systemd-247 provides a mechanism called LoadCredential for secrets and
it is better than environment file. See the section of Environment=
in the manual of systemd.exec for more information.
Some options in config.yaml need values to be strings, which currently
can be used with environmentFile but not loadCredential. But it's
possible to use loadCredential for those options, e.g. we can
substitute their values in ExecStart, but not in ExecStartPre due to
[1].
[1]: https://github.com/systemd/systemd/issues/19604
Prior to this patch:
$ nix-instantiate --eval -E '
> with import ./. {
> localSystem.config = "aarch64-unknown-linux-musl";
> };
> (nixos {}).config.nixpkgs.localSystem.config
> '
"aarch64-unknown-linux-gnu"
Because only the system triple was being passed through, the Musl part
of the system specification was lost. This patch fixes various
occurrences of NixOS evaluation when a Nixpkgs evaluation is already
available, to pass through the full elaborated system attribute set,
to avoid this loss of precision.
we expose it under settings instead of at the listener toplevel because
mosquitto seems to pick the addresses it will listen on
nondeterministically from the set of addresses configured on the
interface being bound to. encouraging its use by putting it into the
toplevel options for a listener seems inadvisable.
The old attribute is deprecated:
trace: warning: In test `chromium-stable': The `machine' attribute in NixOS
tests (pkgs.nixosTest / make-test-pyton.nix / testing-python.nix / makeTest) is
deprecated. Please use the equivalent `nodes.machine'.
Note: This is only a refactoring.
This allows btrbk instances without a triggering timer by setting
`onCalendar` to `null`.
This is useful for manual-starting only btrbk backup settings.
This will package up the closure of pkgs.hello in a tarball, and will
later on verify machinectl pull-tar properly unpacked it, serving as a
regression test for #108158.
Closes#108158
Initially applied via e7f6370701, then
reverted by 96aaf29234.
Re-applying this patch: the pleroma NixOS test is broken without it.
It was originally impossible to login in toot without having an
interactive shell. I opened https://github.com/ihabunek/toot/pull/180
upstream to fix that and fetch this patch for this test.
The author decided to fix the issue using a slightly different
approach at a3eb5dca24
Because of this upstream fix, our custom patch does not apply anymore.
Using that stdin-based login upstream feature.
Pointing pleroma_ctl to the right RELEASE_COOKIE as well.
Added Nextcloud 23 and set it as the default Nextcloud version for the
NixOS module. Added PHP 8.1 as an option for phpPackage and default for
Nextcloud ≥ 24.
The test would previously error out like this:
> synapse_homeserver[1155]: synapse.config._base.ConfigError: You have
> enabled open registration without any verification. This is a known
> vector for spam and abuse. If you would like to allow public
> registration, please consider adding email, captcha, or token-based
> verification. Otherwise this check can be removed by setting the
> `enable_registration_without_verification` config option to `true`.
- Make tests/lxd.nix use NixOS's lxdMeta & lxdImage to avoid relying on
3rd party containers such as Alpine Linux for testing purposes.
- Merge tests/lxd-image.nix into tests/lxd.nix, since now both have a
similar structure.
- Extract duplicated inline LXD configuration into a separate file,
- Add passthru.lxd-nftables & passthru.lxd-image-server.
This commit implements the following additional test cases for gitlab:
- Creating regular users
- git clone over http and ssh
- git push over ssh
- Forking projects
- Creating and merging Merge Requests
- Opening and closing issues.
Run each browser check as a separate NixOS test.
This fixes a problem in which one browser starts up before the previous
browser is finished exiting, exhausting a resource and causing a
spurious test failure.
As a bonus, splitting the test
* Gives more signal about exactly what's broken in the pass/fail status,
* Makes it easier to quickly diagnose test failures,
* Makes development iteration faster,
* Allows concurrent test execution, which makes the test finish sooner
when parallel builds are enabled.
* Would allow each browser's test to be included in its nixpkgs
passthru.tests, if desired (not done in this commit).
Reviewed-by: rnhmjoj <rnhmjoj@inventati.org>
this commit passes the build dependencies to the
pgadmin nixos test for package and regression testing.
Also added changelog and some clarifying comments.
Signed-off-by: Florian Brandes <florian.brandes@posteo.de>
We need to move NixOS containers somewhere else so these don't clash
with Podman, Skopeo & other container software in the libpod &
cri-o/cri-u/libcontainer ecosystems.
The state directory move is not strictly a requirement but is good for
consistency.
Tested on a RPi3 B+ with a 2g swapfile. On that system the test
still sometimes fails, but I suspect this is because it is really
just not powerful enough for this task.
Fixes#170395
- Code formatters normally strip trailing whitespace.
Since this test depends on the whitespace to succeed,
formatting the code would break the test
- This small change make this file to be formatted
while at the same time preserving the test meaning
`fcitx5` and `service.earlyoom` rely on use XDG autostart files to start.
But for X session with only window manager and no desktop manager
(`none` is used), no one can start them.
This options is added to run these autostart files for sessions without
desktop manager to make other services just work.
* python3Packages.fenics: fix build, pin to older boost
Looking at upstream, there are various issues with newer boost.
(At least some of them have been since fixed)
For now, fix the build by using a version of boost that works
with the current version.
Error here was complaining about `std::min_element`,
which is no longer available, apparently, due to newer boost
no longer (transitively) including <algorithm>.
This was added in C++17, so I'm not sure the cmake flag
specifying dolfin built with C++11 makes sense or is used.
Leaving for now :).
* nixos/tests/fenics: fix name of machine/node in script
Still fails for now.
* python3Packages.fenics: fix accidentally changed strings in subst
Looks like in migration to pkg-config this was erroneously
changed from `pkgconfig` (python package, and source string)
to `pkg-config` (nix package name, tool name).
(see 9bb3fccb5b)
Fixes the NixOS test.
With version 17 of Keycloak, the Wildfly based distribution was
deprecated in favor of the one based on Quarkus. The difference in
configuration is massive and to accommodate it, both the package and
module had to be rewritten.
Service:
- Fix misleading comment:
We could in fact implement password copying as a preStart script by
amending BindReadOnlyPaths, but adding an extra service is simpler.
Test:
- Add more detailed subtest names
- Simplify date check
The networkd.conf file controls a variety of interesting settings
which don't seem to be configurable at the moment, including
adding names to route tables (for networkd only, although this commit
also exports them into iproute2 for convenience's sake), and
the speed metering functionality built into networkd.
Importantly, however, this also allows disabling the systemd
functionality where it likes to delete all the routes and routing rules
that haven't been configured through networkd whenever something causes
it to perform a reconfiguration.
Adds a fully fledged NixOS VM integration test which uses jmtpfs and
gvfs to test the functionality of MTP inside of NixOS. It uses USB
device emulation in QEMU to create MTP device(s) which can be tested
against.
Installs Java into the Jenkins agent and allows specifying the JDK/JRE package to use. This is necessary as Jenkins verifies if the agent contains Java installed through the java -fullversion command, which if not, the connection will fail.
the build-time check is not safe (e.g. doesn't protect from bad users or nomissingok
paths missing), so add a new unit for configuration switch time check
Now the service no longer starts immediately,
check if the config we generated makes sense as soon as possible.
The check isn't perfect because logrotate --debug wants to check
users required, there are two problems:
- /etc/passwd and /etc/group are sandboxed and we don't have
visibility of system users
- the check phase runs as nixbld which cannot su to other users
and logrotate fails on this
Until these two problems can be addressed, users-related checks
are filtered out, it's still much better than no check.
The check can be disabled with services.logrotate.checkConfig
if required
(bird also has a preCheck param, to prepare the environment
before check, but we can add it if it becomes necessary)
Since this makes for very verbose builds, we only show errors:
There is no way to control log level, but logrotate hardcodes
'error:' at common log level, so we can use grep, taking care
to keep error codes
Some manual tests:
───────┬──────────────────────────────────────────
│ File: valid-config.conf
───────┼──────────────────────────────────────────
1 │ missingok
───────┴──────────────────────────────────────────
logrotate --debug ok
grep ok
───────┬──────────────────────────────────────────
│ File: postrotate-no-end.conf
───────┼──────────────────────────────────────────
1 │ missingok
2 │ /file {
3 │ postrotate
4 │ test
5 │ }
───────┴──────────────────────────────────────────
error: postrotate-no-end.conf:prerotate, postrotate or preremove without endscript
───────┬──────────────────────────────────────────
│ File: missing-file.conf
───────┼──────────────────────────────────────────
1 │ "test" { daily }
───────┴──────────────────────────────────────────
error: stat of test failed: No such file or directory
───────┬──────────────────────────────────────────
│ File: unknown-option.conf
───────┼──────────────────────────────────────────
1 │ some syntax error
───────┴──────────────────────────────────────────
logrotate --debug ok
error: unknown-option.conf:1 unknown option 'some' -- ignoring line
───────┬──────────────────────────────────────────
│ File: unknown-user.conf
───────┼──────────────────────────────────────────
1 │ su notauser notagroup
───────┴──────────────────────────────────────────
error: unknown-user.conf:1 unknown user 'notauser'
In particular note that logrotate would not error on unknown option
(it just ignores the line) but this change makes the check fail.
using freeform is the new standard way of using modules and should replace
extraConfig.
In particular, this will allow us to place a condition on mails
having pkgs.logrotate depend on mailutils brings in quite a bit of dependencies
through mailutil itself and recursive dependency to guile when most people
do not need it.
Remove mailutils dependency from the package, and conditionally add it to the
service if the user specify the mail option either at top level or in a path
Fixes#162001
This accomplishes multiple things:
- Allows us to start systemd without stage-2-init.sh. This was not
possible before because the environment would have been wrong
- `systemctl daemon-reexec` also changes the environment, giving us
newer tools for the fs packages
- Starts systemd in a fully clean environment, making everything more
consistent and pure
We can perform most of the mkdir/ln/rm using systemd-tmpfiles
instead which cleans up the script.
/bin and /home are created by their activation script snippets
usbfs is deprecated and unused.
hwclock seems to be automatically executed by systemd on startup.
The mkswap to prevent hibernation cycles seems to be executed by systemd
as well since the provided regression tests succeeds.
This patch allows creation of files like
/etc/systemd/system/user-.slice.d/limits.conf with
systemd.units."user-.slice.d/limits.conf" = {
text = ''
[Slice]
CPUAccounting=yes
CPUQuota=50%
'';
};
which previously threw an error
Also renames the systemd-unit-path test to sytsemd-misc, and extends it to
test that `systemd.units` can handle directories. In this case we make
sure that resource limits specified in user slices apply.
The tests complained:
/nix/store/nm3nf5y4hzgmy00lw5s6ls68j38y84y0-gjs-1.72.0-installedTests/libexec/installed-tests/gjs/scripts/testCommandLineModules.sh: line 90: gjs-console: command not found
But they still passed.
* nixos/earlyoom: bring the module up to date
Removes deprecated option `ignoreOOMScoreAdjust`, introduces `killHook`
as a replacement for `notificationsCommand`, and adds an `extraArgs`
option for things not covered by the module.
* nixos/earlyoom: add nixos test
* nixos/earlyoom: add reportInterval
Allows setting the interval for logging a memory report. Defaults to
3600 following upstream
(https://github.com/rfjakob/earlyoom/blob/master/earlyoom.default#L5)
to avoid flooding logs.
* nixos/earlyoom: add free{Mem,Swap}KillThreshold
Fixes https://github.com/NixOS/nixpkgs/issues/83504
In https://github.com/NixOS/nixpkgs/pull/142747, the implementation
behind Machine.execute() has been changed to pipe all the command's
output into base64 on the guest machine.
Unfortunately this means that base64 is blocking until stdout is closed,
which in turn means that we now need to make sure that whenever we run a
program in background via "&" we also need to make sure to close stdout,
which we do by redirecting stdout to stderr.
Signed-off-by: aszlig <aszlig@nix.build>
some change in the last 24 hours altered the behaviour of st such that
it now dies with a non-zero exit code when the shell exits, so kill is
now necessary
It was originally impossible to login in toot without having an
interactive shell. I opened https://github.com/ihabunek/toot/pull/180
upstream to fix that and fetch this patch for this test.
The author decided to fix the issue using a slightly different
approach at a3eb5dca24
Because of this upstream fix, our custom patch does not apply anymore.
Using that stdin-based login upstream feature.
pam-ussh allows authorizing using an SSH certificate stored in your
SSH agent, in a similar manner to pam-ssh-agent-auth, but for
certificates rather than raw public keys.
it's really easy to accidentally write the wrong systemd Exec* directive, ones
that works most of the time but fails when users include systemd metacharacters
in arguments that are interpolated into an Exec* directive. add a few functions
analogous to escapeShellArg{,s} and some documentation on how and when to use them.
This adds an option `services.taskserver.openFirewall` to allow the user
to choose whether or not the firewall port should be opened for the
service. This is no longer the case by default.
See also https://github.com/NixOS/nixpkgs/issues/19504.