3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

65 commits

Author SHA1 Message Date
Joachim F 5dafbb2cb1
Merge pull request #56719 from bricewge/miniflux-service
miniflux: add service
2019-04-12 09:57:30 +00:00
Bas van Dijk 2f2e2971d6
Merge pull request #58255 from jbgi/prometheus2
Add Prometheus 2 service in parallel with 1.x version (continuation)
2019-04-09 14:14:18 +02:00
Robin Gloster a58ab8fc05
Merge pull request #58398 from Ma27/package-documize
documize-community: init at 2.2.1
2019-04-08 22:34:11 +00:00
Maximilian Bosch acbb74ed18
documize-community: init at 2.2.1
Documize is an open-source alternative for wiki software like Confluence
based on Go and EmberJS. This patch adds the sources for the community
edition[1], for commercial their paid-plan[2] needs to be used.

For commercial use a derivation that bundles the commercial package and
contains a `$out/bin/documize` can be passed to
`services.documize.enable`.

The package compiles the Go sources, the build process also bundles the
pre-built frontend from `gui/public` into the binary.

The NixOS module generates a simple `systemd` unit which starts the
service as a dynamic user, database and a reverse proxy won't be
configured.

[1] https://www.documize.com/get-started/
[2] https://www.documize.com/pricing/
2019-04-08 23:54:57 +02:00
Bas van Dijk 394970047e nixos/tests: register the prometheus2 test 2019-04-08 15:24:23 +02:00
Jeremy Apthorp e8b68dd4f4 miniflux: add service 2019-04-06 03:52:15 +02:00
Jörg Thalheim d8445c9925
tests/pdns-recursor: add 2019-04-04 19:42:49 +01:00
Franz Pletz ab574424a0
Merge pull request #57789 from Ma27/wireguard-test
nixos/wireguard: add test
2019-04-02 08:11:52 +00:00
Tim Steinbach 5aef5c5931
kafka: Add test for 2.2
Also add back tests, don't seem broken anymore.

This is just fine:
nix-build ./nixos/release.nix -A tests.kafka.kafka_2_1.x86_64-linux -A tests.kafka.kafka_2_2.x86_64-linux
2019-04-01 08:39:25 -04:00
Tim Steinbach 3db50cc82f
linux: Add testing test 2019-04-01 08:31:36 -04:00
aszlig dcf40f7c24
Merge pull request #57519 (systemd-confinement)
Currently if you want to properly chroot a systemd service, you could do
it using BindReadOnlyPaths=/nix/store or use a separate derivation which
gathers the runtime closure of the service you want to chroot. The
former is the easier method and there is also a method directly offered
by systemd, called ProtectSystem, which still leaves the whole store
accessible. The latter however is a bit more involved, because you need
to bind-mount each store path of the runtime closure of the service you
want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages.

However, this process is a bit tedious, so the changes here implement
this in a more generic way.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.myservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      confinement.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes script and {pre,post}Start) need to be in the chroot,
it can be specified using the confinement.packages option. By default
(which uses the full-apivfs confinement mode), a user namespace is set
up as well and /proc, /sys and /dev are mounted appropriately.

In addition - and by default - a /bin/sh executable is provided, which
is useful for most programs that use the system() C library call to
execute commands via shell.

Unfortunately, there are a few limitations at the moment. The first
being that DynamicUser doesn't work in conjunction with tmpfs, because
systemd seems to ignore the TemporaryFileSystem option if DynamicUser is
enabled. I started implementing a workaround to do this, but I decided
to not include it as part of this pull request, because it needs a lot
more testing to ensure it's consistent with the behaviour without
DynamicUser.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and doesn't
include/exclude the individual bind mounts or the tmpfs.

A quirk we do have right now is that systemd tries to create a /usr
directory within the chroot, which subsequently fails. Fortunately, this
is just an ugly error and not a hard failure.

The changes also come with a changelog entry for NixOS 19.03, which is
why I asked for a vote of the NixOS 19.03 stable maintainers whether to
include it (I admit it's a bit late a few days before official release,
sorry for that):

  @samueldr:

    Via pull request comment[1]:

      +1 for backporting as this only enhances the feature set of nixos,
      and does not (at a glance) change existing behaviours.

    Via IRC:

      new feature: -1, tests +1, we're at zero, self-contained, with no
      global effects without actively using it, +1, I think it's good

  @lheckemann:

    Via pull request comment[2]:

      I'm neutral on backporting. On the one hand, as @samueldr says,
      this doesn't change any existing functionality. On the other hand,
      it's a new feature and we're well past the feature freeze, which
      AFAIU is intended so that new, potentially buggy features aren't
      introduced in the "stabilisation period". It is a cool feature
      though? :)

A few other people on IRC didn't have opposition either against late
inclusion into NixOS 19.03:

  @edolstra:  "I'm not against it"
  @Infinisil: "+1 from me as well"
  @grahamc:   "IMO its up to the RMs"

So that makes +1 from @samueldr, 0 from @lheckemann, 0 from @edolstra
and +1 from @Infinisil (even though he's not a release manager) and no
opposition from anyone, which is the reason why I'm merging this right
now.

I also would like to thank @Infinisil, @edolstra and @danbst for their
reviews.

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477322127
[2]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477548395
2019-03-29 04:37:53 +01:00
Aaron Andersen c99ea1c203 nixos/mailcatcher: add nixos test 2019-03-27 09:56:46 -04:00
Benjamin Staffin c94005358c NixOS: Run Docker containers as declarative systemd services (#55179)
* WIP: Run Docker containers as declarative systemd services

* PR feedback round 1

* docker-containers: add environment, ports, user, workdir options

* docker-containers: log-driver, string->str, line wrapping

* ExecStart instead of script wrapper, %n for container name

* PR feedback: better description and example formatting

* Fix docbook formatting (oops)

* Use a list of strings for ports, expand documentation

* docker-continers: add a simple nixos test

* waitUntilSucceeds to avoid potential weird async issues

* Don't enable docker daemon unless we actually need it

* PR feedback: leave ExecReload undefined
2019-03-25 00:59:09 +02:00
aszlig 12efcc2dee
Merge overlayfs fix, LTS kernel bump and test
In Linux 4.19 there has been a major rework of the overlayfs
implementation and it now opens files in lowerdir with O_NOATIME, which
in turn caused issues in our VM tests because the process owner of QEMU
doesn't match the file owner of the lowerdir.

The crux here is that 9p propagates the O_NOATIME flag to the host and
the guest kernel has no way of verifying whether that flag will lead to
any problems beforehand.

There is ongoing work to possibly fix this in the kernel, but it will
take a while until there is a working patch and consensus.

So in order to bring our default kernel back to 4.19 and of course make
it possible to run newer kernels in VM tests, I'm merging a small QEMU
patch as an interim solution, which we can drop once we have a working
fix in the next round of stable kernels.

Now we already had Linux 4.19 set as the default kernel, but that was
subsequently reverted in 048c36ccaa
because the patch we have used was the revert of the commit I bisected a
while ago.

This patch broke overlayfs in other ways, so I'm also merging in a VM
test by @bachp, which only tests whether overlayfs is working, just to
be on the safe side that something like this won't happen in the future.

Even though this change could be considered a moderate mass-rebuild at
least for GNU/Linux, I'm merging this to master, mainly to give us some
time to get it into the current 19.03 release branch (and subsequent
testing window) once we got no new breaking builds from Hydra.

Cc: @samueldr, @lheckemann

Fixes: https://github.com/NixOS/nixpkgs/issues/54509
Fixes: https://github.com/NixOS/nixpkgs/issues/48828
Merges: https://github.com/NixOS/nixpkgs/pull/57641
Merges: https://github.com/NixOS/nixpkgs/pull/54508
2019-03-19 00:15:51 +01:00
worldofpeace 5e7623aefc nixos/tests/colord: init 2019-03-18 08:05:42 -04:00
Maximilian Bosch 0c4e9e397e
nixos/wireguard: add test
After working on the last wireguard bump (#57534), we figured that it's
probably a good idea to have a basic test which confirms that a simple
VPN with wireguard still works.

This test starts two peers with a `wg0` network interface and adds a v4
and a v6 route that goes through `wg0`.
2019-03-18 00:22:23 +01:00
Pascal Bach a8307b9f39 nixos/overlayfs: add test 2019-03-15 15:15:32 +01:00
aszlig 0ba48f46da
nixos/systemd-chroot: Rename chroot to confinement
Quoting @edolstra from [1]:

  I don't really like the name "chroot", something like "confine[ment]"
  or "restrict" seems better. Conceptually we're not providing a
  completely different filesystem tree but a restricted view of the same
  tree.

I already used "confinement" as a sub-option and I do agree that
"chroot" sounds a bit too specific (especially because not *only* chroot
is involved).

So this changes the module name and its option to use "confinement"
instead of "chroot" and also renames the "chroot.confinement" to
"confinement.mode".

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 19:14:03 +01:00
aszlig ac64ce9945
nixos: Add 'chroot' options to systemd.services
Currently, if you want to properly chroot a systemd service, you could
do it using BindReadOnlyPaths=/nix/store (which is not what I'd call
"properly", because the whole store is still accessible) or use a
separate derivation that gathers the runtime closure of the service you
want to chroot. The former is the easier method and there is also a
method directly offered by systemd, called ProtectSystem, which still
leaves the whole store accessible. The latter however is a bit more
involved, because you need to bind-mount each store path of the runtime
closure of the service you want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages. That's also what I did several times[1][2] in the
past.

However, this process got a bit tedious, so I decided that it would be
generally useful for NixOS, so this very implementation was born.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.yourservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      chroot.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes "script" and {pre,post}Start) need to be in the
chroot, it can be specified using the chroot.packages option. By
default (which uses the "full-apivfs"[3] confinement mode), a user
namespace is set up as well and /proc, /sys and /dev are mounted
appropriately.

In addition - and by default - a /bin/sh executable is provided as well,
which is useful for most programs that use the system() C library call
to execute commands via shell. The shell providing /bin/sh is dash
instead of the default in NixOS (which is bash), because it's way more
lightweight and after all we're chrooting because we want to lower the
attack surface and it should be only used for "/bin/sh -c something".

Prior to submitting this here, I did a first implementation of this
outside[4] of nixpkgs, which duplicated the "pathSafeName" functionality
from systemd-lib.nix, just because it's only a single line.

However, I decided to just re-use the one from systemd here and
subsequently made it available when importing systemd-lib.nix, so that
the systemd-chroot implementation also benefits from fixes to that
functionality (which is now a proper function).

Unfortunately, we do have a few limitations as well. The first being
that DynamicUser doesn't work in conjunction with tmpfs, because it
already sets up a tmpfs in a different path and simply ignores the one
we define. We could probably solve this by detecting it and try to
bind-mount our paths to that different path whenever DynamicUser is
enabled.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and not the
individual bind mounts or our tmpfs. It would be helpful if systemd
would have a way to disable specific bind mounts as well or at least
have some way to ignore failures for the bind mounts/tmpfs setup.

Another quirk we do have right now is that systemd tries to create a
/usr directory within the chroot, which subsequently fails. Fortunately,
this is just an ugly error and not a hard failure.

[1]: https://github.com/headcounter/shabitica/blob/3bb01728a0237ad5e7/default.nix#L43-L62
[2]: https://github.com/aszlig/avonc/blob/dedf29e092481a33dc/nextcloud.nix#L103-L124
[3]: The reason this is called "full-apivfs" instead of just "full" is
     to make room for a *real* "full" confinement mode, which is more
     restrictive even.
[4]: https://github.com/aszlig/avonc/blob/92a20bece4df54625e/systemd-chroot.nix

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 19:14:01 +01:00
Martin Weinelt a978d3dcd2
nixos/knot: init 2019-03-14 01:28:53 +01:00
hyperfekt 3731835efc nixos/fish: generate autocompletions from man pages 2019-02-27 12:23:48 +01:00
aanderse e5405f9ae8 nixos/beanstalkd: new service for existing package (#55953) 2019-02-22 14:10:02 +01:00
Frederik Rietdijk 6fe10d2779 Merge master into staging-next 2019-02-16 09:29:54 +01:00
Frederik Rietdijk 7257dedd7c Merge master into staging-next 2019-02-13 12:33:29 +01:00
Johan Thomsen adc9da6178 nixos/flannel: fix flannel nixos test, add test to all-tests.nix 2019-02-12 18:26:39 +01:00
Florian Klink e6df4dfe59
Merge pull request #54800 from nlewo/nova
Remove cloud-init from the Openstack image configuration
2019-02-11 22:23:32 +01:00
Antoine Eiche d190b204f0 Rename novaImage to openstackImage
People don't necessary know `nova` is related to Openstack (it is a
component of Openstack). So, it is more explicit to call it
`openstackImage`.
2019-02-11 20:58:44 +01:00
Matthew Bauer 5c09d977c7 Merge remote-tracking branch 'origin/master' into staging 2019-02-09 12:14:06 -05:00
Ryan Mulligan d2904c8fbd
Merge pull request #53442 from erictapen/osrm-test
nixos/tests: add osrm-backend test
2019-02-08 06:46:57 -08:00
Florian Klink 400aa7b86a minio: add test to nixos/tests/all-tests.nix 2019-02-05 17:38:34 +01:00
Maximilian Bosch a29294cb95
nixos/ndppd: register test 2019-02-03 16:47:01 +01:00
Florian Klink e84a23c5f7 neo4j: add neo4j test 2019-02-01 16:01:08 +01:00
Vladimír Čunát 8ba516664b
Merge branch 'staging-next' into staging 2019-02-01 09:42:53 +01:00
Pierre Bourdon 20b1febace
nixos/tests: add nginx-sso basic functionality test 2019-01-29 19:54:14 +01:00
Wael Nasreddine f072cfe1eb
nixos/pam: refactor U2F, docs about u2f_keys path (#54756)
* change enableU2F option to u2f.* set
* add few u2f options (not all) to customize pam-u2f module
* document default u2f_keys locations

Co-authored-by: Tomasz Czyż <tomasz.czyz@gmail.com>
Co-authored-by: Arda Xi <arda@ardaxi.com>
2019-01-29 08:45:26 -08:00
Matthew Bauer 92f0f8dd68 Merge remote-tracking branch 'NixOS/master' into staging 2019-01-27 00:01:13 -05:00
Elis Hirwing 3df02c6c03
nixos/jackett: Add test for jackett to ensure startup 2019-01-25 07:12:41 +01:00
Elis Hirwing eb356ef3f8
nixos/lidarr: Add test for lidarr to ensure startup 2019-01-25 07:12:08 +01:00
Elis Hirwing ddcb2c473d
nixos/radarr: Add test for radarr to ensure startup 2019-01-25 07:11:28 +01:00
Elis Hirwing 8be2345baf
nixos/sonarr: Add test for sonarr to ensure startup 2019-01-25 07:10:40 +01:00
Justin Humm 694c351cc3
nixos/tests: add osrm-backend test 2019-01-25 00:43:34 +01:00
worldofpeace 4abc6ff9e8 nixos/tests/all-tests.nix: add pantheon 2019-01-24 17:33:05 -05:00
Jörg Thalheim ecd1129dee
nixos/telegraf: add test 2019-01-21 11:37:20 +00:00
Piotr Bogdan cfc281f571 nixos/tests/kerberos: fix evaluation 2019-01-11 04:36:51 +00:00
Joachim Fasting e6538caa48
nixos/tests: re-enable hardened test
Has been okay since 62623b60d5
2019-01-06 14:08:20 +01:00
Jan Tojnar ef935fa101
Merge branch 'master' into staging 2018-12-24 15:02:29 +01:00
Florian Klink 0f46188ca1 nixos/tests: add google-oslogin test 2018-12-21 17:52:37 +01:00
Maximilian Bosch 64d05bbdd2
clickhouse: fix module and package runtime
Although the package itself builds fine, the module fails because it
tries to log into a non-existant file in `/var/log` which breaks the
service. Patching to default config to log to stdout by default fixes
the issue. Additionally this is the better solution as NixOS heavily
relies on systemd (and thus journald) for logging.

Also, the runtime relies on `/etc/localtime` to start, as it's not
required by the module system we set UTC as sensitive default when using
the module.

To ensure that the service's basic functionality is available, a simple
NixOS test has been added.
2018-12-20 13:03:41 +01:00
Frederik Rietdijk 9ab61ab8e2 Merge staging-next into staging 2018-12-19 09:00:36 +01:00
Franz Pletz 58db4c1a7e
Revert "nixos/tests: add clamav test"
This reverts commit 6433f3b13b.

Fixes #52446.
2018-12-17 19:24:44 +01:00