Merge branch 'master' into staging

Very many rebuilds from master :-(
NixOS · Sep 27, 2017 · 95b706f · 95b706f
2 parents 8984a76 + e83b78b
commit 95b706f
Show file tree

Hide file tree

Showing 52 changed files with 638 additions and 248 deletions.
diff --git a/doc/package-notes.xml b/doc/package-notes.xml
@@ -477,32 +477,18 @@ it. Place the resulting <filename>package.nix</filename> file into
 
   <varlistentry>
   <term>Using the FOSS Radeon or nouveau (nvidia) drivers</term>
-  <listitem><itemizedlist><listitem><para>
-  Both the open source radeon drivers as well as the nouveau drivers (nvidia)
-  need a newer libc++ than is provided by the default runtime, which leads to a
-  crash on launch. Use <programlisting>environment.systemPackages =
-  [(pkgs.steam.override { newStdcpp = true; })];</programlisting> in your config
-  if you get an error like
-  <programlisting>
-libGL error: unable to load driver: radeonsi_dri.so
-libGL error: driver pointer missing
-libGL error: failed to load driver: radeonsi
-libGL error: unable to load driver: swrast_dri.so
-libGL error: failed to load driver: swrast</programlisting>
-  or
-  <programlisting>
-libGL error: unable to load driver: nouveau_dri.so
-libGL error: driver pointer missing
-libGL error: failed to load driver: nouveau
-libGL error: unable to load driver: swrast_dri.so
-libGL error: failed to load driver: swrast</programlisting></para></listitem>
-  <listitem><para>
-  Steam ships statically linked with a version of libcrypto that
-  conflics with the one dynamically loaded by radeonsi_dri.so.
-  If you get the error
-  <programlisting>steam.sh: line 713: 7842 Segmentation fault (core dumped)</programlisting>
-  have a look at <link xlink:href="https://github.com/NixOS/nixpkgs/pull/20269">this pull request</link>.
-  </para></listitem>
+  <listitem><itemizedlist>
+    <listitem><para>The <literal>newStdcpp</literal> parameter
+    was removed since NixOS 17.09 and should not be needed anymore.
+    </para></listitem>
+
+    <listitem><para>
+    Steam ships statically linked with a version of libcrypto that
+    conflics with the one dynamically loaded by radeonsi_dri.so.
+    If you get the error
+    <programlisting>steam.sh: line 713: 7842 Segmentation fault (core dumped)</programlisting>
+    have a look at <link xlink:href="https://github.com/NixOS/nixpkgs/pull/20269">this pull request</link>.
+    </para></listitem>
 
   </itemizedlist></listitem></varlistentry>
 

diff --git a/nixos/doc/manual/release-notes/release-notes.xml b/nixos/doc/manual/release-notes/release-notes.xml
@@ -9,6 +9,7 @@
 <para>This section lists the release notes for each stable version of NixOS
 and current unstable revision.</para>
 
+<xi:include href="rl-1803.xml" />
 <xi:include href="rl-1709.xml" />
 <xi:include href="rl-1703.xml" />
 <xi:include href="rl-1609.xml" />

diff --git a/nixos/doc/manual/release-notes/rl-1709.xml b/nixos/doc/manual/release-notes/rl-1709.xml
@@ -289,6 +289,52 @@ FLUSH PRIVILEGES;
       in them being reloaded.
     </para>
   </listitem>
+
+  <listitem>
+    <para>
+      <literal>services.mysqlBackup</literal> now works by default
+      without any user setup, including for users other than
+      <literal>mysql</literal>.
+    </para>
+
+    <para>
+      By default, the <literal>mysql</literal> user is no longer the
+      user which performs the backup. Instead a system account
+      <literal>mysqlbackup</literal> is used.
+    </para>
+
+    <para>
+      The <literal>mysqlBackup</literal> service is also now using
+      systemd timers instead of <literal>cron</literal>.
+    </para>
+
+    <para>
+      Therefore, the <literal>services.mysqlBackup.period</literal>
+      option no longer exists, and has been replaced with
+      <literal>services.mysqlBackup.calendar</literal>, which is in
+      the format of <link
+      xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.time.html#Calendar%20Events">systemd.time(7)</link>.
+    </para>
+
+    <para>
+      If you expect to be sent an e-mail when the backup fails,
+      consider using a script which monitors the systemd journal for
+      errors. Regretfully, at present there is no built-in
+      functionality for this.
+    </para>
+
+    <para>
+      You can check that backups still work by running
+      <command>systemctl start mysql-backup</command> then
+      <command>systemctl status mysql-backup</command>.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>Steam: the <literal>newStdcpp</literal> parameter
+    was removed and should not be needed anymore.</para>
+  </listitem>
+
 </itemizedlist>
 
 <para>Other notable improvements:</para>
@@ -344,7 +390,7 @@ FLUSH PRIVILEGES;
   </listitem>
   <listitem>
     <para>
-      Definitions for <filename>/etc/hosts</filename> can now be sped
+      Definitions for <filename>/etc/hosts</filename> can now be specified
       declaratively with <literal>networking.hosts</literal>.
     </para>
   </listitem>

diff --git a/nixos/doc/manual/release-notes/rl-1803.xml b/nixos/doc/manual/release-notes/rl-1803.xml
@@ -29,8 +29,7 @@ following incompatible changes:</para>
 
 <itemizedlist>
   <listitem>
-    <para>
-    </para>
+    <para></para>
   </listitem>
 </itemizedlist>
 

diff --git a/nixos/modules/services/backup/mysql-backup.nix b/nixos/modules/services/backup/mysql-backup.nix
@@ -6,10 +6,28 @@ let
 
   inherit (pkgs) mysql gzip;
 
-  cfg = config.services.mysqlBackup ;
-  location = cfg.location ;
-  mysqlBackupCron = db : ''
-    ${cfg.period} ${cfg.user} ${mysql}/bin/mysqldump ${if cfg.singleTransaction then "--single-transaction" else ""} ${db} | ${gzip}/bin/gzip -c > ${location}/${db}.gz
+  cfg = config.services.mysqlBackup;
+  defaultUser = "mysqlbackup";
+
+  backupScript = ''
+    set -o pipefail
+    failed=""
+    ${concatMapStringsSep "\n" backupDatabaseScript cfg.databases}
+    if [ -n "$failed" ]; then
+      echo "Backup of database(s) failed:$failed"
+      exit 1
+    fi
+  '';
+  backupDatabaseScript = db: ''
+    dest="${cfg.location}/${db}.gz"
+    if ${mysql}/bin/mysqldump ${if cfg.singleTransaction then "--single-transaction" else ""} ${db} | ${gzip}/bin/gzip -c > $dest.tmp; then
+      mv $dest.tmp $dest
+      echo "Backed up to $dest"
+    else
+      echo "Failed to back up to $dest"
+      rm -f $dest.tmp
+      failed="$failed ${db}"
+    fi
   '';
 
 in
@@ -26,17 +44,16 @@ in
         '';
       };
 
-      period = mkOption {
-        default = "15 01 * * *";
+      calendar = mkOption {
+        type = types.str;
+        default = "01:15:00";
         description = ''
-          This option defines (in the format used by cron) when the
-          databases should be dumped.
-          The default is to update at 01:15 (at night) every day.
+          Configured when to run the backup service systemd unit (DayOfWeek Year-Month-Day Hour:Minute:Second).
         '';
       };
 
       user = mkOption {
-        default = "mysql";
+        default = defaultUser;
         description = ''
           User to be used to perform backup.
         '';
@@ -66,16 +83,49 @@ in
 
   };
 
-  config = mkIf config.services.mysqlBackup.enable {
-
-    services.cron.systemCronJobs = map mysqlBackupCron config.services.mysqlBackup.databases;
-
-    system.activationScripts.mysqlBackup = stringAfter [ "stdio" "users" ]
-      ''
-        mkdir -m 0700 -p ${config.services.mysqlBackup.location}
-        chown ${config.services.mysqlBackup.user} ${config.services.mysqlBackup.location}
-      '';
-
+  config = mkIf cfg.enable {
+    users.extraUsers = optionalAttrs (cfg.user == defaultUser) (singleton
+      { name = defaultUser;
+        isSystemUser = true;
+        createHome = false;
+        home = cfg.location;
+        group = "nogroup";
+      });
+
+    services.mysql.ensureUsers = [{
+      name = cfg.user;
+      ensurePermissions = with lib;
+        let
+          privs = "SELECT, SHOW VIEW, TRIGGER, LOCK TABLES";
+          grant = db: nameValuePair "${db}.*" privs;
+        in
+          listToAttrs (map grant cfg.databases);
+    }];
+
+    systemd = {
+      timers."mysql-backup" = {
+        description = "Mysql backup timer";
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnCalendar = cfg.calendar;
+          AccuracySec = "5m";
+          Unit = "mysql-backup.service";
+        };
+      };
+      services."mysql-backup" = {
+        description = "Mysql backup service";
+        enable = true;
+        serviceConfig = {
+          User = cfg.user;
+          PermissionsStartOnly = true;
+        };
+        preStart = ''
+          mkdir -m 0700 -p ${cfg.location}
+          chown -R ${cfg.user} ${cfg.location}
+        '';
+        script = backupScript;
+      };
+    };
   };
 
 }
diff --git a/nixos/modules/services/mail/spamassassin.nix b/nixos/modules/services/mail/spamassassin.nix
@@ -42,7 +42,7 @@ in
 
           Then you can Use this sieve filter:
             require ["fileinto", "reject", "envelope"];
-            
+
             if header :contains "X-Spam-Flag" "YES" {
               fileinto "spam";
             }
@@ -67,11 +67,11 @@ in
       initPreConf = mkOption {
         type = types.str;
         description = "The SpamAssassin init.pre config.";
-        default = 
-        ''          
+        default =
+        ''
           #
           # to update this list, run this command in the rules directory:
-          # grep 'loadplugin.*Mail::SpamAssassin::Plugin::.*' -o -h * | sort | uniq     
+          # grep 'loadplugin.*Mail::SpamAssassin::Plugin::.*' -o -h * | sort | uniq
           #
 
           #loadplugin Mail::SpamAssassin::Plugin::AccessDB
@@ -122,7 +122,11 @@ in
   config = mkIf cfg.enable {
 
     # Allow users to run 'spamc'.
-    environment.systemPackages = [ pkgs.spamassassin ];
+
+    environment = {
+      etc = singleton { source = spamdEnv; target = "spamassassin"; };
+      systemPackages = [ pkgs.spamassassin ];
+    };
 
     users.extraUsers = singleton {
       name = "spamd";
@@ -138,7 +142,7 @@ in
 
     systemd.services.sa-update = {
       script = ''
-        set +e 
+        set +e
         ${pkgs.su}/bin/su -s "${pkgs.bash}/bin/bash" -c "${pkgs.spamassassin}/bin/sa-update --gpghomedir=/var/lib/spamassassin/sa-update-keys/ --siteconfigpath=${spamdEnv}/" spamd
 
         v=$?
@@ -153,7 +157,7 @@ in
       '';
     };
 
-    systemd.timers.sa-update = { 
+    systemd.timers.sa-update = {
       description = "sa-update-service";
       partOf      = [ "sa-update.service" ];
       wantedBy    = [ "timers.target" ];
@@ -177,15 +181,10 @@ in
       # 0 and 1 no error, exitcode > 1 means error:
       # https://spamassassin.apache.org/full/3.1.x/doc/sa-update.html#exit_codes
       preStart = ''
-        # this abstraction requires no centralized config at all
-        if [ -d /etc/spamassassin ]; then
-          echo "This spamassassin does not support global '/etc/spamassassin' folder for configuration as this would be impure. Merge your configs into 'services.spamassassin' and remove the '/etc/spamassassin' folder to make this service work. Also see 'https://github.com/NixOS/nixpkgs/pull/26470'."; 
-          exit 1
-        fi
         echo "Recreating '/var/lib/spamasassin' with creating '3.004001' (or similar) and 'sa-update-keys'"
         mkdir -p /var/lib/spamassassin
         chown spamd:spamd /var/lib/spamassassin -R
-        set +e 
+        set +e
         ${pkgs.su}/bin/su -s "${pkgs.bash}/bin/bash" -c "${pkgs.spamassassin}/bin/sa-update --gpghomedir=/var/lib/spamassassin/sa-update-keys/ --siteconfigpath=${spamdEnv}/" spamd
         v=$?
         set -e

diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix
@@ -428,7 +428,7 @@ in
         fi
       '';
 
-    nix.nrBuildUsers = mkDefault (lib.max 10 cfg.maxJobs);
+    nix.nrBuildUsers = mkDefault (lib.max 32 cfg.maxJobs);
 
     users.extraUsers = nixbldUsers;
 

diff --git a/nixos/modules/services/networking/tinc.nix b/nixos/modules/services/networking/tinc.nix
@@ -141,7 +141,6 @@ in
               ${optionalString (data.ed25519PrivateKeyFile != null) "Ed25519PrivateKeyFile = ${data.ed25519PrivateKeyFile}"}
               ${optionalString (data.listenAddress != null) "ListenAddress = ${data.listenAddress}"}
               ${optionalString (data.bindToAddress != null) "BindToAddress = ${data.bindToAddress}"}
-              Device = /dev/net/tun
               Interface = tinc.${network}
               ${data.extraConfig}
             '';
@@ -168,6 +167,7 @@ in
           Type = "simple";
           Restart = "always";
           RestartSec = "3";
+          ExecStart = "${data.package}/bin/tincd -D -U tinc.${network} -n ${network} ${optionalString (data.chroot) "-R"} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel}";
         };
         preStart = ''
           mkdir -p /etc/tinc/${network}/hosts
@@ -187,9 +187,6 @@ in
             [ -f "/etc/tinc/${network}/rsa_key.priv" ] || tincd -n ${network} -K 4096
           fi
         '';
-        script = ''
-          tincd -D -U tinc.${network} -n ${network} ${optionalString (data.chroot) "-R"} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel}
-        '';
       })
     );
 

diff --git a/nixos/release.nix b/nixos/release.nix
@@ -283,6 +283,7 @@ in rec {
   tests.mumble = callTest tests/mumble.nix {};
   tests.munin = callTest tests/munin.nix {};
   tests.mysql = callTest tests/mysql.nix {};
+  tests.mysqlBackup = callTest tests/mysql-backup.nix {};
   tests.mysqlReplication = callTest tests/mysql-replication.nix {};
   tests.nat.firewall = callTest tests/nat.nix { withFirewall = true; };
   tests.nat.firewall-conntrack = callTest tests/nat.nix { withFirewall = true; withConntrackHelpers = true; };

diff --git a/nixos/tests/mysql-backup.nix b/nixos/tests/mysql-backup.nix
@@ -0,0 +1,42 @@
+# Test whether mysqlBackup option works
+import ./make-test.nix ({ pkgs, ... } : {
+  name = "mysql-backup";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ rvl ];
+  };
+
+  nodes = {
+    master = { config, pkgs, ... }: {
+      services.mysql = {
+        enable = true;
+        initialDatabases = [ { name = "testdb"; schema = ./testdb.sql; } ];
+        package = pkgs.mysql;
+      };
+
+      services.mysqlBackup = {
+        enable = true;
+        databases = [ "doesnotexist" "testdb" ];
+      };
+    };
+  };
+
+  testScript =
+    '' startAll;
+
+       # Need to have mysql started so that it can be populated with data.
+       $master->waitForUnit("mysql.service");
+
+       # Wait for testdb to be populated.
+       $master->sleep(10);
+
+       # Do a backup and wait for it to finish.
+       $master->startJob("mysql-backup.service");
+       $master->waitForJob("mysql-backup.service");
+
+       # Check that data appears in backup
+       $master->succeed("${pkgs.gzip}/bin/zcat /var/backup/mysql/testdb.gz | grep hello");
+
+       # Check that a failed backup is logged
+       $master->succeed("journalctl -u mysql-backup.service | grep 'fail.*doesnotexist' > /dev/null");
+    '';
+})