedback: leave ExecReload undefined
2019-03-25 00:59:09 +02:00
aszlig
12efcc2dee
Merge overlayfs fix, LTS kernel bump and test
In Linux 4.19 there has been a major rework of the overlayfs
implementation and it now opens files in lowerdir with O_NOATIME, which
in turn caused issues in our VM tests because the process owner of QEMU
doesn't match the file owner of the lowerdir.

The crux here is that 9p propagates the O_NOATIME flag to the host and
the guest kernel has no way of verifying whether that flag will lead to
any problems beforehand.

There is ongoing work to possibly fix this in the kernel, but it will
take a while until there is a working patch and consensus.

So in order to bring our default kernel back to 4.19 and of course make
it possible to run newer kernels in VM tests, I'm merging a small QEMU
patch as an interim solution, which we can drop once we have a working
fix in the next round of stable kernels.

Now we already had Linux 4.19 set as the default kernel, but that was
subsequently reverted in 048c36ccaa
because the patch we have used was the revert of the commit I bisected a
while ago.

This patch broke overlayfs in other ways, so I'm also merging in a VM
test by @bachp, which only tests whether overlayfs is working, just to
be on the safe side that something like this won't happen in the future.

Even though this change could be considered a moderate mass-rebuild at
least for GNU/Linux, I'm merging this to master, mainly to give us some
time to get it into the current 19.03 release branch (and subsequent
testing window) once we got no new breaking builds from Hydra.

Cc: @samueldr, @lheckemann

Fixes: https://github.com/NixOS/nixpkgs/issues/54509
Fixes: https://github.com/NixOS/nixpkgs/issues/48828
Merges: https://github.com/NixOS/nixpkgs/pull/57641
Merges: https://github.com/NixOS/nixpkgs/pull/54508
2019-03-19 00:15:51 +01:00
worldofpeace
5e7623aefc nixos/tests/colord: init 2019-03-18 08:05:42 -04:00
Maximilian Bosch
0c4e9e397e
nixos/wireguard: add test
After working on the last wireguard bump (#57534), we figured that it's
probably a good idea to have a basic test which confirms that a simple
VPN with wireguard still works.

This test starts two peers with a `wg0` network interface and adds a v4
and a v6 route that goes through `wg0`.
2019-03-18 00:22:23 +01:00
Pascal Bach
a8307b9f39 nixos/overlayfs: add test 2019-03-15 15:15:32 +01:00
aszlig
0ba48f46da
nixos/systemd-chroot: Rename chroot to confinement
Quoting @edolstra from [1]:

  I don't really like the name "chroot", something like "confine[ment]"
  or "restrict" seems better. Conceptually we're not providing a
  completely different filesystem tree but a restricted view of the same
  tree.

I already used "confinement" as a sub-option and I do agree that
"chroot" sounds a bit too specific (especially because not *only* chroot
is involved).

So this changes the module name and its option to use "confinement"
instead of "chroot" and also renames the "chroot.confinement" to
"confinement.mode".

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 19:14:03 +01:00
aszlig
ac64ce9945
nixos: Add 'chroot' options to systemd.services
Currently, if you want to properly chroot a systemd service, you could
do it using BindReadOnlyPaths=/nix/store (which is not what I'd call
"properly", because the whole store is still accessible) or use a
separate derivation that gathers the runtime closure of the service you
want to chroot. The former is the easier method and there is also a
method directly offered by systemd, called ProtectSystem, which still
leaves the whole store accessible. The latter however is a bit more
involved, because you need to bind-mount each store path of the runtime
closure of the service you want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages. That's also what I did several times[1][2] in the
past.

However, this process got a bit tedious, so I decided that it would be
generally useful for NixOS, so this very implementation was born.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.yourservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      chroot.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes "script" and {pre,post}Start) need to be in the
chroot, it can be specified using the chroot.packages option. By
default (which uses the "full-apivfs"[3] confinement mode), a user
namespace is set up as well and /proc, /sys and /dev are mounted
appropriately.

In addition - and by default - a /bin/sh executable is provided as well,
which is useful for most programs that use the system() C library call
to execute commands via shell. The shell providing /bin/sh is dash
instead of the default in NixOS (which is bash), because it's way more
lightweight and after all we're chrooting because we want to lower the
attack surface and it should be only used for "/bin/sh -c something".

Prior to submitting this here, I did a first implementation of this
outside[4] of nixpkgs, which duplicated the "pathSafeName" functionality
from systemd-lib.nix, just because it's only a single line.

However, I decided to just re-use the one from systemd here and
subsequently made it available when importing systemd-lib.nix, so that
the systemd-chroot implementation also benefits from fixes to that
functionality (which is now a proper function).

Unfortunately, we do have a few limitations as well. The first being
that DynamicUser doesn't work in conjunction with tmpfs, because it
already sets up a tmpfs in a different path and simply ignores the one
we define. We could probably solve this by detecting it and try to
bind-mount our paths to that different path whenever DynamicUser is
enabled.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and not the
individual bind mounts or our tmpfs. It would be helpful if systemd
would have a way to disable specific bind mounts as well or at least
have some way to ignore failures for the bind mounts/tmpfs setup.

Another quirk we do have right now is that systemd tries to create a
/usr directory within the chroot, which subsequently fails. Fortunately,
this is just an ugly error and not a hard failure.

[1]: https://github.com/headcounter/shabitica/blob/3bb01728a0237ad5e7/default.nix#L43-L62
[2]: https://github.com/aszlig/avonc/blob/dedf29e092481a33dc/nextcloud.nix#L103-L124
[3]: The reason this is called "full-apivfs" instead of just "full" is
     to make room for a *real* "full" confinement mode, which is more
     restrictive even.
[4]: https://github.com/aszlig/avonc/blob/92a20bece4df54625e/systemd-chroot.nix

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 19:14:01 +01:00
Martin Weinelt
a978d3dcd2
nixos/knot: init 2019-03-14 01:28:53 +01:00
hyperfekt
3731835efc nixos/fish: generate autocompletions from man pages 2019-02-27 12:23:48 +01:00
aanderse
e5405f9ae8 nixos/beanstalkd: new service for existing package (#55953) 2019-02-22 14:10:02 +01:00
Frederik Rietdijk
6fe10d2779 Merge master into staging-next 2019-02-16 09:29:54 +01:00
Frederik Rietdijk
7257dedd7c Merge master into staging-next 2019-02-13 12:33:29 +01:00
Johan Thomsen
adc9da6178 nixos/flannel: fix flannel nixos test, add test to all-tests.nix 2019-02-12 18:26:39 +01:00
Florian Klink
e6df4dfe59
Merge pull request #54800 from nlewo/nova
Remove cloud-init from the Openstack image configuration
2019-02-11 22:23:32 +01:00
Antoine Eiche
d190b204f0 Rename novaImage to openstackImage
People don't necessarily know `nova` is related to Openstack (it is a
component of Openstack). So, it is more explicit to call it
`openstackImage`.
2019-02-11 20:58:44 +01:00
Matthew Bauer
5c09d977c7 Merge remote-tracking branch 'origin/master' into staging 2019-02-09 12:14:06 -05:00
Ryan Mulligan
d2904c8fbd
Merge pull request #53442 from erictapen/osrm-test
nixos/tests: add osrm-backend test
2019-02-08 06:46:57 -08:00
Florian Klink
400aa7b86a minio: add test to nixos/tests/all-tests.nix 2019-02-05 17:38:34 +01:00
Maximilian Bosch
a29294cb95
nixos/ndppd: register test 2019-02-03 16:47:01 +01:00
Florian Klink
e84a23c5f7 neo4j: add neo4j test 2019-02-01 16:01:08 +01:00
Vladimír Čunát
8ba516664b
Merge branch 'staging-next' into staging 2019-02-01 09:42:53 +01:00
Pierre Bourdon
20b1febace
nixos/tests: add nginx-sso basic functionality test 2019-01-29 19:54:14 +01:00
Wael Nasreddine
f072cfe1eb
nixos/pam: refactor U2F, docs about u2f_keys path (#54756)
* change enableU2F option to u2f.* set
* add few u2f options (not all) to customize pam-u2f module
* document default u2f_keys locations

Co-authored-by: Tomasz Czyż <tomasz.czyz@gmail.com>
Co-authored-by: Arda Xi <arda@ardaxi.com>
2019-01-29 08:45:26 -08:00
Matthew Bauer
92f0f8dd68 Merge remote-tracking branch 'NixOS/master' into staging 2019-01-27 00:01:13 -05:00
Elis Hirwing
3df02c6c03
nixos/jackett: Add test for jackett to ensure startup 2019-01-25 07:12:41 +01:00
Elis Hirwing
eb356ef3f8
nixos/lidarr: Add test for lidarr to ensure startup 2019-01-25 07:12:08 +01:00
Elis Hirwing
ddcb2c473d
nixos/radarr: Add test for radarr to ensure startup 2019-01-25 07:11:28 +01:00
Elis Hirwing
8be2345baf
nixos/sonarr: Add test for sonarr to ensure startup 2019-01-25 07:10:40 +01:00
Justin Humm
694c351cc3
nixos/tests: add osrm-backend test 2019-01-25 00:43:34 +01:00
worldofpeace
4abc6ff9e8 nixos/tests/all-tests.nix: add pantheon 2019-01-24 17:33:05 -05:00
Jörg Thalheim
ecd1129dee
nixos/telegraf: add test 2019-01-21 11:37:20 +00:00
Piotr Bogdan
cfc281f571 nixos/tests/kerberos: fix evaluation 2019-01-11 04:36:51 +00:00
Joachim Fasting
e6538caa48
nixos/tests: re-enable hardened test
Has been okay since 62623b60d5
2019-01-06 14:08:20 +01:00
Jan Tojnar
ef935fa101
Merge branch 'master' into staging 2018-12-24 15:02:29 +01:00
Florian Klink
0f46188ca1 nixos/tests: add google-oslogin test 2018-12-21 17:52:37 +01:00
Maximilian Bosch
64d05bbdd2
clickhouse: fix module and package runtime
Although the package itself builds fine, the module fails because it
tries to log into a non-existent file in `/var/log` which breaks the
service. Patching to default config to log to stdout by default fixes
the issue. Additionally this is the better solution as NixOS heavily
relies on systemd (and thus journald) for logging.

Also, the runtime relies on `/etc/localtime` to start, as it's not
required by the module system we set UTC as sensitive default when using
the module.

To ensure that the service's basic functionality is available, a simple
NixOS test has been added.
2018-12-20 13:03:41 +01:00
Frederik Rietdijk
9ab61ab8e2 Merge staging-next into staging 2018-12-19 09:00:36 +01:00
Franz Pletz
58db4c1a7e
Revert "nixos/tests: add clamav test"
This reverts commit 6433f3b13b.

Fixes #52446.
2018-12-17 19:24:44 +01:00
Jan Tojnar
aead6e12f9
Merge remote-tracking branch 'upstream/master' into staging 2018-12-16 22:55:06 +01:00
Franz Pletz
6433f3b13b
nixos/tests: add clamav test 2018-12-16 19:04:07 +01:00
Florian Klink
91c65721f7 owncloud: remove server
pkgs.owncloud still pointed to owncloud 7.0.15 (from May 13 2016)

Last owncloud server update in nixpkgs was in Jun 2016.
At the same time Nextcloud forked away from it, indicating users
switched over to that.

cc @matej (original maintainer)
2018-12-16 15:05:53 +01:00
Kai Wohlfahrt
337bc20e5f kerberos: Add tests/kerberos to release.nix 2018-12-11 13:33:10 +00:00
Vladimír Čunát
3946d83a3c
nixos tests: disable kafka for now
They consistently fail since openjdk bump with some out-of-space errors.
That's not a problem by itself, but each test instance ties a build slot
for many hours and consequently they also delay channels as those wait
for all builds to finish.

Feel free to re-enable when fixed, of course.
2018-12-10 13:19:00 +01:00
Robin Gloster
1262a5ca97
roundcube: apply code review suggestions 2018-11-28 18:53:37 +01:00
Michael Raskin
5e159d463b
Merge pull request #49228 from Ekleog/rss2email-module
rss2email module: init
2018-11-23 22:30:29 +00:00
Pierre Bourdon
08f24cadaa syncthing-relay module: init 2018-11-19 01:09:54 +01:00
Léo Gaspard
0483ce0eee
rss2email module: init
Also adding `system-sendmail` package for sharing the code with other
modules or packages needing it.
2018-11-15 23:44:16 +09:00
Sarah Brofeldt
1b02e6a907 nixos/tests/all-tests.nix: Fix incron test path 2018-11-14 23:51:15 +01:00
Jörg Thalheim
552c223625
nodePackages.statsd: remove
The package/service is broken. Upstream is dead
2018-11-14 18:32:44 +00:00
Daniël de Kok
40f41772aa tests: handbrake: test transcoding to MKV and MP4. 2018-11-12 08:19:58 +01:00
Léo Gaspard
2986ce16a8
meta.tests: rename into passthru.tests
Nix currently rejects derivations in `meta` values. This works around
that limitation by using `passthru` instead.

Closes https://github.com/NixOS/nixpkgs/issues/50230
2018-11-11 23:11:46 +09:00
Léo Gaspard
aade4e577b
tests: disable some broken tests and/or restrict to x86_64 2018-11-11 23:11:46 +09:00
Léo Gaspard
83b27f60ce
tests: split into a separate all-tests.nix file
This will make the list much easier to re-use, eg. for `nixosTests`

The drawback is that this approach makes the
```
nix-build release.nix -A tests.opensmtpd.x86_64-linux
```
command about twice as slow (3s to 6s): it now has to evaluate `nixpkgs`
once for each architecture, instead of just having the hardcoded list of
tests that allowed to say “ok just evaluate for x86_64-linux”.

On the other hand, complete evaluation of `release.nix` should be much
faster because we no longer import `nixpkgs` for each test: testing with
the following command went from 30s to 18s, and that's just for a few
tests.
```
time nix-instantiate --eval --strict nixos/release.nix -A tests.nat
```
I initially wanted to test on the whole `release.nix`, but there are too
many broken tests and it takes too long to eval them all, especially
compared to the fact that the current implementation breaks some setup.

Given developers can just `nix-build nixos/tests/my-test.nix`, it sounds
like an overall win.
2018-11-11 23:11:46 +09:00