2.3.0 is the final release, the repo is now archived.
Also, I haven't used it for quite a while, so it didn't have a real
nixpkgs maintainer either.
Closes #338712
This is the error message on fail:
> qemu-system-aarch64: -device canokey,file=/tmp/canokey-file: Warning:
> speed mismatch trying to attach usb device "CanoKey QEMU" (full
> speed) to bus "usb0.0", port "3" (high speed)
My understanding of the issue is: The test failed because
qemu-system-aarch64 apparently has different USB controllers enabled by
default, resulting in a "speed mismatch" between the USB controller and
CanoKey that only occurred on aarch64.
I could reproduce the issue on x86_64 by enabling the EHCI controller
and then fix the issue by specifying which USB bus to use for the
CanoKey.
This didn't fully fix the issue on my first attempt, because the UHCI
controller enabled by -usb doesn't have the same bus name on aarch64
and x86_64.
While bus=usb-bus.0 worked on x86_64, on aarch64 I get this message:
> qemu-system-aarch64: -device canokey,bus=usb-bus.0,file=
> /tmp/canokey-file: Bus 'usb-bus.0' not found
The final solution now manually enables the OHCI controller (which may
be similar to UHCI, but I really have no idea other than it works) and
assigns it the id aka bus name "usb-bus", so it works the same under
both architectures.
- change tested app from gnome-calculator to gnome-pomodoro as plotinus
only works on gtk3 apps
- change screenshot result to one that shows popup from plotinus
instead of preferences window
- add 2 minute timeouts waiting for windows
- add 10 minute timeout for full test
When wireguard began being tested on multiple kernel versions, the
current default version at the time was hard coded:
41bd6d2614.
We should update this and prevent it from becoming stale ever again by
computing the default value.
Modify the tests for open-webui such that the name of the service
is set via the 'environmentFile' option, then check that the
service's name differs from the default.
Added extra option to enable unprivileged containers. This includes a
patch to remove the hard-coded path to `lxc-user-nic` and a new security
wrapper to set SUID to `lxc-user-nic`.
Use the store directory for the devicetree package containing the
desired DTB when installing to the ESP. This allows for more than one
NixOS generation containing differing DTBs to coexist on the same ESP
(similar to how we can have multiple kernels & initrds). This change
removes the assumption that the filepath passed to `copy_from_file` is a
file that lives at the toplevel of a nix output path (which prior to the
systemd-boot DTB support was the case for the kernel and initrd
derivations).
This adds a new `imageStream` option that can be used in conjunction
with `pkgs.dockerTools.streamLayeredImage` so that the image archive
never needs to be materialized in the `/nix/store`. This greatly
improves the disk utilization for systems that use container images
built using Nix because they only need to store image layers instead of
the full image. Additionally, when deploying the new system, only
new layers need to be built/copied.
Test out both nix upgrade-nix and a NixOS upgrade.
Inject a fake fallback-paths.nix assuming a stable -> latest upgrade.
The NixOS upgrade does not use nixos-rebuild switch due to the
cost+annoyance of the instantiation needing
system.includeBuildDependencies.
This links the generated configuration to /etc/wpa_supplicant.conf
unless `allowAuxiliaryImperativeNetworks`. In the latter case the
file in /etc should be writable and the generated one remains only
in the Nix store.
provision # [ 8.223448] (kanidmd)[819]: kanidm.service: Failed to set up mount namespacing: /ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/ofborg-evaluator-1/nixos/tests/common/acme/server:
No such file or directory
- Split desktop into desktop-basics (basic keybind & app launching) and
desktop-appinteractions (one application triggering something in another) due to timeouts
- Wrap machine.wait_for_text to wait 10 seconds before starting
The 10 second delay improves runtime dramatically on weaker hardware. In desktop-ayatana-indicators
on my aarch64 laptop, runtime was cut down by 818,41 seconds (~ 14 minutes).
Hopefully helps a bit with timeout issues on ARM :(
This replaces the current implementation (splicing the secrets into the
configuration file using environment variables) with the new built-in
mechanism ext_password_backend.
With some minor syntax changes, it works exactly as before, except the
heavy lifting is done by wpa_supplicant and probably less error-prone.
Previously the cgi-user option in stargazer was broken in this module
because stargazer didn't have CAP_SETUID and CAP_SETGID. cgi-user tells
stargazer to run cgi processes as a different user. I added an option
allowCgiUser that gives stargazer these capabilities when enabled. I made
this an option because access to those syscalls greatly increases the
damage an RCE bug in stargazer could do. So they should only be enabled
if needed.
Although kubectl has builtin JSONpath support, it is only supported
partially and the support varies between different versions. While using
JSONpath in tests worked for some versions, it failed for others. This
contribution replaces the problematic JSONpath usages with the jq JSON
processor.
Now it's possible to start multiple mailpit instances - for e.g.
multiple testing environments - on the same machine:
```nix
{
  services.mailpit.instances = {
    dev = { /* ... */ };
    staging = { /* ... */ };
  };
}
```
The simplest way to start a single instance is by declaring
```nix
services.mailpit.instances.default = {};
```
Since the systemd boot counting PR was merged, dashes in specialisation
names cause issues when installing the boot loader entries, since dashes
are also used as separator for the different components of the file name
of the boot loader entries on disk.
The assertion avoids this footgun which is pretty annoying to recover
from.
Because ARM hardware is starting to have serious issues with completing everything, due to
- A seemingly harmless Lomiri crash & restart early on eating up some time (adding more RAM seemed to have helped with that?), and
- Every OCR usually taking multiple minutes to complete
So start splitting them up into parts
- greeter, for testing just the greeter
- desktop, for general app stuff
- desktop-ayatana-indicators, for checking indicators (OCR-heavy & especially slow)
Currently passing on my hardware, but might need to be split up more in the future.
PgBouncer instance running on localhost may not be the one being
monitored in connectionString. Remove checks that forbid valid
configuration from being used and instead document requirements for
PgBouncer configuration when used with the exporter.
This change adds services.pgbouncer.settings option as per [RFC 0042]
and deprecates other options that were previously used to generate
configuration file.
In addition to that, we also place the configuration file under
environment.etc to allow reloading configuration without service
restart.
[RFC 0042]: https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md
I'm not seriously using Pixelfed these days, this software is
non-trivial and the NixOS module seems to have some sharp edges.
Change-Id: Ie93df9dcb00d0a58bd5e4165e377979c489af0b0
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
By default the use of the alias generates a warning:
```
$ nix build --no-link -f. nixosTests.bittorrent
evaluation warning: transmission has been renamed to transmission_3 since transmission_4 is also available. Note that upgrade caused data loss for some users so backup is recommended (see NixOS 24.11 release notes for details)
```
When aliases are disabled, that causes the eval failure:
```
error: attribute 'transmission' missing
at /home/slyfox/dev/git/nixpkgs/nixos/tests/bittorrent.nix:24:36:
    23|   transmissionConfig = { ... }: {
    24|     environment.systemPackages = [ pkgs.transmission ];
      |                                    ^
    25|     services.transmission = {
Did you mean one of transmission_3 or transmission_4?
```
Add a simple test that starts rss-bridge and tries to fetch the feed of
a demo bridge. On success we know the system setup (web server, PHP) and
rss-bridge are working fine. Internet access is avoided by using a demo
bridge.
This is a breaking change, requiring users of `featureGates` to change
from a `listOf str` to `attrsOf bool`.
Before:
```nix
# Old form: gates split between the list option and a raw CLI flag
featureGates = [ "EphemeralContainers" ];
extraOpts = pkgs.lib.concatStringsSep " " (
  [
    "--container-runtime=remote"
    ''--feature-gates="CSIMigration=false"''
  ]);
```
After:
```nix
featureGates = {EphemeralContainers = true; CSIMigration=false;};
```
This is much nicer, and sets us up for later work of migrating to
configuration files for other services, like e.g. has been happening
with kubelet (see: #290119).
Signed-off-by: Christina Sørensen <christina@cafkafk.com>
This adds migration instructions for the removed global shared instance
configuration of fcgiwrap.
Adding those explicit messages to the previous options requires moving
the newly defined options from `services.fcgiwrap.*` to
`services.fcgiwrap.instances.*` due to an option namespace clash.
`mkRenamedOptionModule` was not used because the previous options do
not directly map to the new ones. In particular, `user` and `group`
were described as setting the socket's permission, but were actually
setting the process' running user.
Co-authored-by: Minijackson <minijackson@riseup.net>
The k3s update script filters the assets of a
corresponding release for airgap images archives
and provides these as passthru attributes of the
k3s derivation. We use zstd archives, as these
offer the best compression ratios and decompression
speed. Furthermore, the `airgapImages` passthru
provides the images archive that matches the host
platform architecture, however, this only works
for aarch64 and x86_64. In addition, a txt file
listing all container images of a release is made
available via a passthru attribute. The airgap
images archives can be combined nicely with the
`services.k3s.images` option, e.g. to pre-provision
k3s nodes for environments without Internet
connectivity.
It has started to take 10 minutes to get a match, and we open the starter more than once.
Let's just drop this check, ydotool helps a lot with getting it open more reliably.
The docker-tools test, where this originates, was not run on aarch64-linux, but this is an artifact of its age more so than anything else.
Co-authored-by: Ivan Trubach <mr.trubach@icloud.com>
Adds a module for rathole package. The package itself
and this module are very similar to frp, so the options
and tests are not very far off from those for frp.
This is a full rewrite independent of the previously removed cryptpad
module, managing cryptpad's config in RFC0042 along with a shiny test.
Upstream cryptpad provides two nginx configs, with many optimizations
and complex settings; this uses the easier variant for now but
improvements (e.g. serving blocks and js files directly through nginx)
should be possible with a bit of work and care about http headers.
The /checkup page of cryptpad passes all tests except HSTS, we don't
seem to have any nginx config with HSTS enabled in nixpkgs so leave this
as is for now.
Co-authored-by: Pol Dellaiera <pol.dellaiera@protonmail.com>
Co-authored-by: Michael Smith <shmitty@protonmail.com>
On Linux we cannot feasibly generate users statically because we need
to take care to not change or re-use UIDs over the lifetime of a machine
(i.e. over multiple generations). This means we need the context of the
running machine.
Thus, stop creating users statically and instead generate them at
runtime irrespective of mutableUsers.
When /etc is immutable, the password files (e.g. /etc/passwd etc.) are
created in a separate directory (/var/lib/nixos/etc). /etc will be
pre-populated with symlinks to this separate directory.
Immutable users are now implemented by bind-mounting the password files
read-only onto themselves and only briefly re-mounting them writable to
re-execute sysusers. The biggest limitation of this design is that you
now need to manually unmount this bind mount to change passwords because
sysusers cannot change passwords for you. This shouldn't be too much of
an issue because system users should only rarely need to change their
passwords.
systemd-sysusers cannot create normal users (i.e. with a UID > 1000).
Thus we stop trying and explicitly only use systemd-sysusers when there
are no normal users on the system (e.g. appliances).