Merge staging-next into staging

maintainers/maintainer-list.nix

@@ -2909,6 +2909,12 @@
     githubId = 14790226;
     name = "Hubert Jasudowicz";
   };
+  c-h-johnson = {
+    name = "Charles Johnson";
+    email = "charles@charlesjohnson.name";
+    github = "c-h-johnson";
+    githubId = 138403247;
+  };
   chkno = {
     email = "scottworley@scottworley.com";
     github = "chkno";
@@ -6074,6 +6080,12 @@
     githubId = 25820499;
     name = "Roman Kretschmer";
   };
+  goatchurchprime = {
+    email = "julian@goatchurch.org.uk";
+    github = "goatchurchprime";
+    githubId = 677254;
+    name = "Julian Todd";
+  };
   gobidev = {
     email = "adrian.groh@t-online.de";
     github = "Gobidev";
@@ -7349,6 +7361,11 @@
     github = "jali-clarke";
     githubId = 17733984;
   };
+  james-atkins = {
+    name = "James Atkins";
+    github = "james-atkins";
+    githubId = 9221409;
+  };
   jamiemagee = {
     email = "jamie.magee@gmail.com";
     github = "JamieMagee";
@@ -8090,6 +8107,12 @@
     email = "j.loos@posteo.net";
     githubId = 57965027;
   };
+  josephst = {
+    name = "Joseph Stahl";
+    email = "hello@josephstahl.com";
+    github = "josephst";
+    githubId = 1269177;
+  };
   joshniemela = {
     name = "Joshua Niemelä";
     email = "josh@jniemela.dk";
@@ -12051,6 +12074,12 @@
     githubId = 2946283;
     name = "Brian Cohen";
   };
+  nova-madeline = {
+    matrix = "@nova:tchncs.de";
+    github = "nova-r";
+    githubId = 126072875;
+    name = "nova madeline";
+  };
   novenary = {
     email = "streetwalkermc@gmail.com";
     github = "9ary";
@@ -12389,6 +12418,12 @@
     githubId = 75299;
     name = "Malcolm Matalka";
   };
+  orichter = {
+    email = "richter-oliver@gmx.net";
+    github = "RichterOliver";
+    githubId = 135209509;
+    name = "Oliver Richter";
+  };
   orivej = {
     email = "orivej@gmx.fr";
     github = "orivej";
@@ -16375,6 +16410,12 @@
     github = "thielema";
     githubId = 898989;
   };
+  thillux = {
+    name = "Markus Theil";
+    email = "theil.markus@gmail.com";
+    github = "thillux";
+    githubId = 2171995;
+  };
   thilobillerbeck = {
     name = "Thilo Billerbeck";
     email = "thilo.billerbeck@officerent.de";

nixos/doc/manual/release-notes/rl-2311.section.md

@@ -80,6 +80,8 @@
 
 - The Caddy module gained a new option named `services.caddy.enableReload` which is enabled by default. It allows reloading the service instead of restarting it, if only a config file has changed. This option must be disabled if you have turned off the [Caddy admin API](https://caddyserver.com/docs/caddyfile/options#admin). If you keep this option enabled, you should consider setting [`grace_period`](https://caddyserver.com/docs/caddyfile/options#grace-period) to a non-infinite value to prevent Caddy from delaying the reload indefinitely.
 
+- mdraid support is now optional. This reduces initramfs size and prevents the potentially undesired automatic detection and activation of software RAID pools. It is disabled by default in new configurations (determined by `stateVersion`), but the appropriate settings will be generated by `nixos-generate-config` when installing to a software RAID device, so the standard installation procedure should be unaffected. If you have custom configs relying on mdraid, ensure that you use `stateVersion` correctly or set `boot.swraid.enable` manually.
+
 ## Other Notable Changes {#sec-release-23.11-notable-changes}
 
 - The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove `xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];` from your NixOS configuration.

nixos/modules/installer/tools/nixos-generate-config.pl

@@ -381,6 +381,7 @@ sub in {
 
 my $fileSystems;
 my %fsByDev;
+my $useSwraid = 0;
 foreach my $fs (read_file("/proc/self/mountinfo")) {
     chomp $fs;
     my @fields = split / /, $fs;
@@ -510,8 +511,8 @@ sub in {
     # boot.initrd.luks.devices entry.
     if (-e $device) {
         my $deviceName = basename(abs_path($device));
-        if (-e "/sys/class/block/$deviceName"
-            && read_file("/sys/class/block/$deviceName/dm/uuid",  err_mode => 'quiet') =~ /^CRYPT-LUKS/)
+        my $dmUuid = read_file("/sys/class/block/$deviceName/dm/uuid",  err_mode => 'quiet');
+        if ($dmUuid =~ /^CRYPT-LUKS/)
         {
             my @slaves = glob("/sys/class/block/$deviceName/slaves/*");
             if (scalar @slaves == 1) {
@@ -527,8 +528,14 @@ sub in {
                 }
             }
         }
+        if (-e "/sys/class/block/$deviceName/md/uuid") {
+            $useSwraid = 1;
+        }
     }
 }
+if ($useSwraid) {
+    push @attrs, "boot.swraid.enable = true;\n\n";
+}
 
 
 # Generate the hardware configuration file.

nixos/modules/module-list.nix

@@ -1108,6 +1108,7 @@
   ./services/security/clamav.nix
   ./services/security/endlessh-go.nix
   ./services/security/endlessh.nix
+  ./services/security/esdm.nix
   ./services/security/fail2ban.nix
   ./services/security/fprintd.nix
   ./services/security/haka.nix

nixos/modules/profiles/installation-device.nix

@@ -106,6 +106,8 @@ with lib;
         systemdStage1Network
       ];
 
+    boot.swraid.enable = true;
+
     # Show all debug messages from the kernel but don't log refused packets
     # because we have the firewall enabled. This makes installs from the
     # console less cumbersome if the machine has a public IP.

nixos/modules/services/mail/nullmailer.nix

@@ -203,18 +203,18 @@ with lib;
     users = {
       users.${cfg.user} = {
         description = "Nullmailer relay-only mta user";
-        group = cfg.group;
+        inherit (cfg) group;
         isSystemUser = true;
       };
 
       groups.${cfg.group} = { };
     };
 
     systemd.tmpfiles.rules = [
-      "d /var/spool/nullmailer - ${cfg.user} - - -"
-      "d /var/spool/nullmailer/failed 750 ${cfg.user} - - -"
-      "d /var/spool/nullmailer/queue 750 ${cfg.user} - - -"
-      "d /var/spool/nullmailer/tmp 750 ${cfg.user} - - -"
+      "d /var/spool/nullmailer - ${cfg.user} ${cfg.group} - -"
+      "d /var/spool/nullmailer/failed 770 ${cfg.user} ${cfg.group} - -"
+      "d /var/spool/nullmailer/queue 770 ${cfg.user} ${cfg.group} - -"
+      "d /var/spool/nullmailer/tmp 770 ${cfg.user} ${cfg.group} - -"
     ];
 
     systemd.services.nullmailer = {
@@ -238,7 +238,7 @@ with lib;
       program = "sendmail";
       source = "${pkgs.nullmailer}/bin/sendmail";
       owner = cfg.user;
-      group = cfg.group;
+      inherit (cfg) group;
       setuid = true;
       setgid = true;
     };

nixos/modules/services/printing/cupsd.nix

@@ -4,7 +4,7 @@ with lib;
 
 let
 
-  inherit (pkgs) cups cups-pk-helper cups-filters;
+  inherit (pkgs) cups cups-pk-helper cups-filters xdg-utils;
 
   cfg = config.services.printing;
 
@@ -313,7 +313,9 @@ in
         description = "CUPS printing services";
       };
 
-    environment.systemPackages = [ cups.out ] ++ optional polkitEnabled cups-pk-helper;
+    # We need xdg-open (part of xdg-utils) for the desktop-file to proper open the users default-browser when opening "Manage Printing"
+    # https://github.com/NixOS/nixpkgs/pull/237994#issuecomment-1597510969
+    environment.systemPackages = [ cups.out xdg-utils ] ++ optional polkitEnabled cups-pk-helper;
     environment.etc.cups.source = "/var/lib/cups";
 
     services.dbus.packages = [ cups.out ] ++ optional polkitEnabled cups-pk-helper;

nixos/modules/services/security/esdm.nix

@@ -0,0 +1,102 @@
+{ lib, config, pkgs, ... }:
+
+let
+  cfg = config.services.esdm;
+in
+{
+  options.services.esdm = {
+    enable = lib.mkEnableOption (lib.mdDoc "ESDM service configuration");
+    package = lib.mkPackageOptionMD pkgs "esdm" { };
+    serverEnable = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = lib.mdDoc ''
+        Enable option for ESDM server service. If serverEnable == false, then the esdm-server
+        will not start. Also the subsequent services esdm-cuse-random, esdm-cuse-urandom
+        and esdm-proc will not start as these have the entry Want=esdm-server.service.
+      '';
+    };
+    cuseRandomEnable = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = lib.mdDoc ''
+        Enable option for ESDM cuse-random service. Determines if the esdm-cuse-random.service
+        is started.
+      '';
+    };
+    cuseUrandomEnable = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = lib.mdDoc ''
+        Enable option for ESDM cuse-urandom service. Determines if the esdm-cuse-urandom.service
+        is started.
+      '';
+    };
+    procEnable = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = lib.mdDoc ''
+        Enable option for ESDM proc service. Determines if the esdm-proc.service
+        is started.
+      '';
+    };
+    verbose = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = lib.mdDoc ''
+        Enable verbose ExecStart for ESDM. If verbose == true, then the corresponding "ExecStart"
+        values of the 4 aforementioned services are overwritten with the option
+        for the highest verbosity.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable (
+    lib.mkMerge [
+      ({
+        systemd.packages = [ cfg.package ];
+      })
+      # It is necessary to set those options for these services to be started by systemd in NixOS
+      (lib.mkIf cfg.serverEnable {
+        systemd.services."esdm-server".wantedBy = [ "basic.target" ];
+        systemd.services."esdm-server".serviceConfig = lib.mkIf cfg.verbose {
+          ExecStart = [
+            " " # unset previous value defined in 'esdm-server.service'
+            "${cfg.package}/bin/esdm-server -f -vvvvvv"
+          ];
+        };
+      })
+
+      (lib.mkIf cfg.cuseRandomEnable {
+        systemd.services."esdm-cuse-random".wantedBy = [ "basic.target" ];
+        systemd.services."esdm-cuse-random".serviceConfig = lib.mkIf cfg.verbose {
+          ExecStart = [
+            " " # unset previous value defined in 'esdm-cuse-random.service'
+            "${cfg.package}/bin/esdm-cuse-random -f -v 6"
+          ];
+        };
+      })
+
+      (lib.mkIf cfg.cuseUrandomEnable {
+        systemd.services."esdm-cuse-urandom".wantedBy = [ "basic.target" ];
+        systemd.services."esdm-cuse-urandom".serviceConfig = lib.mkIf cfg.verbose {
+          ExecStart = [
+            " " # unset previous value defined in 'esdm-cuse-urandom.service'
+            "${config.services.esdm.package}/bin/esdm-cuse-urandom -f -v 6"
+          ];
+        };
+      })
+
+      (lib.mkIf cfg.procEnable {
+        systemd.services."esdm-proc".wantedBy = [ "basic.target" ];
+        systemd.services."esdm-proc".serviceConfig = lib.mkIf cfg.verbose {
+          ExecStart = [
+            " " # unset previous value defined in 'esdm-proc.service'
+            "${cfg.package}/bin/esdm-proc --relabel -f -o allow_other /proc/sys/kernel/random -v 6"
+          ];
+        };
+      })
+    ]);
+
+  meta.maintainers = with lib.maintainers; [ orichter thillux ];
+}

nixos/modules/services/web-apps/nexus.nix

@@ -7,7 +7,6 @@ let
   cfg = config.services.nexus;
 
 in
-
 {
   options = {
     services.nexus = {
@@ -20,6 +19,16 @@ in
         description = lib.mdDoc "Package which runs Nexus3";
       };
 
+      jdkPackage = mkOption {
+        type = types.package;
+        default = pkgs.openjdk8;
+        defaultText = literalExample "pkgs.openjdk8";
+        example = literalExample "pkgs.openjdk8";
+        description = ''
+          The JDK package to use.
+        '';
+      };
+
       user = mkOption {
         type = types.str;
         default = "nexus";
@@ -110,7 +119,7 @@ in
       createHome = true;
     };
 
-    users.groups.${cfg.group} = {};
+    users.groups.${cfg.group} = { };
 
     systemd.services.nexus = {
       description = "Sonatype Nexus3";
@@ -123,6 +132,7 @@ in
         NEXUS_USER = cfg.user;
         NEXUS_HOME = cfg.home;
 
+        INSTALL4J_JAVA_HOME = "${cfg.jdkPackage}";
         VM_OPTS_FILE = pkgs.writeText "nexus.vmoptions" cfg.jvmOpts;
       };
 

nixos/modules/system/boot/stage-1.nix

@@ -133,10 +133,6 @@ let
       copy_bin_and_libs ${getBin pkgs.lvm2}/bin/dmsetup
       copy_bin_and_libs ${getBin pkgs.lvm2}/bin/lvm
 
-      # Add RAID mdadm tool.
-      copy_bin_and_libs ${pkgs.mdadm}/sbin/mdadm
-      copy_bin_and_libs ${pkgs.mdadm}/sbin/mdmon
-
       # Copy udev.
       copy_bin_and_libs ${udev}/bin/udevadm
       copy_bin_and_libs ${udev}/lib/systemd/systemd-sysctl
@@ -225,7 +221,6 @@ let
       $out/bin/udevadm --version
       $out/bin/dmsetup --version 2>&1 | tee -a log | grep -q "version:"
       LVM_SYSTEM_DIR=$out $out/bin/lvm version 2>&1 | tee -a log | grep -q "LVM"
-      $out/bin/mdadm --version
       ${optionalString config.services.multipath.enable ''
         ($out/bin/multipath || true) 2>&1 | grep -q 'need to be root'
         ($out/bin/multipathd || true) 2>&1 | grep -q 'need to be root'
@@ -354,9 +349,6 @@ let
       [ { object = bootStage1;
           symlink = "/init";
         }
-        { object = pkgs.writeText "mdadm.conf" config.boot.initrd.services.swraid.mdadmConf;
-          symlink = "/etc/mdadm.conf";
-        }
         { object = pkgs.runCommand "initrd-kmod-blacklist-ubuntu" {
               src = "${pkgs.kmod-blacklist-ubuntu}/modprobe.conf";
               preferLocalBuild = true;
@@ -727,6 +719,6 @@ in
   };
 
   imports = [
-    (mkRenamedOptionModule [ "boot" "initrd" "mdadmConf" ] [ "boot" "initrd" "services" "swraid" "mdadmConf" ])
+    (mkRenamedOptionModule [ "boot" "initrd" "mdadmConf" ] [ "boot" "swraid" "mdadmConf" ])
   ];
 }