Merge #138918: Fix several NixOS errors in Hydra evaluation

In particular, this should unblock the trunk-combined jobset.

+120 -56
+1 -1
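--- a/nixos/modules/config/krb5/default.nix
+++ b/nixos/modules/config/krb5/default.nix
@@ -84,7 +84,7 @@
 type = types.package;
 default = pkgs.krb5Full;
 defaultText = "pkgs.krb5Full";
-example = literalExample "pkgs.heimdalFull";
+example = literalExample "pkgs.heimdal";
 description = ''
 The Kerberos implementation that will be present in
 <literal>environment.systemPackages</literal> after enabling this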
+9 -2
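--- a/nixos/modules/programs/atop.nix
+++ b/nixos/modules/programs/atop.nix
@@ -141,8 +141,15 @@
 // mkService cfg.atopgpu.enable "atopgpu" [ atop ];
 timers = mkTimer cfg.atopRotateTimer.enable "atop-rotate" [ atop ];
 };
-security.wrappers =
-lib.mkIf cfg.setuidWrapper.enable { atop = { source = "${atop}/bin/atop"; }; };
+
+security.wrappers = lib.mkIf cfg.setuidWrapper.enable {
+atop =
+{ setuid = true;
+owner = "root";
+group = "root";
+source = "${atop}/bin/atop";
+};
+};
 }
 );
 }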
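Review bot: The new `security.wrappers.atop` block installs atop setuid root without a comment saying why root is needed or who is expected to run it, and it sets no `permissions`, so the wrapper module's default mode decides which local users can execute it. A comment above the block, for example `# setuid root: lets unprivileged users run atop with full privileges; enable only where local users are trusted`, would record the trade-off (the exact reason should be confirmed against atop's documentation). If only a monitoring group needs it, `group = "<monitoring-group>"; permissions = "u+rx,g+x";` narrows who can reach a root-owned setuid binary.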
+1 -1
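--- a/nixos/modules/programs/plotinus.nix
+++ b/nixos/modules/programs/plotinus.nix
@@ -30,7 +30,7 @@
 ###### implementation
 
 config = mkIf cfg.enable {
-environment.variables.XDG_DATA_DIRS = [ "${pkgs.plotinus}/share/gsettings-schemas/${pkgs.plotinus.name}" ];
+environment.sessionVariables.XDG_DATA_DIRS = [ "${pkgs.plotinus}/share/gsettings-schemas/${pkgs.plotinus.name}" ];
 environment.variables.GTK3_MODULES = [ "${pkgs.plotinus}/lib/libplotinus.so" ];
 };
 }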
+23 -18
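--- a/nixos/modules/services/cluster/kubernetes/default.nix
+++ b/nixos/modules/services/cluster/kubernetes/default.nix
@@ -5,28 +5,33 @@
 let
 cfg = config.services.kubernetes;
 
-defaultContainerdConfigFile = pkgs.writeText "containerd.toml" ''
-version = 2
-root = "/var/lib/containerd"
-state = "/run/containerd"
-oom_score = 0
+defaultContainerdSettings = {
+version = 2;
+root = "/var/lib/containerd";
+state = "/run/containerd";
+oom_score = 0;
 
-[grpc]
-address = "/run/containerd/containerd.sock"
+grpc = {
+address = "/run/containerd/containerd.sock";
+};
 
-[plugins."io.containerd.grpc.v1.cri"]
-sandbox_image = "pause:latest"
+plugins."io.containerd.grpc.v1.cri" = {
+sandbox_image = "pause:latest";
 
-[plugins."io.containerd.grpc.v1.cri".cni]
-bin_dir = "/opt/cni/bin"
-max_conf_num = 0
+cni = {
+bin_dir = "/opt/cni/bin";
+max_conf_num = 0;
+};
 
-[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
-runtime_type = "io.containerd.runc.v2"
+containerd.runtimes.runc = {
+runtime_type = "io.containerd.runc.v2";
+};
 
-[plugins."io.containerd.grpc.v1.cri".containerd.runtimes."io.containerd.runc.v2".options]
-SystemdCgroup = true
-'';
+containerd.runtimes."io.containerd.runc.v2".options = {
+SystemdCgroup = true;
+};
+};
+};
 
 mkKubeConfig = name: conf: pkgs.writeText "${name}-kubeconfig" (builtins.toJSON {
 apiVersion = "v1";
@@ -248,7 +253,7 @@
 (mkIf cfg.kubelet.enable {
 virtualisation.containerd = {
 enable = mkDefault true;
-configFile = mkDefault defaultContainerdConfigFile;
+settings = mkDefault defaultContainerdSettings;
 };
 })
 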
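Review bot: In `defaultContainerdSettings`, `SystemdCgroup = true` hangs off a runtime entry named `"io.containerd.runc.v2"`, while the entry that carries a `runtime_type` is `runc`. This mirrors the removed TOML, so the commit does not introduce it, but the conversion is a good point to confirm that the cgroup-driver setting reaches the runtime the kubelet actually uses. If the intent is to configure `runc`, the attribute would read `containerd.runtimes.runc.options = { SystemdCgroup = true; };`. Separately, `sandbox_image = "pause:latest"` is a mutable tag with nothing nearby saying where the image comes from; a one-line comment naming its source would help anyone auditing image provenance on the node.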
+1
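--- a/nixos/modules/services/networking/dnscrypt-wrapper.nix
+++ b/nixos/modules/services/networking/dnscrypt-wrapper.nix
@@ -217,6 +217,7 @@
 home = "${dataDir}";
 createHome = true;
 isSystemUser = true;
+group = "dnscrypt-wrapper";
 };
 users.groups.dnscrypt-wrapper = { };
 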
+1 -1
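--- a/nixos/modules/services/networking/flannel.nix
+++ b/nixos/modules/services/networking/flannel.nix
@@ -164,7 +164,7 @@
 path = [ pkgs.iptables ];
 preStart = optionalString (cfg.storageBackend == "etcd") ''
 echo "setting network configuration"
-until ${pkgs.etcdctl}/bin/etcdctl set /coreos.com/network/config '${builtins.toJSON networkConfig}'
+until ${pkgs.etcd}/bin/etcdctl set /coreos.com/network/config '${builtins.toJSON networkConfig}'
 do
 echo "setting network configuration, retry"
 sleep 1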
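Review bot: On the changed `until … etcdctl set` line, the output of `builtins.toJSON networkConfig` is pasted between literal single quotes, so a single quote anywhere in the network configuration ends the shell string early and the rest is parsed as shell. Passing it through the library helper avoids that: `until ${pkgs.etcd}/bin/etcdctl set /coreos.com/network/config ${escapeShellArg (builtins.toJSON networkConfig)}` (written as `lib.escapeShellArg` if the file does not open `lib`). The `preStart` script continues past the end of the hunk, so the rest of the retry loop is not visible here.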
+1 -1
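--- a/nixos/modules/services/search/meilisearch.nix
+++ b/nixos/modules/services/search/meilisearch.nix
@@ -8,7 +8,7 @@
 in
 {
 
-meta.maintainers = with maintainers; [ filalex77 ];
+meta.maintainers = with maintainers; [ Br1ght0ne ];
 
 ###### interface
 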
+1 -1
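--- a/nixos/modules/services/system/kerberos/heimdal.nix
+++ b/nixos/modules/services/system/kerberos/heimdal.nix
@@ -27,7 +27,7 @@
 {
 # No documentation about correct triggers, so guessing at them.
 
-config = mkIf (cfg.enable && kerberos == pkgs.heimdalFull) {
+config = mkIf (cfg.enable && kerberos == pkgs.heimdal) {
 systemd.services.kadmind = {
 description = "Kerberos Administration Daemon";
 wantedBy = [ "multi-user.target" ];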
-1
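--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -223,7 +223,6 @@
 krb5 = discoverTests (import ./krb5 {});
 ksm = handleTest ./ksm.nix {};
 kubernetes = handleTestOn ["x86_64-linux"] ./kubernetes {};
-latestKernel.hardened = handleTest ./hardened.nix { latestKernel = true; };
 latestKernel.login = handleTest ./login.nix { latestKernel = true; };
 leaps = handleTest ./leaps.nix {};
 libreddit = handleTest ./libreddit.nix {};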
-2
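--- a/nixos/tests/atop.nix
+++ b/nixos/tests/atop.nix
@@ -105,8 +105,6 @@
 };
 in
 {
-name = "atop";
-
 justThePackage = makeTest {
 name = "atop-justThePackage";
 machine = {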
+1 -1
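--- a/nixos/tests/cntr.nix
+++ b/nixos/tests/cntr.nix
@@ -9,7 +9,7 @@
 makeTest {
 name = "cntr-${backend}";
 
-meta = { maintainers = with lib.maintainers; [ srk mic92 ]; };
+meta = { maintainers = with lib.maintainers; [ sorki mic92 ]; };
 
 nodes = {
 ${backend} = { pkgs, ... }: {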
+5
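--- a/nixos/tests/ec2.nix
+++ b/nixos/tests/ec2.nix
@@ -24,6 +24,11 @@
 ln -s vda1 /dev/xvda1
 '';
 
+# In a NixOS test the serial console is occupied by the "backdoor"
+# (see testing/test-instrumentation.nix) and is incompatible with
+# the configuration in virtualisation/amazon-image.nix.
+systemd.services."serial-getty@ttyS0".enable = mkForce false;
+
 # Needed by nixos-rebuild due to the lack of network
 # access. Determined by trial and error.
 system.extraDependencies = with pkgs; ( [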
+2 -2
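--- a/nixos/tests/enlightenment.nix
+++ b/nixos/tests/enlightenment.nix
@@ -11,8 +11,8 @@
 imports = [ ./common/user-account.nix ];
 services.xserver.enable = true;
 services.xserver.desktopManager.enlightenment.enable = true;
-services.xserver.displayManager.lightdm = {
-enable = true;
+services.xserver.displayManager = {
+lightdm.enable = true;
 autoLogin = {
 enable = true;
 user = "alice";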
+1 -3
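--- a/nixos/tests/hardened.nix
+++ b/nixos/tests/hardened.nix
@@ -1,4 +1,4 @@
-import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : {
+import ./make-test-python.nix ({ pkgs, ... } : {
 name = "hardened";
 meta = with pkgs.lib.maintainers; {
 maintainers = [ joachifm ];
@@ -10,8 +10,6 @@
 { users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; };
 users.users.sybil = { isNormalUser = true; group = "wheel"; };
 imports = [ ../modules/profiles/hardened.nix ];
-boot.kernelPackages =
-lib.mkIf latestKernel pkgs.linuxPackages_latest_hardened;
 environment.memoryAllocator.provider = "graphene-hardened";
 nix.useSandbox = false;
 virtualisation.emptyDiskImages = [ 4096 ];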
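Review bot: With the `boot.kernelPackages` override for `pkgs.linuxPackages_latest_hardened` gone from the machine config, and the `latestKernel.hardened` entry dropped from all-tests.nix, the hardened profile is no longer exercised against the latest hardened kernel, and nothing in the file records why. A short comment next to the `imports` line, for example `# latestKernel variant removed: <reason / tracking issue>`, would show the next reader that the lost coverage was deliberate and what would need fixing to restore it. The machine definition continues past the end of the second hunk.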
+1 -1
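--- a/nixos/tests/kerberos/heimdal.nix
+++ b/nixos/tests/kerberos/heimdal.nix
@@ -9,7 +9,7 @@
 };
 krb5 = {
 enable = true;
-kerberos = pkgs.heimdalFull;
+kerberos = pkgs.heimdal;
 libdefaults = {
 default_realm = "FOO.BAR";
 };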
+1 -1
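--- a/nixos/tests/meilisearch.nix
+++ b/nixos/tests/meilisearch.nix
@@ -10,7 +10,7 @@
 '';
 in {
 name = "meilisearch";
-meta.maintainers = with lib.maintainers; [ filalex77 ];
+meta.maintainers = with lib.maintainers; [ Br1ght0ne ];
 
 machine = { ... }: {
 environment.systemPackages = with pkgs; [ curl jq ];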
+4 -1
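--- a/nixos/tests/minio.nix
+++ b/nixos/tests/minio.nix
@@ -28,7 +28,10 @@
 machine = { pkgs, ... }: {
 services.minio = {
 enable = true;
-inherit accessKey secretKey;
+rootCredentialsFile = pkgs.writeText "minio-credentials" ''
+MINIO_ROOT_USER=${accessKey}
+MINIO_ROOT_PASSWORD=${secretKey}
+'';
 };
 environment.systemPackages = [ pkgs.minio-client ];
 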
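Review bot: `rootCredentialsFile` is built with `pkgs.writeText`, which places the access and secret key in the Nix store, where every local user can read them. That is acceptable for the throwaway keys of a VM test, but nothing at this spot says so, and test files are often read as configuration examples. A comment above the attribute, e.g. `# Test-only: writeText puts these credentials in the world-readable Nix store; real deployments should point rootCredentialsFile at a file outside the store`, would keep the pattern from being copied unchanged.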
+1 -1
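--- a/nixos/tests/mpv.nix
+++ b/nixos/tests/mpv.nix
@@ -14,7 +14,7 @@
 {
 environment.systemPackages = [
 pkgs.curl
-(pkgs.mpv-with-scripts.override {
+(pkgs.wrapMpv pkgs.mpv-unwrapped {
 scripts = [ pkgs.mpvScripts.simple-mpv-webui ];
 })
 ];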
+13 -3
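--- a/nixos/tests/mysql/mariadb-galera-mariabackup.nix
+++ b/nixos/tests/mysql/mariadb-galera-mariabackup.nix
@@ -4,6 +4,16 @@
 mysqlenv-common = pkgs.buildEnv { name = "mysql-path-env-common"; pathsToLink = [ "/bin" ]; paths = with pkgs; [ bash gawk gnutar inetutils which ]; };
 mysqlenv-mariabackup = pkgs.buildEnv { name = "mysql-path-env-mariabackup"; pathsToLink = [ "/bin" ]; paths = with pkgs; [ gzip iproute2 netcat procps pv socat ]; };
 
+# Common user configuration
+users = { ... }:
+{
+users.users.testuser = {
+isSystemUser = true;
+group = "testusers";
+};
+users.groups.testusers = { };
+};
+
 in {
 name = "mariadb-galera-mariabackup";
 meta = with pkgs.lib.maintainers; {
@@ -17,6 +27,7 @@
 galera_01 =
 { pkgs, ... }:
 {
+imports = [ users ];
 networking = {
 interfaces.eth1 = {
 ipv4.addresses = [
@@ -31,7 +42,6 @@
 firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
 firewall.allowedUDPPorts = [ 4567 ];
 };
-users.users.testuser = { isSystemUser = true; };
 systemd.services.mysql = with pkgs; {
 path = [ mysqlenv-common mysqlenv-mariabackup ];
 };
@@ -75,6 +85,7 @@
 galera_02 =
 { pkgs, ... }:
 {
+imports = [ users ];
 networking = {
 interfaces.eth1 = {
 ipv4.addresses = [
@@ -89,7 +100,6 @@
 firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
 firewall.allowedUDPPorts = [ 4567 ];
 };
-users.users.testuser = { isSystemUser = true; };
 systemd.services.mysql = with pkgs; {
 path = [ mysqlenv-common mysqlenv-mariabackup ];
 };
@@ -122,6 +132,7 @@
 galera_03 =
 { pkgs, ... }:
 {
+imports = [ users ];
 networking = {
 interfaces.eth1 = {
 ipv4.addresses = [
@@ -136,7 +147,6 @@
 firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
 firewall.allowedUDPPorts = [ 4567 ];
 };
-users.users.testuser = { isSystemUser = true; };
 systemd.services.mysql = with pkgs; {
 path = [ mysqlenv-common mysqlenv-mariabackup ];
 };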
+13 -3
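--- a/nixos/tests/mysql/mariadb-galera-rsync.nix
+++ b/nixos/tests/mysql/mariadb-galera-rsync.nix
@@ -4,6 +4,16 @@
 mysqlenv-common = pkgs.buildEnv { name = "mysql-path-env-common"; pathsToLink = [ "/bin" ]; paths = with pkgs; [ bash gawk gnutar inetutils which ]; };
 mysqlenv-rsync = pkgs.buildEnv { name = "mysql-path-env-rsync"; pathsToLink = [ "/bin" ]; paths = with pkgs; [ lsof procps rsync stunnel ]; };
 
+# Common user configuration
+users = { ... }:
+{
+users.users.testuser = {
+isSystemUser = true;
+group = "testusers";
+};
+users.groups.testusers = { };
+};
+
 in {
 name = "mariadb-galera-rsync";
 meta = with pkgs.lib.maintainers; {
@@ -17,6 +27,7 @@
 galera_04 =
 { pkgs, ... }:
 {
+imports = [ users ];
 networking = {
 interfaces.eth1 = {
 ipv4.addresses = [
@@ -31,7 +42,6 @@
 firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
 firewall.allowedUDPPorts = [ 4567 ];
 };
-users.users.testuser = { isSystemUser = true; };
 systemd.services.mysql = with pkgs; {
 path = [ mysqlenv-common mysqlenv-rsync ];
 };
@@ -70,6 +80,7 @@
 galera_05 =
 { pkgs, ... }:
 {
+imports = [ users ];
 networking = {
 interfaces.eth1 = {
 ipv4.addresses = [
@@ -84,7 +95,6 @@
 firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
 firewall.allowedUDPPorts = [ 4567 ];
 };
-users.users.testuser = { isSystemUser = true; };
 systemd.services.mysql = with pkgs; {
 path = [ mysqlenv-common mysqlenv-rsync ];
 };
@@ -116,6 +126,7 @@
 galera_06 =
 { pkgs, ... }:
 {
+imports = [ users ];
 networking = {
 interfaces.eth1 = {
 ipv4.addresses = [
@@ -130,7 +141,6 @@
 firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
 firewall.allowedUDPPorts = [ 4567 ];
 };
-users.users.testuser = { isSystemUser = true; };
 systemd.services.mysql = with pkgs; {
 path = [ mysqlenv-common mysqlenv-rsync ];
 };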
+29 -7
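--- a/nixos/tests/mysql/mysql.nix
+++ b/nixos/tests/mysql/mysql.nix
@@ -1,4 +1,26 @@
-import ./../make-test-python.nix ({ pkgs, ...} : {
+import ./../make-test-python.nix ({ pkgs, ...}:
+
+
+let
+# Setup common users
+users = { ... }:
+{
+users.groups.testusers = { };
+
+users.users.testuser = {
+isSystemUser = true;
+group = "testusers";
+};
+
+users.users.testuser2 = {
+isSystemUser = true;
+group = "testusers";
+};
+};
+
+in
+
+{
 name = "mysql";
 meta = with pkgs.lib.maintainers; {
 maintainers = [ eelco shlevy ];
@@ -9,8 +31,8 @@
 { pkgs, ... }:
 
 {
-users.users.testuser = { isSystemUser = true; };
-users.users.testuser2 = { isSystemUser = true; };
+imports = [ users ];
+
 services.mysql.enable = true;
 services.mysql.initialDatabases = [
 { name = "testdb3"; schema = ./testdb.sql; }
@@ -40,12 +62,12 @@
 { pkgs, ... }:
 
 {
+imports = [ users ];
+
 # prevent oom:
 # Kernel panic - not syncing: Out of memory: compulsory panic_on_oom is enabled
 virtualisation.memorySize = 1024;
 
-users.users.testuser = { isSystemUser = true; };
-users.users.testuser2 = { isSystemUser = true; };
 services.mysql.enable = true;
 services.mysql.initialDatabases = [
 { name = "testdb3"; schema = ./testdb.sql; }
@@ -75,8 +97,8 @@
 { pkgs, ... }:
 
 {
-users.users.testuser = { isSystemUser = true; };
-users.users.testuser2 = { isSystemUser = true; };
+imports = [ users ];
+
 services.mysql.enable = true;
 services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" ''
 ALTER USER root@localhost IDENTIFIED WITH unix_socket;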
+1 -1
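--- a/nixos/tests/pantheon.nix
+++ b/nixos/tests/pantheon.nix
@@ -1,4 +1,4 @@
-import ./make-test-python.nix ({ pkgs, ...} :
+import ./make-test-python.nix ({ pkgs, lib, ...} :
 
 {
 name = "pantheon";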
+1 -1
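--- a/nixos/tests/postfixadmin.nix
+++ b/nixos/tests/postfixadmin.nix
@@ -1,6 +1,6 @@
 import ./make-test-python.nix ({ pkgs, ...} : {
 name = "postfixadmin";
-meta = with pkgs.stdenv.lib.maintainers; {
+meta = with pkgs.lib.maintainers; {
 maintainers = [ globin ];
 };
 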
+5 -1
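--- a/nixos/tests/prometheus-exporters.nix
+++ b/nixos/tests/prometheus-exporters.nix
@@ -554,7 +554,11 @@
 WorkingDirectory = "/var/spool/mail";
 };
 };
-users.users.mailexporter.isSystemUser = true;
+users.users.mailexporter = {
+isSystemUser = true;
+group = "mailexporter";
+};
+users.groups.mailexporter = {};
 };
 exporterTest = ''
 wait_for_unit("postfix.service")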
+2
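--- a/nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix
+++ b/nixos/tests/systemd-networkd-ipv6-prefix-delegation.nix
@@ -42,6 +42,8 @@
 # DO NOT COPY THIS TO PRODUCTION AS IS. Think about it at least twice.
 # Everyone on the "isp" machine will be able to add routes to the kernel.
 security.wrappers.add-dhcpd-lease = {
+owner = "root";
+group = "root";
 source = pkgs.writeShellScript "add-dhcpd-lease" ''
 exec ${pkgs.iproute2}/bin/ip -6 route replace "$1" via "$2"
 '';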
+1 -1
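--- a/nixos/tests/tigervnc.nix
+++ b/nixos/tests/tigervnc.nix
@@ -6,7 +6,7 @@
 with import ../lib/testing-python.nix { inherit system pkgs; };
 makeTest {
 name = "tigervnc";
-meta = with pkgs.stdenv.lib.maintainers; {
+meta = with pkgs.lib.maintainers; {
 maintainers = [ lheckemann ];
 };
 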
+1 -1
nixos/tests/wasabibackend.nix
··· 14 14 port = 18332; 15 15 }; 16 16 }; 17 - services.bitcoind = { 17 + services.bitcoind."testnet" = { 18 18 enable = true; 19 19 testnet = true; 20 20 rpc.users = {