Merge branch 'master' into staging-next

There ver very many conflicts, basically all due to
name -> pname+version.  Fortunately, almost everything was auto-resolved
by kdiff3, and for now I just fixed up a couple evaluation problems,
as verified by the tarball job.  There might be some fallback to these
conflicts, but I believe it should be minimal.

Hydra nixpkgs: ?compare=1538299

nixos/tests/all-tests.nix

@@ -47,6 +47,7 @@ in
   codimd = handleTest ./codimd.nix {};
   colord = handleTest ./colord.nix {};
   containers-bridge = handleTest ./containers-bridge.nix {};
+  containers-ephemeral = handleTest ./containers-ephemeral.nix {};
   containers-extra_veth = handleTest ./containers-extra_veth.nix {};
   containers-hosts = handleTest ./containers-hosts.nix {};
   containers-imperative = handleTest ./containers-imperative.nix {};
@@ -73,7 +74,7 @@ in
   #ec2-config = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-config or {};
   ec2-nixops = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-nixops or {};
   ecryptfs = handleTest ./ecryptfs.nix {};
-  ejabberd = handleTest ./ejabberd.nix {};
+  ejabberd = handleTest ./xmpp/ejabberd.nix {};
   elk = handleTestOn ["x86_64-linux"] ./elk.nix {};
   env = handleTest ./env.nix {};
   etcd = handleTestOn ["x86_64-linux"] ./etcd.nix {};
@@ -93,8 +94,10 @@ in
   gitlab = handleTest ./gitlab.nix {};
   gitolite = handleTest ./gitolite.nix {};
   gjs = handleTest ./gjs.nix {};
+  glusterfs = handleTest ./glusterfs.nix {};
   gnome3-xorg = handleTest ./gnome3-xorg.nix {};
   gnome3 = handleTest ./gnome3.nix {};
+  gnome-photos = handleTest ./gnome-photos.nix {};
   gocd-agent = handleTest ./gocd-agent.nix {};
   gocd-server = handleTest ./gocd-server.nix {};
   google-oslogin = handleTest ./google-oslogin {};
@@ -114,6 +117,7 @@ in
   hound = handleTest ./hound.nix {};
   hydra = handleTest ./hydra {};
   i3wm = handleTest ./i3wm.nix {};
+  icingaweb2 = handleTest ./icingaweb2.nix {};
   iftop = handleTest ./iftop.nix {};
   incron = handleTest ./incron.nix {};
   influxdb = handleTest ./influxdb.nix {};
@@ -124,6 +128,7 @@ in
   jackett = handleTest ./jackett.nix {};
   jellyfin = handleTest ./jellyfin.nix {};
   jenkins = handleTest ./jenkins.nix {};
+  jormungandr = handleTest ./jormungandr.nix {};
   kafka = handleTest ./kafka.nix {};
   kerberos = handleTest ./kerberos/default.nix {};
   kernel-latest = handleTest ./kernel-latest.nix {};
@@ -138,6 +143,7 @@ in
   latestKernel.login = handleTest ./login.nix { latestKernel = true; };
   ldap = handleTest ./ldap.nix {};
   leaps = handleTest ./leaps.nix {};
+  libxmlb = handleTest ./libxmlb.nix {};
   lidarr = handleTest ./lidarr.nix {};
   lightdm = handleTest ./lightdm.nix {};
   limesurvey = handleTest ./limesurvey.nix {};
@@ -150,6 +156,7 @@ in
   mediawiki = handleTest ./mediawiki.nix {};
   memcached = handleTest ./memcached.nix {};
   mesos = handleTest ./mesos.nix {};
+  metabase = handleTest ./metabase.nix {};
   miniflux = handleTest ./miniflux.nix {};
   minio = handleTest ./minio.nix {};
   misc = handleTest ./misc.nix {};
@@ -217,7 +224,8 @@ in
   prometheus = handleTest ./prometheus.nix {};
   prometheus2 = handleTest ./prometheus-2.nix {};
   prometheus-exporters = handleTest ./prometheus-exporters.nix {};
-  prosody = handleTest ./prosody.nix {};
+  prosody = handleTest ./xmpp/prosody.nix {};
+  prosodyMysql = handleTest ./xmpp/prosody-mysql.nix {};
   proxy = handleTest ./proxy.nix {};
   quagga = handleTest ./quagga.nix {};
   quake3 = handleTest ./quake3.nix {};
@@ -249,6 +257,7 @@ in
   systemd = handleTest ./systemd.nix {};
   systemd-confinement = handleTest ./systemd-confinement.nix {};
   systemd-timesyncd = handleTest ./systemd-timesyncd.nix {};
+  systemd-networkd-wireguard = handleTest ./systemd-networkd-wireguard.nix {};
   pdns-recursor = handleTest ./pdns-recursor.nix {};
   taskserver = handleTest ./taskserver.nix {};
   telegraf = handleTest ./telegraf.nix {};
@@ -256,6 +265,7 @@ in
   tinydns = handleTest ./tinydns.nix {};
   tor = handleTest ./tor.nix {};
   transmission = handleTest ./transmission.nix {};
+  trezord = handleTest ./trezord.nix {};
   udisks2 = handleTest ./udisks2.nix {};
   upnp = handleTest ./upnp.nix {};
   uwsgi = handleTest ./uwsgi.nix {};

nixos/tests/containers-ephemeral.nix

@@ -0,0 +1,56 @@
+# Test for NixOS' container support.
+
+import ./make-test.nix ({ pkgs, ...} : {
+  name = "containers-ephemeral";
+
+  machine = { pkgs, ... }: {
+    virtualisation.memorySize = 768;
+    virtualisation.writableStore = true;
+
+    containers.webserver = {
+      ephemeral = true;
+      privateNetwork = true;
+      hostAddress = "10.231.136.1";
+      localAddress = "10.231.136.2";
+      config = {
+        services.nginx = {
+          enable = true;
+          virtualHosts.localhost = {
+            root = (pkgs.runCommand "localhost" {} ''
+              mkdir "$out"
+              echo hello world > "$out/index.html"
+            '');
+          };
+        };
+        networking.firewall.allowedTCPPorts = [ 80 ];
+      };
+    };
+  };
+
+  testScript = ''
+    $machine->succeed("nixos-container list") =~ /webserver/ or die;
+
+    # Start the webserver container.
+    $machine->succeed("nixos-container start webserver");
+
+    # Check that container got its own root folder
+    $machine->succeed("ls /run/containers/webserver");
+
+    # Check that container persistent directory is not created
+    $machine->fail("ls /var/lib/containers/webserver");
+
+    # Since "start" returns after the container has reached
+    # multi-user.target, we should now be able to access it.
+    my $ip = $machine->succeed("nixos-container show-ip webserver");
+    chomp $ip;
+    $machine->succeed("ping -n -c1 $ip");
+    $machine->succeed("curl --fail http://$ip/ > /dev/null");
+
+    # Stop the container.
+    $machine->succeed("nixos-container stop webserver");
+    $machine->fail("curl --fail --connect-timeout 2 http://$ip/ > /dev/null");
+
+    # Check that container's root folder was removed
+    $machine->fail("ls /run/containers/webserver");
+  '';
+})

nixos/tests/glusterfs.nix

@@ -0,0 +1,65 @@
+import ./make-test.nix ({ ... } :
+
+let
+  client = { pkgs, ... } : {
+    environment.systemPackages = [ pkgs.glusterfs ];
+    fileSystems = pkgs.lib.mkVMOverride
+    [ { mountPoint = "/gluster";
+        fsType = "glusterfs";
+        device = "server1:/gv0";
+    } ];
+  };
+
+  server = { pkgs, ... } : {
+    networking.firewall.enable = false;
+    services.glusterfs.enable = true;
+
+    # create a mount point for the volume
+    boot.initrd.postDeviceCommands = ''
+      ${pkgs.e2fsprogs}/bin/mkfs.ext4 -L data /dev/vdb
+    '';
+
+    virtualisation.emptyDiskImages = [ 1024 ];
+
+    fileSystems = pkgs.lib.mkVMOverride
+      [ { mountPoint = "/data";
+          device = "/dev/disk/by-label/data";
+          fsType = "ext4";
+        }
+      ];
+  };
+in {
+  name = "glusterfs";
+
+  nodes = {
+    server1 = server;
+    server2 = server;
+    client1 = client;
+    client2 = client;
+  };
+
+  testScript = ''
+    $server1->waitForUnit("glusterd.service");
+    $server2->waitForUnit("glusterd.service");
+
+    # establish initial contact
+    $server1->succeed("sleep 2");
+    $server1->succeed("gluster peer probe server2");
+    $server1->succeed("gluster peer probe server1");
+
+    $server1->succeed("gluster peer status | grep Connected");
+
+    # create volumes
+    $server1->succeed("mkdir -p /data/vg0");
+    $server2->succeed("mkdir -p /data/vg0");
+    $server1->succeed("gluster volume create gv0 server1:/data/vg0 server2:/data/vg0");
+    $server1->succeed("gluster volume start gv0");
+
+    # test clients
+    $client1->waitForUnit("gluster.mount");
+    $client2->waitForUnit("gluster.mount");
+
+    $client1->succeed("echo test > /gluster/file1");
+    $client2->succeed("grep test /gluster/file1");
+  '';
+})

nixos/tests/gnome-photos.nix

@@ -0,0 +1,42 @@
+# run installed tests
+import ./make-test.nix ({ pkgs, lib, ... }:
+
+let
+
+  # gsettings tool with access to gsettings-desktop-schemas
+  desktop-gsettings = with pkgs; stdenv.mkDerivation {
+    name = "desktop-gsettings";
+    dontUnpack = true;
+    nativeBuildInputs = [ glib wrapGAppsHook ];
+    buildInputs = [ gsettings-desktop-schemas ];
+    installPhase = ''
+      runHook preInstall
+      mkdir -p $out/bin
+      ln -s ${glib.bin}/bin/gsettings $out/bin/desktop-gsettings
+      runHook postInstall
+    '';
+  };
+
+in
+
+{
+  name = "gnome-photos";
+  meta = {
+    maintainers = pkgs.gnome-photos.meta.maintainers;
+  };
+
+  machine = { pkgs, ... }: {
+    imports = [ ./common/x11.nix ];
+    programs.dconf.enable = true;
+    services.gnome3.at-spi2-core.enable = true; # needed for dogtail
+    environment.systemPackages = with pkgs; [ gnome-desktop-testing desktop-gsettings ];
+    services.dbus.packages = with pkgs; [ gnome-photos ];
+  };
+
+  testScript = ''
+    $machine->waitForX;
+    # dogtail needs accessibility enabled
+    $machine->succeed("desktop-gsettings set org.gnome.desktop.interface toolkit-accessibility true 2>&1");
+    $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.gnome-photos.installedTests}/share' 2>&1");
+  '';
+})

nixos/tests/icingaweb2.nix

@@ -0,0 +1,71 @@
+import ./make-test.nix ({ pkgs, ... }: {
+  name = "icingaweb2";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ das_j ];
+  };
+
+  nodes = {
+    icingaweb2 = { config, pkgs, ... }: {
+      services.icingaweb2 = {
+        enable = true;
+
+        modulePackages = with pkgs.icingaweb2Modules; {
+          particles = theme-particles;
+          spring = theme-spring;
+        };
+
+        modules = {
+          doc.enable = true;
+          migrate.enable =  true;
+          setup.enable = true;
+          test.enable = true;
+          translation.enable = true;
+        };
+
+        generalConfig = {
+          global = {
+            module_path = "${pkgs.icingaweb2}/modules";
+          };
+        };
+
+        authentications = {
+          icingaweb = {
+            backend = "external";
+          };
+        };
+
+        groupBackends = {
+          icingaweb = {
+            backend = "db";
+            resource = "icingaweb_db";
+          };
+        };
+
+        resources = {
+          # Not used, so no DB server needed
+          icingaweb_db = {
+            type = "db";
+            db = "mysql";
+            host = "localhost";
+            username = "icingaweb2";
+            password = "icingaweb2";
+            dbname = "icingaweb2";
+          };
+        };
+
+        roles = {
+          Administrators = {
+            users = "*";
+            permissions = "*";
+          };
+        };
+      };
+    };
+  };
+
+  testScript = ''
+    startAll();
+    $icingaweb2->waitForUnit("multi-user.target");
+    $icingaweb2->succeed("curl -sSf http://icingaweb2/authentication/login");
+  '';
+})

nixos/tests/jormungandr.nix

@@ -0,0 +1,49 @@
+import ./make-test.nix ({ pkgs, ... }: {
+  name = "jormungandr";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ mmahut ];
+  };
+
+  nodes = {
+    bft = { ... }: {
+      environment.systemPackages = [ pkgs.jormungandr ];
+
+      services.jormungandr.enable = true;
+      services.jormungandr.genesisBlockFile = "/var/lib/jormungandr/block-0.bin";
+      services.jormungandr.secretFile = "/etc/secrets/jormungandr.yaml";
+    };
+  };
+
+  testScript = ''
+    startAll;
+
+    # Let's wait for the StateDirectory
+    $bft->waitForFile("/var/lib/jormungandr/");
+
+    # First, we generate the genesis file for our new blockchain
+    $bft->succeed("jcli genesis init > /root/genesis.yaml");
+
+    # We need to generate our secret key
+    $bft->succeed("jcli key generate --type=Ed25519 > /root/key.prv");
+
+    # We include the secret key into our services.jormungandr.secretFile
+    $bft->succeed("mkdir -p /etc/secrets");
+    $bft->succeed("echo -e \"bft:\\n signing_key:\" \$(cat /root/key.prv) > /etc/secrets/jormungandr.yaml");
+
+    # After that, we generate our public key from it
+    $bft->succeed("cat /root/key.prv | jcli key to-public > /root/key.pub");
+
+    # We add our public key as a consensus leader in the genesis configration file
+    $bft->succeed("sed -ie \"s/ed25519_pk1vvwp2s0n5jl5f4xcjurp2e92sj2awehkrydrlas4vgqr7xzt33jsadha32/\$(cat /root/key.pub)/\" /root/genesis.yaml");
+
+    # Now we can generate the genesis block from it
+    $bft->succeed("jcli genesis encode --input /root/genesis.yaml --output /var/lib/jormungandr/block-0.bin");
+
+    # We should have everything to start the service now
+    $bft->succeed("systemctl restart jormungandr");
+    $bft->waitForUnit("jormungandr.service");
+
+    # Now we can test if we are able to reach the REST API
+    $bft->waitUntilSucceeds("curl -L http://localhost:8607/api/v0/node/stats | grep uptime");
+  '';
+})

nixos/tests/libxmlb.nix

@@ -0,0 +1,17 @@
+# run installed tests
+import ./make-test.nix ({ pkgs, ... }:
+
+{
+  name = "libxmlb";
+  meta = {
+    maintainers = pkgs.libxmlb.meta.maintainers;
+  };
+
+  machine = { pkgs, ... }: {
+    environment.systemPackages = with pkgs; [ gnome-desktop-testing ];
+  };
+
+  testScript = ''
+    $machine->succeed("gnome-desktop-testing-runner -d '${pkgs.libxmlb.installedTests}/share'");
+  '';
+})

nixos/tests/metabase.nix

@@ -0,0 +1,20 @@
+import ./make-test.nix ({ pkgs, ... }: {
+  name = "metabase";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ mmahut ];
+  };
+
+  nodes = {
+    machine = { ... }: {
+      services.metabase.enable = true;
+      virtualisation.memorySize = 1024;
+    };
+  };
+
+  testScript = ''
+    startAll;
+    $machine->waitForUnit("metabase.service");
+    $machine->waitForOpenPort(3000);
+    $machine->waitUntilSucceeds("curl -L http://localhost:3000/setup | grep Metabase");
+  '';
+})

nixos/tests/networking.nix

@@ -21,7 +21,7 @@ let
         useNetworkd = networkd;
         firewall.checkReversePath = true;
         firewall.allowedUDPPorts = [ 547 ];
-        interfaces = mkOverride 0 (listToAttrs (flip map vlanIfs (n:
+        interfaces = mkOverride 0 (listToAttrs (forEach vlanIfs (n:
           nameValuePair "eth${toString n}" {
             ipv4.addresses = [ { address = "192.168.${toString n}.1"; prefixLength = 24; } ];
             ipv6.addresses = [ { address = "fd00:1234:5678:${toString n}::1"; prefixLength = 64; } ];

nixos/tests/nginx.nix

@@ -3,15 +3,15 @@
 #      generated virtual hosts config.
 #   2. whether the ETag header is properly generated whenever we're serving
 #      files in Nix store paths
-
+#   3. nginx doesn't restart on configuration changes (only reloads)
 import ./make-test.nix ({ pkgs, ... }: {
   name = "nginx";
   meta = with pkgs.stdenv.lib.maintainers; {
     maintainers = [ mbbx6spp ];
   };
 
-  nodes = let
-    commonConfig = { pkgs, ... }: {
+  nodes = {
+    webserver = { pkgs, lib, ... }: {
       services.nginx.enable = true;
       services.nginx.commonHttpConfig = ''
         log_format ceeformat '@cee: {"status":"$status",'
@@ -32,30 +32,42 @@ import ./make-test.nix ({ pkgs, ... }: {
           location /favicon.ico { allow all; access_log off; log_not_found off; }
         '';
       };
+
       services.nginx.virtualHosts.localhost = {
         root = pkgs.runCommand "testdir" {} ''
           mkdir "$out"
           echo hello world > "$out/index.html"
         '';
       };
-    };
-  in {
-    webserver = commonConfig;
 
-    newwebserver = { pkgs, lib, ... }: {
-      imports = [ commonConfig ];
-      services.nginx.virtualHosts.localhost = {
-        root = lib.mkForce (pkgs.runCommand "testdir2" {} ''
-          mkdir "$out"
-          echo hello world > "$out/index.html"
-        '');
-      };
+      services.nginx.enableReload = true;
+
+      nesting.clone = [
+        {
+          services.nginx.virtualHosts.localhost = {
+            root = lib.mkForce (pkgs.runCommand "testdir2" {} ''
+              mkdir "$out"
+              echo content changed > "$out/index.html"
+            '');
+          };
+        }
+
+        {
+          services.nginx.virtualHosts."1.my.test".listen = [ { addr = "127.0.0.1"; port = 8080; }];
+        }
+
+        {
+          services.nginx.package = pkgs.nginxUnstable;
+        }
+      ];
     };
+
   };
 
   testScript = { nodes, ... }: let
-    newServerSystem = nodes.newwebserver.config.system.build.toplevel;
-    switch = "${newServerSystem}/bin/switch-to-configuration test";
+    etagSystem = "${nodes.webserver.config.system.build.toplevel}/fine-tune/child-1";
+    justReloadSystem = "${nodes.webserver.config.system.build.toplevel}/fine-tune/child-2";
+    reloadRestartSystem = "${nodes.webserver.config.system.build.toplevel}/fine-tune/child-3";
   in ''
     my $url = 'http://localhost/index.html';
 
@@ -77,9 +89,23 @@ import ./make-test.nix ({ pkgs, ... }: {
 
     subtest "check ETag if serving Nix store paths", sub {
       my $oldEtag = checkEtag;
-      $webserver->succeed('${switch}');
+      $webserver->succeed("${etagSystem}/bin/switch-to-configuration test >&2");
+      $webserver->sleep(1); # race condition
       my $newEtag = checkEtag;
       die "Old ETag $oldEtag is the same as $newEtag" if $oldEtag eq $newEtag;
     };
+
+    subtest "config is reloaded on nixos-rebuild switch", sub {
+      $webserver->succeed("${justReloadSystem}/bin/switch-to-configuration test >&2");
+      $webserver->waitForOpenPort("8080");
+      $webserver->fail("journalctl -u nginx | grep -q -i stopped");
+      $webserver->succeed("journalctl -u nginx | grep -q -i reloaded");
+    };
+
+    subtest "restart when nginx package changes", sub {
+      $webserver->succeed("${reloadRestartSystem}/bin/switch-to-configuration test >&2");
+      $webserver->waitForUnit("nginx");
+      $webserver->succeed("journalctl -u nginx | grep -q -i stopped");
+    };
   '';
 })

nixos/tests/php-pcre.nix

@@ -8,30 +8,25 @@ import ./make-test.nix ({ ...}: {
     services.httpd = {
       enable = true;
       adminAddr = "please@dont.contact";
-      extraSubservices = lib.singleton {
-        function = f: {
-          enablePHP = true;
-          phpOptions = "pcre.jit = true";
+      enablePHP = true;
+      phpOptions = "pcre.jit = true";
+      extraConfig =
+      let
+        testRoot = pkgs.writeText "index.php"
+        ''
+          <?php
+            preg_match('/(${testString})/', '${testString}', $result);
+            var_dump($result);
+          ?>
+        '';
+      in
+        ''
+          Alias / ${testRoot}/
 
-          extraConfig =
-          let
-            testRoot = pkgs.writeText "index.php"
-            ''
-              <?php
-                preg_match('/(${testString})/', '${testString}', $result);
-                var_dump($result);
-              ?>
-            '';
-          in
-            ''
-              Alias / ${testRoot}/
-
-              <Directory ${testRoot}>
-                Require all granted
-              </Directory>
-            '';
-        };
-      };
+          <Directory ${testRoot}>
+            Require all granted
+          </Directory>
+        '';
     };
   };
   testScript = { ... }:

nixos/tests/prosody.nix

@@ -1,38 +0,0 @@
-import ./make-test.nix {
-  name = "prosody";
-
-  machine = { pkgs, ... }: {
-    services.prosody = {
-      enable = true;
-      # TODO: use a self-signed certificate
-      c2sRequireEncryption = false;
-      extraConfig = ''
-        storage = "sql"
-      '';
-      virtualHosts.test = {
-        domain = "example.com";
-        enabled = true;
-      };
-    };
-    environment.systemPackages = [
-      (pkgs.callPackage ./xmpp-sendmessage.nix {})
-    ];
-  };
-
-  testScript = ''
-    $machine->waitForUnit('prosody.service');
-    $machine->succeed('prosodyctl status') =~ /Prosody is running/;
-
-    # set password to 'nothunter2' (it's asked twice)
-    $machine->succeed('yes nothunter2 | prosodyctl adduser cthon98@example.com');
-    # set password to 'y'
-    $machine->succeed('yes | prosodyctl adduser azurediamond@example.com');
-    # correct password to 'hunter2'
-    $machine->succeed('yes hunter2 | prosodyctl passwd azurediamond@example.com');
-
-    $machine->succeed("send-message");
-
-    $machine->succeed('prosodyctl deluser cthon98@example.com');
-    $machine->succeed('prosodyctl deluser azurediamond@example.com');
-  '';
-}

nixos/tests/subversion.nix

@@ -1,121 +0,0 @@
-import ./make-test.nix ({ pkgs, ...} : 
-
-let
-
-  # Build some packages with coverage instrumentation.
-  overrides = pkgs:
-    with pkgs.stdenvAdapters;
-    let
-      do = pkg: pkg.override (args: {
-        stdenv = addCoverageInstrumentation args.stdenv;
-      });
-    in
-      rec {
-        apr = do pkgs.apr;
-        aprutil = do pkgs.aprutil;
-        apacheHttpd = do pkgs.apacheHttpd;
-        mod_python = do pkgs.mod_python;
-        subversion = do pkgs.subversion;
-
-        # To build the kernel with coverage instrumentation, we need a
-        # special patch to make coverage data available under /proc.
-        linux = pkgs.linux.override (orig: {
-          stdenv = overrideInStdenv pkgs.stdenv [ pkgs.keepBuildTree ];
-          extraConfig =
-            ''
-              GCOV_KERNEL y
-              GCOV_PROFILE_ALL y
-            '';
-        });
-      };
-
-in
-
-{
-  name = "subversion";
-  meta = with pkgs.stdenv.lib.maintainers; {
-    maintainers = [ eelco ];
-  };
-
-  nodes =
-    { webserver =
-        { ... }:
-
-        {
-          services.httpd.enable = true;
-          services.httpd.adminAddr = "e.dolstra@tudelft.nl";
-          services.httpd.extraSubservices =
-            [ { function = import <services/subversion>;
-                urlPrefix = "";
-                dataDir = "/data/subversion";
-                userCreationDomain = "192.168.0.0/16";
-              }
-            ];
-          nixpkgs.config.packageOverrides = overrides;
-        };
-
-      client =
-        { pkgs, ... }:
-
-        {
-          environment.systemPackages = [ pkgs.subversion ];
-          nixpkgs.config.packageOverrides = overrides;
-        };
-
-    };
-
-  testScript =
-    ''
-      startAll;
-
-      $webserver->waitForOpenPort(80);
-
-      print STDERR $client->succeed("svn --version");
-
-      print STDERR $client->succeed("curl --fail http://webserver/");
-
-      # Create a new user through the web interface.
-      $client->succeed("curl --fail -F username=alice -F fullname='Alice Lastname' -F address=alice\@example.org -F password=foobar -F password_again=foobar http://webserver/repoman/adduser");
-
-      # Let Alice create a new repository.
-      $client->succeed("curl --fail -u alice:foobar --form repo=xyzzy --form description=Xyzzy http://webserver/repoman/create");
-
-      $client->succeed("curl --fail http://webserver/") =~ /alice/ or die;
-
-      # Let Alice do a checkout.
-      my $svnFlags = "--non-interactive --username alice --password foobar";
-      $client->succeed("svn co $svnFlags http://webserver/repos/xyzzy wc");
-      $client->succeed("echo hello > wc/world");
-      $client->succeed("svn add wc/world");
-      $client->succeed("svn ci $svnFlags -m 'Added world.' wc/world");
-
-      # Create a new user on the server through the create-user.pl script.
-      $webserver->execute("svn-server-create-user.pl bob bob\@example.org Bob");
-      $webserver->succeed("svn-server-resetpw.pl bob fnord");
-      $client->succeed("curl --fail http://webserver/") =~ /bob/ or die;
-
-      # Bob should not have access to the repo.
-      my $svnFlagsBob = "--non-interactive --username bob --password fnord";
-      $client->fail("svn co $svnFlagsBob http://webserver/repos/xyzzy wc2");
-
-      # Bob should not be able change the ACLs of the repo.
-      # !!! Repoman should really return a 403 here.
-      $client->succeed("curl --fail -u bob:fnord -F description=Xyzzy -F readers=alice,bob -F writers=alice -F watchers= -F tardirs= http://webserver/repoman/update/xyzzy")
-          =~ /not authorised/ or die;
-
-      # Give Bob access.
-      $client->succeed("curl --fail -u alice:foobar -F description=Xyzzy -F readers=alice,bob -F writers=alice -F watchers= -F tardirs= http://webserver/repoman/update/xyzzy");
-
-      # So now his checkout should succeed.
-      $client->succeed("svn co $svnFlagsBob http://webserver/repos/xyzzy wc2");
-
-      # Test ViewVC and WebSVN
-      $client->succeed("curl --fail -u alice:foobar http://webserver/viewvc/xyzzy");
-      $client->succeed("curl --fail -u alice:foobar http://webserver/websvn/xyzzy");
-      $client->succeed("curl --fail -u alice:foobar http://webserver/repos-xml/xyzzy");
-
-      # Stop Apache to gather all the coverage data.
-      $webserver->stopJob("httpd");
-    '';
-
-})

nixos/tests/systemd-networkd-wireguard.nix

@@ -0,0 +1,80 @@
+let generateNodeConf = { lib, pkgs, config, privkpath, pubk, peerId, nodeId, ...}: {
+      imports = [ common/user-account.nix ];
+      systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
+      networking.useNetworkd = true;
+      networking.firewall.enable = false;
+      virtualisation.vlans = [ 1 ];
+      environment.systemPackages = with pkgs; [ wireguard-tools ];
+      boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
+      systemd.network = {
+        enable = true;
+        netdevs = {
+          "90-wg0" = {
+            netdevConfig = { Kind = "wireguard"; Name = "wg0"; };
+            wireguardConfig = {
+              PrivateKeyFile = privkpath ;
+              ListenPort = 51820;
+              FwMark = 42;
+            };
+            wireguardPeers = [ {wireguardPeerConfig={
+              Endpoint = "192.168.1.${peerId}:51820";
+              PublicKey = pubk;
+              PresharedKeyFile = pkgs.writeText "psk.key" "yTL3sCOL33Wzi6yCnf9uZQl/Z8laSE+zwpqOHC4HhFU=";
+              AllowedIPs = [ "10.0.0.${peerId}/32" ];
+              PersistentKeepalive = 15;
+            };}];
+          };
+        };
+        networks = {
+          "99-nope" = {
+            matchConfig.Name = "eth*";
+            linkConfig.Unmanaged = true;
+          };
+          "90-wg0" = {
+            matchConfig = { Name = "wg0"; };
+            address = [ "10.0.0.${nodeId}/32" ];
+            routes = [
+              { routeConfig = { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; }; }
+            ];
+          };
+          "90-eth1" = {
+            matchConfig = { Name = "eth1"; };
+            address = [ "192.168.1.${nodeId}/24" ];
+          };
+        };
+      };
+    };
+in import ./make-test.nix ({pkgs, ... }: {
+  name = "networkd-wireguard";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ ninjatrappeur ];
+  };
+  nodes = {
+    node1 = { pkgs, ... }@attrs:
+    let localConf = {
+        privkpath = pkgs.writeText "priv.key" "GDiXWlMQKb379XthwX0haAbK6hTdjblllpjGX0heP00=";
+        pubk = "iRxpqj42nnY0Qz8MAQbSm7bXxXP5hkPqWYIULmvW+EE=";
+        nodeId = "1";
+        peerId = "2";
+    };
+    in generateNodeConf (attrs // localConf);
+
+    node2 = { pkgs, ... }@attrs:
+    let localConf = {
+        privkpath = pkgs.writeText "priv.key" "eHxSI2jwX/P4AOI0r8YppPw0+4NZnjOxfbS5mt06K2k=";
+        pubk = "27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g=";
+        nodeId = "2";
+        peerId = "1";
+    };
+    in generateNodeConf (attrs // localConf);
+  };
+testScript = ''
+    startAll;
+    $node1->waitForUnit('systemd-networkd-wait-online.service');
+    $node2->waitForUnit('systemd-networkd-wait-online.service');
+    $node1->succeed('ping -c 5 10.0.0.2');
+    $node2->succeed('ping -c 5 10.0.0.1');
+    # Is the fwmark set?
+    $node2->succeed('wg | grep -q 42');
+'';
+})

nixos/tests/systemd.nix

@@ -78,19 +78,16 @@ import ./make-test.nix ({ pkgs, ... }: {
       $machine->fail('dumpe2fs /dev/vdb | grep -q "^Last mount time: *n/a"');
     };
 
-    # Regression test for https://github.com/NixOS/nixpkgs/issues/35268
-    subtest "file system with x-initrd.mount is not unmounted", sub {
-      $machine->shutdown;
-      $machine->waitForUnit('multi-user.target');
-      # If the file system was unmounted during the shutdown the file system
-      # has a last mount time, because the file system wasn't checked.
-      $machine->fail('dumpe2fs /dev/vdb | grep -q "^Last mount time: *n/a"');
-    };
-
     subtest "systemd-shutdown works", sub {
       $machine->shutdown;
       $machine->waitForUnit('multi-user.target');
       $machine->succeed('test -e /tmp/shared/shutdown-test');
     };
+
+   # Test settings from /etc/sysctl.d/50-default.conf are applied
+   subtest "systemd sysctl settings are applied", sub {
+     $machine->waitForUnit('multi-user.target');
+     $machine->succeed('sysctl net.core.default_qdisc | grep -q "fq_codel"');
+   };
   '';
 })

nixos/tests/trezord.nix

@@ -0,0 +1,20 @@
+import ./make-test.nix ({ pkgs, ... }: {
+  name = "trezord";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ mmahut ];
+  };
+
+  nodes = {
+    machine = { ... }: {
+      services.trezord.enable = true;
+      services.trezord.emulator.enable = true;
+    };
+  };
+
+  testScript = ''
+    startAll;
+    $machine->waitForUnit("trezord.service");
+    $machine->waitForOpenPort(21325);
+    $machine->waitUntilSucceeds("curl -L http://localhost:21325/status/ | grep Version");
+  '';
+})

nixos/tests/xmpp/ejabberd.nix

@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, ... }: {
+import ../make-test.nix ({ pkgs, ... }: {
   name = "ejabberd";
   meta = with pkgs.stdenv.lib.maintainers; {
     maintainers = [ ajs124 ];
@@ -45,8 +45,7 @@ import ./make-test.nix ({ pkgs, ... }: {
               ip: "127.0.0.1"
               module: ejabberd_service
               access: local
-              shaper_rule: fast
-              ip: "127.0.0.1"
+              shaper: fast
 
           ## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
           ## password storage (see auth_password_format option).
@@ -181,7 +180,6 @@ import ./make-test.nix ({ pkgs, ... }: {
             mod_client_state: {}
             mod_configure: {} # requires mod_adhoc
             ## mod_delegation: {} # for xep0356
-            mod_echo: {}
             #mod_irc:
             #  host: "irc.@HOST@"
             #  default_encoding: "utf-8"

nixos/tests/xmpp/prosody-mysql.nix

@@ -0,0 +1,77 @@
+import ../make-test.nix {
+  name = "prosody-mysql";
+
+  nodes = {
+    client = { nodes, pkgs, ... }: {
+      environment.systemPackages = [
+        (pkgs.callPackage ./xmpp-sendmessage.nix { connectTo = nodes.server.config.networking.primaryIPAddress; })
+      ];
+    };
+    server = { config, pkgs, ... }: {
+      nixpkgs.overlays = [
+        (self: super: {
+          prosody = super.prosody.override {
+            withDBI = true;
+            withExtraLibs = [ pkgs.luaPackages.luadbi-mysql ];
+          };
+        })
+      ];
+      networking.extraHosts = ''
+        ${config.networking.primaryIPAddress} example.com
+      '';
+      networking.firewall.enable = false;
+      services.prosody = {
+        enable = true;
+        # TODO: use a self-signed certificate
+        c2sRequireEncryption = false;
+        extraConfig = ''
+          storage = "sql"
+          sql = {
+            driver = "MySQL";
+            database = "prosody";
+            host = "mysql";
+            port = 3306;
+            username = "prosody";
+            password = "password123";
+          };
+        '';
+        virtualHosts.test = {
+          domain = "example.com";
+          enabled = true;
+        };
+      };
+    };
+    mysql = { config, pkgs, ... }: {
+      networking.firewall.enable = false;
+      services.mysql = {
+        enable = true;
+        initialScript = pkgs.writeText "mysql_init.sql" ''
+          CREATE DATABASE prosody;
+          CREATE USER 'prosody'@'server' IDENTIFIED BY 'password123';
+          GRANT ALL PRIVILEGES ON prosody.* TO 'prosody'@'server';
+          FLUSH PRIVILEGES;
+        '';
+        package = pkgs.mariadb;
+      };
+    };
+  };
+
+  testScript = { nodes, ... }: ''
+    $mysql->waitForUnit('mysql.service');
+    $server->waitForUnit('prosody.service');
+    $server->succeed('prosodyctl status') =~ /Prosody is running/;
+
+    # set password to 'nothunter2' (it's asked twice)
+    $server->succeed('yes nothunter2 | prosodyctl adduser cthon98@example.com');
+    # set password to 'y'
+    $server->succeed('yes | prosodyctl adduser azurediamond@example.com');
+    # correct password to 'hunter2'
+    $server->succeed('yes hunter2 | prosodyctl passwd azurediamond@example.com');
+
+    $client->succeed("send-message");
+
+    $server->succeed('prosodyctl deluser cthon98@example.com');
+    $server->succeed('prosodyctl deluser azurediamond@example.com');
+  '';
+}
+

nixos/tests/xmpp/prosody.nix

@@ -0,0 +1,46 @@
+import ../make-test.nix {
+  name = "prosody";
+
+  nodes = {
+    client = { nodes, pkgs, ... }: {
+      environment.systemPackages = [
+        (pkgs.callPackage ./xmpp-sendmessage.nix { connectTo = nodes.server.config.networking.primaryIPAddress; })
+      ];
+    };
+    server = { config, pkgs, ... }: {
+      networking.extraHosts = ''
+        ${config.networking.primaryIPAddress} example.com
+      '';
+      networking.firewall.enable = false;
+      services.prosody = {
+        enable = true;
+        # TODO: use a self-signed certificate
+        c2sRequireEncryption = false;
+        extraConfig = ''
+          storage = "sql"
+        '';
+        virtualHosts.test = {
+          domain = "example.com";
+          enabled = true;
+        };
+      };
+    };
+  };
+
+  testScript = { nodes, ... }: ''
+    $server->waitForUnit('prosody.service');
+    $server->succeed('prosodyctl status') =~ /Prosody is running/;
+
+    # set password to 'nothunter2' (it's asked twice)
+    $server->succeed('yes nothunter2 | prosodyctl adduser cthon98@example.com');
+    # set password to 'y'
+    $server->succeed('yes | prosodyctl adduser azurediamond@example.com');
+    # correct password to 'hunter2'
+    $server->succeed('yes hunter2 | prosodyctl passwd azurediamond@example.com');
+
+    $client->succeed("send-message");
+
+    $server->succeed('prosodyctl deluser cthon98@example.com');
+    $server->succeed('prosodyctl deluser azurediamond@example.com');
+  '';
+}