So far, we have been building Systemd without `BPF_FRAMEWORK`. As a
result, some Systemd features like `RestrictNetworkInterfaces=` cannot
work. To make things worse, Systemd doesn't even complain when using a
feature which requires `+BPF_FRAMEWORK`; yet, the option has no effect:
# systemctl --version | grep -o "\-BPF_FRAMEWORK"
-BPF_FRAMEWORK
# systemd-run -t -p RestrictNetworkInterfaces="lo" ping -c 1 8.8.8.8
This commit enables `BPF_FRAMEWORK` by default. This is in line with
other distros (e.g., Fedora). Also note that BPF does not support stack
protector: https://lkml.org/lkml/2020/2/21/1000. To that end, I added a
small `CFLAGS` patch to the BPF building to keep using stack protector
as a default.
I also added an appropriate NixOS test.
According to pulseaudio(1), a system wide pulseaudio instance
can only be accessed by members of the `pulse-access` group.
This name seems to be hardcoded in
pulseaudio -- I didn't find any switch to change it.
We need to define the group so users can connect to the deamon.
This commit also fixes the systemwide pulseaudio vm test:
Previously, the test user `alice`
was just a member of the `audio` group.
This blocked access to the daemon and failed the test.
The commit changes the group assignment and fixes the vm test.
The test tries to detect the presence of pavucontrol's
window by looking for the tab label "Playback".
However, the OCR mechanism fails to resolve the
text, possibly due to the grey background color.
To fix this issue, we instead look for the name of the
sound device ("Dummy Output") which gets resolved by OCR.
Note: Strangely, the tab "Playback" *is* correctly
resolved when the test is run in interactive mode.
This might be due to the changed screen resolution,
but I didn't investigate further.
Enable keter module
Keter is an apploader which:
1. has the old app running on a port.
2. loads a new one, and wait for that to complete
3. switches the old with the new one once the new one finished loading.
It supports more functionality but this use case
is the primary one being used by supercede.
Adds keter as a module to nixos.
Currently keter is unusable with nix,
because it relies on bundeling of a tar and uploading that to a specific folder.
These expressions automate these devops tasks,
with especially nixops in mind.
This will work with versions above 1.8
The test seems to work.
This uses a new version of keter which has good
support for status code on error pages.
We're using this config at production at supercede
so it should be fine.
Squash log:
==========
mention keter in changelog
Update generated release notes
Always restart keter on failure
This is a little bit of extra stability in case keter crashes.
Which can happen under extreme conditions (DoS attacks).
Update nixos/doc/manual/release-notes/rl-2205.section.md
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Update nixos/modules/module-list.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Remove sanitization
don't put domain in as a string
Update nixos/tests/keter.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
add jappie as module maintainer
Use type path instead of two seperate options
Fix generated docs
added test machinery to figure out why it's failing
Fix the test, use console output
run nixpkgs-fmt on all modules
Inline config file.
This get's rid of a lot of inderection as well.
Run nix format
remove comment
simplify executable for test
delete config file
add config for keter root
Remove after redis clause
set keter root by default to /var/lib/keter
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
fix nit
add newlines
add default text and move description in a long description
Delete rather obvious comment
fix release db thing
remove longDescription and put it in a comment instead
change description of mkEnalbeOption
explain what keter does by using the hackage synopsis
set domain to keterDomain and same for executable
move comment to where it's happening
fix type error
add formatting better comment
try add seperate user for keter
Revert "try add seperate user for keter"
This reverts commit d3522d36c96117335bfa072e6f453406c244e940.
Doing this breaks the setup
set default to avoid needing cap_net_bind_service
remove weird comment
use example fields
eleborated on process leakage
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
run nixpkgs-fmt
update docs
Fix formatting, set keter package by default
format our little nixexpr
replace '' -> " where possible
drop indent for multiline string
make description much shorter
regen docs database
Introduced by fd7d901133. The openldap
module now expects the database directory to be below
`/var/lib/openldap`, oterhwise it'll fail evaluation like this:
Failed assertions:
- Database dc=example,dc=org has `olcDbDirectory` (/var/db/openldap) that is not a subdirectory of
`/var/lib/openldap/`.
The systemd-coredump module required systemd to be built with
withCoredump=true, even if the module was disabled.
- allow systemd to be missing systemd-coredump if the module is disabled
- switch to mkDefault for the sysctl config to allow user overrides when
the module is disabled
- add nixos tests for both the enabled and disabled cases
New web builds required updated title information to look for.
Rocket by default only listens on localhost, set to 0.0.0.0 to be
reachable by the client.
Selenium/Webdriver API changes required updates to function calls.
This change allows detecting configuration errors during
switch-to-configuration instead of them being reported asynchronously
*after* switch-to-configuration has exited.
(And update the NixOS test accordingly.)
Due to recent changes (likely a sqlite3 update) the sqlite3 meta-command
did suddenly succeed while sqlite3 is still unable to read the still
encrypted database. It just prints the following output and doesn't
seem to try to open/read the DB (which would fail):
```
main: /home/alice/.config/Signal/sql/db.sqlite r/w
```
We can simply fix this "regression" by instructing sqlite3 to list the tables
in the database (which fails because it cannot read the encrypted DB):
```
machine: must fail: su - alice -c 'sqlite3 ~/.config/Signal/sql/db.sqlite .tables'
machine # [ 47.036720] su[1178]: Successful su for alice by root
machine # [ 47.041049] su[1178]: pam_unix(su:session): session opened for user alice(uid=1000) by (uid=0)
machine # Error: file is not a database
machine # [ 47.116070] su[1178]: pam_unix(su:session): session closed for user alice
(finished: must fail: su - alice -c 'sqlite3 ~/.config/Signal/sql/db.sqlite .tables', in 0.12 seconds)
```
Fix#181463.
We want Openldap clients to load /etc/ldap.conf at runtime, not
${pkgs.openldap}/etc/ldap.conf which is always a sample config.
Pass sysconfdir=/etc at compile time, so that /etc/krb5.conf is embedded
in the library as the path of its config file.
Pass sysconfdir=${out}/etc at install time, so that the sample configs
and schema files are correctly included in the build output.
This hack works because the Makefiles are not smart enough to notice
that the sysconfdir variable has changed across invocations -- because
nobody ever writes their Makefiles to be that smart. :-)
Fixes#181937.
airsonic_is_up should return a bool, but machine.succeed returns a
string causing testScriptWithTypes to fail. This is fixed by executing
the cmd with machine.execute and checking the status code.
We want Openldap clients to load /etc/ldap.conf at runtime, not
${pkgs.openldap}/etc/ldap.conf which is always a sample config.
Pass sysconfdir=/etc at compile time, so that /etc/krb5.conf is embedded
in the library as the path of its config file.
Pass sysconfdir=${out}/etc at install time, so that the sample configs
and schema files are correctly included in the build output.
This hack works because the Makefiles are not smart enough to notice
that the sysconfdir variable has changed across invocations -- because
nobody ever writes their Makefiles to be that smart. :-)
Fixes#181937.
Rely on services.jenkins-job-builder to reload the configuration instead
of doing that manually in the test.
(If this had been implemented already, it would have caught the bug
fixed by the parent commit, that services.jenkins-job-builder failed to
reload jenkins config from disk.)
Wait until home-assistant is fully reloaded or restarted to spot
possible errors during startup.
Swap out bluetooth_tracker for esphome, since the bluetooth tracker
causes errors, when it does not find a bluetooth device.
Drop mosquitto from the environment. It wasn't used since the 2022.3.0
release when MQTT stopped being configurable from the YAML config.
* Update to the latest upstream version of pass-secret-service that includes
systemd service files.
* Add patch to fix use of a function that has been removed from the Python
Cryptography library in NixOS 22.05
* Install systemd service files in the Nix package.
* Add NixOS test to ensure the D-Bus API activates the service unit.
* Add myself as a maintainer to the package and NixOS test.
* Use checkTarget instead of equivalent custom checkPhase.
The FUSE mount functionality of IPFS was broken by the update to v0.13.0, so disable it. Hopefully it will be fixed soon.
See https://github.com/ipfs/kubo/issues/9044.
Due to lack of maintenance. It is not compatible with the default
Python version (due to the tornado 5) dependency, and doesn't look
like it will be any time soon.
- support librewolf in the firefox nixos test
- use the correct binary name
- ensure autoplay is always on for the audio test, since
librewolf disables it by default
This was broken by a bad merge, where the same attribute was added
separately in two different places.
Fixes: ef895f6b43 ("Merge pull request #173239 from jojosch/mjolnir-update")
Since 831024e2b9 ("nixos/dhcpcd: assert if privSep && alternative
malloc"), this test has an assertion failure because dhcpcd (with
privsep enabled) is not compatible with the allocator used by the
hardened profile.
Since it's unclear[1] what to do about this for the hardened profile,
I propose doing the simplest thing possible to make the test eval,
which is to just disable dhcpcd privsep. It's very inconvenient when
trying to refactor the NixOS test infrastructure to have a test that
doesn't evaluate. Once the correct solution is found for using dhcpcd
with privsep with the hardened profile, this patch can be reverted.
[1]: https://github.com/NixOS/nixpkgs/pull/157430
This commit fixes the following error:
Failed assertions:
- Setting xdg.portal.enable to true requires a portal implementation in xdg.portal.extraPortals such as xdg-desktop-portal-gtk or xdg-desktop-portal-kde.
* nixos/vault: add option to start in dev mode.
This is not only useful for nixos tests i.e. when testing vault agent
setups but also when playing around with vault in local setups. In our
tests we can now make use of this option to test more vault features.
i.e. adding this feature has uncovered the need for a `StateDirectory`.
* Update nixos/modules/services/security/vault.nix
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
Co-authored-by: Jonas Chevalier <zimbatm@zimbatm.com>
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
Simon passed away in December 2021.
Simon, it was a pleasure to work with you, to learn things together
and to share good times. It ended too soon. You will be missed.
This improves security, by starting the service as an unprivileged user,
rather than starting as root and relying on the service to drop
privileges. This requires a significant cleanup of pre-init scripts, to
make use of StateDirectory and RuntimeDirectory for permissions.
By default, this is /run/ldapi, which is not compatible with systemd's
runtime directories. Change it to /run/slapd/ldapi (in library and
server). This makes `ldapi:///` work as a default socket again.
I have read the full diff[0] between the previous owner and the new
maintained fork that I'm switching to, and could not find any suspicious
code. The new fork includes fixes that are otherwise crashing as of
Python 3.10.
This commit also fixes the PYTHONPATH which prevents the client from
starting.
This commit also adds a test that the client can successfully query the
server, testing the two components at once.
[0] https://github.com/SystemRage/py-kms/compare/master...Py-KMS-Organization:master
dhclient is no longer built by default in the dhcp package, so this
test has been broken since that change was made. To fix, switch to
dhcpcd. dhcpcd insists on writing into /var/run, so we need to ensure
that exists.
Fixes: a2c379d4b6 ("dhcp: make client and relay component optional")
This used to be StandardOutput=syslog, which was removed because
syslog is deprecated, but that caused the test to fail. So bring it
back, but set it to the non-deprecated "journal" value instead (which
is what systemd interprets "syslog" as now anyway).
Fixes: 962e15aebc ("nixos: remove StandardOutput=syslog, StandardError=syslog lines")
Otherwise, since the update to Virtualbox 6.1.22, the test would fail
due to the shared directory not existing.
Fixes: ba0da8a076 ("virtualbox: 6.1.18 -> 6.1.22")
Nested KVM has been enabled by default on Linux on Intel for a long
time now, and since Virtualbox 6.1.0, the test won't run without it
because Virtualbox now only supports running hardware-accelerated VMs.
Additionally, this means we can 64-bit guests by default. The 32-bit
guest additions don't currently build, so this is important to have
the tests work with the default options.
Riak have been updated a lot since the version 2.2 (now 3.0.10) but
has seen no updated to the package. This is at this point
a problem forcing us to maintain old versions of erlang.
We would be happy to re accept a newer version of Riak if someone want
to spend the time to set it up.
The original implementation did a simple string-comparison against the
output of `ip route`. This is problematic because
* if the details in the string-output change, the test breaks. This is
less likely with JSON because the relevant values (i.e. destination,
interface etc) aren't supposed to be changed.
* this is causing issues with formatters[1][2].
[1] #161703
[2] #154818
With multiple specialization changes this isn't very helpful anymore,
but no biggie since we check the log for errors anyway and the log is
not too verbose anyway.
Use `networking.resolvconf.package` to allow DNS entries to be set using
the system-wide resolver implementation instead of hardcoding systemd or
openresolv.
Extend the tests by adding DNS entries and making one of the peers use
systemd-networkd (hence systemd-resolved).
Also add a few `networkd`-specific settings.
`nixos/modules/installer/kexec/kexec-boot.nix` doesn't contain any
custom NixOS config, other than importing `netboot-minimal.nix` (which
imports `netboot-base.nix`, which imports `netboot.nix`.
`netboot.nix` really is just describing a self-contained system config,
running entirely off kernel and initrd, so we might as well move the
kexec script generation there as well.
`netboot.nix` already contains some `system.build` attributes.
Provide a `system.build.kexecTree` attribute (and `kexecScript` for
composability).
