This corrects the multi-node test after a couple recent changes which
resulted in it being broken.
The `lib.toString` change was an incorrect tree-wide refactor, and the
aarch64 change also introduced an error in python indentation/formatting
I believe.
- Fix hostname configuration on proxmox, which uses "hostname" in user-data
instead of "local-hostname" in meta-data.
- Allow setting resolv.conf through cloud-init
- Add tests for new changes
- Add timeouts to make tests fail faster
This will add `passthru.schema_version` to be used as default value for
the adguardhome module.
It will also update the `update.sh` to keep the `schema_version` in sync
with the version by inspecting the sourcecode.
This might break existing configs, if they use deprecated values that don't
appear in newer schema_versions and schema_version wasn't set explicitly.
Explicit declarations of schema_version always have higher priority.
This also removes the `host` and `config` settings in favour of using the
appropriate `settings`.
Fixes#173938
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
I haven't had time to look into this yet but it looks like opening chrome://gpu
doesn't work anymore without proper GPU rendering (we use software rendering
due to the virtualisation).
According to the console output the new window never opens (at least with
Google Chrome - I couldn't test it with Chromium yet due to the failing builds
for M107 and M108):
```
(finished: sending keys ‘chrome://gpu
‘, in 0.14 seconds)
machine: waiting for a window to appear
machine: must succeed: xwininfo -root -tree | sed 's/.*0x[0-9a-f]* \"\([^\"]*\)\".*/\1/; t; d'
(finished: must succeed: xwininfo -root -tree | sed 's/.*0x[0-9a-f]* \"\([^\"]*\)\".*/\1/; t; d', in 0.05 seconds)
machine # Error: eglChooseConfig returned zero configs
machine # at Create (../../third_party/dawn/src/dawn/native/opengl/ContextEGL.cpp:53)
machine #
machine: must succeed: xwininfo -root -tree | sed 's/.*0x[0-9a-f]* \"\([^\"]*\)\".*/\1/; t; d'
machine # WARNING: lavapipe is not a conformant vulkan implementation, testing use only.
(finished: must succeed: xwininfo -root -tree | sed 's/.*0x[0-9a-f]* \"\([^\"]*\)\".*/\1/; t; d', in 0.06 seconds)
machine: must succeed: xwininfo -root -tree | sed 's/.*0x[0-9a-f]* \"\([^\"]*\)\".*/\1/; t; d'
(finished: must succeed: xwininfo -root -tree | sed 's/.*0x[0-9a-f]* \"\([^\"]*\)\".*/\1/; t; d', in 0.09 seconds)
[...]
```
The meta attribute "timeout" is only set for Chromium (might still be required
due to the long build duration). The Google Chrome tests were failing with:
error: attribute 'timeout' missing
According to nixos/lib/testing/meta.nix "null values are filtered out by
`meta`" so `timeout = chromiumPkg.meta.timeout or null` might be fine as
well.
This commit refactors `services.grafana.provision.datasources` towards
the RFC42 style. To preserve backwards compatibility, we have to jump
through a ton of hoops, introducing esoteric type signatures and bizarre
structs. The Grafana module definition should hopefully become a lot
cleaner after a release cycle or two once the old configuration style is
completely deprecated.
This commit refactors `services.grafana.provision.dashboards` towards
the RFC42 style. To preserve backwards compatibility, we have to jump
through a ton of hoops, introducing esoteric type signatures and bizarre
structs. The Grafana module definition should hopefully become a lot
cleaner after a release cycle or two once the old configuration style is
completely deprecated.
This will remove all state directories related to CUPS on startup, which
is particularly useful for guaranteeing that printer discovery works
more reliably on some networks, since CUPS will no longer be able to
store state that effects the next run of the service, such as old
printer names and mDNS information.
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
This has shown to be flaky in the VM test, at least when running on
the aarch64 ofborg builder(s).
I assume it's some flakyness in systemd-networkd not being fully up, or
at least not up to the point that it properly replies to the _gateway
request.
This part of the test is supposed to test external (non-glibc) nss
module lookup for the host database works, which is already sufficiently
covered in the previous checks (for *.localhost). Drop these redundant
checks. We're not integration-testing networkd here.
The current `ExecStart` will not allow for multiple sockets to properly
be passed to the program since the extra newline character is interpreted to
be part of the socket path.
Configures the `--cache-dir` parameter for the prune and check commands run after backing up. For `check`, also adds a `checkOpts` flag to enable using the cache, since that is disabled by default.
Build will start failing with the following error in 2.55.1 due to `/build/librsvg-2.55.1/.libs` ending up in rpath:
RPATH of binary /nix/store/78k70limslvxs6y98hdirbcixl3car1q-librsvg-2.55.1-installedTests/libexec/installed-tests/RSVG/api contains a forbidden reference to /build/
With the announced EOL of the venerable ISC DHCP Server it is time to
migrate this test to Kea, it's successor.
The ISP has also received an upgrade to its interface configuration,
which now happens completely through networkd.
https://www.isc.org/blogs/isc-dhcp-eol/
*Flags implies a list
slightly relevant:
> stdenv: start deprecating non-list configureFlags https://github.com/NixOS/nixpkgs/pull/173172
the makeInstalledTests function in `nixos/tests/installed-tests/default.nix` isn't available outside of nixpkgs so
it's not a breaking change
Adapt to changes introduced in Systemd 250:
> The [DHCPv6PrefixDelegation] section in .network file is renamed to
> [DHCPPrefixDelegation], as now the prefix delegation is also
> supported with DHCPv4 protocol by enabling the Use6RD= setting.
Replaces the `dhcpV6PrefixDelegationConfig` with
`dhcpPrefixDelegationConfig` and throws an error if the old option is
used.
Also adapt the respective IPv6 prefix delegation test.
nixosTests.systemd is quite heavy, it requires a full graphical system,
which is quite a big of a rebuild if the only thing you want to test is
whether dynamic users work.
This is now moved to an `nscd` test, which tests various NSS lookups,
making extra sure that the nscd path is tested, not the fallback path
(by hiding /etc/nsswitch.conf and /etc/hosts for getent).
nixosTests.resolv is removed. It didn't check for reverse lookups,
didn't catch nscd breaking halfway in between, and also had an
ambiguous reverse lookup - 192.0.2.1 could either reverse lookup to
host-ipv4.example.net, or host-dual.example.net.
Lego has a built-in mechanism for sleeping for a random amount
of time before renewing a certificate. In our environment this
is not only unnecessary (as our systemd timer takes care of it)
but also unwanted since it slows down the execution of the
systemd service encompassing it, thus also slowing down the
start up of any services its depending on.
Also added FixedRandomDelay to the timer for more predictability.
Fixes#190493
Check if an actual key file exists. This does not
completely cover the work accountHash does to ensure
that a new account is registered when account
related options are changed.
Fixes#191794
Lego threw a permission denied error binding to port 80.
AmbientCapabilities with CAP_NET_BIND_SERVICE was required.
Also added a test for this.
It's an ugly solution (like before), but some of us want to
nix-build nixos/tests/foo.nix
This PR makes that possible once more for tests are wired with `make-test-python.nix`.
Fixes the problem introduced by 12b3066aae
which caused nixos/release.nix to return the wrong attributes, while
intending to only affect nixos/lib's runTest.
This also removes callTest from the test options, because callTest is
only ever invoked by all-tests.nix.
This makes sure that we don't try to evaluate the tests with an
incompatible kernel version. The original reviewer didn't react within
10 days, but since they got notified and all this commit is doing is to
fix evaluation, I consider it safe to merge.
Cc: @adisbladis
Right now, the latest kernel is version 5.19, for which there is no
compatible upstream release for ZFS. However, our NixOS VM test always
uses linuxPackages_latest and thus will fail with an evaluation error
most of the time when a new mainline kernel is released.
Since we expose a latestCompatibleLinuxPackages attribute for the ZFS
packages, we already know what's the latest kernel version that is
supported so let's use that instead of linuxPackages_latest.
Signed-off-by: aszlig <aszlig@nix.build>
Co-authored-by: Ctem <c@ctem.me>
Co-authored-by: Brian Leung <leungbk@posteo.net>
Co-authored-by: Shahar Dawn Or <mightyiampresence@gmail.com>
Co-authored-by: Ilan Joselevich <personal@ilanjoselevich.com>
The udisks2 service was enabled to fix the test in (c5ebec7ee4).
However, cagebreak doesn't require udisks2, just polkit (which the
udisks2 module enables and which is why the cagebreak test broke after
the udisks2 module was disabled by default).
I've documented why polkit is required in this PR:
https://github.com/NixOS/nixpkgs/pull/156858
In this case the "dependency" chain is basically cagebreak -> wlroots ->
libseat -> logind (with polkit support) -> polkit.
most of these are hidden because they're either part of a submodule that
doesn't have its type rendered (eg because the submodule type is used in
an either type) or because they are explicitly hidden. some of them are
merely hidden from nix-doc-munge by how their option is put together.
conversions were done using https://github.com/pennae/nix-doc-munge
using (probably) rev f34e145 running
nix-doc-munge nixos/**/*.nix
nix-doc-munge --import nixos/**/*.nix
the tool ensures that only changes that could affect the generated
manual *but don't* are committed, other changes require manual review
and are discarded.
- Replace misleading docs.
- Add new assertions to let configurations make more sense.
- Add clusterInit flag.
- Add some more docs about HA and non-HA modes setup.
- Improve multi-node tests for HA mode.
Fix https://github.com/NixOS/nixpkgs/issues/182085
Due to how complex minecraft world generation has gotten in recent
years, it now can take several minutes to complete the first generation
of a world seed, even on relatively new and powerful hardware.
We are testing if a minecraft server can run inside of a nix enviroment,
and not so much about stress testing the CI.
Test running before this change:
> (finished: waiting for TCP port 43000, in 118.49 seconds)
Test running with this change:
> (finished: waiting for TCP port 43000, in 27.88 seconds)
Choice of using `level-type` and `generate-structures` was made as they
support almost every version of minecraft. These two also make it
extremely clear what it does, compared to the more complex
`generator-settings` and all its toggles.
in [v0.25.0][1]: Breaking changes of Task API (relevant summarized)
- `update` -> `task`
- `GET - /indexes/:indexUid/updates/:updateId` -> `/indexes/:indexUid/tasks`
- `updateId` -> `uid` of `task`
- also: new `GET - /tasks/:taskUid` introduced
- `status` values changed
in [v0.28.0][2]: Breaking changes in `/indexes` endpoints
- `total` now appear in the response body
[1]: https://github.com/meilisearch/meilisearch/releases/tag/v0.25.0
[2]: https://github.com/meilisearch/meilisearch/releases/tag/v0.28.0
So far, we have been building Systemd without `BPF_FRAMEWORK`. As a
result, some Systemd features like `RestrictNetworkInterfaces=` cannot
work. To make things worse, Systemd doesn't even complain when using a
feature which requires `+BPF_FRAMEWORK`; yet, the option has no effect:
# systemctl --version | grep -o "\-BPF_FRAMEWORK"
-BPF_FRAMEWORK
# systemd-run -t -p RestrictNetworkInterfaces="lo" ping -c 1 8.8.8.8
This commit enables `BPF_FRAMEWORK` by default. This is in line with
other distros (e.g., Fedora). Also note that BPF does not support stack
protector: https://lkml.org/lkml/2020/2/21/1000. To that end, I added a
small `CFLAGS` patch to the BPF building to keep using stack protector
as a default.
I also added an appropriate NixOS test.
According to pulseaudio(1), a system wide pulseaudio instance
can only be accessed by members of the `pulse-access` group.
This name seems to be hardcoded in
pulseaudio -- I didn't find any switch to change it.
We need to define the group so users can connect to the deamon.
This commit also fixes the systemwide pulseaudio vm test:
Previously, the test user `alice`
was just a member of the `audio` group.
This blocked access to the daemon and failed the test.
The commit changes the group assignment and fixes the vm test.
The test tries to detect the presence of pavucontrol's
window by looking for the tab label "Playback".
However, the OCR mechanism fails to resolve the
text, possibly due to the grey background color.
To fix this issue, we instead look for the name of the
sound device ("Dummy Output") which gets resolved by OCR.
Note: Strangely, the tab "Playback" *is* correctly
resolved when the test is run in interactive mode.
This might be due to the changed screen resolution,
but I didn't investigate further.
Enable keter module
Keter is an apploader which:
1. has the old app running on a port.
2. loads a new one, and wait for that to complete
3. switches the old with the new one once the new one finished loading.
It supports more functionality but this use case
is the primary one being used by supercede.
Adds keter as a module to nixos.
Currently keter is unusable with nix,
because it relies on bundeling of a tar and uploading that to a specific folder.
These expressions automate these devops tasks,
with especially nixops in mind.
This will work with versions above 1.8
The test seems to work.
This uses a new version of keter which has good
support for status code on error pages.
We're using this config at production at supercede
so it should be fine.
Squash log:
==========
mention keter in changelog
Update generated release notes
Always restart keter on failure
This is a little bit of extra stability in case keter crashes.
Which can happen under extreme conditions (DoS attacks).
Update nixos/doc/manual/release-notes/rl-2205.section.md
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Update nixos/modules/module-list.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Remove sanitization
don't put domain in as a string
Update nixos/tests/keter.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
add jappie as module maintainer
Use type path instead of two seperate options
Fix generated docs
added test machinery to figure out why it's failing
Fix the test, use console output
run nixpkgs-fmt on all modules
Inline config file.
This get's rid of a lot of inderection as well.
Run nix format
remove comment
simplify executable for test
delete config file
add config for keter root
Remove after redis clause
set keter root by default to /var/lib/keter
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
fix nit
add newlines
add default text and move description in a long description
Delete rather obvious comment
fix release db thing
remove longDescription and put it in a comment instead
change description of mkEnalbeOption
explain what keter does by using the hackage synopsis
set domain to keterDomain and same for executable
move comment to where it's happening
fix type error
add formatting better comment
try add seperate user for keter
Revert "try add seperate user for keter"
This reverts commit d3522d36c96117335bfa072e6f453406c244e940.
Doing this breaks the setup
set default to avoid needing cap_net_bind_service
remove weird comment
use example fields
eleborated on process leakage
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
run nixpkgs-fmt
update docs
Fix formatting, set keter package by default
format our little nixexpr
replace '' -> " where possible
drop indent for multiline string
make description much shorter
regen docs database
Introduced by fd7d901133. The openldap
module now expects the database directory to be below
`/var/lib/openldap`, oterhwise it'll fail evaluation like this:
Failed assertions:
- Database dc=example,dc=org has `olcDbDirectory` (/var/db/openldap) that is not a subdirectory of
`/var/lib/openldap/`.
