Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/continuous-integration/github-runner/options.nix12
-rw-r--r--nixos/modules/services/continuous-integration/github-runner/service.nix37
-rw-r--r--nixos/modules/services/continuous-integration/gitlab-runner.nix14
-rw-r--r--nixos/modules/services/hardware/fwupd.nix3
-rw-r--r--nixos/modules/services/misc/n8n.nix7
-rw-r--r--nixos/modules/virtualisation/amazon-options.nix9
-rw-r--r--nixos/tests/all-tests.nix1
-rw-r--r--nixos/tests/evcc.nix1
-rw-r--r--nixos/tests/mate.nix58
-rw-r--r--nixos/tests/n8n.nix4
10 files changed, 117 insertions, 29 deletions
diff --git a/nixos/modules/services/continuous-integration/github-runner/options.nix b/nixos/modules/services/continuous-integration/github-runner/options.nix
index 72ac0c129900..fd9d8ebbda88 100644
--- a/nixos/modules/services/continuous-integration/github-runner/options.nix
+++ b/nixos/modules/services/continuous-integration/github-runner/options.nix
@@ -170,4 +170,16 @@ with lib;
default = null;
defaultText = literalExpression "username";
};
+
+ workDir = mkOption {
+ type = with types; nullOr str;
+ description = lib.mdDoc ''
+ Working directory, available as `$GITHUB_WORKSPACE` during workflow runs
+ and used as a default for [repository checkouts](https://github.com/actions/checkout).
+ The service cleans this directory on every service start.
+
+ A value of `null` will default to the systemd `RuntimeDirectory`.
+ '';
+ default = null;
+ };
}
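Review bot: `type = with types; nullOr str;` on the new `workDir` option accepts relative paths and the empty string, while the description promises that the service cleans the directory on every start, so a mistyped value points the cleanup at an unintended directory. `types.path` only accepts absolute values, so `type = with types; nullOr path;` is a cheap guard; if a string type is preferred, an assertion of the form `cfg.workDir == null || lib.hasPrefix "/" cfg.workDir` wherever the module keeps its assertions does the same. The description should also state that the directory must already exist and be writable by the service user, since I do not see this change creating it.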
diff --git a/nixos/modules/services/continuous-integration/github-runner/service.nix b/nixos/modules/services/continuous-integration/github-runner/service.nix
index cd81631582f9..7ce97e04f376 100644
--- a/nixos/modules/services/continuous-integration/github-runner/service.nix
+++ b/nixos/modules/services/continuous-integration/github-runner/service.nix
@@ -20,6 +20,9 @@
with lib;
+let
+ workDir = if cfg.workDir == null then runtimeDir else cfg.workDir;
+in
{
description = "GitHub Actions runner";
@@ -28,7 +31,7 @@ with lib;
after = [ "network.target" "network-online.target" ];
environment = {
- HOME = runtimeDir;
+ HOME = workDir;
RUNNER_ROOT = stateDir;
} // cfg.extraEnvironment;
@@ -42,7 +45,7 @@ with lib;
config.nix.package
] ++ cfg.extraPackages;
- serviceConfig = rec {
+ serviceConfig = {
ExecStart = "${cfg.package}/bin/Runner.Listener run --startuptype service";
# Does the following, sequentially:
@@ -54,7 +57,7 @@ with lib;
# - Set up the directory structure by creating the necessary symlinks.
ExecStartPre =
let
- # Wrapper script which expects the full path of the state, runtime and logs
+ # Wrapper script which expects the full path of the state, working and logs
# directory as arguments. Overrides the respective systemd variables to provide
# unambiguous directory names. This becomes relevant, for example, if the
# caller overrides any of the StateDirectory=, RuntimeDirectory= or LogDirectory=
@@ -65,12 +68,12 @@ with lib;
set -euo pipefail
STATE_DIRECTORY="$1"
- RUNTIME_DIRECTORY="$2"
+ WORK_DIRECTORY="$2"
LOGS_DIRECTORY="$3"
${lines}
'';
- runnerRegistrationConfig = getAttrs [ "name" "tokenFile" "url" "runnerGroup" "extraLabels" "ephemeral" ] cfg;
+ runnerRegistrationConfig = getAttrs [ "name" "tokenFile" "url" "runnerGroup" "extraLabels" "ephemeral" "workDir" ] cfg;
newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig);
currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json";
newConfigTokenPath= "$STATE_DIRECTORY/.new-token";
@@ -119,14 +122,15 @@ with lib;
else
# The state directory is entirely empty which indicates a first start
copy_tokens
- fi '';
+ fi
+ '';
configureRunner = writeScript "configure" ''
if [[ -e "${newConfigTokenPath}" ]]; then
echo "Configuring GitHub Actions Runner"
args=(
--unattended
--disableupdate
- --work "$RUNTIME_DIRECTORY"
+ --work "$WORK_DIRECTORY"
--url ${escapeShellArg cfg.url}
--labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)}
--name ${escapeShellArg cfg.name}
@@ -153,18 +157,21 @@ with lib;
ln -s '${newConfigPath}' "${currentConfigPath}"
fi
'';
- setupRuntimeDir = writeScript "setup-runtime-dirs" ''
+ setupWorkDir = writeScript "setup-work-dirs" ''
+ # Cleanup previous service
+ ${pkgs.findutils}/bin/find -H "$WORK_DIRECTORY" -mindepth 1 -delete
+
# Link _diag dir
- ln -s "$LOGS_DIRECTORY" "$RUNTIME_DIRECTORY/_diag"
+ ln -s "$LOGS_DIRECTORY" "$WORK_DIRECTORY/_diag"
- # Link the runner credentials to the runtime dir
- ln -s "$STATE_DIRECTORY"/{${lib.concatStringsSep "," runnerCredFiles}} "$RUNTIME_DIRECTORY/"
+ # Link the runner credentials to the work dir
+ ln -s "$STATE_DIRECTORY"/{${lib.concatStringsSep "," runnerCredFiles}} "$WORK_DIRECTORY/"
'';
in
- map (x: "${x} ${escapeShellArgs [ stateDir runtimeDir logsDir ]}") [
+ map (x: "${x} ${escapeShellArgs [ stateDir workDir logsDir ]}") [
"+${unconfigureRunner}" # runs as root
configureRunner
- setupRuntimeDir
+ setupWorkDir
];
# If running in ephemeral mode, restart the service on-exit (i.e., successful de-registration of the runner)
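Review bot: `${pkgs.findutils}/bin/find -H "$WORK_DIRECTORY" -mindepth 1 -delete` in `setupWorkDir` removes everything under an administrator-supplied path, and `-H` means that when `cfg.workDir` is itself a symlink the contents of the link target are removed instead. The script runs as the service user (it is not `+`-prefixed like `unconfigureRunner`), which bounds the damage to what that user may delete, but a one-line precondition such as `[[ -d "$WORK_DIRECTORY" && ! -L "$WORK_DIRECTORY" ]] || { echo "work dir must be an existing directory, not a symlink" >&2; exit 1; }` before the `find` would turn a misconfiguration into a failed start rather than a wiped tree. The `let` that defines these scripts and the enclosing `serviceConfig` start and end outside this hunk.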
@@ -181,7 +188,7 @@ with lib;
# Home of persistent runner data, e.g., credentials
StateDirectory = [ systemdDir ];
StateDirectoryMode = "0700";
- WorkingDirectory = runtimeDir;
+ WorkingDirectory = workDir;
InaccessiblePaths = [
# Token file path given in the configuration, if visible to the service
@@ -232,6 +239,8 @@ with lib;
];
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
+ BindPaths = lib.optionals (cfg.workDir != null) [ cfg.workDir ];
+
# Needs network access
PrivateNetwork = false;
# Cannot be true due to Node
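Review bot: `BindPaths = lib.optionals (cfg.workDir != null) [ cfg.workDir ];` exposes the custom directory inside the sandbox, but the bind source must exist when the unit starts, and nothing in this change creates it or sets its ownership, so a not-yet-created `workDir` fails at mount-namespace setup; the same applies to `WorkingDirectory = workDir;` in the earlier hunk. A `systemd.tmpfiles.rules` entry, or a root-run (`+`-prefixed) `ExecStartPre` step doing `mkdir -p`/`chown` before the `find` cleanup, would make the option self-contained; otherwise the requirement belongs in the option description. A short comment here, `# make the custom work dir reachable through the sandbox`, would explain why the bind is conditional on `cfg.workDir`.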
diff --git a/nixos/modules/services/continuous-integration/gitlab-runner.nix b/nixos/modules/services/continuous-integration/gitlab-runner.nix
index d18c4cff0405..3e6dba16e8ac 100644
--- a/nixos/modules/services/continuous-integration/gitlab-runner.nix
+++ b/nixos/modules/services/continuous-integration/gitlab-runner.nix
@@ -9,14 +9,14 @@ let
The hash is recorded in the runner's name because we can't do better yet
See https://gitlab.com/gitlab-org/gitlab-runner/-/issues/29350 for more details
*/
- genRunnerName = service: let
+ genRunnerName = name: service: let
hash = substring 0 12 (hashString "md5" (unsafeDiscardStringContext (toJSON service)));
- in if service ? description
+ in if service ? description && service.description != null
then "${hash} ${service.description}"
else "${name}_${config.networking.hostName}_${hash}";
hashedServices = mapAttrs'
- (name: service: nameValuePair (genRunnerName service) service) cfg.services;
+ (name: service: nameValuePair (genRunnerName name service) service) cfg.services;
configPath = ''"$HOME"/.gitlab-runner/config.toml'';
configureScript = pkgs.writeShellApplication {
name = "gitlab-runner-configure";
@@ -38,7 +38,7 @@ let
'' else ''
export CONFIG_FILE=${configPath}
- mkdir -p "$(dirname "${configPath}")"
+ mkdir -p "$(dirname ${configPath})"
touch ${configPath}
# update global options
@@ -534,9 +534,9 @@ in {
};
};
config = mkIf cfg.enable {
- warnings = (mapAttrsToList
+ warnings = mapAttrsToList
(n: v: "services.gitlab-runner.services.${n}.`registrationConfigFile` points to a file in Nix Store. You should use quoted absolute path to prevent this.")
- (filterAttrs (n: v: isStorePath v.registrationConfigFile) cfg.services));
+ (filterAttrs (n: v: isStorePath v.registrationConfigFile) cfg.services);
environment.systemPackages = [ cfg.package ];
systemd.services.gitlab-runner = {
@@ -570,7 +570,7 @@ in {
ExecStartPre = "!${configureScript}/bin/gitlab-runner-configure";
ExecStart = "${startScript}/bin/gitlab-runner-start";
ExecReload = "!${configureScript}/bin/gitlab-runner-configure";
- } // optionalAttrs (cfg.gracefulTermination) {
+ } // optionalAttrs cfg.gracefulTermination {
TimeoutStopSec = "${cfg.gracefulTimeout}";
KillSignal = "SIGQUIT";
KillMode = "process";
diff --git a/nixos/modules/services/hardware/fwupd.nix b/nixos/modules/services/hardware/fwupd.nix
index 8d7651f97c39..a3bb61a6cb0c 100644
--- a/nixos/modules/services/hardware/fwupd.nix
+++ b/nixos/modules/services/hardware/fwupd.nix
@@ -158,6 +158,9 @@ in {
services.udev.packages = [ cfg.package ];
+ # required to update the firmware of disks
+ services.udisks2.enable = true;
+
systemd.packages = [ cfg.package ];
security.polkit.enable = true;
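Review bot: `services.udisks2.enable = true;` turns on another privileged D-Bus daemon on every host that enables fwupd, and because it is a plain `true` an administrator who does not need disk firmware updates cannot set it to `false` without a definition conflict. `services.udisks2.enable = lib.mkDefault true;` keeps the behaviour for everyone else while leaving it overridable. The comment could name the dependency more precisely, e.g. `# fwupd relies on udisks2 to update disk firmware; disable if not needed`.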
diff --git a/nixos/modules/services/misc/n8n.nix b/nixos/modules/services/misc/n8n.nix
index f59df471e1e0..cdfe9dc8482c 100644
--- a/nixos/modules/services/misc/n8n.nix
+++ b/nixos/modules/services/misc/n8n.nix
@@ -9,7 +9,6 @@ let
in
{
options.services.n8n = {
-
enable = mkEnableOption (lib.mdDoc "n8n server");
openFirewall = mkOption {
@@ -22,7 +21,7 @@ in
type = format.type;
default = {};
description = lib.mdDoc ''
- Configuration for n8n, see <https://docs.n8n.io/reference/configuration.html>
+ Configuration for n8n, see <https://docs.n8n.io/hosting/environment-variables/configuration-methods/>
for supported values.
'';
};
@@ -45,6 +44,10 @@ in
N8N_USER_FOLDER = "/var/lib/n8n";
HOME = "/var/lib/n8n";
N8N_CONFIG_FILES = "${configFile}";
+
+ # Don't phone home
+ N8N_DIAGNOSTICS_ENABLED = "false";
+ N8N_VERSION_NOTIFICATIONS_ENABLED = "false";
};
serviceConfig = {
Type = "simple";
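Review bot: `N8N_DIAGNOSTICS_ENABLED` and `N8N_VERSION_NOTIFICATIONS_ENABLED` are fixed entries of `environment`, so a user who deliberately re-enables them through `services.n8n.settings` (written to `N8N_CONFIG_FILES`) may be silently overridden if n8n gives environment variables precedence over config files, which I cannot confirm from the hunk. If that is the case, the option documentation should say the module disables telemetry unconditionally, or the two values should be made overridable. A slightly more specific comment would also help: `# Disable telemetry and version-update checks (no outbound reporting by default)`.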
diff --git a/nixos/modules/virtualisation/amazon-options.nix b/nixos/modules/virtualisation/amazon-options.nix
index 915bbf9763db..926fe43b0ffe 100644
--- a/nixos/modules/virtualisation/amazon-options.nix
+++ b/nixos/modules/virtualisation/amazon-options.nix
@@ -2,9 +2,6 @@
let
inherit (lib) literalExpression types;
in {
- imports = [
- (lib.mkRemovedOptionModule [ "ec2" "hvm" ] "Only HVM instances are supported, so specifying it is no longer necessary.")
- ];
options = {
ec2 = {
zfs = {
@@ -52,6 +49,12 @@ in {
Whether the EC2 instance is using EFI.
'';
};
+ hvm = lib.mkOption {
+ description = "Unused legacy option. While support for non-hvm has been dropped, we keep this option around so that NixOps remains compatible with a somewhat recent `nixpkgs` and machines with an old `stateVersion`.";
+ internal = true;
+ default = true;
+ readOnly = true;
+ };
};
};
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index e5dc4a82e1b4..070c19eed92b 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -377,6 +377,7 @@ in {
man = handleTest ./man.nix {};
mariadb-galera = handleTest ./mysql/mariadb-galera.nix {};
mastodon = discoverTests (import ./web-apps/mastodon { inherit handleTestOn; });
+ mate = handleTest ./mate.nix {};
matomo = handleTest ./matomo.nix {};
matrix-appservice-irc = handleTest ./matrix/appservice-irc.nix {};
matrix-conduit = handleTest ./matrix/conduit.nix {};
diff --git a/nixos/tests/evcc.nix b/nixos/tests/evcc.nix
index c223977a9d82..b445735ede98 100644
--- a/nixos/tests/evcc.nix
+++ b/nixos/tests/evcc.nix
@@ -88,7 +88,6 @@ import ./make-test-python.nix ({ pkgs, lib, ...} :
with subtest("Check journal for errors"):
_, output = machine.execute("journalctl -o cat -u evcc.service")
assert "FATAL" not in output
- assert "ERROR" not in output
with subtest("Check systemd hardening"):
_, output = machine.execute("systemd-analyze security evcc.service | grep -v '✓'")
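Review bot: Dropping `assert "ERROR" not in output` loosens the journal check for every error line, not just whatever message motivated the removal, so future regressions that log at ERROR level will pass unnoticed. If one known-benign message is being tolerated, filter that message out and keep the assertion, e.g. `assert "ERROR" not in output.replace("<known benign message, placeholder>", "")`, or at least leave a comment naming the error that is expected and why.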
diff --git a/nixos/tests/mate.nix b/nixos/tests/mate.nix
new file mode 100644
index 000000000000..78ba59c5fc20
--- /dev/null
+++ b/nixos/tests/mate.nix
@@ -0,0 +1,58 @@
+import ./make-test-python.nix ({ pkgs, lib, ... }: {
+ name = "mate";
+
+ meta = {
+ maintainers = lib.teams.mate.members;
+ };
+
+ nodes.machine = { ... }: {
+ imports = [
+ ./common/user-account.nix
+ ];
+
+ services.xserver.enable = true;
+
+ services.xserver.displayManager = {
+ lightdm.enable = true;
+ autoLogin = {
+ enable = true;
+ user = "alice";
+ };
+ };
+
+ services.xserver.desktopManager.mate.enable = true;
+
+ # Silence log spam due to no sound drivers loaded:
+ # ALSA lib confmisc.c:855:(parse_card) cannot find card '0'
+ hardware.pulseaudio.enable = true;
+ };
+
+ testScript = { nodes, ... }:
+ let
+ user = nodes.machine.users.users.alice;
+ in
+ ''
+ with subtest("Wait for login"):
+ machine.wait_for_x()
+ machine.wait_for_file("${user.home}/.Xauthority")
+ machine.succeed("xauth merge ${user.home}/.Xauthority")
+
+ with subtest("Check that logging in has given the user ownership of devices"):
+ machine.succeed("getfacl -p /dev/snd/timer | grep -q ${user.name}")
+
+ with subtest("Check if MATE session components actually start"):
+ machine.wait_until_succeeds("pgrep marco")
+ machine.wait_for_window("marco")
+ machine.wait_until_succeeds("pgrep mate-panel")
+ machine.wait_for_window("Top Panel")
+ machine.wait_for_window("Bottom Panel")
+ machine.wait_until_succeeds("pgrep caja")
+ machine.wait_for_window("Caja")
+
+ with subtest("Open MATE terminal"):
+ machine.succeed("su - ${user.name} -c 'DISPLAY=:0.0 mate-terminal >&2 &'")
+ machine.wait_for_window("Terminal")
+ machine.sleep(20)
+ machine.screenshot("screen")
+ '';
+})
diff --git a/nixos/tests/n8n.nix b/nixos/tests/n8n.nix
index c1753a418f67..044240fbce7f 100644
--- a/nixos/tests/n8n.nix
+++ b/nixos/tests/n8n.nix
@@ -19,7 +19,7 @@ in
testScript = ''
machine.wait_for_unit("n8n.service")
- machine.wait_for_open_port(${toString port})
- machine.succeed("curl --fail http://localhost:${toString port}/")
+ machine.wait_for_console_text("Editor is now accessible via")
+ machine.succeed("curl --fail -vvv http://localhost:${toString port}/")
'';
})
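Review bot: `machine.wait_for_console_text("Editor is now accessible via")` couples the test to n8n's exact log wording and to the service logging to the console, whereas the removed `machine.wait_for_open_port(${toString port})` checked the observable property that the following `curl` depends on. Adding `machine.wait_for_open_port(${toString port})` back after the console wait keeps the failure mode clear when the banner text changes. If the reason for the change is that the port opens before the editor is ready, a comment saying so next to the `wait_for_console_text` call would record that for the next maintainer.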