movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-07 11:05:30 +03:00
Code Activity

Merge staging-next into staging

Browse source
This commit is contained in:
Frederik Rietdijk 2020-03-28 21:15:15 +01:00
commit a36be028f5
639 changed files with 13721 additions and 10162 deletions
Download patch file Download diff file Expand all files Collapse all files

3
nixos/doc/manual/installation/installing.xml
View file

@ -24,8 +24,7 @@
</para>
<para>
The NixOS manual is available on virtual console 8 (press Alt+F8 to access)
or by running <command>nixos-help</command>.
The NixOS manual is available by running <command>nixos-help</command>.
</para>
<para>

54
nixos/doc/manual/release-notes/rl-2003.xml
View file

@ -648,6 +648,55 @@ auth required pam_succeed_if.so uid >= 1000 quiet
<xref linkend="opt-environment.systemPackages"/>.
</para>
</listitem>
<listitem>
<para>
<package>nextcloud</package> has been updated to <literal>v18.0.2</literal>. This means
that users from NixOS 19.09 can't upgrade directly since you can only move one version
forward and 19.09 uses <literal>v16.0.8</literal>.
</para>
<para>
To provide a safe upgrade-path and to circumvent similar issues in the future, the following
measures were taken:
<itemizedlist>
<listitem>
<para>
The <package>pkgs.nextcloud</package>-attribute has been removed and replaced with
versioned attributes (currently <package>pkgs.nextcloud17</package> and
<package>pkgs.nextcloud18</package>). With this change major-releases can be backported
without breaking stuff and to make upgrade-paths easier.
</para>
</listitem>
<listitem>
<para>
Existing setups will be detected using
<link linkend="opt-system.stateVersion">system.stateVersion</link>: by default,
<package>nextcloud17</package> will be used, but will raise a warning which notes
that after that deploy it's recommended to update to the latest stable version
(<package>nextcloud18</package>) by declaring the newly introduced setting
<link linkend="opt-services.nextcloud.package">services.nextcloud.package</link>.
</para>
</listitem>
<listitem>
<para>
Users with an overlay (e.g. to use <package>nextcloud</package> at version
<literal>v18</literal> on <literal>19.09</literal>) will get an evaluation error
by default. This is done to ensure that our
<link linkend="opt-services.nextcloud.package">package</link>-option doesn't select an
older version by accident. It's recommended to use <package>pkgs.nextcloud18</package>
or to set <link linkend="opt-services.nextcloud.package">package</link> to
<package>pkgs.nextcloud</package> explicitly.
</para>
</listitem>
</itemizedlist>
</para>
<warning>
<para>
Please note that if you're comming from <literal>19.03</literal> or older, you have
to manually upgrade to <literal>19.09</literal> first to upgrade your server
to Nextcloud v16.
</para>
</warning>
</listitem>
</itemizedlist>
</section>
@ -776,6 +825,11 @@ auth required pam_succeed_if.so uid >= 1000 quiet
not <command>systemd-networkd</command>.
</para>
</listitem>
<listitem>
<para>
<package>mongodb</package> has been updated to version <literal>3.4.24</literal>.
</para>
</listitem>
</itemizedlist>
</section>
</section>

17
nixos/doc/manual/release-notes/rl-2009.xml
View file

@ -111,6 +111,23 @@
<link linkend="opt-security.duosec.integrationKey">security.duosec.integrationKey</link>.
</para>
</listitem>
<listitem>
<para>
The initrd SSH support now uses OpenSSH rather than Dropbear to
allow the use of Ed25519 keys and other OpenSSH-specific
functionality. Host keys must now be in the OpenSSH format, and at
least one pre-generated key must be specified.
</para>
<para>
If you used the <option>boot.initrd.network.ssh.host*Key</option>
options, you'll get an error explaining how to convert your host
keys and migrate to the new
<option>boot.initrd.network.ssh.hostKeys</option> option.
Otherwise, if you don't have any host keys set, you'll need to
generate some; see the <option>hostKeys</option> option
documentation for instructions.
</para>
</listitem>
</itemizedlist>
</section>

4
nixos/lib/make-options-doc/default.nix
View file

@ -133,6 +133,7 @@ in {
optionsJSON = pkgs.runCommand "options.json"
{ meta.description = "List of NixOS options in JSON format";
buildInputs = [ pkgs.brotli ];
}
''
# Export list of options in different format.
@ -141,8 +142,11 @@ in {
cp ${builtins.toFile "options.json" (builtins.unsafeDiscardStringContext (builtins.toJSON optionsNix))} $dst/options.json
brotli -9 < $dst/options.json > $dst/options.json.br
mkdir -p $out/nix-support
echo "file json $dst/options.json" >> $out/nix-support/hydra-build-products
echo "file json-br $dst/options.json.br" >> $out/nix-support/hydra-build-products
''; # */
optionsDocBook = pkgs.runCommand "options-docbook.xml" {} ''

5
nixos/lib/test-driver/test-driver.py
View file

@ -6,6 +6,7 @@ from xml.sax.saxutils import XMLGenerator
import _thread
import atexit
import base64
import codecs
import os
import pathlib
import ptpython.repl
@ -115,6 +116,7 @@ def create_vlan(vlan_nr: str) -> Tuple[str, str, "subprocess.Popen[bytes]", Any]
fd.write("version\n")
# TODO: perl version checks if this can be read from
# an if not, dies. we could hang here forever. Fix it.
assert vde_process.stdout is not None
vde_process.stdout.readline()
if not os.path.exists(os.path.join(vde_socket, "ctl")):
raise Exception("cannot start vde_switch")
@ -139,7 +141,7 @@ def retry(fn: Callable) -> None:
class Logger:
def __init__(self) -> None:
self.logfile = os.environ.get("LOGFILE", "/dev/null")
self.logfile_handle = open(self.logfile, "wb")
self.logfile_handle = codecs.open(self.logfile, "wb")
self.xml = XMLGenerator(self.logfile_handle, encoding="utf-8")
self.queue: "Queue[Dict[str, str]]" = Queue(1000)
@ -739,6 +741,7 @@ class Machine:
self.shell, _ = self.shell_socket.accept()
def process_serial_output() -> None:
assert self.process.stdout is not None
for _line in self.process.stdout:
# Ignore undecodable bytes that may occur in boot menus
line = _line.decode(errors="ignore").replace("\r", "").rstrip()

4
nixos/modules/misc/documentation.nix
View file

@ -218,9 +218,7 @@ in
++ optionals config.services.xserver.enable [ desktopItem pkgs.nixos-icons ]);
services.mingetty.helpLine = mkIf cfg.doc.enable (
"\nRun `nixos-help` "
+ optionalString config.services.nixosManual.showManual "or press <Alt-F${toString config.services.nixosManual.ttyNumber}> "
+ "for the NixOS manual."
"\nRun 'nixos-help' for the NixOS manual."
);
})

4
nixos/modules/module-list.nix
View file

@ -469,7 +469,6 @@
./services/misc/nix-daemon.nix
./services/misc/nix-gc.nix
./services/misc/nix-optimise.nix
./services/misc/nixos-manual.nix
./services/misc/nix-ssh-serve.nix
./services/misc/novacomd.nix
./services/misc/nzbget.nix
@ -485,7 +484,6 @@
./services/misc/redmine.nix
./services/misc/rippled.nix
./services/misc/ripple-data-api.nix
./services/misc/rogue.nix
./services/misc/serviio.nix
./services/misc/safeeyes.nix
./services/misc/sickbeard.nix
@ -692,6 +690,7 @@
./services/networking/prosody.nix
./services/networking/quagga.nix
./services/networking/quassel.nix
./services/networking/quorum.nix
./services/networking/quicktun.nix
./services/networking/racoon.nix
./services/networking/radicale.nix
@ -823,6 +822,7 @@
./services/web-apps/documize.nix
./services/web-apps/dokuwiki.nix
./services/web-apps/frab.nix
./services/web-apps/gerrit.nix
./services/web-apps/gotify-server.nix
./services/web-apps/grocy.nix
./services/web-apps/icingaweb2/icingaweb2.nix

4
nixos/modules/profiles/installation-device.nix
View file

@ -26,10 +26,6 @@ with lib;
# Show the manual.
documentation.nixos.enable = mkForce true;
services.nixosManual.showManual = true;
# Let the user play Rogue on TTY 8 during the installation.
#services.rogue.enable = true;
# Use less privileged nixos user
users.users.nixos = {

2
nixos/modules/services/desktops/gnome3/rygel.nix
View file

@ -26,5 +26,7 @@ with lib;
services.dbus.packages = [ pkgs.gnome3.rygel ];
systemd.packages = [ pkgs.gnome3.rygel ];
environment.etc."rygel.conf".source = "${pkgs.gnome3.rygel}/etc/rygel.conf";
};
}

73
nixos/modules/services/misc/nixos-manual.nix
View file

@ -1,73 +0,0 @@
# This module optionally starts a browser that shows the NixOS manual
# on one of the virtual consoles which is useful for the installation
# CD.
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.nixosManual;
cfgd = config.documentation;
in
{
options = {
# TODO(@oxij): rename this to `.enable` eventually.
services.nixosManual.showManual = mkOption {
type = types.bool;
default = false;
description = ''
Whether to show the NixOS manual on one of the virtual
consoles.
'';
};
services.nixosManual.ttyNumber = mkOption {
type = types.int;
default = 8;
description = ''
Virtual console on which to show the manual.
'';
};
services.nixosManual.browser = mkOption {
type = types.path;
default = "${pkgs.w3m-nographics}/bin/w3m";
description = ''
Browser used to show the manual.
'';
};
};
config = mkMerge [
(mkIf cfg.showManual {
assertions = singleton {
assertion = cfgd.enable && cfgd.nixos.enable;
message = "Can't enable `services.nixosManual.showManual` without `documentation.nixos.enable`";
};
})
(mkIf (cfg.showManual && cfgd.enable && cfgd.nixos.enable) {
console.extraTTYs = [ "tty${toString cfg.ttyNumber}" ];
systemd.services.nixos-manual = {
description = "NixOS Manual";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${cfg.browser} ${config.system.build.manual.manualHTMLIndex}";
StandardInput = "tty";
StandardOutput = "tty";
TTYPath = "/dev/tty${toString cfg.ttyNumber}";
TTYReset = true;
TTYVTDisallocate = true;
Restart = "always";
};
};
})
];
}

62
nixos/modules/services/misc/rogue.nix
View file

@ -1,62 +0,0 @@
# Execute the game `rogue' on tty 9. Mostly used by the NixOS
# installation CD.
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.rogue;
in
{
###### interface
options = {
services.rogue.enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable the Rogue game on one of the virtual
consoles.
'';
};
services.rogue.tty = mkOption {
type = types.str;
default = "tty9";
description = ''
Virtual console on which to run Rogue.
'';
};
};
###### implementation
config = mkIf cfg.enable {
console.extraTTYs = [ cfg.tty ];
systemd.services.rogue =
{ description = "Rogue dungeon crawling game";
wantedBy = [ "multi-user.target" ];
serviceConfig =
{ ExecStart = "${pkgs.rogue}/bin/rogue";
StandardInput = "tty";
StandardOutput = "tty";
TTYPath = "/dev/${cfg.tty}";
TTYReset = true;
TTYVTDisallocate = true;
WorkingDirectory = "/tmp";
Restart = "always";
};
};
};
}

2
nixos/modules/services/monitoring/prometheus/alertmanager.nix
View file

@ -155,7 +155,7 @@ in {
systemd.services.alertmanager = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
after = [ "network-online.target" ];
preStart = ''
${lib.getBin pkgs.envsubst}/bin/envsubst -o "/tmp/alert-manager-substituted.yaml" \
-i "${alertmanagerYml}"

229
nixos/modules/services/networking/quorum.nix Normal file
View file

@ -0,0 +1,229 @@
{ config, pkgs, lib, ... }:
let
inherit (lib) mkEnableOption mkIf mkOption literalExample types optionalString;
cfg = config.services.quorum;
dataDir = "/var/lib/quorum";
genesisFile = pkgs.writeText "genesis.json" (builtins.toJSON cfg.genesis);
staticNodesFile = pkgs.writeText "static-nodes.json" (builtins.toJSON cfg.staticNodes);
in {
options = {
services.quorum = {
enable = mkEnableOption "Quorum blockchain daemon";
user = mkOption {
type = types.str;
default = "quorum";
description = "The user as which to run quorum.";
};
group = mkOption {
type = types.str;
default = cfg.user;
description = "The group as which to run quorum.";
};
port = mkOption {
type = types.port;
default = 21000;
description = "Override the default port on which to listen for connections.";
};
nodekeyFile = mkOption {
type = types.path;
default = "${dataDir}/nodekey";
description = "Path to the nodekey.";
};
staticNodes = mkOption {
type = types.listOf types.str;
default = [];
example = [ "enode://dd333ec28f0a8910c92eb4d336461eea1c20803eed9cf2c056557f986e720f8e693605bba2f4e8f289b1162e5ac7c80c914c7178130711e393ca76abc1d92f57@0.0.0.0:30303?discport=0" ];
description = "List of validator nodes.";
};
privateconfig = mkOption {
type = types.str;
default = "ignore";
description = "Configuration of privacy transaction manager.";
};
syncmode = mkOption {
type = types.enum [ "fast" "full" "light" ];
default = "full";
description = "Blockchain sync mode.";
};
blockperiod = mkOption {
type = types.int;
default = 5;
description = "Default minimum difference between two consecutive block's timestamps in seconds.";
};
permissioned = mkOption {
type = types.bool;
default = true;
description = "Allow only a defined list of nodes to connect.";
};
rpc = {
enable = mkOption {
type = types.bool;
default = true;
description = "Enable RPC interface.";
};
address = mkOption {
type = types.str;
default = "0.0.0.0";
description = "Listening address for RPC connections.";
};
port = mkOption {
type = types.port;
default = 22004;
description = "Override the default port on which to listen for RPC connections.";
};
api = mkOption {
type = types.str;
default = "admin,db,eth,debug,miner,net,shh,txpool,personal,web3,quorum,istanbul";
description = "API's offered over the HTTP-RPC interface.";
};
};
ws = {
enable = mkOption {
type = types.bool;
default = true;
description = "Enable WS-RPC interface.";
};
address = mkOption {
type = types.str;
default = "0.0.0.0";
description = "Listening address for WS-RPC connections.";
};
port = mkOption {
type = types.port;
default = 8546;
description = "Override the default port on which to listen for WS-RPC connections.";
};
api = mkOption {
type = types.str;
default = "admin,db,eth,debug,miner,net,shh,txpool,personal,web3,quorum,istanbul";
description = "API's offered over the WS-RPC interface.";
};
origins = mkOption {
type = types.str;
default = "*";
description = "Origins from which to accept websockets requests";
};
};
genesis = mkOption {
type = types.nullOr types.attrs;
default = null;
example = literalExample '' {
alloc = {
a47385db68718bdcbddc2d2bb7c54018066ec111 = {
balance = "1000000000000000000000000000";
};
};
coinbase = "0x0000000000000000000000000000000000000000";
config = {
byzantiumBlock = 4;
chainId = 494702925;
eip150Block = 2;
eip155Block = 3;
eip158Block = 3;
homesteadBlock = 1;
isQuorum = true;
istanbul = {
epoch = 30000;
policy = 0;
};
};
difficulty = "0x1";
extraData = "0x0000000000000000000000000000000000000000000000000000000000000000f85ad59438f0508111273d8e482f49410ca4078afc86a961b8410000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0";
gasLimit = "0x2FEFD800";
mixHash = "0x63746963616c2062797a616e74696e65201111756c7420746f6c6572616e6365";
nonce = "0x0";
parentHash = "0x0000000000000000000000000000000000000000000000000000000000000000";
timestamp = "0x00";
}'';
description = "Blockchain genesis settings.";
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.quorum ];
systemd.tmpfiles.rules = [
"d '${dataDir}' 0770 '${cfg.user}' '${cfg.group}' - -"
];
systemd.services.quorum = {
description = "Quorum daemon";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = {
PRIVATE_CONFIG = "${cfg.privateconfig}";
};
preStart = ''
if [ ! -d ${dataDir}/geth ]; then
if [ ! -d ${dataDir}/keystore ]; then
echo ERROR: You need to create a wallet before initializing your genesis file, run:
echo # su -s /bin/sh - quorum
echo $ geth --datadir ${dataDir} account new
echo and configure your genesis file accordingly.
exit 1;
fi
ln -s ${staticNodesFile} ${dataDir}/static-nodes.json
${pkgs.quorum}/bin/geth --datadir ${dataDir} init ${genesisFile}
fi
'';
serviceConfig = {
User = cfg.user;
Group = cfg.group;
ExecStart = ''${pkgs.quorum}/bin/geth \
--nodiscover \
--verbosity 5 \
--nodekey ${cfg.nodekeyFile} \
--istanbul.blockperiod ${toString cfg.blockperiod} \
--syncmode ${cfg.syncmode} \
${optionalString (cfg.permissioned)
"--permissioned"} \
--mine --minerthreads 1 \
${optionalString (cfg.rpc.enable)
"--rpc --rpcaddr ${cfg.rpc.address} --rpcport ${toString cfg.rpc.port} --rpcapi ${cfg.rpc.api}"} \
${optionalString (cfg.ws.enable)
"--ws --wsaddr ${cfg.ws.address} --wsport ${toString cfg.ws.port} --wsapi ${cfg.ws.api} --wsorigins ${cfg.ws.origins}"} \
--emitcheckpoints \
--datadir ${dataDir} \
--port ${toString cfg.port}'';
Restart = "on-failure";
# Hardening measures
PrivateTmp = "true";
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
MemoryDenyWriteExecute = "true";
};
};
users.users.${cfg.user} = {
name = cfg.user;
group = cfg.group;
description = "Quorum daemon user";
home = dataDir;
isSystemUser = true;
};
users.groups.${cfg.group} = {};
};
}

2
nixos/modules/services/scheduling/atd.nix
View file

@ -67,8 +67,6 @@ in
systemd.services.atd = {
description = "Job Execution Daemon (atd)";
after = [ "systemd-udev-settle.service" ];
wants = [ "systemd-udev-settle.service" ];
wantedBy = [ "multi-user.target" ];
path = [ at ];

218
nixos/modules/services/web-apps/gerrit.nix Normal file
View file

@ -0,0 +1,218 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.gerrit;
# NixOS option type for git-like configs
gitIniType = with types;
let
primitiveType = either str (either bool int);
multipleType = either primitiveType (listOf primitiveType);
sectionType = lazyAttrsOf multipleType;
supersectionType = lazyAttrsOf (either multipleType sectionType);
in lazyAttrsOf supersectionType;
gerritConfig = pkgs.writeText "gerrit.conf" (
lib.generators.toGitINI cfg.settings
);
# Wrap the gerrit java with all the java options so it can be called
# like a normal CLI app
gerrit-cli = pkgs.writeShellScriptBin "gerrit" ''
set -euo pipefail
jvmOpts=(
${lib.escapeShellArgs cfg.jvmOpts}
-Xmx${cfg.jvmHeapLimit}
)
exec ${cfg.jvmPackage}/bin/java \
"''${jvmOpts[@]}" \
-jar ${cfg.package}/webapps/${cfg.package.name}.war \
"$@"
'';
gerrit-plugins = pkgs.runCommand
"gerrit-plugins"
{
buildInputs = [ gerrit-cli ];
}
''
shopt -s nullglob
mkdir $out
for name in ${toString cfg.builtinPlugins}; do
echo "Installing builtin plugin $name.jar"
gerrit cat plugins/$name.jar > $out/$name.jar
done
for file in ${toString cfg.plugins}; do
name=$(echo "$file" | cut -d - -f 2-)
echo "Installing plugin $name"
ln -sf "$file" $out/$name
done
'';
in
{
options = {
services.gerrit = {
enable = mkEnableOption "Gerrit service";
package = mkOption {
type = types.package;
default = pkgs.gerrit;
description = "Gerrit package to use";
};
jvmPackage = mkOption {
type = types.package;
default = pkgs.jre_headless;
defaultText = "pkgs.jre_headless";
description = "Java Runtime Environment package to use";
};
jvmOpts = mkOption {
type = types.listOf types.str;
default = [
"-Dflogger.backend_factory=com.google.common.flogger.backend.log4j.Log4jBackendFactory#getInstance"
"-Dflogger.logging_context=com.google.gerrit.server.logging.LoggingContext#getInstance"
];
description = "A list of JVM options to start gerrit with.";
};
jvmHeapLimit = mkOption {
type = types.str;
default = "1024m";
description = ''
How much memory to allocate to the JVM heap
'';
};
listenAddress = mkOption {
type = types.str;
default = "[::]:8080";
description = ''
<literal>hostname:port</literal> to listen for HTTP traffic.
This is bound using the systemd socket activation.
'';
};
settings = mkOption {
type = gitIniType;
default = {};
description = ''
Gerrit configuration. This will be generated to the
<literal>etc/gerrit.config</literal> file.
'';
};
plugins = mkOption {
type = types.listOf types.package;
default = [];
description = ''
List of plugins to add to Gerrit. Each derivation is a jar file
itself where the name of the derivation is the name of plugin.
'';
};
builtinPlugins = mkOption {
type = types.listOf (types.enum cfg.package.passthru.plugins);
default = [];
description = ''
List of builtins plugins to install. Those are shipped in the
<literal>gerrit.war</literal> file.
'';
};
serverId = mkOption {
type = types.str;
description = ''
Set a UUID that uniquely identifies the server.
This can be generated with
<literal>nix-shell -p utillinux --run uuidgen</literal>.
'';
};
};
};
config = mkIf cfg.enable {
services.gerrit.settings = {
cache.directory = "/var/cache/gerrit";
container.heapLimit = cfg.jvmHeapLimit;
gerrit.basePath = lib.mkDefault "git";
gerrit.serverId = cfg.serverId;
httpd.inheritChannel = "true";
httpd.listenUrl = lib.mkDefault "http://${cfg.listenAddress}";
index.type = lib.mkDefault "lucene";
};
# Add the gerrit CLI to the system to run `gerrit init` and friends.
environment.systemPackages = [ gerrit-cli ];
systemd.sockets.gerrit = {
unitConfig.Description = "Gerrit HTTP socket";
wantedBy = [ "sockets.target" ];
listenStreams = [ cfg.listenAddress ];
};
systemd.services.gerrit = {
description = "Gerrit";
wantedBy = [ "multi-user.target" ];
requires = [ "gerrit.socket" ];
after = [ "gerrit.socket" "network.target" ];
path = [
gerrit-cli
pkgs.bash
pkgs.coreutils
pkgs.git
pkgs.openssh
];
environment = {
GERRIT_HOME = "%S/gerrit";
GERRIT_TMP = "%T";
HOME = "%S/gerrit";
XDG_CONFIG_HOME = "%S/gerrit/.config";
};
preStart = ''
set -euo pipefail
# bootstrap if nothing exists
if [[ ! -d git ]]; then
gerrit init --batch --no-auto-start
fi
# install gerrit.war for the plugin manager
rm -rf bin
mkdir bin
ln -sfv ${cfg.package}/webapps/${cfg.package.name}.war bin/gerrit.war
# copy the config, keep it mutable because Gerrit
ln -sfv ${gerritConfig} etc/gerrit.config
# install the plugins
rm -rf plugins
ln -sv ${gerrit-plugins} plugins
''
;
serviceConfig = {
CacheDirectory = "gerrit";
DynamicUser = true;
ExecStart = "${gerrit-cli}/bin/gerrit daemon --console-log";
LimitNOFILE = 4096;
StandardInput = "socket";
StandardOutput = "journal";
StateDirectory = "gerrit";
WorkingDirectory = "%S/gerrit";
};
};
};
meta.maintainers = with lib.maintainers; [ edef zimbatm ];
}

44
nixos/modules/services/web-apps/nextcloud.nix
View file

@ -30,7 +30,7 @@ let
occ = pkgs.writeScriptBin "nextcloud-occ" ''
#! ${pkgs.stdenv.shell}
cd ${pkgs.nextcloud}
cd ${cfg.package}
sudo=exec
if [[ "$USER" != nextcloud ]]; then
sudo='exec /run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR'
@ -42,6 +42,8 @@ let
occ $*
'';
inherit (config.system) stateVersion;
in {
options.services.nextcloud = {
enable = mkEnableOption "nextcloud";
@ -64,6 +66,11 @@ in {
default = false;
description = "Use https for generated links.";
};
package = mkOption {
type = types.package;
description = "Which package to use for the Nextcloud instance.";
relatedPackages = [ "nextcloud17" "nextcloud18" ];
};
maxUploadSize = mkOption {
default = "512M";
@ -309,10 +316,31 @@ in {
}
];
warnings = optional (cfg.poolConfig != null) ''
Using config.services.nextcloud.poolConfig is deprecated and will become unsupported in a future release.
Please migrate your configuration to config.services.nextcloud.poolSettings.
'';
warnings = []
++ (optional (cfg.poolConfig != null) ''
Using config.services.nextcloud.poolConfig is deprecated and will become unsupported in a future release.
Please migrate your configuration to config.services.nextcloud.poolSettings.
'')
++ (optional (versionOlder cfg.package.version "18") ''
You're currently deploying an older version of Nextcloud. This may be needed
since Nextcloud doesn't allow major version upgrades across multiple versions (i.e. an
upgrade from 16 is possible to 17, but not to 18).
Please deploy this to your server and wait until the migration is finished. After
that you can deploy to the latest Nextcloud version available.
'');
services.nextcloud.package = with pkgs;
mkDefault (
if pkgs ? nextcloud
then throw ''
The `pkgs.nextcloud`-attribute has been removed. If it's supposed to be the default
nextcloud defined in an overlay, please set `services.nextcloud.package` to
`pkgs.nextcloud`.
''
else if versionOlder stateVersion "20.03" then nextcloud17
else nextcloud18
);
}
{ systemd.timers.nextcloud-cron = {
@ -407,7 +435,7 @@ in {
path = [ occ ];
script = ''
chmod og+x ${cfg.home}
ln -sf ${pkgs.nextcloud}/apps ${cfg.home}/
ln -sf ${cfg.package}/apps ${cfg.home}/
mkdir -p ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps
ln -sf ${overrideConfig} ${cfg.home}/config/override.config.php
@ -429,7 +457,7 @@ in {
environment.NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config";
serviceConfig.Type = "oneshot";
serviceConfig.User = "nextcloud";
serviceConfig.ExecStart = "${phpPackage}/bin/php -f ${pkgs.nextcloud}/cron.php";
serviceConfig.ExecStart = "${phpPackage}/bin/php -f ${cfg.package}/cron.php";
};
nextcloud-update-plugins = mkIf cfg.autoUpdateApps.enable {
serviceConfig.Type = "oneshot";
@ -471,7 +499,7 @@ in {
enable = true;
virtualHosts = {
${cfg.hostName} = {
root = pkgs.nextcloud;
root = cfg.package;
locations = {
"= /robots.txt" = {
priority = 100;

48
nixos/modules/services/web-apps/nextcloud.xml
View file

@ -113,5 +113,53 @@
maintenance:install</literal>! This command tries to install the application
and can cause unwanted side-effects!</para>
</warning>
<para>
Nextcloud doesn't allow to move more than one major-version forward. If you're e.g. on
<literal>v16</literal>, you cannot upgrade to <literal>v18</literal>, you need to upgrade to
<literal>v17</literal> first. This is ensured automatically as long as the
<link linkend="opt-system.stateVersion">stateVersion</link> is declared properly. In that case
the oldest version available (one major behind the one from the previous NixOS
release) will be selected by default and the module will generate a warning that reminds
the user to upgrade to latest Nextcloud <emphasis>after</emphasis> that deploy.
</para>
</section>
<section xml:id="module-services-nextcloud-maintainer-info">
<title>Maintainer information</title>
<para>
As stated in the previous paragraph, we must provide a clean upgrade-path for Nextcloud
since it cannot move more than one major version forward on a single upgrade. This chapter
adds some notes how Nextcloud updates should be rolled out in the future.
</para>
<para>
While minor and patch-level updates are no problem and can be done directly in the
package-expression (and should be backported to supported stable branches after that),
major-releases should be added in a new attribute (e.g. Nextcloud <literal>v19.0.0</literal>
should be available in <literal>nixpkgs</literal> as <literal>pkgs.nextcloud19</literal>).
To provide simple upgrade paths it's generally useful to backport those as well to stable
branches. As long as the package-default isn't altered, this won't break existing setups.
After that, the versioning-warning in the <literal>nextcloud</literal>-module should be
updated to make sure that the
<link linkend="opt-services.nextcloud.package">package</link>-option selects the latest version
on fresh setups.
</para>
<para>
If major-releases will be abandoned by upstream, we should check first if those are needed
in NixOS for a safe upgrade-path before removing those. In that case we shold keep those
packages, but mark them as insecure in an expression like this (in
<literal>&lt;nixpkgs/pkgs/servers/nextcloud/default.nix&gt;</literal>):
<programlisting>/* ... */
{
nextcloud17 = generic {
version = "17.0.x";
sha256 = "0000000000000000000000000000000000000000000000000000";
insecure = true;
};
}</programlisting>
</para>
</section>
</chapter>

22
nixos/modules/services/web-servers/nginx/default.nix
View file

@ -46,6 +46,15 @@ let
}
''));
commonHttpConfig = ''
# The mime type definitions included with nginx are very incomplete, so
# we use a list of mime types from the mailcap package, which is also
# used by most other Linux distributions by default.
include ${pkgs.mailcap}/etc/nginx/mime.types;
include ${cfg.package}/conf/fastcgi.conf;
include ${cfg.package}/conf/uwsgi_params;
'';
configFile = pkgs.writers.writeNginxConfig "nginx.conf" ''
pid /run/nginx/nginx.pid;
error_log ${cfg.logError};
@ -61,12 +70,7 @@ let
${optionalString (cfg.httpConfig == "" && cfg.config == "") ''
http {
# The mime type definitions included with nginx are very incomplete, so
# we use a list of mime types from the mailcap package, which is also
# used by most other Linux distributions by default.
include ${pkgs.mailcap}/etc/nginx/mime.types;
include ${cfg.package}/conf/fastcgi.conf;
include ${cfg.package}/conf/uwsgi_params;
${commonHttpConfig}
${optionalString (cfg.resolver.addresses != []) ''
resolver ${toString cfg.resolver.addresses} ${optionalString (cfg.resolver.valid != "") "valid=${cfg.resolver.valid}"} ${optionalString (!cfg.resolver.ipv6) "ipv6=off"};
@ -79,7 +83,7 @@ let
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
types_hash_max_size 4096;
''}
ssl_protocols ${cfg.sslProtocols};
@ -172,9 +176,7 @@ let
${optionalString (cfg.httpConfig != "") ''
http {
include ${cfg.package}/conf/mime.types;
include ${cfg.package}/conf/fastcgi.conf;
include ${cfg.package}/conf/uwsgi_params;
${common.httpConfig}
${cfg.httpConfig}
}''}

3
nixos/modules/services/x11/xserver.nix
View file

@ -651,8 +651,7 @@ in
systemd.services.display-manager =
{ description = "X11 Server";
after = [ "systemd-udev-settle.service" "acpid.service" "systemd-logind.service" ];
wants = [ "systemd-udev-settle.service" ];
after = [ "acpid.service" "systemd-logind.service" ];
restartIfChanged = false;

176
nixos/modules/system/boot/initrd-ssh.nix
View file

@ -10,19 +10,21 @@ in
{
options = {
boot.initrd.network.ssh.enable = mkOption {
options.boot.initrd.network.ssh = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Start SSH service during initrd boot. It can be used to debug failing
boot on a remote server, enter pasphrase for an encrypted partition etc.
Service is killed when stage-1 boot is finished.
The sshd configuration is largely inherited from
<option>services.openssh</option>.
'';
};
boot.initrd.network.ssh.port = mkOption {
port = mkOption {
type = types.int;
default = 22;
description = ''
@ -30,7 +32,7 @@ in
'';
};
boot.initrd.network.ssh.shell = mkOption {
shell = mkOption {
type = types.str;
default = "/bin/ash";
description = ''
@ -38,95 +40,163 @@ in
'';
};
boot.initrd.network.ssh.hostRSAKey = mkOption {
type = types.nullOr types.path;
default = null;
hostKeys = mkOption {
type = types.listOf (types.either types.str types.path);
default = [];
example = [
"/etc/secrets/initrd/ssh_host_rsa_key"
"/etc/secrets/initrd/ssh_host_ed25519_key"
];
description = ''
RSA SSH private key file in the Dropbear format.
Specify SSH host keys to import into the initrd.
WARNING: Unless your bootloader supports initrd secrets, this key is
contained insecurely in the global Nix store. Do NOT use your regular
SSH host private keys for this purpose or you'll expose them to
regular users!
To generate keys, use
<citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry>:
<screen>
<prompt># </prompt>ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
<prompt># </prompt>ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed_25519_key
</screen>
<warning>
<para>
Unless your bootloader supports initrd secrets, these keys
are stored insecurely in the global Nix store. Do NOT use
your regular SSH host private keys for this purpose or
you'll expose them to regular users!
</para>
<para>
Additionally, even if your initrd supports secrets, if
you're using initrd SSH to unlock an encrypted disk then
using your regular host keys exposes the private keys on
your unencrypted boot partition.
</para>
</warning>
'';
};
boot.initrd.network.ssh.hostDSSKey = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
DSS SSH private key file in the Dropbear format.
WARNING: Unless your bootloader supports initrd secrets, this key is
contained insecurely in the global Nix store. Do NOT use your regular
SSH host private keys for this purpose or you'll expose them to
regular users!
'';
};
boot.initrd.network.ssh.hostECDSAKey = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
ECDSA SSH private key file in the Dropbear format.
WARNING: Unless your bootloader supports initrd secrets, this key is
contained insecurely in the global Nix store. Do NOT use your regular
SSH host private keys for this purpose or you'll expose them to
regular users!
'';
};
boot.initrd.network.ssh.authorizedKeys = mkOption {
authorizedKeys = mkOption {
type = types.listOf types.str;
default = config.users.users.root.openssh.authorizedKeys.keys;
defaultText = "config.users.users.root.openssh.authorizedKeys.keys";
description = ''
Authorized keys for the root user on initrd.
Note that Dropbear doesn't support OpenSSH's Ed25519 key type.
'';
};
};
config = mkIf (config.boot.initrd.network.enable && cfg.enable) {
imports =
map (opt: mkRemovedOptionModule ([ "boot" "initrd" "network" "ssh" ] ++ [ opt ]) ''
The initrd SSH functionality now uses OpenSSH rather than Dropbear.
If you want to keep your existing initrd SSH host keys, convert them with
$ dropbearconvert dropbear openssh dropbear_host_$type_key ssh_host_$type_key
and then set options.boot.initrd.network.ssh.hostKeys.
'') [ "hostRSAKey" "hostDSSKey" "hostECDSAKey" ];
config = let
# Nix complains if you include a store hash in initrd path names, so
# as an awful hack we drop the first character of the hash.
initrdKeyPath = path: if isString path
then path
else let name = builtins.baseNameOf path; in
builtins.unsafeDiscardStringContext ("/etc/ssh/" +
substring 1 (stringLength name) name);
sshdCfg = config.services.openssh;
sshdConfig = ''
Port ${toString cfg.port}
PasswordAuthentication no
ChallengeResponseAuthentication no
${flip concatMapStrings cfg.hostKeys (path: ''
HostKey ${initrdKeyPath path}
'')}
KexAlgorithms ${concatStringsSep "," sshdCfg.kexAlgorithms}
Ciphers ${concatStringsSep "," sshdCfg.ciphers}
MACs ${concatStringsSep "," sshdCfg.macs}
LogLevel ${sshdCfg.logLevel}
${if sshdCfg.useDns then ''
UseDNS yes
'' else ''
UseDNS no
''}
'';
in mkIf (config.boot.initrd.network.enable && cfg.enable) {
assertions = [
{ assertion = cfg.authorizedKeys != [];
{
assertion = cfg.authorizedKeys != [];
message = "You should specify at least one authorized key for initrd SSH";
}
{
assertion = cfg.hostKeys != [];
message = ''
You must now pre-generate the host keys for initrd SSH.
See the boot.inird.network.ssh.hostKeys documentation
for instructions.
'';
}
];
boot.initrd.extraUtilsCommands = ''
copy_bin_and_libs ${pkgs.dropbear}/bin/dropbear
copy_bin_and_libs ${pkgs.openssh}/bin/sshd
cp -pv ${pkgs.glibc.out}/lib/libnss_files.so.* $out/lib
'';
boot.initrd.extraUtilsCommandsTest = ''
$out/bin/dropbear -V
# sshd requires a host key to check config, so we pass in the test's
echo -n ${escapeShellArg sshdConfig} |
$out/bin/sshd -t -f /dev/stdin \
-h ${../../../tests/initrd-network-ssh/ssh_host_ed25519_key}
'';
boot.initrd.network.postCommands = ''
echo '${cfg.shell}' > /etc/shells
echo 'root:x:0:0:root:/root:${cfg.shell}' > /etc/passwd
echo 'sshd:x:1:1:sshd:/var/empty:/bin/nologin' >> /etc/passwd
echo 'passwd: files' > /etc/nsswitch.conf
mkdir -p /var/log
mkdir -p /var/log /var/empty
touch /var/log/lastlog
mkdir -p /etc/dropbear
mkdir -p /etc/ssh
echo -n ${escapeShellArg sshdConfig} > /etc/ssh/sshd_config
echo "export PATH=$PATH" >> /etc/profile
echo "export LD_LIBRARY_PATH=$LD_LIBRARY_PATH" >> /etc/profile
mkdir -p /root/.ssh
${concatStrings (map (key: ''
echo ${escapeShellArg key} >> /root/.ssh/authorized_keys
'') cfg.authorizedKeys)}
dropbear -s -j -k -E -p ${toString cfg.port} ${optionalString (cfg.hostRSAKey == null && cfg.hostDSSKey == null && cfg.hostECDSAKey == null) "-R"}
${flip concatMapStrings cfg.hostKeys (path: ''
# keys from Nix store are world-readable, which sshd doesn't like
chmod 0600 "${initrdKeyPath path}"
'')}
/bin/sshd -e
'';
boot.initrd.secrets =
(optionalAttrs (cfg.hostRSAKey != null) { "/etc/dropbear/dropbear_rsa_host_key" = cfg.hostRSAKey; }) //
(optionalAttrs (cfg.hostDSSKey != null) { "/etc/dropbear/dropbear_dss_host_key" = cfg.hostDSSKey; }) //
(optionalAttrs (cfg.hostECDSAKey != null) { "/etc/dropbear/dropbear_ecdsa_host_key" = cfg.hostECDSAKey; });
boot.initrd.postMountCommands = ''
# Stop sshd cleanly before stage 2.
#
# If you want to keep it around to debug post-mount SSH issues,
# run `touch /.keep_sshd` (either from an SSH session or in
# another initrd hook like preDeviceCommands).
if ! [ -e /.keep_sshd ]; then
pkill -x sshd
fi
'';
boot.initrd.secrets = listToAttrs
(map (path: nameValuePair (initrdKeyPath path) path) cfg.hostKeys);
};
}

5
nixos/modules/system/boot/stage-1.nix
View file

@ -142,7 +142,10 @@ let
let source' = if source == null then dest else source; in
''
mkdir -p $(dirname "$out/secrets/${dest}")
cp -a ${source'} "$out/secrets/${dest}"
# Some programs (e.g. ssh) doesn't like secrets to be
# symlinks, so we use `cp -L` here to match the
# behaviour when secrets are natively supported.
cp -Lr ${source'} "$out/secrets/${dest}"
''
) config.boot.initrd.secrets))
}

1
nixos/modules/tasks/filesystems/zfs.nix
View file

@ -478,6 +478,7 @@ in
createImportService = pool:
nameValuePair "zfs-import-${pool}" {
description = "Import ZFS pool \"${pool}\"";
# we need systemd-udev-settle until https://github.com/zfsonlinux/zfs/pull/4943 is merged
requires = [ "systemd-udev-settle.service" ];
after = [ "systemd-udev-settle.service" "systemd-modules-load.service" ];
wantedBy = (getPoolMounts pool) ++ [ "local-fs.target" ];

2
nixos/release-small.nix
View file

@ -28,7 +28,7 @@ let
in rec {
nixos = {
inherit (nixos') channel manual iso_minimal dummy;
inherit (nixos') channel manual options iso_minimal dummy;
tests = {
inherit (nixos'.tests)
containers-imperative

4
nixos/tests/all-tests.nix
View file

@ -97,6 +97,7 @@ in
fontconfig-default-fonts = handleTest ./fontconfig-default-fonts.nix {};
freeswitch = handleTest ./freeswitch.nix {};
fsck = handleTest ./fsck.nix {};
gerrit = handleTest ./gerrit.nix {};
gotify-server = handleTest ./gotify-server.nix {};
grocy = handleTest ./grocy.nix {};
gitdaemon = handleTest ./gitdaemon.nix {};
@ -210,6 +211,7 @@ in
nghttpx = handleTest ./nghttpx.nix {};
nginx = handleTest ./nginx.nix {};
nginx-etag = handleTest ./nginx-etag.nix {};
nginx-pubhtml = handleTest ./nginx-pubhtml.nix {};
nginx-sso = handleTest ./nginx-sso.nix {};
nix-ssh-serve = handleTest ./nix-ssh-serve.nix {};
nixos-generate-config = handleTest ./nixos-generate-config.nix {};
@ -250,6 +252,7 @@ in
prosodyMysql = handleTest ./xmpp/prosody-mysql.nix {};
proxy = handleTest ./proxy.nix {};
quagga = handleTest ./quagga.nix {};
quorum = handleTest ./quorum.nix {};
rabbitmq = handleTest ./rabbitmq.nix {};
radarr = handleTest ./radarr.nix {};
radicale = handleTest ./radicale.nix {};
@ -306,6 +309,7 @@ in
vault = handleTest ./vault.nix {};
victoriametrics = handleTest ./victoriametrics.nix {};
virtualbox = handleTestOn ["x86_64-linux"] ./virtualbox.nix {};
wg-quick = handleTest ./wireguard/wg-quick.nix {};
wireguard = handleTest ./wireguard {};
wireguard-generated = handleTest ./wireguard/generated.nix {};
wireguard-namespaces = handleTest ./wireguard/namespaces.nix {};

56
nixos/tests/gerrit.nix Normal file
View file

@ -0,0 +1,56 @@
import ./make-test-python.nix ({ pkgs, ... }:
let
lfs = pkgs.fetchurl {
url = "https://gerrit-ci.gerritforge.com/job/plugin-lfs-bazel-master/90/artifact/bazel-bin/plugins/lfs/lfs.jar";
sha256 = "023b0kd8djm3cn1lf1xl67yv3j12yl8bxccn42lkfmwxjwjfqw6h";
};
in {
name = "gerrit";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ flokli zimbatm ];
};
nodes = {
server =
{ config, pkgs, ... }: {
networking.firewall.allowedTCPPorts = [ 80 2222 ];
virtualisation.memorySize = 1024;
services.gerrit = {
enable = true;
serverId = "aa76c84b-50b0-4711-a0a0-1ee30e45bbd0";
listenAddress = "[::]:80";
jvmPackage = pkgs.jdk12_headless;
jvmHeapLimit = "1g";
plugins = [ lfs ];
builtinPlugins = [ "hooks" "webhooks" ];
settings = {
gerrit.canonicalWebUrl = "http://server";
lfs.plugin = "lfs";
plugins.allowRemoteAdmin = true;
sshd.listenAddress = "[::]:2222";
sshd.advertisedAddress = "[::]:2222";
};
};
};
client =
{ ... }: {
};
};
testScript = ''
start_all()
server.wait_for_unit("gerrit.service")
server.wait_for_open_port(80)
client.succeed("curl http://server")
server.wait_for_open_port(2222)
client.succeed("nc -z server 2222")
'';
})

22
nixos/tests/initrd-network-ssh/default.nix
View file

@ -3,7 +3,7 @@ import ../make-test-python.nix ({ lib, ... }:
{
name = "initrd-network-ssh";
meta = with lib.maintainers; {
maintainers = [ willibutz ];
maintainers = [ willibutz emily ];
};
nodes = with lib; {
@ -17,9 +17,9 @@ import ../make-test-python.nix ({ lib, ... }:
enable = true;
ssh = {
enable = true;
authorizedKeys = [ "${readFile ./openssh.pub}" ];
authorizedKeys = [ (readFile ./id_ed25519.pub) ];
port = 22;
hostRSAKey = ./dropbear.priv;
hostKeys = [ ./ssh_host_ed25519_key ];
};
};
boot.initrd.preLVMCommands = ''
@ -42,11 +42,11 @@ import ../make-test-python.nix ({ lib, ... }:
"${toString (head (splitString " " (
toString (elemAt (splitString "\n" config.networking.extraHosts) 2)
)))} "
"${readFile ./dropbear.pub}"
"${readFile ./ssh_host_ed25519_key.pub}"
];
};
sshKey = {
source = ./openssh.priv; # dont use this anywhere else
source = ./id_ed25519;
mode = "0600";
};
};
@ -56,7 +56,17 @@ import ../make-test-python.nix ({ lib, ... }:
testScript = ''
start_all()
client.wait_for_unit("network.target")
client.wait_until_succeeds("ping -c 1 server")
def ssh_is_up(_) -> bool:
status, _ = client.execute("nc -z server 22")
return status == 0
with client.nested("waiting for SSH server to come up"):
retry(ssh_is_up)
client.succeed(
"ssh -i /etc/sshKey -o UserKnownHostsFile=/etc/knownHosts server 'touch /fnord'"
)

BIN
nixos/tests/initrd-network-ssh/dropbear.priv
View file

Binary file not shown.

1
nixos/tests/initrd-network-ssh/dropbear.pub
View file

@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCzJ0OniLB91MpPC86I1m3wwJeAc+Gme7bAuaLIU/cSfPwxT5NO7MfCp0Pu94gYDKtDXMs/wXg0bTAVDeAFFkdIj6kBBumEmQLCTL48q2UxDIXVLT/E/AAgj6q7WwgCg7fwm4Vjn4z7aUyBx8EfRy+5/SQyeYla3D/lFYgMi5x4D6J+yeR+JPAptDE/IR5IizNV7mY0ZcoXYyHrrehI1tTYEEqjX13ZqS4OCBFWwHe1QHhRNM+jHhcATbgikjAj8FyFPtLvc+dSVtkuhQktQl36Bi8zMUQcV6+mM7Ln6DBcDlM9urHKLYPTWmUAyhxM955iglOn5z0RaAIcyNMT6hz0rHaNf0BIlmbXoTC0XGjHh/OnoOEC/zg0JqgQTnPiU45K4TnRSSXp2GfiDfiQAK0+HaXACkjuFR68u7WCZpB1Bse1OgKNClFqtRhIr5DilUb2/e5DCCmFkddMUcjmYqzZdbXNt7fo8CFULe+mbiCp8+tMg4aRTaDZ/Hk93nCvGE5TP2ypEMbfL6nRVKvXOjhdvSQQgKwx+O003FDEHCSG0Bpageh7yVpna+SPrbGklce7MjTpbx3iIwmvKpQ6asnK1L3KkahpY1S3NhQ+/S3Gs8KWQ5LAU+d3xiPX3jfIVHsCIIyxHDbwcJvxM4MFBFQpqRMD6E+LoM9RHjl4C9k2iQ== tmtynkky@duuni

8
nixos/tests/initrd-network-ssh/generate-keys.nix
View file

@ -1,12 +1,10 @@
with import ../../.. {};
runCommand "gen-keys" {
buildInputs = [ dropbear openssh ];
buildInputs = [ openssh ];
}
''
mkdir $out
dropbearkey -t rsa -f $out/dropbear.priv -s 4096 | sed -n 2p > $out/dropbear.pub
ssh-keygen -q -t rsa -b 4096 -N "" -f client
mv client $out/openssh.priv
mv client.pub $out/openssh.pub
ssh-keygen -q -t ed25519 -N "" -f $out/ssh_host_ed25519_key
ssh-keygen -q -t ed25519 -N "" -f $out/id_ed25519
''

7
nixos/tests/initrd-network-ssh/id_ed25519 Normal file
View file

@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACAVcX+32Yqig25RxRA8bel/f604wV0p/63um+Oku/3vfwAAAJi/AJZMvwCW
TAAAAAtzc2gtZWQyNTUxOQAAACAVcX+32Yqig25RxRA8bel/f604wV0p/63um+Oku/3vfw
AAAEAPLjQusjrB90Lk3996G3AbtTeK+XweNgxaegYnml/A/RVxf7fZiqKDblHFEDxt6X9/
rTjBXSn/re6b46S7/e9/AAAAEG5peGJsZEBsb2NhbGhvc3QBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----

1
nixos/tests/initrd-network-ssh/id_ed25519.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBVxf7fZiqKDblHFEDxt6X9/rTjBXSn/re6b46S7/e9/ nixbld@localhost

51
nixos/tests/initrd-network-ssh/openssh.priv
View file

@ -1,51 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEA7+9A2PCPOTAlFmrablrUWA+VZdAuLfM6JXeHsOF7ZbC2F6lv
WmvDM925DQqhiAjcgWnt5WHWS5Y+b7lGnuzT7fyKegXd80nCRmqlpSG3srX0/lxR
aQAJLzfoDjcsF+ceswQo6GSsYnCHVxMNs007gbbVY3f7o+sWZtLdxJPD2iHvl5Zr
LK0d1RLMmU6cfIhIABlL0S8EWiv29RROepsCQnS0dnK2b+von1SCYoggvAMe2ToA
IAJ8+uqaYfGAyn9q8fjZiRHxLmKDq90tKoCUL5r/2dmEIE+t8T/3PfHoq1QzZts9
W9idhBdT21dEXBtGyoMtckp5njk5m82LQDYiOXkuSoIUhSOteh5g7fBv1BtVSERx
Jg3UeJjPeGKFwdnzapmAKC2w/6V8xcIINNA+fhZA7B9fD1RAi2TECZ+gyMYDc4T+
USlMSm9cfvSOrf2+5ngtFb84nHjqvClxCMLu+bCWK8HamqUzhE/a5LbR+48E7PyG
s3KV+sWFN9KOnakTjj/6iQhXZRhgeAK39F2XTk5Ms5Y+BRSStnMoMZA2grIV+jHi
1zbWokVqXPI5YRo5isR/PgtKAV6FfNWumcYoFJ9F40pMHQ6hJVEmtrCBx7EApSl3
mSGbQJUmilLC51qNhwQRbD//ZtpIrN82HTMKzZ6kj7kDCdsff+wsnkIXmmMCAwEA
AQKCAgA4tMINw6UF7hQF3VEsnbjr6xrzCiWv5HlMm5htPI1OdlpC81+G7ksfOfrf
UzDkFrwOtftsqBfem268Nvyy2OQprfMIbdSMCFWrEM9/XJ2u1gRGDYmMGF8TUtI8
cduw9oWx53zHl+uKBHBoKu+k/c7flFeQf63wisIroRCawhWau0SF/h3sXCndzuie
Hw8q+4aQx2m80bDkotlmCNuXbIU3MZ/pEql9gDLlXTLHmMaryM0EqAmZhx0ErGe6
WDqJIV4kPB0loSDwRoY6GzbugZ8ENUzcruTkQhCpIOYNNNw5idfwKkaxK1vm+SBv
iYt1fVjYyfH2vhVKSNoNsaGEloa1u4Dymt/FpFztEpRzHXcw93N8BdLxJ4OUhzm2
iAbpiyjniTIeAVVi7BUwLXh5WAx8nT0eeb1zKoZg1p1ciK5cYl1Uel7j8xRycsSW
3YgmtuPqY4Agbc9v3eXbQZNDk48JFMEqpIxk97FAkRYpzfxg5Qq14WJCp60CkdRt
T60hXy8lT/BcI8OWLfGJuBbsVLNRiC7PpwqRKQAinXSv134FpP7jrhpkMybs2oIS
5obRG7J5OfOTp925erG5mrpwqa3BPkgqx347Wj9z8quOZyuhi+XaPvqmPtvs5JOl
4RCqjt6RQlHm7xos9ZZGI4jDAIFaFWgyVZrYplOgwxWma4DTgQKCAQEA9+tizQRU
lF0lxNcEPvsFnYJo80Y+MQK9VdtlhR19YuSfwP1NCaMG1MhQ+PVBVmepOwJMRJR7
9PLfOouNMfixKBGP12dtStMuh7jowq/BxhRI6JWp3RhTZ1yJ9ouzHze7IDrEBa6w
p0hUu9H0Sbt51LXbC3JmTyhbdhfry559DfyGW1Ma/bv/pihL9B5Y7sNf1thNp1gi
GbQ9B+o2Yyw8ZD8zY+sl+aYDSWyCtcBV/KXEF74Bkfs/a5ExJ00X0jYj/TAp2ray
T4PY0FR8wN/O10bFLP9j+Xa/ywbcPhoj8nvVRIg9VfWT/QaEd+KR0EZVxdjCCqne
enbSQksTpAZNwQKCAQEA98E+BMmS+yHUVUhNZABtQ5avwuV4+DoSN8KTp3xwQ0CH
m9fWxSDs12FdyMhDxrJPeywvHtZ18/7cl3dr8wnFVE0s4ongnRDXsNk5xN6J3AaO
KqW4HF9cbwZqzLILy8TrO+EK/EQV9FypbrxqvxAlP1kezIA2CJNzVRAgimSuV/H7
05HTnp5W06fjtEf8U1CUrdNetoSROUo1j/IMGPYGlsBFYAGrj5y/BlKd+3T3kjRp
Xje7HpiykjrZHn0WDp04Ln+u9nveEewXmHKch313emt7HpW0xspp8JM8OZtEKozk
D5PfYdBfMJJOUlqovCCzTTJ6kNOahknKXFeO/qs5IwKCAQEAjF0/zhWikXF/fcfD
Bql2z2vTYdEmSvdjHSYff1Nn90K71DdVk5wytOxJM/sfp/z+yoMNjVKIL/IGQw5Z
va4xFx+CUhGjxlZ0pLEjT37U9gHsGYsK5jvslLvG/MixfH5AOwoqi5ERQVTpbIF9
jvVPEAh6YSu/ExglWGJIxTsRUIblxvTxdjEnl/p+rlM0RNJnA6vpo1J51BXA7CdF
7bZQ5u0Feo/bK1I70ClYg/DGfkmYEV0pZG5cxNkqfDbgwsqWa7YGLGd94xkh+ymq
jETqxeWyozxhbQ83nYpfzeVc7t//qlJ8b5uf0wUKoRmtNr9rtp13lzP/21REzPXW
w+oxwQKCAQAoAf2Y2lAw25KlPuq4ZlU+n9u8FkBFnWMJvBMJ7c9XHNmJMf6NkLaO
RTvWy3geYvbwxf7J9QnRH+vRTciR05cY+Olxn6A03N5nwXxRrToH3MsiWeZ0NnX/
u8KNUYcUHbV60ulqOThuYHQ/3I9EUUAijaqqjV2sXts19ke68W0x6HKpBJhuudT9
ktPzbdhyP8Xyl/pocNnerXwexZBsi3Ye6+eIDFz+8OnsBHVcgNPluS72tvsxgqj7
ciNTiBGCxKKo55eCWBhRPpXE2WUrf/hGPYsBMl2h6FfZMH1+M/N7B4tgdJmS+woU
Ftws8lTjJEiwA6HFN1ZxrwLNjJobx9yPAoIBAE0igsBuWWn6rXeOPylYg4264XOq
8gb94pte2n9amDgCzyCn8m6AL3snLC/AoCD19DK+gyK0ukoesXPa3iX6w2xv69ZC
urDx36Jhd4zrJb4QsFPoeKfDP+UvNVZaS41vipRRzY/y11em15prUZ4U8FA/UT1Y
FzkBo9r6iUZRnyBLppMuEfWASDtuRNmeIHynoT1AcQOH3l9vR210iEpmAuJr0CYA
bvTuz3UzzGGEAuIUvuaiRtkfKY52jBmiEr7SSPCr1HvLj3Ccz8bgjgR2kiXmcU50
1zLnaPAD44LZ/0Fjqj+PimQGT6K7CNXPllmYh7MvoU52g3SVPf6rHlIR0Nc=
-----END RSA PRIVATE KEY-----

1
nixos/tests/initrd-network-ssh/openssh.pub
View file

@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDv70DY8I85MCUWatpuWtRYD5Vl0C4t8zold4ew4XtlsLYXqW9aa8Mz3bkNCqGICNyBae3lYdZLlj5vuUae7NPt/Ip6Bd3zScJGaqWlIbeytfT+XFFpAAkvN+gONywX5x6zBCjoZKxicIdXEw2zTTuBttVjd/uj6xZm0t3Ek8PaIe+XlmssrR3VEsyZTpx8iEgAGUvRLwRaK/b1FE56mwJCdLR2crZv6+ifVIJiiCC8Ax7ZOgAgAnz66pph8YDKf2rx+NmJEfEuYoOr3S0qgJQvmv/Z2YQgT63xP/c98eirVDNm2z1b2J2EF1PbV0RcG0bKgy1ySnmeOTmbzYtANiI5eS5KghSFI616HmDt8G/UG1VIRHEmDdR4mM94YoXB2fNqmYAoLbD/pXzFwgg00D5+FkDsH18PVECLZMQJn6DIxgNzhP5RKUxKb1x+9I6t/b7meC0VvziceOq8KXEIwu75sJYrwdqapTOET9rkttH7jwTs/IazcpX6xYU30o6dqROOP/qJCFdlGGB4Arf0XZdOTkyzlj4FFJK2cygxkDaCshX6MeLXNtaiRWpc8jlhGjmKxH8+C0oBXoV81a6ZxigUn0XjSkwdDqElUSa2sIHHsQClKXeZIZtAlSaKUsLnWo2HBBFsP/9m2kis3zYdMwrNnqSPuQMJ2x9/7CyeQheaYw== tmtynkky@duuni

7
nixos/tests/initrd-network-ssh/ssh_host_ed25519_key Normal file
View file

@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACDP9Mz6qlxdQqA4omrgbOlVsxSGONCJstjW9zqquajlIAAAAJg0WGFGNFhh
RgAAAAtzc2gtZWQyNTUxOQAAACDP9Mz6qlxdQqA4omrgbOlVsxSGONCJstjW9zqquajlIA
AAAEA0Hjs7LfFPdTf3ThGx6GNKvX0ItgzgXs91Z3oGIaF6S8/0zPqqXF1CoDiiauBs6VWz
FIY40Imy2Nb3Oqq5qOUgAAAAEG5peGJsZEBsb2NhbGhvc3QBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----

1
nixos/tests/initrd-network-ssh/ssh_host_ed25519_key.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/0zPqqXF1CoDiiauBs6VWzFIY40Imy2Nb3Oqq5qOUg nixbld@localhost

1
nixos/tests/installer.nix
View file

@ -104,7 +104,6 @@ let
with subtest("Assert readiness of login prompt"):
machine.succeed("echo hello")
machine.wait_for_unit("nixos-manual")
with subtest("Wait for hard disks to appear in /dev"):
machine.succeed("udevadm settle")

84
nixos/tests/mongodb.nix
View file

@ -1,42 +1,52 @@
# This test start mongodb, runs a query using mongo shell
import ./make-test-python.nix ({ pkgs, ...} : let
testQuery = pkgs.writeScript "nixtest.js" ''
db.greetings.insert({ "greeting": "hello" });
print(db.greetings.findOne().greeting);
'';
in {
name = "mongodb";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ bluescreen303 offline cstrahan rvl phile314 ];
};
import ./make-test-python.nix ({ pkgs, ... }:
let
testQuery = pkgs.writeScript "nixtest.js" ''
db.greetings.insert({ "greeting": "hello" });
print(db.greetings.findOne().greeting);
'';
nodes = {
one =
{ ... }:
{
services = {
mongodb.enable = true;
mongodb.enableAuth = true;
mongodb.initialRootPassword = "root";
mongodb.initialScript = pkgs.writeText "mongodb_initial.js" ''
db = db.getSiblingDB("nixtest");
db.createUser({user:"nixtest",pwd:"nixtest",roles:[{role:"readWrite",db:"nixtest"}]});
'';
mongodb.extraConfig = ''
# Allow starting engine with only a small virtual disk
storage.journal.enabled: false
storage.mmapv1.smallFiles: true
'';
};
};
runMongoDBTest = pkg: ''
node.execute("(rm -rf data || true) && mkdir data")
node.execute(
"${pkg}/bin/mongod --fork --logpath logs --dbpath data"
)
node.wait_for_open_port(27017)
assert "hello" in node.succeed(
"mongo ${testQuery}"
)
node.execute(
"${pkg}/bin/mongod --shutdown --dbpath data"
)
node.wait_for_closed_port(27017)
'';
in {
name = "mongodb";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ bluescreen303 offline cstrahan rvl phile314 ];
};
testScript = ''
start_all()
one.wait_for_unit("mongodb.service")
one.succeed(
"mongo -u nixtest -p nixtest nixtest ${testQuery} | grep -q hello"
)
'';
})
nodes = {
node = {...}: {
environment.systemPackages = with pkgs; [
# mongodb-3_4
mongodb-3_6
mongodb-4_0
];
};
};
testScript = ''
node.start()
''
# + runMongoDBTest pkgs.mongodb-3_4
+ runMongoDBTest pkgs.mongodb-3_6
+ runMongoDBTest pkgs.mongodb-4_0
+ ''
node.shutdown()
'';
})

20
nixos/tests/nginx-pubhtml.nix Normal file
View file

@ -0,0 +1,20 @@
import ./make-test-python.nix {
name = "nginx-pubhtml";
machine = { pkgs, ... }: {
services.nginx.enable = true;
services.nginx.virtualHosts.localhost = {
locations."~ ^/\\~([a-z0-9_]+)(/.*)?$".alias = "/home/$1/public_html$2";
};
users.users.foo.isNormalUser = true;
};
testScript = ''
machine.wait_for_unit("nginx")
machine.wait_for_open_port(80)
machine.succeed("chmod 0711 /home/foo")
machine.succeed("su -c 'mkdir -p /home/foo/public_html' foo")
machine.succeed("su -c 'echo bar > /home/foo/public_html/bar.txt' foo")
machine.succeed('test "$(curl -fvvv http://localhost/~foo/bar.txt)" = bar')
'';
}

79
nixos/tests/quorum.nix Normal file
View file

@ -0,0 +1,79 @@
import ./make-test-python.nix ({ pkgs, ... }: {
name = "quorum";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ mmahut ];
};
nodes = {
machine = { ... }: {
services.quorum = {
enable = true;
permissioned = false;
staticNodes = [ "enode://dd333ec28f0a8910c92eb4d336461eea1c20803eed9cf2c056557f986e720f8e693605bba2f4e8f289b1162e5ac7c80c914c7178130711e393ca76abc1d92f57@0.0.0.0:30303?discport=0" ];
genesis = {
alloc = {
"189d23d201b03ae1cf9113672df29a5d672aefa3" = {
balance = "0x446c3b15f9926687d2c40534fdb564000000000000";
};
"44b07d2c28b8ed8f02b45bd84ac7d9051b3349e6" = {
balance = "0x446c3b15f9926687d2c40534fdb564000000000000";
};
"4c1ccd426833b9782729a212c857f2f03b7b4c0d" = {
balance = "0x446c3b15f9926687d2c40534fdb564000000000000";
};
"7ae555d0f6faad7930434abdaac2274fd86ab516" = {
balance = "0x446c3b15f9926687d2c40534fdb564000000000000";
};
c1056df7c02b6f1a353052eaf0533cc7cb743b52 = {
balance = "0x446c3b15f9926687d2c40534fdb564000000000000";
};
};
coinbase = "0x0000000000000000000000000000000000000000";
config = {
byzantiumBlock = 1;
chainId = 10;
eip150Block = 1;
eip150Hash =
"0x0000000000000000000000000000000000000000000000000000000000000000";
eip155Block = 1;
eip158Block = 1;
isQuorum = true;
istanbul = {
epoch = 30000;
policy = 0;
};
};
difficulty = "0x1";
extraData =
"0x0000000000000000000000000000000000000000000000000000000000000000f8aff869944c1ccd426833b9782729a212c857f2f03b7b4c0d94189d23d201b03ae1cf9113672df29a5d672aefa39444b07d2c28b8ed8f02b45bd84ac7d9051b3349e694c1056df7c02b6f1a353052eaf0533cc7cb743b52947ae555d0f6faad7930434abdaac2274fd86ab516b8410000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0";
gasLimit = "0xe0000000";
gasUsed = "0x0";
mixHash =
"0x63746963616c2062797a616e74696e65206661756c7420746f6c6572616e6365";
nonce = "0x0";
number = "0x0";
parentHash =
"0x0000000000000000000000000000000000000000000000000000000000000000";
timestamp = "0x5cffc201";
};
};
};
};
testScript = ''
start_all()
machine.wait_until_succeeds("mkdir -p /var/lib/quorum/keystore")
machine.wait_until_succeeds(
'echo \{\\"address\\":\\"9377bc3936de934c497e22917b81aa8774ac3bb0\\",\\"crypto\\":\{\\"cipher\\":\\"aes-128-ctr\\",\\"ciphertext\\":\\"ad8341d8ef225650403fd366c955f41095e438dd966a3c84b3d406818c1e366c\\",\\"cipherparams\\":\{\\"iv\\":\\"2a09f7a72fd6dff7c43150ff437e6ac2\\"\},\\"kdf\\":\\"scrypt\\",\\"kdfparams\\":\{\\"dklen\\":32,\\"n\\":262144,\\"p\\":1,\\"r\\":8,\\"salt\\":\\"d1a153845bb80cd6274c87c5bac8ac09fdfac5ff131a6f41b5ed319667f12027\\"\},\\"mac\\":\\"a9621ad88fa1d042acca6fc2fcd711f7e05bfbadea3f30f379235570c8e270d3\\"\},\\"id\\":\\"89e847a3-1527-42f6-a321-77de0a14ce02\\",\\"version\\":3\}\\" > /var/lib/quorum/keystore/UTC--2020-03-23T11-08-34.144812212Z--9377bc3936de934c497e22917b81aa8774ac3bb0'
)
machine.wait_until_succeeds(
"echo fe2725c4e8f7617764b845e8d939a65c664e7956eb47ed7d934573f16488efc1 > /var/lib/quorum/nodekey"
)
machine.wait_until_succeeds("systemctl restart quorum")
machine.wait_for_unit("quorum.service")
machine.sleep(15)
machine.wait_until_succeeds(
'geth attach /var/lib/quorum/geth.ipc --exec "eth.accounts" | grep 0x9377bc3936de934c497e22917b81aa8774ac3bb0'
)
'';
})

138
nixos/tests/wireguard/default.nix
View file

@ -1,97 +1,71 @@
let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
in
import ../make-test-python.nix ({ pkgs, lib, ...} :
let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
peer = (import ./make-peer.nix) { inherit lib; };
in
{
name = "wireguard";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ ma27 ];
};
import ../make-test-python.nix ({ pkgs, ...} : {
name = "wireguard";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ ma27 ];
};
nodes = {
peer0 = peer {
ip4 = "192.168.0.1";
ip6 = "fd00::1";
extraConfig = {
networking.firewall.allowedUDPPorts = [ 23542 ];
networking.wireguard.interfaces.wg0 = {
ips = [ "10.23.42.1/32" "fc00::1/128" ];
listenPort = 23542;
nodes = {
peer0 = { lib, ... }: {
boot.kernel.sysctl = {
"net.ipv6.conf.all.forwarding" = "1";
"net.ipv6.conf.default.forwarding" = "1";
"net.ipv4.ip_forward" = "1";
};
inherit (wg-snakeoil-keys.peer0) privateKey;
networking.useDHCP = false;
networking.interfaces.eth1 = {
ipv4.addresses = lib.singleton {
address = "192.168.0.1";
prefixLength = 24;
};
ipv6.addresses = lib.singleton {
address = "fd00::1";
prefixLength = 64;
peers = lib.singleton {
allowedIPs = [ "10.23.42.2/32" "fc00::2/128" ];
inherit (wg-snakeoil-keys.peer1) publicKey;
};
};
};
};
networking.firewall.allowedUDPPorts = [ 23542 ];
networking.wireguard.interfaces.wg0 = {
ips = [ "10.23.42.1/32" "fc00::1/128" ];
listenPort = 23542;
peer1 = peer {
ip4 = "192.168.0.2";
ip6 = "fd00::2";
extraConfig = {
networking.wireguard.interfaces.wg0 = {
ips = [ "10.23.42.2/32" "fc00::2/128" ];
listenPort = 23542;
allowedIPsAsRoutes = false;
inherit (wg-snakeoil-keys.peer0) privateKey;
inherit (wg-snakeoil-keys.peer1) privateKey;
peers = lib.singleton {
allowedIPs = [ "10.23.42.2/32" "fc00::2/128" ];
peers = lib.singleton {
allowedIPs = [ "0.0.0.0/0" "::/0" ];
endpoint = "192.168.0.1:23542";
persistentKeepalive = 25;
inherit (wg-snakeoil-keys.peer1) publicKey;
inherit (wg-snakeoil-keys.peer0) publicKey;
};
postSetup = let inherit (pkgs) iproute; in ''
${iproute}/bin/ip route replace 10.23.42.1/32 dev wg0
${iproute}/bin/ip route replace fc00::1/128 dev wg0
'';
};
};
};
};
peer1 = { pkgs, lib, ... }: {
boot.kernel.sysctl = {
"net.ipv6.conf.all.forwarding" = "1";
"net.ipv6.conf.default.forwarding" = "1";
"net.ipv4.ip_forward" = "1";
};
testScript = ''
start_all()
networking.useDHCP = false;
networking.interfaces.eth1 = {
ipv4.addresses = lib.singleton {
address = "192.168.0.2";
prefixLength = 24;
};
ipv6.addresses = lib.singleton {
address = "fd00::2";
prefixLength = 64;
};
};
peer0.wait_for_unit("wireguard-wg0.service")
peer1.wait_for_unit("wireguard-wg0.service")
networking.wireguard.interfaces.wg0 = {
ips = [ "10.23.42.2/32" "fc00::2/128" ];
listenPort = 23542;
allowedIPsAsRoutes = false;
inherit (wg-snakeoil-keys.peer1) privateKey;
peers = lib.singleton {
allowedIPs = [ "0.0.0.0/0" "::/0" ];
endpoint = "192.168.0.1:23542";
persistentKeepalive = 25;
inherit (wg-snakeoil-keys.peer0) publicKey;
};
postSetup = let inherit (pkgs) iproute; in ''
${iproute}/bin/ip route replace 10.23.42.1/32 dev wg0
${iproute}/bin/ip route replace fc00::1/128 dev wg0
'';
};
};
};
testScript = ''
start_all()
peer0.wait_for_unit("wireguard-wg0.service")
peer1.wait_for_unit("wireguard-wg0.service")
peer1.succeed("ping -c5 fc00::1")
peer1.succeed("ping -c5 10.23.42.1")
'';
})
peer1.succeed("ping -c5 fc00::1")
peer1.succeed("ping -c5 10.23.42.1")
'';
}
)

23
nixos/tests/wireguard/make-peer.nix Normal file
View file

@ -0,0 +1,23 @@
{ lib, ... }: { ip4, ip6, extraConfig }:
lib.mkMerge [
{
boot.kernel.sysctl = {
"net.ipv6.conf.all.forwarding" = "1";
"net.ipv6.conf.default.forwarding" = "1";
"net.ipv4.ip_forward" = "1";
};
networking.useDHCP = false;
networking.interfaces.eth1 = {
ipv4.addresses = [{
address = ip4;
prefixLength = 24;
}];
ipv6.addresses = [{
address = ip6;
prefixLength = 64;
}];
};
}
extraConfig
]

63
nixos/tests/wireguard/wg-quick.nix Normal file
View file

@ -0,0 +1,63 @@
import ../make-test-python.nix ({ pkgs, lib, ... }:
let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
peer = (import ./make-peer.nix) { inherit lib; };
in
{
name = "wg-quick";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ xwvvvvwx ];
};
nodes = {
peer0 = peer {
ip4 = "192.168.0.1";
ip6 = "fd00::1";
extraConfig = {
networking.firewall.allowedUDPPorts = [ 23542 ];
networking.wg-quick.interfaces.wg0 = {
address = [ "10.23.42.1/32" "fc00::1/128" ];
listenPort = 23542;
inherit (wg-snakeoil-keys.peer0) privateKey;
peers = lib.singleton {
allowedIPs = [ "10.23.42.2/32" "fc00::2/128" ];
inherit (wg-snakeoil-keys.peer1) publicKey;
};
};
};
};
peer1 = peer {
ip4 = "192.168.0.2";
ip6 = "fd00::2";
extraConfig = {
networking.wg-quick.interfaces.wg0 = {
address = [ "10.23.42.2/32" "fc00::2/128" ];
inherit (wg-snakeoil-keys.peer1) privateKey;
peers = lib.singleton {
allowedIPs = [ "0.0.0.0/0" "::/0" ];
endpoint = "192.168.0.1:23542";
persistentKeepalive = 25;
inherit (wg-snakeoil-keys.peer0) publicKey;
};
};
};
};
};
testScript = ''
start_all()
peer0.wait_for_unit("wg-quick-wg0.service")
peer1.wait_for_unit("wg-quick-wg0.service")
peer1.succeed("ping -c5 fc00::1")
peer1.succeed("ping -c5 10.23.42.1")
'';
}
)