Merge staging-next into staging

NixOS · Sep 22, 2021 · 42ade1c · 42ade1c
2 parents 2505488 + 09a7436
commit 42ade1c
Show file tree

Hide file tree

Showing 62 changed files with 384 additions and 127 deletions.
diff --git a/nixos/modules/config/krb5/default.nix b/nixos/modules/config/krb5/default.nix
@@ -84,7 +84,7 @@ in {
         type = types.package;
         default = pkgs.krb5Full;
         defaultText = "pkgs.krb5Full";
-        example = literalExample "pkgs.heimdalFull";
+        example = literalExample "pkgs.heimdal";
         description = ''
           The Kerberos implementation that will be present in
           <literal>environment.systemPackages</literal> after enabling this

diff --git a/nixos/modules/programs/atop.nix b/nixos/modules/programs/atop.nix
@@ -141,8 +141,15 @@ in
             // mkService cfg.atopgpu.enable "atopgpu" [ atop ];
           timers = mkTimer cfg.atopRotateTimer.enable "atop-rotate" [ atop ];
         };
-      security.wrappers =
-        lib.mkIf cfg.setuidWrapper.enable { atop = { source = "${atop}/bin/atop"; }; };
+
+      security.wrappers = lib.mkIf cfg.setuidWrapper.enable {
+        atop =
+          { setuid = true;
+            owner = "root";
+            group = "root";
+            source = "${atop}/bin/atop";
+          };
+      };
     }
   );
 }
diff --git a/nixos/modules/programs/plotinus.nix b/nixos/modules/programs/plotinus.nix
@@ -30,7 +30,7 @@ in
   ###### implementation
 
   config = mkIf cfg.enable {
-    environment.variables.XDG_DATA_DIRS = [ "${pkgs.plotinus}/share/gsettings-schemas/${pkgs.plotinus.name}" ];
+    environment.sessionVariables.XDG_DATA_DIRS = [ "${pkgs.plotinus}/share/gsettings-schemas/${pkgs.plotinus.name}" ];
     environment.variables.GTK3_MODULES = [ "${pkgs.plotinus}/lib/libplotinus.so" ];
   };
 }
diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix
@@ -5,28 +5,33 @@ with lib;
 let
   cfg = config.services.kubernetes;
 
-  defaultContainerdConfigFile = pkgs.writeText "containerd.toml" ''
-    version = 2
-    root = "/var/lib/containerd"
-    state = "/run/containerd"
-    oom_score = 0
-
-    [grpc]
-      address = "/run/containerd/containerd.sock"
+  defaultContainerdSettings = {
+    version = 2;
+    root = "/var/lib/containerd";
+    state = "/run/containerd";
+    oom_score = 0;
+
+    grpc = {
+      address = "/run/containerd/containerd.sock";
+    };
 
-    [plugins."io.containerd.grpc.v1.cri"]
-      sandbox_image = "pause:latest"
+    plugins."io.containerd.grpc.v1.cri" = {
+      sandbox_image = "pause:latest";
 
-    [plugins."io.containerd.grpc.v1.cri".cni]
-      bin_dir = "/opt/cni/bin"
-      max_conf_num = 0
+      cni = {
+        bin_dir = "/opt/cni/bin";
+        max_conf_num = 0;
+      };
 
-    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
-      runtime_type = "io.containerd.runc.v2"
+      containerd.runtimes.runc = {
+        runtime_type = "io.containerd.runc.v2";
+      };
 
-    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes."io.containerd.runc.v2".options]
-      SystemdCgroup = true
-  '';
+      containerd.runtimes."io.containerd.runc.v2".options = {
+        SystemdCgroup = true;
+      };
+    };
+  };
 
   mkKubeConfig = name: conf: pkgs.writeText "${name}-kubeconfig" (builtins.toJSON {
     apiVersion = "v1";
@@ -248,7 +253,7 @@ in {
     (mkIf cfg.kubelet.enable {
       virtualisation.containerd = {
         enable = mkDefault true;
-        configFile = mkDefault defaultContainerdConfigFile;
+        settings = mkDefault defaultContainerdSettings;
       };
     })
 

diff --git a/nixos/modules/services/networking/dnscrypt-wrapper.nix b/nixos/modules/services/networking/dnscrypt-wrapper.nix
@@ -217,6 +217,7 @@ in {
       home = "${dataDir}";
       createHome = true;
       isSystemUser = true;
+      group = "dnscrypt-wrapper";
     };
     users.groups.dnscrypt-wrapper = { };
 

diff --git a/nixos/modules/services/networking/flannel.nix b/nixos/modules/services/networking/flannel.nix
@@ -164,7 +164,7 @@ in {
       path = [ pkgs.iptables ];
       preStart = optionalString (cfg.storageBackend == "etcd") ''
         echo "setting network configuration"
-        until ${pkgs.etcdctl}/bin/etcdctl set /coreos.com/network/config '${builtins.toJSON networkConfig}'
+        until ${pkgs.etcd}/bin/etcdctl set /coreos.com/network/config '${builtins.toJSON networkConfig}'
         do
           echo "setting network configuration, retry"
           sleep 1

diff --git a/nixos/modules/services/search/meilisearch.nix b/nixos/modules/services/search/meilisearch.nix
@@ -8,7 +8,7 @@ let
 in
 {
 
-  meta.maintainers = with maintainers; [ filalex77 ];
+  meta.maintainers = with maintainers; [ Br1ght0ne ];
 
   ###### interface
 

diff --git a/nixos/modules/services/system/kerberos/heimdal.nix b/nixos/modules/services/system/kerberos/heimdal.nix
@@ -27,7 +27,7 @@ in
 {
   # No documentation about correct triggers, so guessing at them.
 
-  config = mkIf (cfg.enable && kerberos == pkgs.heimdalFull) {
+  config = mkIf (cfg.enable && kerberos == pkgs.heimdal) {
     systemd.services.kadmind = {
       description = "Kerberos Administration Daemon";
       wantedBy = [ "multi-user.target" ];

diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
@@ -223,7 +223,6 @@ in
   krb5 = discoverTests (import ./krb5 {});
   ksm = handleTest ./ksm.nix {};
   kubernetes = handleTestOn ["x86_64-linux"] ./kubernetes {};
-  latestKernel.hardened = handleTest ./hardened.nix { latestKernel = true; };
   latestKernel.login = handleTest ./login.nix { latestKernel = true; };
   leaps = handleTest ./leaps.nix {};
   libreddit = handleTest ./libreddit.nix {};

diff --git a/nixos/tests/atop.nix b/nixos/tests/atop.nix
@@ -105,8 +105,6 @@ let assertions = rec {
 };
 in
 {
-  name = "atop";
-
   justThePackage = makeTest {
     name = "atop-justThePackage";
     machine = {

diff --git a/nixos/tests/cntr.nix b/nixos/tests/cntr.nix
@@ -9,7 +9,7 @@ let
     makeTest {
       name = "cntr-${backend}";
 
-      meta = { maintainers = with lib.maintainers; [ srk mic92 ]; };
+      meta = { maintainers = with lib.maintainers; [ sorki mic92 ]; };
 
       nodes = {
         ${backend} = { pkgs, ... }: {

diff --git a/nixos/tests/ec2.nix b/nixos/tests/ec2.nix
@@ -24,6 +24,11 @@ let
           ln -s vda1 /dev/xvda1
         '';
 
+        # In a NixOS test the serial console is occupied by the "backdoor"
+        # (see testing/test-instrumentation.nix) and is incompatible with
+        # the configuration in virtualisation/amazon-image.nix.
+        systemd.services."serial-getty@ttyS0".enable = mkForce false;
+
         # Needed by nixos-rebuild due to the lack of network
         # access. Determined by trial and error.
         system.extraDependencies = with pkgs; ( [

diff --git a/nixos/tests/enlightenment.nix b/nixos/tests/enlightenment.nix
@@ -11,8 +11,8 @@ import ./make-test-python.nix ({ pkgs, ...} :
     imports = [ ./common/user-account.nix ];
     services.xserver.enable = true;
     services.xserver.desktopManager.enlightenment.enable = true;
-    services.xserver.displayManager.lightdm = {
-      enable = true;
+    services.xserver.displayManager = {
+      lightdm.enable = true;
       autoLogin = {
         enable = true;
         user = "alice";

diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix
@@ -1,4 +1,4 @@
-import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : {
+import ./make-test-python.nix ({ pkgs, ... } : {
   name = "hardened";
   meta = with pkgs.lib.maintainers; {
     maintainers = [ joachifm ];
@@ -10,8 +10,6 @@ import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : {
     { users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; };
       users.users.sybil = { isNormalUser = true; group = "wheel"; };
       imports = [ ../modules/profiles/hardened.nix ];
-      boot.kernelPackages =
-        lib.mkIf latestKernel pkgs.linuxPackages_latest_hardened;
       environment.memoryAllocator.provider = "graphene-hardened";
       nix.useSandbox = false;
       virtualisation.emptyDiskImages = [ 4096 ];

diff --git a/nixos/tests/kerberos/heimdal.nix b/nixos/tests/kerberos/heimdal.nix
@@ -9,7 +9,7 @@ import ../make-test-python.nix ({pkgs, ...}: {
     };
     krb5 = {
       enable = true;
-      kerberos = pkgs.heimdalFull;
+      kerberos = pkgs.heimdal;
       libdefaults = {
         default_realm = "FOO.BAR";
       };

diff --git a/nixos/tests/meilisearch.nix b/nixos/tests/meilisearch.nix
@@ -10,7 +10,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
     '';
   in {
     name = "meilisearch";
-    meta.maintainers = with lib.maintainers; [ filalex77 ];
+    meta.maintainers = with lib.maintainers; [ Br1ght0ne ];
 
     machine = { ... }: {
       environment.systemPackages = with pkgs; [ curl jq ];

diff --git a/nixos/tests/minio.nix b/nixos/tests/minio.nix
@@ -28,7 +28,10 @@ in {
     machine = { pkgs, ... }: {
       services.minio = {
         enable = true;
-        inherit accessKey secretKey;
+        rootCredentialsFile = pkgs.writeText "minio-credentials" ''
+          MINIO_ROOT_USER=${accessKey}
+          MINIO_ROOT_PASSWORD=${secretKey}
+        '';
       };
       environment.systemPackages = [ pkgs.minio-client ];
 

diff --git a/nixos/tests/mpv.nix b/nixos/tests/mpv.nix
@@ -14,7 +14,7 @@ in
     {
       environment.systemPackages = [
         pkgs.curl
-        (pkgs.mpv-with-scripts.override {
+        (pkgs.wrapMpv pkgs.mpv-unwrapped {
           scripts = [ pkgs.mpvScripts.simple-mpv-webui ];
         })
       ];

diff --git a/nixos/tests/mysql/mariadb-galera-mariabackup.nix b/nixos/tests/mysql/mariadb-galera-mariabackup.nix
@@ -4,6 +4,16 @@ let
   mysqlenv-common      = pkgs.buildEnv { name = "mysql-path-env-common";      pathsToLink = [ "/bin" ]; paths = with pkgs; [ bash gawk gnutar inetutils which ]; };
   mysqlenv-mariabackup = pkgs.buildEnv { name = "mysql-path-env-mariabackup"; pathsToLink = [ "/bin" ]; paths = with pkgs; [ gzip iproute2 netcat procps pv socat ]; };
 
+  # Common user configuration
+  users = { ... }:
+  {
+    users.users.testuser = {
+      isSystemUser = true;
+      group = "testusers";
+    };
+    users.groups.testusers = { };
+  };
+
 in {
   name = "mariadb-galera-mariabackup";
   meta = with pkgs.lib.maintainers; {
@@ -17,6 +27,7 @@ in {
     galera_01 =
       { pkgs, ... }:
       {
+      imports = [ users ];
       networking = {
         interfaces.eth1 = {
           ipv4.addresses = [
@@ -31,7 +42,6 @@ in {
         firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
         firewall.allowedUDPPorts = [ 4567 ];
       };
-      users.users.testuser = { isSystemUser = true; };
       systemd.services.mysql = with pkgs; {
         path = [ mysqlenv-common mysqlenv-mariabackup ];
       };
@@ -75,6 +85,7 @@ in {
     galera_02 =
       { pkgs, ... }:
       {
+      imports = [ users ];
       networking = {
         interfaces.eth1 = {
           ipv4.addresses = [
@@ -89,7 +100,6 @@ in {
         firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
         firewall.allowedUDPPorts = [ 4567 ];
       };
-      users.users.testuser = { isSystemUser = true; };
       systemd.services.mysql = with pkgs; {
         path = [ mysqlenv-common mysqlenv-mariabackup ];
       };
@@ -122,6 +132,7 @@ in {
     galera_03 =
       { pkgs, ... }:
       {
+      imports = [ users ];
       networking = {
         interfaces.eth1 = {
           ipv4.addresses = [
@@ -136,7 +147,6 @@ in {
         firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
         firewall.allowedUDPPorts = [ 4567 ];
       };
-      users.users.testuser = { isSystemUser = true; };
       systemd.services.mysql = with pkgs; {
         path = [ mysqlenv-common mysqlenv-mariabackup ];
       };

diff --git a/nixos/tests/mysql/mariadb-galera-rsync.nix b/nixos/tests/mysql/mariadb-galera-rsync.nix
@@ -4,6 +4,16 @@ let
   mysqlenv-common      = pkgs.buildEnv { name = "mysql-path-env-common";      pathsToLink = [ "/bin" ]; paths = with pkgs; [ bash gawk gnutar inetutils which ]; };
   mysqlenv-rsync       = pkgs.buildEnv { name = "mysql-path-env-rsync";       pathsToLink = [ "/bin" ]; paths = with pkgs; [ lsof procps rsync stunnel ]; };
 
+  # Common user configuration
+  users = { ... }:
+  {
+    users.users.testuser = {
+      isSystemUser = true;
+      group = "testusers";
+    };
+    users.groups.testusers = { };
+  };
+
 in {
   name = "mariadb-galera-rsync";
   meta = with pkgs.lib.maintainers; {
@@ -17,6 +27,7 @@ in {
     galera_04 =
       { pkgs, ... }:
       {
+      imports = [ users ];
       networking = {
         interfaces.eth1 = {
           ipv4.addresses = [
@@ -31,7 +42,6 @@ in {
         firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
         firewall.allowedUDPPorts = [ 4567 ];
       };
-      users.users.testuser = { isSystemUser = true; };
       systemd.services.mysql = with pkgs; {
         path = [ mysqlenv-common mysqlenv-rsync ];
       };
@@ -70,6 +80,7 @@ in {
     galera_05 =
       { pkgs, ... }:
       {
+      imports = [ users ];
       networking = {
         interfaces.eth1 = {
           ipv4.addresses = [
@@ -84,7 +95,6 @@ in {
         firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
         firewall.allowedUDPPorts = [ 4567 ];
       };
-      users.users.testuser = { isSystemUser = true; };
       systemd.services.mysql = with pkgs; {
         path = [ mysqlenv-common mysqlenv-rsync ];
       };
@@ -116,6 +126,7 @@ in {
     galera_06 =
       { pkgs, ... }:
       {
+      imports = [ users ];
       networking = {
         interfaces.eth1 = {
           ipv4.addresses = [
@@ -130,7 +141,6 @@ in {
         firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
         firewall.allowedUDPPorts = [ 4567 ];
       };
-      users.users.testuser = { isSystemUser = true; };
       systemd.services.mysql = with pkgs; {
         path = [ mysqlenv-common mysqlenv-rsync ];
       };
-Original file line number
+Diff line change
@@ Expand Up / @@ -8,7 +8,7 @@ let @@
     in
     {
-      meta.maintainers = with maintainers; [ filalex77 ];
+      meta.maintainers = with maintainers; [ Br1ght0ne ];
       ###### interface
@@ Expand Down @@