The backupPrepareCommand and backupCleanupCommand options offer a way to
run a script to prepare for backup and then cleanup it once finish.
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Allow providing the repository as a file, useful when we don't want it
being stored in the Git repository as plain text.
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
systemd-247 provides a mechanism called LoadCredential for secrets and
it is better than environment file. See the section of Environment=
in the manual of systemd.exec for more information.
Some options in config.yaml need values to be strings, which currently
can be used with environmentFile but not loadCredential. But it's
possible to use loadCredential for those options, e.g. we can
substitute their values in ExecStart, but not in ExecStartPre due to
[1].
[1]: https://github.com/systemd/systemd/issues/19604
Prior to this patch:
$ nix-instantiate --eval -E '
> with import ./. {
> localSystem.config = "aarch64-unknown-linux-musl";
> };
> (nixos {}).config.nixpkgs.localSystem.config
> '
"aarch64-unknown-linux-gnu"
Because only the system triple was being passed through, the Musl part
of the system specification was lost. This patch fixes various
occurrences of NixOS evaluation when a Nixpkgs evaluation is already
available, to pass through the full elaborated system attribute set,
to avoid this loss of precision.
we expose it under settings instead of at the listener toplevel because
mosquitto seems to pick the addresses it will listen on
nondeterministically from the set of addresses configured on the
interface being bound to. encouraging its use by putting it into the
toplevel options for a listener seems inadvisable.
The old attribute is deprecated:
trace: warning: In test `chromium-stable': The `machine' attribute in NixOS
tests (pkgs.nixosTest / make-test-pyton.nix / testing-python.nix / makeTest) is
deprecated. Please use the equivalent `nodes.machine'.
Note: This is only a refactoring.
This allows btrbk instances without a triggering timer by setting
`onCalendar` to `null`.
This is useful for manual-starting only btrbk backup settings.
This will package up the closure of pkgs.hello in a tarball, and will
later on verify machinectl pull-tar properly unpacked it, serving as a
regression test for #108158.
Closes#108158
Initially applied via e7f6370701, then
reverted by 96aaf29234.
Re-applying this patch: the pleroma NixOS test is broken without it.
It was originally impossible to login in toot without having an
interactive shell. I opened https://github.com/ihabunek/toot/pull/180
upstream to fix that and fetch this patch for this test.
The author decided to fix the issue using a slightly different
approach at a3eb5dca24
Because of this upstream fix, our custom patch does not apply anymore.
Using that stdin-based login upstream feature.
Pointing pleroma_ctl to the right RELEASE_COOKIE as well.
Added Nextcloud 23 and set it as the default Nextcloud version for the
NixOS module. Added PHP 8.1 as an option for phpPackage and default for
Nextcloud ≥ 24.
The test would previously error out like this:
> synapse_homeserver[1155]: synapse.config._base.ConfigError: You have
> enabled open registration without any verification. This is a known
> vector for spam and abuse. If you would like to allow public
> registration, please consider adding email, captcha, or token-based
> verification. Otherwise this check can be removed by setting the
> `enable_registration_without_verification` config option to `true`.
- Make tests/lxd.nix use NixOS's lxdMeta & lxdImage to avoid relying on
3rd party containers such as Alpine Linux for testing purposes.
- Merge tests/lxd-image.nix into tests/lxd.nix, since now both have a
similar structure.
- Extract duplicated inline LXD configuration into a separate file,
- Add passthru.lxd-nftables & passthru.lxd-image-server.
This commit implements the following additional test cases for gitlab:
- Creating regular users
- git clone over http and ssh
- git push over ssh
- Forking projects
- Creating and merging Merge Requests
- Opening and closing issues.
Run each browser check as a separate NixOS test.
This fixes a problem in which one browser starts up before the previous
browser is finished exiting, exhausting a resource and causing a
spurious test failure.
As a bonus, splitting the test
* Gives more signal about exactly what's broken in the pass/fail status,
* Makes it easier to quickly diagnose test failures,
* Makes development iteration faster,
* Allows concurrent test execution, which makes the test finish sooner
when parallel builds are enabled.
* Would allow each browser's test to be included in its nixpkgs
passthru.tests, if desired (not done in this commit).
Reviewed-by: rnhmjoj <rnhmjoj@inventati.org>
this commit passes the build dependencies to the
pgadmin nixos test for package and regression testing.
Also added changelog and some clarifying comments.
Signed-off-by: Florian Brandes <florian.brandes@posteo.de>
We need to move NixOS containers somewhere else so these don't clash
with Podman, Skopeo & other container software in the libpod &
cri-o/cri-u/libcontainer ecosystems.
The state directory move is not strictly a requirement but is good for
consistency.
Tested on a RPi3 B+ with a 2g swapfile. On that system the test
still sometimes fails, but I suspect this is because it is really
just not powerful enough for this task.
Fixes#170395
- Code formatters normally strip trailing whitespace.
Since this test depends on the whitespace to succeed,
formatting the code would break the test
- This small change make this file to be formatted
while at the same time preserving the test meaning
`fcitx5` and `service.earlyoom` rely on use XDG autostart files to start.
But for X session with only window manager and no desktop manager
(`none` is used), no one can start them.
This options is added to run these autostart files for sessions without
desktop manager to make other services just work.
* python3Packages.fenics: fix build, pin to older boost
Looking at upstream, there are various issues with newer boost.
(At least some of them have been since fixed)
For now, fix the build by using a version of boost that works
with the current version.
Error here was complaining about `std::min_element`,
which is no longer available, apparently, due to newer boost
no longer (transitively) including <algorithm>.
This was added in C++17, so I'm not sure the cmake flag
specifying dolfin built with C++11 makes sense or is used.
Leaving for now :).
* nixos/tests/fenics: fix name of machine/node in script
Still fails for now.
* python3Packages.fenics: fix accidentally changed strings in subst
Looks like in migration to pkg-config this was erroneously
changed from `pkgconfig` (python package, and source string)
to `pkg-config` (nix package name, tool name).
(see 9bb3fccb5b)
Fixes the NixOS test.
With version 17 of Keycloak, the Wildfly based distribution was
deprecated in favor of the one based on Quarkus. The difference in
configuration is massive and to accommodate it, both the package and
module had to be rewritten.
Service:
- Fix misleading comment:
We could in fact implement password copying as a preStart script by
amending BindReadOnlyPaths, but adding an extra service is simpler.
Test:
- Add more detailed subtest names
- Simplify date check
The networkd.conf file controls a variety of interesting settings
which don't seem to be configurable at the moment, including
adding names to route tables (for networkd only, although this commit
also exports them into iproute2 for convenience's sake), and
the speed metering functionality built into networkd.
Importantly, however, this also allows disabling the systemd
functionality where it likes to delete all the routes and routing rules
that haven't been configured through networkd whenever something causes
it to perform a reconfiguration.
Adds a fully fledged NixOS VM integration test which uses jmtpfs and
gvfs to test the functionality of MTP inside of NixOS. It uses USB
device emulation in QEMU to create MTP device(s) which can be tested
against.
Installs Java into the Jenkins agent and allows specifying the JDK/JRE package to use. This is necessary as Jenkins verifies if the agent contains Java installed through the java -fullversion command, which if not, the connection will fail.
the build-time check is not safe (e.g. doesn't protect from bad users or nomissingok
paths missing), so add a new unit for configuration switch time check
Now the service no longer starts immediately,
check if the config we generated makes sense as soon as possible.
The check isn't perfect because logrotate --debug wants to check
users required, there are two problems:
- /etc/passwd and /etc/group are sandboxed and we don't have
visibility of system users
- the check phase runs as nixbld which cannot su to other users
and logrotate fails on this
Until these two problems can be addressed, users-related checks
are filtered out, it's still much better than no check.
The check can be disabled with services.logrotate.checkConfig
if required
(bird also has a preCheck param, to prepare the environment
before check, but we can add it if it becomes necessary)
Since this makes for very verbose builds, we only show errors:
There is no way to control log level, but logrotate hardcodes
'error:' at common log level, so we can use grep, taking care
to keep error codes
Some manual tests:
───────┬──────────────────────────────────────────
│ File: valid-config.conf
───────┼──────────────────────────────────────────
1 │ missingok
───────┴──────────────────────────────────────────
logrotate --debug ok
grep ok
───────┬──────────────────────────────────────────
│ File: postrotate-no-end.conf
───────┼──────────────────────────────────────────
1 │ missingok
2 │ /file {
3 │ postrotate
4 │ test
5 │ }
───────┴──────────────────────────────────────────
error: postrotate-no-end.conf:prerotate, postrotate or preremove without endscript
───────┬──────────────────────────────────────────
│ File: missing-file.conf
───────┼──────────────────────────────────────────
1 │ "test" { daily }
───────┴──────────────────────────────────────────
error: stat of test failed: No such file or directory
───────┬──────────────────────────────────────────
│ File: unknown-option.conf
───────┼──────────────────────────────────────────
1 │ some syntax error
───────┴──────────────────────────────────────────
logrotate --debug ok
error: unknown-option.conf:1 unknown option 'some' -- ignoring line
───────┬──────────────────────────────────────────
│ File: unknown-user.conf
───────┼──────────────────────────────────────────
1 │ su notauser notagroup
───────┴──────────────────────────────────────────
error: unknown-user.conf:1 unknown user 'notauser'
In particular note that logrotate would not error on unknown option
(it just ignores the line) but this change makes the check fail.
using freeform is the new standard way of using modules and should replace
extraConfig.
In particular, this will allow us to place a condition on mails
having pkgs.logrotate depend on mailutils brings in quite a bit of dependencies
through mailutil itself and recursive dependency to guile when most people
do not need it.
Remove mailutils dependency from the package, and conditionally add it to the
service if the user specify the mail option either at top level or in a path
Fixes#162001
This accomplishes multiple things:
- Allows us to start systemd without stage-2-init.sh. This was not
possible before because the environment would have been wrong
- `systemctl daemon-reexec` also changes the environment, giving us
newer tools for the fs packages
- Starts systemd in a fully clean environment, making everything more
consistent and pure
We can perform most of the mkdir/ln/rm using systemd-tmpfiles
instead which cleans up the script.
/bin and /home are created by their activation script snippets
usbfs is deprecated and unused.
hwclock seems to be automatically executed by systemd on startup.
The mkswap to prevent hibernation cycles seems to be executed by systemd
as well since the provided regression tests succeeds.
This patch allows creation of files like
/etc/systemd/system/user-.slice.d/limits.conf with
systemd.units."user-.slice.d/limits.conf" = {
text = ''
[Slice]
CPUAccounting=yes
CPUQuota=50%
'';
};
which previously threw an error
Also renames the systemd-unit-path test to sytsemd-misc, and extends it to
test that `systemd.units` can handle directories. In this case we make
sure that resource limits specified in user slices apply.
The tests complained:
/nix/store/nm3nf5y4hzgmy00lw5s6ls68j38y84y0-gjs-1.72.0-installedTests/libexec/installed-tests/gjs/scripts/testCommandLineModules.sh: line 90: gjs-console: command not found
But they still passed.
* nixos/earlyoom: bring the module up to date
Removes deprecated option `ignoreOOMScoreAdjust`, introduces `killHook`
as a replacement for `notificationsCommand`, and adds an `extraArgs`
option for things not covered by the module.
* nixos/earlyoom: add nixos test
* nixos/earlyoom: add reportInterval
Allows setting the interval for logging a memory report. Defaults to
3600 following upstream
(https://github.com/rfjakob/earlyoom/blob/master/earlyoom.default#L5)
to avoid flooding logs.
* nixos/earlyoom: add free{Mem,Swap}KillThreshold
Fixes https://github.com/NixOS/nixpkgs/issues/83504
In https://github.com/NixOS/nixpkgs/pull/142747, the implementation
behind Machine.execute() has been changed to pipe all the command's
output into base64 on the guest machine.
Unfortunately this means that base64 is blocking until stdout is closed,
which in turn means that we now need to make sure that whenever we run a
program in background via "&" we also need to make sure to close stdout,
which we do by redirecting stdout to stderr.
Signed-off-by: aszlig <aszlig@nix.build>
some change in the last 24 hours altered the behaviour of st such that
it now dies with a non-zero exit code when the shell exits, so kill is
now necessary
It was originally impossible to login in toot without having an
interactive shell. I opened https://github.com/ihabunek/toot/pull/180
upstream to fix that and fetch this patch for this test.
The author decided to fix the issue using a slightly different
approach at a3eb5dca24
Because of this upstream fix, our custom patch does not apply anymore.
Using that stdin-based login upstream feature.
pam-ussh allows authorizing using an SSH certificate stored in your
SSH agent, in a similar manner to pam-ssh-agent-auth, but for
certificates rather than raw public keys.
it's really easy to accidentally write the wrong systemd Exec* directive, ones
that works most of the time but fails when users include systemd metacharacters
in arguments that are interpolated into an Exec* directive. add a few functions
analogous to escapeShellArg{,s} and some documentation on how and when to use them.
This adds an option `services.taskserver.openFirewall` to allow the user
to choose whether or not the firewall port should be opened for the
service. This is no longer the case by default.
See also https://github.com/NixOS/nixpkgs/issues/19504.
The cntr sometimes hangs until the 10-hour hydra limit. This behaviour
appears to be an edge-case related to the type of TTY in which the cntr
command runs during test execution. We can work around this by running
the command as a background job.
I additionally added a wait_for_open_port to fix nondeterministic test
failures I observed after fixing the hanging issue.
In issue #157787 @martined wrote:
Trying to use confinement on packages providing their systemd units
with systemd.packages, for example mpd, fails with the following
error:
system-units> ln: failed to create symbolic link
'/nix/store/...-system-units/mpd.service': File exists
This is because systemd-confinement and mpd both provide a mpd.service
file through systemd.packages. (mpd got updated that way recently to
use upstream's service file)
To address this, we now place the unit file containing the bind-mounted
paths of the Nix closure into a drop-in directory instead of using the
name of a unit file directly.
This does come with the implication that the options set in the drop-in
directory won't apply if the main unit file is missing. In practice
however this should not happen for two reasons:
* The systemd-confinement module already sets additional options via
systemd.services and thus we should get a main unit file
* In the unlikely event that we don't get a main unit file regardless
of the previous point, the unit would be a no-op even if the options
of the drop-in directory would apply
Another thing to consider is the order in which those options are
merged, since systemd loads the files from the drop-in directory in
alphabetical order. So given that we have confinement.conf and
overrides.conf, the confinement options are loaded before the NixOS
overrides.
Since we're only setting the BindReadOnlyPaths option, the order isn't
that important since all those paths are merged anyway and we still
don't lose the ability to reset the option since overrides.conf comes
afterwards.
Fixes: https://github.com/NixOS/nixpkgs/issues/157787
Signed-off-by: aszlig <aszlig@nix.build>
Currently the test-watch.service gets started in a loop as long as
/testpath exists, so `rm /testpath /testpath-modified` runs into a race
condition where if the service was just getting activated, it will
create /testpath-modified and make the test fail.
This is fixed by making the service RemainAfterExit so that it only
starts once, and stopping it manually after we remove /testpath.
logrotate.timer is enough for rotating logs. Enabling logrotate.service would
make the service start on every configuration switch, leading to tests failure when
logrotate is enabled.
Also update test to make sure the timer is active and runs the service
on date change.
